cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject git commit: Updating JwsSignatureVerifier to return the algorithm it actually supports
Date Wed, 22 Oct 2014 15:45:13 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes e027dc7d5 -> 8aa4b2772


Updating JwsSignatureVerifier to return the algorithm it actually supports


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8aa4b277
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8aa4b277
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8aa4b277

Branch: refs/heads/3.0.x-fixes
Commit: 8aa4b2772024b71cc8770376586e4abe743db38f
Parents: e027dc7
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Wed Oct 22 16:44:00 2014 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Wed Oct 22 16:44:56 2014 +0100

----------------------------------------------------------------------
 .../jose/jws/EcDsaJwsSignatureVerifier.java     |  3 --
 .../jose/jws/HmacJwsSignatureVerifier.java      | 29 ++++++++------------
 .../security/jose/jws/JwsSignatureVerifier.java |  1 +
 .../cxf/rs/security/jose/jws/JwsUtils.java      |  3 +-
 .../jose/jws/PublicKeyJwsSignatureVerifier.java |  9 +++---
 .../security/jose/jws/JwsCompactHeaderTest.java | 17 ++++++++----
 .../jose/jws/JwsCompactReaderWriterTest.java    | 12 +++++---
 .../cxf/systest/jaxrs/security/jwt/server.xml   |  1 +
 .../systest/jaxrs/security/bob.jwk.properties   |  1 +
 .../jaxrs/security/jws.ec.public.properties     |  1 +
 10 files changed, 42 insertions(+), 35 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/8aa4b277/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
index 97a8991..6670367 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
@@ -24,9 +24,6 @@ import java.security.spec.AlgorithmParameterSpec;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 
 public class EcDsaJwsSignatureVerifier extends PublicKeyJwsSignatureVerifier {
-    public EcDsaJwsSignatureVerifier(PublicKey key) {
-        this(key, null);
-    }
     public EcDsaJwsSignatureVerifier(PublicKey key, String supportedAlgo) {
         this(key, null, supportedAlgo);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8aa4b277/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
index e6ac50d..3bdf335 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
@@ -21,10 +21,9 @@ package org.apache.cxf.rs.security.jose.jws;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.Arrays;
 
-import org.apache.cxf.common.util.Base64Exception;
-import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.common.util.crypto.HmacUtils;
 import org.apache.cxf.rs.security.jose.JoseHeaders;
+import org.apache.cxf.rs.security.jose.JoseUtils;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
 
 public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
@@ -32,28 +31,18 @@ public class HmacJwsSignatureVerifier implements JwsSignatureVerifier
{
     private AlgorithmParameterSpec hmacSpec;
     private String supportedAlgo;
     
-    public HmacJwsSignatureVerifier(byte[] key) {
-        this(key, null);
+    public HmacJwsSignatureVerifier(String encodedKey, String supportedAlgo) {
+        this(JoseUtils.decode(encodedKey), supportedAlgo);
     }
-    public HmacJwsSignatureVerifier(byte[] key, AlgorithmParameterSpec spec) {
-        this(key, spec, null);
+    public HmacJwsSignatureVerifier(byte[] key, String supportedAlgo) {
+        this(key, null, supportedAlgo);
     }
     public HmacJwsSignatureVerifier(byte[] key, AlgorithmParameterSpec spec, String supportedAlgo)
{
         this.key = key;
         this.hmacSpec = spec;
         this.supportedAlgo = supportedAlgo;
     }
-    public HmacJwsSignatureVerifier(String encodedKey) {
-        this(encodedKey, null);
-    }
-    public HmacJwsSignatureVerifier(String encodedKey, String supportedAlgo) {
-        try {
-            this.key = Base64UrlUtility.decode(encodedKey);
-        } catch (Base64Exception ex) {
-            throw new SecurityException();
-        }
-        this.supportedAlgo = supportedAlgo;
-    }
+    
     
     @Override
     public boolean verify(JoseHeaders headers, String unsignedText, byte[] signature) {
@@ -71,9 +60,13 @@ public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
     protected String checkAlgorithm(String algo) {
         if (algo == null 
             || !Algorithm.isHmacSign(algo)
-            || supportedAlgo != null && !supportedAlgo.equals(algo)) {
+            || !algo.equals(supportedAlgo)) {
             throw new SecurityException();
         }
         return algo;
     }
+    @Override
+    public String getAlgorithm() {
+        return supportedAlgo;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8aa4b277/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
index 82e4f6b..492c676 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java
@@ -22,4 +22,5 @@ import org.apache.cxf.rs.security.jose.JoseHeaders;
 
 public interface JwsSignatureVerifier {
     boolean verify(JoseHeaders headers, String unsignedText, byte[] signature);
+    String getAlgorithm();
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8aa4b277/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 30e3b8c..c9741a2 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -122,8 +122,9 @@ public final class JwsUtils {
             theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo);
             
         } else {
+            rsaSignatureAlgo = getSignatureAlgo(props, null);
             theVerifier = new PublicKeyJwsSignatureVerifier(
-                              (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props));
+                              (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props), rsaSignatureAlgo);
         }
         return theVerifier;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8aa4b277/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
index 9f910e8..3ff9d66 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
@@ -31,9 +31,6 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier
{
     private AlgorithmParameterSpec signatureSpec;
     private String supportedAlgo;
     
-    public PublicKeyJwsSignatureVerifier(PublicKey key) {
-        this(key, null);
-    }
     public PublicKeyJwsSignatureVerifier(PublicKey key, String supportedAlgorithm) {
         this(key, null, supportedAlgorithm);
     }
@@ -57,7 +54,7 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier
{
     protected String checkAlgorithm(String algo) {
         if (algo == null 
             || !isValidAlgorithmFamily(algo)
-            || supportedAlgo != null && !supportedAlgo.equals(algo)) {
+            || !algo.equals(supportedAlgo)) {
             throw new SecurityException();
         }
         return algo;
@@ -65,5 +62,9 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier
{
     protected boolean isValidAlgorithmFamily(String algo) {
         return Algorithm.isRsaShaSign(algo);
     }
+    @Override
+    public String getAlgorithm() {
+        return supportedAlgo;
+    }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/8aa4b277/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
index 0cc0a07..942a856 100644
--- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
+++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactHeaderTest.java
@@ -18,6 +18,8 @@
  */
 package org.apache.cxf.rs.security.jose.jws;
 
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+
 import org.junit.Assert;
 import org.junit.Test;
 
@@ -114,21 +116,24 @@ public class JwsCompactHeaderTest extends Assert {
     public void verifyJwsWithMissingAlgHeaderField() throws Exception {
         JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(MISSING_ALG_HEADER_FIELD_IN_JWS);
 
-        assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+        assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,

+                                                                                 Algorithm.HmacSHA256.getJwtName())));
     }
 
     @Test
     public void verifyJwsWithTwoAlgHeaderFieldsBogusFieldFirst() throws Exception {
         JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(TWO_ALG_HEADER_FIELDS_IN_JWS_BOGUS_FIRST);
 
-        assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+        assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+                                                                                 Algorithm.HmacSHA256.getJwtName())));
     }
 
     @Test
     public void verifyJwsWithTwoAlgHeaderFieldsBogusFieldLast() throws Exception {
         JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(TWO_ALG_HEADER_FIELDS_IN_JWS_BOGUS_LAST);
 
-        assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+        assertFalse(jwsConsumer.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+                                                                                 Algorithm.HmacSHA256.getJwtName())));
     }
     
     @Test
@@ -137,9 +142,11 @@ public class JwsCompactHeaderTest extends Assert {
         
         JwsCompactConsumer jwsConsumerAltered = new JwsCompactConsumer(ALG_HEADER_VALUE_NONE_IN_JWS);
 
-        assertTrue(jwsConsumerOriginal.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+        assertTrue(jwsConsumerOriginal.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+                                                               Algorithm.HmacSHA256.getJwtName())));
         
-        assertFalse(jwsConsumerAltered.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+        assertFalse(jwsConsumerAltered.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+                                                               Algorithm.HmacSHA256.getJwtName())));
     }
 
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/8aa4b277/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
index e37b854..6b34b94 100644
--- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
+++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsCompactReaderWriterTest.java
@@ -129,7 +129,8 @@ public class JwsCompactReaderWriterTest extends Assert {
     @Test
     public void testReadJwsSignedByMacSpecExample() throws Exception {
         JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(ENCODED_TOKEN_SIGNED_BY_MAC);
-        assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+        assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+                                                                        Algorithm.HmacSHA256.getJwtName())));
         JwtToken token = jws.getJwtToken();
         JoseHeaders headers = token.getHeaders();
         assertEquals(JoseConstants.TYPE_JWT, headers.getType());
@@ -176,7 +177,8 @@ public class JwsCompactReaderWriterTest extends Assert {
     @Test
     public void testReadJwsWithJwkSignedByMac() throws Exception {
         JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(ENCODED_TOKEN_WITH_JSON_KEY_SIGNED_BY_MAC);
-        assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY)));
+        assertTrue(jws.verifySignatureWith(new HmacJwsSignatureVerifier(ENCODED_MAC_KEY,
+                                                                        Algorithm.HmacSHA256.getJwtName())));
         JwtToken token = jws.getJwtToken();
         JoseHeaders headers = token.getHeaders();
         assertEquals(JoseConstants.TYPE_JWT, headers.getType());
@@ -223,7 +225,8 @@ public class JwsCompactReaderWriterTest extends Assert {
                                                            EC_X_POINT_ENCODED, 
                                                            EC_Y_POINT_ENCODED);
         JwsJwtCompactConsumer jwsConsumer = new JwsJwtCompactConsumer(signedJws);
-        assertTrue(jwsConsumer.verifySignatureWith(new EcDsaJwsSignatureVerifier(publicKey)));
+        assertTrue(jwsConsumer.verifySignatureWith(new EcDsaJwsSignatureVerifier(publicKey,
+                                                   Algorithm.SHA256withECDSA.getJwtName())));
         JwtToken token = jwsConsumer.getJwtToken();
         JoseHeaders headersReceived = token.getHeaders();
         assertEquals(Algorithm.SHA256withECDSA.getJwtName(), headersReceived.getAlgorithm());
@@ -234,7 +237,8 @@ public class JwsCompactReaderWriterTest extends Assert {
     public void testReadJwsSignedByPrivateKey() throws Exception {
         JwsJwtCompactConsumer jws = new JwsJwtCompactConsumer(ENCODED_TOKEN_SIGNED_BY_PRIVATE_KEY);
         RSAPublicKey key = CryptoUtils.getRSAPublicKey(RSA_MODULUS_ENCODED, RSA_PUBLIC_EXPONENT_ENCODED);
-        assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key)));
+        assertTrue(jws.verifySignatureWith(new PublicKeyJwsSignatureVerifier(key, 
+                                                                             JoseConstants.RS_SHA_256_ALGO)));
         JwtToken token = jws.getJwtToken();
         JoseHeaders headers = token.getHeaders();
         assertEquals(Algorithm.SHA256withRSA.getJwtName(), headers.getAlgorithm());

http://git-wip-us.apache.org/repos/asf/cxf/blob/8aa4b277/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
index bdefd30..67e926d 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
@@ -72,6 +72,7 @@ under the License.
     
     <bean id="hmacSigVerifier" class="org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureVerifier">
         <constructor-arg value="AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"/>
+        <constructor-arg value="HS256"/>
     </bean>
     <bean id="jwsHmacInFilter" class="org.apache.cxf.rs.security.jose.jaxrs.JwsContainerRequestFilter">
        <property name="signatureVerifier" ref="hmacSigVerifier"/>

http://git-wip-us.apache.org/repos/asf/cxf/blob/8aa4b277/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
index 8d43f81..b57af21 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.properties
@@ -21,3 +21,4 @@ rs.security.keystore.alias=2011-04-29
 rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
 rs.security.jwe.content.encryption.algorithm=A128GCM
 rs.security.jwe.key.encryption.algorithm=RSA-OAEP
+rs.security.jws.content.signature.algorithm=RS256

http://git-wip-us.apache.org/repos/asf/cxf/blob/8aa4b277/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
index 9d67710..5178e85 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties
@@ -17,3 +17,4 @@
 rs.security.keystore.type=jwk
 rs.security.keystore.alias=ECKey
 rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
+rs.security.jws.content.signature.algorithm=ES256
\ No newline at end of file


Mime
View raw message