From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <1c2c96c95f31495d899694d4e6b28f38@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: git commit: [CXF-5311] Adding some basic signer helpers Date: Thu, 22 May 2014 13:16:09 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master 3aa98577a -> e03c1d9c2 [CXF-5311] Adding some basic signer helpers Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e03c1d9c Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e03c1d9c Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e03c1d9c Branch: refs/heads/master Commit: e03c1d9c28b0e7dd523b9b78649f8876994173bd Parents: 3aa9857 Author: Sergey Beryozkin Authored: Thu May 22 14:15:50 2014 +0100 Committer: Sergey Beryozkin Committed: Thu May 22 14:15:50 2014 +0100 ---------------------------------------------------------------------- .../oauth2/jws/HmacJwsSignatureProvider.java | 59 +++++++++++++++++++ .../security/oauth2/jws/JwsCompactConsumer.java | 11 ++-- .../security/oauth2/jws/JwsCompactProducer.java | 2 +- .../oauth2/jws/JwsSignatureProvider.java | 25 -------- .../oauth2/jws/JwsSignatureValidator.java | 2 +- .../oauth2/jws/JwsSignatureVerifier.java | 25 ++++++++ .../jws/PrivateKeyJwsSignatureProvider.java | 61 ++++++++++++++++++++ .../jws/PublicKeyJwsSignatureVerifier.java | 52 +++++++++++++++++ .../cxf/rs/security/oauth2/jwt/JwtHeaders.java | 14 +++++ .../oauth2/jws/JwsCompactReaderWriterTest.java | 48 +++------------ .../oauth2/utils/crypto/CryptoUtils.java | 8 +-- 11 files changed, 233 insertions(+), 74 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/e03c1d9c/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
new file mode 100644
index 0000000..3d50ff5
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jws;
+
+import java.util.Arrays;
+
+import org.apache.cxf.common.util.Base64Exception;
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithms;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.HmacUtils;
+
+public class HmacJwsSignatureProvider implements JwsSignatureVerifier, JwsSignatureValidator {
+ private byte[] key;
+ public HmacJwsSignatureProvider(byte[] key) {
+ this.key = key;
+ }
+ public HmacJwsSignatureProvider(String encodedKey) {
+ try {
+ this.key = Base64UrlUtility.decode(encodedKey);
+ } catch (Base64Exception ex) {
+ throw new SecurityException();
+ }
+ }
+
+ @Override
+ public byte[] sign(JwtHeaders headers, String unsignedText) {
+ return computeMac(headers, unsignedText);
+ }
+
+ @Override
+ public boolean verify(JwtHeaders headers, String unsignedText, byte[] signature) {
+ byte[] expected = computeMac(headers, unsignedText);
+ return Arrays.equals(expected, signature);
+ }
+
+ private byte[] computeMac(JwtHeaders headers, String text) {
+ return 
HmacUtils.computeHmac(key, + Algorithms.toJavaName(headers.getAlgorithm()), + text); + } + +} http://git-wip-us.apache.org/repos/asf/cxf/blob/e03c1d9c/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java index a7ac432..eb80170 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java @@ -91,14 +91,17 @@ public class JwsCompactConsumer { } return token; } - public void validateSignatureWith(JwsSignatureValidator validator) { - validator.validate(getJwtHeaders(), getUnsignedEncodedToken(), getDecodedSignature()); + public boolean verifySignatureWith(JwsSignatureValidator validator) { + if (!validator.verify(getJwtHeaders(), getUnsignedEncodedToken(), getDecodedSignature())) { + throw new SecurityException(); + } + return true; } private static String decodeToString(String encoded) { try { return new String(decode(encoded), "UTF-8"); } catch (UnsupportedEncodingException ex) { - throw new OAuthServiceException(ex); + throw new SecurityException(ex); } } @@ -107,7 +110,7 @@ public class JwsCompactConsumer { try { return Base64UrlUtility.decode(encoded); } catch (Base64Exception ex) { - throw new OAuthServiceException(ex); + throw new SecurityException(ex); } } } http://git-wip-us.apache.org/repos/asf/cxf/blob/e03c1d9c/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java ---------------------------------------------------------------------- 
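Review bot: `verify` compares the freshly computed MAC with the supplied signature using `Arrays.equals`, which stops at the first differing byte, so the comparison time depends on how many leading bytes of an attacker-supplied signature were right; use `return MessageDigest.isEqual(expected, signature);` (java.security.MessageDigest) instead. The `String` constructor also discards the `Base64Exception` it catches — `throw new SecurityException(ex);` keeps the cause, as the other classes in this commit do. Both `sign` and `verify` let the token's own `alg` header choose the MAC algorithm through `Algorithms.toJavaName(headers.getAlgorithm())`; a verifier that is handed an untrusted token should be constructed with the algorithm it expects and reject a header naming any other one, and the same applies to `PublicKeyJwsSignatureVerifier.verify` in a later hunk.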
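Review bot: `verifySignatureWith` declares a boolean result but can only ever return `true`, because a failed `validator.verify` throws `SecurityException` before the `return`; the `assertTrue(jws.verifySignatureWith(...))` calls in the test hunks therefore assert nothing the exception does not already. Either return the validator's result and let the caller decide, `return validator.verify(getJwtHeaders(), getUnsignedEncodedToken(), getDecodedSignature());`, or keep the throwing contract and make the method `void`. If the exception stays, give it a message, `throw new SecurityException("JWS signature verification failed");` — a bare `SecurityException()` is hard to diagnose from a log. The enclosing class continues outside this hunk.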
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java index d3b6931..88ec0f6 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactProducer.java @@ -65,7 +65,7 @@ public class JwsCompactProducer { } return getUnsignedEncodedToken() + "." + (noSignature ? "" : signature); } - public void signWith(JwsSignatureProvider signer) { + public void signWith(JwsSignatureVerifier signer) { setSignatureOctets(signer.sign(token.getHeaders(), getUnsignedEncodedToken())); } http://git-wip-us.apache.org/repos/asf/cxf/blob/e03c1d9c/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java deleted file mode 100644 index 1e3c44f..0000000 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureProvider.java +++ /dev/null 
@@ -1,25 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jws;
-
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
-
-public interface JwsSignatureProvider {
- byte[] sign(JwtHeaders headers, String text);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e03c1d9c/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureValidator.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureValidator.java
index c1ebe71..e6bdc59a 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureValidator.java
@@ -21,5 +21,5 @@ package org.apache.cxf.rs.security.oauth2.jws; import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders; public interface JwsSignatureValidator { - void validate(JwtHeaders headers, String unsignedText, byte[] signature); + boolean verify(JwtHeaders headers, String unsignedText, byte[] signature); } http://git-wip-us.apache.org/repos/asf/cxf/blob/e03c1d9c/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureVerifier.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureVerifier.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureVerifier.java new file mode 100644 index 0000000..ed90e48 --- /dev/null +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsSignatureVerifier.java 
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jws;
+
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
+
+public interface JwsSignatureVerifier {
+ byte[] sign(JwtHeaders headers, String unsignedText);
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e03c1d9c/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PrivateKeyJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PrivateKeyJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PrivateKeyJwsSignatureProvider.java
new file mode 100644
index 0000000..3c6990e
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PrivateKeyJwsSignatureProvider.java
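Review bot: The new `JwsSignatureVerifier` interface declares only `sign`, while the existing `JwsSignatureValidator` (hunk above, `@@ -21,5 +21,5 @@`) is the one that declares `verify`, so each name says the opposite of what the type does; `JwsCompactProducer.signWith(JwsSignatureVerifier signer)` and `PrivateKeyJwsSignatureProvider implements JwsSignatureVerifier` read wrongly as a result. The deleted `JwsSignatureProvider` carried exactly this `sign` method, so keeping that name (or `JwsSigner`) and renaming `JwsSignatureValidator` to `JwsSignatureVerifier` would make the pair self-describing. Whatever the names, both interfaces deserve a javadoc line stating that the algorithm is taken from `headers.getAlgorithm()` and whether a mismatched signature yields `false` or an exception.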
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jws;
+
+import java.security.PrivateKey;
+import java.security.SecureRandom;
+import java.security.spec.AlgorithmParameterSpec;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithms;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+public class PrivateKeyJwsSignatureProvider implements JwsSignatureVerifier {
+ private PrivateKey key;
+ private SecureRandom random;
+ private AlgorithmParameterSpec signatureSpec;
+
+ public PrivateKeyJwsSignatureProvider(PrivateKey key) {
+ this(key, null);
+ }
+ public PrivateKeyJwsSignatureProvider(PrivateKey key, AlgorithmParameterSpec spec) {
+ this(key, null, spec);
+ }
+ public PrivateKeyJwsSignatureProvider(PrivateKey key, SecureRandom random, AlgorithmParameterSpec spec) {
+ this.key = key;
+ this.random = random;
+ this.signatureSpec = spec;
+ }
+
+
+ @Override
+ public byte[] sign(JwtHeaders headers, String unsignedText) {
+ try {
+ return CryptoUtils.signData(unsignedText.getBytes("UTF-8"),
+ key,
+ Algorithms.toJavaName(headers.getAlgorithm()),
+ random,
+ signatureSpec);
+ } catch (Exception ex) {
+ throw new SecurityException(ex);
+ }
+ }
+
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e03c1d9c/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PublicKeyJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PublicKeyJwsSignatureVerifier.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PublicKeyJwsSignatureVerifier.java
new file mode 100644
index 0000000..8e453e9
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/PublicKeyJwsSignatureVerifier.java
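Review bot: `sign` wraps its whole body in `catch (Exception ex)` only because `unsignedText.getBytes("UTF-8")` declares the checked `UnsupportedEncodingException`; `unsignedText.getBytes(StandardCharsets.UTF_8)` (java.nio.charset.StandardCharsets) cannot fail, after which the catch either goes away or narrows to what `CryptoUtils.signData` actually throws — judging from the `CryptoUtils.verifySignature` hunk below that is presumably already `SecurityException`, so the current code may be wrapping a `SecurityException` in another one. `PublicKeyJwsSignatureVerifier.verify` in the next hunk has the same shape and should change with it. `unsignedText` and `headers` are also dereferenced unchecked; `Objects.requireNonNull(unsignedText, "unsignedText")` gives a clearer failure than a wrapped `NullPointerException`.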
@@ -0,0 +1,52 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jws;
+
+import java.security.PublicKey;
+import java.security.spec.AlgorithmParameterSpec;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithms;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+public class PublicKeyJwsSignatureVerifier implements JwsSignatureValidator {
+ private PublicKey key;
+ private AlgorithmParameterSpec signatureSpec;
+ public PublicKeyJwsSignatureVerifier(PublicKey key) {
+ this(key, null);
+ }
+ public PublicKeyJwsSignatureVerifier(PublicKey key, AlgorithmParameterSpec spec) {
+ this.key = key;
+ this.signatureSpec = spec;
+ }
+ @Override
+ public boolean verify(JwtHeaders headers, String unsignedText, byte[] signature) {
+ try {
+ return CryptoUtils.verifySignature(unsignedText.getBytes("UTF-8"),
+ signature,
+ key,
+ Algorithms.toJavaName(headers.getAlgorithm()),
+ signatureSpec);
+ } catch (Exception ex) {
+ throw new SecurityException(ex);
+ }
+ }
+
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/e03c1d9c/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeaders.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeaders.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeaders.java index 96cc6f7..8470bbd 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeaders.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtHeaders.java @@ -30,10 +30,24 @@ public class JwtHeaders extends AbstractJwtObject { public JwtHeaders() { } + public JwtHeaders(String algorithm) { + init(algorithm); + } + + public JwtHeaders(Algorithms algo) { + init(algo.getJwtName()); + } + public JwtHeaders(Map values) { super(values); } + private void init(String algo) { + setType(JwtConstants.TYPE_JWT); + this.setAlgorithm(algo); + } + + public void setType(String type) { setHeader(JwtConstants.HEADER_TYPE, type); } http://git-wip-us.apache.org/repos/asf/cxf/blob/e03c1d9c/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactReaderWriterTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactReaderWriterTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactReaderWriterTest.java index 078895a..1385d64 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactReaderWriterTest.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactReaderWriterTest.java 
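Review bot: The two new constructors do more than their signatures suggest: `init` also sets the `typ` header to `JwtConstants.TYPE_JWT`, which neither the no-arg nor the `Map` constructor does, so `new JwtHeaders(alg)` and `new JwtHeaders()` followed by `setAlgorithm(alg)` produce different headers (one of the RSA test hunks below still uses the second form). A javadoc on each, e.g. `/** Creates headers with typ set to JWT and alg set to the given algorithm. */`, would make that visible. `JwtHeaders(Algorithms algo)` also throws a `NullPointerException` on a null argument; `Objects.requireNonNull(algo, "algo")` states that contract explicitly.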
@@ -33,9 +33,7 @@ import org.apache.cxf.rs.security.oauth2.jwt.JwtToken; import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter; import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenWriter; import org.apache.cxf.rs.security.oauth2.jwt.jwk.JsonWebKey; -import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility; import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; -import org.apache.cxf.rs.security.oauth2.utils.crypto.HmacUtils; import org.junit.Assert; import org.junit.Test; @@ -86,14 +84,9 @@ public class JwsCompactReaderWriterTest extends Assert { @Test public void testWriteJwsSignedByMacSpecExample() throws Exception { - JwtHeaders headers = new JwtHeaders(); - headers.setType(JwtConstants.TYPE_JWT); - headers.setAlgorithm(Algorithms.HmacSHA256.getJwtName()); + JwtHeaders headers = new JwtHeaders(Algorithms.HmacSHA256.getJwtName()); JwsCompactProducer jws = initSpecJwtTokenWriter(headers); - String plain = jws.getUnsignedEncodedToken(); - - byte[] mac = computeMac(plain); - jws.setSignatureOctets(mac); + jws.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY)); assertEquals(ENCODED_TOKEN_SIGNED_BY_MAC, jws.getSignedEncodedToken()); @@ -101,9 +94,7 @@ public class JwsCompactReaderWriterTest extends Assert { @Test public void testWriteReadJwsUnsigned() throws Exception { - JwtHeaders headers = new JwtHeaders(); - headers.setType(JwtConstants.TYPE_JWT); - headers.setAlgorithm(JwtConstants.PLAIN_TEXT_ALGO); + JwtHeaders headers = new JwtHeaders(JwtConstants.PLAIN_TEXT_ALGO); JwtClaims claims = new JwtClaims(); claims.setIssuer("https://jwt-idp.example.com"); 
@@ -126,9 +117,7 @@ public class JwsCompactReaderWriterTest extends Assert { @Test public void testReadJwsSignedByMacSpecExample() throws Exception { JwsCompactConsumer jws = new JwsCompactConsumer(ENCODED_TOKEN_SIGNED_BY_MAC); - String plain = jws.getUnsignedEncodedToken(); - byte[] mac = computeMac(plain); - Arrays.equals(mac, jws.getDecodedSignature()); + assertTrue(jws.verifySignatureWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY))); JwtToken token = jws.getJwtToken(); JwtHeaders headers = token.getHeaders(); assertEquals(JwtConstants.TYPE_JWT, headers.getType()); @@ -155,9 +144,7 @@ public class JwsCompactReaderWriterTest extends Assert { } private void doTestWriteJwsWithJwkSignedByMac(Object jsonWebKey) throws Exception { - JwtHeaders headers = new JwtHeaders(); - headers.setType(JwtConstants.TYPE_JWT); - headers.setAlgorithm(Algorithms.HmacSHA256.getJwtName()); + JwtHeaders headers = new JwtHeaders(Algorithms.HmacSHA256.getJwtName()); headers.setHeader(JwtConstants.HEADER_JSON_WEB_KEY, jsonWebKey); @@ -168,11 +155,7 @@ public class JwsCompactReaderWriterTest extends Assert { JwtToken token = new JwtToken(headers, claims); JwsCompactProducer jws = new JwsCompactProducer(token, getWriter()); - - String plain = jws.getUnsignedEncodedToken(); - - byte[] mac = computeMac(plain); - jws.setSignatureOctets(mac); + jws.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY)); assertEquals(ENCODED_TOKEN_WITH_JSON_KEY_SIGNED_BY_MAC, jws.getSignedEncodedToken()); } 
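Review bot: The rewritten read tests now exercise only the success path: `assertTrue(jws.verifySignatureWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY)))` passes, but nothing in `testReadJwsSignedByMacSpecExample`, `testReadJwsWithJwkSignedByMac` or `testReadJwsSignedByPrivateKey` (the hunks on the next line) checks that a different key or a tampered payload makes `verifySignatureWith` throw `SecurityException`; the removed code merely computed `Arrays.equals(mac, jws.getDecodedSignature())` and discarded the result, so the negative path has never been covered. A second verifier built with another key, wrapped in `try { jws.verifySignatureWith(other); fail(); } catch (SecurityException ex) { }`, would close that gap. With both `Arrays.equals` calls gone, a `java.util.Arrays` import, if the file has one above the first hunk, is now unused.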
@@ -180,9 +163,7 @@ public class JwsCompactReaderWriterTest extends Assert { @Test public void testReadJwsWithJwkSignedByMac() throws Exception { JwsCompactConsumer jws = new JwsCompactConsumer(ENCODED_TOKEN_WITH_JSON_KEY_SIGNED_BY_MAC); - String plain = jws.getUnsignedEncodedToken(); - byte[] mac = computeMac(plain); - Arrays.equals(mac, jws.getDecodedSignature()); + assertTrue(jws.verifySignatureWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY))); JwtToken token = jws.getJwtToken(); JwtHeaders headers = token.getHeaders(); assertEquals(JwtConstants.TYPE_JWT, headers.getType()); @@ -209,13 +190,8 @@ public class JwsCompactReaderWriterTest extends Assert { JwtHeaders headers = new JwtHeaders(); headers.setAlgorithm(Algorithms.SHA256withRSA.getJwtName()); JwsCompactProducer jws = initSpecJwtTokenWriter(headers); - String plain = jws.getUnsignedEncodedToken(); - PrivateKey key = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED, RSA_PRIVATE_EXPONENT_ENCODED); - byte[] sig = CryptoUtils.signData(plain.getBytes("UTF-8"), key, - Algorithms.SHA256withRSA.getJavaName()); - - jws.setSignatureOctets(sig); + jws.signWith(new PrivateKeyJwsSignatureProvider(key)); assertEquals(ENCODED_TOKEN_SIGNED_BY_PRIVATE_KEY, jws.getSignedEncodedToken()); } @@ -223,10 +199,8 @@ public class JwsCompactReaderWriterTest extends Assert { @Test public void testReadJwsSignedByPrivateKey() throws Exception { JwsCompactConsumer jws = new JwsCompactConsumer(ENCODED_TOKEN_SIGNED_BY_PRIVATE_KEY); - String plain = jws.getUnsignedEncodedToken(); RSAPublicKey key = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED, RSA_PUBLIC_EXPONENT_ENCODED); - CryptoUtils.verifySignature(plain.getBytes("UTF-8"), jws.getDecodedSignature(), key, - Algorithms.SHA256withRSA.getJavaName()); + assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key))); JwtToken token = jws.getJwtToken(); JwtHeaders headers = token.getHeaders(); assertEquals(Algorithms.SHA256withRSA.getJwtName(), headers.getAlgorithm()); 
@@ -244,10 +218,6 @@ public class JwsCompactReaderWriterTest extends Assert { return new JwsCompactProducer(token, getWriter()); } - private byte[] computeMac(String plain) throws Exception { - byte[] key = Base64UrlUtility.decode(ENCODED_MAC_KEY); - return HmacUtils.computeHmac(key, Algorithms.HmacSHA256.getJavaName(), plain); - } private JwtTokenWriter getWriter() { JwtTokenReaderWriter jsonWriter = new JwtTokenReaderWriter(); http://git-wip-us.apache.org/repos/asf/cxf/blob/e03c1d9c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtils.java index afc2345..1039d9e 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtils.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtils.java @@ -160,11 +160,11 @@ public final class CryptoUtils { } } - public static void verifySignature(byte[] data, byte[] signature, PublicKey key, String signAlgo) { - verifySignature(data, signature, key, signAlgo, null); + public static boolean verifySignature(byte[] data, byte[] signature, PublicKey key, String signAlgo) { + return verifySignature(data, signature, key, signAlgo, null); } - public static void verifySignature(byte[] data, byte[] signature, PublicKey key, String signAlgo, + public static boolean verifySignature(byte[] data, byte[] signature, PublicKey key, String signAlgo, AlgorithmParameterSpec params) { try { Signature s = Signature.getInstance(signAlgo); 
@@ -173,7 +173,7 @@ public final class CryptoUtils { s.setParameter(params); } s.update(data); - s.verify(signature); + return s.verify(signature); } catch (Exception ex) { throw new SecurityException(ex); }
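Review bot: `verifySignature` now has two distinct failure modes that callers need documented: a mismatched signature yields `false` from `return s.verify(signature);`, while an unknown algorithm, a key of the wrong type or a rejected parameter spec surfaces as the `SecurityException` thrown from the `catch` below. A javadoc on both overloads (the four-argument one is in the previous hunk) with `@return true if the signature matches the data under the given key and algorithm, false otherwise` and `@throws SecurityException if the signature could not be checked at all` would keep `PublicKeyJwsSignatureVerifier` and the JWS consumer from treating the two alike. `catch (Exception ex)` is also wider than needed here; `GeneralSecurityException` covers the checked exceptions of the `Signature` calls. The enclosing method starts in the previous hunk.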