From serg...@apache.org
Subject cxf git commit: Reprsenting PublicKeys loaded from Java KeyStore as JWK, renaming DefaultJwkReaderWriter into JwkReaderWriter
Date Wed, 25 Nov 2015 12:59:08 GMT
Repository: cxf
Updated Branches:
  refs/heads/master b4640accd -> 9db5da883


Representing PublicKeys loaded from Java KeyStore as JWK, renaming DefaultJwkReaderWriter into
JwkReaderWriter


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9db5da88
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9db5da88
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9db5da88

Branch: refs/heads/master
Commit: 9db5da883399a610b0c21a6deaf7064a195fc0f5
Parents: b4640ac
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Nov 25 12:58:49 2015 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Nov 25 12:58:49 2015 +0000

----------------------------------------------------------------------
 .../rs/security/jose/common/JoseConstants.java  |   6 +
 .../cxf/rs/security/jose/jwe/JweUtils.java      |  26 +++-
 .../jose/jwk/DefaultJwkReaderWriter.java        |  49 --------
 .../cxf/rs/security/jose/jwk/JsonWebKeys.java   |  13 +-
 .../rs/security/jose/jwk/JwkReaderWriter.java   |  27 +++-
 .../cxf/rs/security/jose/jwk/JwkUtils.java      | 123 ++++++++-----------
 .../cxf/rs/security/jose/jws/JwsUtils.java      |  13 +-
 .../oidc/rp/AbstractTokenValidator.java         |   2 +
 8 files changed, 129 insertions(+), 130 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/9db5da88/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
index d7761b4..7069069 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java
@@ -132,6 +132,12 @@ public final class JoseConstants {
     public static final String RSSEC_SIGNATURE_ALGORITHM = "rs.security.signature.algorithm";
     
     /**
+     * The EC Curve to use with EC keys loaded from Java Key Store. 
+     * JWK EC Keys are expected to use a standard "crv" property instead.
+     */
+    public static final String RSSEC_EC_CURVE = "rs.security.elliptic.curve";
+    
+    /**
      * The OLD signature algorithm identifier. Use RSSEC_SIGNATURE_ALGORITHM instead.
      */
     @Deprecated
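Review bot: The Javadoc on the new RSSEC_EC_CURVE does not say which values are accepted or what happens when the property is absent, and the two readers added in this commit disagree on that: JweUtils.getPublicKeyEncryptionProvider defaults to P-256 while JwkUtils.fromPublicKey passes a null curve through. Once the readers agree, extending the comment with `Expected values are the JWK curve names (for example JsonWebKey.EC_CURVE_P256); P-256 is assumed when the property is not set.` would spare users a guess. The class continues outside the hunk.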

http://git-wip-us.apache.org/repos/asf/cxf/blob/9db5da88/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 8168184..ba902f5 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -50,6 +50,7 @@ import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
+import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
 import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
 import org.apache.cxf.rs.security.jose.jwk.KeyOperation;
 import org.apache.cxf.rs.security.jose.jwk.KeyType;
@@ -149,7 +150,13 @@ public final class JweUtils {
         }
         return keyEncryptionProvider;
     }
-    public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key, KeyAlgorithm
algo) {
+    public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key, 
+                                                                       KeyAlgorithm algo)
{
+        return getPublicKeyEncryptionProvider(key, null, algo);
+    }
+    public static KeyEncryptionProvider getPublicKeyEncryptionProvider(PublicKey key, 
+                                                                       Properties props,
+                                                                       KeyAlgorithm algo)
{
         if (key instanceof RSAPublicKey) {
             return new RSAKeyEncryptionAlgorithm((RSAPublicKey)key, algo);
         } else if (key instanceof ECPublicKey) {
@@ -158,8 +165,10 @@ public final class JweUtils {
             if (m != null) {
                 ctAlgo = getContentAlgo((String)m.get(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM));
             }
+            String curve = props == null ? JsonWebKey.EC_CURVE_P256 
+                : props.getProperty(JoseConstants.RSSEC_EC_CURVE, JsonWebKey.EC_CURVE_P256);
             return new EcdhAesWrapKeyEncryptionAlgorithm((ECPublicKey)key, 
-                                                         JsonWebKey.EC_CURVE_P256, 
+                                                         curve, 
                                                          algo, 
                                                          ctAlgo == null ? ContentAlgorithm.A128GCM
: ctAlgo);
         }
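Review bot: The curve name taken from `rs.security.elliptic.curve` on the new lines is handed to EcdhAesWrapKeyEncryptionAlgorithm without ever being compared with the ECPublicKey it is paired with, so a misconfigured property yields an ECDH-ES setup for a curve the recipient key is not on, and the error (if any) surfaces far from the misconfiguration. The key's actual parameters are reachable through `((ECPublicKey)key).getParams().getCurve().getField().getFieldSize()`; checking that against the bit size the configured name implies and throwing on mismatch would fail fast, given that Java exposes no curve name directly. It would also help to document on the overload that P-256 is assumed when props is null or lacks the property. getPublicKeyEncryptionProvider continues outside the hunk.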
@@ -358,6 +367,7 @@ public final class JweUtils {
         } else {
             keyEncryptionProvider = getPublicKeyEncryptionProvider(
                 KeyManagementUtils.loadPublicKey(m, props), 
+                props,
                 keyAlgo);
             if (includeCert) {
                 headers.setX509Chain(KeyManagementUtils.loadAndEncodeX509CertificateOrChain(m,
props));
@@ -775,5 +785,15 @@ public final class JweUtils {
             throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE);
         }
     }
-    
+    public static JsonWebKeys loadPublicKeyEncryptionKeys(Message m, Properties props) {
+        String storeType = props.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE);
+        if ("jwk".equals(storeType)) {
+            return JwkUtils.loadPublicJwkSet(m, props);
+        } else {
+            //TODO: consider loading all the public keys in the store
+            PublicKey key = KeyManagementUtils.loadPublicKey(m, props);
+            JsonWebKey jwk = JwkUtils.fromPublicKey(key, props, JoseConstants.RSSEC_ENCRYPTION_KEY_ALGORITHM);
+            return new JsonWebKeys(jwk);
+        }
+    }
 }
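Review bot: loadPublicKeyEncryptionKeys duplicates the new JwsUtils.loadPublicVerificationKeys line for line except for the algorithm property passed to JwkUtils.fromPublicKey; a single shared helper taking that property name would keep the two from drifting. In the non-jwk branch the value returned by `KeyManagementUtils.loadPublicKey(m, props)` goes straight into fromPublicKey, so if that call can return null for a missing alias the failure appears as a NullPointerException rather than a configuration error; a null check with a descriptive message is cheap here. A short Javadoc saying that the returned set is meant for publication (public parameters only) would also tell callers what they may do with it.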

http://git-wip-us.apache.org/repos/asf/cxf/blob/9db5da88/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
deleted file mode 100644
index dec8006..0000000
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwk;
-
-import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
-
-
-
-
-
-public class DefaultJwkReaderWriter extends JsonMapObjectReaderWriter
-    implements JwkReaderWriter {
-    @Override
-    public String jwkSetToJson(JsonWebKeys jwks) {
-        return toJson(jwks);
-    }
-    @Override
-    public JsonWebKeys jsonToJwkSet(String jwksJson) {
-        JsonWebKeys jwks = new JsonWebKeys();
-        fromJson(jwks, jwksJson);
-        return jwks;
-    }
-    @Override
-    public String jwkToJson(JsonWebKey jwk) {
-        return toJson(jwk);
-    }
-    @Override
-    public JsonWebKey jsonToJwk(String jwkJson) {
-        JsonWebKey jwk = new JsonWebKey();
-        fromJson(jwk, jwkJson);
-        return jwk;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/9db5da88/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
index 28011b3..ce53af8 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
@@ -29,6 +29,15 @@ import org.apache.cxf.jaxrs.json.basic.JsonMapObject;
 
 public class JsonWebKeys extends JsonMapObject {
     public static final String KEYS_PROPERTY = "keys";
+    public JsonWebKeys() {
+        
+    }
+    public JsonWebKeys(JsonWebKey key) {
+        setInitKey(key);
+    }
+    private void setInitKey(JsonWebKey key) {
+        setKey(key);
+    }
     public List<JsonWebKey> getKeys() {
         List<?> list = (List<?>)super.getProperty(KEYS_PROPERTY);
         if (list != null && !list.isEmpty()) {
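Review bot: The new `JsonWebKeys(JsonWebKey key)` constructor ends up calling the public, overridable `setKey`/`setKeys` while the object is still being constructed; routing it through the private `setInitKey` does not change that, so a subclass overriding either setter would run against a half-built instance. Writing the property directly, `super.setProperty(KEYS_PROPERTY, Collections.singletonList(key));`, avoids the overridable call and makes the private one-liner unnecessary. The `setKey` added in the second hunk carries trailing whitespace after its closing brace and, like the constructors, has no Javadoc; `/** Replaces the set's keys with the single given key. */` would do.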
@@ -48,7 +57,9 @@ public class JsonWebKeys extends JsonMapObject {
             return null;
         }
     }
-
+    public void setKey(JsonWebKey key) {
+        setKeys(Collections.singletonList(key));
+    } 
     public void setKeys(List<JsonWebKey> keys) {
         super.setProperty(KEYS_PROPERTY, keys);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/9db5da88/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
index 679b7aa..bbbaaac 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
@@ -18,10 +18,27 @@
  */
 package org.apache.cxf.rs.security.jose.jwk;
 
+import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
 
-public interface JwkReaderWriter {
-    String jwkToJson(JsonWebKey jwk);
-    JsonWebKey jsonToJwk(String jwkJson);
-    String jwkSetToJson(JsonWebKeys jwkSet);
-    JsonWebKeys jsonToJwkSet(String jwkSetJson);
+
+
+
+
+public class JwkReaderWriter extends JsonMapObjectReaderWriter {
+    public String jwkSetToJson(JsonWebKeys jwks) {
+        return toJson(jwks);
+    }
+    public JsonWebKeys jsonToJwkSet(String jwksJson) {
+        JsonWebKeys jwks = new JsonWebKeys();
+        fromJson(jwks, jwksJson);
+        return jwks;
+    }
+    public String jwkToJson(JsonWebKey jwk) {
+        return toJson(jwk);
+    }
+    public JsonWebKey jsonToJwk(String jwkJson) {
+        JsonWebKey jwk = new JsonWebKey();
+        fromJson(jwk, jwkJson);
+        return jwk;
+    }
 }
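Review bot: JwkReaderWriter is now a public concrete class with no class or method Javadoc, and since jsonToJwk and jsonToJwkSet are the parsing entry points for key material that may come from a remote JWKS endpoint (see the jwkSetClient use in AbstractTokenValidator), a reader should not have to open JsonMapObjectReaderWriter to learn the contract. A class comment such as `/** Converts JWK and JWK Set objects to and from their JSON text; parsing and serialisation are delegated to JsonMapObjectReaderWriter. */` plus `@param`/`@return` on the four methods would help. What `fromJson` does with malformed input is not visible here, so whether a parse failure surfaces as an exception or as an empty JsonWebKey is worth stating in that Javadoc once confirmed.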

http://git-wip-us.apache.org/repos/asf/cxf/blob/9db5da88/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
index 3fca28d..c0bbcba 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
@@ -115,16 +115,16 @@ public final class JwkUtils {
         return readJwkSet(IOUtils.readStringFromStream(is));
     }
     public static JsonWebKey readJwkKey(String jwkJson) {
-        return new DefaultJwkReaderWriter().jsonToJwk(jwkJson);
+        return new JwkReaderWriter().jsonToJwk(jwkJson);
     }
     public static JsonWebKeys readJwkSet(String jwksJson) {
-        return new DefaultJwkReaderWriter().jsonToJwkSet(jwksJson);
+        return new JwkReaderWriter().jsonToJwkSet(jwksJson);
     }
     public static String jwkKeyToJson(JsonWebKey jwkKey) {
-        return new DefaultJwkReaderWriter().jwkToJson(jwkKey);
+        return new JwkReaderWriter().jwkToJson(jwkKey);
     }
     public static String jwkSetToJson(JsonWebKeys jwkSet) {
-        return new DefaultJwkReaderWriter().jwkSetToJson(jwkSet);
+        return new JwkReaderWriter().jwkSetToJson(jwkSet);
     }
     public static String encodeJwkKey(JsonWebKey jwkKey) {
         return Base64UrlUtility.encode(jwkKeyToJson(jwkKey));
@@ -139,13 +139,10 @@ public final class JwkUtils {
         return readJwkSet(JoseUtils.decodeToString(jwksJson));
     }
     public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password) {
-        return encryptJwkSet(jwkSet, password, new DefaultJwkReaderWriter());
+        return encryptJwkSet(jwkSet, createDefaultEncryption(password));
     }
-    public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password, JwkReaderWriter
writer) {
-        return encryptJwkSet(jwkSet, createDefaultEncryption(password), writer);
-    }
-    public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe, JwkReaderWriter
writer) {
-        return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkSetToJson(jwkSet)), 
+    public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe) {
+        return jwe.encrypt(StringUtils.toBytesUTF8(new JwkReaderWriter().jwkSetToJson(jwkSet)),

                            toJweHeaders("jwk-set+json"));
     }
     public static String encryptJwkSet(JsonWebKeys jwkSet, PublicKey key, KeyAlgorithm keyAlgo,

@@ -162,13 +159,10 @@ public final class JwkUtils {
                                 "jwk-set+json");
     }
     public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password) {
-        return decryptJwkSet(jsonJwkSet, password, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password, JwkReaderWriter
reader) {
-        return decryptJwkSet(jsonJwkSet, createDefaultDecryption(password), reader);
+        return decryptJwkSet(jsonJwkSet, createDefaultDecryption(password));
     }
-    public static JsonWebKeys decryptJwkSet(String jsonJwkSet, JweDecryptionProvider jwe,
JwkReaderWriter reader) {
-        return reader.jsonToJwkSet(jwe.decrypt(jsonJwkSet).getContentText());
+    public static JsonWebKeys decryptJwkSet(String jsonJwkSet, JweDecryptionProvider jwe)
{
+        return new JwkReaderWriter().jsonToJwkSet(jwe.decrypt(jsonJwkSet).getContentText());
     }
     public static JsonWebKeys decryptJwkSet(PrivateKey key, KeyAlgorithm keyAlgo, ContentAlgorithm
ctAlgo,
                                             String jsonJwkSet) {
@@ -181,25 +175,20 @@ public final class JwkUtils {
                                             String jsonJwkSet) {
         return readJwkSet(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwkSet)));
     }
-    public static JsonWebKeys decryptJwkSet(InputStream is, char[] password) throws IOException
{
-        return decryptJwkSet(is, password, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKeys decryptJwkSet(InputStream is, char[] password, JwkReaderWriter
reader) 
+    public static JsonWebKeys decryptJwkSet(InputStream is, char[] password) 
         throws IOException {
-        return decryptJwkSet(is, createDefaultDecryption(password), reader);
+        return decryptJwkSet(is, createDefaultDecryption(password));
     }
-    public static JsonWebKeys decryptJwkSet(InputStream is, JweDecryptionProvider jwe, JwkReaderWriter
reader)
+    public static JsonWebKeys decryptJwkSet(InputStream is, JweDecryptionProvider jwe)
         throws IOException {
-        return reader.jsonToJwkSet(jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText());
+        return new JwkReaderWriter().jsonToJwkSet(
+            jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText());
     }
-    public static String encryptJwkKey(JsonWebKey jwk, char[] password) {
-        return encryptJwkKey(jwk, password, new DefaultJwkReaderWriter());
+    public static String encryptJwkKey(JsonWebKey jwkKey, char[] password) {
+        return encryptJwkKey(jwkKey, createDefaultEncryption(password));
     }
-    public static String encryptJwkKey(JsonWebKey jwkKey, char[] password, JwkReaderWriter
writer) {
-        return encryptJwkKey(jwkKey, createDefaultEncryption(password), writer);
-    }
-    public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe, JwkReaderWriter
writer) {
-        return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkToJson(jwkKey)), 
+    public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe) {
+        return jwe.encrypt(StringUtils.toBytesUTF8(new JwkReaderWriter().jwkToJson(jwkKey)),

                            toJweHeaders("jwk+json"));
     }
     public static String encryptJwkKey(JsonWebKey jwkKey, PublicKey key, KeyAlgorithm keyAlgo,

@@ -216,10 +205,7 @@ public final class JwkUtils {
         return JwsUtils.sign(key, algo, jwkKeyToJson(jwkKey), "jwk+json");
     }
     public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password) {
-        return decryptJwkKey(jsonJwkKey, password, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password, JwkReaderWriter
reader) {
-        return decryptJwkKey(jsonJwkKey, createDefaultDecryption(password), reader);
+        return decryptJwkKey(jsonJwkKey, createDefaultDecryption(password));
     }
     public static JsonWebKey decryptJwkKey(PrivateKey key, KeyAlgorithm keyAlgo, ContentAlgorithm
ctAlgo, 
                                            String jsonJwk) {
@@ -232,29 +218,26 @@ public final class JwkUtils {
                                            String jsonJwk) {
         return readJwkKey(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwk)));
     }
-    public static JsonWebKey decryptJwkKey(String jsonJwkKey, JweDecryptionProvider jwe,
JwkReaderWriter reader) {
-        return reader.jsonToJwk(jwe.decrypt(jsonJwkKey).getContentText());
+    public static JsonWebKey decryptJwkKey(String jsonJwkKey, JweDecryptionProvider jwe)
{
+        return new JwkReaderWriter().jsonToJwk(jwe.decrypt(jsonJwkKey).getContentText());
     }
-    public static JsonWebKey decryptJwkKey(InputStream is, char[] password) throws IOException
{
-        return decryptJwkKey(is, password, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKey decryptJwkKey(InputStream is, char[] password, JwkReaderWriter
reader) 
+    public static JsonWebKey decryptJwkKey(InputStream is, char[] password) 
         throws IOException {
-        return decryptJwkKey(is, createDefaultDecryption(password), reader);
+        return decryptJwkKey(is, createDefaultDecryption(password));
     }
-    public static JsonWebKey decryptJwkKey(InputStream is, JweDecryptionProvider jwe, JwkReaderWriter
reader) 
+    public static JsonWebKey decryptJwkKey(InputStream is, JweDecryptionProvider jwe) 
         throws IOException {
-        return reader.jsonToJwk(jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText());
+        return new JwkReaderWriter().jsonToJwk(
+            jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText());
     }
-    public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider
cb) {
-        return loadJwkSet(m, props, cb, new DefaultJwkReaderWriter());
+    public static JsonWebKeys loadPublicJwkSet(Message m, Properties props) {
+        return loadJwkSet(m, props, null);
     }
-    public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider
cb, 
-                                         JwkReaderWriter reader) {
+    public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider
cb) {
         String key = (String)props.get(JoseConstants.RSSEC_KEY_STORE_FILE);
         JsonWebKeys jwkSet = key != null ? (JsonWebKeys)m.getExchange().get(key) : null;
         if (jwkSet == null) {
-            jwkSet = loadJwkSet(props, m.getExchange().getBus(), cb, reader);
+            jwkSet = loadJwkSet(props, m.getExchange().getBus(), cb);
             if (key != null) {
                 m.getExchange().put(key, jwkSet);
             }
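Review bot: `loadPublicJwkSet` is only `loadJwkSet(m, props, null)`, so nothing in it restricts the result to public keys: if the configured JWK store contains private or symmetric keys they come back unchanged, and the new JweUtils.loadPublicKeyEncryptionKeys / JwsUtils.loadPublicVerificationKeys callers look intended for publishing key sets. Consider filtering to public key types and stripping private parameters before returning, or at least documenting that the caller is responsible for that. Passing `null` as the password provider also means an encrypted store, which the later loadJwkSet overloads only decrypt when a provider is supplied, is fed to jsonToJwkSet as ciphertext; a clearer error for that case would help. loadJwkSet continues outside the hunk.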
@@ -262,16 +245,12 @@ public final class JwkUtils {
         return jwkSet;
     }
     public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider
cb) {
-        return loadJwkSet(props, bus, cb, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider
cb, 
-                                         JwkReaderWriter reader) {
         JweDecryptionProvider decryption = cb != null
             ? new AesCbcHmacJweDecryption(new PbesHmacAesWrapKeyDecryptionAlgorithm(
                 cb.getPassword(props))) : null;
-        return loadJwkSet(props, bus, decryption, reader);
+        return loadJwkSet(props, bus, decryption);
     }
-    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JweDecryptionProvider
jwe, JwkReaderWriter reader) {
+    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JweDecryptionProvider
jwe) {
         String keyContent = null;
         String keyStoreLoc = props.getProperty(JoseConstants.RSSEC_KEY_STORE_FILE);
         if (keyStoreLoc != null) {
@@ -293,25 +272,21 @@ public final class JwkUtils {
         if (jwe != null) {
             keyContent = jwe.decrypt(keyContent).getContentText();
         }
+        JwkReaderWriter reader = new JwkReaderWriter();
         if (props.getProperty(JoseConstants.RSSEC_KEY_STORE_JWKKEY) == null) {
             return reader.jsonToJwkSet(keyContent);
         } else {
-            JsonWebKey key = reader.jsonToJwk(keyContent);
-            JsonWebKeys keys = new JsonWebKeys();
-            keys.setKeys(Collections.singletonList(key));
-            return keys;
+            JsonWebKey jwk = reader.jsonToJwk(keyContent);
+            return new JsonWebKeys(jwk);
         }
     }
+    
     public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper)
{
         return loadJsonWebKey(m, props, keyOper, null);
     }
     public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper,
String inHeaderKid) {
-        return loadJsonWebKey(m, props, keyOper, inHeaderKid, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper,
String inHeaderKid, 
-                                            JwkReaderWriter reader) {
         PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props,
keyOper);
-        JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
+        JsonWebKeys jwkSet = loadJwkSet(m, props, cb);
         String kid = null;
         if (inHeaderKid != null 
             && MessageUtils.getContextualBoolean(m, JoseConstants.RSSEC_ACCEPT_PUBLIC_KEY,
false)) {
@@ -329,15 +304,11 @@ public final class JwkUtils {
         }
         return null;
     }
-    public static List<JsonWebKey> loadJsonWebKeys(Message m, Properties props, KeyOperation
keyOper) {
-        return loadJsonWebKeys(m, props, keyOper, new DefaultJwkReaderWriter());
-    }
-
-    public static List<JsonWebKey> loadJsonWebKeys(Message m, Properties props, 
-                                                   KeyOperation keyOper, 
-                                                   JwkReaderWriter reader) {
+    public static List<JsonWebKey> loadJsonWebKeys(Message m, 
+                                                   Properties props, 
+                                                   KeyOperation keyOper) {
         PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props,
keyOper);
-        JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
+        JsonWebKeys jwkSet = loadJwkSet(m, props, cb);
         String kid = KeyManagementUtils.getKeyId(m, props, JoseConstants.RSSEC_KEY_STORE_ALIAS,
keyOper);
         if (kid != null) {
             return Collections.singletonList(jwkSet.getKey(kid));
@@ -401,6 +372,16 @@ public final class JwkUtils {
         jwk.setProperty(JsonWebKey.RSA_PUBLIC_EXP, encodedPublicExponent);
         return jwk;
     }
+    public static JsonWebKey fromPublicKey(PublicKey key, Properties props, String algoProp)
{
+        // EC keys can  be supported once we figure out how to get a curve name 
+        // from an EC key instance or if a curve property is introduced
+        if (key instanceof RSAPublicKey) {
+            return JwkUtils.fromRSAPublicKey((RSAPublicKey)key, algoProp);
+        } else {
+            return JwkUtils.fromECPublicKey((ECPublicKey)key, 
+                                         props.getProperty(JoseConstants.RSSEC_EC_CURVE));
+        }
+    }
     public static JsonWebKey fromX509CertificateChain(List<X509Certificate> chain,
String algo) {
         JsonWebKey jwk = new JsonWebKey();
         jwk.setAlgorithm(algo);
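Review bot: In the new fromPublicKey every key that is not an RSAPublicKey is cast to ECPublicKey, so a DSA or other key type fails with a ClassCastException instead of a clear unsupported-type error, and the comment above the branch says EC keys are not supported yet while the else branch does handle them. The EC branch reads RSSEC_EC_CURVE with no default and dereferences props unconditionally, whereas JweUtils.getPublicKeyEncryptionProvider in the same commit defaults to P-256 and tolerates a null props; the two should agree. Separately, `algoProp` is a property name (callers pass RSSEC_ENCRYPTION_KEY_ALGORITHM and RSSEC_SIGNATURE_ALGORITHM) yet is forwarded to fromRSAPublicKey as is; if that method stores its second argument as the JWK `alg`, the way fromX509CertificateChain stores `algo`, the property key rather than the algorithm lands in the JWK and `props.getProperty(algoProp)` should be resolved first — its signature is outside the hunk, so please confirm. fromECPublicKey receives no algorithm at all.
```java
public static JsonWebKey fromPublicKey(PublicKey key, Properties props, String algoProp) {
    if (key instanceof RSAPublicKey) {
        return JwkUtils.fromRSAPublicKey((RSAPublicKey)key, algoProp);
    } else if (key instanceof ECPublicKey) {
        // Java exposes no curve name on the key, so it has to come from configuration;
        // default to P-256 as JweUtils.getPublicKeyEncryptionProvider does
        String curve = props == null ? JsonWebKey.EC_CURVE_P256
            : props.getProperty(JoseConstants.RSSEC_EC_CURVE, JsonWebKey.EC_CURVE_P256);
        return JwkUtils.fromECPublicKey((ECPublicKey)key, curve);
    } else {
        throw new IllegalArgumentException("Unsupported public key type: "
            + (key == null ? "null" : key.getClass().getName()));
    }
}
```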

http://git-wip-us.apache.org/repos/asf/cxf/blob/9db5da88/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index e20388f..710baa7 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -45,6 +45,7 @@ import org.apache.cxf.rs.security.jose.common.KeyManagementUtils;
 import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
+import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
 import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
 import org.apache.cxf.rs.security.jose.jwk.KeyOperation;
 import org.apache.cxf.rs.security.jose.jwk.KeyType;
@@ -503,5 +504,15 @@ public final class JwsUtils {
             throw new JwsException(JwsException.Error.INVALID_KEY);
         }
     }
-    
+    public static JsonWebKeys loadPublicVerificationKeys(Message m, Properties props) {
+        String storeType = props.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE);
+        if ("jwk".equals(storeType)) {
+            return JwkUtils.loadPublicJwkSet(m, props);
+        } else {
+            //TODO: consider loading all the public keys in the store
+            PublicKey key = KeyManagementUtils.loadPublicKey(m, props);
+            JsonWebKey jwk = JwkUtils.fromPublicKey(key, props, JoseConstants.RSSEC_SIGNATURE_ALGORITHM);
+            return new JsonWebKeys(jwk);
+        }
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/9db5da88/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 6ee14ac..6011577 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -122,6 +122,8 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
                 } else if (keys.getKeys().size() == 1) {
                     key = keys.getKeys().get(0);
                 }
+                //jwkSetClient returns the most up-to-date keys
+                keyMap.clear();
                 keyMap.putAll(keys.getKeyIdMap());
             }
         }
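Review bot: `keyMap.clear()` followed by `keyMap.putAll(...)` is two separate operations, so another thread validating a token between them sees an empty map and rejects a token whose key is actually present — assuming keyMap is shared across requests, which its use as a cache here suggests. Collecting the refreshed keys into a new map and swapping a reference (or only calling putAll and letting stale kids age out on the next refresh) removes that window; the declaration of keyMap and the enclosing method start outside the hunk, so its type and sharing need confirming. The added comment would also read better as `// jwkSetClient returns the most up-to-date keys, so drop entries for kids no longer published`.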

