Posted to commits@cxf.apache.org by se...@apache.org on 2015/04/03 12:37:19 UTC
cxf git commit: [CXF-6133] Replacing SecurityException with
JwsExceptiion in the jws code
Repository: cxf
Updated Branches:
refs/heads/master ff1068002 -> 318cfdaeb
[CXF-6133] Replacing SecurityException with JwsExceptiion in the jws code
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/318cfdae
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/318cfdae
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/318cfdae
Branch: refs/heads/master
Commit: 318cfdaeb15b8d230829d120f894bec6f15bc836
Parents: ff10680
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Fri Apr 3 11:36:59 2015 +0100
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Fri Apr 3 11:36:59 2015 +0100
----------------------------------------------------------------------
.../cxf/rs/security/jose/JoseException.java | 10 ++----
.../apache/cxf/rs/security/jose/JoseUtils.java | 9 +++--
.../jaxrs/AbstractJwsJsonReaderProvider.java | 7 +++-
.../jaxrs/AbstractJwsJsonWriterProvider.java | 7 +++-
.../jose/jaxrs/JwsClientResponseFilter.java | 3 +-
.../jose/jaxrs/JwsJsonClientResponseFilter.java | 3 +-
.../jaxrs/JwtAuthenticationClientFilter.java | 3 +-
.../jose/jaxrs/JwtAuthenticationFilter.java | 7 ++--
.../jose/jaxrs/JwtJwsAuthenticationFilter.java | 3 +-
.../cxf/rs/security/jose/jwe/JweException.java | 32 ++++++++++++-----
.../jose/jws/AbstractJwsSignatureProvider.java | 11 +++---
.../jose/jws/EcDsaJwsSignatureVerifier.java | 7 ++--
.../jose/jws/HmacJwsSignatureProvider.java | 10 +++---
.../jose/jws/HmacJwsSignatureVerifier.java | 13 +++++--
.../security/jose/jws/JwsCompactConsumer.java | 17 ++++++---
.../cxf/rs/security/jose/jws/JwsException.java | 28 ++++++++++-----
.../rs/security/jose/jws/JwsJsonConsumer.java | 38 ++++++++++----------
.../security/jose/jws/JwsJsonOutputStream.java | 38 +++++++++-----------
.../rs/security/jose/jws/JwsJsonProducer.java | 15 +++++---
.../jose/jws/JwsJsonSignatureEntry.java | 20 +++++++----
.../rs/security/jose/jws/JwsOutputStream.java | 16 +++------
.../cxf/rs/security/jose/jws/JwsUtils.java | 26 +++++++++-----
.../jws/PrivateKeyJwsSignatureProvider.java | 14 +++-----
.../jose/jws/PublicKeyJwsSignatureVerifier.java | 16 ++++++---
24 files changed, 212 insertions(+), 141 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java
index 79fbad2..a71a098 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseException.java
@@ -22,16 +22,12 @@ public class JoseException extends RuntimeException {
private static final long serialVersionUID = 4118589816228511524L;
public JoseException() {
-
+
}
- public JoseException(String text) {
- super(text);
+ public JoseException(String error) {
+ super(error);
}
public JoseException(Throwable cause) {
super(cause);
}
- public JoseException(String text, Throwable cause) {
- super(text, cause);
- }
- //Jose Error enum can be introduced too
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
index 122c3eb..f3e25c1 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java
@@ -22,12 +22,14 @@ import java.io.UnsupportedEncodingException;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.crypto.CryptoUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
public final class JoseUtils {
-
+ private static final Logger LOG = LogUtils.getL7dLogger(JoseUtils.class);
private JoseUtils() {
}
@@ -57,7 +59,8 @@ public final class JoseUtils {
if (requestContext == null && headerContext != null
|| requestContext != null && headerContext == null
|| !requestContext.equals(headerContext)) {
- throw new SecurityException();
+ LOG.warning("Invalid JOSE context property");
+ throw new JoseException();
}
}
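Review bot: The third clause of this guard, `!requestContext.equals(headerContext)`, is reached when both values are null and would then throw a NullPointerException instead of the new JoseException, unless a check outside the hunk already excludes that case. Spelling the comparison as `requestContext == null ? headerContext != null : !requestContext.equals(headerContext)` makes the both-null outcome an explicit decision. The thrown exception also carries no text although the constructor taking a String is kept by this commit; `throw new JoseException("Invalid JOSE context property");` would give callers the same information as the log line. The enclosing method starts outside the hunk.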
@@ -86,7 +89,7 @@ public final class JoseUtils {
try {
return new String(decode(encoded), "UTF-8");
} catch (UnsupportedEncodingException ex) {
- throw new SecurityException(ex);
+ throw new JoseException(ex);
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
index 17f31b5..094991e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
@@ -22,15 +22,19 @@ import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
public class AbstractJwsJsonReaderProvider {
+ protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJwsJsonReaderProvider.class);
private static final String RSSEC_SIGNATURE_IN_LIST_PROPS = "rs.security.signature.in.list.properties";
private static final String RSSEC_SIGNATURE_LIST_PROPS = "rs.security.signature.list.properties";
@@ -53,7 +57,8 @@ public class AbstractJwsJsonReaderProvider {
Object propLocsProp =
MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_IN_LIST_PROPS, RSSEC_SIGNATURE_LIST_PROPS);
if (propLocsProp == null) {
- throw new SecurityException();
+ LOG.warning("JWS JSON init properties resource is not identified");
+ throw new JwsException(JwsException.Error.NO_INIT_PROPERTIES);
}
List<String> propLocs = null;
if (propLocsProp instanceof String) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java
index db10c62..d5068e2 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonWriterProvider.java
@@ -25,18 +25,22 @@ import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
import org.apache.cxf.rs.security.jose.jws.JwsJsonProducer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
public class AbstractJwsJsonWriterProvider {
+ protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJwsJsonWriterProvider.class);
private static final String RSSEC_SIGNATURE_OUT_LIST_PROPS = "rs.security.signature.out.list.properties";
private static final String RSSEC_SIGNATURE_LIST_PROPS = "rs.security.signature.list.properties";
@@ -57,7 +61,8 @@ public class AbstractJwsJsonWriterProvider {
Object propLocsProp =
MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_OUT_LIST_PROPS, RSSEC_SIGNATURE_LIST_PROPS);
if (propLocsProp == null) {
- throw new SecurityException();
+ LOG.warning("JWS JSON init properties resource is not identified");
+ throw new JwsException(JwsException.Error.NO_INIT_PROPERTIES);
}
List<String> propLocs = null;
if (propLocsProp instanceof String) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
index 46a5813..e70bead 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
@@ -29,6 +29,7 @@ import javax.ws.rs.client.ClientResponseFilter;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.rs.security.jose.JoseUtils;
import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
@Priority(Priorities.JWS_CLIENT_READ_PRIORITY)
@@ -38,7 +39,7 @@ public class JwsClientResponseFilter extends AbstractJwsReaderProvider implement
JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(p.getJoseHeaders());
if (!p.verifySignatureWith(theSigVerifier)) {
- throw new SecurityException();
+ throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
}
byte[] bytes = p.getDecodedJwsPayloadBytes();
res.setEntityStream(new ByteArrayInputStream(bytes));
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
index ecd0912..728c19d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
@@ -29,6 +29,7 @@ import javax.ws.rs.client.ClientResponseFilter;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.rs.security.jose.JoseUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
import org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsJsonSignatureEntry;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
@@ -41,7 +42,7 @@ public class JwsJsonClientResponseFilter extends AbstractJwsJsonReaderProvider i
JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
if (isStrictVerification() && p.getSignatureEntries().size() != theSigVerifiers.size()
|| !p.verifySignatureWith(theSigVerifiers)) {
- throw new SecurityException();
+ throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
}
byte[] bytes = p.getDecodedJwsPayloadBytes();
res.setEntityStream(new ByteArrayInputStream(bytes));
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
index d8bd8c2..821a36a 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationClientFilter.java
@@ -31,6 +31,7 @@ import org.apache.cxf.common.util.crypto.CryptoUtils;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.JoseException;
import org.apache.cxf.rs.security.jose.JoseHeaders;
import org.apache.cxf.rs.security.jose.JoseUtils;
import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer;
@@ -58,7 +59,7 @@ public class JwtAuthenticationClientFilter extends AbstractJoseJwtProducer
}
}
if (jwt == null) {
- throw new SecurityException();
+ throw new JoseException("JWT token is not available");
}
JoseUtils.setJoseMessageContextProperty(jwt.getHeaders(),
getContextPropertyValue());
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index 32de426..0c32f55 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -19,6 +19,7 @@
package org.apache.cxf.rs.security.jose.jaxrs;
import java.io.IOException;
+import java.util.logging.Logger;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
@@ -27,9 +28,11 @@ import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.common.security.SimpleSecurityContext;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.JoseException;
import org.apache.cxf.rs.security.jose.JoseUtils;
import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
@@ -38,7 +41,7 @@ import org.apache.cxf.security.SecurityContext;
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements ContainerRequestFilter {
-
+ protected static final Logger LOG = LogUtils.getL7dLogger(JwtAuthenticationFilter.class);
private boolean jweOnly;
@Override
@@ -46,7 +49,7 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
String auth = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
String[] parts = auth == null ? null : auth.split(" ");
if (parts == null || !"JWT".equals(parts[0]) || parts.length != 2) {
- throw new SecurityException();
+ throw new JoseException("JWT scheme is expected");
}
JwtToken jwt = super.getJwtToken(parts[1], jweOnly);
JoseUtils.setMessageContextProperty(jwt.getHeaders());
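Review bot: The condition reads `parts[0]` before it checks `parts.length`, and `String.split(" ")` returns an empty array for a value that consists only of spaces, so such an Authorization header would surface as an ArrayIndexOutOfBoundsException rather than the JoseException thrown here (the container may trim the value first; that is not visible in this hunk). Checking the length first removes the gap: `if (parts == null || parts.length != 2 || !"JWT".equals(parts[0])) {`. The `LOG` field added to this class earlier in the file section is not used on this rejection path, while the other filters in the commit log before throwing. The method's signature is outside the hunk.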
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java
index bf1754c..63b18a8 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtJwsAuthenticationFilter.java
@@ -28,6 +28,7 @@ import javax.ws.rs.core.HttpHeaders;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.jose.JoseException;
import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
@@ -44,7 +45,7 @@ public class JwtJwsAuthenticationFilter extends AbstractJwsReaderProvider implem
String authHeader = context.getHeaderString(HttpHeaders.AUTHORIZATION);
String[] schemeData = authHeader.split(" ");
if (schemeData.length != 2 || !JWT_SCHEME_PROPERTY.equals(schemeData[0])) {
- throw new SecurityException();
+ throw new JoseException("JWT scheme is expected");
}
JwsJwtCompactConsumer p = new JwsJwtCompactConsumer(schemeData[1]);
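Review bot: `authHeader.split(" ")` is called without a null check, so a request that carries no Authorization header fails with a NullPointerException instead of the `JoseException("JWT scheme is expected")` introduced two lines below. JwtAuthenticationFilter in this same commit guards the equivalent line; the same shape works here: `String[] schemeData = authHeader == null ? null : authHeader.split(" ");` followed by `if (schemeData == null || schemeData.length != 2 || !JWT_SCHEME_PROPERTY.equals(schemeData[0])) {`. The enclosing method begins outside the hunk.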
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
index 8a6424e..fdfd4ca 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
@@ -23,17 +23,31 @@ import org.apache.cxf.rs.security.jose.JoseException;
public class JweException extends JoseException {
private static final long serialVersionUID = 4118589816228511524L;
- public JweException() {
-
+ private Error status;
+ public JweException(Error status) {
+ this(status, null);
}
- public JweException(String text) {
- super(text);
- }
- public JweException(Throwable cause) {
+ public JweException(Error status, Throwable cause) {
super(cause);
+ this.status = status;
+ }
+ public Error getError() {
+ return status;
}
- public JweException(String text, Throwable cause) {
- super(text, cause);
+ public static enum Error {
+ NO_ENCRYPTOR,
+ NO_DECRYPTOR,
+ NO_INIT_PROPERTIES,
+ KEY_ALGORITHM_NOT_SET,
+ CONTENT_ALGORITHM_NOT_SET,
+ INVALID_KEY_ALGORITHM,
+ INVALID_CONTENT_ALGORITHM,
+ INVALID_CONTENT_KEY,
+ KEY_ENCRYPTION_FAILURE,
+ CONTENT_ENCRYPTION_FAILURE,
+ KEY_DECRYPTION_FAILURE,
+ CONTENT_DECRYPTION_FAILURE,
+ INVALID_COMPACT_JWE,
+ INVALID_JSON_JWE
}
- // Jwe Error enum can be introduced too
}
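Review bot: `JweException(Error, Throwable)` forwards only the cause to `super`, so `getMessage()` and any printed stack trace say nothing about which `Error` value was raised, and the message is null when the one-argument constructor is used. Overriding `getMessage()` to include `status.name()`, or keeping a message-plus-cause constructor on JoseException and calling it here, would keep the code visible in logs. The `status` field is only assigned in the constructor and can be declared `private final Error status;`. The same applies to the JwsException hunk later in this commit, which has the same constructors and field.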
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
index 4b77c47..57ceb17 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
@@ -64,11 +64,14 @@ public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvid
protected abstract JwsSignature doCreateJwsSignature(JoseHeaders headers);
protected void checkAlgorithm(String algo) {
- String error = "Invalid signature algorithm";
if (algo == null) {
- LOG.warning(error + ":" + algo);
- throw new JwsException(error);
+ LOG.warning("Signature algorithm is not set");
+ throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
+ }
+ if (!isValidAlgorithmFamily(algo)) {
+ LOG.warning("Invalid signature algorithm: " + algo);
+ throw new JwsException(JwsException.Error.INVALID_ALGORITHM);
}
}
-
+ protected abstract boolean isValidAlgorithmFamily(String algo);
}
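Review bot: The new abstract method `isValidAlgorithmFamily` has no Javadoc, and because it is abstract every existing subclass must now implement it, including any outside this repository. A short comment would state the contract that `checkAlgorithm` relies on, for example `/** Returns true if algo belongs to the signature family this provider implements; called only with a non-null algo. */`. The non-null guarantee follows from the `algo == null` branch directly above the call in this hunk.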
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
index b0bdae4..1a287c4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
@@ -43,8 +43,11 @@ public class EcDsaJwsSignatureVerifier extends PublicKeyJwsSignatureVerifier {
}
@Override
public boolean verify(JoseHeaders headers, String unsignedText, byte[] signature) {
- if (SIGNATURE_LENGTH_MAP.get(super.getAlgorithm().getJwaName()) != signature.length) {
- throw new SecurityException();
+ final String algoName = super.getAlgorithm().getJwaName();
+ if (SIGNATURE_LENGTH_MAP.get(algoName) != signature.length) {
+ LOG.warning("Algorithm " + algoName + " signature length is " + SIGNATURE_LENGTH_MAP.get(algoName)
+ + ", actual length is " + signature.length);
+ throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
}
byte[] der = signatureToDer(signature);
return super.verify(headers, unsignedText, der);
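Review bot: `SIGNATURE_LENGTH_MAP.get(algoName) != signature.length` unboxes the map value, so an algorithm name with no entry in the map, or a null `signature`, raises a NullPointerException rather than `JwsException.Error.INVALID_SIGNATURE`. That exception would not be caught by the `catch (JwsException ex)` this commit puts in `JwsCompactConsumer.verifySignatureWith`. Reading the value once and testing it closes both cases: `Integer expected = SIGNATURE_LENGTH_MAP.get(algoName);` then `if (expected == null || signature == null || expected != signature.length) {`. The contents of the map are outside the hunk, so whether a missing entry is reachable should be confirmed there.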
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
index f272dad..d904de9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureProvider.java
@@ -46,7 +46,8 @@ public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider {
try {
this.key = Base64UrlUtility.decode(encodedKey);
} catch (Base64Exception ex) {
- throw new SecurityException();
+ LOG.warning("Hmac key can not be decoded");
+ throw new JwsException(JwsException.Error.INVALID_KEY, ex);
}
}
@@ -68,10 +69,7 @@ public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider {
};
}
@Override
- protected void checkAlgorithm(String algo) {
- super.checkAlgorithm(algo);
- if (!AlgorithmUtils.isHmacSign(algo)) {
- throw new SecurityException();
- }
+ protected boolean isValidAlgorithmFamily(String algo) {
+ return AlgorithmUtils.isHmacSign(algo);
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
index c02ee70..528ccc7 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
@@ -20,7 +20,9 @@ package org.apache.cxf.rs.security.jose.jws;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.crypto.HmacUtils;
import org.apache.cxf.rs.security.jose.JoseHeaders;
import org.apache.cxf.rs.security.jose.JoseUtils;
@@ -28,6 +30,7 @@ import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
+ protected static final Logger LOG = LogUtils.getL7dLogger(HmacJwsSignatureVerifier.class);
private byte[] key;
private AlgorithmParameterSpec hmacSpec;
private SignatureAlgorithm supportedAlgo;
@@ -62,10 +65,14 @@ public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
}
protected String checkAlgorithm(String algo) {
- if (algo == null
- || !AlgorithmUtils.isHmacSign(algo)
+ if (algo == null) {
+ LOG.warning("Signature algorithm is not set");
+ throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
+ }
+ if (!AlgorithmUtils.isHmacSign(algo)
|| !algo.equals(supportedAlgo.getJwaName())) {
- throw new SecurityException();
+ LOG.warning("Invalid signature algorithm: " + algo);
+ throw new JwsException(JwsException.Error.INVALID_ALGORITHM);
}
return algo;
}
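Review bot: `LOG.warning("Invalid signature algorithm: " + algo)` writes `algo` to the log unmodified, and on the verifier side that value presumably comes from the headers of the received JWS (the callers are outside this hunk). If so, a header value containing line breaks could forge additional log entries. Logging the expected value instead avoids echoing sender-controlled text: `LOG.warning("Invalid signature algorithm, expected " + supportedAlgo.getJwaName());`. Alternatively strip CR and LF from `algo` before it is logged.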
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
index c6ee9cd..27f9551 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java
@@ -20,7 +20,9 @@ package org.apache.cxf.rs.security.jose.jws;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.rs.security.jose.JoseHeaders;
import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
@@ -28,6 +30,7 @@ import org.apache.cxf.rs.security.jose.JoseUtils;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
public class JwsCompactConsumer {
+ protected static final Logger LOG = LogUtils.getL7dLogger(JwsCompactConsumer.class);
private JoseHeadersReaderWriter reader = new JoseHeadersReaderWriter();
private String encodedSequence;
private String encodedSignature;
@@ -51,7 +54,8 @@ public class JwsCompactConsumer {
if (parts.length == 2 && encodedJws.endsWith(".")) {
encodedSignature = "";
} else {
- throw new SecurityException("Invalid JWS Compact sequence");
+ LOG.warning("Compact JWS does not have 3 parts");
+ throw new JwsException(JwsException.Error.INVALID_COMPACT_JWS);
}
} else {
encodedSignature = parts[2];
@@ -59,7 +63,8 @@ public class JwsCompactConsumer {
String encodedJwsPayload = parts[1];
if (encodedDetachedPayload != null) {
if (!StringUtils.isEmpty(encodedJwsPayload)) {
- throw new SecurityException("Invalid JWS Compact sequence");
+ LOG.warning("Compact JWS includes a payload expected to be detached");
+ throw new JwsException(JwsException.Error.INVALID_COMPACT_JWS);
}
encodedJwsPayload = encodedDetachedPayload;
}
@@ -87,8 +92,9 @@ public class JwsCompactConsumer {
}
public JoseHeaders getJoseHeaders() {
JoseHeaders joseHeaders = reader.fromJsonHeaders(headersJson);
- if (joseHeaders.getUpdateCount() != null) {
- throw new SecurityException("Duplicate headers have been detected");
+ if (joseHeaders.getUpdateCount() != null) {
+ LOG.warning("Duplicate headers have been detected");
+ throw new JwsException(JwsException.Error.INVALID_COMPACT_JWS);
}
return joseHeaders;
}
@@ -97,9 +103,10 @@ public class JwsCompactConsumer {
if (validator.verify(getJoseHeaders(), getUnsignedEncodedSequence(), getDecodedSignature())) {
return true;
}
- } catch (SecurityException ex) {
+ } catch (JwsException ex) {
// ignore
}
+ LOG.warning("Invalid Signature");
return false;
}
public boolean verifySignatureWith(JsonWebKey key) {
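Review bot: Narrowing the catch from `SecurityException` to `JwsException` changes what `verifySignatureWith` does for any verifier or helper that still throws `SecurityException`: the call no longer returns false but propagates the exception. The commit title limits the replacement to the jws code, so crypto utilities outside it may still throw the old type; that is worth confirming. The caught exception is also dropped with `// ignore`, so the `Error` code it carries never reaches the log. A line such as `LOG.fine("JWS verification failed: " + ex.getError());` inside the catch would keep it. The `try` opens outside the hunk.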
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsException.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsException.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsException.java
index 5073c7d..ccaa9b8 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsException.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsException.java
@@ -23,17 +23,27 @@ import org.apache.cxf.rs.security.jose.JoseException;
public class JwsException extends JoseException {
private static final long serialVersionUID = 4118589816228511524L;
- public JwsException() {
-
+ private Error status;
+ public JwsException(Error status) {
+ this(status, null);
}
- public JwsException(String text) {
- super(text);
- }
- public JwsException(Throwable cause) {
+ public JwsException(Error status, Throwable cause) {
super(cause);
+ this.status = status;
+ }
+ public Error getError() {
+ return status;
}
- public JwsException(String text, Throwable cause) {
- super(text, cause);
+ public static enum Error {
+ NO_PROVIDER,
+ NO_VERIFIER,
+ NO_INIT_PROPERTIES,
+ ALGORITHM_NOT_SET,
+ INVALID_ALGORITHM,
+ INVALID_KEY,
+ SIGNATURE_FAILURE,
+ INVALID_SIGNATURE,
+ INVALID_COMPACT_JWS,
+ INVALID_JSON_JWS
}
- // Jws Error enum can be introduced too
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
index ce9bf27..2eaf128 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
@@ -23,9 +23,11 @@ import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
+import java.util.logging.Logger;
import javax.ws.rs.core.MultivaluedMap;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.jaxrs.provider.json.JsonMapObject;
@@ -35,7 +37,7 @@ import org.apache.cxf.rs.security.jose.JoseUtils;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
public class JwsJsonConsumer {
-
+ protected static final Logger LOG = LogUtils.getL7dLogger(JwsJsonConsumer.class);
private String jwsSignedDocument;
private String encodedJwsPayload;
private List<JwsJsonSignatureEntry> signatureEntries = new LinkedList<JwsJsonSignatureEntry>();
@@ -60,15 +62,20 @@ public class JwsJsonConsumer {
encodedJwsPayload = (String)jsonObjectMap.get("payload");
if (encodedJwsPayload == null) {
encodedJwsPayload = encodedDetachedPayload;
+ } else if (encodedDetachedPayload != null) {
+ LOG.warning("JSON JWS includes a payload expected to be detached");
+ throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
}
if (encodedJwsPayload == null) {
- throw new SecurityException("Invalid JWS JSON sequence: no payload is available");
+ LOG.warning("JSON JWS has no payload");
+ throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
}
List<Map<String, Object>> signatureArray = CastUtils.cast((List<?>)jsonObjectMap.get("signatures"));
if (signatureArray != null) {
if (jsonObjectMap.containsKey("signature")) {
- throw new SecurityException("Invalid JWS JSON sequence");
+ LOG.warning("JSON JWS has a flattened 'signature' element and a 'signatures' object");
+ throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
}
for (Map<String, Object> signatureEntry : signatureArray) {
this.signatureEntries.add(getSignatureObject(signatureEntry));
@@ -77,7 +84,8 @@ public class JwsJsonConsumer {
this.signatureEntries.add(getSignatureObject(jsonObjectMap));
}
if (signatureEntries.isEmpty()) {
- throw new SecurityException("Invalid JWS JSON sequence: no signatures are available");
+ LOG.warning("JSON JWS has no signatures");
+ throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
}
}
protected JwsJsonSignatureEntry getSignatureObject(Map<String, Object> signatureEntry) {
@@ -128,37 +136,29 @@ public class JwsJsonConsumer {
}
public boolean verifySignatureWith(List<JwsSignatureVerifier> validators) {
try {
- verifyAndGetNonValidated(validators);
- return true;
- } catch (SecurityException ex) {
- return false;
+ if (verifyAndGetNonValidated(validators).isEmpty()) {
+ return true;
+ }
+ } catch (JwsException ex) {
+ // ignore
}
+ LOG.warning("One of JSON JWS signatures is invalid");
+ return false;
}
public List<JwsJsonSignatureEntry> verifyAndGetNonValidated(List<JwsSignatureVerifier> validators) {
- if (validators.size() > signatureEntries.size()) {
- throw new SecurityException("Too many signature validators");
- }
// TODO: more effective approach is needed
List<JwsJsonSignatureEntry> validatedSignatures = new LinkedList<JwsJsonSignatureEntry>();
for (JwsSignatureVerifier validator : validators) {
- boolean validated = false;
List<JwsJsonSignatureEntry> theSignatureEntries =
getSignatureEntryMap().get(validator.getAlgorithm().getJwaName());
if (theSignatureEntries != null) {
for (JwsJsonSignatureEntry sigEntry : theSignatureEntries) {
if (sigEntry.verifySignatureWith(validator)) {
validatedSignatures.add(sigEntry);
- validated = true;
break;
}
}
}
- if (!validated) {
- throw new SecurityException();
- }
- }
- if (validatedSignatures.isEmpty()) {
- throw new SecurityException();
}
List<JwsJsonSignatureEntry> nonValidatedSignatures = new LinkedList<JwsJsonSignatureEntry>();
for (JwsJsonSignatureEntry sigEntry : signatureEntries) {
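Review bot: `verifyAndGetNonValidated` no longer fails closed: with the three `SecurityException` throws removed, it returns normally even when no validator matched any signature. A caller that treated a normal return as success would now accept an unverified document. `verifySignatureWith` in this hunk compensates by checking `isEmpty()`, but other callers of this public method are not visible here and would need the same check. Either keep a guard after the validator loop, `if (validatedSignatures.isEmpty()) { throw new JwsException(JwsException.Error.INVALID_SIGNATURE); }`, or add Javadoc stating that a non-empty result means at least one signature entry was not verified. The method body continues past the end of the hunk.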
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonOutputStream.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonOutputStream.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonOutputStream.java
index 85f0356..7fe6059 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonOutputStream.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonOutputStream.java
@@ -59,11 +59,7 @@ public class JwsJsonOutputStream extends FilterOutputStream {
executor.execute(new Runnable() {
public void run() {
for (JwsSignature signature : signatures) {
- try {
- signature.update(b, off, len);
- } catch (Throwable ex) {
- throw new SecurityException();
- }
+ signature.update(b, off, len);
}
}
});
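Review bot: An exception thrown by `signature.update(b, off, len)` inside the `Runnable` never reaches the thread that called `write`, assuming `executor` runs tasks on another thread (its type is not visible here). The `for` loop stops at the failing signature, the remaining signatures miss this chunk, and `flush()` still calls `sign()` and emits a document whose signatures do not cover the payload. Record the first failure in the task and rethrow it from `flush()` after `shutdownExecutor()` and before any `sign()` call; `updateFailure` below would be a new `volatile RuntimeException` field. The enclosing `write` method starts outside the hunk.

```java
executor.execute(new Runnable() {
    public void run() {
        try {
            for (JwsSignature signature : signatures) {
                signature.update(b, off, len);
            }
        } catch (RuntimeException ex) {
            // remembered here, rethrown by flush() before any sign() call
            updateFailure = ex;
        }
    }
});
```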
@@ -76,29 +72,29 @@ public class JwsJsonOutputStream extends FilterOutputStream {
return;
}
out.write(StringUtils.toBytesUTF8("\",\"signatures\":["));
- try {
- shutdownExecutor();
- for (int i = 0; i < signatures.size(); i++) {
- if (i > 0) {
- out.write(new byte[]{','});
- }
- out.write(StringUtils.toBytesUTF8("{\"protected\":\""
- + protectedHeaders.get(i)
- + "\",\"signature\":\""));
- byte[] sign = signatures.get(i).sign();
- Base64UrlUtility.encodeAndStream(sign, 0, sign.length, out);
- out.write(StringUtils.toBytesUTF8("\"}"));
+ shutdownExecutor();
+ for (int i = 0; i < signatures.size(); i++) {
+ if (i > 0) {
+ out.write(new byte[]{','});
}
- } catch (Exception ex) {
- throw new SecurityException();
+ out.write(StringUtils.toBytesUTF8("{\"protected\":\""
+ + protectedHeaders.get(i)
+ + "\",\"signature\":\""));
+ byte[] sign = signatures.get(i).sign();
+ Base64UrlUtility.encodeAndStream(sign, 0, sign.length, out);
+ out.write(StringUtils.toBytesUTF8("\"}"));
}
out.write(StringUtils.toBytesUTF8("]}"));
flushed = true;
}
- private void shutdownExecutor() throws Exception {
+ private void shutdownExecutor() {
executor.shutdown();
while (!executor.isTerminated()) {
- executor.awaitTermination(1, TimeUnit.MILLISECONDS);
+ try {
+ executor.awaitTermination(1, TimeUnit.MILLISECONDS);
+ } catch (InterruptedException ex) {
+ throw new RuntimeException(ex);
+ }
}
}
}
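Review bot: The new `catch (InterruptedException ex)` in `shutdownExecutor` wraps the interrupt in a bare `RuntimeException` without restoring the thread's interrupt flag, so code further up the stack cannot tell that the thread was asked to stop. Add `Thread.currentThread().interrupt();` before the throw. To stay consistent with the rest of the commit, throw the typed exception instead: `throw new JwsException(JwsException.Error.SIGNATURE_FAILURE, ex);`. The `while (!executor.isTerminated())` loop with a 1 ms wait is also a near busy-wait; a single longer `awaitTermination` with a checked result would be clearer.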
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
index 5620232..46ce4ea 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
@@ -22,9 +22,11 @@ import java.security.interfaces.RSAPrivateKey;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
+import java.util.logging.Logger;
import javax.ws.rs.core.MultivaluedMap;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.rs.security.jose.JoseConstants;
@@ -32,6 +34,7 @@ import org.apache.cxf.rs.security.jose.JoseHeaders;
import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
public class JwsJsonProducer {
+ protected static final Logger LOG = LogUtils.getL7dLogger(JwsJsonProducer.class);
private boolean supportFlattened;
private String plainPayload;
private String encodedPayload;
@@ -57,7 +60,8 @@ public class JwsJsonProducer {
}
public String getJwsJsonSignedDocument(boolean detached) {
if (signatures.isEmpty()) {
- throw new SecurityException("Signature is not available");
+ LOG.warning("Signature is not available");
+ throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
}
StringBuilder sb = new StringBuilder();
sb.append("{");
@@ -124,12 +128,14 @@ public class JwsJsonProducer {
checkCriticalHeaders(unprotectedHeader);
if (!Collections.disjoint(unionHeaders.asMap().keySet(),
unprotectedHeader.asMap().keySet())) {
- throw new SecurityException("Protected and unprotected headers have duplicate values");
+ LOG.warning("Protected and unprotected headers have duplicate values");
+ throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
}
unionHeaders.asMap().putAll(unprotectedHeader.asMap());
}
if (unionHeaders.getAlgorithm() == null) {
- throw new SecurityException("Algorithm header is not set");
+ LOG.warning("Algorithm header is not set");
+ throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
}
String sequenceToBeSigned;
if (protectedHeader != null) {
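Review bot: The "Algorithm header is not set" branch throws `INVALID_JSON_JWS`, although this commit adds `ALGORITHM_NOT_SET` to `JwsException.Error` and `PublicKeyJwsSignatureVerifier.checkAlgorithm` uses it for the same condition. Callers that switch on `getError()` will therefore see two different codes for a missing `alg`, depending on which side detected it. Use `throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);` here. The enclosing method starts and ends outside the hunk.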
@@ -163,7 +169,8 @@ public class JwsJsonProducer {
}
private static void checkCriticalHeaders(JoseHeaders unprotected) {
if (unprotected.asMap().containsKey(JoseConstants.HEADER_CRITICAL)) {
- throw new SecurityException();
+ LOG.warning("Unprotected headers contain critical headers");
+ throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
}
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonSignatureEntry.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonSignatureEntry.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonSignatureEntry.java
index 5b249ad..9ef258e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonSignatureEntry.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonSignatureEntry.java
@@ -19,7 +19,9 @@
package org.apache.cxf.rs.security.jose.jws;
import java.util.Collections;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.rs.security.jose.JoseConstants;
@@ -30,6 +32,7 @@ import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
public class JwsJsonSignatureEntry {
+ protected static final Logger LOG = LogUtils.getL7dLogger(JwsJsonSignatureEntry.class);
private String encodedJwsPayload;
private String encodedProtectedHeader;
private String encodedSignature;
@@ -43,7 +46,8 @@ public class JwsJsonSignatureEntry {
String encodedSignature,
JoseHeaders unprotectedHeader) {
if (encodedProtectedHeader == null && unprotectedHeader == null || encodedSignature == null) {
- throw new SecurityException("Invalid security entry");
+ LOG.warning("Invalid Signature entry");
+ throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
}
this.encodedJwsPayload = encodedJwsPayload;
@@ -64,7 +68,8 @@ public class JwsJsonSignatureEntry {
if (unprotectedHeader != null) {
if (!Collections.disjoint(unionHeaders.asMap().keySet(),
unprotectedHeader.asMap().keySet())) {
- throw new SecurityException("Protected and unprotected headers have duplicate values");
+ LOG.warning("Protected and unprotected headers have duplicate values");
+ throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
}
unionHeaders.asMap().putAll(unprotectedHeader.asMap());
}
@@ -108,12 +113,15 @@ public class JwsJsonSignatureEntry {
}
public boolean verifySignatureWith(JwsSignatureVerifier validator) {
try {
- return validator.verify(getUnionHeader(),
- getUnsignedEncodedSequence(),
- getDecodedSignature());
- } catch (SecurityException ex) {
+ if (validator.verify(getUnionHeader(),
+ getUnsignedEncodedSequence(),
+ getDecodedSignature())) {
+ return true;
+ }
+ } catch (JwsException ex) {
// ignore
}
+ LOG.warning("Invalid Signature Entry");
return false;
}
public boolean verifySignatureWith(JsonWebKey key) {
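Review bot: The `catch (JwsException ex)` block in `verifySignatureWith` discards the error code, so the single warning `Invalid Signature Entry` cannot distinguish a bad signature from `ALGORITHM_NOT_SET` or `INVALID_ALGORITHM`. That distinction is what an operator needs when triaging rejected tokens. Replace `// ignore` with `LOG.warning("Invalid Signature Entry: " + ex.getError());` and keep the trailing warning for the plain `false` result only. The catch is also narrowed from `SecurityException` to `JwsException`, so a `JwsSignatureVerifier` implementation that still throws `SecurityException` would now propagate out of this boolean method rather than yield `false`; confirm that every implementation was converted.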
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsOutputStream.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsOutputStream.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsOutputStream.java
index b9d572a..53b592f 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsOutputStream.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsOutputStream.java
@@ -41,11 +41,7 @@ public class JwsOutputStream extends FilterOutputStream {
@Override
public void write(byte b[], int off, int len) throws IOException {
- try {
- signature.update(b, off, len);
- } catch (Throwable ex) {
- throw new SecurityException();
- }
+ signature.update(b, off, len);
out.write(b, off, len);
out.flush();
}
@@ -54,13 +50,9 @@ public class JwsOutputStream extends FilterOutputStream {
if (flushed) {
return;
}
- try {
- byte[] finalBytes = signature.sign();
- out.write(new byte[]{'.'});
- Base64UrlUtility.encodeAndStream(finalBytes, 0, finalBytes.length, out);
- } catch (Exception ex) {
- throw new SecurityException();
- }
+ byte[] finalBytes = signature.sign();
+ out.write(new byte[]{'.'});
+ Base64UrlUtility.encodeAndStream(finalBytes, 0, finalBytes.length, out);
flushed = true;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index f66087f..d4b759a 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -25,9 +25,11 @@ import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Properties;
+import java.util.logging.Logger;
import javax.ws.rs.core.MultivaluedMap;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.jaxrs.utils.ResourceUtils;
@@ -43,6 +45,7 @@ import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
public final class JwsUtils {
+ private static final Logger LOG = LogUtils.getL7dLogger(JwsUtils.class);
private static final String JSON_WEB_SIGNATURE_ALGO_PROP = "rs.security.jws.content.signature.algorithm";
private static final String RSSEC_SIGNATURE_OUT_PROPS = "rs.security.signature.out.properties";
private static final String RSSEC_SIGNATURE_IN_PROPS = "rs.security.signature.in.properties";
@@ -168,7 +171,7 @@ public final class JwsUtils {
return loadSignatureVerifier(m, props, headers, false);
}
public static List<JwsSignatureProvider> loadSignatureProviders(String propLoc, Message m) {
- Properties props = loadProperties(m, propLoc);
+ Properties props = loadJwsProperties(m, propLoc);
JwsSignatureProvider theSigProvider = loadSignatureProvider(m, props, null, true);
if (theSigProvider != null) {
return Collections.singletonList(theSigProvider);
@@ -184,13 +187,14 @@ public final class JwsUtils {
}
}
if (theSigProviders == null) {
- throw new SecurityException();
+ LOG.warning("Providers are not available");
+ throw new JwsException(JwsException.Error.NO_PROVIDER);
}
return theSigProviders;
}
public static List<JwsSignatureVerifier> loadSignatureVerifiers(String propLoc, Message m) {
- Properties props = loadProperties(m, propLoc);
+ Properties props = loadJwsProperties(m, propLoc);
JwsSignatureVerifier theVerifier = loadSignatureVerifier(m, props, null, true);
if (theVerifier != null) {
return Collections.singletonList(theVerifier);
@@ -206,7 +210,8 @@ public final class JwsUtils {
}
}
if (theVerifiers == null) {
- throw new SecurityException();
+ LOG.warning("Verifiers are not available");
+ throw new JwsException(JwsException.Error.NO_VERIFIER);
}
return theVerifiers;
}
@@ -243,7 +248,8 @@ public final class JwsUtils {
}
}
if (theSigProvider == null && !ignoreNullProvider) {
- throw new SecurityException();
+ LOG.warning("Provider is not available");
+ throw new JwsException(JwsException.Error.NO_PROVIDER);
}
return theSigProvider;
}
@@ -279,15 +285,17 @@ public final class JwsUtils {
(RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props), rsaSignatureAlgo);
}
if (theVerifier == null && !ignoreNullVerifier) {
- throw new SecurityException();
+ LOG.warning("Verifier is not available");
+ throw new JwsException(JwsException.Error.NO_VERIFIER);
}
return theVerifier;
}
- private static Properties loadProperties(Message m, String propLoc) {
+ private static Properties loadJwsProperties(Message m, String propLoc) {
try {
return ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("JWS init properties are not available");
+ throw new JwsException(JwsException.Error.NO_INIT_PROPERTIES);
}
}
private static String getSignatureAlgo(Message m, Properties props, String algo, String defaultAlgo) {
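Review bot: `loadJwsProperties` drops the caught exception: the old code passed `ex` to `SecurityException`, while the new code neither logs nor chains it. The reason the properties could not be loaded is therefore lost to whoever handles the `NO_INIT_PROPERTIES` error. The two-argument constructor added in this commit covers this: `throw new JwsException(JwsException.Error.NO_INIT_PROPERTIES, ex);`. Catching `Exception` is also broader than needed if `ResourceUtils.loadProperties` declares a narrower type, which is not visible here.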
@@ -311,7 +319,7 @@ public final class JwsUtils {
public static JwsCompactConsumer verify(JwsSignatureVerifier v, String content) {
JwsCompactConsumer jws = new JwsCompactConsumer(content);
if (!jws.verifySignatureWith(v)) {
- throw new SecurityException();
+ throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
}
return jws;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java
index 292ecf6..cb7b5ab 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PrivateKeyJwsSignatureProvider.java
@@ -57,15 +57,8 @@ public class PrivateKeyJwsSignatureProvider extends AbstractJwsSignatureProvider
protected JwsSignature doCreateJwsSignature(Signature s) {
return new PrivateKeyJwsSignature(s);
}
- @Override
- protected void checkAlgorithm(String algo) {
- super.checkAlgorithm(algo);
- if (!isValidAlgorithmFamily(algo)) {
- throw new SecurityException();
- }
- //TODO: validate "A key of size 2048 bits or larger MUST be used" for PS-SHA algorithms
- }
+ @Override
protected boolean isValidAlgorithmFamily(String algo) {
return AlgorithmUtils.isRsaSign(algo);
}
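Review bot: Deleting the `checkAlgorithm` override also deletes the only reminder that RSA key length is not validated (`//TODO: validate "A key of size 2048 bits or larger MUST be used" for PS-SHA algorithms`). Unless the base-class `checkAlgorithm`, which is not visible here, carries that check or the TODO, nothing in this class now records the gap. Keep a note next to `isValidAlgorithmFamily`, for example `// TODO: reject RSA keys shorter than 2048 bits (still unchecked)`, or track it in the issue.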
@@ -80,7 +73,7 @@ public class PrivateKeyJwsSignatureProvider extends AbstractJwsSignatureProvider
try {
s.update(src, off, len);
} catch (SignatureException ex) {
- throw new SecurityException();
+ throw new JwsException(JwsException.Error.SIGNATURE_FAILURE, ex);
}
}
@@ -89,9 +82,10 @@ public class PrivateKeyJwsSignatureProvider extends AbstractJwsSignatureProvider
try {
return s.sign();
} catch (SignatureException ex) {
- throw new SecurityException();
+ throw new JwsException(JwsException.Error.SIGNATURE_FAILURE, ex);
}
}
}
+
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/318cfdae/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
index 7e8fd80..fb163ad 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
@@ -20,7 +20,9 @@ package org.apache.cxf.rs.security.jose.jws;
import java.security.PublicKey;
import java.security.spec.AlgorithmParameterSpec;
+import java.util.logging.Logger;
+import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.common.util.crypto.CryptoUtils;
import org.apache.cxf.rs.security.jose.JoseHeaders;
@@ -28,6 +30,7 @@ import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
+ protected static final Logger LOG = LogUtils.getL7dLogger(PublicKeyJwsSignatureVerifier.class);
private PublicKey key;
private AlgorithmParameterSpec signatureSpec;
private SignatureAlgorithm supportedAlgo;
@@ -49,14 +52,19 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
AlgorithmUtils.toJavaName(checkAlgorithm(headers.getAlgorithm())),
signatureSpec);
} catch (Exception ex) {
- throw new SecurityException(ex);
+ LOG.warning("Invalid signature");
+ throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
}
}
protected String checkAlgorithm(String algo) {
- if (algo == null
- || !isValidAlgorithmFamily(algo)
+ if (algo == null) {
+ LOG.warning("Signature algorithm is not set");
+ throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
+ }
+ if (!isValidAlgorithmFamily(algo)
|| !algo.equals(supportedAlgo.getJwaName())) {
- throw new SecurityException();
+ LOG.warning("Invalid signature algorithm: " + algo);
+ throw new JwsException(JwsException.Error.INVALID_ALGORITHM);
}
return algo;
}
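Review bot: `checkAlgorithm(...)` is called inside the `try` in `verify`, so the `ALGORITHM_NOT_SET` and `INVALID_ALGORITHM` exceptions it now throws are caught by `catch (Exception ex)` and replaced with `INVALID_SIGNATURE`. Callers of `verify` never see the specific codes. Rethrow them first with `} catch (JwsException ex) { throw ex; }` and chain the cause in the generic branch, `throw new JwsException(JwsException.Error.INVALID_SIGNATURE, ex);`. Separately, `"Invalid signature algorithm: " + algo` writes a value taken from the JWS headers into the log unescaped; strip CR/LF and bound its length before logging. The `verify` method starts outside the hunk.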