Repository: cxf Updated Branches: refs/heads/master a723da9d9 -> 78cb9f4ea
Making it easier to load JWS/JWE properties from the custom code Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/78cb9f4e Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/78cb9f4e Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/78cb9f4e Branch: refs/heads/master Commit: 78cb9f4eac106c97a0ca67e6913af87a7d233498 Parents: a723da9 Author: Sergey Beryozkin <[email protected]> Authored: Wed Nov 11 12:55:19 2015 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Nov 11 12:55:19 2015 +0000 ---------------------------------------------------------------------- .../cxf/rs/security/jose/jwe/JweUtils.java | 64 +++++++++----- .../security/jose/jws/JwsCompactProducer.java | 11 +-- .../cxf/rs/security/jose/jws/JwsUtils.java | 92 ++++++++++++++------ 3 files changed, 108 insertions(+), 59 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/78cb9f4e/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java index a40c619..074dfa5 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java 
@@ -287,13 +287,11 @@ public final class JweUtils { } @SuppressWarnings("deprecation") public static JweEncryptionProvider loadEncryptionProvider(JweHeaders headers, boolean required) { - Message m = PhaseInterceptorChain.getCurrentMessage(); - Properties props = KeyManagementUtils.loadStoreProperties(m, required, - JoseConstants.RSSEC_ENCRYPTION_OUT_PROPS, - JoseConstants.RSSEC_ENCRYPTION_PROPS); + Properties props = loadEncryptionOutProperties(required); if (props == null) { return null; } + Message m = PhaseInterceptorChain.getCurrentMessage(); boolean includeCert = headers != null && MessageUtils.getContextualBoolean( @@ -302,7 +300,7 @@ public final class JweUtils { m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_CERT_SHA1, false); KeyEncryptionProvider keyEncryptionProvider = null; - String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null, null); + String keyEncryptionAlgo = getKeyEncryptionAlgorithm(m, props, null, null); KeyAlgorithm keyAlgo = KeyAlgorithm.getAlgorithm(keyEncryptionAlgo); String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null); m.put(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM, contentEncryptionAlgo); @@ -313,8 +311,8 @@ public final class JweUtils { contentEncryptionAlgo = getContentEncryptionAlgo(m, props, jwk.getAlgorithm()); ctEncryptionProvider = getContentEncryptionAlgorithm(jwk, contentEncryptionAlgo); } else { - keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm(), - getDefaultKeyAlgo(jwk)); + keyEncryptionAlgo = getKeyEncryptionAlgorithm(m, props, jwk.getAlgorithm(), + getDefaultKeyAlgorithm(jwk)); keyEncryptionProvider = getKeyEncryptionProvider(jwk, keyAlgo); boolean includePublicKey = headers != null && MessageUtils.getContextualBoolean( 
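Review bot: In the first hunk, `Message m = PhaseInterceptorChain.getCurrentMessage()` is now fetched after the props null-check but is still dereferenced unconditionally on the next lines (`MessageUtils.getContextualBoolean(m, ...)` here, `m.put(...)` in the following hunk), and for the custom-code callers this commit targets there may be no current message, so `m` can presumably be null on that path. The JWS side of the same commit guards `m != null` in `getSignatureAlgorithm`; this method does not. Suggest failing early with a clear message, `if (m == null) { throw new IllegalStateException("loadEncryptionProvider requires a current message"); }`, or at least stating in Javadoc that this overload must run inside an interceptor chain. Note also that, unlike JwsUtils, JweUtils gets no `(Properties, headers)` overload in this commit, so there is no message-free entry point for the JWE provider. The body of loadEncryptionProvider continues past the hunk.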
@@ -366,18 +364,15 @@ public final class JweUtils { return loadDecryptionProvider(null, required); } public static JweDecryptionProvider loadDecryptionProvider(JweHeaders inHeaders, boolean required) { - Message m = PhaseInterceptorChain.getCurrentMessage(); - Properties props = KeyManagementUtils.loadStoreProperties(m, required, - JoseConstants.RSSEC_ENCRYPTION_IN_PROPS, - JoseConstants.RSSEC_ENCRYPTION_PROPS); + Properties props = loadEncryptionInProperties(required); if (props == null) { return null; } - + Message m = PhaseInterceptorChain.getCurrentMessage(); KeyDecryptionProvider keyDecryptionProvider = null; String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null); SecretKey ctDecryptionKey = null; - String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null, null); + String keyEncryptionAlgo = getKeyEncryptionAlgorithm(m, props, null, null); if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN) != null) { // Supporting loading a private key via a certificate for now List<X509Certificate> chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain()); @@ -412,8 +407,8 @@ public final class JweUtils { contentEncryptionAlgo = getContentEncryptionAlgo(m, props, jwk.getAlgorithm()); ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentEncryptionAlgo); } else { - keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm(), - getDefaultKeyAlgo(jwk)); + keyEncryptionAlgo = getKeyEncryptionAlgorithm(m, props, jwk.getAlgorithm(), + getDefaultKeyAlgorithm(jwk)); keyDecryptionProvider = getKeyDecryptionProvider(jwk, KeyAlgorithm.getAlgorithm(keyEncryptionAlgo)); } @@ -641,7 +636,7 @@ public final class JweUtils { } } @SuppressWarnings("deprecation") - private static String getKeyEncryptionAlgo(Message m, Properties props, + public static String getKeyEncryptionAlgorithm(Message m, Properties props, String algo, String defaultAlgo) { if (algo == null) { if (defaultAlgo == null) { 
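Review bot: In the last hunk, `getKeyEncryptionAlgorithm(Message, Properties, String, String)` becomes public without any Javadoc, and its contract is not obvious from the signature: an explicit `algo` wins; otherwise the deprecated `DEPR_RSSEC_ENCRYPTION_KEY_ALGORITHM` is consulted (in `props`, then via `m.getContextualProperty`) before the current `RSSEC_ENCRYPTION_KEY_ALGORITHM`, as the continuation of this method in the next hunks shows. Because the deprecated lookup dereferences `m` without a null check, the Javadoc should say that `m` must be non-null while `props` may be null, state the precedence order, and say what is returned when nothing is configured. The method body continues past this hunk, so the exact fallback value cannot be confirmed here.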
@@ -649,7 +644,10 @@ public final class JweUtils { } // Check for deprecated identifier first - String encAlgo = props.getProperty(JoseConstants.DEPR_RSSEC_ENCRYPTION_KEY_ALGORITHM); + String encAlgo = null; + if (props != null) { + encAlgo = props.getProperty(JoseConstants.DEPR_RSSEC_ENCRYPTION_KEY_ALGORITHM); + } if (encAlgo == null) { encAlgo = (String)m.getContextualProperty(JoseConstants.DEPR_RSSEC_ENCRYPTION_KEY_ALGORITHM); } @@ -658,12 +656,19 @@ public final class JweUtils { } // Otherwise check newer identifier - return KeyManagementUtils.getKeyAlgorithm(m, props, - JoseConstants.RSSEC_ENCRYPTION_KEY_ALGORITHM, defaultAlgo); + if (props != null) { + return getKeyEncryptionAlgorithm(props, defaultAlgo); + } } return algo; } - private static String getDefaultKeyAlgo(JsonWebKey jwk) { + public static String getKeyEncryptionAlgorithm(Properties props, String defaultAlgo) { + return KeyManagementUtils.getKeyAlgorithm(PhaseInterceptorChain.getCurrentMessage(), + props, + JoseConstants.RSSEC_ENCRYPTION_KEY_ALGORITHM, + defaultAlgo); + } + private static String getDefaultKeyAlgorithm(JsonWebKey jwk) { KeyType keyType = jwk.getKeyType(); if (KeyType.OCTET == keyType) { return AlgorithmUtils.A128GCMKW_ALGO; 
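Review bot: The new `if (props != null)` guard in the first hunk protects the property lookup, but the unchanged line right after it, `encAlgo = (String)m.getContextualProperty(...)`, still dereferences `m` unguarded, and a null `m` is exactly the case that arises when this public helper is called from custom code with no current message. The JWS counterpart in this same commit writes the guard as `if (sigAlgo == null && m != null) {`; the JWE side should match: `if (encAlgo == null && m != null) {`.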
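Review bot: In the second hunk, when `props` is null the method now falls through to `return algo;`, which is null in this branch, so the `defaultAlgo` defaulted a few lines earlier is silently discarded; before this change `KeyManagementUtils.getKeyAlgorithm(m, props, ..., defaultAlgo)` was always reached. If returning null for "nothing configured" is intended, it should be stated in Javadoc, since callers such as `KeyAlgorithm.getAlgorithm(keyEncryptionAlgo)` in loadEncryptionProvider will receive null; otherwise replace the guard with `return props != null ? getKeyEncryptionAlgorithm(props, defaultAlgo) : defaultAlgo;`. The new two-argument `getKeyEncryptionAlgorithm(Properties, String)` also passes `PhaseInterceptorChain.getCurrentMessage()` straight into `KeyManagementUtils.getKeyAlgorithm`, and whether that tolerates a null message is not visible here.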
@@ -704,12 +709,23 @@ public final class JweUtils { return new JweHeaders(Collections.<String, Object>singletonMap(JoseConstants.HEADER_CONTENT_TYPE, ct)); } public static void validateJweCertificateChain(List<X509Certificate> certs) { - Message m = PhaseInterceptorChain.getCurrentMessage(); - Properties props = KeyManagementUtils.loadStoreProperties(m, true, - JoseConstants.RSSEC_ENCRYPTION_IN_PROPS, - JoseConstants.RSSEC_ENCRYPTION_PROPS); + Properties props = loadEncryptionInProperties(true); KeyManagementUtils.validateCertificateChain(props, certs); } + public static Properties loadEncryptionInProperties(boolean required) { + Message m = PhaseInterceptorChain.getCurrentMessage(); + return KeyManagementUtils.loadStoreProperties(m, required, + JoseConstants.RSSEC_ENCRYPTION_IN_PROPS, + JoseConstants.RSSEC_ENCRYPTION_PROPS); + + } + public static Properties loadEncryptionOutProperties(boolean required) { + Message m = PhaseInterceptorChain.getCurrentMessage(); + return KeyManagementUtils.loadStoreProperties(m, required, + JoseConstants.RSSEC_ENCRYPTION_OUT_PROPS, + JoseConstants.RSSEC_ENCRYPTION_PROPS); + + } public static void checkEncryptionKeySize(Key key) { if (key instanceof RSAKey && ((RSAKey)key).getModulus().bitLength() < 2048) { http://git-wip-us.apache.org/repos/asf/cxf/blob/78cb9f4e/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java index 5fba635..ec14b6b 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java 
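Review bot: The two new public loaders, `loadEncryptionInProperties` and `loadEncryptionOutProperties`, are undocumented even though they are the entry points this commit creates for custom code, and each carries a stray blank line before its closing brace. Suggest a Javadoc block on each stating which property it consults first (`RSSEC_ENCRYPTION_IN_PROPS` / `RSSEC_ENCRYPTION_OUT_PROPS`, then `RSSEC_ENCRYPTION_PROPS`, assuming `loadStoreProperties` tries its arguments in order, which should be confirmed) and what `required` means; the `if (props == null) return null;` checks in the callers suggest a null return when `required` is false and nothing is configured, but the failure mode for `required=true` is not visible here. Since `validateJweCertificateChain` now depends on that `required=true` behaviour to reject an inbound x5c chain when no trust configuration exists, the documentation should make that guarantee explicit.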
@@ -26,8 +26,6 @@ import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter; import org.apache.cxf.message.Message; import org.apache.cxf.phase.PhaseInterceptorChain; -import org.apache.cxf.rs.security.jose.common.JoseConstants; -import org.apache.cxf.rs.security.jose.common.KeyManagementUtils; import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm; import org.apache.cxf.rs.security.jose.jwk.JsonWebKey; @@ -142,7 +140,7 @@ public class JwsCompactProducer { if (getAlgorithm() == null) { Properties sigProps = getSignatureProperties(); Message m = PhaseInterceptorChain.getCurrentMessage(); - String signatureAlgo = JwsUtils.getSignatureAlgo(m, sigProps, null, null); + String signatureAlgo = JwsUtils.getSignatureAlgorithm(m, sigProps, null, null); if (signatureAlgo != null) { getJwsHeaders().setSignatureAlgorithm(SignatureAlgorithm.getAlgorithm(signatureAlgo)); } @@ -153,11 +151,8 @@ public class JwsCompactProducer { } } public Properties getSignatureProperties() { - if (signatureProperties == null && PhaseInterceptorChain.getCurrentMessage() != null) { - Message m = PhaseInterceptorChain.getCurrentMessage(); - signatureProperties = KeyManagementUtils.loadStoreProperties(m, false, - JoseConstants.RSSEC_SIGNATURE_OUT_PROPS, - JoseConstants.RSSEC_SIGNATURE_PROPS); + if (signatureProperties == null) { + signatureProperties = JwsUtils.loadSignatureOutProperties(false); } return signatureProperties; http://git-wip-us.apache.org/repos/asf/cxf/blob/78cb9f4e/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java index 0bce50e..8792108 100644 
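Review bot: In the last hunk, `getSignatureProperties()` drops the `PhaseInterceptorChain.getCurrentMessage() != null` guard, so `JwsUtils.loadSignatureOutProperties(false)` is now reached with no current message and hands a null `Message` to `KeyManagementUtils.loadStoreProperties`, whose tolerance of a null message is not visible in this diff. Unless that is known to be safe, keep the old condition: `if (signatureProperties == null && PhaseInterceptorChain.getCurrentMessage() != null) {`. The earlier hunk already relies on `JwsUtils.getSignatureAlgorithm` returning null when properties are absent (`if (signatureAlgo != null)`), so the producer is prepared for a null result but not necessarily for an exception from the loader.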
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java @@ -65,6 +65,9 @@ public final class JwsUtils { public static String sign(PrivateKey key, SignatureAlgorithm algo, String content, String ct) { return sign(getPrivateKeySignatureProvider(key, algo), content, ct); } + public static String sign(String encodedKey, SignatureAlgorithm algo, String content) { + return sign(JoseUtils.decode(encodedKey), algo, content); + } public static String sign(byte[] key, SignatureAlgorithm algo, String content) { return sign(key, algo, content, null); } @@ -75,6 +78,9 @@ public final class JwsUtils { JwsCompactConsumer jws = verify(getPublicKeySignatureVerifier(key, algo), content); return jws.getDecodedJwsPayload(); } + public static String verify(String encodedKey, SignatureAlgorithm algo, String content) { + return verify(JoseUtils.decode(encodedKey), algo, content); + } public static String verify(byte[] key, SignatureAlgorithm algo, String content) { JwsCompactConsumer jws = verify(getHmacSignatureVerifier(key, algo), content); return jws.getDecodedJwsPayload(); @@ -113,6 +119,9 @@ public final class JwsUtils { return null; } + public static JwsSignatureProvider getHmacSignatureProvider(String encodedKey, SignatureAlgorithm algo) { + return getHmacSignatureProvider(JoseUtils.decode(encodedKey), algo); + } public static JwsSignatureProvider getHmacSignatureProvider(byte[] key, SignatureAlgorithm algo) { if (algo == null) { LOG.warning("No signature algorithm was defined"); 
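Review bot: The new `sign(String encodedKey, ...)`, `verify(String encodedKey, ...)` and `getHmacSignatureProvider(String encodedKey, ...)` overloads say nothing about what encoding `encodedKey` is in, yet they feed the result of `JoseUtils.decode` to the HMAC path (`verify(byte[] ...)` visibly calls `getHmacSignatureVerifier`; `sign(byte[] ...)` delegates to a four-argument overload not shown, so presumably the same). A String keyed `verify` is an easy place to mix up a raw secret and its encoded form, so each overload needs a Javadoc line such as `@param encodedKey the HMAC secret in the encoding accepted by JoseUtils.decode (Base64URL, to be confirmed); not a PEM or JWK`. It would also help to state that these overloads are for symmetric algorithms only, since what happens when an RS/ES algorithm is passed with a byte[] key is not visible here.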
@@ -158,6 +167,9 @@ public final class JwsUtils { return null; } + public static JwsSignatureVerifier getHmacSignatureVerifier(String encodedKey, SignatureAlgorithm algo) { + return getHmacSignatureVerifier(JoseUtils.decode(encodedKey), algo); + } public static JwsSignatureVerifier getHmacSignatureVerifier(byte[] key, SignatureAlgorithm algo) { if (algo == null) { LOG.warning("No signature algorithm was defined"); 
@@ -188,29 +200,38 @@ public final class JwsUtils { public static JwsSignatureProvider loadSignatureProvider(boolean required) { return loadSignatureProvider(null, required); } + public static JwsSignatureProvider loadSignatureProvider(JwsHeaders headers, boolean required) { - Message m = PhaseInterceptorChain.getCurrentMessage(); - Properties props = KeyManagementUtils.loadStoreProperties(m, required, - JoseConstants.RSSEC_SIGNATURE_OUT_PROPS, - JoseConstants.RSSEC_SIGNATURE_PROPS); + Properties props = loadSignatureOutProperties(required); if (props == null) { return null; } - JwsSignatureProvider theSigProvider = loadSignatureProvider(m, props, headers, false); + JwsSignatureProvider theSigProvider = loadSignatureProvider(props, headers); if (headers != null) { headers.setSignatureAlgorithm(theSigProvider.getAlgorithm()); } return theSigProvider; } + public static Properties loadSignatureOutProperties(boolean required) { + Message m = PhaseInterceptorChain.getCurrentMessage(); + return KeyManagementUtils.loadStoreProperties(m, required, + JoseConstants.RSSEC_SIGNATURE_OUT_PROPS, + JoseConstants.RSSEC_SIGNATURE_PROPS); + + } + public static Properties loadSignatureInProperties(boolean required) { + Message m = PhaseInterceptorChain.getCurrentMessage(); + return KeyManagementUtils.loadStoreProperties(m, required, + JoseConstants.RSSEC_SIGNATURE_IN_PROPS, + JoseConstants.RSSEC_SIGNATURE_PROPS); + + } public static JwsSignatureVerifier loadSignatureVerifier(boolean required) { return loadSignatureVerifier(null, required); } public static JwsSignatureVerifier loadSignatureVerifier(JwsHeaders headers, boolean required) { - Message m = PhaseInterceptorChain.getCurrentMessage(); - Properties props = KeyManagementUtils.loadStoreProperties(m, required, - JoseConstants.RSSEC_SIGNATURE_IN_PROPS, - JoseConstants.RSSEC_SIGNATURE_PROPS); - return loadSignatureVerifier(m, props, headers, false); + Properties props = loadSignatureInProperties(required); + return 
loadSignatureVerifier(props, headers); } public static List<JwsSignatureProvider> loadSignatureProviders(String propLoc, Message m) { Properties props = loadJwsProperties(m, propLoc); @@ -261,10 +282,15 @@ public final class JwsUtils { //TODO: validate JWS specific constraints return JoseUtils.validateCriticalHeaders(headers); } + public static JwsSignatureProvider loadSignatureProvider(Properties props, + JoseHeaders headers) { + return loadSignatureProvider(PhaseInterceptorChain.getCurrentMessage(), + props, headers, false); + } public static JwsSignatureProvider loadSignatureProvider(Message m, - Properties props, - JoseHeaders headers, - boolean ignoreNullProvider) { + Properties props, + JoseHeaders headers, + boolean ignoreNullProvider) { JwsSignatureProvider theSigProvider = null; boolean includeCert = headers != null && MessageUtils.getContextualBoolean( @@ -275,7 +301,7 @@ public final class JwsUtils { if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) { JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.SIGN); if (jwk != null) { - String signatureAlgo = getSignatureAlgo(m, props, jwk.getAlgorithm(), getDefaultKeyAlgo(jwk)); + String signatureAlgo = getSignatureAlgorithm(m, props, jwk.getAlgorithm(), getDefaultKeyAlgorithm(jwk)); theSigProvider = JwsUtils.getSignatureProvider(jwk, SignatureAlgorithm.getAlgorithm(signatureAlgo)); boolean includePublicKey = headers != null && MessageUtils.getContextualBoolean( @@ -300,7 +326,7 @@ public final class JwsUtils { } } } else { - String signatureAlgo = getSignatureAlgo(m, props, null, null); + String signatureAlgo = getSignatureAlgorithm(m, props, null, null); if (SignatureAlgorithm.getAlgorithm(signatureAlgo) == SignatureAlgorithm.NONE) { theSigProvider = new NoneJwsSignatureProvider(); } else { 
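Review bot: In the hunk that starts on the previous line, `loadSignatureVerifier(JwsHeaders, boolean)` passes `props` straight into `loadSignatureVerifier(props, headers)` without the `if (props == null) return null;` check its provider-side twin performs a few lines above, so with `required=false` and no inbound properties configured the four-argument verifier will reach `props.get(JoseConstants.RSSEC_KEY_STORE_TYPE)` (visible in a later hunk) and throw a NullPointerException instead of returning null. Unless the start of that method, which lies outside the visible hunks, already handles null props, add the same guard before the return: `if (props == null) { return null; }`. The asymmetry predates this commit, but the new public loaders make the message-free, unconfigured case far more likely.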
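Review bot: The new `loadSignatureProvider(Properties, JoseHeaders)` overload in the second hunk is the message-free entry point promised by the commit title, yet it still resolves `PhaseInterceptorChain.getCurrentMessage()` and hands it to the four-argument method, which immediately uses it in `MessageUtils.getContextualBoolean(m, ...)` and `JwkUtils.loadJsonWebKey(m, props, ...)`; whether those accept a null message cannot be seen here. Suggest a Javadoc block on the new overload stating that `props` must be non-null (the delegate calls `props.get(...)`), that `headers` may be null (every use is guarded by `headers != null`), and that a current message is looked up if one exists, with the null-message behaviour confirmed or documented. The four-argument method's body continues past this hunk.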
@@ -324,7 +350,12 @@ public final class JwsUtils { } return theSigProvider; } - private static JwsSignatureVerifier loadSignatureVerifier(Message m, + public static JwsSignatureVerifier loadSignatureVerifier(Properties props, + JwsHeaders inHeaders) { + return loadSignatureVerifier(PhaseInterceptorChain.getCurrentMessage(), + props, inHeaders, false); + } + public static JwsSignatureVerifier loadSignatureVerifier(Message m, Properties props, JwsHeaders inHeaders, boolean ignoreNullVerifier) { @@ -361,12 +392,12 @@ public final class JwsUtils { if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) { JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.VERIFY, inHeaderKid); if (jwk != null) { - String signatureAlgo = getSignatureAlgo(m, props, jwk.getAlgorithm(), getDefaultKeyAlgo(jwk)); + String signatureAlgo = getSignatureAlgorithm(m, props, jwk.getAlgorithm(), getDefaultKeyAlgorithm(jwk)); theVerifier = getSignatureVerifier(jwk, SignatureAlgorithm.getAlgorithm(signatureAlgo)); } } else { - String signatureAlgo = getSignatureAlgo(m, props, null, null); + String signatureAlgo = getSignatureAlgorithm(m, props, null, null); if (SignatureAlgorithm.getAlgorithm(signatureAlgo) == SignatureAlgorithm.NONE && SignatureAlgorithm.NONE.getJwaName().equals(inHeaders.getAlgorithm())) { theVerifier = new NoneJwsSignatureVerifier(); 
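Review bot: The new public `loadSignatureVerifier(Properties, JwsHeaders)` in the first hunk receives a null `inHeaders` whenever it is reached through `loadSignatureVerifier(boolean)` (which passes `null` down), yet the `none` branch shown in the next hunk evaluates `inHeaders.getAlgorithm()` as soon as the configured algorithm is NONE. Requiring both the configured algorithm and the inbound `alg` header to be `none` before accepting an unsigned JWS is the right check; it just needs to survive a missing header object, e.g. `&& inHeaders != null && SignatureAlgorithm.NONE.getJwaName().equals(inHeaders.getAlgorithm())`. The Javadoc for the now-public four-argument method should also say whether `inHeaders` may be null and what `ignoreNullVerifier` does, since neither is visible here.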
@@ -392,14 +423,17 @@ public final class JwsUtils { } @SuppressWarnings("deprecation") - public static String getSignatureAlgo(Message m, Properties props, String algo, String defaultAlgo) { + public static String getSignatureAlgorithm(Message m, Properties props, String algo, String defaultAlgo) { if (algo == null) { if (defaultAlgo == null) { defaultAlgo = AlgorithmUtils.RS_SHA_256_ALGO; } // Check for deprecated identifier first - String sigAlgo = props.getProperty(JoseConstants.DEPR_RSSEC_SIGNATURE_ALGORITHM); + String sigAlgo = null; + if (props != null) { + sigAlgo = props.getProperty(JoseConstants.DEPR_RSSEC_SIGNATURE_ALGORITHM); + } if (sigAlgo == null && m != null) { sigAlgo = (String)m.getContextualProperty(JoseConstants.DEPR_RSSEC_SIGNATURE_ALGORITHM); } @@ -408,12 +442,19 @@ public final class JwsUtils { } // Otherwise check newer identifier - return KeyManagementUtils.getKeyAlgorithm(m, props, - JoseConstants.RSSEC_SIGNATURE_ALGORITHM, defaultAlgo); + if (props != null) { + return getSignatureAlgorithm(props, defaultAlgo); + } } return algo; } - private static String getDefaultKeyAlgo(JsonWebKey jwk) { + public static String getSignatureAlgorithm(Properties props, String defaultAlgo) { + return KeyManagementUtils.getKeyAlgorithm(PhaseInterceptorChain.getCurrentMessage(), + props, + JoseConstants.RSSEC_SIGNATURE_ALGORITHM, + defaultAlgo); + } + private static String getDefaultKeyAlgorithm(JsonWebKey jwk) { KeyType keyType = jwk.getKeyType(); if (KeyType.OCTET == keyType) { return AlgorithmUtils.HMAC_SHA_256_ALGO; 
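Review bot: In the second hunk, `getSignatureAlgorithm` now returns `algo` (null in this branch) whenever `props` is null, so the RS256 default assigned on the line `defaultAlgo = AlgorithmUtils.RS_SHA_256_ALGO` just above is never applied; before the change `KeyManagementUtils.getKeyAlgorithm` was always consulted with that default. JwsCompactProducer's `if (signatureAlgo != null)` suggests the null return may be deliberate for the unconfigured case, but other callers pass the result straight to `SignatureAlgorithm.getAlgorithm(...)`, so either document it (`@return the resolved algorithm, or null when no properties and no message configuration are available`) or fall back explicitly: `return props != null ? getSignatureAlgorithm(props, defaultAlgo) : defaultAlgo;`. The new two-argument `getSignatureAlgorithm(Properties, String)` also looks up the current message itself, so it is not truly message-free unless `KeyManagementUtils.getKeyAlgorithm` tolerates null.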
@@ -441,10 +482,7 @@ public final class JwsUtils { } public static void validateJwsCertificateChain(List<X509Certificate> certs) { - Message m = PhaseInterceptorChain.getCurrentMessage(); - Properties props = KeyManagementUtils.loadStoreProperties(m, true, - JoseConstants.RSSEC_SIGNATURE_IN_PROPS, - JoseConstants.RSSEC_SIGNATURE_PROPS); + Properties props = loadSignatureInProperties(true); KeyManagementUtils.validateCertificateChain(props, certs); } public static boolean isPayloadUnencoded(JwsHeaders jwsHeaders) {
