Repository: cxf Updated Branches: refs/heads/master a602c9df3 -> d09c4eafb
Add support for selecting a key for decryption using the sha-1 hash in the header
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d09c4eaf
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d09c4eaf
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d09c4eaf
Branch: refs/heads/master
Commit: d09c4eafbb8d570c2bfd69270726511cee420645
Parents: e51a7bd
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Mon Oct 26 16:06:58 2015 +0000
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Mon Oct 26 16:21:07 2015 +0000
----------------------------------------------------------------------
.../rs/security/jose/common/KeyManagementUtils.java | 4 ++--
.../apache/cxf/rs/security/jose/jwe/JweUtils.java | 15 ++++++++++++++-
2 files changed, 16 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d09c4eaf/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java
index 57929c2..3eb4637 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/KeyManagementUtils.java
@@ -369,12 +369,12 @@ public final class KeyManagementUtils {
 return props;
 }
 public static PrivateKey loadPrivateKey(Message m, Properties props,
- List<X509Certificate> inCerts,
+ X509Certificate inCert,
 KeyOperation keyOper) {
 KeyStore ks = loadPersistKeyStore(m, props);
 try {
- String alias = ks.getCertificateAlias(inCerts.get(0));
+ String alias = ks.getCertificateAlias(inCert);
 return loadPrivateKey(ks, m, props, keyOper, alias);
 } catch (Exception ex) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/d09c4eaf/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 4591bc3..e23f605 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
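Review bot: Changing the public signature of `loadPrivateKey` from `List<X509Certificate> inCerts` to `X509Certificate inCert` is a source- and binary-incompatible change for any external caller of `KeyManagementUtils`; keeping the old overload as a one-line delegating wrapper, `return loadPrivateKey(m, props, inCerts == null || inCerts.isEmpty() ? null : inCerts.get(0), keyOper);`, would avoid the break while still routing everything through the new method. With the new parameter a null certificate no longer fails at `inCerts.get(0)` but reaches `ks.getCertificateAlias(null)`, which returns a null alias rather than throwing, so whatever the five-argument `loadPrivateKey(ks, m, props, keyOper, alias)` does with a null alias (outside this hunk) now decides the error the caller sees. An explicit null check at the top of the method with a message naming the missing certificate would keep the failure local and informative. The method's `catch (Exception ex)` and the rest of its body continue past the end of the hunk.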
@@ -368,11 +368,24 @@ public final class JweUtils {
 // Supporting loading a private key via a certificate for now
 List<X509Certificate> chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
 KeyManagementUtils.validateCertificateChain(props, chain);
+ X509Certificate cert = chain == null ? null : chain.get(0);
 PrivateKey privateKey =
- KeyManagementUtils.loadPrivateKey(m, props, chain, KeyOperation.DECRYPT);
+ KeyManagementUtils.loadPrivateKey(m, props, cert, KeyOperation.DECRYPT);
 contentEncryptionAlgo = inHeaders.getContentEncryptionAlgorithm().getJwaName();
 keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, inHeaders.getKeyEncryptionAlgorithm());
+ } else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
+ X509Certificate foundCert =
+ KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509Thumbprint(),
+ MessageDigestUtils.ALGO_SHA_1,
+ m, props);
+ if (foundCert != null) {
+ PrivateKey privateKey =
+ KeyManagementUtils.loadPrivateKey(m, props, foundCert, KeyOperation.DECRYPT);
+ contentEncryptionAlgo = inHeaders.getContentEncryptionAlgorithm().getJwaName();
+ keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey,
+ inHeaders.getKeyEncryptionAlgorithm());
+ }
 } else {
 if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.DECRYPT);
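Review bot: When `getCertificateFromThumbprint` returns null, the new `else if` branch silently falls through and leaves `keyDecryptionProvider` unset, so the caller fails later with no indication that the `x5t` value in the header matched nothing in the configured keystore; failing explicitly at that point, with the same exception the enclosing method raises elsewhere for a missing decryptor (the method's head and tail are outside the hunk), would make the misconfiguration diagnosable. The `x5t` value is untrusted header content and must only ever act as a selector among the recipient's own keys loaded for `KeyOperation.DECRYPT`, which the keystore-backed lookup appears to guarantee; a one-line comment saying so above the branch would spare the next reader that analysis. The added line `X509Certificate cert = chain == null ? null : chain.get(0);` still throws `IndexOutOfBoundsException` on an empty chain, whereas `X509Certificate cert = chain == null || chain.isEmpty() ? null : chain.get(0);` handles both cases. As a point of style, the header is fetched twice (`getHeader(JoseConstants.HEADER_X509_THUMBPRINT)` then `getX509Thumbprint()`), and the three lines deriving `privateKey`, `contentEncryptionAlgo` and `keyDecryptionProvider` are now duplicated verbatim between the chain and thumbprint branches and could share a private helper taking the selected certificate.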