From cohei...@apache.org
Subject [1/3] cxf git commit: Set a security context up from the JWS cert
Date Mon, 30 Nov 2015 17:21:59 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes c3afe9d03 -> 1c635e00a


Set a security context up from the JWS cert

# Conflicts:
#	rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b455cba4
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b455cba4
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b455cba4

Branch: refs/heads/3.0.x-fixes
Commit: b455cba43da85ab14245e0108c1ad59533a8f6b2
Parents: c3afe9d
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Nov 30 17:14:45 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Nov 30 17:18:28 2015 +0000

----------------------------------------------------------------------
 .../jose/jaxrs/JwsContainerRequestFilter.java   | 26 ++++++++++++++++++++
 .../jose/jws/EcDsaJwsSignatureVerifier.java     |  9 +++++++
 .../cxf/rs/security/jose/jws/JwsUtils.java      | 26 +++++++++++++++++---
 .../jose/jws/PublicKeyJwsSignatureVerifier.java | 19 ++++++++++++++
 4 files changed, 77 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/b455cba4/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
index ab2698f..003e674 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.jose.jaxrs;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.security.Principal;
 
 import javax.annotation.Priority;
 import javax.ws.rs.HttpMethod;
@@ -32,6 +33,8 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.PublicKeyJwsSignatureVerifier;
+import org.apache.cxf.security.SecurityContext;
 
 @PreMatching
 @Priority(Priorities.JWS_SERVER_READ_PRIORITY)
@@ -56,6 +59,29 @@ public class JwsContainerRequestFilter extends AbstractJwsReaderProvider
impleme
         if (ct != null) {
             context.getHeaders().putSingle("Content-Type", ct);
         }
+        
+        SecurityContext securityContext = configureSecurityContext(theSigVerifier);
+        if (securityContext != null) {
+            JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext);
+        }
     }
     
+    protected SecurityContext configureSecurityContext(JwsSignatureVerifier sigVerifier)
{
+        if (sigVerifier instanceof PublicKeyJwsSignatureVerifier
+            && ((PublicKeyJwsSignatureVerifier)sigVerifier).getX509Certificate()
!= null) {
+            final Principal principal = 
+                ((PublicKeyJwsSignatureVerifier)sigVerifier).getX509Certificate().getSubjectX500Principal();
+            return new SecurityContext() {
+
+                public Principal getUserPrincipal() {
+                    return principal;
+                }
+
+                public boolean isUserInRole(String arg0) {
+                    return false;
+                }
+            };
+        }
+        return null;
+    }
 }
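Review bot: `JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext)` unconditionally replaces whatever SecurityContext an earlier filter may already have placed on the message, and the context it installs carries only the certificate subject with `isUserInRole` hard-wired to `false`, so any downstream role-based check will deny. If that is the intended contract, say so on `configureSecurityContext`: `/** Builds a SecurityContext whose principal is the subject of the verifier's X.509 certificate. No role information is derivable from the certificate, so isUserInRole always returns false. Returns null when the verifier carries no certificate. */`. The double cast reads better bound once, e.g. `PublicKeyJwsSignatureVerifier pkVerifier = (PublicKeyJwsSignatureVerifier) sigVerifier;` before the certificate null test. The enclosing method starts outside the hunk, so whether `theSigVerifier` is only reached after a successful signature verification cannot be confirmed from here.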

http://git-wip-us.apache.org/repos/asf/cxf/blob/b455cba4/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
index 025cd21..36e8799 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
@@ -19,6 +19,7 @@
 package org.apache.cxf.rs.security.jose.jws;
 
 import java.security.PublicKey;
+import java.security.cert.X509Certificate;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.HashMap;
 import java.util.Map;
@@ -40,6 +41,14 @@ public class EcDsaJwsSignatureVerifier extends PublicKeyJwsSignatureVerifier
{
     public EcDsaJwsSignatureVerifier(PublicKey key, AlgorithmParameterSpec spec, SignatureAlgorithm
supportedAlgo) {
         super(key, spec, supportedAlgo);
     }
+    public EcDsaJwsSignatureVerifier(X509Certificate cert, SignatureAlgorithm supportedAlgo)
{
+        this(cert, null, supportedAlgo);
+    }
+    public EcDsaJwsSignatureVerifier(X509Certificate cert, 
+                                     AlgorithmParameterSpec spec, 
+                                     SignatureAlgorithm supportedAlgo) {
+        super(cert, spec, supportedAlgo);
+    }
     @Override
     public boolean verify(JwsHeaders headers, String unsignedText, byte[] signature) {
         final String algoName = super.getAlgorithm().getJwaName();
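Review bot: The two added constructors have no Javadoc although they introduce a second construction path alongside the existing `PublicKey` one visible on the context lines; a one-liner such as `/** Creates a verifier for the EC public key of the given certificate, keeping the certificate available via getX509Certificate(). */` would tell a reader why a certificate overload exists. Both forward to the `PublicKeyJwsSignatureVerifier` certificate constructor, so null handling is inherited from there; the null-certificate concern is raised on that file's hunk. `verify` continues outside the hunk.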

http://git-wip-us.apache.org/repos/asf/cxf/blob/b455cba4/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 2cbc23b..7a020ef 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -143,7 +143,20 @@ public final class JwsUtils {
         return theVerifier;
     }
     public static JwsSignatureVerifier getPublicKeySignatureVerifier(X509Certificate cert,
SignatureAlgorithm algo) {
-        return getPublicKeySignatureVerifier(cert.getPublicKey(), algo);
+        if (algo == null) {
+            LOG.warning("No signature algorithm was defined");
+            throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
+        }
+        
+        if (cert != null) {
+            if (cert.getPublicKey() instanceof RSAPublicKey) {
+                return new PublicKeyJwsSignatureVerifier(cert, algo);
+            } else if (cert.getPublicKey() instanceof ECPublicKey) {
+                return new EcDsaJwsSignatureVerifier(cert, algo);
+            }
+        }
+        
+        return null;
     }
     public static JwsSignatureVerifier getPublicKeySignatureVerifier(PublicKey key, SignatureAlgorithm
algo) {
         if (algo == null) {
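Review bot: The rewritten `getPublicKeySignatureVerifier(X509Certificate, SignatureAlgorithm)` returns null silently when `cert` is null or its key is neither `RSAPublicKey` nor `ECPublicKey`, whereas the removed line delegated every key type to the `PublicKey` overload; callers that previously got a verifier (or presumably a logged failure) for other key types now get a null that only surfaces later as a missing verifier. Keep the delegation as the fallback instead of the bare `return null;`, e.g. `return cert != null ? getPublicKeySignatureVerifier(cert.getPublicKey(), algo) : null;`, and log the null-certificate case the same way the null-algorithm case is logged two lines above. Whether `RSAPublicKey` and `ECPublicKey` are already imported in this file is not visible in the hunk.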
@@ -346,7 +359,7 @@ public final class JwsUtils {
             } else if (inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN) != null) {
                 List<X509Certificate> chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
                 KeyManagementUtils.validateCertificateChain(props, chain);
-                return getPublicKeySignatureVerifier(chain.get(0).getPublicKey(), 
+                return getPublicKeySignatureVerifier(chain.get(0), 
                                                      inHeaders.getSignatureAlgorithm());
             } else if (inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null)
{
                 X509Certificate foundCert = 
@@ -354,7 +367,7 @@ public final class JwsUtils {
                                                                     MessageDigestUtils.ALGO_SHA_1,
                                                                     m, props);
                 if (foundCert != null) {
-                    return getPublicKeySignatureVerifier(foundCert.getPublicKey(), 
+                    return getPublicKeySignatureVerifier(foundCert, 
                                                          inHeaders.getSignatureAlgorithm());
                 }
             }
@@ -373,9 +386,16 @@ public final class JwsUtils {
                 && SignatureAlgorithm.NONE.getJwaName().equals(inHeaders.getAlgorithm()))
{
                 theVerifier = new NoneJwsSignatureVerifier();
             } else {
+<<<<<<< HEAD
                 theVerifier = getPublicKeySignatureVerifier(
                               KeyManagementUtils.loadPublicKey(m, props), 
                               SignatureAlgorithm.getAlgorithm(signatureAlgo));
+=======
+                X509Certificate[] certs = KeyManagementUtils.loadX509CertificateOrChain(m,
props);
+                if (certs != null && certs.length > 0) {
+                    theVerifier = getPublicKeySignatureVerifier(certs[0], signatureAlgo);
+                }
+>>>>>>> a400eaa... Set a security context up from the JWS cert
             }
         }
         if (theVerifier == null && !ignoreNullVerifier) {
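Review bot: The added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> a400eaa... Set a security context up from the JWS cert` are committed into JwsUtils.java as source, so the file cannot compile as it stands; the commit message lists the file under `# Conflicts:` but the markers were never resolved. The two sides also disagree on the argument type: HEAD passes `SignatureAlgorithm.getAlgorithm(signatureAlgo)` while the incoming side passes `signatureAlgo` directly, so the resolution on this branch presumably needs the `getAlgorithm` conversion kept. The incoming side further drops the `KeyManagementUtils.loadPublicKey` path entirely, so a configuration that supplies only a public key and no certificate would end with `theVerifier` null; if that configuration is still supported, keep the public-key lookup as the fallback when no certificate is loaded. The enclosing method starts outside the hunk.
```java
X509Certificate[] certs = KeyManagementUtils.loadX509CertificateOrChain(m, props);
if (certs != null && certs.length > 0) {
    theVerifier = getPublicKeySignatureVerifier(certs[0],
                      SignatureAlgorithm.getAlgorithm(signatureAlgo));
} else {
    // no certificate configured: fall back to the bare public key as before
    theVerifier = getPublicKeySignatureVerifier(
                      KeyManagementUtils.loadPublicKey(m, props),
                      SignatureAlgorithm.getAlgorithm(signatureAlgo));
}
// … unchanged: closing of the else branch and the null-verifier check …
```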

http://git-wip-us.apache.org/repos/asf/cxf/blob/b455cba4/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
index 65a2a15..b58e74f 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
@@ -19,6 +19,7 @@
 package org.apache.cxf.rs.security.jose.jws;
 
 import java.security.PublicKey;
+import java.security.cert.X509Certificate;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.logging.Logger;
 
@@ -33,6 +34,7 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier
{
     private PublicKey key;
     private AlgorithmParameterSpec signatureSpec;
     private SignatureAlgorithm supportedAlgo;
+    private X509Certificate cert;
     
     public PublicKeyJwsSignatureVerifier(PublicKey key, SignatureAlgorithm supportedAlgorithm)
{
         this(key, null, supportedAlgorithm);
@@ -43,6 +45,20 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier
{
         this.supportedAlgo = supportedAlgo;
         JwsUtils.checkSignatureKeySize(key);
     }
+    public PublicKeyJwsSignatureVerifier(X509Certificate cert, SignatureAlgorithm supportedAlgorithm)
{
+        this(cert, null, supportedAlgorithm);
+    }
+    public PublicKeyJwsSignatureVerifier(X509Certificate cert, 
+                                         AlgorithmParameterSpec spec, 
+                                         SignatureAlgorithm supportedAlgo) {
+        if (cert != null) {
+            this.key = cert.getPublicKey();
+        }
+        this.cert = cert;
+        this.signatureSpec = spec;
+        this.supportedAlgo = supportedAlgo;
+        JwsUtils.checkSignatureKeySize(key);
+    }
     @Override
     public boolean verify(JwsHeaders headers, String unsignedText, byte[] signature) {
         try {
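Review bot: The new three-argument certificate constructor leaves `key` null when `cert` is null and then calls `JwsUtils.checkSignatureKeySize(key)` on it; unless that helper tolerates null (not visible here) this fails with a NullPointerException far from the bad argument, and a verifier with no key is never usable, so the null should be rejected at the entry point. The body also duplicates the existing three-argument `PublicKey` constructor whose tail is visible on the context lines; delegating keeps the key-size check in one place and rejects null in the same stroke: `this(Objects.requireNonNull(cert, "cert").getPublicKey(), spec, supportedAlgo);` followed by `this.cert = cert;`. The same observation applies to the `EcDsaJwsSignatureVerifier` certificate constructors, which forward to this one. `verify` continues outside the hunk.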
@@ -78,4 +94,7 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier
{
         return supportedAlgo;
     }
 
+    public X509Certificate getX509Certificate() {
+        return cert;
+    }
 }

