Posted to commits@cxf.apache.org by se...@apache.org on 2014/07/09 22:44:00 UTC
git commit: Updating OAuth2 Client to hold the whole public cert
chain if needed
Repository: cxf
Updated Branches:
refs/heads/master ebf24b72c -> 2c9464299
Updating OAuth2 Client to hold the whole public cert chain if needed
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2c946429
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2c946429
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2c946429
Branch: refs/heads/master
Commit: 2c9464299c2ec61779dd0e885802c2b6072df191
Parents: ebf24b7
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Wed Jul 9 21:43:37 2014 +0100
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Wed Jul 9 21:43:37 2014 +0100
----------------------------------------------------------------------
.../cxf/rs/security/oauth2/common/Client.java | 12 ++++----
.../oauth2/common/OAuthAuthorizationData.java | 11 ++++----
.../oauth2/services/AbstractTokenService.java | 29 ++++++++++++--------
.../services/RedirectionBasedGrantService.java | 2 +-
.../utils/crypto/ModelEncryptionSupport.java | 6 ++--
.../security/oauth2/OAuthDataProviderImpl.java | 3 +-
6 files changed, 36 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
index 88a3c4a..f87370b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
@@ -38,7 +38,7 @@ public class Client implements Serializable {
private String applicationDescription;
private String applicationWebUri;
private String applicationLogoUri;
- private String applicationCertificate;
+ private List<String> applicationCertificates = new LinkedList<String>();
private List<String> redirectUris = new LinkedList<String>();
private boolean isConfidential;
@@ -283,16 +283,16 @@ public class Client implements Serializable {
this.registeredAudiences = registeredAudiences;
}
- public String getApplicationCertificate() {
- return applicationCertificate;
+ public List<String> getApplicationCertificates() {
+ return applicationCertificates;
}
/*
- * Set the optional Base64 encoded Application Public X509 Certificate
+ * Set the Base64 encoded Application Public X509 Certificate
* It can be used in combination with the clientSecret property to support
* Basic or other password-aware authentication on top of 2-way TLS.
*/
- public void setApplicationCertificate(String applicationCertificate) {
- this.applicationCertificate = applicationCertificate;
+ public void setApplicationCertificates(List<String> applicationCertificates) {
+ this.applicationCertificates = applicationCertificates;
}
}
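Review bot: setApplicationCertificates stores the caller's list as-is, so a data provider passing null replaces the LinkedList the field is initialised with on line 40, and the `!client.getApplicationCertificates().isEmpty()` check this same commit adds to AbstractTokenService then fails with NullPointerException instead of rejecting the client; OAuthAuthorizationData's new setter has the same shape. Normalising in the setter keeps the getter's non-null contract: `this.applicationCertificates = applicationCertificates == null ? new LinkedList<String>() : applicationCertificates;`. The comment above the setter still describes a single certificate and is a plain `/*` block rather than Javadoc; `Set the Base64 encoded Application Public X509 Certificate chain, leaf certificate first (compareTlsCertificates compares it position by position against the TLS peer certificates)` would match the list type, with the ordering hedged until TLSSessionInfo.getPeerCertificates() is confirmed to be leaf-first.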
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index 0b98d08..5c3201f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth2.common;
import java.io.Serializable;
import java.util.HashMap;
+import java.util.LinkedList;
import java.util.List;
import java.util.Map;
@@ -48,7 +49,7 @@ public class OAuthAuthorizationData implements Serializable {
private String applicationWebUri;
private String applicationDescription;
private String applicationLogoUri;
- private String applicationCertificate;
+ private List<String> applicationCertificates = new LinkedList<String>();
private Map<String, String> extraApplicationProperties = new HashMap<String, String>();
private List<? extends Permission> permissions;
@@ -263,12 +264,12 @@ public class OAuthAuthorizationData implements Serializable {
this.audience = audience;
}
- public String getApplicationCertificate() {
- return applicationCertificate;
+ public List<String> getApplicationCertificates() {
+ return applicationCertificates;
}
- public void setApplicationCertificate(String applicationCertificate) {
- this.applicationCertificate = applicationCertificate;
+ public void setApplicationCertificates(List<String> applicationCertificates) {
+ this.applicationCertificates = applicationCertificates;
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index 8c79579..c70e6d6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -23,6 +23,7 @@ import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
+import java.util.List;
import javax.security.auth.x500.X500Principal;
import javax.ws.rs.core.MediaType;
@@ -77,9 +78,9 @@ public class AbstractTokenService extends AbstractOAuthService {
client = getClientFromBasicAuthScheme();
}
}
- if (client != null && client.getApplicationCertificate() != null) {
+ if (client != null && !client.getApplicationCertificates().isEmpty()) {
// Validate the client application certificates
- compareTlsCertificates(getTlsSessionInfo(), client.getApplicationCertificate());
+ compareTlsCertificates(getTlsSessionInfo(), client.getApplicationCertificates());
}
if (client == null) {
reportInvalidClient();
@@ -151,18 +152,24 @@ public class AbstractTokenService extends AbstractOAuthService {
return null;
}
- protected void compareTlsCertificates(TLSSessionInfo tlsInfo, String base64EncodedCert) {
+ protected void compareTlsCertificates(TLSSessionInfo tlsInfo,
+ List<String> base64EncodedCerts) {
if (tlsInfo != null) {
Certificate[] clientCerts = tlsInfo.getPeerCertificates();
- try {
- X509Certificate cert = (X509Certificate)clientCerts[0];
- byte[] encodedKey = cert.getEncoded();
- byte[] clientKey = Base64Utility.decode(base64EncodedCert);
- if (Arrays.equals(encodedKey, clientKey)) {
+ if (clientCerts.length == base64EncodedCerts.size()) {
+ try {
+ for (int i = 0; i < clientCerts.length; i++) {
+ X509Certificate x509Cert = (X509Certificate)clientCerts[i];
+ byte[] encodedKey = x509Cert.getEncoded();
+ byte[] clientKey = Base64Utility.decode(base64EncodedCerts.get(i));
+ if (!Arrays.equals(encodedKey, clientKey)) {
+ reportInvalidClient();
+ }
+ }
return;
- }
- } catch (Exception ex) {
- // throw exception later
+ } catch (Exception ex) {
+ // throw exception later
+ }
}
}
reportInvalidClient();
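Review bot: The length comparison on line 135 now runs outside the try block, so a null array from `tlsInfo.getPeerCertificates()` (or a null list from a data provider) raises NullPointerException at `clientCerts.length`, whereas the old `clientCerts[0]` inside the try was caught and turned into reportInvalidClient(); whether getPeerCertificates() can return null is not visible here. The loop also depends on reportInvalidClient() throwing: if it ever returns, the mismatch on line 141 is reported once, the loop continues, and the method reaches `return` and accepts the client, while the `catch (Exception ex)` around the call swallows the first exception and the trailing call raises a second one. Tracking the outcome in a local and deciding after the loop removes both dependencies, as below; the method's closing brace lies outside the hunk. Equal lengths are now required, so a client registered with only its leaf certificate is rejected when the peer presents a full chain, which the previous code accepted; if that is intended it belongs in the method's Javadoc.
```java
protected void compareTlsCertificates(TLSSessionInfo tlsInfo,
                                      List<String> base64EncodedCerts) {
    boolean matched = false;
    if (tlsInfo != null) {
        Certificate[] clientCerts = tlsInfo.getPeerCertificates();
        if (clientCerts != null && base64EncodedCerts != null
            && clientCerts.length == base64EncodedCerts.size()) {
            try {
                matched = true;
                for (int i = 0; i < clientCerts.length && matched; i++) {
                    X509Certificate x509Cert = (X509Certificate)clientCerts[i];
                    byte[] encodedKey = x509Cert.getEncoded();
                    byte[] clientKey = Base64Utility.decode(base64EncodedCerts.get(i));
                    matched = Arrays.equals(encodedKey, clientKey);
                }
            } catch (Exception ex) {
                // decoding or cast failure counts as a mismatch and is reported below
                matched = false;
            }
        }
    }
    if (matched) {
        return;
    }
    reportInvalidClient();
```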
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 67f12ea..b42d6c3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -196,7 +196,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
secData.setApplicationDescription(client.getApplicationDescription());
secData.setApplicationLogoUri(client.getApplicationLogoUri());
secData.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
- secData.setApplicationName(client.getApplicationCertificate());
+ secData.setApplicationCertificates(client.getApplicationCertificates());
Map<String, String> extraProperties = client.getProperties();
secData.setExtraApplicationProperties(extraProperties);
String replyTo = getMessageContext().getUriInfo()
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
index ce76c0a..d8b4444 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
@@ -328,7 +328,7 @@ public final class ModelEncryptionSupport {
getStringPart(parts[3]), getStringPart(parts[4]));
c.setApplicationDescription(getStringPart(parts[5]));
c.setApplicationLogoUri(getStringPart(parts[6]));
- c.setApplicationLogoUri(getStringPart(parts[7]));
+ c.setApplicationCertificates(parseSimpleList(parts[7]));
c.setAllowedGrantTypes(parseSimpleList(parts[8]));
c.setRegisteredScopes(parseSimpleList(parts[9]));
c.setRedirectUris(parseSimpleList(parts[10]));
@@ -360,8 +360,8 @@ public final class ModelEncryptionSupport {
// 6: app logo URI
state.append(tokenizeString(client.getApplicationLogoUri()));
state.append(SEP);
- // 7: app certificate
- state.append(tokenizeString(client.getApplicationCertificate()));
+ // 7: app certificates
+ state.append(client.getApplicationCertificates());
state.append(SEP);
// 8: grants
state.append(client.getAllowedGrantTypes().toString());
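Review bot: An empty certificate list is written on line 192 as `[]` via List.toString(), and whether `parseSimpleList` on the read side (line 181, `c.setApplicationCertificates(parseSimpleList(parts[7]))`) turns `[]` back into an empty list rather than a list holding one blank string is not visible here. If it does not, a certificate-less client comes back from a decrypt round-trip with one entry, AbstractTokenService's `!getApplicationCertificates().isEmpty()` check then routes it through compareTlsCertificates, and every such client is rejected; the grants line below takes the same path, so the behaviour of `parseSimpleList("[]")` is worth pinning in a test. Writing the list explicitly as `state.append(client.getApplicationCertificates().toString());` would match the grants line and make the `[..]` format intentional. The removed line passed the value through tokenizeString(); confirm that SEP cannot occur in Base64 output before relying on the untokenized form.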
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
index 23b681d..bf6d618 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
@@ -20,6 +20,7 @@ package org.apache.cxf.systest.jaxrs.security.oauth2;
import java.io.InputStream;
import java.security.cert.Certificate;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -57,7 +58,7 @@ public class OAuthDataProviderImpl implements OAuthDataProvider {
null,
null);
client2.getAllowedGrantTypes().add("custom_grant");
- client2.setApplicationCertificate(encodedCert);
+ client2.setApplicationCertificates(Collections.singletonList(encodedCert));
clients.put(client2.getClientId(), client2);
}