cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: [CXF-6728] Making sure RS232 is not selected as a default algo when EC keys are loaded from JKS
Date Wed, 01 Mar 2017 12:27:26 GMT
Repository: cxf
Updated Branches:
  refs/heads/master f47802902 -> cf6599e91


[CXF-6728] Making sure RS232 is not selected as a default algo when EC keys are loaded from
JKS


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/cf6599e9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/cf6599e9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/cf6599e9

Branch: refs/heads/master
Commit: cf6599e91ecf2caf2424511fba76b804d4c48de2
Parents: f478029
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Mar 1 12:27:10 2017 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Mar 1 12:27:10 2017 +0000

----------------------------------------------------------------------
 .../cxf/rs/security/jose/jws/JwsUtils.java      | 41 +++++++++++++++-----
 .../cxf/rs/security/jose/jws/JwsUtilsTest.java  | 13 +++++++
 2 files changed, 44 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/cf6599e9/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 7aafc46..74f5c6f 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -154,12 +154,15 @@ public final class JwsUtils {
         return theVerifier;
     }
     public static JwsSignatureVerifier getPublicKeySignatureVerifier(X509Certificate cert,
SignatureAlgorithm algo) {
-        if (algo == null) {
-            LOG.warning("No signature algorithm was defined");
-            throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
-        }
-
         if (cert != null) {
+            if (algo == null) {
+                algo = getDefaultPublicKeyAlgorithm(cert.getPublicKey());
+            }
+            if (algo == null) {
+                LOG.warning("No signature algorithm was defined");
+                throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
+            }    
+            
             if (cert.getPublicKey() instanceof RSAPublicKey) {
                 return new PublicKeyJwsSignatureVerifier(cert, algo);
             } else if (cert.getPublicKey() instanceof ECPublicKey) {
@@ -376,6 +379,10 @@ public final class JwsUtils {
                 theSigProvider = new NoneJwsSignatureProvider();
             } else {
                 PrivateKey pk = KeyManagementUtils.loadPrivateKey(m, props, KeyOperation.SIGN);
+                if (signatureAlgo == null) {
+                    signatureAlgo = getDefaultPrivateKeyAlgorithm(pk);
+                }
+                
                 theSigProvider = getPrivateKeySignatureProvider(pk, signatureAlgo);
                 if (includeCert) {
                     headers.setX509Chain(KeyManagementUtils.loadAndEncodeX509CertificateOrChain(m,
props));
@@ -402,7 +409,7 @@ public final class JwsUtils {
         return loadSignatureVerifier(PhaseInterceptorChain.getCurrentMessage(),
                                      props, inHeaders, false);
     }
-    private static JwsSignatureVerifier loadSignatureVerifier(Message m,
+    public static JwsSignatureVerifier loadSignatureVerifier(Message m,
                                                               Properties props,
                                                               JwsHeaders inHeaders,
                                                               boolean ignoreNullVerifier)
{
@@ -477,10 +484,6 @@ public final class JwsUtils {
                                                SignatureAlgorithm algo,
                                                SignatureAlgorithm defaultAlgo) {
         if (algo == null) {
-            if (defaultAlgo == null) {
-                defaultAlgo = SignatureAlgorithm.RS256;
-            }
-
             // Check for deprecated identifier first
             String sigAlgo = null;
             if (props != null) {
@@ -518,6 +521,24 @@ public final class JwsUtils {
             return SignatureAlgorithm.RS256;
         }
     }
+    private static SignatureAlgorithm getDefaultPrivateKeyAlgorithm(PrivateKey key) {
+        if (key instanceof RSAPrivateKey) {
+            return SignatureAlgorithm.RS256;
+        } else if (key instanceof ECPrivateKey) {
+            return SignatureAlgorithm.ES256;
+        } else {
+            return null;
+        }
+    }
+    private static SignatureAlgorithm getDefaultPublicKeyAlgorithm(PublicKey key) {
+        if (key instanceof RSAPublicKey) {
+            return SignatureAlgorithm.RS256;
+        } else if (key instanceof ECPublicKey) {
+            return SignatureAlgorithm.ES256;
+        } else {
+            return null;
+        }
+    }
     public static JwsCompactConsumer verify(JwsSignatureVerifier v, String content) {
         JwsCompactConsumer jws = new JwsCompactConsumer(content);
         if (!jws.verifySignatureWith(v)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/cf6599e9/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java
b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java
index f6a8deb..6f28ef4 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jws/JwsUtilsTest.java
@@ -52,6 +52,19 @@ public class JwsUtilsTest extends Assert {
         assertEquals("alice", headers.getKeyId());
     }
     @Test
+    public void testLoadSignatureVerifierFromJKS() throws Exception {
+        Properties p = new Properties();
+        p.put(JoseConstants.RSSEC_KEY_STORE_FILE,
+            "org/apache/cxf/rs/security/jose/jws/alice.jks");
+        p.put(JoseConstants.RSSEC_KEY_STORE_PSWD, "password");
+        p.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "alice");
+        JwsSignatureVerifier jws = JwsUtils.loadSignatureVerifier(createMessage(),
+                                                                  p,
+                                                                  new JwsHeaders(),
+                                                                  false);
+        assertNotNull(jws);
+    }
+    @Test
     public void testLoadVerificationKey() throws Exception {
         Properties p = new Properties();
         p.put(JoseConstants.RSSEC_KEY_STORE_FILE,


Mime
View raw message