Repository: cxf
Updated Branches:
  refs/heads/master a602c9df3 -> d09c4eafb


Add support for selecting a key for decryption using the sha-1 hash in the 
header


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d09c4eaf
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d09c4eaf
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d09c4eaf

Branch: refs/heads/master
Commit: d09c4eafbb8d570c2bfd69270726511cee420645
Parents: e51a7bd
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Mon Oct 26 16:06:58 2015 +0000
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Mon Oct 26 16:21:07 2015 +0000

----------------------------------------------------------------------
 .../rs/security/jose/common/KeyManagementUtils.java  |  4 ++--
 .../apache/cxf/rs/security/jose/jwe/JweUtils.java    | 15 ++++++++++++++-
 2 files changed, 16 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/d09c4eaf/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java
----------------------------------------------------------------------
diff --git 
a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java
 
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java
index 57929c2..3eb4637 100644
--- 
a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java
+++ 
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java
@@ -369,12 +369,12 @@ public final class KeyManagementUtils {
         return props; 
     }
     public static PrivateKey loadPrivateKey(Message m, Properties props, 
-                                            List<X509Certificate> inCerts, 
+                                            X509Certificate inCert, 
                                             KeyOperation keyOper) {
         KeyStore ks = loadPersistKeyStore(m, props);
         
         try {
-            String alias = ks.getCertificateAlias(inCerts.get(0));
+            String alias = ks.getCertificateAlias(inCert);
             return loadPrivateKey(ks, m, props, keyOper, alias);
             
         } catch (Exception ex) {
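Review bot: `ks.getCertificateAlias(inCert)` returns null when the keystore holds no entry for the certificate, and the new single-certificate parameter can itself be null, since the JweUtils caller in this commit passes `chain == null ? null : chain.get(0)`. The alias is handed to `loadPrivateKey(ks, m, props, keyOper, alias)` unchecked. That overload's body is outside the hunk; if it falls back to a configured default alias, a certificate named in the message header would no longer constrain which private key is used for decryption. I would reject the null case before the lookup continues, e.g. `if (inCert == null || alias == null) { /* fail: no keystore entry for the supplied certificate */ }`, and document on the method that `inCert` must be non-null. Replacing `List<X509Certificate>` with `X509Certificate` on a public static method also breaks source compatibility for external callers, so it may be worth keeping the old overload as a deprecated delegate.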

http://git-wip-us.apache.org/repos/asf/cxf/blob/d09c4eaf/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git 
a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
 
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 4591bc3..e23f605 100644
--- 
a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ 
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -368,11 +368,24 @@ public final class JweUtils {
             // Supporting loading a private key via a certificate for now
             List<X509Certificate> chain = 
KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
             KeyManagementUtils.validateCertificateChain(props, chain);
+            X509Certificate cert = chain == null ? null : chain.get(0);
             PrivateKey privateKey = 
-                KeyManagementUtils.loadPrivateKey(m, props, chain, 
KeyOperation.DECRYPT);
+                KeyManagementUtils.loadPrivateKey(m, props, cert, 
KeyOperation.DECRYPT);
             contentEncryptionAlgo = 
inHeaders.getContentEncryptionAlgorithm().getJwaName();
             keyDecryptionProvider = 
getPrivateKeyDecryptionProvider(privateKey, 
                                                                  
inHeaders.getKeyEncryptionAlgorithm());
+        } else if (inHeaders != null && 
inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
+            X509Certificate foundCert = 
+                
KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509Thumbprint(), 
+                                                                
MessageDigestUtils.ALGO_SHA_1,
+                                                                m, props);
+            if (foundCert != null) {
+                PrivateKey privateKey = 
+                    KeyManagementUtils.loadPrivateKey(m, props, foundCert, 
KeyOperation.DECRYPT);
+                contentEncryptionAlgo = 
inHeaders.getContentEncryptionAlgorithm().getJwaName();
+                keyDecryptionProvider = 
getPrivateKeyDecryptionProvider(privateKey, 
+                                                                     
inHeaders.getKeyEncryptionAlgorithm());
+            }
         } else {
             if 
(JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE)))
 {
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, 
KeyOperation.DECRYPT);
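Review bot: When the header carries an x5t thumbprint but `getCertificateFromThumbprint` finds no match, the new `else if` branch does nothing. `foundCert` is null, `keyDecryptionProvider` is never assigned, and the configured-keystore `else` path is skipped, so the failure only surfaces later, in code outside this hunk. I would make the miss explicit with an `else` on `if (foundCert != null)` that logs the unmatched thumbprint and fails with the module's usual decryption error, plus a comment such as `// x5t is sender-controlled: it only selects among local keystore entries, it does not authenticate the sender`. On the x5c path above, `chain.get(0)` is guarded against a null chain but not an empty one; `chain == null || chain.isEmpty() ? null : chain.get(0)` would cover both. The enclosing method starts and ends outside the hunk.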
