Posted to commits@cxf.apache.org by se...@apache.org on 2014/10/22 17:44:16 UTC
git commit: Updating JwsSignatureVerifier to return the algorithm it
actually supports
Repository: cxf
Updated Branches:
refs/heads/master 1858ea6bc -> 1ebe682c6
Updating JwsSignatureVerifier to return the algorithm it actually supports
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1ebe682c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1ebe682c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1ebe682c
Branch: refs/heads/master
Commit: 1ebe682c694893295f16b2c56a499a25808b7e45
Parents: 1858ea6
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Wed Oct 22 16:44:00 2014 +0100
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Wed Oct 22 16:44:00 2014 +0100
----------------------------------------------------------------------
.../jose/jws/EcDsaJwsSignatureVerifier.java | 3 --
.../jose/jws/HmacJwsSignatureVerifier.java | 29 ++++++++------------
.../security/jose/jws/JwsSignatureVerifier.java | 1 +
.../cxf/rs/security/jose/jws/JwsUtils.java | 3 +-
.../jose/jws/PublicKeyJwsSignatureVerifier.java | 9 +++---
.../security/jose/jws/JwsCompactHeaderTest.java | 17 ++++++++----
.../jose/jws/JwsCompactReaderWriterTest.java | 12 +++++---
.../cxf/systest/jaxrs/security/jwt/server.xml | 1 +
.../systest/jaxrs/security/bob.jwk.properties | 1 +
.../jaxrs/security/jws.ec.public.properties | 1 +
10 files changed, 42 insertions(+), 35 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
index 97a8991..6670367 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
@@ -24,9 +24,6 @@ import java.security.spec.AlgorithmParameterSpec;
import org.apache.cxf.rs.security.jose.jwa.Algorithm;
public class EcDsaJwsSignatureVerifier extends PublicKeyJwsSignatureVerifier {
- public EcDsaJwsSignatureVerifier(PublicKey key) {
- this(key, null);
- }
public EcDsaJwsSignatureVerifier(PublicKey key, String supportedAlgo) {
this(key, null, supportedAlgo);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
index e6ac50d..3bdf335 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
@@ -21,10 +21,9 @@ package org.apache.cxf.rs.security.jose.jws;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
-import org.apache.cxf.common.util.Base64Exception;
-import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.common.util.crypto.HmacUtils;
import org.apache.cxf.rs.security.jose.JoseHeaders;
+import org.apache.cxf.rs.security.jose.JoseUtils;
import org.apache.cxf.rs.security.jose.jwa.Algorithm;
public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
@@ -32,28 +31,18 @@ public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
private AlgorithmParameterSpec hmacSpec;
private String supportedAlgo;
- public HmacJwsSignatureVerifier(byte[] key) {
- this(key, null);
+ public HmacJwsSignatureVerifier(String encodedKey, String supportedAlgo) {
+ this(JoseUtils.decode(encodedKey), supportedAlgo);
}
- public HmacJwsSignatureVerifier(byte[] key, AlgorithmParameterSpec spec) {
- this(key, spec, null);
+ public HmacJwsSignatureVerifier(byte[] key, String supportedAlgo) {
+ this(key, null, supportedAlgo);
}
public HmacJwsSignatureVerifier(byte[] key, AlgorithmParameterSpec spec, String supportedAlgo) {
this.key = key;
this.hmacSpec = spec;
this.supportedAlgo = supportedAlgo;
}
- public HmacJwsSignatureVerifier(String encodedKey) {
- this(encodedKey, null);
- }
- public HmacJwsSignatureVerifier(String encodedKey, String supportedAlgo) {
- try {
- this.key = Base64UrlUtility.decode(encodedKey);
- } catch (Base64Exception ex) {
- throw new SecurityException();
- }
- this.supportedAlgo = supportedAlgo;
- }
+
@Override
public boolean verify(JoseHeaders headers, String unsignedText, byte[] signature) {
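Review bot: Both new two-argument constructors pass `supportedAlgo` through unchecked, so a null or non-HMAC value is accepted at construction. With the stricter `checkAlgorithm` later in this file, such a verifier then rejects every token at verify time with a bare `SecurityException`. Validating once in the three-argument constructor would surface the misconfiguration where it is made, e.g. `if (supportedAlgo == null || !Algorithm.isHmacSign(supportedAlgo)) { throw new IllegalArgumentException("supportedAlgo must be an HMAC JWS algorithm"); }`. The `String encodedKey` constructor also no longer catches `Base64Exception`; what `JoseUtils.decode` throws on malformed input is not visible here and should be confirmed. The equivalent null check applies to the `PublicKeyJwsSignatureVerifier` and `EcDsaJwsSignatureVerifier` constructors in the other sections.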
@@ -71,9 +60,13 @@ public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
protected String checkAlgorithm(String algo) {
if (algo == null
|| !Algorithm.isHmacSign(algo)
- || supportedAlgo != null && !supportedAlgo.equals(algo)) {
+ || !algo.equals(supportedAlgo)) {
throw new SecurityException();
}
return algo;
}
+ @Override
+ public String getAlgorithm() {
+ return supportedAlgo;
+ }
}
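Review bot: `checkAlgorithm` still throws `new SecurityException()` with no message. Now that a header algorithm differing from the pinned one is always rejected, that failure cannot be told apart from a missing `alg` header or a wrong algorithm family when diagnosing rejected tokens. A fixed message such as `throw new SecurityException("JWS algorithm is missing or does not match the configured algorithm");` would help, and it keeps the attacker-supplied header value out of the text. The same applies to the `checkAlgorithm` hunk in `PublicKeyJwsSignatureVerifier`. `checkAlgorithm` starts outside this hunk's changed lines, but its whole body is visible.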
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
index 82e4f6b..492c676 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
@@ -22,4 +22,5 @@ import org.apache.cxf.rs.security.jose.JoseHeaders;
public interface JwsSignatureVerifier {
boolean verify(JoseHeaders headers, String unsignedText, byte[] signature);
+ String getAlgorithm();
}
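Review bot: The new `getAlgorithm()` has no Javadoc, so implementors cannot tell whether null is a permitted return value or what callers do with the result. Both implementations in this commit return `supportedAlgo` as is, which is null when the verifier was built without an algorithm. Suggest a comment along the lines of `/** Returns the single JWS algorithm name (for example HS256) this verifier accepts; tokens whose alg header differs are rejected. */` and stating the null contract explicitly. Adding an abstract method also breaks any `JwsSignatureVerifier` implementations outside this module, which deserves a mention in the commit message or release notes.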
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 30e3b8c..c9741a2 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -122,8 +122,9 @@ public final class JwsUtils {
theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo);
} else {
+ rsaSignatureAlgo = getSignatureAlgo(props, null);
theVerifier = new PublicKeyJwsSignatureVerifier(
- (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props));
+ (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props), rsaSignatureAlgo);
}
return theVerifier;
}
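Review bot: `getSignatureAlgo(props, null)` appears to fall back to null when the signature-algorithm property is absent, and the result is passed straight into `PublicKeyJwsSignatureVerifier`. That class's `checkAlgorithm` now rejects every algorithm when `supportedAlgo` is null. A properties file without `rs.security.jws.content.signature.algorithm` would therefore load without complaint and then fail every verification with an unexplained `SecurityException`. Checking here keeps the fail-closed behaviour and makes the cause visible: `if (rsaSignatureAlgo == null) { throw new SecurityException("JWS signature algorithm is not configured"); }`. The enclosing method starts outside the hunk, so the earlier branches could not be checked for the same gap.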
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
index 9f910e8..3ff9d66 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
@@ -31,9 +31,6 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
private AlgorithmParameterSpec signatureSpec;
private String supportedAlgo;
- public PublicKeyJwsSignatureVerifier(PublicKey key) {
- this(key, null);
- }
public PublicKeyJwsSignatureVerifier(PublicKey key, String supportedAlgorithm) {
this(key, null, supportedAlgorithm);
}
@@ -57,7 +54,7 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
protected String checkAlgorithm(String algo) {
if (algo == null
|| !isValidAlgorithmFamily(algo)
- || supportedAlgo != null && !supportedAlgo.equals(algo)) {
+ || !algo.equals(supportedAlgo)) {
throw new SecurityException();
}
return algo;
@@ -65,5 +62,9 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
protected boolean isValidAlgorithmFamily(String algo) {
return Algorithm.isRsaShaSign(algo);
}
+ @Override
+ public String getAlgorithm() {
+ return supportedAlgo;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
index 0cc0a07..942a856 100644
--- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
+++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
@@ -18,6 +18,8 @@
*/
package org.apache.cxf.rs.security.jose.jws;
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+
import org.junit.Assert;
import org.junit.Test;
@@ -114,21 +116,24 @@ public class JwsCompactHeaderTest extends Assert {
public void verifyJwsWithMissingAlgHeaderField() throws Exception {
JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(MISSING_ALG_HEADER_FIELD_IN_JWS);
- assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
}
@Test
public void verifyJwsWithTwoAlgHeaderFieldsBogusFieldFirst() throws Exception {
JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(TWO_ALG_HEADER_FIELDS_IN_JWS_BOGUS_FIRST);
- assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
}
@Test
public void verifyJwsWithTwoAlgHeaderFieldsBogusFieldLast() throws Exception {
JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(TWO_ALG_HEADER_FIELDS_IN_JWS_BOGUS_LAST);
- assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
}
@Test
@@ -137,9 +142,11 @@ public class JwsCompactHeaderTest extends Assert {
JwsCompactConsumer jwsConsumerAltered = new JwsCompactConsumer(ALG_HEADER_VALUE_NONE_IN_JWS);
- assertTrue(jwsConsumerOriginal.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertTrue(jwsConsumerOriginal.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
- assertFalse(jwsConsumerAltered.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertFalse(jwsConsumerAltered.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
}
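Review bot: No test exercises the behaviour this commit introduces, because every updated call pins `HS256` against tokens signed with HS256 and the only altered-header case is `alg: none`. A case where the pinned algorithm differs from a valid HMAC header value is missing, e.g. verifying `jwsConsumerOriginal` with `new HmacJwsSignatureVerifier(ENCODED_MAC_KEY, "HS384")`. A verifier constructed with a null algorithm is also untested. Whether `verifySignatureWith` returns false or lets the `SecurityException` propagate is not visible in this hunk, so the assertion form needs to follow that. The test method containing these lines starts outside the hunk.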
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
index e37b854..6b34b94 100644
--- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
+++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
@@ -129,7 +129,8 @@ public class JwsCompactReaderWriterTest extends Assert {
@Test
public void testReadJwsSignedByMacSpecExample() throws Exception {
JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(ENCODED_TOKEN_SIGNED_BY_MAC);
- assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
JwtToken token = jws.getJwtToken();
JoseHeaders headers = token.getHeaders();
assertEquals(JoseConstants.TYPE_JWT, headers.getType());
@@ -176,7 +177,8 @@ public class JwsCompactReaderWriterTest extends Assert {
@Test
public void testReadJwsWithJwkSignedByMac() throws Exception {
JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(ENCODED_TOKEN_WITH_JSON_KEY_SIGNED_BY_MAC);
- assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+ assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+ Algorithm.HmacSHA256.getJwtName())));
JwtToken token = jws.getJwtToken();
JoseHeaders headers = token.getHeaders();
assertEquals(JoseConstants.TYPE_JWT, headers.getType());
@@ -223,7 +225,8 @@ public class JwsCompactReaderWriterTest extends Assert {
EC_X_POINT_ENCODED,
EC_Y_POINT_ENCODED);
JwsJwtCompactConsumer jwsConsumer = new JwsJwtCompactConsumer(signedJws);
- assertTrue(jwsConsumer.verifySignatureWith(new EcDsaJwsSignatureVerifier(publicKey)));
+ assertTrue(jwsConsumer.verifySignatureWith(new EcDsaJwsSignatureVerifier(publicKey,
+ Algorithm.SHA256withECDSA.getJwtName())));
JwtToken token = jwsConsumer.getJwtToken();
JoseHeaders headersReceived = token.getHeaders();
assertEquals(Algorithm.SHA256withECDSA.getJwtName(), headersReceived.getAlgorithm());
@@ -234,7 +237,8 @@ public class JwsCompactReaderWriterTest extends Assert {
public void testReadJwsSignedByPrivateKey() throws Exception {
JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(ENCODED_TOKEN_SIGNED_BY_PRIVATE_KEY);
RSAPublicKey key = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED, RSA_PUBLIC_EXPONENT_ENCODED);
- assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key)));
+ assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key,
+ JoseConstants.RS_SHA_256_ALGO)));
JwtToken token = jws.getJwtToken();
JoseHeaders headers = token.getHeaders();
assertEquals(Algorithm.SHA256withRSA.getJwtName(), headers.getAlgorithm());
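Review bot: The verifier in this test is pinned with `JoseConstants.RS_SHA_256_ALGO`, while the assertion three lines later and the other updated tests in this file use `Algorithm.<name>.getJwtName()`. Using one source for the algorithm name throughout, e.g. `new PublicKeyJwsSignatureVerifier(key, Algorithm.SHA256withRSA.getJwtName())`, keeps the pinned value and the asserted header value visibly the same constant. The test method continues past the end of the hunk.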
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
index d235dfc..b03b94c 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
@@ -71,6 +71,7 @@ under the License.
<bean id="hmacSigVerifier" class="org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureVerifier">
<constructor-arg value="AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"/>
+ <constructor-arg value="HS256"/>
</bean>
<bean id="jwsHmacInFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwsContainerRequestFilter">
<property name="signatureVerifier" ref="hmacSigVerifier"/>
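Review bot: The two untyped `<constructor-arg>` values leave the choice of constructor to Spring, because after this commit `HmacJwsSignatureVerifier` has both a `(String encodedKey, String supportedAlgo)` and a `(byte[] key, String supportedAlgo)` constructor. If the `byte[]` overload were ever chosen, the base64url text would be used as raw key bytes instead of being decoded. Pinning the type removes that dependency: `<constructor-arg type="java.lang.String" value="..."/>` on the key argument, or `index="0"`/`index="1"` together with `type`.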
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
index 8d43f81..b57af21 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
@@ -21,3 +21,4 @@ rs.security.keystore.alias=2011-04-29
rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
rs.security.jwe.content.encryption.algorithm=A128GCM
rs.security.jwe.key.encryption.algorithm=RSA-OAEP
+rs.security.jws.content.signature.algorithm=RS256
http://git-wip-us.apache.org/repos/asf/cxf/blob/1ebe682c/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
index 9d67710..5178e85 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
@@ -17,3 +17,4 @@
rs.security.keystore.type=jwk
rs.security.keystore.alias=ECKey
rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
+rs.security.jws.content.signature.algorithm=ES256
\ No newline at end of file