Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BE8E81015E for ; Thu, 4 Dec 2014 22:00:23 +0000 (UTC) Received: (qmail 60197 invoked by uid 500); 4 Dec 2014 22:00:23 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 60136 invoked by uid 500); 4 Dec 2014 22:00:23 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 60127 invoked by uid 99); 4 Dec 2014 22:00:23 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 04 Dec 2014 22:00:23 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id 243FAA1CF8B; Thu, 4 Dec 2014 22:00:23 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <3131196554f14de1a4c50102af8b3262@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Support for jose store context properties Date: Thu, 4 Dec 2014 22:00:23 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master d1a52f292 -> 716f3a148 Support for jose store context properties Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/716f3a14 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/716f3a14 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/716f3a14 Branch: refs/heads/master Commit: 716f3a148849b4975a8d8b4c86d563ec2058bb54 Parents: d1a52f2 Author: Sergey Beryozkin Authored: Thu Dec 4 21:59:57 2014 +0000 Committer: Sergey Beryozkin Committed: Thu Dec 4 21:59:57 2014 +0000 ---------------------------------------------------------------------- .../security/jose/jaxrs/KeyManagementUtils.java | 35 +++++++++ .../cxf/rs/security/jose/jwe/JweUtils.java | 81 +++++++++----------- .../cxf/rs/security/jose/jws/JwsUtils.java | 57 ++++++-------- .../jaxrs/security/jwt/JAXRSJweJwsTest.java | 6 +- .../cxf/systest/jaxrs/security/jwt/server.xml | 3 +- .../jaxrs/security/public.jwk.properties | 20 ----- 6 files changed, 95 insertions(+), 107 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/716f3a14/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java index 6e256ed..58869d8 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java 
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java @@ -217,4 +217,39 @@ public final class KeyManagementUtils { } return algo; } + + public static Properties loadStoreProperties(Message m, boolean required, + String storeProp1, String storeProp2) { + if (m == null) { + if (required) { + throw new SecurityException(); + } + return null; + } + Properties props = null; + String propLoc = + (String)MessageUtils.getContextualProperty(m, storeProp1, storeProp2); + if (propLoc != null) { + try { + props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus()); + } catch (Exception ex) { + throw new SecurityException(ex); + } + } else { + String keyFile = (String)m.getContextualProperty(RSSEC_KEY_STORE_FILE); + if (keyFile != null) { + props = new Properties(); + props.setProperty(KeyManagementUtils.RSSEC_KEY_STORE_FILE, keyFile); + String type = (String)m.getContextualProperty(RSSEC_KEY_STORE_TYPE); + if (type == null) { + type = "jwk"; + } + props.setProperty(RSSEC_KEY_STORE_TYPE, type); + } + } + if (props == null && required) { + throw new SecurityException(); + } + return props; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/716f3a14/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java index 956e143..ad05e0f 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java 
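Review bot: Both `throw new SecurityException()` sites in the new `loadStoreProperties` carry no message, so a deployment that has neither `storeProp1`/`storeProp2` nor `RSSEC_KEY_STORE_FILE` configured (or a null Message with `required` set) fails with an exception that names neither the missing property nor the store it was loading; `throw new SecurityException("No store properties found for " + storeProp1 + " or " + storeProp2);` would make the failure diagnosable from a log line. The `catch (Exception ex)` around `ResourceUtils.loadProperties` is broad and also turns programming errors into a SecurityException; if loadProperties declares specific exception types, catching those is preferable. A Javadoc line should also state that the `RSSEC_KEY_STORE_FILE` fallback is purpose-agnostic: the method does not know whether it is serving signature or encryption, in or out, so all four loaders receive the same store from it. Style nit: `KeyManagementUtils.RSSEC_KEY_STORE_FILE` is qualified while the neighbouring `RSSEC_KEY_STORE_TYPE` is not.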
@@ -26,9 +26,7 @@ import java.util.Properties; import javax.crypto.SecretKey; import org.apache.cxf.jaxrs.utils.JAXRSUtils; -import org.apache.cxf.jaxrs.utils.ResourceUtils; import org.apache.cxf.message.Message; -import org.apache.cxf.message.MessageUtils; import org.apache.cxf.rs.security.jose.JoseConstants; import org.apache.cxf.rs.security.jose.JoseHeaders; import org.apache.cxf.rs.security.jose.JoseUtils; 
@@ -216,33 +214,24 @@ public final class JweUtils { getContentDecryptionAlgorithm(key.getAlgorithm())); } public static JweEncryptionProvider loadEncryptionProvider(boolean required) { - Message m = JAXRSUtils.getCurrentMessage(); - if (m != null) { - String propLoc = - (String)MessageUtils.getContextualProperty(m, RSSEC_ENCRYPTION_OUT_PROPS, RSSEC_ENCRYPTION_PROPS); - if (propLoc != null) { - return loadEncryptionProvider(propLoc, m); - } - } - if (required) { - throw new SecurityException(); - } - return null; + return loadEncryptionProvider(JAXRSUtils.getCurrentMessage(), required); } - public static JweEncryptionProvider loadEncryptionProvider(String propLoc, Message m) { - KeyEncryptionAlgorithm keyEncryptionProvider = null; - Properties props = null; - try { - props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus()); - } catch (Exception ex) { - throw new SecurityException(ex); + public static JweEncryptionProvider loadEncryptionProvider(Message m, boolean required) { + + Properties props = KeyManagementUtils.loadStoreProperties(m, required, + RSSEC_ENCRYPTION_OUT_PROPS, RSSEC_ENCRYPTION_PROPS); + if (props == null) { + return null; } - String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null); + + KeyEncryptionAlgorithm keyEncryptionProvider = null; + String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null, null); String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null); ContentEncryptionAlgorithm ctEncryptionProvider = null; if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) { JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT); - keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm()); + keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm(), + getDefaultKeyAlgo(jwk)); if ("direct".equals(keyEncryptionAlgo)) { contentEncryptionAlgo = getContentEncryptionAlgo(m, props, jwk.getAlgorithm()); ctEncryptionProvider = 
getContentEncryptionAlgorithm(jwk, contentEncryptionAlgo); 
@@ -260,33 +249,22 @@ public final class JweUtils { props.getProperty(JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP)); } public static JweDecryptionProvider loadDecryptionProvider(boolean required) { - Message m = JAXRSUtils.getCurrentMessage(); - if (m != null) { - String propLoc = - (String)MessageUtils.getContextualProperty(m, RSSEC_ENCRYPTION_IN_PROPS, RSSEC_ENCRYPTION_PROPS); - if (propLoc != null) { - return loadDecryptionProvider(propLoc, m); - } - } - if (required) { - throw new SecurityException(); - } - return null; + return loadDecryptionProvider(JAXRSUtils.getCurrentMessage(), required); } - public static JweDecryptionProvider loadDecryptionProvider(String propLoc, Message m) { - KeyDecryptionAlgorithm keyDecryptionProvider = null; - Properties props = null; - try { - props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus()); - } catch (Exception ex) { - throw new SecurityException(ex); + public static JweDecryptionProvider loadDecryptionProvider(Message m, boolean required) { + Properties props = KeyManagementUtils.loadStoreProperties(m, required, + RSSEC_ENCRYPTION_IN_PROPS, RSSEC_ENCRYPTION_PROPS); + if (props == null) { + return null; } + KeyDecryptionAlgorithm keyDecryptionProvider = null; String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null); SecretKey ctDecryptionKey = null; - String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null); + String keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, null, null); if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) { JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_DECRYPT); - keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm()); + keyEncryptionAlgo = getKeyEncryptionAlgo(m, props, jwk.getAlgorithm(), + getDefaultKeyAlgo(jwk)); if ("direct".equals(keyEncryptionAlgo)) { contentEncryptionAlgo = getContentEncryptionAlgo(m, props, contentEncryptionAlgo); ctDecryptionKey = 
getContentDecryptionSecretKey(jwk, contentEncryptionAlgo); @@ -422,13 +400,24 @@ public final class JweUtils { return getDirectKeyJweDecryption(ctDecryptionKey, contentDecryptionAlgo); } } - private static String getKeyEncryptionAlgo(Message m, Properties props, String algo) { + private static String getKeyEncryptionAlgo(Message m, Properties props, + String algo, String defaultAlgo) { if (algo == null) { + if (defaultAlgo == null) { + defaultAlgo = JoseConstants.RSA_OAEP_ALGO; + } return KeyManagementUtils.getKeyAlgorithm(m, props, - JSON_WEB_ENCRYPTION_KEY_ALGO_PROP, JoseConstants.RSA_OAEP_ALGO); + JSON_WEB_ENCRYPTION_KEY_ALGO_PROP, defaultAlgo); } return algo; } + private static String getDefaultKeyAlgo(JsonWebKey jwk) { + if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) { + return JoseConstants.A128GCMKW_ALGO; + } else { + return JoseConstants.RSA_OAEP_ALGO; + } + } private static String getContentEncryptionAlgo(Message m, Properties props, String algo) { if (algo == null) { return KeyManagementUtils.getKeyAlgorithm(m, props, http://git-wip-us.apache.org/repos/asf/cxf/blob/716f3a14/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java index 66be06c..aef782a 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java 
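Review bot: `getDefaultKeyAlgo` maps every key type other than `KEY_TYPE_OCTET` to `RSA_OAEP_ALGO`, so a JWK whose type is neither octet nor RSA (an EC key, if `JsonWebKey` can represent one) would be handed an RSA key-wrap algorithm and fail later in a less obvious place; if only octet and RSA keys are expected here, a comment stating that assumption, or an explicit check of the key type, would make the fallback intentional. In `getKeyEncryptionAlgo`, reassigning the parameter `defaultAlgo` works but obscures the flow; `String effectiveDefault = defaultAlgo != null ? defaultAlgo : JoseConstants.RSA_OAEP_ALGO;` passed to `getKeyAlgorithm` reads more clearly. `getContentEncryptionAlgo` at the end of the hunk continues outside it.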
@@ -31,7 +31,6 @@ import org.apache.cxf.jaxrs.impl.MetadataMap; import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.jaxrs.utils.ResourceUtils; import org.apache.cxf.message.Message; -import org.apache.cxf.message.MessageUtils; import org.apache.cxf.rs.security.jose.JoseConstants; import org.apache.cxf.rs.security.jose.JoseHeaders; import org.apache.cxf.rs.security.jose.JoseUtils; 
@@ -133,39 +132,22 @@ public final class JwsUtils { return map; } public static JwsSignatureProvider loadSignatureProvider(boolean required) { - Message m = JAXRSUtils.getCurrentMessage(); - if (m != null) { - String propLoc = - (String)MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_OUT_PROPS, RSSEC_SIGNATURE_PROPS); - if (propLoc != null) { - return loadSignatureProvider(propLoc, m); - } - } - if (required) { - throw new SecurityException(); - } - return null; + return loadSignatureProvider(JAXRSUtils.getCurrentMessage(), required); } - public static JwsSignatureProvider loadSignatureProvider(String propLoc, Message m) { - return loadSignatureProvider(propLoc, m, false); + public static JwsSignatureProvider loadSignatureProvider(Message m, boolean required) { + Properties props = KeyManagementUtils.loadStoreProperties(m, required, + RSSEC_SIGNATURE_OUT_PROPS, RSSEC_SIGNATURE_PROPS); + if (props == null) { + return null; + } + return loadSignatureProvider(m, props, false); } public static JwsSignatureVerifier loadSignatureVerifier(boolean required) { - Message m = JAXRSUtils.getCurrentMessage(); - if (m != null) { - String propLoc = - (String)MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_IN_PROPS, RSSEC_SIGNATURE_PROPS); - if (propLoc != null) { - return loadSignatureVerifier(propLoc, m); - } - } - if (required) { - throw new SecurityException(); - } - return null; + return loadSignatureVerifier(JAXRSUtils.getCurrentMessage(), required); } public static List loadSignatureProviders(String propLoc, Message m) { Properties props = loadProperties(m, propLoc); - JwsSignatureProvider theSigProvider = loadSignatureProvider(propLoc, m, true); + JwsSignatureProvider theSigProvider = loadSignatureProvider(m, props, true); if (theSigProvider != null) { return Collections.singletonList(theSigProvider); } 
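Review bot: The new public `loadSignatureProvider(Message m, boolean required)` and the private `loadSignatureProvider(Message m, Properties props, boolean ignoreNullProvider)` now share a name while their boolean parameters mean nearly opposite things (fail when missing versus tolerate a null provider), which invites a misread at call sites such as `loadSignatureProvider(m, props, true)` in `loadSignatureProviders`; the same pairing exists for `loadSignatureVerifier` in the following hunks. Renaming the private overloads, for example to `createSignatureProvider`/`createSignatureVerifier`, or adding a Javadoc `@param ignoreNullProvider` on the private ones, would remove the ambiguity. The enclosing `loadSignatureProviders` continues past the end of this hunk.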
@@ -184,13 +166,18 @@ public final class JwsUtils { } return theSigProviders; } - public static JwsSignatureVerifier loadSignatureVerifier(String propLoc, Message m) { - return loadSignatureVerifier(propLoc, m, false); + public static JwsSignatureVerifier loadSignatureVerifier(Message m, boolean required) { + Properties props = KeyManagementUtils.loadStoreProperties(m, required, + RSSEC_SIGNATURE_IN_PROPS, RSSEC_SIGNATURE_PROPS); + if (props == null) { + return null; + } + return loadSignatureVerifier(m, props, false); } public static List loadSignatureVerifiers(String propLoc, Message m) { Properties props = loadProperties(m, propLoc); - JwsSignatureVerifier theVerifier = loadSignatureVerifier(propLoc, m, true); + JwsSignatureVerifier theVerifier = loadSignatureVerifier(m, props, true); if (theVerifier != null) { return Collections.singletonList(theVerifier); } @@ -213,8 +200,8 @@ public final class JwsUtils { //TODO: validate JWS specific constraints return JoseUtils.validateCriticalHeaders(headers); } - private static JwsSignatureProvider loadSignatureProvider(String propLoc, Message m, boolean ignoreNullProvider) { - Properties props = loadProperties(m, propLoc); + private static JwsSignatureProvider loadSignatureProvider(Message m, Properties props, + boolean ignoreNullProvider) { JwsSignatureProvider theSigProvider = null; String rsaSignatureAlgo = null; if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) { 
@@ -234,8 +221,8 @@ public final class JwsUtils { } return theSigProvider; } - private static JwsSignatureVerifier loadSignatureVerifier(String propLoc, Message m, boolean ignoreNullVerifier) { - Properties props = loadProperties(m, propLoc); + private static JwsSignatureVerifier loadSignatureVerifier(Message m, Properties props, + boolean ignoreNullVerifier) { JwsSignatureVerifier theVerifier = null; String rsaSignatureAlgo = null; if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) { http://git-wip-us.apache.org/repos/asf/cxf/blob/716f3a14/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java ---------------------------------------------------------------------- diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java index 6520caa..cd113ae 100644 --- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java @@ -60,8 +60,6 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase { "org/apache/cxf/systest/jaxrs/security/bob.rs.properties"; private static final String SERVER_JWEJWS_PROPERTIES = "org/apache/cxf/systest/jaxrs/security/alice.rs.properties"; - private static final String PUBLIC_JWEJWS_PROPERTIES = - "org/apache/cxf/systest/jaxrs/security/public.jwk.properties"; private static final String ENCODED_MAC_KEY = "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75" + "aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"; @BeforeClass 
@@ -206,10 +204,10 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase { providers.add(new JwsClientResponseFilter()); bean.setProviders(providers); - bean.getProperties(true).put("rs.security.encryption.out.properties", PUBLIC_JWEJWS_PROPERTIES); + bean.getProperties(true).put("rs.security.keystore.file", + "org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt"); bean.getProperties(true).put("rs.security.signature.out.properties", CLIENT_JWEJWS_PROPERTIES); bean.getProperties(true).put("rs.security.encryption.in.properties", CLIENT_JWEJWS_PROPERTIES); - bean.getProperties(true).put("rs.security.signature.in.properties", PUBLIC_JWEJWS_PROPERTIES); PrivateKeyPasswordProvider provider = new PrivateKeyPasswordProviderImpl(); bean.getProperties(true).put("rs.security.signature.key.password.provider", provider); bean.getProperties(true).put("rs.security.decryption.key.password.provider", provider); http://git-wip-us.apache.org/repos/asf/cxf/blob/716f3a14/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml ---------------------------------------------------------------------- diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml index 64986d9..e07ba5c 100644 --- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml @@ -110,9 +110,8 @@ under the License. - - + http://git-wip-us.apache.org/repos/asf/cxf/blob/716f3a14/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties ---------------------------------------------------------------------- 
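Review bot: The client setup now depends on `loadStoreProperties` defaulting `rs.security.keystore.type` to `jwk` when only `rs.security.keystore.file` is given; adding `bean.getProperties(true).put("rs.security.keystore.type", "jwk");` next to it would keep the test self-describing and insulated from a future change of that default. The single keystore file also replaces two separately configured property files (encryption.out and signature.in), so a short comment stating that both roles are intentionally served by the same public JWK set would make the coupling visible to the next maintainer.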
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
deleted file mode 100644
index a5f89b7..0000000
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/public.jwk.properties
+++ /dev/null
@@ -1,20 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-rs.security.keystore.type=jwk
-rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt