From: coheigea@apache.org To: commits@cxf.apache.org Date: Mon, 30 Nov 2015 17:21:59 -0000 Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: [1/3] cxf git commit: Set a security context up from the JWS cert Repository: cxf Updated Branches: refs/heads/3.0.x-fixes c3afe9d03 -> 1c635e00a Set a security context up from the JWS cert # Conflicts: # rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b455cba4 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b455cba4 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b455cba4 Branch: refs/heads/3.0.x-fixes Commit: b455cba43da85ab14245e0108c1ad59533a8f6b2 Parents: c3afe9d Author: Colm O hEigeartaigh Authored: Mon Nov 30 17:14:45 2015 +0000 Committer: Colm O hEigeartaigh Committed: Mon Nov 30 17:18:28 2015 +0000 ---------------------------------------------------------------------- .../jose/jaxrs/JwsContainerRequestFilter.java | 26 ++++++++++++++++++++ .../jose/jws/EcDsaJwsSignatureVerifier.java | 9 +++++++ .../cxf/rs/security/jose/jws/JwsUtils.java | 26 +++++++++++++++++--- .../jose/jws/PublicKeyJwsSignatureVerifier.java | 19 ++++++++++++++ 4 files changed, 77 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/b455cba4/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java index ab2698f..003e674 100644 
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.jose.jaxrs;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.security.Principal;
 import javax.annotation.Priority;
 import javax.ws.rs.HttpMethod;
@@ -32,6 +33,8 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.PublicKeyJwsSignatureVerifier;
+import org.apache.cxf.security.SecurityContext;
 @PreMatching
 @Priority(Priorities.JWS_SERVER_READ_PRIORITY)
@@ -56,6 +59,29 @@ public class JwsContainerRequestFilter extends AbstractJwsReaderProvider impleme
 if (ct != null) {
 context.getHeaders().putSingle("Content-Type", ct);
 }
+
+ SecurityContext securityContext = configureSecurityContext(theSigVerifier);
+ if (securityContext != null) {
+ JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext);
+ }
 }
+ protected SecurityContext configureSecurityContext(JwsSignatureVerifier sigVerifier) {
+ if (sigVerifier instanceof PublicKeyJwsSignatureVerifier
+ && ((PublicKeyJwsSignatureVerifier)sigVerifier).getX509Certificate() != null) {
+ final Principal principal =
+ ((PublicKeyJwsSignatureVerifier)sigVerifier).getX509Certificate().getSubjectX500Principal();
+ return new SecurityContext() {
+
+ public Principal getUserPrincipal() {
+ return principal;
+ }
+
+ public boolean isUserInRole(String arg0) {
+ return false;
+ }
+ };
+ }
+ return null;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/b455cba4/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
index 025cd21..36e8799 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureVerifier.java
@@ -19,6 +19,7 @@ package org.apache.cxf.rs.security.jose.jws;
 import java.security.PublicKey;
+import java.security.cert.X509Certificate;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.HashMap;
 import java.util.Map;
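Review bot: The `JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext)` call added at the end of `filter` replaces any SecurityContext already on the message, for instance one established by TLS client authentication or an earlier authentication filter, with a context whose `isUserInRole` always answers `false`, so a role-protected resource behind this filter would start denying callers it previously admitted. The principal is the subject DN of whatever certificate the verifier was built from, so it is only as trustworthy as the chain validation done where that verifier was created, which is outside this hunk; the signature verification itself also precedes this hunk, since the start of `filter` is not shown. I would document both on `configureSecurityContext`: `/** Builds a SecurityContext whose principal is the subject of the certificate the JWS was verified against; that certificate must already have been validated by the code that constructed the verifier. No roles are derived, so isUserInRole always returns false. */`. If overwriting an existing context is not intended, guard the put with a check that the message holds no SecurityContext yet.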
@@ -40,6 +41,14 @@ public class EcDsaJwsSignatureVerifier extends PublicKeyJwsSignatureVerifier {
 public EcDsaJwsSignatureVerifier(PublicKey key, AlgorithmParameterSpec spec, SignatureAlgorithm supportedAlgo) {
 super(key, spec, supportedAlgo);
 }
+ public EcDsaJwsSignatureVerifier(X509Certificate cert, SignatureAlgorithm supportedAlgo) {
+ this(cert, null, supportedAlgo);
+ }
+ public EcDsaJwsSignatureVerifier(X509Certificate cert,
+ AlgorithmParameterSpec spec,
+ SignatureAlgorithm supportedAlgo) {
+ super(cert, spec, supportedAlgo);
+ }
 @Override
 public boolean verify(JwsHeaders headers, String unsignedText, byte[] signature) {
 final String algoName = super.getAlgorithm().getJwaName();
http://git-wip-us.apache.org/repos/asf/cxf/blob/b455cba4/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 2cbc23b..7a020ef 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -143,7 +143,20 @@ public final class JwsUtils {
 return theVerifier;
 }
 public static JwsSignatureVerifier getPublicKeySignatureVerifier(X509Certificate cert, SignatureAlgorithm algo) {
- return getPublicKeySignatureVerifier(cert.getPublicKey(), algo);
+ if (algo == null) {
+ LOG.warning("No signature algorithm was defined");
+ throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
+ }
+
+ if (cert != null) {
+ if (cert.getPublicKey() instanceof RSAPublicKey) {
+ return new PublicKeyJwsSignatureVerifier(cert, algo);
+ } else if (cert.getPublicKey() instanceof ECPublicKey) {
+ return new EcDsaJwsSignatureVerifier(cert, algo);
+ }
+ }
+
+ return null;
 }
 public static JwsSignatureVerifier getPublicKeySignatureVerifier(PublicKey key, SignatureAlgorithm algo) {
 if (algo == null) {
@@ -346,7 +359,7 @@ public final class JwsUtils {
 } else if (inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN) != null) {
 List chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
 KeyManagementUtils.validateCertificateChain(props, chain);
- return getPublicKeySignatureVerifier(chain.get(0).getPublicKey(),
+ return getPublicKeySignatureVerifier(chain.get(0),
 inHeaders.getSignatureAlgorithm());
 } else if (inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
 X509Certificate foundCert =
@@ -354,7 +367,7 @@ public final class JwsUtils {
 MessageDigestUtils.ALGO_SHA_1, m, props);
 if (foundCert != null) {
- return getPublicKeySignatureVerifier(foundCert.getPublicKey(),
+ return getPublicKeySignatureVerifier(foundCert,
 inHeaders.getSignatureAlgorithm());
 }
 }
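Review bot: The rewritten `getPublicKeySignatureVerifier(X509Certificate, SignatureAlgorithm)` returns `null` silently when `cert` is null or when its public key is neither `RSAPublicKey` nor `ECPublicKey`, while the `algo == null` branch just above logs and throws; the caller only notices through the later `theVerifier == null && !ignoreNullVerifier` check and the reason is lost. I would log before the final return, e.g. `LOG.warning("No certificate provided or unsupported certificate public key type");`, and mirror whatever the `PublicKey` overload below does for an unsupported key, whose body the hunk cuts off. The verifier is also chosen by key type alone rather than by `algo`, so an RSA certificate paired with an ES256 header yields a `PublicKeyJwsSignatureVerifier`; presumably `verify` rejects that mismatch, but it is not visible here.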
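Review bot: The certificate handed to `getPublicKeySignatureVerifier` as `chain.get(0)` comes from the untrusted `x5c` JWS header, and with this commit its subject becomes the request principal, so the ordering with `KeyManagementUtils.validateCertificateChain(props, chain)` on the line above is now load-bearing and nothing in the code says so. I would add a comment above the `return`: `// chain validated above; only a validated leaf may become the verifier key and the request principal`. The `x5t` branch in the next hunk takes the certificate from the local store instead, so it does not carry this dependency. The enclosing method starts and ends outside the hunk.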
@@ -373,9 +386,16 @@ public final class JwsUtils {
 && SignatureAlgorithm.NONE.getJwaName().equals(inHeaders.getAlgorithm())) {
 theVerifier = new NoneJwsSignatureVerifier();
 } else {
+<<<<<<< HEAD
 theVerifier = getPublicKeySignatureVerifier(
 KeyManagementUtils.loadPublicKey(m, props),
 SignatureAlgorithm.getAlgorithm(signatureAlgo));
+=======
+ X509Certificate[] certs = KeyManagementUtils.loadX509CertificateOrChain(m, props);
+ if (certs != null && certs.length > 0) {
+ theVerifier = getPublicKeySignatureVerifier(certs[0], signatureAlgo);
+ }
+>>>>>>> a400eaa... Set a security context up from the JWS cert
 }
 }
 if (theVerifier == null && !ignoreNullVerifier) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/b455cba4/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
index 65a2a15..b58e74f 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java
@@ -19,6 +19,7 @@ package org.apache.cxf.rs.security.jose.jws;
 import java.security.PublicKey;
+import java.security.cert.X509Certificate;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.logging.Logger;
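Review bot: The hunk commits unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> a400eaa...`) into JwsUtils.java, so the file cannot compile at this commit; the commit message records the conflict but the markers were never resolved. The two sides also disagree on the algorithm argument: the HEAD side passes `SignatureAlgorithm.getAlgorithm(signatureAlgo)` while the incoming side passes `signatureAlgo` directly, which suggests `signatureAlgo` is a String on this branch and the conversion has to survive the resolution. Assuming `KeyManagementUtils.loadX509CertificateOrChain` exists on 3.0.x, the resolved `else` branch would read as below; if it does not, the `loadPublicKey` fallback must stay. The enclosing method starts and ends outside the hunk.
```java
            } else {
                X509Certificate[] certs = KeyManagementUtils.loadX509CertificateOrChain(m, props);
                if (certs != null && certs.length > 0) {
                    theVerifier = getPublicKeySignatureVerifier(certs[0],
                                                                SignatureAlgorithm.getAlgorithm(signatureAlgo));
                }
            }
```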
@@ -33,6 +34,7 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
 private PublicKey key;
 private AlgorithmParameterSpec signatureSpec;
 private SignatureAlgorithm supportedAlgo;
+ private X509Certificate cert;
 public PublicKeyJwsSignatureVerifier(PublicKey key, SignatureAlgorithm supportedAlgorithm) {
 this(key, null, supportedAlgorithm);
@@ -43,6 +45,20 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
 this.supportedAlgo = supportedAlgo;
 JwsUtils.checkSignatureKeySize(key);
 }
+ public PublicKeyJwsSignatureVerifier(X509Certificate cert, SignatureAlgorithm supportedAlgorithm) {
+ this(cert, null, supportedAlgorithm);
+ }
+ public PublicKeyJwsSignatureVerifier(X509Certificate cert,
+ AlgorithmParameterSpec spec,
+ SignatureAlgorithm supportedAlgo) {
+ if (cert != null) {
+ this.key = cert.getPublicKey();
+ }
+ this.cert = cert;
+ this.signatureSpec = spec;
+ this.supportedAlgo = supportedAlgo;
+ JwsUtils.checkSignatureKeySize(key);
+ }
 @Override
 public boolean verify(JwsHeaders headers, String unsignedText, byte[] signature) {
 try {
@@ -78,4 +94,7 @@ public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
 return supportedAlgo;
 }
+ public X509Certificate getX509Certificate() {
+ return cert;
+ }
 }
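Review bot: The new three-argument constructor tolerates `cert == null` (it only assigns `key` inside the `if`), then hands the still-null `key` to `JwsUtils.checkSignatureKeySize(key)` and keeps a verifier that can only fail later in `verify`; unless `checkSignatureKeySize` already rejects a null key, which its unseen body may or may not do, the constructor should fail fast, e.g. `if (cert == null) { throw new IllegalArgumentException("cert must not be null"); }` in place of the `if (cert != null)` guard. The certificate is stored and returned by `getX509Certificate()` exactly as supplied with no validity or chain check in this class, and the filter in this commit turns its subject into the request principal, so the getter deserves a Javadoc such as `/** The certificate this verifier was built from, returned as supplied; callers deriving identity from it must have validated it themselves. */`. The constructor also does not check that the certificate's key type agrees with `supportedAlgo`; presumably `verify` does, but that is outside the hunk.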