Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 030fd7f4d -> ac1dbc498
Making HS algo configurable when verifying with a client secret Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ac1dbc49 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ac1dbc49 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ac1dbc49 Branch: refs/heads/3.1.x-fixes Commit: ac1dbc4984cb86a0deda1db79899ff20471c9c97 Parents: 030fd7f Author: Sergey Beryozkin <[email protected]> Authored: Wed Nov 11 16:40:40 2015 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Nov 11 16:42:01 2015 +0000 ---------------------------------------------------------------------- .../rs/security/jose/jwa/AlgorithmUtils.java | 21 +++++++++++++++++--- .../provider/AbstractOAuthJoseJwtConsumer.java | 10 ++++++++-- 2 files changed, 26 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/ac1dbc49/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java
index 76854ca..0145b5d 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java
@@ -221,9 +221,6 @@ public final class AlgorithmUtils {
 public static boolean isAesCbcHmac(String algo) {
 return ACBC_HS_SET.contains(algo);
 }
- public static boolean isHmacSign(String algo) {
- return HMAC_SIGN_SET.contains(algo);
- }
 public static boolean isOctet(String algo) {
 return isHmacSign(algo)
 || isAesCbcHmac(algo)
@@ -231,18 +228,36 @@ public final class AlgorithmUtils {
 || isAesGcmKeyWrap(algo)
 || isAesKeyWrap(algo);
 }
+ public static boolean isHmacSign(String algo) {
+ return HMAC_SIGN_SET.contains(algo);
+ }
+ public static boolean isHmacSign(SignatureAlgorithm algo) {
+ return isHmacSign(algo.getJwaName());
+ }
 public static boolean isRsaSign(String algo) {
 return isRsaShaSign(algo) || isRsaShaPsSign(algo);
 }
+ public static boolean isRsaSign(SignatureAlgorithm algo) {
+ return isRsaSign(algo.getJwaName());
+ }
 public static boolean isRsaShaSign(String algo) {
 return RSA_SHA_SIGN_SET.contains(algo);
 }
+ public static boolean isRsaShaSign(SignatureAlgorithm algo) {
+ return isRsaShaSign(algo.getJwaName());
+ }
 public static boolean isRsaShaPsSign(String algo) {
 return RSA_SHA_PS_SIGN_SET.contains(algo);
 }
+ public static boolean isRsaShaPsSign(SignatureAlgorithm algo) {
+ return isRsaShaPsSign(algo.getJwaName());
+ }
 public static boolean isEcDsaSign(String algo) {
 return EC_SHA_SIGN_SET.contains(algo);
 }
+ public static boolean isEcDsaSign(SignatureAlgorithm algo) {
+ return isEcDsaSign(algo.getJwaName());
+ }
 public static String toJwaName(String javaName, int keyBitSize) {
 //TODO: perhaps a key should be a name+keysize pair
http://git-wip-us.apache.org/repos/asf/cxf/blob/ac1dbc49/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
index 42a66de..e799e35 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
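Review bot: The new `SignatureAlgorithm` overloads (`isHmacSign`, `isRsaSign`, `isRsaShaSign`, `isRsaShaPsSign`, `isEcDsaSign`) call `algo.getJwaName()` with no null check, so a null argument throws instead of being classified as "not this family". The caller added to AbstractOAuthJoseJwtConsumer in this commit passes the result of `JwsUtils.getSignatureAlgorithm(...)` straight in; whether that can return null is not visible here. Writing each overload as `return algo != null && isHmacSign(algo.getJwaName());` keeps these helpers fail-closed when they gate verifier selection. A one-line Javadoc on each overload stating that it delegates to the String variant via the JWA name would also help.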
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
@@ -18,8 +18,11 @@
 */
 package org.apache.cxf.rs.security.oauth2.provider;
+import java.util.Properties;
+
 import javax.crypto.SecretKey;
+import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
@@ -43,8 +46,11 @@ public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsum
 protected JwsSignatureVerifier getInitializedSignatureVerifier(String clientSecret) {
 if (verifyWithClientSecret) {
- byte[] hmac = CryptoUtils.decodeSequence(clientSecret);
- return JwsUtils.getHmacSignatureVerifier(hmac, SignatureAlgorithm.HS256);
+ Properties props = JwsUtils.loadSignatureInProperties(false);
+ SignatureAlgorithm sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.HS256);
+ if (AlgorithmUtils.isHmacSign(sigAlgo)) {
+ return JwsUtils.getHmacSignatureVerifier(clientSecret, sigAlgo);
+ }
 }
 return null;
 }
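Review bot: In `getInitializedSignatureVerifier`, when `verifyWithClientSecret` is set but the configured algorithm is not an HS* one, the new `if (AlgorithmUtils.isHmacSign(sigAlgo))` falls through to `return null` without any signal, so a misconfigured signature algorithm quietly disables client-secret verification. What the caller does with a null verifier is not visible in this hunk; if it falls back to another verifier or skips the check, this fails open, so I would fail closed with something like `else { throw new IllegalStateException("verifyWithClientSecret requires an HMAC algorithm, configured: " + sigAlgo); }` (or the project's own exception type). The secret is also now handed as a String to `JwsUtils.getHmacSignatureVerifier(clientSecret, sigAlgo)` instead of going through `CryptoUtils.decodeSequence`; it is worth confirming that this overload decodes the secret the same way, so existing clients keep the same key bytes. Since HS384/HS512 can now be selected, a comment noting that the client secret should be at least as long as the hash output (RFC 7518, section 3.2) would help deployers.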
