From: sergeyb@apache.org
To: commits@cxf.apache.org
Message-Id:
X-Mailer: ASF-Git Admin Mailer
Subject: cxf git commit: Minor updates to JwsUtils
Date: Thu, 6 Nov 2014 18:22:44 +0000 (UTC)
Repository: cxf
Updated Branches: refs/heads/master a4ed944b9 -> ddcb197fc
Minor updates to JwsUtils
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ddcb197f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ddcb197f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ddcb197f
Branch: refs/heads/master
Commit: ddcb197fc73ae4a18547f53fc57f99415fb45fbc
Parents: a4ed944
Author: Sergey Beryozkin
Authored: Thu Nov 6 18:22:22 2014 +0000
Committer: Sergey Beryozkin
Committed: Thu Nov 6 18:22:22 2014 +0000
----------------------------------------------------------------------
.../security/jose/jws/JwsCompactProducer.java | 1 -
.../cxf/rs/security/jose/jws/JwsUtils.java | 153 ++++++++++++-------
2 files changed, 96 insertions(+), 58 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/ddcb197f/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java
index 1f4c39a..f1413a1 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java
@@ -32,7 +32,6 @@ public class JwsCompactProducer {
 private String plainJwsPayload;
 private String signature;
 private String plainRep;
-
 public JwsCompactProducer(String plainJwsPayload) {
 this(null, null, plainJwsPayload);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/ddcb197f/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 7f880cb..8a5a151 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -42,9 +42,15 @@ public final class JwsUtils {
 private JwsUtils() {

 }
- public static boolean validateCriticalHeaders(JoseHeaders headers) {
- //TODO: validate JWS specific constraints
- return JoseUtils.validateCriticalHeaders(headers);
+ public static String sign(RSAPrivateKey key, String algo, String content) {
+ return sign(getRSAKeySignatureProvider(key, algo), content);
+ }
+ public static String sign(byte[] key, String algo, String content) {
+ return sign(getHmacSignatureProvider(key, algo), content);
+ }
+ public static String verifyAndGetContent(byte[] key, String algo, String content) {
+ JwsCompactConsumer jws = verify(getHmacSignatureVerifier(key, algo), content);
+ return jws.getDecodedJwsPayload();
 }
 public static JwsSignatureProvider getSignatureProvider(JsonWebKey jwk) {
 return getSignatureProvider(jwk, null);
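Review bot: `sign(byte[], String, String)` and `verifyAndGetContent` hand the result of `getHmacSignatureProvider`/`getHmacSignatureVerifier` straight to the private `sign`/`verify` helpers, and those factories (next hunk) return null whenever `algo` is not an HMAC algorithm, so a caller that pairs a byte[] key with a non-HMAC algorithm name ends up at `jws.signWith(null)` or `jws.verifySignatureWith(null)` instead of a clear failure. What `JwsCompactProducer`/`JwsCompactConsumer` do with a null argument is outside this page; failing fast makes the outcome independent of it. The simplest place is the two helpers added in the last hunk (`@@ -191,4 +218,16`): `if (v == null) { throw new SecurityException(); }` as the first line of `verify`, and the same check on `jwsSig` in `sign`. The three new public methods also carry no Javadoc; a one-line summary each, saying that `content` is the plain payload and the return value is the compact JWS (or, for `verifyAndGetContent`, the decoded payload of a verified token), would let callers use them without reading the helpers.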
@@ -53,19 +59,26 @@ public final class JwsUtils {
 String rsaSignatureAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm();
 JwsSignatureProvider theSigProvider = null;
 if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
- theSigProvider = new PrivateKeyJwsSignatureProvider(JwkUtils.toRSAPrivateKey(jwk),
- rsaSignatureAlgo);
- } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())
- && Algorithm.isHmacSign(rsaSignatureAlgo)) {
- theSigProvider =
- new HmacJwsSignatureProvider((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE),
- rsaSignatureAlgo);
+ theSigProvider = getRSAKeySignatureProvider(JwkUtils.toRSAPrivateKey(jwk),
+ rsaSignatureAlgo);
+ } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
+ byte[] key = JoseUtils.decode((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE));
+ theSigProvider = getHmacSignatureProvider(key, rsaSignatureAlgo);
 } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) {
 theSigProvider = new EcDsaJwsSignatureProvider(JwkUtils.toECPrivateKey(jwk),
 rsaSignatureAlgo);
 }
 return theSigProvider;
 }
+ public static JwsSignatureProvider getRSAKeySignatureProvider(RSAPrivateKey key, String algo) {
+ return new PrivateKeyJwsSignatureProvider(key, algo);
+ }
+ public static JwsSignatureProvider getHmacSignatureProvider(byte[] key, String algo) {
+ if (Algorithm.isHmacSign(algo)) {
+ return new HmacJwsSignatureProvider(key, algo);
+ }
+ return null;
+ }
 public static JwsSignatureVerifier getSignatureVerifier(JsonWebKey jwk) {
 return getSignatureVerifier(jwk, null);
 }
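Review bot: `getHmacSignatureProvider` rejects a non-HMAC `algo` by returning null, but `getRSAKeySignatureProvider` builds a `PrivateKeyJwsSignatureProvider` for whatever `algo` string it is given with no corresponding check, so the two new factories are inconsistent and the null contract is undocumented; the same asymmetry is in the verifier pair (`getRSAKeySignatureVerifier` vs `getHmacSignatureVerifier`) in the next hunk, where it matters more because the algorithm selects how a public key is used to accept a token. Unless `PrivateKeyJwsSignatureProvider`/`PublicKeyJwsSignatureVerifier` validate the algorithm against the key type themselves (not visible here), add a matching RSA-algorithm check in both RSA factories and document the null return, e.g. `@return the provider, or null if {@code algo} is not an HMAC algorithm`. Throwing instead of returning null would be safer still, since the new public `sign`/`verifyAndGetContent` methods in the first hunk do not check for null. A smaller point of style: `rsaSignatureAlgo` in `getSignatureProvider` now feeds the HMAC and EC branches too, so `signatureAlgo` would be the honest name; the method's head lies outside the hunk.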
@@ -73,16 +86,24 @@ public final class JwsUtils {
 String rsaSignatureAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm();
 JwsSignatureVerifier theVerifier = null;
 if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
- theVerifier = new PublicKeyJwsSignatureVerifier(JwkUtils.toRSAPublicKey(jwk), rsaSignatureAlgo);
- } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())
- && Algorithm.isHmacSign(rsaSignatureAlgo)) {
- theVerifier =
- new HmacJwsSignatureVerifier((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE), rsaSignatureAlgo);
+ theVerifier = getRSAKeySignatureVerifier(JwkUtils.toRSAPublicKey(jwk), rsaSignatureAlgo);
+ } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
+ byte[] key = JoseUtils.decode((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE));
+ theVerifier = getHmacSignatureVerifier(key, rsaSignatureAlgo);
 } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) {
 theVerifier = new EcDsaJwsSignatureVerifier(JwkUtils.toECPublicKey(jwk), rsaSignatureAlgo);
 }
 return theVerifier;
 }
+ public static JwsSignatureVerifier getRSAKeySignatureVerifier(RSAPublicKey key, String algo) {
+ return new PublicKeyJwsSignatureVerifier(key, algo);
+ }
+ public static JwsSignatureVerifier getHmacSignatureVerifier(byte[] key, String algo) {
+ if (Algorithm.isHmacSign(algo)) {
+ return new HmacJwsSignatureVerifier(key, algo);
+ }
+ return null;
+ }
 public static MultivaluedMap getJwsJsonSignatureMap(
 List signatures) {
 MultivaluedMap map = new MetadataMap();
@@ -94,27 +115,7 @@ public final class JwsUtils {
 public static JwsSignatureProvider loadSignatureProvider(String propLoc, Message m) {
 return loadSignatureProvider(propLoc, m, false);
 }
- private static JwsSignatureProvider loadSignatureProvider(String propLoc, Message m, boolean ignoreNullProvider) {
- Properties props = loadProperties(m, propLoc);
- JwsSignatureProvider theSigProvider = null;
- String rsaSignatureAlgo = null;
- if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_SIGN);
- if (jwk != null) {
- rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
- theSigProvider = JwsUtils.getSignatureProvider(jwk, rsaSignatureAlgo);
- }
- } else {
- rsaSignatureAlgo = getSignatureAlgo(props, null);
- RSAPrivateKey pk = (RSAPrivateKey)KeyManagementUtils.loadPrivateKey(m, props,
- KeyManagementUtils.RSSEC_SIG_KEY_PSWD_PROVIDER);
- theSigProvider = new PrivateKeyJwsSignatureProvider(pk, rsaSignatureAlgo);
- }
- if (theSigProvider == null && !ignoreNullProvider) {
- throw new SecurityException();
- }
- return theSigProvider;
- }
+
 public static List loadSignatureProviders(String propLoc, Message m) {
 Properties props = loadProperties(m, propLoc);
 JwsSignatureProvider theSigProvider = loadSignatureProvider(propLoc, m, true);
@@ -139,27 +140,7 @@ public final class JwsUtils {
 public static JwsSignatureVerifier loadSignatureVerifier(String propLoc, Message m) {
 return loadSignatureVerifier(propLoc, m, false);
 }
- public static JwsSignatureVerifier loadSignatureVerifier(String propLoc, Message m, boolean ignoreNullVerifier) {
- Properties props = loadProperties(m, propLoc);
- JwsSignatureVerifier theVerifier = null;
- String rsaSignatureAlgo = null;
- if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_VERIFY);
- if (jwk != null) {
- rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
- theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo);
- }
-
- } else {
- rsaSignatureAlgo = getSignatureAlgo(props, null);
- theVerifier = new PublicKeyJwsSignatureVerifier(
- (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props), rsaSignatureAlgo);
- }
- if (theVerifier == null && !ignoreNullVerifier) {
- throw new SecurityException();
- }
- return theVerifier;
- }
+
 public static List loadSignatureVerifiers(String propLoc, Message m) {
 Properties props = loadProperties(m, propLoc);
 JwsSignatureVerifier theVerifier = loadSignatureVerifier(propLoc, m, true);
@@ -181,6 +162,52 @@ public final class JwsUtils {
 }
 return theVerifiers;
 }
+ public static boolean validateCriticalHeaders(JoseHeaders headers) {
+ //TODO: validate JWS specific constraints
+ return JoseUtils.validateCriticalHeaders(headers);
+ }
+ private static JwsSignatureProvider loadSignatureProvider(String propLoc, Message m, boolean ignoreNullProvider) {
+ Properties props = loadProperties(m, propLoc);
+ JwsSignatureProvider theSigProvider = null;
+ String rsaSignatureAlgo = null;
+ if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
+ JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_SIGN);
+ if (jwk != null) {
+ rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
+ theSigProvider = JwsUtils.getSignatureProvider(jwk, rsaSignatureAlgo);
+ }
+ } else {
+ rsaSignatureAlgo = getSignatureAlgo(props, null);
+ RSAPrivateKey pk = (RSAPrivateKey)KeyManagementUtils.loadPrivateKey(m, props,
+ KeyManagementUtils.RSSEC_SIG_KEY_PSWD_PROVIDER);
+ theSigProvider = getRSAKeySignatureProvider(pk, rsaSignatureAlgo);
+ }
+ if (theSigProvider == null && !ignoreNullProvider) {
+ throw new SecurityException();
+ }
+ return theSigProvider;
+ }
+ private static JwsSignatureVerifier loadSignatureVerifier(String propLoc, Message m, boolean ignoreNullVerifier) {
+ Properties props = loadProperties(m, propLoc);
+ JwsSignatureVerifier theVerifier = null;
+ String rsaSignatureAlgo = null;
+ if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
+ JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_VERIFY);
+ if (jwk != null) {
+ rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
+ theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo);
+ }
+
+ } else {
+ rsaSignatureAlgo = getSignatureAlgo(props, null);
+ theVerifier = getRSAKeySignatureVerifier(
+ (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props), rsaSignatureAlgo);
+ }
+ if (theVerifier == null && !ignoreNullVerifier) {
+ throw new SecurityException();
+ }
+ return theVerifier;
+ }
 private static Properties loadProperties(Message m, String propLoc) {
 try {
 return ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
@@ -191,4 +218,16 @@ public final class JwsUtils {
 private static String getSignatureAlgo(Properties props, String algo) {
 return algo == null ? props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP) : algo;
 }
+ private static JwsCompactConsumer verify(JwsSignatureVerifier v, String content) {
+ JwsCompactConsumer jws = new JwsCompactConsumer(content);
+ if (!jws.verifySignatureWith(v)) {
+ throw new SecurityException();
+ }
+ return jws;
+ }
+ private static String sign(JwsSignatureProvider jwsSig, String content) {
+ JwsCompactProducer jws = new JwsCompactProducer(content);
+ jws.signWith(jwsSig);
+ return jws.getSignedEncodedJws();
+ }
 }
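Review bot: `loadSignatureVerifier(String, Message, boolean)` was `public` before this commit (see its removed declaration in the `@@ -139,27 +140,7` hunk) and is re-added here as `private static`, which silently breaks any caller of the three-argument overload outside this class; either keep it public or call the API change out in the commit message. Both relocated loaders still raise a bare `throw new SecurityException();`, so a key store that yields no usable key fails with nothing an operator can act on; `throw new SecurityException("No JWS signature provider could be loaded for " + propLoc);` (and the verifier counterpart) names the configuration without exposing key material. The `(RSAPrivateKey)`/`(RSAPublicKey)` casts on the non-JWK branches surface a non-RSA key in the store as `ClassCastException` rather than `SecurityException`; that is pre-existing, but a `// TODO: only RSA keys are supported from a key store` comment next to each cast would make the limitation visible to the next maintainer.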
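Review bot: `verify` parses untrusted `content` into a `JwsCompactConsumer` and accepts it as soon as `verifySignatureWith(v)` returns true, but nothing in this hunk checks that the token's own `alg` header is the algorithm `v` was built for; if `JwsCompactConsumer.verifySignatureWith` does not enforce that itself (not visible on this page), the token rather than the caller's configuration decides which algorithm is checked. Either compare the header's algorithm with the verifier's before returning `jws`, or record the dependency explicitly: `// relies on verifySignatureWith(v) rejecting a token whose alg header differs from v's configured algorithm`. The `SecurityException` thrown on a failed signature carries no message; `throw new SecurityException("JWS signature verification failed");` is safe to include and makes log triage possible. Both helpers would also benefit from a one-line Javadoc stating that `sign` returns the compact serialization and `verify` returns the consumer only after the signature has been validated.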