From serg...@apache.org
Subject git commit: [CXF-5954] Prototyping the code for JAX-RS filters optionally use JWK sets
Date Thu, 04 Sep 2014 15:52:17 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 183b062de -> a588526b9


[CXF-5954] Prototyping the code for JAX-RS filters optionally use JWK sets


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a588526b
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a588526b
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a588526b

Branch: refs/heads/3.0.x-fixes
Commit: a588526b98144342d114878948119746d2254589
Parents: 183b062
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Thu Sep 4 16:48:51 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Thu Sep 4 16:51:47 2014 +0100

----------------------------------------------------------------------
 .../cxf/rs/security/oauth2/jwk/JsonWebKey.java  | 15 ++++
 .../cxf/rs/security/oauth2/jwk/JsonWebKeys.java | 42 +++++++++-
 .../cxf/rs/security/oauth2/jwk/JwkUtils.java    | 84 ++++++++++++++++++++
 .../jwt/jaxrs/AbstractJweDecryptingFilter.java  | 35 ++++++--
 .../jwt/jaxrs/AbstractJwsReaderProvider.java    | 28 ++++++-
 .../jwt/jaxrs/AbstractJwsWriterProvider.java    | 21 +++--
 .../oauth2/jwt/jaxrs/JweWriterInterceptor.java  | 27 +++++--
 .../rs/security/oauth2/jwk/JsonWebKeyTest.java  |  2 +-
 8 files changed, 228 insertions(+), 26 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/a588526b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKey.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKey.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKey.java
index d251c0b..bfb61eb 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKey.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKey.java
@@ -18,12 +18,15 @@
  */
 package org.apache.cxf.rs.security.oauth2.jwk;
 
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
 import java.util.List;
 import java.util.Map;
 
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.rs.security.oauth2.jwt.AbstractJwtObject;
 import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 
 public class JsonWebKey extends AbstractJwtObject {
@@ -156,4 +159,16 @@ public class JsonWebKey extends AbstractJwtObject {
     public Object getProperty(String name) {
         return super.getValue(name);
     }
+    
+    public RSAPublicKey toRSAPublicKey() {
+        String encodedModulus = (String)super.getValue(RSA_MODULUS);
+        String encodedPublicExponent = (String)super.getValue(RSA_PUBLIC_EXP);
+        return CryptoUtils.getRSAPublicKey(encodedModulus, encodedPublicExponent);
+    }
+    public RSAPrivateKey toRSAPrivateKey() {
+        String encodedPublicExponent = (String)super.getValue(RSA_PUBLIC_EXP);
+        String encodedPrivateExponent = (String)super.getValue(RSA_PRIVATE_EXP);
+        return CryptoUtils.getRSAPrivateKey(encodedPublicExponent, encodedPrivateExponent);
+    }
+    
 }
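Review bot: toRSAPrivateKey builds the private key from the public exponent and the private exponent, but an RSA private key is defined by the modulus and the private exponent; if CryptoUtils.getRSAPrivateKey takes (encodedModulus, encodedPrivateExponent), as its sibling getRSAPublicKey takes the modulus first, the key returned here is constructed from the wrong value and every JWK-backed signing or decryption path in this commit inherits that. The method should read `String encodedModulus = (String)super.getValue(RSA_MODULUS);` and call `return CryptoUtils.getRSAPrivateKey(encodedModulus, encodedPrivateExponent);`. Both helpers also pass whatever getValue returns straight through, so a JWK missing `n`, `e` or `d` reaches CryptoUtils as null rather than failing with a message naming the absent member.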

http://git-wip-us.apache.org/repos/asf/cxf/blob/a588526b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeys.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeys.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeys.java
index 3b699f4..a0dd8db 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeys.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeys.java
@@ -53,7 +53,7 @@ public class JsonWebKeys extends AbstractJwtObject {
         super.setValue(KEYS_PROPERTY, keys);
     }
     
-    public Map<String, JsonWebKey> getKeysMap() {
+    public Map<String, JsonWebKey> getKeyIdMap() {
         List<JsonWebKey> keys = getKeys();
         if (keys == null) {
             return Collections.emptyMap();
@@ -67,4 +67,44 @@ public class JsonWebKeys extends AbstractJwtObject {
         }
         return map;
     }
+    public JsonWebKey getKey(String kid) {
+        return getKeyIdMap().get(kid);
+    }
+    public Map<String, List<JsonWebKey>> getKeyTypeMap() {
+        return getKeyPropertyMap(JsonWebKey.KEY_TYPE);
+    }
+    public Map<String, List<JsonWebKey>> getKeyUseMap() {
+        return getKeyPropertyMap(JsonWebKey.PUBLIC_KEY_USE);
+    }
+    private Map<String, List<JsonWebKey>> getKeyPropertyMap(String propertyName)
{
+        List<JsonWebKey> keys = getKeys();
+        if (keys == null) {
+            return Collections.emptyMap();
+        }
+        Map<String, List<JsonWebKey>> map = new LinkedHashMap<String, List<JsonWebKey>>();
+        for (JsonWebKey key : keys) {
+            String keyType = (String)key.getProperty(propertyName);
+            if (keyType != null) {
+                List<JsonWebKey> list = map.get(keyType);
+                if (list == null) {
+                    list = new LinkedList<JsonWebKey>();
+                    map.put(keyType, list);
+                }
+                list.add(key);
+            }
+        }
+        return map;
+    }
+    public List<JsonWebKey> getKeys(String keyType) {
+        return getKeyTypeMap().get(keyType);
+    }
+    public List<JsonWebKey> getRsaKeys() {
+        return getKeyTypeMap().get(JsonWebKey.KEY_TYPE_RSA);
+    }
+    public List<JsonWebKey> getEllipticKeys() {
+        return getKeyTypeMap().get(JsonWebKey.KEY_TYPE_ELLIPTIC);
+    }
+    public List<JsonWebKey> getSecretKeys() {
+        return getKeyTypeMap().get(JsonWebKey.KEY_TYPE_OCTET);
+    }
 }
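Review bot: getKeys(String), getRsaKeys, getEllipticKeys and getSecretKeys return null when the set holds no key of that type, because getKeyPropertyMap only creates entries for types that are present, whereas the existing getKeyIdMap and the new map methods return an empty map for a missing `keys` list; JwkUtils.loadJsonWebKey already has to null-check the result. Returning an empty list keeps the class consistent: `List<JsonWebKey> list = getKeyTypeMap().get(keyType);` followed by `return list != null ? list : Collections.<JsonWebKey>emptyList();`. The local `keyType` in getKeyPropertyMap holds the value of whichever property was asked for (`kty` or `use`), so a name such as `propertyValue` would read better. The first hunk renames the public getKeysMap to getKeyIdMap on a fixes branch; if compatibility matters there, a deprecated getKeysMap delegating to the new name would avoid breaking callers.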

http://git-wip-us.apache.org/repos/asf/cxf/blob/a588526b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
new file mode 100644
index 0000000..1bb1efa
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
@@ -0,0 +1,84 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwk;
+
+import java.io.InputStream;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.List;
+import java.util.Properties;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.ResourceUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+public final class JwkUtils {
+    public static final String JWK_KEY_STORE_TYPE = "jwk";
+    private JwkUtils() {
+        
+    }
+    public static JsonWebKeys loadPersistJwkSet(Message m, Properties props) {
+        return loadPersistJwkSet(m, props, new DefaultJwkSetReaderWriter());
+    }
+    public static JsonWebKeys loadPersistJwkSet(Message m, Properties props, JwkSetReaderWriter
reader) {
+        JsonWebKeys jwkSet = (JsonWebKeys)m.getExchange().get(props.get(CryptoUtils.RSSEC_KEY_STORE_FILE));
+        if (jwkSet == null) {
+            jwkSet = loadJwkSet(props, m.getExchange().getBus(), reader);
+            m.getExchange().put((String)props.get(CryptoUtils.RSSEC_KEY_STORE_FILE), jwkSet);
+        }
+        return jwkSet;
+    }
+    public static JsonWebKeys loadJwkSet(Properties props, Bus bus) {
+        return loadJwkSet(props, bus, new DefaultJwkSetReaderWriter());
+    }
+    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JwkSetReaderWriter reader)
{
+        String keyStoreLoc = props.getProperty(CryptoUtils.RSSEC_KEY_STORE_FILE);
+        try {
+            InputStream is = ResourceUtils.getResourceStream(keyStoreLoc, bus);
+            return reader.jsonToJwkSet(IOUtils.readStringFromStream(is));
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    public static RSAPublicKey loadPublicKey(Message m, Properties props) {
+        JsonWebKey jwkKey = loadJsonWebKey(m, props);
+        return jwkKey != null ? jwkKey.toRSAPublicKey() : null;
+    }
+    public static RSAPrivateKey loadPrivateKey(Message m, Properties props) {
+        JsonWebKey jwkKey = loadJsonWebKey(m, props);
+        return jwkKey != null ? jwkKey.toRSAPrivateKey() : null;
+    }
+    public static JsonWebKey loadJsonWebKey(Message m, Properties props) {
+        JsonWebKeys jwkSet = loadPersistJwkSet(m, props);
+        JsonWebKey jwkKey = null;
+        String kid = props.getProperty(CryptoUtils.RSSEC_KEY_STORE_ALIAS);
+        if (kid == null) {
+            List<JsonWebKey> keys = jwkSet.getRsaKeys();
+            if (keys != null && keys.size() == 1) {
+                jwkKey = keys.get(0);
+            }
+        } else {
+            jwkKey = jwkSet.getKey(kid);
+        }
+        
+        return jwkKey;
+    }
+}
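Review bot: loadJsonWebKey returns null both when the configured kid is not in the set and when no kid is configured and the set holds zero or several RSA keys, and every caller added in this commit (AbstractJweDecryptingFilter, AbstractJwsReaderProvider, AbstractJwsWriterProvider, JweWriterInterceptor) dereferences the result at once, so a misconfigured key store surfaces as a NullPointerException wrapped in a message-less SecurityException. Failing here with context is cheaper than null checks in four places: `if (jwkKey == null) { throw new SecurityException("No JWK found for kid " + kid); }` before the return, with a similar message for the ambiguous no-kid case. In loadJwkSet the stream from ResourceUtils.getResourceStream is used without a null check and, unless IOUtils.readStringFromStream closes it itself, is never closed; a try/finally around the read would settle both. The "Persist" in loadPersistJwkSet is only an Exchange-scoped cache, which is worth saying in a comment so nobody expects the set to survive the request.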

http://git-wip-us.apache.org/repos/asf/cxf/blob/a588526b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java
index 036fed0..34da71e 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java
@@ -20,15 +20,22 @@ package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
 
 import java.io.IOException;
 import java.io.InputStream;
-import java.security.PrivateKey;
+import java.security.interfaces.RSAPrivateKey;
+import java.util.Properties;
 
+import org.apache.cxf.Bus;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.jaxrs.utils.ResourceUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.oauth2.jwe.JweCryptoProperties;
 import org.apache.cxf.rs.security.oauth2.jwe.JweDecryptionOutput;
 import org.apache.cxf.rs.security.oauth2.jwe.JweDecryptionProvider;
 import org.apache.cxf.rs.security.oauth2.jwe.JweHeaders;
 import org.apache.cxf.rs.security.oauth2.jwe.WrappedKeyJweDecryption;
+import org.apache.cxf.rs.security.oauth2.jwk.JsonWebKey;
+import org.apache.cxf.rs.security.oauth2.jwk.JwkUtils;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 public class AbstractJweDecryptingFilter {
@@ -39,7 +46,7 @@ public class AbstractJweDecryptingFilter {
     private JweCryptoProperties cryptoProperties;
     private String defaultMediaType;
     protected JweDecryptionOutput decrypt(InputStream is) throws IOException {
-        JweDecryptionProvider theDecryptor = getInitializedDecryption();
+        JweDecryptionProvider theDecryptor = getInitializedDecryptionProvider();
         JweDecryptionOutput out = theDecryptor.decrypt(new String(IOUtils.readBytesFromStream(is),
"UTF-8"));
         validateHeaders(out.getHeaders());
         return out;
@@ -51,21 +58,35 @@ public class AbstractJweDecryptingFilter {
     public void setDecryptionProvider(JweDecryptionProvider decryptor) {
         this.decryption = decryptor;
     }
-    protected JweDecryptionProvider getInitializedDecryption() {
+    protected JweDecryptionProvider getInitializedDecryptionProvider() {
         if (decryption != null) {
             return decryption;    
         } 
+        Message m = JAXRSUtils.getCurrentMessage();
+        String propLoc = 
+            (String)MessageUtils.getContextualProperty(m, RSSEC_ENCRYPTION_IN_PROPS, RSSEC_ENCRYPTION_PROPS);
+        if (propLoc == null) {
+            throw new SecurityException();
+        }
+        Bus bus = m.getExchange().getBus();
         try {
-            PrivateKey pk = CryptoUtils.loadPrivateKey(JAXRSUtils.getCurrentMessage(), 
-                                                       RSSEC_ENCRYPTION_IN_PROPS, 
-                                                       RSSEC_ENCRYPTION_PROPS,
-                                                       CryptoUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER);
+            RSAPrivateKey pk = null;
+            Properties props = ResourceUtils.loadProperties(propLoc, bus);
+            if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE)))
{
+                //TODO: Private JWK sets can be JWE encrypted
+                JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props);
+                pk = jwk.toRSAPrivateKey();
+            } else {
+                pk = (RSAPrivateKey)CryptoUtils.loadPrivateKey(m, props, 
+                                                              CryptoUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER);
+            }
             return new WrappedKeyJweDecryption(pk, cryptoProperties);
         } catch (SecurityException ex) {
             throw ex;
         } catch (Exception ex) {
             throw new SecurityException(ex);
         }
+        
     }
 
     public void setCryptoProperties(JweCryptoProperties cryptoProperties) {
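Review bot: The `(RSAPrivateKey)` cast of CryptoUtils.loadPrivateKey's result turns a non-RSA key in the store into a ClassCastException that the generic catch wraps into an opaque SecurityException; AbstractJwsWriterProvider used to have an explicit `instanceof RSAPrivateKey` guard that this commit removes, and the same cast pattern now appears in AbstractJwsReaderProvider and JweWriterInterceptor. Keeping the check explicit, `if (!(key instanceof RSAPrivateKey)) { throw new SecurityException("RSA private key expected"); }` on the loaded PrivateKey, gives a meaningful failure and matches the existing "throw SecurityException on bad config" style; note the java.security.PrivateKey import is removed in the first hunk and would need to come back for that. The `//TODO: Private JWK sets can be JWE encrypted` line is worth expanding into a sentence stating that, until then, the JWK file referenced by the properties holds the private key in the clear.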

http://git-wip-us.apache.org/repos/asf/cxf/blob/a588526b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java
index a70e185..2dd6f1d 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java
@@ -18,9 +18,16 @@
  */
 package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
 
-import java.security.PublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Properties;
 
+import org.apache.cxf.Bus;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.jaxrs.utils.ResourceUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.oauth2.jwk.JsonWebKey;
+import org.apache.cxf.rs.security.oauth2.jwk.JwkUtils;
 import org.apache.cxf.rs.security.oauth2.jws.JwsSignatureProperties;
 import org.apache.cxf.rs.security.oauth2.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.oauth2.jws.PublicKeyJwsSignatureVerifier;
@@ -50,10 +57,23 @@ public class AbstractJwsReaderProvider {
         if (sigVerifier != null) {
             return sigVerifier;    
         } 
+        
+        Message m = JAXRSUtils.getCurrentMessage();
+        String propLoc = 
+            (String)MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_IN_PROPS, RSSEC_SIGNATURE_PROPS);
+        if (propLoc == null) {
+            throw new SecurityException();
+        }
+        Bus bus = m.getExchange().getBus();
         try {
-            PublicKey pk = CryptoUtils.loadPublicKey(JAXRSUtils.getCurrentMessage(), 
-                                                     RSSEC_SIGNATURE_IN_PROPS,
-                                                     RSSEC_SIGNATURE_PROPS);
+            RSAPublicKey pk = null;
+            Properties props = ResourceUtils.loadProperties(propLoc, bus);
+            if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE)))
{
+                JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props);
+                pk = jwk.toRSAPublicKey();
+            } else {
+                pk = (RSAPublicKey)CryptoUtils.loadPublicKey(m, props);
+            }
             return new PublicKeyJwsSignatureVerifier(pk);
         } catch (SecurityException ex) {
             throw ex;
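Review bot: The verification key is now re-read from disk on every request: ResourceUtils.loadProperties runs per call, and JwkUtils.loadPersistJwkSet caches the parsed set only in the Exchange, which, if it is the usual per-request CXF Exchange, is gone by the next request. On an inbound verification path that is repeated I/O and JSON parsing before any signature check, so a longer-lived cache (a field of the provider, as the injected sigVerifier already is, or something keyed on the Bus) would be worth considering; the same applies to the decrypting filter. The enclosing method starts and ends outside this hunk.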

http://git-wip-us.apache.org/repos/asf/cxf/blob/a588526b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java
index 62e83ae..06af4ab 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java
@@ -21,7 +21,6 @@ package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.OutputStream;
-import java.security.PrivateKey;
 import java.security.interfaces.RSAPrivateKey;
 import java.util.Properties;
 
@@ -30,6 +29,8 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.oauth2.jwk.JsonWebKey;
+import org.apache.cxf.rs.security.oauth2.jwk.JwkUtils;
 import org.apache.cxf.rs.security.oauth2.jws.JwsCompactProducer;
 import org.apache.cxf.rs.security.oauth2.jws.JwsSignatureProvider;
 import org.apache.cxf.rs.security.oauth2.jws.PrivateKeyJwsSignatureProvider;
@@ -57,13 +58,23 @@ public class AbstractJwsWriterProvider {
             throw new SecurityException();
         }
         try {
+            RSAPrivateKey pk = null;
             Properties props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
-            PrivateKey pk = CryptoUtils.loadPrivateKey(m, props, CryptoUtils.RSSEC_SIG_KEY_PSWD_PROVIDER);
-            if (!(pk instanceof RSAPrivateKey)) {
-                throw new SecurityException();
+            String rsaSignatureAlgo = null;
+            if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE)))
{
+                //TODO: Private JWK sets can be JWE encrypted
+                JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props);
+                pk = jwk.toRSAPrivateKey();
+                rsaSignatureAlgo = jwk.getAlgorithm();
+            } else {
+                pk = (RSAPrivateKey)CryptoUtils.loadPrivateKey(m, props, 
+                                                              CryptoUtils.RSSEC_SIG_KEY_PSWD_PROVIDER);
+            }
+            if (rsaSignatureAlgo == null) {
+                rsaSignatureAlgo = props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP);
             }
             PrivateKeyJwsSignatureProvider provider = new PrivateKeyJwsSignatureProvider(pk);
-            provider.setDefaultJwtAlgorithm(props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP));
+            provider.setDefaultJwtAlgorithm(rsaSignatureAlgo);
             return provider;
         } catch (SecurityException ex) {
             throw ex;
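Review bot: When the selected JWK carries an `alg` member it silently takes precedence over JSON_WEB_SIGNATURE_ALGO_PROP, with no check that the two agree; the same precedence is introduced for the key-encryption algorithm in JweWriterInterceptor. A key whose declared algorithm differs from the configured one is more likely a misconfiguration than an intent, so comparing them when both are present and throwing a SecurityException on mismatch would catch that early, and a short comment above `if (rsaSignatureAlgo == null)` should state that the JWK's `alg` wins by design. The enclosing method starts and ends outside this hunk.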

http://git-wip-us.apache.org/repos/asf/cxf/blob/a588526b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java
index 8dc5458..52e36be 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java
@@ -21,7 +21,6 @@ package org.apache.cxf.rs.security.oauth2.jwt.jaxrs;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.OutputStream;
-import java.security.PublicKey;
 import java.security.interfaces.RSAPublicKey;
 import java.util.Properties;
 import java.util.zip.DeflaterOutputStream;
@@ -46,14 +45,16 @@ import org.apache.cxf.rs.security.oauth2.jwe.JweHeaders;
 import org.apache.cxf.rs.security.oauth2.jwe.JweOutputStream;
 import org.apache.cxf.rs.security.oauth2.jwe.RSAOaepKeyEncryptionAlgorithm;
 import org.apache.cxf.rs.security.oauth2.jwe.WrappedKeyJweEncryption;
+import org.apache.cxf.rs.security.oauth2.jwk.JsonWebKey;
+import org.apache.cxf.rs.security.oauth2.jwk.JwkUtils;
 import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
 import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 
 @Priority(Priorities.JWE_WRITE_PRIORITY)
 public class JweWriterInterceptor implements WriterInterceptor {
-    private static final String JSON_ENCRYPTION_OUT_PROPS = "rs.security.encryption.out.properties";
-    private static final String JSON_ENCRYPTION_PROPS = "rs.security.encryption.properties";
+    private static final String RSSEC_ENCRYPTION_OUT_PROPS = "rs.security.encryption.out.properties";
+    private static final String RSSEC_ENCRYPTION_PROPS = "rs.security.encryption.properties";
     private static final String JSON_WEB_ENCRYPTION_CEK_ALGO_PROP = "rs.security.jwe.content.encryption.algorithm";
     private static final String JSON_WEB_ENCRYPTION_KEY_ALGO_PROP = "rs.security.jwe.key.encryption.algorithm";
     private static final String JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP = "rs.security.jwe.zip.algorithm";
@@ -112,18 +113,28 @@ public class JweWriterInterceptor implements WriterInterceptor {
         } 
         Message m = JAXRSUtils.getCurrentMessage();
         String propLoc = 
-            (String)MessageUtils.getContextualProperty(m, JSON_ENCRYPTION_OUT_PROPS, JSON_ENCRYPTION_PROPS);
+            (String)MessageUtils.getContextualProperty(m, RSSEC_ENCRYPTION_OUT_PROPS, RSSEC_ENCRYPTION_PROPS);
         if (propLoc == null) {
             throw new SecurityException();
         }
         Bus bus = m.getExchange().getBus();
         try {
+            RSAPublicKey pk = null;
+            String rsaKeyEncryptionAlgo = null;
+            
             Properties props = ResourceUtils.loadProperties(propLoc, bus);
-            PublicKey pk = CryptoUtils.loadPublicKey(m, props);
-            if (!(pk instanceof RSAPublicKey)) {
-                throw new SecurityException();
+            if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE)))
{
+                JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props);
+                pk = jwk.toRSAPublicKey();
+                rsaKeyEncryptionAlgo = jwk.getAlgorithm();
+            } else {
+                pk = (RSAPublicKey)CryptoUtils.loadPublicKey(m, props);
+            }
+            if (rsaKeyEncryptionAlgo == null) {
+                rsaKeyEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_KEY_ALGO_PROP);
             }
-            JweHeaders headers = new JweHeaders(props.getProperty(JSON_WEB_ENCRYPTION_KEY_ALGO_PROP),
+            
+            JweHeaders headers = new JweHeaders(rsaKeyEncryptionAlgo,
                                                 props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP));
             String compression = props.getProperty(JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP);
             if (compression != null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/a588526b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeyTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeyTest.java
b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeyTest.java
index dd06e3c..a740b05 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeyTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeyTest.java
@@ -82,7 +82,7 @@ public class JsonWebKeyTest extends Assert {
     @Test
     public void testPublicSetAsMap() throws Exception {
         JsonWebKeys jwks = readKeySet("jwkPublicSet.txt");
-        Map<String, JsonWebKey> keysMap = jwks.getKeysMap();
+        Map<String, JsonWebKey> keysMap = jwks.getKeyIdMap();
         assertEquals(2, keysMap.size());
         
         JsonWebKey rsaKey = keysMap.get(RSA_KID_VALUE);

