From serg...@apache.org
Subject cxf git commit: Checking if the refresh token has expired and minor changes to JwkUtils
Date Thu, 26 Nov 2015 09:48:34 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes ea2453e13 -> cf2592377


Checking if the refresh token has expired and minor changes to JwkUtils


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/cf259237
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/cf259237
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/cf259237

Branch: refs/heads/3.1.x-fixes
Commit: cf25923774acf5cabb2775da729f9f51d8347e5d
Parents: ea2453e
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Nov 26 09:42:29 2015 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Nov 26 09:48:13 2015 +0000

----------------------------------------------------------------------
 .../rs/security/jose/jwa/AlgorithmUtils.java    |  3 ++
 .../cxf/rs/security/jose/jwk/JwkUtils.java      | 31 ++++++++++++--------
 .../provider/AbstractOAuthDataProvider.java     |  4 ++-
 3 files changed, 24 insertions(+), 14 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/cf259237/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java
index 0145b5d..d52054b 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/AlgorithmUtils.java
@@ -197,6 +197,9 @@ public final class AlgorithmUtils {
     public static boolean isRsa(String algo) {
         return isRsaKeyWrap(algo) || isRsaSign(algo);
     }
+    public static boolean isEc(String algo) {
+        return isEcDsaSign(algo) || isEcdhEsWrap(algo);
+    }
     public static boolean isRsaKeyWrap(String algo) {
         return RSA_CEK_SET.contains(algo);
     }
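Review bot: `isEc` is added without Javadoc, while nothing in this diff calls it — the new `prepareECJwk` in JwkUtils does not use it, so the EC path gains no algorithm validation from this helper yet. A one-line Javadoc matching its siblings would make the intended use clear: `/** Returns true if {@code algo} is an ECDSA signing or ECDH-ES wrap algorithm. */`. Whether `isEcDsaSign`/`isEcdhEsWrap` are null-safe is not visible in this hunk; if they are not, callers passing an unset property would get a NullPointerException rather than false.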

http://git-wip-us.apache.org/repos/asf/cxf/blob/cf259237/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
index eca04a5..38c299a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
@@ -349,9 +349,7 @@ public final class JwkUtils {
         return KeyManagementUtils.toX509CertificateChain(base64EncodedChain);
     }
     public static JsonWebKey fromECPublicKey(ECPublicKey pk, String curve) {
-        JsonWebKey jwk = new JsonWebKey();
-        jwk.setKeyType(KeyType.EC);
-        jwk.setProperty(JsonWebKey.EC_CURVE, curve);
+        JsonWebKey jwk = prepareECJwk(curve);
         jwk.setProperty(JsonWebKey.EC_X_COORDINATE, 
                         Base64UrlUtility.encode(pk.getW().getAffineX().toByteArray()));
         jwk.setProperty(JsonWebKey.EC_Y_COORDINATE, 
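Review bot: The `x` coordinate on the context line is encoded with `BigInteger.toByteArray()`, which yields a sign-prefixed, minimal-length array, but JWK EC coordinates must be unsigned octet strings of exactly the curve's field size (RFC 7518 §6.2.1.2): a coordinate with its top bit set gains an extra leading 0x00, and one with leading zero bits comes out short, so such keys are rejected or misparsed by strict JWK consumers. The same applies to the `y` coordinate and to the `d` value written in the next hunk (`fromECPrivateKey`), which should be padded to the curve order's byte length. Below is a fixed-length encoder and the rewritten `x` line; `fromECPublicKey`'s body continues past the end of this hunk.
```java
    public static JsonWebKey fromECPublicKey(ECPublicKey pk, String curve) {
        JsonWebKey jwk = prepareECJwk(curve);
        // RFC 7518 requires x/y to be exactly the field size in bytes
        int coordLen = (pk.getParams().getCurve().getField().getFieldSize() + 7) / 8;
        jwk.setProperty(JsonWebKey.EC_X_COORDINATE,
                        Base64UrlUtility.encode(toFixedLength(pk.getW().getAffineX(), coordLen)));
        // … unchanged: y coordinate, with the same toFixedLength treatment, and return …

    /**
     * Encodes a non-negative value as an unsigned big-endian octet string of exactly len bytes,
     * dropping the sign byte toByteArray() adds and left-padding short values with zeros.
     */
    private static byte[] toFixedLength(BigInteger value, int len) {
        byte[] raw = value.toByteArray();
        if (raw.length == len) {
            return raw;
        }
        byte[] out = new byte[len];
        if (raw.length > len) {
            System.arraycopy(raw, raw.length - len, out, 0, len);
        } else {
            System.arraycopy(raw, 0, out, len - raw.length, raw.length);
        }
        return out;
    }
```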
@@ -359,9 +357,7 @@ public final class JwkUtils {
         return jwk;
     }
     public static JsonWebKey fromECPrivateKey(ECPrivateKey pk, String curve) {
-        JsonWebKey jwk = new JsonWebKey();
-        jwk.setKeyType(KeyType.EC);
-        jwk.setProperty(JsonWebKey.EC_CURVE, curve);
+        JsonWebKey jwk = prepareECJwk(curve);
         jwk.setProperty(JsonWebKey.EC_PRIVATE_KEY, 
                         Base64UrlUtility.encode(pk.getS().toByteArray()));
         return jwk;
@@ -375,10 +371,11 @@ public final class JwkUtils {
     public static JsonWebKey fromPublicKey(PublicKey key, Properties props, String algoProp)
{
         JsonWebKey jwk = null;
         if (key instanceof RSAPublicKey) {
-            jwk = JwkUtils.fromRSAPublicKey((RSAPublicKey)key, props.getProperty(algoProp));
+            String algo = props.getProperty(algoProp);
+            jwk = JwkUtils.fromRSAPublicKey((RSAPublicKey)key, algo);
         } else {
-            jwk = JwkUtils.fromECPublicKey((ECPublicKey)key, 
-                                         props.getProperty(JoseConstants.RSSEC_EC_CURVE));
+            jwk = JwkUtils.fromECPublicKey((ECPublicKey)key,
+                                           props.getProperty(JoseConstants.RSSEC_EC_CURVE));
         }
         String kid = props.getProperty(JoseConstants.RSSEC_KEY_STORE_ALIAS);
         if (kid != null) {
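Review bot: The `else` branch still casts every non-RSA key to `ECPublicKey`, so a key of any other type fails with a `ClassCastException` instead of the `JwkException` the RSA path uses for invalid input; change it to `} else if (key instanceof ECPublicKey) {` and add a final `else { throw new JwkException("Unsupported key type"); }`. The EC branch also passes `props.getProperty(JoseConstants.RSSEC_EC_CURVE)` straight through, so a missing property presumably ends up as a null `crv` in the JWK rather than an early failure — confirm whether `prepareECJwk` is expected to guard that. The new `algo` local is read once and could be inlined, but that is cosmetic. `fromPublicKey`'s body continues past the hunk.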
@@ -475,16 +472,24 @@ public final class JwkUtils {
         return new AesCbcHmacJweDecryption(keyDecryption);
     }
     private static JsonWebKey prepareRSAJwk(BigInteger modulus, String algo) {
-        if (!AlgorithmUtils.isRsa(algo)) {
-            throw new JwkException("Invalid algorithm");
-        }
         JsonWebKey jwk = new JsonWebKey();
         jwk.setKeyType(KeyType.RSA);
-        jwk.setAlgorithm(algo);
+        if (algo != null) {
+            if (!AlgorithmUtils.isRsa(algo)) {
+                throw new JwkException("Invalid algorithm");
+            }
+            jwk.setAlgorithm(algo);
+        }
         String encodedModulus = Base64UrlUtility.encode(modulus.toByteArray());
         jwk.setProperty(JsonWebKey.RSA_MODULUS, encodedModulus);
         return jwk;
     }
+    private static JsonWebKey prepareECJwk(String curve) {
+        JsonWebKey jwk = new JsonWebKey();
+        jwk.setKeyType(KeyType.EC);
+        jwk.setProperty(JsonWebKey.EC_CURVE, curve);
+        return jwk;
+    }
     private static String toString(byte[] bytes) {
         try {
             return new String(bytes, StandardCharsets.UTF_8);
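Review bot: `modulus.toByteArray()` on the context line in `prepareRSAJwk` prepends a 0x00 byte whenever the modulus's top bit is set, which holds for any standard RSA modulus whose bit length is a multiple of 8, yet RFC 7518 Base64urlUInt requires the minimum number of octets, so the emitted `n` is one byte too long for strict parsers. Strip it before encoding: `byte[] raw = modulus.toByteArray(); if (raw.length > 1 && raw[0] == 0) { raw = Arrays.copyOfRange(raw, 1, raw.length); }` (needs `java.util.Arrays` if the file does not already import it). Separately, the new `prepareECJwk` sets `curve` with no null check, whereas `prepareRSAJwk` now rejects a bad `algo` early; `Objects.requireNonNull(curve, "curve")` or a `JwkException` would keep the two helpers consistent.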

http://git-wip-us.apache.org/repos/asf/cxf/blob/cf259237/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index d40d668..0346c09 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -29,6 +29,7 @@ import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
 import org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 
 public abstract class AbstractOAuthDataProvider implements OAuthDataProvider {
     private long accessTokenLifetime = 3600L;
@@ -52,7 +53,8 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider
{
     public ServerAccessToken refreshAccessToken(Client client, String refreshTokenKey,
                                                 List<String> restrictedScopes) throws
OAuthServiceException {
         RefreshToken oldRefreshToken = revokeRefreshAndAccessTokens(client, refreshTokenKey);
-        if (oldRefreshToken == null) {
+        if (oldRefreshToken == null 
+            || OAuthUtils.isExpired(oldRefreshToken.getIssuedAt(), oldRefreshToken.getExpiresIn()))
{
             throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
         }
         return doRefreshAccessToken(client, oldRefreshToken, restrictedScopes);
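Review bot: The new expiry check runs only after `revokeRefreshAndAccessTokens` has already removed the refresh token and its access tokens, so an expired refresh token is purged as a side effect of being presented; that is sound but not obvious and deserves a comment on the `if`: `// an expired token is still revoked above: presenting it must purge it, not merely deny the refresh`. Whether `OAuthUtils.isExpired` treats an `expiresIn` of 0 as "no expiry" is not visible here; if it does not, refresh tokens issued without a lifetime would now always be refused, so confirm that against its implementation. Both failure cases map to the same `ACCESS_DENIED`, which avoids telling the caller whether the token existed; a debug-level log line distinguishing unknown from expired would help operators during triage. `refreshAccessToken`'s closing brace lies outside the hunk.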

