From serg...@apache.org
Subject cxf git commit: Updating JwsJson consumers to make the non-validated parts available if needed
Date Tue, 01 Mar 2016 14:13:45 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 407e8c596 -> 525cd3ca7


Updating JwsJson consumers to make the non-validated parts available if needed


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/525cd3ca
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/525cd3ca
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/525cd3ca

Branch: refs/heads/3.0.x-fixes
Commit: 525cd3ca76bb9497c3889b2f40ae6df8c3ff2415
Parents: 407e8c5
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Tue Mar 1 14:12:30 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Tue Mar 1 14:13:09 2016 +0000

----------------------------------------------------------------------
 .../jaxrs/JwsJsonContainerRequestFilter.java    | 15 ++++++-
 .../rs/security/jose/jws/JwsJsonConsumer.java   | 47 ++++++++++++++------
 .../security/jose/jws/JwsJsonConsumerTest.java  | 39 ++++++++++++++++
 3 files changed, 86 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/525cd3ca/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
index d35ec19..1f42701 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
@@ -31,6 +31,7 @@ import javax.ws.rs.container.PreMatching;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsException;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonSignatureEntry;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
@@ -44,13 +45,23 @@ public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider
             return;
         }
         List<JwsSignatureVerifier> theSigVerifiers = getInitializedSigVerifiers();
+        if (theSigVerifiers.isEmpty()) {
+            context.abortWith(JAXRSUtils.toResponse(400));
+            return;
+        }
         JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
         
-        if (isStrictVerification() && p.getSignatureEntries().size() != theSigVerifiers.size()

-            || !p.verifySignatureWith(theSigVerifiers)) {
+        try {
+            List<JwsJsonSignatureEntry> remaining = p.verifyAndGetNonValidated(theSigVerifiers,
+                                                                               isStrictVerification());
+            if (!remaining.isEmpty()) {
+                JAXRSUtils.getCurrentMessage().put("jws.json.remaining.entries", remaining);
+            }
+        } catch (JwsException ex) {
             context.abortWith(JAXRSUtils.toResponse(400));
             return;
         }
+        
         byte[] bytes = p.getDecodedJwsPayloadBytes();
         context.setEntityStream(new ByteArrayInputStream(bytes));
         context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
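Review bot: The entries stored under `"jws.json.remaining.entries"` carry signatures this filter did not verify, and nothing on the `put` line tells whoever reads that Message property later that they are untrusted; a comment such as `// entries none of the configured verifiers could validate — not verified, do not treat as trusted` and a shared constant for the key would make that contract explicit. In non-strict mode a document with one verifiable entry and several unverifiable ones now passes through, whereas the removed condition required `p.verifySignatureWith(theSigVerifiers)` to validate every entry; if that relaxation is intended it belongs in the filter's Javadoc. The `new JwsJsonConsumer(IOUtils.readStringFromStream(...))` parse on the line before the `try` stays outside it, so a malformed document presumably still surfaces as an uncaught exception rather than the 400 — hedged, since the constructor's failure mode is not visible here. The enclosing filter method starts before this hunk.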

http://git-wip-us.apache.org/repos/asf/cxf/blob/525cd3ca/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
index 3ad5b45..e8d9a41 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java
@@ -140,19 +140,29 @@ public class JwsJsonConsumer {
     public boolean verifySignatureWith(byte[] key, SignatureAlgorithm algo) {
         return verifySignatureWith(JwsUtils.getHmacSignatureVerifier(key, algo));
     }
+    
     public boolean verifySignatureWith(List<JwsSignatureVerifier> validators) {
+        return verifySignatureWith(validators, false);
+    }
+    
+    public boolean verifySignatureWith(List<JwsSignatureVerifier> validators, 
+                                       boolean validateAll) {
         try {
-            if (verifyAndGetNonValidated(validators).isEmpty()) {
-                return true;
-            }
+            verifyAndGetNonValidated(validators, validateAll);
         } catch (JwsException ex) {
-            // ignore
+            LOG.warning("One of JSON JWS signatures is invalid");
+            return false;
         }
-        LOG.warning("One of JSON JWS signatures is invalid");
-        return false;
+        return true;
     }
+    
     public List<JwsJsonSignatureEntry> verifyAndGetNonValidated(List<JwsSignatureVerifier>
validators) {
-        // TODO: more effective approach is needed
+        return verifyAndGetNonValidated(validators, false);
+    }
+    
+        
+    public List<JwsJsonSignatureEntry> verifyAndGetNonValidated(List<JwsSignatureVerifier>
validators,
+                                                                boolean validateAll) {  
 
         List<JwsJsonSignatureEntry> validatedSignatures = new LinkedList<JwsJsonSignatureEntry>();
         for (JwsSignatureVerifier validator : validators) {
             List<JwsJsonSignatureEntry> theSignatureEntries = 
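Review bot: The one-argument `verifySignatureWith(List<JwsSignatureVerifier> validators)` changes meaning in this hunk: before, it returned true only when `verifyAndGetNonValidated(validators).isEmpty()`, i.e. every signature entry was validated, while the new delegate passes `validateAll` as `false`, so it now returns true as soon as one entry validates and silently leaves the rest unverified for every existing caller of that overload. To keep the old contract the delegate should read `return verifySignatureWith(validators, true);`, or the relaxation should be stated in its Javadoc. Both new public overloads lack Javadoc for the new flag and the exception, e.g. `@param validateAll when true every signature entry must be validated by one of the verifiers; when false at least one must be` and `@throws JwsException if no entry validates, or if validateAll is set and any entry remains unvalidated`. `verifyAndGetNonValidated(List, boolean)` continues past the end of this hunk, and the whitespace-only `+        ` line plus the trailing blanks after `boolean validateAll) {` are likely to trip a trailing-whitespace check.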
@@ -166,24 +176,35 @@ public class JwsJsonConsumer {
                 }
             }
         }
+        if (validatedSignatures.isEmpty()) {
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);    
+        }
         List<JwsJsonSignatureEntry> nonValidatedSignatures = new LinkedList<JwsJsonSignatureEntry>();
         for (JwsJsonSignatureEntry sigEntry : signatures) {
             if (!validatedSignatures.contains(sigEntry)) {        
                 nonValidatedSignatures.add(sigEntry);
             }
         }
+        if (validateAll && !nonValidatedSignatures.isEmpty()) {
+            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);    
+        }
         return nonValidatedSignatures;
     }
-    
+    public String verifyAndProduce(List<JwsSignatureVerifier> validators) {
+        List<JwsJsonSignatureEntry> nonValidated = verifyAndGetNonValidated(validators,
false);
+        if (!nonValidated.isEmpty()) {
+            JwsJsonProducer producer = new JwsJsonProducer(getDecodedJwsPayload());
+            producer.getSignatureEntries().addAll(nonValidated);
+            return producer.getJwsJsonSignedDocument();
+        } else {
+            return null;
+        }
+    }
     public boolean verifySignatureWith(JsonWebKey key) {
         return verifySignatureWith(JwsUtils.getSignatureVerifier(key));
     }
     public boolean verifySignatureWith(JsonWebKey key, SignatureAlgorithm algo) {
         return verifySignatureWith(JwsUtils.getSignatureVerifier(key, algo));
     }
-    public JwsJsonProducer toProducer() {
-        JwsJsonProducer p = new JwsJsonProducer(getDecodedJwsPayload());
-        p.getSignatureEntries().addAll(signatures);
-        return p;
-    }
+    
 }
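Review bot: Removing the public `toProducer()` method on the 3.0.x-fixes branch is a binary-incompatible API change for any caller of that method, and the new `verifyAndProduce` is not a drop-in replacement: it re-packages only the non-validated entries and returns `null` when every entry was validated. If the removal is intended, a `@Deprecated` `toProducer()` delegating to the old behaviour would let callers migrate within the fixes line; in any case `verifyAndProduce` should document its contract, e.g. `@return a JWS JSON document carrying only the signature entries the given verifiers could not validate, or null if all entries were validated`. The re-built document is produced from `getDecodedJwsPayload()` rather than from the original serialized text, so whether the carried-over signatures still verify against the new document depends on JwsJsonProducer re-encoding the payload identically — worth confirming, as that is the whole purpose of handing the remaining entries on. The trailing spaces after the two new `throw` statements and the removed blank line before `verifyAndProduce` are style noise.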

http://git-wip-us.apache.org/repos/asf/cxf/blob/525cd3ca/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumerTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumerTest.java
b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumerTest.java
index a8be83a..964400d 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumerTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumerTest.java
@@ -19,6 +19,7 @@
 package org.apache.cxf.rs.security.jose.jws;
 
 import java.io.InputStream;
+import java.util.Collections;
 import java.util.List;
 
 import org.apache.cxf.rs.security.jose.common.JoseConstants;
@@ -96,6 +97,44 @@ public class JwsJsonConsumerTest extends Assert {
         assertNotNull(ecKey);
         assertTrue(sigEntries.get(1).verifySignatureWith(ecKey));
     }
+    @Test
+    public void testVerifySingleEntryInDualSignedDocument() throws Exception {
+        JwsJsonConsumer consumer = new JwsJsonConsumer(DUAL_SIGNED_DOCUMENT); 
+        JsonWebKeys jwks = readKeySet("jwkPublicJsonConsumerSet.txt");
+        
+        List<JwsJsonSignatureEntry> sigEntries = consumer.getSignatureEntries();
+        assertEquals(2, sigEntries.size());
+        // 1st signature
+        String firstKid = (String)sigEntries.get(0).getKeyId();
+        assertEquals(KID_OF_THE_FIRST_SIGNER, firstKid);
+        JsonWebKey rsaKey = jwks.getKey(firstKid);
+        assertNotNull(rsaKey);
+        JwsSignatureVerifier jws = JwsUtils.getSignatureVerifier(rsaKey);
+        assertTrue(consumer.verifySignatureWith(jws));
+        List<JwsJsonSignatureEntry> remainingEntries =
+            consumer.verifyAndGetNonValidated(Collections.singletonList(jws));
+        assertEquals(1, remainingEntries.size());
+        assertEquals(KID_OF_THE_SECOND_SIGNER, remainingEntries.get(0).getKeyId());
+        
+    }
+    
+    @Test(expected = JwsException.class)
+    public void testFailVerifyAllWithSingleValidator() throws Exception {
+        JwsJsonConsumer consumer = new JwsJsonConsumer(DUAL_SIGNED_DOCUMENT); 
+        JsonWebKeys jwks = readKeySet("jwkPublicJsonConsumerSet.txt");
+        
+        List<JwsJsonSignatureEntry> sigEntries = consumer.getSignatureEntries();
+        assertEquals(2, sigEntries.size());
+        // 1st signature
+        String firstKid = (String)sigEntries.get(0).getKeyId();
+        assertEquals(KID_OF_THE_FIRST_SIGNER, firstKid);
+        JsonWebKey rsaKey = jwks.getKey(firstKid);
+        assertNotNull(rsaKey);
+        JwsSignatureVerifier jws = JwsUtils.getSignatureVerifier(rsaKey);
+        assertTrue(consumer.verifySignatureWith(jws));
+        consumer.verifyAndGetNonValidated(Collections.singletonList(jws), true);
+        fail();
+    }
     public JsonWebKeys readKeySet(String fileName) throws Exception {
         InputStream is = JwsJsonConsumerTest.class.getResourceAsStream(fileName);
         return JwkUtils.readJwkSet(is);

