Posted to commits@cxf.apache.org by se...@apache.org on 2015/11/16 12:15:21 UTC
cxf git commit: Updating the OAuth2 utility code to load client
secret providers
Repository: cxf
Updated Branches:
refs/heads/master 4ced4ae4f -> 591a3ac7f
Updating the OAuth2 utility code to load client secret providers
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/591a3ac7
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/591a3ac7
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/591a3ac7
Branch: refs/heads/master
Commit: 591a3ac7f19177d87f2964eb9f5849b334294359
Parents: 4ced4ae
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Mon Nov 16 11:15:06 2015 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Mon Nov 16 11:15:06 2015 +0000
----------------------------------------------------------------------
.../cxf/rs/security/jose/jwe/JweUtils.java | 39 ++++++++++-------
.../security/jose/jwe/JweJsonProducerTest.java | 2 +-
.../provider/AbstractOAuthJoseJwtConsumer.java | 40 +++++------------
.../provider/AbstractOAuthJoseJwtProducer.java | 33 +++-----------
.../security/oauth2/utils/OAuthConstants.java | 5 ++-
.../rs/security/oauth2/utils/OAuthUtils.java | 46 ++++++++++++++++++++
6 files changed, 91 insertions(+), 74 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/591a3ac7/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 08e5bf9..8168184 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -216,26 +216,30 @@ public final class JweUtils {
return getContentEncryptionProvider(jwk, null);
}
public static ContentEncryptionProvider getContentEncryptionProvider(JsonWebKey jwk,
- String defaultAlgorithm) {
- String ctEncryptionAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm();
- ContentEncryptionProvider contentEncryptionProvider = null;
+ ContentAlgorithm defaultAlgorithm) {
+ ContentAlgorithm ctAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm
+ : getContentAlgo(jwk.getAlgorithm());
KeyType keyType = jwk.getKeyType();
if (KeyType.OCTET == keyType) {
- return getContentEncryptionProvider(JwkUtils.toSecretKey(jwk),
- getContentAlgo(ctEncryptionAlgo));
+ return getContentEncryptionProvider(JwkUtils.toSecretKey(jwk), ctAlgo);
+ } else {
+ return null;
}
- return contentEncryptionProvider;
}
public static ContentEncryptionProvider getContentEncryptionProvider(SecretKey key,
ContentAlgorithm algorithm) {
+ return getContentEncryptionProvider(key.getEncoded(), algorithm);
+ }
+ public static ContentEncryptionProvider getContentEncryptionProvider(byte[] key,
+ ContentAlgorithm algorithm) {
if (AlgorithmUtils.isAesGcm(algorithm.getJwaName())) {
return new AesGcmContentEncryptionAlgorithm(key, null, algorithm);
}
return null;
}
- public static ContentEncryptionProvider getContentEncryptionProvider(String algorithm) {
- if (AlgorithmUtils.isAesGcm(algorithm)) {
- return new AesGcmContentEncryptionAlgorithm(getContentAlgo(algorithm));
+ public static ContentEncryptionProvider getContentEncryptionProvider(ContentAlgorithm algorithm) {
+ if (AlgorithmUtils.isAesGcm(algorithm.getJwaName())) {
+ return new AesGcmContentEncryptionAlgorithm(algorithm);
}
return null;
}
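Review bot: The new `getContentEncryptionProvider(byte[] key, ContentAlgorithm algorithm)` overload receives whatever `SecretKey.getEncoded()` returns, and that JDK method returns null for keys whose provider does not expose the raw material, so a non-extractable key now reaches `new AesGcmContentEncryptionAlgorithm(null, null, algorithm)` instead of being rejected at the boundary; the same `key.getEncoded()` forwarding is introduced in the `-264` (`getDirectKeyJweEncryption`) and `-276` (`getDirectKeyJweDecryption`) hunks. A guard such as `if (key == null) { throw new IllegalArgumentException("SecretKey does not expose its encoded key material"); }` at the top of each `byte[]` overload keeps the failure where it can be diagnosed. Separately, the JWK overload now calls `getContentAlgo(jwk.getAlgorithm())` before the key-type check, whereas the removed code only converted the string inside the `OCTET` branch; if `getContentAlgo` rejects names that are not content algorithms (its body is not visible here), a non-octet JWK carrying a key-management `alg` would now fail here rather than returning null as before. The computed `ctAlgo` is also unchecked, so a JWK with no `alg` and a null `defaultAlgorithm` proceeds to `algorithm.getJwaName()` in the `byte[]` overload.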
@@ -264,9 +268,11 @@ public final class JweUtils {
getContentAlgo(key.getAlgorithm()));
}
public static JweEncryption getDirectKeyJweEncryption(SecretKey key, ContentAlgorithm algo) {
+ return getDirectKeyJweEncryption(key.getEncoded(), algo);
+ }
+ public static JweEncryption getDirectKeyJweEncryption(byte[] key, ContentAlgorithm algo) {
if (AlgorithmUtils.isAesCbcHmac(algo.getJwaName())) {
- return new AesCbcHmacJweEncryption(algo, key.getEncoded(),
- null, new DirectKeyEncryptionAlgorithm());
+ return new AesCbcHmacJweEncryption(algo, key, null, new DirectKeyEncryptionAlgorithm());
} else {
return new JweEncryption(new DirectKeyEncryptionAlgorithm(),
getContentEncryptionProvider(key, algo));
@@ -276,6 +282,9 @@ public final class JweUtils {
return getDirectKeyJweDecryption(JwkUtils.toSecretKey(key), getContentAlgo(key.getAlgorithm()));
}
public static JweDecryption getDirectKeyJweDecryption(SecretKey key, ContentAlgorithm algorithm) {
+ return getDirectKeyJweDecryption(key.getEncoded(), algorithm);
+ }
+ public static JweDecryption getDirectKeyJweDecryption(byte[] key, ContentAlgorithm algorithm) {
if (AlgorithmUtils.isAesCbcHmac(algorithm.getJwaName())) {
return new AesCbcHmacJweDecryption(new DirectKeyDecryptionAlgorithm(key), algorithm);
} else {
@@ -318,7 +327,7 @@ public final class JweUtils {
contentAlgo = getContentEncryptionAlgorithm(m, props,
ContentAlgorithm.getAlgorithm(jwk.getAlgorithm()),
ContentAlgorithm.A128GCM);
- ctEncryptionProvider = getContentEncryptionProvider(jwk, contentAlgo.getJwaName());
+ ctEncryptionProvider = getContentEncryptionProvider(jwk, contentAlgo);
} else {
keyAlgo = getKeyEncryptionAlgorithm(m, props,
KeyAlgorithm.getAlgorithm(jwk.getAlgorithm()),
@@ -486,9 +495,9 @@ public final class JweUtils {
}
public static JweEncryptionProvider createJweEncryptionProvider(KeyEncryptionProvider keyEncryptionProvider,
JweHeaders headers) {
- String contentEncryptionAlgo = headers.getContentEncryptionAlgorithm().getJwaName();
- if (AlgorithmUtils.isAesCbcHmac(contentEncryptionAlgo)) {
- return new AesCbcHmacJweEncryption(getContentAlgo(contentEncryptionAlgo), keyEncryptionProvider);
+ ContentAlgorithm contentEncryptionAlgo = headers.getContentEncryptionAlgorithm();
+ if (AlgorithmUtils.isAesCbcHmac(contentEncryptionAlgo.getJwaName())) {
+ return new AesCbcHmacJweEncryption(contentEncryptionAlgo, keyEncryptionProvider);
} else {
return new JweEncryption(keyEncryptionProvider,
getContentEncryptionProvider(contentEncryptionAlgo));
http://git-wip-us.apache.org/repos/asf/cxf/blob/591a3ac7/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
index 67d7105..fb3785d 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
@@ -282,7 +282,7 @@ public class JweJsonProducerTest extends Assert {
KeyEncryptionProvider keyEncryption1 =
JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey1, KeyAlgorithm.A128KW);
ContentEncryptionProvider contentEncryption =
- JweUtils.getContentEncryptionProvider(AlgorithmUtils.A128GCM_ALGO);
+ JweUtils.getContentEncryptionProvider(ContentAlgorithm.A128GCM);
JweEncryptionProvider jwe1 = new JweEncryption(keyEncryption1, contentEncryption);
KeyEncryptionProvider keyEncryption2 =
JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey2, KeyAlgorithm.A128KW);
http://git-wip-us.apache.org/repos/asf/cxf/blob/591a3ac7/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
index 175346e..4e6e7a7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
@@ -18,21 +18,12 @@
*/
package org.apache.cxf.rs.security.oauth2.provider;
-import java.util.Properties;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
-import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
-import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
+import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.rt.security.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsumer {
@@ -46,29 +37,18 @@ public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsum
}
protected JwsSignatureVerifier getInitializedSignatureVerifier(String clientSecret) {
- if (verifyWithClientSecret) {
- Properties props = JwsUtils.loadSignatureInProperties(false);
- SignatureAlgorithm sigAlgo = SignatureAlgorithm.getAlgorithm(
- props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM));
- sigAlgo = sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256;
- if (AlgorithmUtils.isHmacSign(sigAlgo)) {
- return JwsUtils.getHmacSignatureVerifier(clientSecret, sigAlgo);
- }
+ if (verifyWithClientSecret && !StringUtils.isEmpty(clientSecret)) {
+ return OAuthUtils.getClientSecretSignatureVerifier(clientSecret);
+ } else {
+ return null;
}
- return null;
}
protected JweDecryptionProvider getInitializedDecryptionProvider(String clientSecret) {
- JweDecryptionProvider theDecryptionProvider = null;
- if (decryptWithClientSecret) {
- SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);
- Properties props = JweUtils.loadEncryptionInProperties(false);
- ContentAlgorithm ctAlgo = ContentAlgorithm.getAlgorithm(
- props.getProperty(OAuthConstants.CLIENT_SECRET_ENCRYPTION_ALGORITHM));
- ctAlgo = ctAlgo != null ? ctAlgo : ContentAlgorithm.A128GCM;
- theDecryptionProvider = JweUtils.getDirectKeyJweDecryption(key, ctAlgo);
+ if (decryptWithClientSecret && !StringUtils.isEmpty(clientSecret)) {
+ return OAuthUtils.getClientSecretDecryptionProvider(clientSecret);
+ } else {
+ return null;
}
- return theDecryptionProvider;
-
}
public void setDecryptWithClientSecret(boolean decryptWithClientSecret) {
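Review bot: `getInitializedSignatureVerifier` now returns null when `verifyWithClientSecret` is set but `clientSecret` is empty, where the removed code handed the empty secret to `JwsUtils.getHmacSignatureVerifier`; what the base `AbstractJoseJwtConsumer` does with a null verifier is outside this hunk, and if it falls back to a property-configured verifier or skips signature checking, a client record without a secret would be verified on a different path than the one configured for it. The same applies to `getInitializedDecryptionProvider` just below. A short Javadoc on both methods stating the contract, e.g. `Returns null when client-secret verification is disabled or no client secret is available; callers must handle a null return`, would make the fallback explicit, and a log warning in the "enabled but secret missing" branch would make the misconfiguration visible rather than silent.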
http://git-wip-us.apache.org/repos/asf/cxf/blob/591a3ac7/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
index 5e1c870..4563842 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
@@ -18,22 +18,12 @@
*/
package org.apache.cxf.rs.security.oauth2.provider;
-import java.util.Properties;
-
-import javax.crypto.SecretKey;
-
import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
-import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
-import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
-import org.apache.cxf.rt.security.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProducer {
private boolean encryptWithClientSecret;
@@ -47,26 +37,17 @@ public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProduc
protected JwsSignatureProvider getInitializedSignatureProvider(String clientSecret) {
if (signWithClientSecret && !StringUtils.isEmpty(clientSecret)) {
- Properties props = JwsUtils.loadSignatureOutProperties(false);
- SignatureAlgorithm sigAlgo = SignatureAlgorithm.getAlgorithm(
- props.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM));
- sigAlgo = sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256;
- if (AlgorithmUtils.isHmacSign(sigAlgo)) {
- return JwsUtils.getHmacSignatureProvider(clientSecret, sigAlgo);
- }
+ return OAuthUtils.getClientSecretSignatureProvider(clientSecret);
+ } else {
+ return null;
}
- return null;
}
protected JweEncryptionProvider getInitializedEncryptionProvider(String clientSecret) {
if (encryptWithClientSecret && !StringUtils.isEmpty(clientSecret)) {
- SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);
- Properties props = JweUtils.loadEncryptionOutProperties(false);
- ContentAlgorithm ctAlgo = ContentAlgorithm.getAlgorithm(
- props.getProperty(OAuthConstants.CLIENT_SECRET_ENCRYPTION_ALGORITHM));
- ctAlgo = ctAlgo != null ? ctAlgo : ContentAlgorithm.A128GCM;
- return JweUtils.getDirectKeyJweEncryption(key, ctAlgo);
+ return OAuthUtils.getClientSecretEncryptionProvider(clientSecret);
+ } else {
+ return null;
}
- return null;
}
public void setEncryptWithClientSecret(boolean encryptWithClientSecret) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/591a3ac7/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
index e15f85e..b8f3687 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthConstants.java
@@ -131,8 +131,9 @@ public final class OAuthConstants {
// Client Secret (JWS) Signature Algorithm
public static final String CLIENT_SECRET_SIGNATURE_ALGORITHM = "client.secret.signature.algorithm";
- // Client Secret (JWE) Encryption Algorithm
- public static final String CLIENT_SECRET_ENCRYPTION_ALGORITHM = "client.secret.encryption.algorithm";
+ // Client Secret (JWE) Content Encryption Algorithm
+ public static final String CLIENT_SECRET_CONTENT_ENCRYPTION_ALGORITHM =
+ "client.secret.content.encryption.algorithm";
// Client Secret Encrypting Algorithm
private OAuthConstants() {
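Review bot: Renaming the property key from `client.secret.encryption.algorithm` to `client.secret.content.encryption.algorithm` with no fallback means an existing configuration under the old key is no longer read; the lookup in OAuthUtils then silently defaults to `A128GCM`, which changes the content algorithm for already-deployed clients without any warning. Keeping the old constant alongside for one release, `@Deprecated public static final String CLIENT_SECRET_ENCRYPTION_ALGORITHM = "client.secret.encryption.algorithm";`, and consulting it as a fallback in the lookup would preserve compatibility. The context line `// Client Secret Encrypting Algorithm` now immediately precedes the private constructor and describes no constant; it should be removed or completed.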
http://git-wip-us.apache.org/repos/asf/cxf/blob/591a3ac7/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index ad190df..51a67a2 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -23,6 +23,7 @@ import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
+import java.util.Properties;
import java.util.Set;
import javax.servlet.http.HttpSession;
@@ -34,6 +35,15 @@ import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.jaxrs.model.URITemplate;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
+import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
+import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.oauth2.common.AuthenticationMethod;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
@@ -253,5 +263,41 @@ public final class OAuthUtils {
return clientToken;
}
+ public static JwsSignatureProvider getClientSecretSignatureProvider(String clientSecret) {
+ return JwsUtils.getHmacSignatureProvider(clientSecret, getClientSecretSignatureAlgorithm());
+ }
+ public static JwsSignatureVerifier getClientSecretSignatureVerifier(String clientSecret) {
+ return JwsUtils.getHmacSignatureVerifier(clientSecret, getClientSecretSignatureAlgorithm());
+ }
+
+ public static JweDecryptionProvider getClientSecretDecryptionProvider(String clientSecret) {
+ byte[] key = StringUtils.toBytesUTF8(clientSecret);
+ return JweUtils.getDirectKeyJweDecryption(key, getClientSecretContentAlgorithm());
+ }
+
+ public static JweEncryptionProvider getClientSecretEncryptionProvider(String clientSecret) {
+ byte[] key = StringUtils.toBytesUTF8(clientSecret);
+ return JweUtils.getDirectKeyJweEncryption(key, getClientSecretContentAlgorithm());
+ }
+ private static ContentAlgorithm getClientSecretContentAlgorithm() {
+ Properties props = JweUtils.loadEncryptionInProperties(false);
+ ContentAlgorithm ctAlgo = ContentAlgorithm.getAlgorithm(
+ props.getProperty(OAuthConstants.CLIENT_SECRET_CONTENT_ENCRYPTION_ALGORITHM));
+ ctAlgo = ctAlgo != null ? ctAlgo : ContentAlgorithm.A128GCM;
+ return ctAlgo;
+ }
+
+ private static SignatureAlgorithm getClientSecretSignatureAlgorithm() {
+ Properties sigProps = JwsUtils.loadSignatureOutProperties(false);
+ SignatureAlgorithm sigAlgo = SignatureAlgorithm.getAlgorithm(
+ sigProps.getProperty(OAuthConstants.CLIENT_SECRET_SIGNATURE_ALGORITHM));
+ sigAlgo = sigAlgo != null ? sigAlgo : SignatureAlgorithm.HS256;
+ if (!AlgorithmUtils.isHmacSign(sigAlgo)) {
+ // Must be HS-based for the symmetric signature
+ throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
+ } else {
+ return sigAlgo;
+ }
+ }
}
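Review bot: The two private helpers read only one direction's configuration: `getClientSecretSignatureAlgorithm()` always calls `JwsUtils.loadSignatureOutProperties(false)`, so the verifier built for the consumer now takes its algorithm from the outbound signature properties where the code it replaces (the `-46` hunk of AbstractOAuthJoseJwtConsumer) used `JwsUtils.loadSignatureInProperties(false)`, and `getClientSecretContentAlgorithm()` always calls `JweUtils.loadEncryptionInProperties(false)`, so the encryption provider for the producer now reads the inbound encryption properties where the replaced code (the `-47` hunk of AbstractOAuthJoseJwtProducer) used `JweUtils.loadEncryptionOutProperties(false)`. A deployment that configures the in and out property sets differently will sign or encrypt with the wrong algorithm, or fall back to `HS256` / `A128GCM` without notice when the key is absent on that side. Passing the direction into the helpers restores the previous lookups (excerpt below). Separately, the JWE key is now `StringUtils.toBytesUTF8(clientSecret)` rather than `CryptoUtils.decodeSecretKey(clientSecret)`, which changes the key bytes derived from any existing secret and leaves the length unchecked against the selected content algorithm; if that is intended, a comment on `getClientSecretEncryptionProvider` and `getClientSecretDecryptionProvider` stating that the secret is used as raw UTF-8 key material and must match the algorithm's key size would save the next reader a surprise.
```java
public static JwsSignatureProvider getClientSecretSignatureProvider(String clientSecret) {
    return JwsUtils.getHmacSignatureProvider(clientSecret, getClientSecretSignatureAlgorithm(true));
}
public static JwsSignatureVerifier getClientSecretSignatureVerifier(String clientSecret) {
    return JwsUtils.getHmacSignatureVerifier(clientSecret, getClientSecretSignatureAlgorithm(false));
}
// … unchanged: getClientSecretDecryptionProvider passes false, getClientSecretEncryptionProvider passes true …
private static ContentAlgorithm getClientSecretContentAlgorithm(boolean outbound) {
    Properties props = outbound ? JweUtils.loadEncryptionOutProperties(false)
                                : JweUtils.loadEncryptionInProperties(false);
    // … unchanged: property lookup and A128GCM default …
}
private static SignatureAlgorithm getClientSecretSignatureAlgorithm(boolean outbound) {
    Properties sigProps = outbound ? JwsUtils.loadSignatureOutProperties(false)
                                   : JwsUtils.loadSignatureInProperties(false);
    // … unchanged: property lookup, HS256 default and HMAC-only check …
}
```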