Posted to commits@cxf.apache.org by se...@apache.org on 2015/11/25 14:20:46 UTC
[3/3] cxf git commit: Reprsenting PublicKeys loaded from Java
KeyStore as JWK, renaming DefaultJwkReaderWriter into JwkReaderWriter
Representing PublicKeys loaded from Java KeyStore as JWK, renaming DefaultJwkReaderWriter into JwkReaderWriter
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/64506829
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/64506829
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/64506829
Branch: refs/heads/3.0.x-fixes
Commit: 6450682971ffbedf5df1e1dab0f07c12c0b5a772
Parents: c2d9dca
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed Nov 25 12:58:49 2015 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed Nov 25 13:20:26 2015 +0000
----------------------------------------------------------------------
.../rs/security/jose/common/JoseConstants.java | 6 +
.../cxf/rs/security/jose/jwe/JweUtils.java | 26 +++-
.../jose/jwk/DefaultJwkReaderWriter.java | 49 --------
.../cxf/rs/security/jose/jwk/JsonWebKeys.java | 13 +-
.../rs/security/jose/jwk/JwkReaderWriter.java | 27 +++-
.../cxf/rs/security/jose/jwk/JwkUtils.java | 123 ++++++++-----------
.../cxf/rs/security/jose/jws/JwsUtils.java | 13 +-
.../oidc/rp/AbstractTokenValidator.java | 2 +
8 files changed, 129 insertions(+), 130 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/64506829/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
index cc990b5..daf7c5a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
@@ -127,6 +127,12 @@ public final class JoseConstants {
public static final String RSSEC_SIGNATURE_ALGORITHM = "rs.security.signature.algorithm";
/**
+ * The EC Curve to use with EC keys loaded from Java Key Store.
+ * JWK EC Keys are expected to use a standard "crv" property instead.
+ */
+ public static final String RSSEC_EC_CURVE = "rs.security.elliptic.curve";
+
+ /**
* The OLD signature algorithm identifier. Use RSSEC_SIGNATURE_ALGORITHM instead.
*/
@Deprecated
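Review bot: The new Javadoc on RSSEC_EC_CURVE (lines 37-39) says where the curve applies but not which values it accepts, so a misspelt name only surfaces at runtime. Name the accepted form in the comment, e.g. ` * Expected values are the JWK curve names such as "P-256" (see JsonWebKey.EC_CURVE_P256).`; the JweUtils change in this commit falls back to P-256 when the property is absent, which this Javadoc could also state.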
http://git-wip-us.apache.org/repos/asf/cxf/blob/64506829/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index a40c619..1da11fc 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -50,6 +50,7 @@ import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
+import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jwk.KeyOperation;
import org.apache.cxf.rs.security.jose.jwk.KeyType;
@@ -149,7 +150,13 @@ public final class JweUtils {
}
return keyEncryptionProvider;
}
- public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key, KeyAlgorithm algo) {
+ public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key,
+ KeyAlgorithm algo) {
+ return getPublicKeyEncryptionProvider(key, null, algo);
+ }
+ public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key,
+ Properties props,
+ KeyAlgorithm algo) {
if (key instanceof RSAPublicKey) {
return new RSAKeyEncryptionAlgorithm((RSAPublicKey)key, algo);
} else if (key instanceof ECPublicKey) {
@@ -158,8 +165,10 @@ public final class JweUtils {
if (m != null) {
ctAlgo = getContentAlgo((String)m.get(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM));
}
+ String curve = props == null ? JsonWebKey.EC_CURVE_P256
+ : props.getProperty(JoseConstants.RSSEC_EC_CURVE, JsonWebKey.EC_CURVE_P256);
return new EcdhAesWrapKeyEncryptionAlgorithm((ECPublicKey)key,
- JsonWebKey.EC_CURVE_P256,
+ curve,
algo,
ctAlgo == null ? ContentAlgorithm.A128GCM : ctAlgo);
}
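Review bot: The curve read from RSSEC_EC_CURVE, or the P-256 default, at lines 79-80 is never compared with the ECPublicKey it is applied to, so a P-384 key with the property unset is wrapped as if it were P-256 and a wrong property value silently misdescribes the key. The key carries its own parameters: `((ECPublicKey)key).getParams().getCurve().getField().getFieldSize()` is 256 for P-256, so compare the configured name's expected field size against it and reject a mismatch with an IllegalArgumentException before constructing EcdhAesWrapKeyEncryptionAlgorithm. The enclosing method starts in the previous hunk and ends outside this one.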
@@ -341,6 +350,7 @@ public final class JweUtils {
} else {
keyEncryptionProvider = getPublicKeyEncryptionProvider(
KeyManagementUtils.loadPublicKey(m, props),
+ props,
keyAlgo);
if (includeCert) {
headers.setX509Chain(KeyManagementUtils.loadAndEncodeX509CertificateOrChain(m, props));
@@ -718,5 +728,15 @@ public final class JweUtils {
throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE);
}
}
-
+ public static JsonWebKeys loadPublicKeyEncryptionKeys(Message m, Properties props) {
+ String storeType = props.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE);
+ if ("jwk".equals(storeType)) {
+ return JwkUtils.loadPublicJwkSet(m, props);
+ } else {
+ //TODO: consider loading all the public keys in the store
+ PublicKey key = KeyManagementUtils.loadPublicKey(m, props);
+ JsonWebKey jwk = JwkUtils.fromPublicKey(key, props, JoseConstants.RSSEC_ENCRYPTION_KEY_ALGORITHM);
+ return new JsonWebKeys(jwk);
+ }
+ }
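Review bot: loadPublicKeyEncryptionKeys at lines 100-110 and JwsUtils.loadPublicVerificationKeys (lines 493-503) are the same method apart from the algorithm property; one shared helper taking the property name would keep the two from drifting. Both dereference `props` on their first line without a null check and compare the store type with the bare literal `"jwk"`, now in two places; if JoseConstants has no constant for that value, adding one is worth it. For a non-JWK store holding an EC key, `fromPublicKey` receives RSSEC_EC_CURVE unset as null, whereas getPublicKeyEncryptionProvider in this same file defaults to P-256 (lines 79-80); the two paths should agree on how a missing curve is treated.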
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/64506829/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
deleted file mode 100644
index dec8006..0000000
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwk;
-
-import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
-
-
-
-
-
-public class DefaultJwkReaderWriter extends JsonMapObjectReaderWriter
- implements JwkReaderWriter {
- @Override
- public String jwkSetToJson(JsonWebKeys jwks) {
- return toJson(jwks);
- }
- @Override
- public JsonWebKeys jsonToJwkSet(String jwksJson) {
- JsonWebKeys jwks = new JsonWebKeys();
- fromJson(jwks, jwksJson);
- return jwks;
- }
- @Override
- public String jwkToJson(JsonWebKey jwk) {
- return toJson(jwk);
- }
- @Override
- public JsonWebKey jsonToJwk(String jwkJson) {
- JsonWebKey jwk = new JsonWebKey();
- fromJson(jwk, jwkJson);
- return jwk;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/64506829/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
index 28011b3..ce53af8 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
@@ -29,6 +29,15 @@ import org.apache.cxf.jaxrs.json.basic.JsonMapObject;
public class JsonWebKeys extends JsonMapObject {
public static final String KEYS_PROPERTY = "keys";
+ public JsonWebKeys() {
+
+ }
+ public JsonWebKeys(JsonWebKey key) {
+ setInitKey(key);
+ }
+ private void setInitKey(JsonWebKey key) {
+ setKey(key);
+ }
public List<JsonWebKey> getKeys() {
List<?> list = (List<?>)super.getProperty(KEYS_PROPERTY);
if (list != null && !list.isEmpty()) {
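Review bot: setInitKey at lines 184-186 only forwards to setKey and adds nothing, so the constructor at line 181 can write the property directly. Both setKey and setKeys are public and overridable, and calling them from a constructor runs subclass code before the subclass is initialised; `public JsonWebKeys(JsonWebKey key) { super.setProperty(KEYS_PROPERTY, Collections.singletonList(key)); }` avoids that. A null key becomes a singleton list holding null, which getKeys (its body continues past this hunk) may not expect; an `Objects.requireNonNull(key, "key")` or a documented contract would settle it.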
@@ -48,7 +57,9 @@ public class JsonWebKeys extends JsonMapObject {
return null;
}
}
-
+ public void setKey(JsonWebKey key) {
+ setKeys(Collections.singletonList(key));
+ }
public void setKeys(List<JsonWebKey> keys) {
super.setProperty(KEYS_PROPERTY, keys);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/64506829/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
index 679b7aa..bbbaaac 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
@@ -18,10 +18,27 @@
*/
package org.apache.cxf.rs.security.jose.jwk;
+import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
-public interface JwkReaderWriter {
- String jwkToJson(JsonWebKey jwk);
- JsonWebKey jsonToJwk(String jwkJson);
- String jwkSetToJson(JsonWebKeys jwkSet);
- JsonWebKeys jsonToJwkSet(String jwkSetJson);
+
+
+
+
+public class JwkReaderWriter extends JsonMapObjectReaderWriter {
+ public String jwkSetToJson(JsonWebKeys jwks) {
+ return toJson(jwks);
+ }
+ public JsonWebKeys jsonToJwkSet(String jwksJson) {
+ JsonWebKeys jwks = new JsonWebKeys();
+ fromJson(jwks, jwksJson);
+ return jwks;
+ }
+ public String jwkToJson(JsonWebKey jwk) {
+ return toJson(jwk);
+ }
+ public JsonWebKey jsonToJwk(String jwkJson) {
+ JsonWebKey jwk = new JsonWebKey();
+ fromJson(jwk, jwkJson);
+ return jwk;
+ }
}
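Review bot: JwkReaderWriter turns from an interface into a concrete class at line 220, and the JwkUtils hunks drop the JwkReaderWriter parameter from the public encrypt/decrypt/load overloads (lines 272-278, 286-295, 303-331, 338-353, 355-383, 391-402, 427-432 and 441-453); both are source- and binary-incompatible for code that implemented the interface or called those overloads. The branch name 3.0.x-fixes suggests a maintenance line (inferred), where keeping the interface alongside a default implementation, or deprecating the old overloads for one release, would be the safer path. The new class also has no Javadoc; `/** Converts JsonWebKey and JsonWebKeys to and from their JSON representation. */` above line 220 would do, and making it `final` unless extension is intended avoids overridable-method surprises later.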
http://git-wip-us.apache.org/repos/asf/cxf/blob/64506829/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
index cd609f5..f927330 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
@@ -114,16 +114,16 @@ public final class JwkUtils {
return readJwkSet(IOUtils.readStringFromStream(is));
}
public static JsonWebKey readJwkKey(String jwkJson) {
- return new DefaultJwkReaderWriter().jsonToJwk(jwkJson);
+ return new JwkReaderWriter().jsonToJwk(jwkJson);
}
public static JsonWebKeys readJwkSet(String jwksJson) {
- return new DefaultJwkReaderWriter().jsonToJwkSet(jwksJson);
+ return new JwkReaderWriter().jsonToJwkSet(jwksJson);
}
public static String jwkKeyToJson(JsonWebKey jwkKey) {
- return new DefaultJwkReaderWriter().jwkToJson(jwkKey);
+ return new JwkReaderWriter().jwkToJson(jwkKey);
}
public static String jwkSetToJson(JsonWebKeys jwkSet) {
- return new DefaultJwkReaderWriter().jwkSetToJson(jwkSet);
+ return new JwkReaderWriter().jwkSetToJson(jwkSet);
}
public static String encodeJwkKey(JsonWebKey jwkKey) {
return Base64UrlUtility.encode(jwkKeyToJson(jwkKey));
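Review bot: Each of the four helpers at lines 247-262 allocates a `new JwkReaderWriter()` per call, and the same pattern repeats in the encrypt/decrypt hunks below (lines 278, 295, 316, 330, 353, 368). If JwkReaderWriter carries no per-instance state (its superclass JsonMapObjectReaderWriter is not visible here, so confirm), a single `private static final JwkReaderWriter READER_WRITER = new JwkReaderWriter();` shared by all of them reads cleaner and makes the stateless assumption explicit.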
@@ -138,13 +138,10 @@ public final class JwkUtils {
return readJwkSet(JoseUtils.decodeToString(jwksJson));
}
public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password) {
- return encryptJwkSet(jwkSet, password, new DefaultJwkReaderWriter());
+ return encryptJwkSet(jwkSet, createDefaultEncryption(password));
}
- public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password, JwkReaderWriter writer) {
- return encryptJwkSet(jwkSet, createDefaultEncryption(password), writer);
- }
- public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe, JwkReaderWriter writer) {
- return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkSetToJson(jwkSet)),
+ public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe) {
+ return jwe.encrypt(StringUtils.toBytesUTF8(new JwkReaderWriter().jwkSetToJson(jwkSet)),
toJweHeaders("jwk-set+json"));
}
public static String encryptJwkSet(JsonWebKeys jwkSet, PublicKey key, KeyAlgorithm keyAlgo,
@@ -161,13 +158,10 @@ public final class JwkUtils {
"jwk-set+json");
}
public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password) {
- return decryptJwkSet(jsonJwkSet, password, new DefaultJwkReaderWriter());
- }
- public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password, JwkReaderWriter reader) {
- return decryptJwkSet(jsonJwkSet, createDefaultDecryption(password), reader);
+ return decryptJwkSet(jsonJwkSet, createDefaultDecryption(password));
}
- public static JsonWebKeys decryptJwkSet(String jsonJwkSet, JweDecryptionProvider jwe, JwkReaderWriter reader) {
- return reader.jsonToJwkSet(jwe.decrypt(jsonJwkSet).getContentText());
+ public static JsonWebKeys decryptJwkSet(String jsonJwkSet, JweDecryptionProvider jwe) {
+ return new JwkReaderWriter().jsonToJwkSet(jwe.decrypt(jsonJwkSet).getContentText());
}
public static JsonWebKeys decryptJwkSet(PrivateKey key, KeyAlgorithm keyAlgo, ContentAlgorithm ctAlgo,
String jsonJwkSet) {
@@ -180,25 +174,20 @@ public final class JwkUtils {
String jsonJwkSet) {
return readJwkSet(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwkSet)));
}
- public static JsonWebKeys decryptJwkSet(InputStream is, char[] password) throws IOException {
- return decryptJwkSet(is, password, new DefaultJwkReaderWriter());
- }
- public static JsonWebKeys decryptJwkSet(InputStream is, char[] password, JwkReaderWriter reader)
+ public static JsonWebKeys decryptJwkSet(InputStream is, char[] password)
throws IOException {
- return decryptJwkSet(is, createDefaultDecryption(password), reader);
+ return decryptJwkSet(is, createDefaultDecryption(password));
}
- public static JsonWebKeys decryptJwkSet(InputStream is, JweDecryptionProvider jwe, JwkReaderWriter reader)
+ public static JsonWebKeys decryptJwkSet(InputStream is, JweDecryptionProvider jwe)
throws IOException {
- return reader.jsonToJwkSet(jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText());
+ return new JwkReaderWriter().jsonToJwkSet(
+ jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText());
}
- public static String encryptJwkKey(JsonWebKey jwk, char[] password) {
- return encryptJwkKey(jwk, password, new DefaultJwkReaderWriter());
+ public static String encryptJwkKey(JsonWebKey jwkKey, char[] password) {
+ return encryptJwkKey(jwkKey, createDefaultEncryption(password));
}
- public static String encryptJwkKey(JsonWebKey jwkKey, char[] password, JwkReaderWriter writer) {
- return encryptJwkKey(jwkKey, createDefaultEncryption(password), writer);
- }
- public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe, JwkReaderWriter writer) {
- return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkToJson(jwkKey)),
+ public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe) {
+ return jwe.encrypt(StringUtils.toBytesUTF8(new JwkReaderWriter().jwkToJson(jwkKey)),
toJweHeaders("jwk+json"));
}
public static String encryptJwkKey(JsonWebKey jwkKey, PublicKey key, KeyAlgorithm keyAlgo,
@@ -215,10 +204,7 @@ public final class JwkUtils {
return JwsUtils.sign(key, algo, jwkKeyToJson(jwkKey), "jwk+json");
}
public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password) {
- return decryptJwkKey(jsonJwkKey, password, new DefaultJwkReaderWriter());
- }
- public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password, JwkReaderWriter reader) {
- return decryptJwkKey(jsonJwkKey, createDefaultDecryption(password), reader);
+ return decryptJwkKey(jsonJwkKey, createDefaultDecryption(password));
}
public static JsonWebKey decryptJwkKey(PrivateKey key, KeyAlgorithm keyAlgo, ContentAlgorithm ctAlgo,
String jsonJwk) {
@@ -231,29 +217,26 @@ public final class JwkUtils {
String jsonJwk) {
return readJwkKey(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwk)));
}
- public static JsonWebKey decryptJwkKey(String jsonJwkKey, JweDecryptionProvider jwe, JwkReaderWriter reader) {
- return reader.jsonToJwk(jwe.decrypt(jsonJwkKey).getContentText());
+ public static JsonWebKey decryptJwkKey(String jsonJwkKey, JweDecryptionProvider jwe) {
+ return new JwkReaderWriter().jsonToJwk(jwe.decrypt(jsonJwkKey).getContentText());
}
- public static JsonWebKey decryptJwkKey(InputStream is, char[] password) throws IOException {
- return decryptJwkKey(is, password, new DefaultJwkReaderWriter());
- }
- public static JsonWebKey decryptJwkKey(InputStream is, char[] password, JwkReaderWriter reader)
+ public static JsonWebKey decryptJwkKey(InputStream is, char[] password)
throws IOException {
- return decryptJwkKey(is, createDefaultDecryption(password), reader);
+ return decryptJwkKey(is, createDefaultDecryption(password));
}
- public static JsonWebKey decryptJwkKey(InputStream is, JweDecryptionProvider jwe, JwkReaderWriter reader)
+ public static JsonWebKey decryptJwkKey(InputStream is, JweDecryptionProvider jwe)
throws IOException {
- return reader.jsonToJwk(jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText());
+ return new JwkReaderWriter().jsonToJwk(
+ jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText());
}
- public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb) {
- return loadJwkSet(m, props, cb, new DefaultJwkReaderWriter());
+ public static JsonWebKeys loadPublicJwkSet(Message m, Properties props) {
+ return loadJwkSet(m, props, null);
}
- public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb,
- JwkReaderWriter reader) {
+ public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb) {
String key = (String)props.get(JoseConstants.RSSEC_KEY_STORE_FILE);
JsonWebKeys jwkSet = key != null ? (JsonWebKeys)m.getExchange().get(key) : null;
if (jwkSet == null) {
- jwkSet = loadJwkSet(props, m.getExchange().getBus(), cb, reader);
+ jwkSet = loadJwkSet(props, m.getExchange().getBus(), cb);
if (key != null) {
m.getExchange().put(key, jwkSet);
}
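Review bot: loadPublicJwkSet at lines 373-375 returns whatever the JWK store holds, it only skips the password callback, so if the configured store also contains private JWKs (the same file used for signing and verification) the "public" set handed to JweUtils.loadPublicKeyEncryptionKeys and JwsUtils.loadPublicVerificationKeys carries private parameters, and any caller that later exposes that set (none is visible in this commit) would expose them too. Either strip private members before returning or state the expectation in Javadoc, e.g. `/** Loads the JWK set without a password callback; the store is expected to hold public keys only, no filtering is applied. */`. Passing null as the callback also means an encrypted JWK store fails later inside jsonToJwkSet with a parse error rather than a clear message. loadJwkSet's body continues past this hunk.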
@@ -261,16 +244,12 @@ public final class JwkUtils {
return jwkSet;
}
public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider cb) {
- return loadJwkSet(props, bus, cb, new DefaultJwkReaderWriter());
- }
- public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider cb,
- JwkReaderWriter reader) {
JweDecryptionProvider decryption = cb != null
? new AesCbcHmacJweDecryption(new PbesHmacAesWrapKeyDecryptionAlgorithm(
cb.getPassword(props))) : null;
- return loadJwkSet(props, bus, decryption, reader);
+ return loadJwkSet(props, bus, decryption);
}
- public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JweDecryptionProvider jwe, JwkReaderWriter reader) {
+ public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JweDecryptionProvider jwe) {
String keyContent = null;
String keyStoreLoc = props.getProperty(JoseConstants.RSSEC_KEY_STORE_FILE);
if (keyStoreLoc != null) {
@@ -292,25 +271,21 @@ public final class JwkUtils {
if (jwe != null) {
keyContent = jwe.decrypt(keyContent).getContentText();
}
+ JwkReaderWriter reader = new JwkReaderWriter();
if (props.getProperty(JoseConstants.RSSEC_KEY_STORE_JWKKEY) == null) {
return reader.jsonToJwkSet(keyContent);
} else {
- JsonWebKey key = reader.jsonToJwk(keyContent);
- JsonWebKeys keys = new JsonWebKeys();
- keys.setKeys(Collections.singletonList(key));
- return keys;
+ JsonWebKey jwk = reader.jsonToJwk(keyContent);
+ return new JsonWebKeys(jwk);
}
}
+
public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper) {
return loadJsonWebKey(m, props, keyOper, null);
}
public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper, String inHeaderKid) {
- return loadJsonWebKey(m, props, keyOper, inHeaderKid, new DefaultJwkReaderWriter());
- }
- public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper, String inHeaderKid,
- JwkReaderWriter reader) {
PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props, keyOper);
- JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
+ JsonWebKeys jwkSet = loadJwkSet(m, props, cb);
String kid = null;
if (inHeaderKid != null
&& MessageUtils.getContextualBoolean(m, JoseConstants.RSSEC_ACCEPT_PUBLIC_KEY, false)) {
@@ -328,15 +303,11 @@ public final class JwkUtils {
}
return null;
}
- public static List<JsonWebKey> loadJsonWebKeys(Message m, Properties props, KeyOperation keyOper) {
- return loadJsonWebKeys(m, props, keyOper, new DefaultJwkReaderWriter());
- }
-
- public static List<JsonWebKey> loadJsonWebKeys(Message m, Properties props,
- KeyOperation keyOper,
- JwkReaderWriter reader) {
+ public static List<JsonWebKey> loadJsonWebKeys(Message m,
+ Properties props,
+ KeyOperation keyOper) {
PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props, keyOper);
- JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
+ JsonWebKeys jwkSet = loadJwkSet(m, props, cb);
String kid = KeyManagementUtils.getKeyId(m, props, JoseConstants.RSSEC_KEY_STORE_ALIAS, keyOper);
if (kid != null) {
return Collections.singletonList(jwkSet.getKey(kid));
@@ -400,6 +371,16 @@ public final class JwkUtils {
jwk.setProperty(JsonWebKey.RSA_PUBLIC_EXP, encodedPublicExponent);
return jwk;
}
+ public static JsonWebKey fromPublicKey(PublicKey key, Properties props, String algoProp) {
+ // EC keys can be supported once we figure out how to get a curve name
+ // from an EC key instance or if a curve property is introduced
+ if (key instanceof RSAPublicKey) {
+ return JwkUtils.fromRSAPublicKey((RSAPublicKey)key, algoProp);
+ } else {
+ return JwkUtils.fromECPublicKey((ECPublicKey)key,
+ props.getProperty(JoseConstants.RSSEC_EC_CURVE));
+ }
+ }
public static JsonWebKey fromX509CertificateChain(List<X509Certificate> chain, String algo) {
JsonWebKey jwk = new JsonWebKey();
jwk.setAlgorithm(algo);
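Review bot: fromPublicKey at lines 461-470 casts anything that is not an RSAPublicKey to ECPublicKey, so a DSA or other key type fails with a ClassCastException instead of a meaningful error, and when RSSEC_EC_CURVE is unset it passes null as the curve, whereas the JweUtils hunk in this commit defaults to P-256 for the same property. The comment at lines 462-463 is also stale: it says EC keys are not yet supported while the code below it handles them. Since the curve is configured rather than derived from the key, a missing value should fail explicitly rather than yield a JWK whose "crv" misdescribes the key; the rewrite below guards the key type and the curve and drops the stale comment.
```java
public static JsonWebKey fromPublicKey(PublicKey key, Properties props, String algoProp) {
    if (key instanceof RSAPublicKey) {
        return fromRSAPublicKey((RSAPublicKey)key, algoProp);
    }
    if (key instanceof ECPublicKey) {
        // The curve name comes from configuration, not from the key, so it must be explicit
        String curve = props.getProperty(JoseConstants.RSSEC_EC_CURVE);
        if (curve == null) {
            throw new IllegalArgumentException(JoseConstants.RSSEC_EC_CURVE + " must be set for EC keys");
        }
        return fromECPublicKey((ECPublicKey)key, curve);
    }
    throw new IllegalArgumentException("Unsupported public key type: " + key.getAlgorithm());
}
```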
http://git-wip-us.apache.org/repos/asf/cxf/blob/64506829/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index cda4538..2cbc23b 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -46,6 +46,7 @@ import org.apache.cxf.rs.security.jose.common.KeyManagementUtils;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
+import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jwk.KeyOperation;
import org.apache.cxf.rs.security.jose.jwk.KeyType;
@@ -459,5 +460,15 @@ public final class JwsUtils {
throw new JwsException(JwsException.Error.INVALID_KEY);
}
}
-
+ public static JsonWebKeys loadPublicVerificationKeys(Message m, Properties props) {
+ String storeType = props.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE);
+ if ("jwk".equals(storeType)) {
+ return JwkUtils.loadPublicJwkSet(m, props);
+ } else {
+ //TODO: consider loading all the public keys in the store
+ PublicKey key = KeyManagementUtils.loadPublicKey(m, props);
+ JsonWebKey jwk = JwkUtils.fromPublicKey(key, props, JoseConstants.RSSEC_SIGNATURE_ALGORITHM);
+ return new JsonWebKeys(jwk);
+ }
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/64506829/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 6ee14ac..6011577 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -122,6 +122,8 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
} else if (keys.getKeys().size() == 1) {
key = keys.getKeys().get(0);
}
+ //jwkSetClient returns the most up-to-date keys
+ keyMap.clear();
keyMap.putAll(keys.getKeyIdMap());
}
}
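Review bot: `keyMap.clear()` at line 516 followed by `putAll` at line 517 leaves a window in which a concurrent reader sees an empty or partially filled map; if AbstractTokenValidator instances are shared between request threads (likely for a validator, but not confirmable from this hunk), a key-id lookup racing with the refresh fails spuriously, and if keyMap is a plain HashMap the concurrent structural change is unsafe. Replacing the contents in one step, e.g. building the new map first and assigning it to a volatile field, or guarding the refresh and the lookups with one lock, closes the window. The enclosing method begins and ends outside this hunk, so the refresh trigger is not visible here.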