Posted to commits@cxf.apache.org by se...@apache.org on 2017/03/01 12:27:26 UTC
cxf git commit: [CXF-6728] Making sure RS232 is not selected as a
default algo when EC keys are loaded from JKS
Repository: cxf
Updated Branches:
refs/heads/master f47802902 -> cf6599e91
[CXF-6728] Making sure RS256 is not selected as a default algo when EC keys are loaded from JKS
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/cf6599e9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/cf6599e9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/cf6599e9
Branch: refs/heads/master
Commit: cf6599e91ecf2caf2424511fba76b804d4c48de2
Parents: f478029
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed Mar 1 12:27:10 2017 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed Mar 1 12:27:10 2017 +0000
----------------------------------------------------------------------
.../cxf/rs/security/jose/jws/JwsUtils.java | 41 +++++++++++++++-----
.../cxf/rs/security/jose/jws/JwsUtilsTest.java | 13 +++++++
2 files changed, 44 insertions(+), 10 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/cf6599e9/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 7aafc46..74f5c6f 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -154,12 +154,15 @@ public final class JwsUtils {
return theVerifier;
}
public static JwsSignatureVerifier getPublicKeySignatureVerifier(X509Certificate cert, SignatureAlgorithm algo) {
- if (algo == null) {
- LOG.warning("No signature algorithm was defined");
- throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
- }
-
if (cert != null) {
+ if (algo == null) {
+ algo = getDefaultPublicKeyAlgorithm(cert.getPublicKey());
+ }
+ if (algo == null) {
+ LOG.warning("No signature algorithm was defined");
+ throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
+ }
+
if (cert.getPublicKey() instanceof RSAPublicKey) {
return new PublicKeyJwsSignatureVerifier(cert, algo);
} else if (cert.getPublicKey() instanceof ECPublicKey) {
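Review bot: Moving the `algo == null` guard inside `if (cert != null)` means a call with a null certificate and a null algorithm no longer throws ALGORITHM_NOT_SET; it now falls through to whatever the method does after this hunk, which is outside the visible lines. If that tail returns null, callers that previously got an exception for a missing algorithm now silently get no verifier, which is the kind of failure that ends up as "signature not checked" rather than a hard error. Unless the null-cert path is known to throw on its own, I would keep a guard for that case, e.g. `if (cert == null && algo == null) { throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET); }` before the key-type dispatch. Deriving the default from the certificate's key type rather than from the JWS header is the right choice; a short comment saying so would stop someone "simplifying" it later. getPublicKeySignatureVerifier continues past the end of the hunk.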
@@ -376,6 +379,10 @@ public final class JwsUtils {
theSigProvider = new NoneJwsSignatureProvider();
} else {
PrivateKey pk = KeyManagementUtils.loadPrivateKey(m, props, KeyOperation.SIGN);
+ if (signatureAlgo == null) {
+ signatureAlgo = getDefaultPrivateKeyAlgorithm(pk);
+ }
+
theSigProvider = getPrivateKeySignatureProvider(pk, signatureAlgo);
if (includeCert) {
headers.setX509Chain(KeyManagementUtils.loadAndEncodeX509CertificateOrChain(m, props));
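Review bot: The new default is chosen silently, so an operator who forgot to configure the signature algorithm gets no indication that the key type picked it for them; in the verifier path a missing algorithm at least produces a warning. I would log the implicit choice, e.g. `LOG.fine("No signature algorithm configured, defaulting to " + signatureAlgo + " based on the private key type");` right after the assignment. Note also that if `loadPrivateKey` can return null (not visible here), `getDefaultPrivateKeyAlgorithm(null)` returns null and the failure presumably surfaces as an algorithm error rather than a missing-key error, which would be misleading to debug. The enclosing method starts and ends outside this hunk.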
@@ -402,7 +409,7 @@ public final class JwsUtils {
return loadSignatureVerifier(PhaseInterceptorChain.getCurrentMessage(),
props, inHeaders, false);
}
- private static JwsSignatureVerifier loadSignatureVerifier(Message m,
+ public static JwsSignatureVerifier loadSignatureVerifier(Message m,
Properties props,
JwsHeaders inHeaders,
boolean ignoreNullVerifier) {
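Review bot: `loadSignatureVerifier(Message, Properties, JwsHeaders, boolean)` becomes public API here, apparently so the new test can call it, but it carries no Javadoc and its boolean `ignoreNullVerifier` parameter is not self-explanatory to an external caller. I would add a Javadoc stating what properties are consulted, that a null `props`/message combination may yield no verifier, and what `ignoreNullVerifier` controls when that happens (return null versus throw), since callers outside the package can now depend on it. If the widening is only for test access, package-private would expose less surface. The method body continues outside the hunk.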
@@ -477,10 +484,6 @@ public final class JwsUtils {
SignatureAlgorithm algo,
SignatureAlgorithm defaultAlgo) {
if (algo == null) {
- if (defaultAlgo == null) {
- defaultAlgo = SignatureAlgorithm.RS256;
- }
-
// Check for deprecated identifier first
String sigAlgo = null;
if (props != null) {
@@ -518,6 +521,24 @@ public final class JwsUtils {
return SignatureAlgorithm.RS256;
}
}
+ private static SignatureAlgorithm getDefaultPrivateKeyAlgorithm(PrivateKey key) {
+ if (key instanceof RSAPrivateKey) {
+ return SignatureAlgorithm.RS256;
+ } else if (key instanceof ECPrivateKey) {
+ return SignatureAlgorithm.ES256;
+ } else {
+ return null;
+ }
+ }
+ private static SignatureAlgorithm getDefaultPublicKeyAlgorithm(PublicKey key) {
+ if (key instanceof RSAPublicKey) {
+ return SignatureAlgorithm.RS256;
+ } else if (key instanceof ECPublicKey) {
+ return SignatureAlgorithm.ES256;
+ } else {
+ return null;
+ }
+ }
public static JwsCompactConsumer verify(JwsSignatureVerifier v, String content) {
JwsCompactConsumer jws = new JwsCompactConsumer(content);
if (!jws.verifySignatureWith(v)) {
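Review bot: Both new helpers return ES256 for any `ECPrivateKey`/`ECPublicKey`, but JWA binds each ES algorithm to a specific curve (ES256 to P-256, ES384 to P-384, ES512 to P-521), so a P-384 or P-521 key loaded from the keystore would be paired with the wrong algorithm and signing or verification would fail (or, worse, interoperate with a peer that accepts the mismatch). The curve is recoverable from `getParams().getCurve().getField().getFieldSize()`, so the default can be selected per curve instead of hard-coded; the sketch below assumes `SignatureAlgorithm` also defines ES384 and ES512 and would need `java.security.spec.ECParameterSpec` imported. The two helpers also duplicate each other and could share one private method keyed on the EC parameters.
```java
private static SignatureAlgorithm getDefaultPrivateKeyAlgorithm(PrivateKey key) {
    if (key instanceof RSAPrivateKey) {
        return SignatureAlgorithm.RS256;
    } else if (key instanceof ECPrivateKey) {
        return getDefaultEcAlgorithm(((ECPrivateKey) key).getParams());
    } else {
        return null;
    }
}
// … getDefaultPublicKeyAlgorithm: same shape, delegating to getDefaultEcAlgorithm for ECPublicKey …
private static SignatureAlgorithm getDefaultEcAlgorithm(ECParameterSpec params) {
    // JWA ties each ES* algorithm to one curve: P-256/ES256, P-384/ES384, P-521/ES512
    switch (params.getCurve().getField().getFieldSize()) {
    case 256: return SignatureAlgorithm.ES256;
    case 384: return SignatureAlgorithm.ES384;
    case 521: return SignatureAlgorithm.ES512;
    default: return null;
    }
}
```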
http://git-wip-us.apache.org/repos/asf/cxf/blob/cf6599e9/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java
index f6a8deb..6f28ef4 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java
@@ -52,6 +52,19 @@ public class JwsUtilsTest extends Assert {
assertEquals("alice", headers.getKeyId());
}
@Test
+ public void testLoadSignatureVerifierFromJKS() throws Exception {
+ Properties p = new Properties();
+ p.put(JoseConstants.RSSEC_KEY_STORE_FILE,
+ "org/apache/cxf/rs/security/jose/jws/alice.jks");
+ p.put(JoseConstants.RSSEC_KEY_STORE_PSWD, "password");
+ p.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "alice");
+ JwsSignatureVerifier jws = JwsUtils.loadSignatureVerifier(createMessage(),
+ p,
+ new JwsHeaders(),
+ false);
+ assertNotNull(jws);
+ }
+ @Test
public void testLoadVerificationKey() throws Exception {
Properties p = new Properties();
p.put(JoseConstants.RSSEC_KEY_STORE_FILE,