From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <2e789d028ebb4d4d93e3359da7b942ac@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Jose utils updates Date: Mon, 10 Nov 2014 18:20:34 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master d8d0dbe20 -> 316ce8676 Jose utils updates Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/316ce867 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/316ce867 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/316ce867 Branch: refs/heads/master Commit: 316ce867658c3524778786e7075c7a7fc2baa771 Parents: d8d0dbe Author: Sergey Beryozkin Authored: Mon Nov 10 18:20:01 2014 +0000 Committer: Sergey Beryozkin Committed: Mon Nov 10 18:20:01 2014 +0000 ---------------------------------------------------------------------- .../jose/jaxrs/JweContainerRequestFilter.java | 4 ++ .../jose/jaxrs/JweWriterInterceptor.java | 5 +- .../jose/jaxrs/JwsContainerRequestFilter.java | 5 +- .../jaxrs/JwsJsonContainerRequestFilter.java | 5 +- .../jose/jaxrs/JwsJsonWriterInterceptor.java | 5 +- .../jose/jaxrs/JwsWriterInterceptor.java | 4 ++ .../cxf/rs/security/jose/jwe/JweUtils.java | 50 +++++++++----- .../cxf/rs/security/jose/jwk/JwkUtils.java | 62 ++++++++++++++++++ .../cxf/rs/security/jose/jws/JwsUtils.java | 22 +++++-- .../utils/crypto/JwtAccessTokenUtils.java | 68 ++++++++++++++------ 10 files changed, 184 insertions(+), 46 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/316ce867/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
index c58fe7e..a362f76 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
@@ -22,6 +22,7 @@ import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import javax.annotation.Priority;
+import javax.ws.rs.HttpMethod;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
@@ -34,6 +35,9 @@ import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 public class JweContainerRequestFilter extends AbstractJweDecryptingFilter implements ContainerRequestFilter {
 @Override
 public void filter(ContainerRequestContext context) throws IOException {
+ if (HttpMethod.GET.equals(context.getMethod())) {
+ return;
+ }
 JweDecryptionOutput out = decrypt(context.getEntityStream());
 byte[] bytes = out.getContent();
 context.setEntityStream(new ByteArrayInputStream(bytes));
http://git-wip-us.apache.org/repos/asf/cxf/blob/316ce867/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
index 9ae670e..73a749b 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
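Review bot: The new early return at the top of filter() skips decryption because the method is GET, not because the request has no body, so a GET that does carry an entity passes through undecrypted while body-less DELETE, HEAD and OPTIONS requests still reach decrypt() on an empty stream. If the intent is to skip requests without an entity, `if (!context.hasEntity()) { return; }` states that directly and covers every verb. If a verb-based exemption is really intended, a comment such as `// GET requests are not expected to carry a JWE payload and are passed through unchanged` would keep that policy visible to whoever deploys this filter as a gate. The same check is added in the JwsContainerRequestFilter and JwsJsonContainerRequestFilter hunks, where an unsigned GET now bypasses signature verification entirely, which matters more if those filters are what establishes the caller's identity.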
@@ -54,7 +54,10 @@ public class JweWriterInterceptor implements WriterInterceptor {
 private JoseHeadersWriter writer = new JoseHeadersReaderWriter();
 @Override
 public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
-
+ if (ctx.getEntity() == null) {
+ ctx.proceed();
+ return;
+ }
 OutputStream actualOs = ctx.getOutputStream();
 JweEncryptionProvider theEncryptionProvider = getInitializedEncryptionProvider();
http://git-wip-us.apache.org/repos/asf/cxf/blob/316ce867/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
index de736f0..e3b4ba4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
@@ -22,6 +22,7 @@ import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import javax.annotation.Priority;
+import javax.ws.rs.HttpMethod;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
@@ -37,7 +38,9 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 public class JwsContainerRequestFilter extends AbstractJwsReaderProvider implements ContainerRequestFilter {
 @Override
 public void filter(ContainerRequestContext context) throws IOException {
-
+ if (HttpMethod.GET.equals(context.getMethod())) {
+ return;
+ }
 JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
 JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
 if (!p.verifySignatureWith(theSigVerifier)) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/316ce867/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
index 93cf0eb..7512536 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
@@ -23,6 +23,7 @@ import java.io.IOException;
 import java.util.List;
 import javax.annotation.Priority;
+import javax.ws.rs.HttpMethod;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
@@ -39,7 +40,9 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider implements ContainerRequestFilter {
 @Override
 public void filter(ContainerRequestContext context) throws IOException {
-
+ if (HttpMethod.GET.equals(context.getMethod())) {
+ return;
+ }
 List theSigVerifiers = getInitializedSigVerifiers();
 JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
http://git-wip-us.apache.org/repos/asf/cxf/blob/316ce867/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
index 1417cf0..443a738 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
@@ -47,7 +47,10 @@ public class JwsJsonWriterInterceptor extends AbstractJwsJsonWriterProvider impl
 private boolean useJwsOutputStream;
 @Override
 public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
-
+ if (ctx.getEntity() == null) {
+ ctx.proceed();
+ return;
+ }
 List sigProviders = getInitializedSigProviders();
 OutputStream actualOs = ctx.getOutputStream();
 if (useJwsOutputStream) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/316ce867/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
index 5a42b8d..36850c4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
@@ -48,6 +48,10 @@ public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements W
 private JoseHeadersWriter writer = new JoseHeadersReaderWriter();
 @Override
 public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
+ if (ctx.getEntity() == null) {
+ ctx.proceed();
+ return;
+ }
 JoseHeaders headers = new JoseHeaders();
 JwsSignatureProvider sigProvider = getInitializedSigProvider(headers);
 setContentTypeIfNeeded(headers, ctx);
http://git-wip-us.apache.org/repos/asf/cxf/blob/316ce867/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 6dc2466..628e234 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -40,27 +40,44 @@ public final class JweUtils {
 private JweUtils() { }
- public String encrypt(RSAPublicKey key, String keyAlgo, String contentAlgo, byte[] content) {
+ public static String encrypt(RSAPublicKey key, String keyAlgo, String contentAlgo, byte[] content) {
+ return encrypt(key, keyAlgo, contentAlgo, content, null);
+ }
+ public static String encrypt(RSAPublicKey key, String keyAlgo, String contentAlgo, byte[] content, String ct) {
 KeyEncryptionAlgorithm keyEncryptionProvider = getRSAKeyEncryptionAlgorithm(key, keyAlgo);
- return encrypt(keyEncryptionProvider, contentAlgo, content);
+ return encrypt(keyEncryptionProvider, contentAlgo, content, ct);
+ }
+ public static String encrypt(SecretKey key, String keyAlgo, String contentAlgo, byte[] content) {
+ return encrypt(key, keyAlgo, contentAlgo, content, null);
+ }
+ public static String encrypt(SecretKey key, String keyAlgo, String contentAlgo, byte[] content, String ct) {
+ if (keyAlgo != null) {
+ KeyEncryptionAlgorithm keyEncryptionProvider = getSecretKeyEncryptionAlgorithm(key, keyAlgo);
+ return encrypt(keyEncryptionProvider, contentAlgo, content, ct);
+ } else {
+ return encryptDirect(key, contentAlgo, content, ct);
+ }
 }
- public String encrypt(SecretKey key, String keyAlgo, String contentAlgo, byte[] content) {
- KeyEncryptionAlgorithm keyEncryptionProvider = getSecretKeyEncryptionAlgorithm(key, keyAlgo);
- return encrypt(keyEncryptionProvider, contentAlgo, content);
+ public static String encryptDirect(SecretKey key, String contentAlgo, byte[] content) {
+ return encryptDirect(key, contentAlgo, content, null);
 }
- public String encryptDirect(SecretKey key, String contentAlgo, byte[] content) {
+ public static String encryptDirect(SecretKey key, String contentAlgo, byte[] content, String ct) {
 JweEncryptionProvider jwe = getDirectKeyJweEncryption(key, contentAlgo);
- return jwe.encrypt(content, null);
+ return jwe.encrypt(content, ct);
 }
- public byte[] decrypt(RSAPrivateKey key, String keyAlgo, String contentAlgo, String content) {
+ public static byte[] decrypt(RSAPrivateKey key, String keyAlgo, String contentAlgo, String content) {
 KeyDecryptionAlgorithm keyDecryptionProvider = getRSAKeyDecryptionAlgorithm(key, keyAlgo);
 return decrypt(keyDecryptionProvider, contentAlgo, content);
 }
- public byte[] decrypt(SecretKey key, String keyAlgo, String contentAlgo, String content) {
- KeyDecryptionAlgorithm keyDecryptionProvider = getSecretKeyDecryptionAlgorithm(key, keyAlgo);
- return decrypt(keyDecryptionProvider, contentAlgo, content);
+ public static byte[] decrypt(SecretKey key, String keyAlgo, String contentAlgo, String content) {
+ if (keyAlgo != null) {
+ KeyDecryptionAlgorithm keyDecryptionProvider = getSecretKeyDecryptionAlgorithm(key, keyAlgo);
+ return decrypt(keyDecryptionProvider, contentAlgo, content);
+ } else {
+ return decryptDirect(key, contentAlgo, content);
+ }
 }
- public byte[] decryptDirect(SecretKey key, String contentAlgo, String content) {
+ public static byte[] decryptDirect(SecretKey key, String contentAlgo, String content) {
 JweDecryptionProvider jwe = getDirectKeyJweDecryption(key, contentAlgo);
 return jwe.decrypt(content).getContent();
 }
@@ -160,10 +177,10 @@ public final class JweUtils {
 }
 return null;
 }
- public static JweEncryptionProvider getDirectKeyJweEncryption(SecretKey key, String algorithm) {
+ public static DirectKeyJweEncryption getDirectKeyJweEncryption(SecretKey key, String algorithm) {
 return new DirectKeyJweEncryption(getContentEncryptionAlgorithm(key, algorithm));
 }
- public static JweDecryptionProvider getDirectKeyJweDecryption(SecretKey key, String algorithm) {
+ public static DirectKeyJweDecryption getDirectKeyJweDecryption(SecretKey key, String algorithm) {
 return new DirectKeyJweDecryption(key, getContentDecryptionAlgorithm(algorithm));
 }
 public static JweEncryptionProvider loadEncryptionProvider(String propLoc, Message m) {
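Review bot: In the new `encrypt(SecretKey, String keyAlgo, ...)` and `decrypt(SecretKey, String keyAlgo, ...)` overloads a null keyAlgo silently selects direct content encryption, so a caller whose key-algorithm setting is merely unset ends up with the SecretKey used as the content-encryption key instead of as a wrapping key, and the decrypt side accepts either form without complaint. The explicit `encryptDirect`/`decryptDirect` entry points already exist, so the null branch is a second, implicit route to the same mode; if it stays, the Javadoc should spell it out, e.g. `@param keyAlgo key-wrapping algorithm, or null to use the key directly as the content-encryption key (JWE "dir")`. The second hunk's narrowing of the return types to DirectKeyJweEncryption/DirectKeyJweDecryption is source-compatible for existing callers and needs no further change.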
@@ -305,9 +322,10 @@ public final class JweUtils {
 private static String getContentEncryptionAlgo(Properties props, String algo) {
 return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP) : algo;
 }
- private static String encrypt(KeyEncryptionAlgorithm keyEncryptionProvider, String contentAlgo, byte[] content) {
+ private static String encrypt(KeyEncryptionAlgorithm keyEncryptionProvider,
+ String contentAlgo, byte[] content, String ct) {
 JweEncryptionProvider jwe = createJweEncryptionProvider(keyEncryptionProvider, contentAlgo, null);
- return jwe.encrypt(content, null);
+ return jwe.encrypt(content, ct);
 }
 private static byte[] decrypt(KeyDecryptionAlgorithm keyDecryptionProvider, String contentAlgo, String content) {
 JweDecryptionProvider jwe = createJweDecryptionProvider(keyDecryptionProvider, contentAlgo);
http://git-wip-us.apache.org/repos/asf/cxf/blob/316ce867/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
index 3ebbbc6..05ade0d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
@@ -40,6 +40,7 @@ import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.jose.JoseUtils;
 import org.apache.cxf.rs.security.jose.jaxrs.KeyManagementUtils;
 import org.apache.cxf.rs.security.jose.jaxrs.PrivateKeyPasswordProvider;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
@@ -47,10 +48,12 @@ import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweDecryption;
 import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
 import org.apache.cxf.rs.security.jose.jwe.KeyDecryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.KeyEncryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.PbesHmacAesWrapKeyDecryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.PbesHmacAesWrapKeyEncryptionAlgorithm;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 public final class JwkUtils {
 public static final String JWK_KEY_STORE_TYPE = "jwk";
@@ -83,6 +86,18 @@ public final class JwkUtils {
 public static String jwkSetToJson(JsonWebKeys jwkSet) {
 return new DefaultJwkReaderWriter().jwkSetToJson(jwkSet);
 }
+ public static String encodeJwkKey(JsonWebKey jwkKey) {
+ return Base64UrlUtility.encode(jwkKeyToJson(jwkKey));
+ }
+ public static String encodeJwkSet(JsonWebKeys jwkSet) {
+ return Base64UrlUtility.encode(jwkSetToJson(jwkSet));
+ }
+ public static JsonWebKey decodeJwkKey(String jwkJson) {
+ return readJwkKey(JoseUtils.decodeToString(jwkJson));
+ }
+ public static JsonWebKeys decodeJwkSet(String jwksJson) {
+ return readJwkSet(JoseUtils.decodeToString(jwksJson));
+ }
 public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password) {
 return encryptJwkSet(jwkSet, password, new DefaultJwkReaderWriter());
 }
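Review bot: `decodeJwkKey(String jwkJson)` and `decodeJwkSet(String jwksJson)` take base64url text (they go through `JoseUtils.decodeToString`), but the parameter names say JSON, which invites callers to pass the output of `jwkKeyToJson` and get a parse failure; naming them `encodedJwk`/`encodedJwkSet` and giving the four new methods a one-line Javadoc (`Base64url-encodes the JWK JSON; this is an encoding step only, not a protection of the key material`) would make the pairing with encodeJwkKey/encodeJwkSet obvious. The import hunk above pulls JweUtils and JwsUtils into JwkUtils; whether either of those already depends on JwkUtils is not visible here, so a cyclic package dependency is worth a check before this lands.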
@@ -92,6 +107,17 @@ public final class JwkUtils {
 public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe, JwkReaderWriter writer) {
 return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkSetToJson(jwkSet)), "jwk-set+json");
 }
+ public static String encryptJwkSet(JsonWebKeys jwkSet, RSAPublicKey key, String keyAlgo, String contentAlgo) {
+ return JweUtils.encrypt(key, keyAlgo, contentAlgo, StringUtils.toBytesUTF8(jwkSetToJson(jwkSet)),
+ "jwk-set+json");
+ }
+ public static String signJwkSet(JsonWebKeys jwkSet, RSAPrivateKey key, String algo) {
+ return JwsUtils.sign(key, algo, jwkSetToJson(jwkSet), "jwk-set+json");
+ }
+ public static String encryptJwkSet(JsonWebKeys jwkSet, SecretKey key, String keyAlgo, String contentAlgo) {
+ return JweUtils.encrypt(key, keyAlgo, contentAlgo, StringUtils.toBytesUTF8(jwkSetToJson(jwkSet)),
+ "jwk-set+json");
+ }
 public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password) {
 return decryptJwkSet(jsonJwkSet, password, new DefaultJwkReaderWriter());
 }
@@ -101,6 +127,15 @@ public final class JwkUtils {
 public static JsonWebKeys decryptJwkSet(String jsonJwkSet, JweDecryptionProvider jwe, JwkReaderWriter reader) {
 return reader.jsonToJwkSet(jwe.decrypt(jsonJwkSet).getContentText());
 }
+ public static JsonWebKeys decryptJwkSet(RSAPrivateKey key, String keyAlgo, String ctAlgo, String jsonJwkSet) {
+ return readJwkSet(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwkSet)));
+ }
+ public static JsonWebKeys verifyJwkSet(RSAPublicKey key, String keyAlgo, String jsonJwk) {
+ return readJwkSet(JwsUtils.verify(key, keyAlgo, jsonJwk));
+ }
+ public static JsonWebKeys decryptJwkSet(SecretKey key, String keyAlgo, String ctAlgo, String jsonJwkSet) {
+ return readJwkSet(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwkSet)));
+ }
 public static JsonWebKeys decryptJwkSet(InputStream is, char[] password) throws IOException {
 return decryptJwkSet(is, password, new DefaultJwkReaderWriter());
 }
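Review bot: `verifyJwkSet` and the two key-based `decryptJwkSet` overloads never check the content type that `signJwkSet`/`encryptJwkSet` set to "jwk-set+json": `JwsUtils.verify` hands back only the payload and `JweUtils.decrypt` only the bytes, so a JWS or JWE produced under the same key for another purpose (a single `jwk+json` key, or any other payload) is accepted and parsed as a key set. The check has to happen where the consumer object and its headers are still available, i.e. inside JwsUtils/JweUtils or a variant that takes the expected type, because by the time readJwkSet runs the envelope is gone; a comment on these methods noting that the caller is trusted to pass an artefact of the right type would at least document the gap until then. The parameter name `jsonJwk` on verifyJwkSet holds a compact JWS rather than JSON. The encryptJwkKey/signJwkKey/verifyJwkKey hunk in this file has the same gap with "jwk+json".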
@@ -121,12 +156,32 @@ public final class JwkUtils {
 public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe, JwkReaderWriter writer) {
 return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkToJson(jwkKey)), "jwk+json");
 }
+ public static String encryptJwkKey(JsonWebKey jwkKey, RSAPublicKey key, String keyAlgo, String contentAlgo) {
+ return JweUtils.encrypt(key, keyAlgo, contentAlgo, StringUtils.toBytesUTF8(jwkKeyToJson(jwkKey)),
+ "jwk+json");
+ }
+ public static String encryptJwkKey(JsonWebKey jwkKey, SecretKey key, String keyAlgo, String contentAlgo) {
+ return JweUtils.encrypt(key, keyAlgo, contentAlgo, StringUtils.toBytesUTF8(jwkKeyToJson(jwkKey)),
+ "jwk+json");
+ }
+ public static String signJwkKey(JsonWebKey jwkKey, RSAPrivateKey key, String algo) {
+ return JwsUtils.sign(key, algo, jwkKeyToJson(jwkKey), "jwk+json");
+ }
 public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password) {
 return decryptJwkKey(jsonJwkKey, password, new DefaultJwkReaderWriter());
 }
 public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password, JwkReaderWriter reader) {
 return decryptJwkKey(jsonJwkKey, createDefaultDecryption(password), reader);
 }
+ public static JsonWebKey decryptJwkKey(RSAPrivateKey key, String keyAlgo, String ctAlgo, String jsonJwk) {
+ return readJwkKey(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwk)));
+ }
+ public static JsonWebKey verifyJwkKey(RSAPublicKey key, String keyAlgo, String jsonJwk) {
+ return readJwkKey(JwsUtils.verify(key, keyAlgo, jsonJwk));
+ }
+ public static JsonWebKey decryptJwkKey(SecretKey key, String keyAlgo, String ctAlgo, String jsonJwk) {
+ return readJwkKey(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwk)));
+ }
 public static JsonWebKey decryptJwkKey(String jsonJwkKey, JweEncryptionProvider jwe, JwkReaderWriter reader) {
 return reader.jsonToJwk(jwe.decrypt(jsonJwkKey).getContentText());
 }
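Review bot: The new `decryptJwkKey(RSAPrivateKey key, String keyAlgo, String ctAlgo, String jsonJwk)` and `decryptJwkKey(SecretKey key, ...)` put the key first and the token last, whereas the existing `decryptJwkKey(String jsonJwkKey, char[] password)` and the new `encryptJwkKey(JsonWebKey jwkKey, RSAPublicKey key, ...)` put the payload first. With six overloads under one name, and keyAlgo, ctAlgo and the token all being Strings, a consistent payload-first order would stop callers from transposing arguments in a way the compiler cannot catch. The decryptJwkSet/verifyJwkSet overloads in the previous hunk have the same inconsistency.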
@@ -353,4 +408,11 @@ public final class JwkUtils {
 jwk.setProperty(JsonWebKey.RSA_MODULUS, encodedModulus);
 return jwk;
 }
+ private static String toString(byte[] bytes) {
+ try {
+ return new String(bytes, "UTF-8");
+ } catch (Exception ex) {
+ throw new RuntimeException(ex);
+ }
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/316ce867/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index aa59142..9e2edf0 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
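Review bot: `toString(byte[])` catches `Exception` around `new String(bytes, "UTF-8")`, but the only checked exception that constructor declares is UnsupportedEncodingException and UTF-8 is a charset every JVM must provide, so the catch is both broader than needed and effectively dead. `new String(bytes, StandardCharsets.UTF_8)` removes the try/catch altogether if the module's minimum Java level is 7 or later; otherwise catching `UnsupportedEncodingException` narrowly keeps unrelated failures from being rewrapped. A static helper named `toString` alongside Object.toString is also easy to misread, and `fromUtf8Bytes` would say what it does; the class already uses `StringUtils.toBytesUTF8` for the other direction, so a matching helper may already exist there.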
@@ -43,16 +43,22 @@ public final class JwsUtils {
 }
 public static String sign(RSAPrivateKey key, String algo, String content) {
- return sign(getRSAKeySignatureProvider(key, algo), content);
+ return sign(key, algo, content, null);
+ }
+ public static String sign(RSAPrivateKey key, String algo, String content, String ct) {
+ return sign(getRSAKeySignatureProvider(key, algo), content, ct);
 }
 public static String sign(byte[] key, String algo, String content) {
- return sign(getHmacSignatureProvider(key, algo), content);
+ return sign(key, algo, content, null);
+ }
+ public static String sign(byte[] key, String algo, String content, String ct) {
+ return sign(getHmacSignatureProvider(key, algo), content, ct);
 }
- public static String verifyAndGetContent(RSAPublicKey key, String algo, String content) {
+ public static String verify(RSAPublicKey key, String algo, String content) {
 JwsCompactConsumer jws = verify(getRSAKeySignatureVerifier(key, algo), content);
 return jws.getDecodedJwsPayload();
 }
- public static String verifyAndGetContent(byte[] key, String algo, String content) {
+ public static String verify(byte[] key, String algo, String content) {
 JwsCompactConsumer jws = verify(getHmacSignatureVerifier(key, algo), content);
 return jws.getDecodedJwsPayload();
 }
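Review bot: `verifyAndGetContent(RSAPublicKey, ...)` and `verifyAndGetContent(byte[], ...)` are public and are renamed to `verify` in place, so any external caller stops compiling; keeping the old names for a release as one-line `@Deprecated` forwarders, `return verify(key, algo, content);`, would make the rename non-breaking. The new `sign(..., String ct)` overloads are purely additive. The private `verify(JwsSignatureVerifier, String)` that the renamed methods delegate to, and what it does when the signature does not check out, lies outside this hunk.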
@@ -229,8 +235,12 @@ public final class JwsUtils {
 }
 return jws;
 }
- private static String sign(JwsSignatureProvider jwsSig, String content) {
- JwsCompactProducer jws = new JwsCompactProducer(content);
+ private static String sign(JwsSignatureProvider jwsSig, String content, String ct) {
+ JoseHeaders headers = new JoseHeaders();
+ if (ct != null) {
+ headers.setContentType(ct);
+ }
+ JwsCompactProducer jws = new JwsCompactProducer(headers, content);
 jws.signWith(jwsSig);
 return jws.getSignedEncodedJws();
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/316ce867/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/JwtAccessTokenUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/JwtAccessTokenUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/JwtAccessTokenUtils.java
index fd97257..84be13a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/JwtAccessTokenUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/JwtAccessTokenUtils.java
@@ -18,22 +18,25 @@ */
 package org.apache.cxf.rs.security.oauth2.utils.crypto;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+
 import javax.crypto.SecretKey;
 import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.rs.security.jose.JoseConstants;
 import org.apache.cxf.rs.security.jose.JoseHeaders;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.jose.jwe.AesGcmContentDecryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.AesGcmContentEncryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.ContentEncryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.DirectKeyJweDecryption;
-import org.apache.cxf.rs.security.jose.jwe.DirectKeyJweEncryption;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignature;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
@@ -43,23 +46,25 @@ public final class JwtAccessTokenUtils {
 private JwtAccessTokenUtils() { }
-
- public static ServerAccessToken toAccessToken(JwtToken jwt,
+ public static ServerAccessToken encryptToAccessToken(JwtToken jwt,
 Client client,
 SecretKey key) {
- ContentEncryptionAlgorithm contentEncryption =
- new AesGcmContentEncryptionAlgorithm(key, null, Algorithm.A128GCM.getJwtName());
- JweEncryptionProvider jweEncryption = new DirectKeyJweEncryption(contentEncryption);
- return toAccessToken(jwt, client, jweEncryption);
+ JweEncryptionProvider jweEncryption =
+ JweUtils.getDirectKeyJweEncryption(key, Algorithm.A128GCM.getJwtName());
+ return encryptToAccessToken(jwt, client, jweEncryption);
 }
-
- public static ServerAccessToken toAccessToken(JwtToken jwt,
+ public static ServerAccessToken encryptToAccessToken(JwtToken jwt,
 Client client,
 JweEncryptionProvider jweEncryption) {
 String jwtString = new JwsJwtCompactProducer(jwt)
 .signWith(new NoneSignatureProvider());
 String tokenId = jweEncryption.encrypt(getBytes(jwtString), null);
+ return toAccessToken(jwt, client, tokenId);
+ }
+ private static ServerAccessToken toAccessToken(JwtToken jwt,
+ Client client,
+ String tokenId) {
 Long issuedAt = jwt.getClaims().getIssuedAt();
 Long notBefore = jwt.getClaims().getNotBefore();
 if (issuedAt == null) {
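Review bot: Both public `toAccessToken` overloads are renamed to `encryptToAccessToken` with no `@Deprecated` forwarders left behind, and the next hunk does the same for `fromAccessTokenId`, where the new name `decryptFromfromAccessToken` looks like a typo for `decryptFromAccessToken` that will be painful to correct once it is public. The inner JWT is still signed with NoneSignatureProvider, so its integrity rests entirely on the JWE layer; with A128GCM that is an authenticated mode, but a comment on the JweEncryptionProvider overload such as `// the inner JWS uses alg "none" on purpose: the AES-GCM JWE authenticates the whole token` would stop the next reader from flagging it as an unsigned token. The body of the new private `toAccessToken(JwtToken, Client, String tokenId)` continues past this hunk.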
@@ -72,21 +77,44 @@ public final class JwtAccessTokenUtils {
 } else {
 expiresIn = notBefore - issuedAt;
 }
-
+ return new BearerAccessToken(client, tokenId, issuedAt, expiresIn);
- }
- public static JwtToken fromAccessTokenId(String tokenId, SecretKey key) {
- DirectKeyJweDecryption jweDecryption =
- new DirectKeyJweDecryption(key,
- new AesGcmContentDecryptionAlgorithm(Algorithm.A128GCM.getJwtName()));
- return fromAccessTokenId(tokenId, jweDecryption);
+ public static JwtToken decryptFromfromAccessToken(String tokenId, SecretKey key) {
+ DirectKeyJweDecryption jweDecryption = JweUtils.getDirectKeyJweDecryption(key, Algorithm.A128GCM.getJwtName());
+ return decryptFromAccessToken(tokenId, jweDecryption);
 }
- public static JwtToken fromAccessTokenId(String tokenId, JweDecryptionProvider jweDecryption) {
+ public static JwtToken decryptFromAccessToken(String tokenId, JweDecryptionProvider jweDecryption) {
 String decrypted = jweDecryption.decrypt(tokenId).getContentText();
 JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(decrypted);
 return consumer.getJwtToken();
 }
+ public static ServerAccessToken signToAccessToken(JwtToken jwt,
+ Client client,
+ RSAPrivateKey key) {
+ JwsSignatureProvider jws =
+ JwsUtils.getRSAKeySignatureProvider(key, JoseConstants.RS_SHA_256_ALGO);
+ return signToAccessToken(jwt, client, jws);
+
+ }
+ public static ServerAccessToken signToAccessToken(JwtToken jwt,
+ Client client,
+ JwsSignatureProvider jws) {
+ String jwtString = new JwsJwtCompactProducer(jwt).signWith(jws);
+ return toAccessToken(jwt, client, jwtString);
+ }
+ public static JwtToken verifyAccessToken(String tokenId, RSAPublicKey key) {
+ JwsSignatureVerifier jws = JwsUtils.getRSAKeySignatureVerifier(key, JoseConstants.RS_SHA_256_ALGO);
+ return verifyAccessToken(tokenId, jws);
+ }
+ public static JwtToken verifyAccessToken(String tokenId, JwsSignatureVerifier jws) {
+ JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(tokenId);
+ if (consumer.verifySignatureWith(jws)) {
+ return consumer.getJwtToken();
+ } else {
+ throw new SecurityException();
+ }
+ }
 private static class NoneSignatureProvider implements JwsSignatureProvider {
 @Override