Posted to commits@cxf.apache.org by se...@apache.org on 2014/12/04 18:14:13 UTC
cxf git commit: Optional use of default JOSE algorithms by filters
Repository: cxf
Updated Branches:
refs/heads/master 13e01e23e -> d1a52f292
Optional use of default JOSE algorithms by filters
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d1a52f29
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d1a52f29
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d1a52f29
Branch: refs/heads/master
Commit: d1a52f2929b89af4a19f73cc274932c95ad0fbf1
Parents: 13e01e2
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Thu Dec 4 17:13:56 2014 +0000
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Thu Dec 4 17:13:56 2014 +0000
----------------------------------------------------------------------
.../security/jose/jaxrs/KeyManagementUtils.java | 81 +++++++++++++++-----
.../cxf/rs/security/jose/jwe/JweUtils.java | 38 +++++----
.../cxf/rs/security/jose/jwk/JwkUtils.java | 47 ++----------
.../cxf/rs/security/jose/jws/JwsUtils.java | 19 +++--
.../jaxrs/security/jwt/JAXRSJweJwsTest.java | 1 +
.../cxf/systest/jaxrs/security/jwt/server.xml | 1 +
.../jaxrs/security/public.jwk.properties | 3 -
7 files changed, 105 insertions(+), 85 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d1a52f29/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
index cc69b84..6e256ed 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
@@ -30,10 +30,12 @@ import java.util.List;
import java.util.Properties;
import org.apache.cxf.Bus;
+import org.apache.cxf.common.util.PropertyUtils;
import org.apache.cxf.common.util.crypto.CryptoUtils;
import org.apache.cxf.jaxrs.utils.ResourceUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.security.SecurityContext;
@@ -51,6 +53,7 @@ public final class KeyManagementUtils {
public static final String RSSEC_KEY_PSWD_PROVIDER = "rs.security.key.password.provider";
public static final String RSSEC_SIG_KEY_PSWD_PROVIDER = "rs.security.signature.key.password.provider";
public static final String RSSEC_DECRYPT_KEY_PSWD_PROVIDER = "rs.security.decryption.key.password.provider";
+ public static final String RSSEC_DEFAULT_ALGORITHMS = "rs.security.default.algorithms";
private KeyManagementUtils() {
}
@@ -81,41 +84,74 @@ public final class KeyManagementUtils {
}
return propLoc;
}
- public static PrivateKey loadPrivateKey(Properties props, Bus bus, PrivateKeyPasswordProvider provider) {
- KeyStore keyStore = loadKeyStore(props, bus);
- return loadPrivateKey(keyStore, props, bus, provider);
- }
- public static PrivateKey loadPrivateKey(KeyStore keyStore,
+ private static PrivateKey loadPrivateKey(KeyStore keyStore,
+ Message m,
Properties props,
Bus bus,
- PrivateKeyPasswordProvider provider) {
+ PrivateKeyPasswordProvider provider,
+ String keyOper) {
String keyPswd = props.getProperty(RSSEC_KEY_PSWD);
- String alias = props.getProperty(RSSEC_KEY_STORE_ALIAS);
+ String alias = getKeyId(m, props, RSSEC_KEY_STORE_ALIAS, keyOper);
char[] keyPswdChars = provider != null ? provider.getPassword(props)
: keyPswd != null ? keyPswd.toCharArray() : null;
return CryptoUtils.loadPrivateKey(keyStore, keyPswdChars, alias);
}
- public static PrivateKey loadPrivateKey(Message m, String keyStoreLocProp, String passwordProviderProp) {
- return loadPrivateKey(m, keyStoreLocProp, null, passwordProviderProp);
+ public static PrivateKey loadPrivateKey(Message m, String keyStoreLocProp, String keyOper) {
+ return loadPrivateKey(m, keyStoreLocProp, null, keyOper);
}
public static PrivateKey loadPrivateKey(Message m, String keyStoreLocPropPreferred,
- String keyStoreLocPropDefault, String passwordProviderProp) {
+ String keyStoreLocPropDefault, String keyOper) {
String keyStoreLoc = getMessageProperty(m, keyStoreLocPropPreferred, keyStoreLocPropDefault);
Bus bus = m.getExchange().getBus();
try {
Properties props = ResourceUtils.loadProperties(keyStoreLoc, bus);
- return KeyManagementUtils.loadPrivateKey(m, props, passwordProviderProp);
+ return loadPrivateKey(m, props, keyOper);
} catch (Exception ex) {
throw new SecurityException(ex);
}
}
- public static PrivateKey loadPrivateKey(Message m, Properties props, String passwordProviderProp) {
- Bus bus = m.getExchange().getBus();
- KeyStore keyStore = KeyManagementUtils.loadPersistKeyStore(m, props);
+
+ public static String getKeyId(Message m, Properties props, String preferredPropertyName, String keyOper) {
+ String kid = null;
+ String altPropertyName = null;
+ if (keyOper != null) {
+ if (keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT) || keyOper.equals(JsonWebKey.KEY_OPER_DECRYPT)) {
+ altPropertyName = preferredPropertyName + ".jwe";
+ } else if (keyOper.equals(JsonWebKey.KEY_OPER_SIGN) || keyOper.equals(JsonWebKey.KEY_OPER_VERIFY)) {
+ altPropertyName = preferredPropertyName + ".jws";
+ }
+ String direction = m.getExchange().getOutMessage() == m ? ".out" : ".in";
+ kid = (String)MessageUtils.getContextualProperty(m, preferredPropertyName, altPropertyName + direction);
+ }
+
+ if (kid == null) {
+ kid = props.getProperty(preferredPropertyName);
+ }
+ if (kid == null && altPropertyName != null) {
+ kid = props.getProperty(altPropertyName);
+ }
+ return kid;
+ }
+ public static PrivateKeyPasswordProvider loadPasswordProvider(Message m, Properties props, String keyOper) {
PrivateKeyPasswordProvider cb =
- (PrivateKeyPasswordProvider)m.getContextualProperty(passwordProviderProp);
+ (PrivateKeyPasswordProvider)m.getContextualProperty(RSSEC_KEY_PSWD_PROVIDER);
+ if (cb == null && keyOper != null) {
+ String propName = keyOper.equals(JsonWebKey.KEY_OPER_SIGN) ? RSSEC_SIG_KEY_PSWD_PROVIDER
+ : keyOper.equals(JsonWebKey.KEY_OPER_DECRYPT)
+ ? RSSEC_DECRYPT_KEY_PSWD_PROVIDER : null;
+ if (propName != null) {
+ cb = (PrivateKeyPasswordProvider)m.getContextualProperty(propName);
+ }
+ }
+ return cb;
+ }
+
+ public static PrivateKey loadPrivateKey(Message m, Properties props, String keyOper) {
+ Bus bus = m.getExchange().getBus();
+ KeyStore keyStore = loadPersistKeyStore(m, props);
+ PrivateKeyPasswordProvider cb = loadPasswordProvider(m, props, keyOper);
if (cb != null && m.getExchange().getInMessage() != null) {
SecurityContext sc = m.getExchange().getInMessage().get(SecurityContext.class);
if (sc != null) {
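Review bot: The contextual lookup in the new public getKeyId reads `preferredPropertyName` first, `MessageUtils.getContextualProperty(m, preferredPropertyName, altPropertyName + direction)`, whereas the private JwkUtils.getKeyId it replaces (deleted in the JwkUtils hunk) read `altPropertyName` in that position; a contextual `rs.security.keystore.alias.jwe` or `.jws` set without an `.in`/`.out` suffix is therefore no longer honoured for JWK stores, while a contextual `rs.security.keystore.alias` now is, and through the private loadPrivateKey(KeyStore, ...) overload it now also selects the JKS private-key alias, which previously came from the properties file only. If this is intended it deserves a Javadoc sentence on getKeyId stating the lookup order; if not, the first argument should stay `altPropertyName`. In the same method, when keyOper is none of the four JsonWebKey constants altPropertyName remains null and `altPropertyName + direction` queries the literal keys "null.in"/"null.out", so the contextual lookup should be wrapped in `if (altPropertyName != null) {`. Note also that the two formerly public loadPrivateKey overloads taking Properties/KeyStore are removed rather than deprecated, which breaks external callers of this public utility class; the enclosing loadPrivateKey(Message, Properties, String) continues past the hunk.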
@@ -125,13 +161,13 @@ public final class KeyManagementUtils {
}
}
}
- return KeyManagementUtils.loadPrivateKey(keyStore, props, bus, cb);
+ return loadPrivateKey(keyStore, m, props, bus, cb, keyOper);
}
public static KeyStore loadPersistKeyStore(Message m, Properties props) {
- KeyStore keyStore = (KeyStore)m.getExchange().get(props.get(KeyManagementUtils.RSSEC_KEY_STORE_FILE));
+ KeyStore keyStore = (KeyStore)m.getExchange().get(props.get(RSSEC_KEY_STORE_FILE));
if (keyStore == null) {
- keyStore = KeyManagementUtils.loadKeyStore(props, m.getExchange().getBus());
- m.getExchange().put((String)props.get(KeyManagementUtils.RSSEC_KEY_STORE_FILE), keyStore);
+ keyStore = loadKeyStore(props, m.getExchange().getBus());
+ m.getExchange().put((String)props.get(RSSEC_KEY_STORE_FILE), keyStore);
}
return keyStore;
}
@@ -174,4 +210,11 @@ public final class KeyManagementUtils {
return null;
}
}
+ public static String getKeyAlgorithm(Message m, Properties props, String propName, String defaultAlg) {
+ String algo = props.getProperty(propName);
+ if (algo == null && PropertyUtils.isTrue(m.getContextualProperty(RSSEC_DEFAULT_ALGORITHMS))) {
+ algo = defaultAlg;
+ }
+ return algo;
+ }
}
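Review bot: getKeyAlgorithm has no Javadoc and its precedence is not obvious from the signature: the value from the properties file wins, defaultAlg is used only when the property is absent and the contextual `rs.security.default.algorithms` evaluates true, and otherwise null is returned. A Javadoc such as `/** Returns the algorithm configured under propName; when absent, returns defaultAlg only if the contextual {@link #RSSEC_DEFAULT_ALGORITHMS} property is true, otherwise null. */` makes the opt-in explicit. The RSSEC_DEFAULT_ALGORITHMS constant added in the earlier hunk would likewise benefit from a comment naming the defaults the JWE/JWS helpers pass in this commit (RSA-OAEP, A128GCM, RS256), so a deployer enabling the flag knows exactly which algorithms they are accepting.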
http://git-wip-us.apache.org/repos/asf/cxf/blob/d1a52f29/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 06859f3..956e143 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -231,30 +231,28 @@ public final class JweUtils {
}
public static JweEncryptionProvider loadEncryptionProvider(String propLoc, Message m) {
KeyEncryptionAlgorithm keyEncryptionProvider = null;
- String keyEncryptionAlgo = null;
Properties props = null;
try {
props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
} catch (Exception ex) {
throw new SecurityException(ex);
}
-
- String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
+ String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null);
+ String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null);
ContentEncryptionAlgorithm ctEncryptionProvider = null;
if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
- keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm());
+ keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm());
if ("direct".equals(keyEncryptionAlgo)) {
- contentEncryptionAlgo = getContentEncryptionAlgo(props, jwk.getAlgorithm());
+ contentEncryptionAlgo = getContentEncryptionAlgo(m, props, jwk.getAlgorithm());
ctEncryptionProvider = getContentEncryptionAlgorithm(jwk, contentEncryptionAlgo);
} else {
keyEncryptionProvider = getKeyEncryptionAlgorithm(jwk, keyEncryptionAlgo);
}
-
} else {
keyEncryptionProvider = getRSAKeyEncryptionAlgorithm(
(RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props),
- getKeyEncryptionAlgo(props, keyEncryptionAlgo));
+ keyEncryptionAlgo);
}
return createJweEncryptionProvider(keyEncryptionProvider,
ctEncryptionProvider,
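Review bot: In the JWK branch of loadEncryptionProvider, `jwk.getAlgorithm()` is called right after `JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT)` with no null check, whereas the corresponding branches in the JwsUtils hunks guard the same call with `if (jwk != null)`; since loadJsonWebKey's visible `jwkSet.getKey(kid)` path can yield null, an alias that does not resolve here surfaces as a NullPointerException rather than the SecurityException the rest of the method throws, and the same pattern appears in loadDecryptionProvider in the next hunk. Adding `if (jwk == null) { throw new SecurityException("No JWK found for the configured key id"); }` before the getAlgorithm call keeps the failure mode consistent. Separately, the direct-key line `contentEncryptionAlgo = getContentEncryptionAlgo(m, props, jwk.getAlgorithm())` passes the JWK alg that just resolved keyEncryptionAlgo to "direct", so it either returns "direct" as the content algorithm or, when the JWK carries no alg, recomputes the value already held; the decryption path passes the resolved contentEncryptionAlgo instead, which looks like the intended form. loadEncryptionProvider continues past the hunk.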
@@ -283,14 +281,14 @@ public final class JweUtils {
} catch (Exception ex) {
throw new SecurityException(ex);
}
- String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
+ String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null);
SecretKey ctDecryptionKey = null;
- String keyEncryptionAlgo = getKeyEncryptionAlgo(props, null);
+ String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null);
if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_DECRYPT);
- keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm());
+ keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm());
if ("direct".equals(keyEncryptionAlgo)) {
- contentEncryptionAlgo = getContentEncryptionAlgo(props, contentEncryptionAlgo);
+ contentEncryptionAlgo = getContentEncryptionAlgo(m, props, contentEncryptionAlgo);
ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentEncryptionAlgo);
} else {
keyDecryptionProvider = getKeyDecryptionAlgorithm(jwk, keyEncryptionAlgo);
@@ -298,7 +296,7 @@ public final class JweUtils {
} else {
keyDecryptionProvider = getRSAKeyDecryptionAlgorithm(
(RSAPrivateKey)KeyManagementUtils.loadPrivateKey(
- m, props, KeyManagementUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER), keyEncryptionAlgo);
+ m, props, JsonWebKey.KEY_OPER_DECRYPT), keyEncryptionAlgo);
}
return createJweDecryptionProvider(keyDecryptionProvider, ctDecryptionKey, contentEncryptionAlgo);
}
@@ -424,11 +422,19 @@ public final class JweUtils {
return getDirectKeyJweDecryption(ctDecryptionKey, contentDecryptionAlgo);
}
}
- private static String getKeyEncryptionAlgo(Properties props, String algo) {
- return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_KEY_ALGO_PROP) : algo;
+ private static String getKeyEncryptionAlgo(Message m, Properties props, String algo) {
+ if (algo == null) {
+ return KeyManagementUtils.getKeyAlgorithm(m, props,
+ JSON_WEB_ENCRYPTION_KEY_ALGO_PROP, JoseConstants.RSA_OAEP_ALGO);
+ }
+ return algo;
}
- private static String getContentEncryptionAlgo(Properties props, String algo) {
- return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP) : algo;
+ private static String getContentEncryptionAlgo(Message m, Properties props, String algo) {
+ if (algo == null) {
+ return KeyManagementUtils.getKeyAlgorithm(m, props,
+ JSON_WEB_ENCRYPTION_CEK_ALGO_PROP, JoseConstants.A128GCM_ALGO);
+ }
+ return algo;
}
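Review bot: getKeyEncryptionAlgo and getContentEncryptionAlgo (and getSignatureAlgo in the last JwsUtils hunk) now return null when the property is absent and `rs.security.default.algorithms` is not enabled, and in the first hunk that null is passed straight into getRSAKeyEncryptionAlgorithm and createJweEncryptionProvider without a check. Whether a late failure downstream is intended is not visible from here, but each helper should say so in a one-line Javadoc, e.g. `/** Resolves the key encryption algorithm; falls back to RSA-OAEP only when rs.security.default.algorithms is true, otherwise returns null when unconfigured. */`, so readers do not assume the default is unconditional.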
private static String encrypt(KeyEncryptionAlgorithm keyEncryptionProvider,
String contentAlgo, byte[] content, String ct) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/d1a52f29/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
index 817bdcd..cbdaa99 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
@@ -41,7 +41,6 @@ import org.apache.cxf.common.util.crypto.CryptoUtils;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.jaxrs.utils.ResourceUtils;
import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rs.security.jose.JoseConstants;
import org.apache.cxf.rs.security.jose.JoseUtils;
import org.apache.cxf.rs.security.jose.jaxrs.KeyManagementUtils;
@@ -256,9 +255,10 @@ public final class JwkUtils {
}
public static JsonWebKey loadJsonWebKey(Message m, Properties props, String keyOper, JwkReaderWriter reader) {
- PrivateKeyPasswordProvider cb = loadPasswordProvider(m, props, keyOper);
+ PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props, keyOper);
JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
- String kid = getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIAS, keyOper);
+ String kid =
+ KeyManagementUtils.getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIAS, keyOper);
if (kid != null) {
return jwkSet.getKey(kid);
} else if (keyOper != null) {
@@ -275,13 +275,13 @@ public final class JwkUtils {
public static List<JsonWebKey> loadJsonWebKeys(Message m, Properties props, String keyOper,
JwkReaderWriter reader) {
- PrivateKeyPasswordProvider cb = loadPasswordProvider(m, props, keyOper);
+ PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props, keyOper);
JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
- String kid = getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIAS, keyOper);
+ String kid = KeyManagementUtils.getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIAS, keyOper);
if (kid != null) {
return Collections.singletonList(jwkSet.getKey(kid));
}
- String kids = getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIASES, keyOper);
+ String kids = KeyManagementUtils.getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIASES, keyOper);
if (kids != null) {
String[] values = kids.split(",");
List<JsonWebKey> keys = new ArrayList<JsonWebKey>(values.length);
@@ -386,40 +386,7 @@ public final class JwkUtils {
return jwk;
}
- private static String getKeyId(Message m, Properties props, String preferredPropertyName, String keyOper) {
- String kid = null;
- String altPropertyName = null;
- if (keyOper != null) {
- if (keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT) || keyOper.equals(JsonWebKey.KEY_OPER_DECRYPT)) {
- altPropertyName = preferredPropertyName + ".jwe";
- } else if (keyOper.equals(JsonWebKey.KEY_OPER_SIGN) || keyOper.equals(JsonWebKey.KEY_OPER_VERIFY)) {
- altPropertyName = preferredPropertyName + ".jws";
- }
- String direction = m.getExchange().getOutMessage() == m ? ".out" : ".in";
- kid = (String)MessageUtils.getContextualProperty(m, altPropertyName, altPropertyName + direction);
- }
-
- if (kid == null) {
- kid = props.getProperty(preferredPropertyName);
- }
- if (kid == null && altPropertyName != null) {
- kid = props.getProperty(altPropertyName);
- }
- return kid;
- }
- private static PrivateKeyPasswordProvider loadPasswordProvider(Message m, Properties props, String keyOper) {
- PrivateKeyPasswordProvider cb =
- (PrivateKeyPasswordProvider)m.getContextualProperty(KeyManagementUtils.RSSEC_KEY_PSWD_PROVIDER);
- if (cb == null && keyOper != null) {
- String propName = keyOper.equals(JsonWebKey.KEY_OPER_SIGN) ? KeyManagementUtils.RSSEC_SIG_KEY_PSWD_PROVIDER
- : keyOper.equals(JsonWebKey.KEY_OPER_DECRYPT)
- ? KeyManagementUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER : null;
- if (propName != null) {
- cb = (PrivateKeyPasswordProvider)m.getContextualProperty(propName);
- }
- }
- return cb;
- }
+
private static JweEncryptionProvider createDefaultEncryption(char[] password) {
KeyEncryptionAlgorithm keyEncryption =
new PbesHmacAesWrapKeyEncryptionAlgorithm(password, Algorithm.PBES2_HS256_A128KW.getJwtName());
http://git-wip-us.apache.org/repos/asf/cxf/blob/d1a52f29/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index e9d228a..66be06c 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -32,6 +32,7 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.jaxrs.utils.ResourceUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.JoseConstants;
import org.apache.cxf.rs.security.jose.JoseHeaders;
import org.apache.cxf.rs.security.jose.JoseUtils;
import org.apache.cxf.rs.security.jose.jaxrs.KeyManagementUtils;
@@ -219,13 +220,13 @@ public final class JwsUtils {
if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_SIGN);
if (jwk != null) {
- rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
+ rsaSignatureAlgo = getSignatureAlgo(m, props, jwk.getAlgorithm());
theSigProvider = JwsUtils.getSignatureProvider(jwk, rsaSignatureAlgo);
}
} else {
- rsaSignatureAlgo = getSignatureAlgo(props, null);
+ rsaSignatureAlgo = getSignatureAlgo(m, props, null);
RSAPrivateKey pk = (RSAPrivateKey)KeyManagementUtils.loadPrivateKey(m, props,
- KeyManagementUtils.RSSEC_SIG_KEY_PSWD_PROVIDER);
+ JsonWebKey.KEY_OPER_SIGN);
theSigProvider = getRSAKeySignatureProvider(pk, rsaSignatureAlgo);
}
if (theSigProvider == null && !ignoreNullProvider) {
@@ -240,12 +241,12 @@ public final class JwsUtils {
if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_VERIFY);
if (jwk != null) {
- rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
+ rsaSignatureAlgo = getSignatureAlgo(m, props, jwk.getAlgorithm());
theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo);
}
} else {
- rsaSignatureAlgo = getSignatureAlgo(props, null);
+ rsaSignatureAlgo = getSignatureAlgo(m, props, null);
theVerifier = getRSAKeySignatureVerifier(
(RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props), rsaSignatureAlgo);
}
@@ -261,8 +262,12 @@ public final class JwsUtils {
throw new SecurityException(ex);
}
}
- private static String getSignatureAlgo(Properties props, String algo) {
- return algo == null ? props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP) : algo;
+ private static String getSignatureAlgo(Message m, Properties props, String algo) {
+ if (algo == null) {
+ return KeyManagementUtils.getKeyAlgorithm(m, props,
+ JSON_WEB_SIGNATURE_ALGO_PROP, JoseConstants.RS_SHA_256_ALGO);
+ }
+ return algo;
}
private static JwsCompactConsumer verify(JwsSignatureVerifier v, String content) {
JwsCompactConsumer jws = new JwsCompactConsumer(content);
http://git-wip-us.apache.org/repos/asf/cxf/blob/d1a52f29/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
index 08ea2cc..6520caa 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
@@ -217,6 +217,7 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase {
WebClient.getConfig(bs).getRequestContext().put("rs.security.keystore.alias.jwe.out", "AliceCert");
WebClient.getConfig(bs).getRequestContext().put("rs.security.keystore.alias.jws.in", "AliceCert");
+ WebClient.getConfig(bs).getRequestContext().put("rs.security.default.algorithms", "true");
String text = bs.echoText("book");
assertEquals("book", text);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/d1a52f29/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
index d357cb9..64986d9 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
@@ -117,6 +117,7 @@ under the License.
<entry key="rs.security.keystore.alias.jws.in" value="BobCert"/>
<entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
<entry key="rs.security.decryption.key.password.provider" value-ref="keyPasswordProvider"/>
+ <entry key="rs.security.default.algorithms" value="true"/>
</jaxrs:properties>
</jaxrs:server>
<bean id="jackson" class="com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider"/>
http://git-wip-us.apache.org/repos/asf/cxf/blob/d1a52f29/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
index 6cb973e..a5f89b7 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
@@ -18,6 +18,3 @@
#
rs.security.keystore.type=jwk
rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
-rs.security.jwe.content.encryption.algorithm=A128GCM
-rs.security.jwe.key.encryption.algorithm=RSA-OAEP
-rs.security.jws.content.signature.algorithm=RS256