cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject git commit: Updating OAuth2 Client to hold the whole public cert chain if needed
Date Wed, 09 Jul 2014 20:44:00 GMT
Repository: cxf
Updated Branches:
  refs/heads/master ebf24b72c -> 2c9464299


Updating OAuth2 Client to hold the whole public cert chain if needed


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2c946429
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2c946429
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2c946429

Branch: refs/heads/master
Commit: 2c9464299c2ec61779dd0e885802c2b6072df191
Parents: ebf24b7
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Wed Jul 9 21:43:37 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Wed Jul 9 21:43:37 2014 +0100

----------------------------------------------------------------------
 .../cxf/rs/security/oauth2/common/Client.java   | 12 ++++----
 .../oauth2/common/OAuthAuthorizationData.java   | 11 ++++----
 .../oauth2/services/AbstractTokenService.java   | 29 ++++++++++++--------
 .../services/RedirectionBasedGrantService.java  |  2 +-
 .../utils/crypto/ModelEncryptionSupport.java    |  6 ++--
 .../security/oauth2/OAuthDataProviderImpl.java  |  3 +-
 6 files changed, 36 insertions(+), 27 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
index 88a3c4a..f87370b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
@@ -38,7 +38,7 @@ public class Client implements Serializable {
     private String applicationDescription;
     private String applicationWebUri;
     private String applicationLogoUri;
-    private String applicationCertificate;
+    private List<String> applicationCertificates = new LinkedList<String>();
     private List<String> redirectUris = new LinkedList<String>();
     
     private boolean isConfidential;
@@ -283,16 +283,16 @@ public class Client implements Serializable {
         this.registeredAudiences = registeredAudiences;
     }
 
-    public String getApplicationCertificate() {
-        return applicationCertificate;
+    public List<String> getApplicationCertificates() {
+        return applicationCertificates;
     }
 
     /*
-     * Set the optional Base64 encoded Application Public X509 Certificate
+     * Set the Base64 encoded Application Public X509 Certificate
      * It can be used in combination with the clientSecret property to support 
      * Basic or other password-aware authentication on top of 2-way TLS.
      */
-    public void setApplicationCertificate(String applicationCertificate) {
-        this.applicationCertificate = applicationCertificate;
+    public void setApplicationCertificates(List<String> applicationCertificates) {
+        this.applicationCertificates = applicationCertificates;
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index 0b98d08..5c3201f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth2.common;
 
 import java.io.Serializable;
 import java.util.HashMap;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 
@@ -48,7 +49,7 @@ public class OAuthAuthorizationData implements Serializable {
     private String applicationWebUri;
     private String applicationDescription;
     private String applicationLogoUri;
-    private String applicationCertificate;
+    private List<String> applicationCertificates = new LinkedList<String>();
     private Map<String, String> extraApplicationProperties = new HashMap<String,
String>();
     
     private List<? extends Permission> permissions;
@@ -263,12 +264,12 @@ public class OAuthAuthorizationData implements Serializable {
         this.audience = audience;
     }
 
-    public String getApplicationCertificate() {
-        return applicationCertificate;
+    public List<String> getApplicationCertificates() {
+        return applicationCertificates;
     }
 
-    public void setApplicationCertificate(String applicationCertificate) {
-        this.applicationCertificate = applicationCertificate;
+    public void setApplicationCertificates(List<String> applicationCertificates) {
+        this.applicationCertificates = applicationCertificates;
     }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index 8c79579..c70e6d6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -23,6 +23,7 @@ import java.security.Principal;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.List;
 
 import javax.security.auth.x500.X500Principal;
 import javax.ws.rs.core.MediaType;
@@ -77,9 +78,9 @@ public class AbstractTokenService extends AbstractOAuthService {
                 client = getClientFromBasicAuthScheme();
             }
         }
-        if (client != null && client.getApplicationCertificate() != null) {
+        if (client != null && !client.getApplicationCertificates().isEmpty()) {
             // Validate the client application certificates
-            compareTlsCertificates(getTlsSessionInfo(), client.getApplicationCertificate());
+            compareTlsCertificates(getTlsSessionInfo(), client.getApplicationCertificates());
         }
         if (client == null) {
             reportInvalidClient();
@@ -151,18 +152,24 @@ public class AbstractTokenService extends AbstractOAuthService {
         return null;
     }
     
-    protected void compareTlsCertificates(TLSSessionInfo tlsInfo, String base64EncodedCert)
{
+    protected void compareTlsCertificates(TLSSessionInfo tlsInfo, 
+                                          List<String> base64EncodedCerts) {
         if (tlsInfo != null) {
             Certificate[] clientCerts = tlsInfo.getPeerCertificates();
-            try {
-                X509Certificate cert = (X509Certificate)clientCerts[0];
-                byte[] encodedKey = cert.getEncoded();
-                byte[] clientKey = Base64Utility.decode(base64EncodedCert);
-                if (Arrays.equals(encodedKey, clientKey)) {
+            if (clientCerts.length == base64EncodedCerts.size()) {
+                try {
+                    for (int i = 0; i < clientCerts.length; i++) {
+                        X509Certificate x509Cert = (X509Certificate)clientCerts[i];
+                        byte[] encodedKey = x509Cert.getEncoded();
+                        byte[] clientKey = Base64Utility.decode(base64EncodedCerts.get(i));
+                        if (!Arrays.equals(encodedKey, clientKey)) {
+                            reportInvalidClient();
+                        }
+                    }
                     return;
-                }
-            } catch (Exception ex) {
-                // throw exception later
+                } catch (Exception ex) {
+                    // throw exception later
+                }    
             }
         }
         reportInvalidClient();

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 67f12ea..b42d6c3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -196,7 +196,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         secData.setApplicationDescription(client.getApplicationDescription());
         secData.setApplicationLogoUri(client.getApplicationLogoUri());
         secData.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
-        secData.setApplicationName(client.getApplicationCertificate());
+        secData.setApplicationCertificates(client.getApplicationCertificates());
         Map<String, String> extraProperties = client.getProperties();
         secData.setExtraApplicationProperties(extraProperties);
         String replyTo = getMessageContext().getUriInfo()

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
index ce76c0a..d8b4444 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
@@ -328,7 +328,7 @@ public final class ModelEncryptionSupport {
                               getStringPart(parts[3]), getStringPart(parts[4]));
         c.setApplicationDescription(getStringPart(parts[5]));
         c.setApplicationLogoUri(getStringPart(parts[6]));
-        c.setApplicationLogoUri(getStringPart(parts[7]));
+        c.setApplicationCertificates(parseSimpleList(parts[7]));
         c.setAllowedGrantTypes(parseSimpleList(parts[8]));
         c.setRegisteredScopes(parseSimpleList(parts[9]));
         c.setRedirectUris(parseSimpleList(parts[10]));
@@ -360,8 +360,8 @@ public final class ModelEncryptionSupport {
         // 6: app logo URI
         state.append(tokenizeString(client.getApplicationLogoUri()));
         state.append(SEP);
-        // 7: app certificate
-        state.append(tokenizeString(client.getApplicationCertificate()));
+        // 7: app certificates
+        state.append(client.getApplicationCertificates());
         state.append(SEP);
         // 8: grants
         state.append(client.getAllowedGrantTypes().toString());

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
index 23b681d..bf6d618 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
@@ -20,6 +20,7 @@ package org.apache.cxf.systest.jaxrs.security.oauth2;
 
 import java.io.InputStream;
 import java.security.cert.Certificate;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -57,7 +58,7 @@ public class OAuthDataProviderImpl implements OAuthDataProvider {
                                     null,
                                     null);
         client2.getAllowedGrantTypes().add("custom_grant");
-        client2.setApplicationCertificate(encodedCert);
+        client2.setApplicationCertificates(Collections.singletonList(encodedCert));
         clients.put(client2.getClientId(), client2);
     }
 


Mime
View raw message