From: coheigea@apache.org To: commits@cxf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Add the ability to sign/encrypt UserInfoService responses using asymmetric keys Date: Tue, 16 Feb 2016 17:10:16 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 609fcadef -> d3e47e330 Add the ability to sign/encrypt UserInfoService responses using asymmetric keys Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d3e47e33 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d3e47e33 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d3e47e33 Branch: refs/heads/3.1.x-fixes Commit: d3e47e3306696eaab28a00aaf879f10f57b3c792 Parents: 609fcad Author: Colm O hEigeartaigh Authored: Tue Feb 16 17:06:39 2016 +0000 Committer: Colm O hEigeartaigh Committed: Tue Feb 16 17:09:09 2016 +0000 ---------------------------------------------------------------------- .../oauth2/provider/OAuthServerJoseJwtProducer.java | 14 +++++++++++--- .../cxf/rs/security/oidc/idp/UserInfoService.java | 8 ++++++-- 2 files changed, 17 insertions(+), 5 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d3e47e33/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java
index 24e6a16..35a323f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.java
@@ -25,6 +25,7 @@ import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
@@ -35,12 +36,12 @@ public class OAuthServerJoseJwtProducer extends OAuthJoseJwtProducer {
 public String processJwt(JwtToken jwt, Client client) {
 return processJwt(jwt, getInitializedEncryptionProvider(client),
- getInitializedSignatureProvider(client.getClientSecret()));
+ getInitializedSignatureProvider(client));
 }
 protected JweEncryptionProvider getInitializedEncryptionProvider(Client c) {
 JweEncryptionProvider theEncryptionProvider = null;
- if (encryptWithClientCertificates) {
+ if (encryptWithClientCertificates && c != null && !c.getApplicationCertificates().isEmpty()) {
 X509Certificate cert = (X509Certificate)CryptoUtils.decodeCertificate(c.getApplicationCertificates().get(0));
 theEncryptionProvider = JweUtils.createJweEncryptionProvider((RSAPublicKey)cert.getPublicKey(),
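Review bot: The widened guard in getInitializedEncryptionProvider, `if (encryptWithClientCertificates && c != null && !c.getApplicationCertificates().isEmpty())`, makes a client with no registered certificate fall through silently to the client-secret provider (next hunk) or to a null provider, so a deployment configured for asymmetric encryption can end up protecting UserInfo responses with the shared secret, or with nothing, without any log line. Consider logging a warning (or rejecting the request) when `encryptWithClientCertificates` is set and the certificate branch is skipped for a non-null client, so the downgrade is visible to operators. The condition also presumes getApplicationCertificates() never returns null; if the Client model allows that, add `c.getApplicationCertificates() != null` to the guard. The method has no Javadoc; a header such as `/** Selects the JWE provider for a client: the first registered application certificate when encryptWithClientCertificates is set, otherwise the client secret; null when neither is available. */` would record the precedence. getInitializedEncryptionProvider's body continues outside the hunk.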
@@ -48,12 +49,19 @@ public class OAuthServerJoseJwtProducer extends OAuthJoseJwtProducer {
 ContentAlgorithm.A128GCM, null);
 }
- if (theEncryptionProvider == null) {
+ if (theEncryptionProvider == null && c != null && c.getClientSecret() != null) {
 theEncryptionProvider = super.getInitializedEncryptionProvider(c.getClientSecret());
 }
 return theEncryptionProvider;
 }
+
+ protected JwsSignatureProvider getInitializedSignatureProvider(Client c) {
+ if (c == null) {
+ return null;
+ }
+ return super.getInitializedSignatureProvider(c.getClientSecret());
+ }
 public void setEncryptWithClientCertificates(boolean encryptWithClientCertificates) {
 if (isEncryptWithClientSecret()) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/d3e47e33/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
index 9955bf9..5edf228 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
@@ -26,6 +26,7 @@ import javax.ws.rs.core.Response;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServerJoseJwtProducer;
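Review bot: The new overload `getInitializedSignatureProvider(Client c)` has no Javadoc, and its null handling is asymmetric with the encryption path just above it: encryption now requires `c.getClientSecret() != null` before using the secret, while the signature overload forwards a possibly-null secret straight to the superclass. If the String overload does not treat a null secret as "no provider", the two paths diverge for public clients; `return c.getClientSecret() == null ? null : super.getInitializedSignatureProvider(c.getClientSecret());` would align them, but confirm the superclass contract first. Either way, document what a null return means to processJwt, e.g. `/** Returns the JWS provider derived from the client's secret, or null when no client or no secret is available; callers must not treat null as permission to emit an unsigned token. */`, since for a JWS-required service a null provider has to end in a failure rather than an unsigned response. The enclosing class continues outside the hunk.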
@@ -64,8 +65,11 @@ public class UserInfoService extends OAuthServerJoseJwtProducer {
 Object responseEntity = userInfo; // UserInfo may be returned in a clear form as JSON
 if (super.isJwsRequired() || super.isJweRequired()) {
- responseEntity = super.processJwt(new JwtToken(userInfo),
- oauthDataProvider.getClient(oauth.getClientId()));
+ Client client = null;
+ if (oauthDataProvider != null) {
+ client = oauthDataProvider.getClient(oauth.getClientId());
+ }
+ responseEntity = super.processJwt(new JwtToken(userInfo), client);
 }
 return Response.ok(responseEntity).build();
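Review bot: When oauthDataProvider is null, the new code hands a null client to processJwt while isJwsRequired() or isJweRequired() is set, so the response is protected by whatever processJwt does with null providers rather than by keys bound to the requesting client; if that fallback is a server-wide provider this is a silent change of key, and if it is no provider at all the request should fail rather than risk a clear-text entity. Make the intent explicit before the processJwt call with a warning log or an exception when `client == null`, and a comment such as `// no data provider configured: processJwt must apply its own signing/encryption fallback` so the null is read as deliberate. The hunk also does not distinguish a missing provider from getClient returning null for an unknown client id; both deserve the same explicit handling. The enclosing method starts outside the hunk.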