cxf-commits mailing list archives

From serg...@apache.org
Subject cxf git commit: Some more work about making it easier for conusmer to propagate/deal with JWE or JWS Json payloads where more than one recipient is set
Date Tue, 01 Mar 2016 17:22:28 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 4b691b349 -> 4a667d9af


Some more work on making it easier for consumers to propagate/deal with JWE or JWS JSON
payloads where more than one recipient is set


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4a667d9a
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4a667d9a
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4a667d9a

Branch: refs/heads/3.1.x-fixes
Commit: 4a667d9af965273d815d7519cde1e4c9c287df3b
Parents: 4b691b3
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Tue Mar 1 17:21:23 2016 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Tue Mar 1 17:22:15 2016 +0000

----------------------------------------------------------------------
 .../jose/jaxrs/AbstractJweJsonDecryptingFilter.java   | 14 ++++++++++++--
 .../jose/jaxrs/AbstractJwsJsonReaderProvider.java     | 12 ++++++++++++
 .../jose/jaxrs/JwsJsonClientResponseFilter.java       | 12 ++++--------
 .../jose/jaxrs/JwsJsonContainerRequestFilter.java     | 13 ++++---------
 .../cxf/rs/security/jose/jwe/JweJsonConsumer.java     |  4 +++-
 .../cxf/rs/security/jose/jws/JwsJsonProducer.java     |  6 ------
 6 files changed, 35 insertions(+), 26 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/4a667d9a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
index c63e39d..5dc52d9 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweJsonDecryptingFilter.java
@@ -23,19 +23,29 @@ import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 
 import org.apache.cxf.helpers.IOUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
 import org.apache.cxf.rs.security.jose.jwe.JweJsonConsumer;
+import org.apache.cxf.rs.security.jose.jwe.JweJsonEncryptionEntry;
 import org.apache.cxf.rs.security.jose.jwe.JweUtils;
 
 public class AbstractJweJsonDecryptingFilter {
     private JweDecryptionProvider decryption;
     private String defaultMediaType;
     protected JweDecryptionOutput decrypt(InputStream is) throws IOException {
-        JweJsonConsumer jwe = new JweJsonConsumer(new String(IOUtils.readBytesFromStream(is),

+        JweJsonConsumer c = new JweJsonConsumer(new String(IOUtils.readBytesFromStream(is),

                                                                    StandardCharsets.UTF_8));
-        return jwe.decryptWith(getInitializedDecryptionProvider(jwe.getProtectedHeader()));
+        JweDecryptionProvider theProvider = getInitializedDecryptionProvider(c.getProtectedHeader());
+        //TODO: support the extra properties that can be matched against per-recipient headers
+        // which will be needed if we have multiple entries with the same key encryption
algorithm
+        JweJsonEncryptionEntry entry = c.getJweDecryptionEntry(theProvider);
+        JweDecryptionOutput out = c.decryptWith(theProvider, entry);
+        
+        JAXRSUtils.getCurrentMessage().put(JweJsonConsumer.class, c);
+        JAXRSUtils.getCurrentMessage().put(JweJsonEncryptionEntry.class, entry);
+        return out;
     }
 
     protected void validateHeaders(JweHeaders headers) {
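Review bot: `decrypt` passes the result of `c.getJweDecryptionEntry(theProvider)` straight to `c.decryptWith(theProvider, entry)` and into the current message without checking that a recipient entry was found. The lookup in JweJsonConsumer matches on the key encryption algorithm, and what it returns when no recipient matches is not visible in this diff, so a payload addressed only to other recipients may surface as a null dereference instead of a clean decryption failure. I would reject the payload with an explicit JWE exception when `entry == null`, before `decryptWith` runs. The two `JAXRSUtils.getCurrentMessage()` calls could also share one local variable.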

http://git-wip-us.apache.org/repos/asf/cxf/blob/4a667d9a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
index c2c3031..5b328e4 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java
@@ -31,6 +31,8 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.jose.common.JoseConstants;
 import org.apache.cxf.rs.security.jose.jws.JwsException;
+import org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer;
+import org.apache.cxf.rs.security.jose.jws.JwsJsonSignatureEntry;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 
@@ -94,4 +96,14 @@ public class AbstractJwsJsonReaderProvider {
         this.strictVerification = strictVerification;
     }
     
+    protected void validate(JwsJsonConsumer c, List<JwsSignatureVerifier> theSigVerifiers)
throws JwsException {
+        
+        List<JwsJsonSignatureEntry> remaining = c.verifyAndGetNonValidated(theSigVerifiers,
+                                                                           isStrictVerification());
+        if (!remaining.isEmpty()) {
+            JAXRSUtils.getCurrentMessage().put("jws.json.remaining.entries", remaining);
+        }
+        JAXRSUtils.getCurrentMessage().put(JwsJsonConsumer.class, c);
+    }
+    
 }
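Review bot: `validate` dereferences `JAXRSUtils.getCurrentMessage()` twice without a null check, and after this commit it is also reached from `JwsJsonClientResponseFilter.filter`. Whether a current message is always bound on that client response path is not visible here, so confirm it, or fetch it once (`Message m = JAXRSUtils.getCurrentMessage();`) and skip the `put` calls when it is null. The method also needs a Javadoc saying that it can throw `JwsException` and that the list stored under `"jws.json.remaining.entries"` holds the signature entries that were not validated, so downstream code does not treat them as verified. A named constant for that key would keep readers of the property in step with this writer.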

http://git-wip-us.apache.org/repos/asf/cxf/blob/4a667d9a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
index b9550e4..dc9a352 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
@@ -29,7 +29,6 @@ import javax.ws.rs.client.ClientResponseFilter;
 
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.rs.security.jose.common.JoseUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsException;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsJsonSignatureEntry;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
@@ -39,17 +38,14 @@ public class JwsJsonClientResponseFilter extends AbstractJwsJsonReaderProvider
i
     @Override
     public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException
{
         List<JwsSignatureVerifier> theSigVerifiers = getInitializedSigVerifiers();
-        JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
-        if (isStrictVerification() && p.getSignatureEntries().size() != theSigVerifiers.size()
-            || !p.verifySignatureWith(theSigVerifiers)) {
-            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
-        }
-        byte[] bytes = p.getDecodedJwsPayloadBytes();
+        JwsJsonConsumer c = new JwsJsonConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
+        validate(c, theSigVerifiers);
+        byte[] bytes = c.getDecodedJwsPayloadBytes();
         res.setEntityStream(new ByteArrayInputStream(bytes));
         res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
         
         // the list is guaranteed to be non-empty
-        JwsJsonSignatureEntry sigEntry = p.getSignatureEntries().get(0);
+        JwsJsonSignatureEntry sigEntry = c.getSignatureEntries().get(0);
         String ct = JoseUtils.checkContentType(sigEntry.getUnionHeader().getContentType(),
getDefaultMediaType());
         if (ct != null) {
             res.getHeaders().putSingle("Content-Type", ct);
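Review bot: The `Content-Type` is taken from `c.getSignatureEntries().get(0)`, but in non-strict mode the first entry is not necessarily one that a configured verifier checked; unvalidated entries are what `validate` stores under `jws.json.remaining.entries`. If that reading of `verifyAndGetNonValidated` is right (its body is outside this diff), the header that sets the response media type may come from an unverified signature entry. Consider selecting the entry from the validated set, or at least replacing the comment with `// NOTE: entry 0 may not have been validated in non-strict mode`. The same `get(0)` pattern is in the JwsJsonContainerRequestFilter hunk, and the `filter` method continues past the end of this hunk.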

http://git-wip-us.apache.org/repos/asf/cxf/blob/4a667d9a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
index 1f42701..3b705a3 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
@@ -49,25 +49,20 @@ public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider
             context.abortWith(JAXRSUtils.toResponse(400));
             return;
         }
-        JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
-        
+        JwsJsonConsumer c = new JwsJsonConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
         try {
-            List<JwsJsonSignatureEntry> remaining = p.verifyAndGetNonValidated(theSigVerifiers,
-                                                                               isStrictVerification());
-            if (!remaining.isEmpty()) {
-                JAXRSUtils.getCurrentMessage().put("jws.json.remaining.entries", remaining);
-            }
+            validate(c, theSigVerifiers);
         } catch (JwsException ex) {
             context.abortWith(JAXRSUtils.toResponse(400));
             return;
         }
         
-        byte[] bytes = p.getDecodedJwsPayloadBytes();
+        byte[] bytes = c.getDecodedJwsPayloadBytes();
         context.setEntityStream(new ByteArrayInputStream(bytes));
         context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
         
         // the list is guaranteed to be non-empty
-        JwsJsonSignatureEntry sigEntry = p.getSignatureEntries().get(0);
+        JwsJsonSignatureEntry sigEntry = c.getSignatureEntries().get(0);
         String ct = JoseUtils.checkContentType(sigEntry.getUnionHeader().getContentType(),
getDefaultMediaType());
         if (ct != null) {
             context.getHeaders().putSingle("Content-Type", ct);
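Review bot: `new JwsJsonConsumer(IOUtils.readStringFromStream(context.getEntityStream()))` on the changed line runs outside the `try`, so any exception raised while reading or parsing the untrusted request body bypasses the `catch (JwsException ex)` branch that answers with 400. Whether the constructor throws on malformed input is not visible in this diff. If it does, declare `c` before the `try` and construct it inside, so a malformed payload and a failed signature check get the same 400 response. The enclosing method starts before and ends after this hunk.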

http://git-wip-us.apache.org/repos/asf/cxf/blob/4a667d9a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
index 4c2a694..0d98455 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
@@ -81,7 +81,9 @@ public class JweJsonConsumer {
         return input;
     }
 
-    private JweJsonEncryptionEntry getJweDecryptionEntry(JweDecryptionProvider jwe) {
+    public JweJsonEncryptionEntry getJweDecryptionEntry(JweDecryptionProvider jwe) {
+        //TODO: support a similar method that will check per-recipient unprotected headers
+        // which will be needed if we have multiple entries with the same key encryption
algorithm
         for (Map.Entry<JweJsonEncryptionEntry, JweHeaders> entry : recipientsMap.entrySet())
{
             KeyAlgorithm keyAlgo = entry.getValue().getKeyEncryptionAlgorithm();
             if (keyAlgo != null && keyAlgo.equals(jwe.getKeyAlgorithm())
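Review bot: `getJweDecryptionEntry` becomes public here without a Javadoc, so the contract that callers such as the decrypting filter now depend on is not stated. From the visible lines it picks a recipient entry by comparing the entry's key encryption algorithm with `jwe.getKeyAlgorithm()`, though the condition continues past the hunk. I would document it along the lines of `/** Returns a recipient entry whose key encryption algorithm matches the provider's; per-recipient unprotected headers are not consulted. */` and state what is returned when nothing matches. The method body ends outside this hunk.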

http://git-wip-us.apache.org/repos/asf/cxf/blob/4a667d9a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
index e96a630..e75e68a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.java
@@ -94,12 +94,6 @@ public class JwsJsonProducer {
         return signatures;
     }
     
-    /*
-     * TODO
-    public MultivaluedMap<SignatureAlgorithm, JwsJsonSignatureEntry> getSignatureEntryMap()
{
-        return JwsUtils.getJwsJsonSignatureMap(signatures);
-    }
-    */
     public String signWith(List<JwsSignatureProvider> signers) {
         for (JwsSignatureProvider signer : signers) {
             signWith(signer);    

