Reprsenting PublicKeys loaded from Java KeyStore as JWK, renaming DefaultJwkReaderWriter into JwkReaderWriter
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/066333db Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/066333db Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/066333db Branch: refs/heads/3.1.x-fixes Commit: 066333db4adeabbbc44a8033b4ac80a16a23ed78 Parents: 1b8ab71 Author: Sergey Beryozkin <sberyoz...@gmail.com> Authored: Wed Nov 25 12:58:49 2015 +0000 Committer: Sergey Beryozkin <sberyoz...@gmail.com> Committed: Wed Nov 25 13:18:26 2015 +0000 ---------------------------------------------------------------------- .../rs/security/jose/common/JoseConstants.java | 6 + .../cxf/rs/security/jose/jwe/JweUtils.java | 26 +++- .../jose/jwk/DefaultJwkReaderWriter.java | 49 -------- .../cxf/rs/security/jose/jwk/JsonWebKeys.java | 13 +- .../rs/security/jose/jwk/JwkReaderWriter.java | 27 +++- .../cxf/rs/security/jose/jwk/JwkUtils.java | 123 ++++++++----------- .../cxf/rs/security/jose/jws/JwsUtils.java | 13 +- .../oidc/rp/AbstractTokenValidator.java | 2 + 8 files changed, 129 insertions(+), 130 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/066333db/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java index d7761b4..7069069 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java 
@@ -132,6 +132,12 @@ public final class JoseConstants { public static final String RSSEC_SIGNATURE_ALGORITHM = "rs.security.signature.algorithm"; /** + * The EC Curve to use with EC keys loaded from Java Key Store. + * JWK EC Keys are expected to use a standard "crv" property instead. + */ + public static final String RSSEC_EC_CURVE = "rs.security.elliptic.curve"; + + /** * The OLD signature algorithm identifier. Use RSSEC_SIGNATURE_ALGORITHM instead. */ @Deprecated http://git-wip-us.apache.org/repos/asf/cxf/blob/066333db/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java index 8168184..ba902f5 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java @@ -50,6 +50,7 @@ import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils; import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm; import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm; import org.apache.cxf.rs.security.jose.jwk.JsonWebKey; +import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys; import org.apache.cxf.rs.security.jose.jwk.JwkUtils; import org.apache.cxf.rs.security.jose.jwk.KeyOperation; import org.apache.cxf.rs.security.jose.jwk.KeyType; 
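Review bot: The Javadoc on the new `RSSEC_EC_CURVE` constant does not say what value format is expected or what happens when the property is absent, and the two readers added in this commit disagree on the latter: JweUtils reads it as `props.getProperty(JoseConstants.RSSEC_EC_CURVE, JsonWebKey.EC_CURVE_P256)` and so assumes P-256, while JwkUtils.fromPublicKey passes the raw, possibly null, value into fromECPublicKey. Since the string is used verbatim as the JWK `crv`, suggest extending the comment with ` * The value is a JWK "crv" name such as "P-256"; JWE key wrapping assumes P-256 when it is unset, JWK export does not default it.` Nothing validates the configured name against the curve the loaded key is actually on, which is worth stating here as well so deployers know a wrong value is not caught at load time.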
@@ -149,7 +150,13 @@ public final class JweUtils { } return keyEncryptionProvider; } - public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key, KeyAlgorithm algo) { + public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key, + KeyAlgorithm algo) { + return getPublicKeyEncryptionProvider(key, null, algo); + } + public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key, + Properties props, + KeyAlgorithm algo) { if (key instanceof RSAPublicKey) { return new RSAKeyEncryptionAlgorithm((RSAPublicKey)key, algo); } else if (key instanceof ECPublicKey) { @@ -158,8 +165,10 @@ public final class JweUtils { if (m != null) { ctAlgo = getContentAlgo((String)m.get(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM)); } + String curve = props == null ? JsonWebKey.EC_CURVE_P256 + : props.getProperty(JoseConstants.RSSEC_EC_CURVE, JsonWebKey.EC_CURVE_P256); return new EcdhAesWrapKeyEncryptionAlgorithm((ECPublicKey)key, - JsonWebKey.EC_CURVE_P256, + curve, algo, ctAlgo == null ? ContentAlgorithm.A128GCM : ctAlgo); } @@ -358,6 +367,7 @@ public final class JweUtils { } else { keyEncryptionProvider = getPublicKeyEncryptionProvider( KeyManagementUtils.loadPublicKey(m, props), + props, keyAlgo); if (includeCert) { headers.setX509Chain(KeyManagementUtils.loadAndEncodeX509CertificateOrChain(m, props)); 
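Review bot: In the `@@ -158,8 +165,10 @@` hunk the curve name handed to EcdhAesWrapKeyEncryptionAlgorithm now comes from configuration (`RSSEC_EC_CURVE`, defaulting to P-256) rather than from the key, and nothing checks that it matches the curve the `ECPublicKey` is actually on even though the key carries its domain parameters via `getParams()`. A mismatch will presumably surface only as a late ECDH failure, or as a wrong derivation depending on what the algorithm class does with the name, instead of a clear configuration error; comparing the configured name against the key's parameters (field size or order) and rejecting a mismatch with a JweException before the provider is built would fail fast. Note also that the new two-argument overload delegates with `props == null`, so every existing caller silently gets P-256 regardless of the key. getPublicKeyEncryptionProvider's body continues outside the hunk.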
@@ -775,5 +785,15 @@ public final class JweUtils { throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE); } } - + public static JsonWebKeys loadPublicKeyEncryptionKeys(Message m, Properties props) { + String storeType = props.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE); + if ("jwk".equals(storeType)) { + return JwkUtils.loadPublicJwkSet(m, props); + } else { + //TODO: consider loading all the public keys in the store + PublicKey key = KeyManagementUtils.loadPublicKey(m, props); + JsonWebKey jwk = JwkUtils.fromPublicKey(key, props, JoseConstants.RSSEC_ENCRYPTION_KEY_ALGORITHM); + return new JsonWebKeys(jwk); + } + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/066333db/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java deleted file mode 100644 index dec8006..0000000 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java +++ /dev/null 
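Review bot: The JWK built in the non-"jwk" branch of `loadPublicKeyEncryptionKeys` carries no `kid`: JwkUtils.fromPublicKey, as added in this commit, sets only the key material (and an algorithm for RSA), although KeyManagementUtils.loadPublicKey selects the key by store alias. Consumers that match on key id (JwkUtils.loadJsonWebKey matches on kid, and JsonWebKeys.getKeyIdMap feeds AbstractTokenValidator) will therefore only find it when the set has exactly one entry. Presumably the alias is the natural id here; setting it on the JWK through JsonWebKey's key-id setter, e.g. from `props.getProperty(JoseConstants.RSSEC_KEY_STORE_ALIAS)`, before wrapping it in `new JsonWebKeys(jwk)` would keep the keystore and JWK paths interchangeable. The TODO about loading all public keys from the store should then also cover assigning each one its alias as kid.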
@@ -1,49 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwk; - -import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter; - - - - - -public class DefaultJwkReaderWriter extends JsonMapObjectReaderWriter - implements JwkReaderWriter { - @Override - public String jwkSetToJson(JsonWebKeys jwks) { - return toJson(jwks); - } - @Override - public JsonWebKeys jsonToJwkSet(String jwksJson) { - JsonWebKeys jwks = new JsonWebKeys(); - fromJson(jwks, jwksJson); - return jwks; - } - @Override - public String jwkToJson(JsonWebKey jwk) { - return toJson(jwk); - } - @Override - public JsonWebKey jsonToJwk(String jwkJson) { - JsonWebKey jwk = new JsonWebKey(); - fromJson(jwk, jwkJson); - return jwk; - } -} http://git-wip-us.apache.org/repos/asf/cxf/blob/066333db/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java index 28011b3..ce53af8 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java @@ -29,6 +29,15 @@ import org.apache.cxf.jaxrs.json.basic.JsonMapObject; public class JsonWebKeys extends JsonMapObject { public static final String KEYS_PROPERTY = "keys"; + public JsonWebKeys() { + + } + public JsonWebKeys(JsonWebKey key) { + setInitKey(key); + } + private void setInitKey(JsonWebKey key) { + setKey(key); + } public List<JsonWebKey> getKeys() { List<?> list = (List<?>)super.getProperty(KEYS_PROPERTY); if (list != null && !list.isEmpty()) { @@ -48,7 +57,9 @@ public class JsonWebKeys extends JsonMapObject { return null; } } - + public void setKey(JsonWebKey key) { + setKeys(Collections.singletonList(key)); + } public void setKeys(List<JsonWebKey> keys) { super.setProperty(KEYS_PROPERTY, keys); } http://git-wip-us.apache.org/repos/asf/cxf/blob/066333db/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java index 679b7aa..bbbaaac 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java 
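Review bot: The new `JsonWebKeys(JsonWebKey key)` constructor and `setKey` accept null without complaint and store `Collections.singletonList(null)` under "keys", so a caller's mistake only shows up later when the list is read; an `Objects.requireNonNull(key, "key");` at the top of setKey turns it into an error at the construction site. The private `setInitKey` indirection is presumably there so the constructor does not call the public, overridable `setKey`; a one-line comment such as `// kept private so the constructor does not invoke an overridable method` would stop the next reader from inlining it. The class body continues outside the hunk.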
@@ -18,10 +18,27 @@ */ package org.apache.cxf.rs.security.jose.jwk; +import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter; -public interface JwkReaderWriter { - String jwkToJson(JsonWebKey jwk); - JsonWebKey jsonToJwk(String jwkJson); - String jwkSetToJson(JsonWebKeys jwkSet); - JsonWebKeys jsonToJwkSet(String jwkSetJson); + + + + +public class JwkReaderWriter extends JsonMapObjectReaderWriter { + public String jwkSetToJson(JsonWebKeys jwks) { + return toJson(jwks); + } + public JsonWebKeys jsonToJwkSet(String jwksJson) { + JsonWebKeys jwks = new JsonWebKeys(); + fromJson(jwks, jwksJson); + return jwks; + } + public String jwkToJson(JsonWebKey jwk) { + return toJson(jwk); + } + public JsonWebKey jsonToJwk(String jwkJson) { + JsonWebKey jwk = new JsonWebKey(); + fromJson(jwk, jwkJson); + return jwk; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/066333db/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java index 3fca28d..c0bbcba 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java 
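Review bot: Turning `JwkReaderWriter` from a public interface into a concrete class, together with dropping the `JwkReaderWriter`-parameter overloads from JwkUtils later in this commit, is a source- and binary-incompatible change on the `3.1.x-fixes` branch: any user class that `implements JwkReaderWriter` or calls one of the removed overloads stops compiling, and already-compiled code fails at link time with an IncompatibleClassChangeError. If custom readers are no longer meant to be pluggable, consider keeping the interface and making this class its default implementation, or at least calling the break out in the commit message and release notes. The class also deserves a Javadoc stating that `jsonToJwk`/`jsonToJwkSet` return whatever `fromJson` accepts, i.e. no `keys`/`kty` presence check is performed, so malformed input presumably surfaces later as a missing property rather than here.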
@@ -115,16 +115,16 @@ public final class JwkUtils { return readJwkSet(IOUtils.readStringFromStream(is)); } public static JsonWebKey readJwkKey(String jwkJson) { - return new DefaultJwkReaderWriter().jsonToJwk(jwkJson); + return new JwkReaderWriter().jsonToJwk(jwkJson); } public static JsonWebKeys readJwkSet(String jwksJson) { - return new DefaultJwkReaderWriter().jsonToJwkSet(jwksJson); + return new JwkReaderWriter().jsonToJwkSet(jwksJson); } public static String jwkKeyToJson(JsonWebKey jwkKey) { - return new DefaultJwkReaderWriter().jwkToJson(jwkKey); + return new JwkReaderWriter().jwkToJson(jwkKey); } public static String jwkSetToJson(JsonWebKeys jwkSet) { - return new DefaultJwkReaderWriter().jwkSetToJson(jwkSet); + return new JwkReaderWriter().jwkSetToJson(jwkSet); } public static String encodeJwkKey(JsonWebKey jwkKey) { return Base64UrlUtility.encode(jwkKeyToJson(jwkKey)); @@ -139,13 +139,10 @@ public final class JwkUtils { return readJwkSet(JoseUtils.decodeToString(jwksJson)); } public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password) { - return encryptJwkSet(jwkSet, password, new DefaultJwkReaderWriter()); + return encryptJwkSet(jwkSet, createDefaultEncryption(password)); } - public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password, JwkReaderWriter writer) { - return encryptJwkSet(jwkSet, createDefaultEncryption(password), writer); - } - public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe, JwkReaderWriter writer) { - return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkSetToJson(jwkSet)), + public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe) { + return jwe.encrypt(StringUtils.toBytesUTF8(new JwkReaderWriter().jwkSetToJson(jwkSet)), toJweHeaders("jwk-set+json")); } public static String encryptJwkSet(JsonWebKeys jwkSet, PublicKey key, KeyAlgorithm keyAlgo, 
@@ -162,13 +159,10 @@ public final class JwkUtils { "jwk-set+json"); } public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password) { - return decryptJwkSet(jsonJwkSet, password, new DefaultJwkReaderWriter()); - } - public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password, JwkReaderWriter reader) { - return decryptJwkSet(jsonJwkSet, createDefaultDecryption(password), reader); + return decryptJwkSet(jsonJwkSet, createDefaultDecryption(password)); } - public static JsonWebKeys decryptJwkSet(String jsonJwkSet, JweDecryptionProvider jwe, JwkReaderWriter reader) { - return reader.jsonToJwkSet(jwe.decrypt(jsonJwkSet).getContentText()); + public static JsonWebKeys decryptJwkSet(String jsonJwkSet, JweDecryptionProvider jwe) { + return new JwkReaderWriter().jsonToJwkSet(jwe.decrypt(jsonJwkSet).getContentText()); } public static JsonWebKeys decryptJwkSet(PrivateKey key, KeyAlgorithm keyAlgo, ContentAlgorithm ctAlgo, String jsonJwkSet) { 
@@ -181,25 +175,20 @@ public final class JwkUtils { String jsonJwkSet) { return readJwkSet(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwkSet))); } - public static JsonWebKeys decryptJwkSet(InputStream is, char[] password) throws IOException { - return decryptJwkSet(is, password, new DefaultJwkReaderWriter()); - } - public static JsonWebKeys decryptJwkSet(InputStream is, char[] password, JwkReaderWriter reader) + public static JsonWebKeys decryptJwkSet(InputStream is, char[] password) throws IOException { - return decryptJwkSet(is, createDefaultDecryption(password), reader); + return decryptJwkSet(is, createDefaultDecryption(password)); } - public static JsonWebKeys decryptJwkSet(InputStream is, JweDecryptionProvider jwe, JwkReaderWriter reader) + public static JsonWebKeys decryptJwkSet(InputStream is, JweDecryptionProvider jwe) throws IOException { - return reader.jsonToJwkSet(jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText()); + return new JwkReaderWriter().jsonToJwkSet( + jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText()); } - public static String encryptJwkKey(JsonWebKey jwk, char[] password) { - return encryptJwkKey(jwk, password, new DefaultJwkReaderWriter()); + public static String encryptJwkKey(JsonWebKey jwkKey, char[] password) { + return encryptJwkKey(jwkKey, createDefaultEncryption(password)); } - public static String encryptJwkKey(JsonWebKey jwkKey, char[] password, JwkReaderWriter writer) { - return encryptJwkKey(jwkKey, createDefaultEncryption(password), writer); - } - public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe, JwkReaderWriter writer) { - return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkToJson(jwkKey)), + public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe) { + return jwe.encrypt(StringUtils.toBytesUTF8(new JwkReaderWriter().jwkToJson(jwkKey)), toJweHeaders("jwk+json")); } public static String encryptJwkKey(JsonWebKey jwkKey, PublicKey key, 
KeyAlgorithm keyAlgo, @@ -216,10 +205,7 @@ public final class JwkUtils { return JwsUtils.sign(key, algo, jwkKeyToJson(jwkKey), "jwk+json"); } public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password) { - return decryptJwkKey(jsonJwkKey, password, new DefaultJwkReaderWriter()); - } - public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password, JwkReaderWriter reader) { - return decryptJwkKey(jsonJwkKey, createDefaultDecryption(password), reader); + return decryptJwkKey(jsonJwkKey, createDefaultDecryption(password)); } public static JsonWebKey decryptJwkKey(PrivateKey key, KeyAlgorithm keyAlgo, ContentAlgorithm ctAlgo, String jsonJwk) { 
@@ -232,29 +218,26 @@ public final class JwkUtils { String jsonJwk) { return readJwkKey(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwk))); } - public static JsonWebKey decryptJwkKey(String jsonJwkKey, JweDecryptionProvider jwe, JwkReaderWriter reader) { - return reader.jsonToJwk(jwe.decrypt(jsonJwkKey).getContentText()); + public static JsonWebKey decryptJwkKey(String jsonJwkKey, JweDecryptionProvider jwe) { + return new JwkReaderWriter().jsonToJwk(jwe.decrypt(jsonJwkKey).getContentText()); } - public static JsonWebKey decryptJwkKey(InputStream is, char[] password) throws IOException { - return decryptJwkKey(is, password, new DefaultJwkReaderWriter()); - } - public static JsonWebKey decryptJwkKey(InputStream is, char[] password, JwkReaderWriter reader) + public static JsonWebKey decryptJwkKey(InputStream is, char[] password) throws IOException { - return decryptJwkKey(is, createDefaultDecryption(password), reader); + return decryptJwkKey(is, createDefaultDecryption(password)); } - public static JsonWebKey decryptJwkKey(InputStream is, JweDecryptionProvider jwe, JwkReaderWriter reader) + public static JsonWebKey decryptJwkKey(InputStream is, JweDecryptionProvider jwe) throws IOException { - return reader.jsonToJwk(jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText()); + return new JwkReaderWriter().jsonToJwk( + jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText()); } - public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb) { - return loadJwkSet(m, props, cb, new DefaultJwkReaderWriter()); + public static JsonWebKeys loadPublicJwkSet(Message m, Properties props) { + return loadJwkSet(m, props, null); } - public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb, - JwkReaderWriter reader) { + public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb) { String key = (String)props.get(JoseConstants.RSSEC_KEY_STORE_FILE); 
JsonWebKeys jwkSet = key != null ? (JsonWebKeys)m.getExchange().get(key) : null; if (jwkSet == null) { - jwkSet = loadJwkSet(props, m.getExchange().getBus(), cb, reader); + jwkSet = loadJwkSet(props, m.getExchange().getBus(), cb); if (key != null) { m.getExchange().put(key, jwkSet); } @@ -262,16 +245,12 @@ public final class JwkUtils { return jwkSet; } public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider cb) { - return loadJwkSet(props, bus, cb, new DefaultJwkReaderWriter()); - } - public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider cb, - JwkReaderWriter reader) { JweDecryptionProvider decryption = cb != null ? new AesCbcHmacJweDecryption(new PbesHmacAesWrapKeyDecryptionAlgorithm( cb.getPassword(props))) : null; - return loadJwkSet(props, bus, decryption, reader); + return loadJwkSet(props, bus, decryption); } - public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JweDecryptionProvider jwe, JwkReaderWriter reader) { + public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JweDecryptionProvider jwe) { String keyContent = null; String keyStoreLoc = props.getProperty(JoseConstants.RSSEC_KEY_STORE_FILE); if (keyStoreLoc != null) { 
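Review bot: `loadPublicJwkSet` (in the `@@ -232,29 +218,26 @@` hunk) only passes a null PrivateKeyPasswordProvider through to loadJwkSet; it does not strip private parameters from what it returns. A local JWK store typically holds private keys, and loadJwkSet also returns the set cached in the Exchange under the store file name, so the "public" set handed to JweUtils.loadPublicKeyEncryptionKeys / JwsUtils.loadPublicVerificationKeys can carry `d`, `p`, `q` or a symmetric `k`; if those callers feed a published JWKS endpoint, private key material leaks. Suggest projecting each key to its public members before returning, and documenting that the null provider means an encrypted store cannot be read by this method. loadJwkSet's body continues outside the hunk.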
@@ -293,25 +272,21 @@ public final class JwkUtils { if (jwe != null) { keyContent = jwe.decrypt(keyContent).getContentText(); } + JwkReaderWriter reader = new JwkReaderWriter(); if (props.getProperty(JoseConstants.RSSEC_KEY_STORE_JWKKEY) == null) { return reader.jsonToJwkSet(keyContent); } else { - JsonWebKey key = reader.jsonToJwk(keyContent); - JsonWebKeys keys = new JsonWebKeys(); - keys.setKeys(Collections.singletonList(key)); - return keys; + JsonWebKey jwk = reader.jsonToJwk(keyContent); + return new JsonWebKeys(jwk); } } + public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper) { return loadJsonWebKey(m, props, keyOper, null); } public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper, String inHeaderKid) { - return loadJsonWebKey(m, props, keyOper, inHeaderKid, new DefaultJwkReaderWriter()); - } - public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper, String inHeaderKid, - JwkReaderWriter reader) { PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props, keyOper); - JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader); + JsonWebKeys jwkSet = loadJwkSet(m, props, cb); String kid = null; if (inHeaderKid != null && MessageUtils.getContextualBoolean(m, JoseConstants.RSSEC_ACCEPT_PUBLIC_KEY, false)) { 
@@ -329,15 +304,11 @@ public final class JwkUtils { } return null; } - public static List<JsonWebKey> loadJsonWebKeys(Message m, Properties props, KeyOperation keyOper) { - return loadJsonWebKeys(m, props, keyOper, new DefaultJwkReaderWriter()); - } - - public static List<JsonWebKey> loadJsonWebKeys(Message m, Properties props, - KeyOperation keyOper, - JwkReaderWriter reader) { + public static List<JsonWebKey> loadJsonWebKeys(Message m, + Properties props, + KeyOperation keyOper) { PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props, keyOper); - JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader); + JsonWebKeys jwkSet = loadJwkSet(m, props, cb); String kid = KeyManagementUtils.getKeyId(m, props, JoseConstants.RSSEC_KEY_STORE_ALIAS, keyOper); if (kid != null) { return Collections.singletonList(jwkSet.getKey(kid)); @@ -401,6 +372,16 @@ public final class JwkUtils { jwk.setProperty(JsonWebKey.RSA_PUBLIC_EXP, encodedPublicExponent); return jwk; } + public static JsonWebKey fromPublicKey(PublicKey key, Properties props, String algoProp) { + // EC keys can be supported once we figure out how to get a curve name + // from an EC key instance or if a curve property is introduced + if (key instanceof RSAPublicKey) { + return JwkUtils.fromRSAPublicKey((RSAPublicKey)key, algoProp); + } else { + return JwkUtils.fromECPublicKey((ECPublicKey)key, + props.getProperty(JoseConstants.RSSEC_EC_CURVE)); + } + } public static JsonWebKey fromX509CertificateChain(List<X509Certificate> chain, String algo) { JsonWebKey jwk = new JsonWebKey(); jwk.setAlgorithm(algo); http://git-wip-us.apache.org/repos/asf/cxf/blob/066333db/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java ---------------------------------------------------------------------- 
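Review bot: `fromPublicKey` (in the `@@ -401,6 +372,16 @@` hunk) passes the property name `algoProp`, e.g. `rs.security.encryption.key.algorithm` from JweUtils, to `fromRSAPublicKey` instead of that property's value; `props` is in scope but never consulted for it. If fromRSAPublicKey's second argument is the algorithm identifier it stores as `alg`, the way fromX509CertificateChain's `algo` visibly is, the exported JWK advertises the configuration key as its algorithm — the likely intent is `return JwkUtils.fromRSAPublicKey((RSAPublicKey)key, props.getProperty(algoProp));`. The else branch also casts any non-RSA key to ECPublicKey unchecked, so a DSA or other key from the store fails with a ClassCastException rather than a clear error, and the leading comment ("EC keys can be supported once we figure out...") is stale now that the curve property exists. Consider `} else if (key instanceof ECPublicKey) {` with an explicit exception for anything else, and a null check on the curve property since fromECPublicKey is otherwise handed null as `crv`.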
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java index e20388f..710baa7 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java @@ -45,6 +45,7 @@ import org.apache.cxf.rs.security.jose.common.KeyManagementUtils; import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils; import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm; import org.apache.cxf.rs.security.jose.jwk.JsonWebKey; +import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys; import org.apache.cxf.rs.security.jose.jwk.JwkUtils; import org.apache.cxf.rs.security.jose.jwk.KeyOperation; import org.apache.cxf.rs.security.jose.jwk.KeyType; @@ -503,5 +504,15 @@ public final class JwsUtils { throw new JwsException(JwsException.Error.INVALID_KEY); } } - + public static JsonWebKeys loadPublicVerificationKeys(Message m, Properties props) { + String storeType = props.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE); + if ("jwk".equals(storeType)) { + return JwkUtils.loadPublicJwkSet(m, props); + } else { + //TODO: consider loading all the public keys in the store + PublicKey key = KeyManagementUtils.loadPublicKey(m, props); + JsonWebKey jwk = JwkUtils.fromPublicKey(key, props, JoseConstants.RSSEC_SIGNATURE_ALGORITHM); + return new JsonWebKeys(jwk); + } + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/066333db/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java ---------------------------------------------------------------------- 
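Review bot: `loadPublicVerificationKeys` is a line-for-line copy of JweUtils.loadPublicKeyEncryptionKeys from the same commit, differing only in the algorithm property passed to fromPublicKey, so the store-type dispatch (`"jwk".equals(storeType)`, the TODO about loading all keys) now lives in two places and will drift. A single helper in JwkUtils taking the algorithm property name, with both methods reduced to a one-line call passing their own constant, keeps the behaviour in one spot. Note also that a null or differently-cased store type (`JWK`) silently takes the Java keystore path; whether RSSEC_KEY_STORE_TYPE is compared case-insensitively elsewhere is not visible here, but the comparison should match wherever that property is otherwise interpreted.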
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java index 6ee14ac..6011577 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java @@ -122,6 +122,8 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume } else if (keys.getKeys().size() == 1) { key = keys.getKeys().get(0); } + //jwkSetClient returns the most up-to-date keys + keyMap.clear(); keyMap.putAll(keys.getKeyIdMap()); } }
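Review bot: `keyMap.clear()` followed by `keyMap.putAll(...)` is not atomic, and keyMap is presumably shared state on the validator rather than a local; a concurrent validation looking up its `kid` between the two calls sees an empty map and fails, or, if the surrounding code treats a miss as a reason to refetch from jwkSetClient, triggers yet another fetch. Building the replacement first and swapping it in one step — e.g. assigning a fresh unmodifiable map to the field, or doing the clear/putAll under the same lock the readers use — closes the window. The branch that decides when this refresh runs starts before the hunk, so whether readers are already synchronized cannot be confirmed from here; if an unknown `kid` in an incoming token is what drives the refetch, the fetch should also stay rate-limited so a client cannot hammer the provider's JWKS endpoint through this path.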