Posted to commits@cxf.apache.org by se...@apache.org on 2014/12/04 23:00:23 UTC
cxf git commit: Support for jose store context properties
Repository: cxf
Updated Branches:
refs/heads/master d1a52f292 -> 716f3a148
Support for jose store context properties
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/716f3a14
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/716f3a14
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/716f3a14
Branch: refs/heads/master
Commit: 716f3a148849b4975a8d8b4c86d563ec2058bb54
Parents: d1a52f2
Author: Sergey Beryozkin <sb...@talend.com>
Authored: Thu Dec 4 21:59:57 2014 +0000
Committer: Sergey Beryozkin <sb...@talend.com>
Committed: Thu Dec 4 21:59:57 2014 +0000
----------------------------------------------------------------------
.../security/jose/jaxrs/KeyManagementUtils.java | 35 +++++++++
.../cxf/rs/security/jose/jwe/JweUtils.java | 81 +++++++++-----------
.../cxf/rs/security/jose/jws/JwsUtils.java | 57 ++++++--------
.../jaxrs/security/jwt/JAXRSJweJwsTest.java | 6 +-
.../cxf/systest/jaxrs/security/jwt/server.xml | 3 +-
.../jaxrs/security/public.jwk.properties | 20 -----
6 files changed, 95 insertions(+), 107 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/716f3a14/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
index 6e256ed..58869d8 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
@@ -217,4 +217,39 @@ public final class KeyManagementUtils {
}
return algo;
}
+
+ public static Properties loadStoreProperties(Message m, boolean required,
+ String storeProp1, String storeProp2) {
+ if (m == null) {
+ if (required) {
+ throw new SecurityException();
+ }
+ return null;
+ }
+ Properties props = null;
+ String propLoc =
+ (String)MessageUtils.getContextualProperty(m, storeProp1, storeProp2);
+ if (propLoc != null) {
+ try {
+ props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
+ } catch (Exception ex) {
+ throw new SecurityException(ex);
+ }
+ } else {
+ String keyFile = (String)m.getContextualProperty(RSSEC_KEY_STORE_FILE);
+ if (keyFile != null) {
+ props = new Properties();
+ props.setProperty(KeyManagementUtils.RSSEC_KEY_STORE_FILE, keyFile);
+ String type = (String)m.getContextualProperty(RSSEC_KEY_STORE_TYPE);
+ if (type == null) {
+ type = "jwk";
+ }
+ props.setProperty(RSSEC_KEY_STORE_TYPE, type);
+ }
+ }
+ if (props == null && required) {
+ throw new SecurityException();
+ }
+ return props;
+ }
}
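Review bot: Both `throw new SecurityException()` calls in loadStoreProperties (the null-message guard and the final `props == null && required` check) carry no message, so a deployment that forgot to set `storeProp1`, `storeProp2` or `rs.security.keystore.file` fails with nothing to act on; `throw new SecurityException("None of " + storeProp1 + ", " + storeProp2 + " or " + RSSEC_KEY_STORE_FILE + " is configured");` names the missing configuration without exposing any key material. The fallback branch hard-codes `"jwk"` for the store type where the JweUtils and JwsUtils hunks compare against `JwkUtils.JWK_KEY_STORE_TYPE`; using that constant, if KeyManagementUtils may depend on it, keeps the two from drifting. The method also has no Javadoc, and it needs one stating the lookup order (`storeProp1`, then `storeProp2`, then the bare keystore file and type pair defaulting to jwk) and that `required` only fails when none of the three is present, because that weakened meaning of `required` is the behavioural change every load* caller in this commit inherits.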
http://git-wip-us.apache.org/repos/asf/cxf/blob/716f3a14/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 956e143..ad05e0f 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -26,9 +26,7 @@ import java.util.Properties;
import javax.crypto.SecretKey;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rs.security.jose.JoseConstants;
import org.apache.cxf.rs.security.jose.JoseHeaders;
import org.apache.cxf.rs.security.jose.JoseUtils;
@@ -216,33 +214,24 @@ public final class JweUtils {
getContentDecryptionAlgorithm(key.getAlgorithm()));
}
public static JweEncryptionProvider loadEncryptionProvider(boolean required) {
- Message m = JAXRSUtils.getCurrentMessage();
- if (m != null) {
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_ENCRYPTION_OUT_PROPS, RSSEC_ENCRYPTION_PROPS);
- if (propLoc != null) {
- return loadEncryptionProvider(propLoc, m);
- }
- }
- if (required) {
- throw new SecurityException();
- }
- return null;
+ return loadEncryptionProvider(JAXRSUtils.getCurrentMessage(), required);
}
- public static JweEncryptionProvider loadEncryptionProvider(String propLoc, Message m) {
- KeyEncryptionAlgorithm keyEncryptionProvider = null;
- Properties props = null;
- try {
- props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
- } catch (Exception ex) {
- throw new SecurityException(ex);
+ public static JweEncryptionProvider loadEncryptionProvider(Message m, boolean required) {
+
+ Properties props = KeyManagementUtils.loadStoreProperties(m, required,
+ RSSEC_ENCRYPTION_OUT_PROPS, RSSEC_ENCRYPTION_PROPS);
+ if (props == null) {
+ return null;
}
- String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null);
+
+ KeyEncryptionAlgorithm keyEncryptionProvider = null;
+ String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null, null);
String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null);
ContentEncryptionAlgorithm ctEncryptionProvider = null;
if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
- keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm());
+ keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm(),
+ getDefaultKeyAlgo(jwk));
if ("direct".equals(keyEncryptionAlgo)) {
contentEncryptionAlgo = getContentEncryptionAlgo(m, props, jwk.getAlgorithm());
ctEncryptionProvider = getContentEncryptionAlgorithm(jwk, contentEncryptionAlgo);
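Review bot: The new public `loadEncryptionProvider(Message m, boolean required)` has no Javadoc, and its contract changed in a way the signature does not show: when the encryption-specific properties are absent, `KeyManagementUtils.loadStoreProperties` now builds a store from a contextual `rs.security.keystore.file`, so `required` no longer means that encryption properties were configured for this operation. A summary such as `Loads a JWE encryption provider from the message's encryption properties, falling back to a contextual keystore file; throws SecurityException when none is available and required is true` would make that visible to callers. The same documentation is missing on `loadDecryptionProvider(Message, boolean)` in the next hunk and on the JWS `loadSignatureProvider`/`loadSignatureVerifier` counterparts. The body of loadEncryptionProvider continues past the end of this hunk.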
@@ -260,33 +249,22 @@ public final class JweUtils {
props.getProperty(JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP));
}
public static JweDecryptionProvider loadDecryptionProvider(boolean required) {
- Message m = JAXRSUtils.getCurrentMessage();
- if (m != null) {
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_ENCRYPTION_IN_PROPS, RSSEC_ENCRYPTION_PROPS);
- if (propLoc != null) {
- return loadDecryptionProvider(propLoc, m);
- }
- }
- if (required) {
- throw new SecurityException();
- }
- return null;
+ return loadDecryptionProvider(JAXRSUtils.getCurrentMessage(), required);
}
- public static JweDecryptionProvider loadDecryptionProvider(String propLoc, Message m) {
- KeyDecryptionAlgorithm keyDecryptionProvider = null;
- Properties props = null;
- try {
- props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
- } catch (Exception ex) {
- throw new SecurityException(ex);
+ public static JweDecryptionProvider loadDecryptionProvider(Message m, boolean required) {
+ Properties props = KeyManagementUtils.loadStoreProperties(m, required,
+ RSSEC_ENCRYPTION_IN_PROPS, RSSEC_ENCRYPTION_PROPS);
+ if (props == null) {
+ return null;
}
+ KeyDecryptionAlgorithm keyDecryptionProvider = null;
String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null);
SecretKey ctDecryptionKey = null;
- String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null);
+ String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null, null);
if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_DECRYPT);
- keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm());
+ keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm(),
+ getDefaultKeyAlgo(jwk));
if ("direct".equals(keyEncryptionAlgo)) {
contentEncryptionAlgo = getContentEncryptionAlgo(m, props, contentEncryptionAlgo);
ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentEncryptionAlgo);
@@ -422,13 +400,24 @@ public final class JweUtils {
return getDirectKeyJweDecryption(ctDecryptionKey, contentDecryptionAlgo);
}
}
- private static String getKeyEncryptionAlgo(Message m, Properties props, String algo) {
+ private static String getKeyEncryptionAlgo(Message m, Properties props,
+ String algo, String defaultAlgo) {
if (algo == null) {
+ if (defaultAlgo == null) {
+ defaultAlgo = JoseConstants.RSA_OAEP_ALGO;
+ }
return KeyManagementUtils.getKeyAlgorithm(m, props,
- JSON_WEB_ENCRYPTION_KEY_ALGO_PROP, JoseConstants.RSA_OAEP_ALGO);
+ JSON_WEB_ENCRYPTION_KEY_ALGO_PROP, defaultAlgo);
}
return algo;
}
+ private static String getDefaultKeyAlgo(JsonWebKey jwk) {
+ if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
+ return JoseConstants.A128GCMKW_ALGO;
+ } else {
+ return JoseConstants.RSA_OAEP_ALGO;
+ }
+ }
private static String getContentEncryptionAlgo(Message m, Properties props, String algo) {
if (algo == null) {
return KeyManagementUtils.getKeyAlgorithm(m, props,
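Review bot: `getDefaultKeyAlgo` returns `JoseConstants.A128GCMKW_ALGO` for every octet key, so the default is only correct when that key is 128 bits; an octet JWK of another length that carries no `alg` and no `JSON_WEB_ENCRYPTION_KEY_ALGO_PROP` value would be paired with a key-wrapping algorithm of the wrong size and presumably fail later with a less obvious error. If the key length is available from `JsonWebKey`, deriving the GCMKW variant from it would be safer; otherwise a comment `// assumes a 128-bit octet key; other lengths must set 'alg' or the key algorithm property` should record the assumption. In `getKeyEncryptionAlgo` the `defaultAlgo` parameter is reassigned; a local `String effectiveDefault = defaultAlgo != null ? defaultAlgo : JoseConstants.RSA_OAEP_ALGO;` passed to `getKeyAlgorithm` reads more clearly. getContentEncryptionAlgo starts in this hunk but its body continues past it.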
http://git-wip-us.apache.org/repos/asf/cxf/blob/716f3a14/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 66be06c..aef782a 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -31,7 +31,6 @@ import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.jaxrs.utils.ResourceUtils;
import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rs.security.jose.JoseConstants;
import org.apache.cxf.rs.security.jose.JoseHeaders;
import org.apache.cxf.rs.security.jose.JoseUtils;
@@ -133,39 +132,22 @@ public final class JwsUtils {
return map;
}
public static JwsSignatureProvider loadSignatureProvider(boolean required) {
- Message m = JAXRSUtils.getCurrentMessage();
- if (m != null) {
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_OUT_PROPS, RSSEC_SIGNATURE_PROPS);
- if (propLoc != null) {
- return loadSignatureProvider(propLoc, m);
- }
- }
- if (required) {
- throw new SecurityException();
- }
- return null;
+ return loadSignatureProvider(JAXRSUtils.getCurrentMessage(), required);
}
- public static JwsSignatureProvider loadSignatureProvider(String propLoc, Message m) {
- return loadSignatureProvider(propLoc, m, false);
+ public static JwsSignatureProvider loadSignatureProvider(Message m, boolean required) {
+ Properties props = KeyManagementUtils.loadStoreProperties(m, required,
+ RSSEC_SIGNATURE_OUT_PROPS, RSSEC_SIGNATURE_PROPS);
+ if (props == null) {
+ return null;
+ }
+ return loadSignatureProvider(m, props, false);
}
public static JwsSignatureVerifier loadSignatureVerifier(boolean required) {
- Message m = JAXRSUtils.getCurrentMessage();
- if (m != null) {
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_IN_PROPS, RSSEC_SIGNATURE_PROPS);
- if (propLoc != null) {
- return loadSignatureVerifier(propLoc, m);
- }
- }
- if (required) {
- throw new SecurityException();
- }
- return null;
+ return loadSignatureVerifier(JAXRSUtils.getCurrentMessage(), required);
}
public static List<JwsSignatureProvider> loadSignatureProviders(String propLoc, Message m) {
Properties props = loadProperties(m, propLoc);
- JwsSignatureProvider theSigProvider = loadSignatureProvider(propLoc, m, true);
+ JwsSignatureProvider theSigProvider = loadSignatureProvider(m, props, true);
if (theSigProvider != null) {
return Collections.singletonList(theSigProvider);
}
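Review bot: The public overloads `loadSignatureProvider(String propLoc, Message m)` and `loadSignatureVerifier(String propLoc, Message m)` are removed (this hunk and the next) while `loadSignatureProviders(String propLoc, Message m)` and `loadSignatureVerifiers(String propLoc, Message m)` keep the propLoc form, so any external caller that passed a properties location loses its method and the remaining public API mixes two lookup styles. If those overloads had users, a delegating replacement `return loadSignatureProvider(m, loadProperties(m, propLoc), false);` (and the verifier equivalent) keeps them working and matches how `loadSignatureProviders` now obtains its properties.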
@@ -184,13 +166,18 @@ public final class JwsUtils {
}
return theSigProviders;
}
- public static JwsSignatureVerifier loadSignatureVerifier(String propLoc, Message m) {
- return loadSignatureVerifier(propLoc, m, false);
+ public static JwsSignatureVerifier loadSignatureVerifier(Message m, boolean required) {
+ Properties props = KeyManagementUtils.loadStoreProperties(m, required,
+ RSSEC_SIGNATURE_IN_PROPS, RSSEC_SIGNATURE_PROPS);
+ if (props == null) {
+ return null;
+ }
+ return loadSignatureVerifier(m, props, false);
}
public static List<JwsSignatureVerifier> loadSignatureVerifiers(String propLoc, Message m) {
Properties props = loadProperties(m, propLoc);
- JwsSignatureVerifier theVerifier = loadSignatureVerifier(propLoc, m, true);
+ JwsSignatureVerifier theVerifier = loadSignatureVerifier(m, props, true);
if (theVerifier != null) {
return Collections.singletonList(theVerifier);
}
@@ -213,8 +200,8 @@ public final class JwsUtils {
//TODO: validate JWS specific constraints
return JoseUtils.validateCriticalHeaders(headers);
}
- private static JwsSignatureProvider loadSignatureProvider(String propLoc, Message m, boolean ignoreNullProvider) {
- Properties props = loadProperties(m, propLoc);
+ private static JwsSignatureProvider loadSignatureProvider(Message m, Properties props,
+ boolean ignoreNullProvider) {
JwsSignatureProvider theSigProvider = null;
String rsaSignatureAlgo = null;
if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
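Review bot: The private `loadSignatureProvider(Message m, Properties props, boolean ignoreNullProvider)` now dereferences a caller-supplied `props` at `props.get(...)` with no null check; the public callers in this commit return before reaching it, but `loadSignatureProviders` passes the result of `loadProperties(m, propLoc)` directly, whose null behaviour is not visible here. A one-line contract comment on the parameter, `// props must be non-null; public entry points check this before delegating`, documents the assumption for the next caller, and the same applies to `loadSignatureVerifier(Message, Properties, boolean)` in the next hunk. Both method bodies continue past their hunks.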
@@ -234,8 +221,8 @@ public final class JwsUtils {
}
return theSigProvider;
}
- private static JwsSignatureVerifier loadSignatureVerifier(String propLoc, Message m, boolean ignoreNullVerifier) {
- Properties props = loadProperties(m, propLoc);
+ private static JwsSignatureVerifier loadSignatureVerifier(Message m, Properties props,
+ boolean ignoreNullVerifier) {
JwsSignatureVerifier theVerifier = null;
String rsaSignatureAlgo = null;
if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/716f3a14/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
index 6520caa..cd113ae 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
@@ -60,8 +60,6 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase {
"org/apache/cxf/systest/jaxrs/security/bob.rs.properties";
private static final String SERVER_JWEJWS_PROPERTIES =
"org/apache/cxf/systest/jaxrs/security/alice.rs.properties";
- private static final String PUBLIC_JWEJWS_PROPERTIES =
- "org/apache/cxf/systest/jaxrs/security/public.jwk.properties";
private static final String ENCODED_MAC_KEY = "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75"
+ "aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow";
@BeforeClass
@@ -206,10 +204,10 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase {
providers.add(new JwsClientResponseFilter());
bean.setProviders(providers);
- bean.getProperties(true).put("rs.security.encryption.out.properties", PUBLIC_JWEJWS_PROPERTIES);
+ bean.getProperties(true).put("rs.security.keystore.file",
+ "org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt");
bean.getProperties(true).put("rs.security.signature.out.properties", CLIENT_JWEJWS_PROPERTIES);
bean.getProperties(true).put("rs.security.encryption.in.properties", CLIENT_JWEJWS_PROPERTIES);
- bean.getProperties(true).put("rs.security.signature.in.properties", PUBLIC_JWEJWS_PROPERTIES);
PrivateKeyPasswordProvider provider = new PrivateKeyPasswordProviderImpl();
bean.getProperties(true).put("rs.security.signature.key.password.provider", provider);
bean.getProperties(true).put("rs.security.decryption.key.password.provider", provider);
http://git-wip-us.apache.org/repos/asf/cxf/blob/716f3a14/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
index 64986d9..e07ba5c 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
@@ -110,9 +110,8 @@ under the License.
</jaxrs:providers>
<jaxrs:properties>
<entry key="rs.security.encryption.in.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
- <entry key="rs.security.signature.in.properties" value="org/apache/cxf/systest/jaxrs/security/public.jwk.properties"/>
- <entry key="rs.security.encryption.out.properties" value="org/apache/cxf/systest/jaxrs/security/public.jwk.properties"/>
<entry key="rs.security.signature.out.properties" value="org/apache/cxf/systest/jaxrs/security/alice.rs.properties"/>
+ <entry key="rs.security.keystore.file" value="org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt"/>
<entry key="rs.security.keystore.alias.jwe.out" value="BobCert"/>
<entry key="rs.security.keystore.alias.jws.in" value="BobCert"/>
<entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
http://git-wip-us.apache.org/repos/asf/cxf/blob/716f3a14/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
deleted file mode 100644
index a5f89b7..0000000
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
+++ /dev/null
@@ -1,20 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-rs.security.keystore.type=jwk
-rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt