Repository: cxf Updated Branches: refs/heads/master ebf24b72c -> 2c9464299
Updating OAuth2 Client to hold the whole public cert chain if needed Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2c946429 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2c946429 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2c946429 Branch: refs/heads/master Commit: 2c9464299c2ec61779dd0e885802c2b6072df191 Parents: ebf24b7 Author: Sergey Beryozkin <sberyoz...@talend.com> Authored: Wed Jul 9 21:43:37 2014 +0100 Committer: Sergey Beryozkin <sberyoz...@talend.com> Committed: Wed Jul 9 21:43:37 2014 +0100
----------------------------------------------------------------------
 .../cxf/rs/security/oauth2/common/Client.java | 12 ++++----
 .../oauth2/common/OAuthAuthorizationData.java | 11 ++++----
 .../oauth2/services/AbstractTokenService.java | 29 ++++++++++++--------
 .../services/RedirectionBasedGrantService.java | 2 +-
 .../utils/crypto/ModelEncryptionSupport.java | 6 ++--
 .../security/oauth2/OAuthDataProviderImpl.java | 3 +-
 6 files changed, 36 insertions(+), 27 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
index 88a3c4a..f87370b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java
@@ -38,7 +38,7 @@ public class Client implements Serializable {
 private String applicationDescription;
 private String applicationWebUri;
 private String applicationLogoUri;
- private String applicationCertificate;
+ private List<String> applicationCertificates = new LinkedList<String>();
 private List<String> redirectUris = new LinkedList<String>();
 private boolean isConfidential;
@@ -283,16 +283,16 @@ public class Client implements Serializable {
 this.registeredAudiences = registeredAudiences;
 }
- public String getApplicationCertificate() {
- return applicationCertificate;
+ public List<String> getApplicationCertificates() {
+ return applicationCertificates;
 }
 /*
- * Set the optional Base64 encoded Application Public X509 Certificate
+ * Set the Base64 encoded Application Public X509 Certificate
 * It can be used in combination with the clientSecret property to support
 * Basic or other password-aware authentication on top of 2-way TLS.
 */
- public void setApplicationCertificate(String applicationCertificate) {
- this.applicationCertificate = applicationCertificate;
+ public void setApplicationCertificates(List<String> applicationCertificates) {
+ this.applicationCertificates = applicationCertificates;
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index 0b98d08..5c3201f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
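Review bot: `setApplicationCertificates` stores the caller's list as-is, so a data provider that passes `null` (the natural port of the old single-`String` API, where `null` meant "no certificate") leaves the field null and `!client.getApplicationCertificates().isEmpty()` in AbstractTokenService then throws a NullPointerException on the token path instead of treating the client as having no registered certificates. Normalising in the setter preserves the empty-list invariant the field initialiser establishes: `this.applicationCertificates = applicationCertificates == null ? new LinkedList<String>() : applicationCertificates;` — the same applies to `OAuthAuthorizationData.setApplicationCertificates`. The comment above the setter dropped "optional" although an empty list is still the "no check" case, and it should say that ordering matters, because compareTlsCertificates compares entry `i` against peer certificate `i`: `* Set the optional Base64 encoded Application Public X509 Certificates, in the order of the chain the client presents over TLS (the peer's own certificate first).`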
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth2.common;
 import java.io.Serializable;
 import java.util.HashMap;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
@@ -48,7 +49,7 @@ public class OAuthAuthorizationData implements Serializable {
 private String applicationWebUri;
 private String applicationDescription;
 private String applicationLogoUri;
- private String applicationCertificate;
+ private List<String> applicationCertificates = new LinkedList<String>();
 private Map<String, String> extraApplicationProperties = new HashMap<String, String>();
 private List<? extends Permission> permissions;
@@ -263,12 +264,12 @@ public class OAuthAuthorizationData implements Serializable {
 this.audience = audience;
 }
- public String getApplicationCertificate() {
- return applicationCertificate;
+ public List<String> getApplicationCertificates() {
+ return applicationCertificates;
 }
- public void setApplicationCertificate(String applicationCertificate) {
- this.applicationCertificate = applicationCertificate;
+ public void setApplicationCertificates(List<String> applicationCertificates) {
+ this.applicationCertificates = applicationCertificates;
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index 8c79579..c70e6d6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
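Review bot: The new `getApplicationCertificates`/`setApplicationCertificates` pair on `OAuthAuthorizationData` carries no documentation, unlike its counterpart on `Client`, and this is the object RedirectionBasedGrantService populates from the registered client for the authorization step, so whoever renders it has nothing to go on. A one-line comment above the getter would state the contract: `// Base64 encoded public X509 certificates registered for the client application, in chain order; empty when none are registered.` The getter hands out the internal `LinkedList` itself, which matches how the other list fields on this class are exposed, so the comment should say the list is live rather than a copy if that is intended.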
@@ -23,6 +23,7 @@ import java.security.Principal;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.List;
 import javax.security.auth.x500.X500Principal;
 import javax.ws.rs.core.MediaType;
@@ -77,9 +78,9 @@ public class AbstractTokenService extends AbstractOAuthService {
 client = getClientFromBasicAuthScheme();
 }
 }
- if (client != null && client.getApplicationCertificate() != null) {
+ if (client != null && !client.getApplicationCertificates().isEmpty()) {
 // Validate the client application certificates
- compareTlsCertificates(getTlsSessionInfo(), client.getApplicationCertificate());
+ compareTlsCertificates(getTlsSessionInfo(), client.getApplicationCertificates());
 }
 if (client == null) {
 reportInvalidClient();
@@ -151,18 +152,24 @@ public class AbstractTokenService extends AbstractOAuthService {
 return null;
 }
- protected void compareTlsCertificates(TLSSessionInfo tlsInfo, String base64EncodedCert) {
+ protected void compareTlsCertificates(TLSSessionInfo tlsInfo,
+ List<String> base64EncodedCerts) {
 if (tlsInfo != null) {
 Certificate[] clientCerts = tlsInfo.getPeerCertificates();
- try {
- X509Certificate cert = (X509Certificate)clientCerts[0];
- byte[] encodedKey = cert.getEncoded();
- byte[] clientKey = Base64Utility.decode(base64EncodedCert);
- if (Arrays.equals(encodedKey, clientKey)) {
+ if (clientCerts.length == base64EncodedCerts.size()) {
+ try {
+ for (int i = 0; i < clientCerts.length; i++) {
+ X509Certificate x509Cert = (X509Certificate)clientCerts[i];
+ byte[] encodedKey = x509Cert.getEncoded();
+ byte[] clientKey = Base64Utility.decode(base64EncodedCerts.get(i));
+ if (!Arrays.equals(encodedKey, clientKey)) {
+ reportInvalidClient();
+ }
+ }
 return;
- }
- } catch (Exception ex) {
- // throw exception later
+ } catch (Exception ex) {
+ // throw exception later
+ }
 }
 }
 reportInvalidClient();
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 67f12ea..b42d6c3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
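Review bot: The mismatch branch `if (!Arrays.equals(encodedKey, clientKey)) { reportInvalidClient(); }` sits inside the `try` whose `catch (Exception ex)` swallows everything, so if reportInvalidClient() signals by throwing (which the `client == null` path in the earlier hunk suggests), the rejection is caught and discarded and only the fall-through call after the loop rejects the client — the right outcome, but by accident; should reportInvalidClient() ever return normally, the loop continues and reaches `return`, accepting a chain that did not match. Tracking a `matched` flag and deciding outside the `try` makes the rejection explicit, and a `clientCerts != null` guard before `.length` covers a peer that presented no certificate, which currently would throw a NullPointerException outside the catch if getPeerCertificates() can return null. Note also that the `==` length check is stricter than the old leaf-only comparison: a client registered with a single certificate (as OAuthDataProviderImpl in the systests now does) is rejected whenever its TLS connection presents a longer chain, which may or may not be what the commit's "if needed" intends.
```java
    protected void compareTlsCertificates(TLSSessionInfo tlsInfo,
                                          List<String> base64EncodedCerts) {
        if (tlsInfo != null) {
            Certificate[] clientCerts = tlsInfo.getPeerCertificates();
            // an absent or differently sized peer chain is a mismatch, not an error to swallow
            if (clientCerts != null && clientCerts.length == base64EncodedCerts.size()) {
                boolean matched = true;
                try {
                    for (int i = 0; i < clientCerts.length && matched; i++) {
                        X509Certificate x509Cert = (X509Certificate)clientCerts[i];
                        byte[] encodedKey = x509Cert.getEncoded();
                        byte[] clientKey = Base64Utility.decode(base64EncodedCerts.get(i));
                        matched = Arrays.equals(encodedKey, clientKey);
                    }
                } catch (Exception ex) {
                    // undecodable registered value or non-X509 peer certificate: treat as a mismatch
                    matched = false;
                }
                if (matched) {
                    return;
                }
            }
        }
        reportInvalidClient();
    }
```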
@@ -196,7 +196,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 secData.setApplicationDescription(client.getApplicationDescription());
 secData.setApplicationLogoUri(client.getApplicationLogoUri());
 secData.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
- secData.setApplicationName(client.getApplicationCertificate());
+ secData.setApplicationCertificates(client.getApplicationCertificates());
 Map<String, String> extraProperties = client.getProperties();
 secData.setExtraApplicationProperties(extraProperties);
 String replyTo = getMessageContext().getUriInfo()
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
index ce76c0a..d8b4444 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
@@ -328,7 +328,7 @@ public final class ModelEncryptionSupport {
 getStringPart(parts[3]), getStringPart(parts[4]));
 c.setApplicationDescription(getStringPart(parts[5]));
 c.setApplicationLogoUri(getStringPart(parts[6]));
- c.setApplicationLogoUri(getStringPart(parts[7]));
+ c.setApplicationCertificates(parseSimpleList(parts[7]));
 c.setAllowedGrantTypes(parseSimpleList(parts[8]));
 c.setRegisteredScopes(parseSimpleList(parts[9]));
 c.setRedirectUris(parseSimpleList(parts[10]));
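Review bot: `secData.setApplicationCertificates(client.getApplicationCertificates())` hands the client's own list object to the authorization data, so the per-request `OAuthAuthorizationData` and the registered `Client` now alias one mutable `LinkedList` where the old `String` value was immutable; any modification made through `secData` would rewrite the certificates registered on the `Client` the data provider holds. Copying at this boundary keeps the registration read-only from the authorization side: `secData.setApplicationCertificates(new LinkedList<String>(client.getApplicationCertificates()));` (assuming `java.util.LinkedList` is imported in this file; otherwise add the import or use the list type already imported here). The enclosing method starts and ends outside the hunk.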
@@ -360,8 +360,8 @@ public final class ModelEncryptionSupport {
 // 6: app logo URI
 state.append(tokenizeString(client.getApplicationLogoUri()));
 state.append(SEP);
- // 7: app certificate
- state.append(tokenizeString(client.getApplicationCertificate()));
+ // 7: app certificates
+ state.append(client.getApplicationCertificates());
 state.append(SEP);
 // 8: grants
 state.append(client.getAllowedGrantTypes().toString());
http://git-wip-us.apache.org/repos/asf/cxf/blob/2c946429/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
index 23b681d..bf6d618 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/OAuthDataProviderImpl.java
@@ -20,6 +20,7 @@ package org.apache.cxf.systest.jaxrs.security.oauth2;
 import java.io.InputStream;
 import java.security.cert.Certificate;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -57,7 +58,7 @@ public class OAuthDataProviderImpl implements OAuthDataProvider {
 null, null);
 client2.getAllowedGrantTypes().add("custom_grant");
- client2.setApplicationCertificate(encodedCert);
+ client2.setApplicationCertificates(Collections.singletonList(encodedCert));
 clients.put(client2.getClientId(), client2);
 }
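Review bot: `state.append(client.getApplicationCertificates())` relies on `StringBuilder.append(Object)` calling `toString()` implicitly, while the neighbouring `// 8: grants` slot spells out `.toString()` on its list; writing `state.append(client.getApplicationCertificates().toString());` keeps slot 7 visibly in the same format as the other list slots that `parseSimpleList` reads back. With the `tokenizeString` wrapper gone, a `null` list would also be written as the literal text `null` rather than whatever tokenizeString produced for a null string, so this slot now depends on the list never being null at serialization time. The enclosing method starts and ends outside the hunk.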