Repository: cxf Updated Branches: refs/heads/master b22f204d1 -> 2024437e2
[CXF-5954] Allowing for reusing the same property file between JWE and JWS
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2024437e
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2024437e
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2024437e
Branch: refs/heads/master
Commit: 2024437e209e5ef27362297bfa6f1abf65c4ef32
Parents: b22f204
Author: Sergey Beryozkin <[email protected]>
Authored: Wed Sep 10 22:08:51 2014 +0100
Committer: Sergey Beryozkin <[email protected]>
Committed: Wed Sep 10 22:08:51 2014 +0100
----------------------------------------------------------------------
.../cxf/rs/security/oauth2/jwk/JwkUtils.java | 41 +++++++++++---------
.../jwt/jaxrs/AbstractJweDecryptingFilter.java | 2 +-
.../jwt/jaxrs/AbstractJwsReaderProvider.java | 2 +-
.../jwt/jaxrs/AbstractJwsWriterProvider.java | 2 +-
.../oauth2/jwt/jaxrs/JweWriterInterceptor.java | 2 +-
.../jaxrs/security/jwt/JAXRSJweJwsTest.java | 2 +-
.../cxf/systest/jaxrs/security/jwt/server.xml | 2 +-
.../jaxrs/security/secret.jwk.properties | 3 +-
.../jaxrs/security/secret.jws.properties | 19 ---------
9 files changed, 31 insertions(+), 44 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2024437e/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
index 7beee80..da7c70e 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
@@ -19,8 +19,6 @@ package org.apache.cxf.rs.security.oauth2.jwk;
 import java.io.InputStream;
-import java.security.interfaces.RSAPrivateKey;
-import java.security.interfaces.RSAPublicKey;
 import java.util.List;
 import java.util.Properties;
@@ -58,27 +56,34 @@ public final class JwkUtils {
 throw new SecurityException(ex);
 }
 }
- public static RSAPublicKey loadPublicKey(Message m, Properties props) {
- JsonWebKey jwkKey = loadJsonWebKey(m, props);
- return jwkKey != null ? jwkKey.toRSAPublicKey() : null;
- }
- public static RSAPrivateKey loadPrivateKey(Message m, Properties props) {
- JsonWebKey jwkKey = loadJsonWebKey(m, props);
- return jwkKey != null ? jwkKey.toRSAPrivateKey() : null;
- }
 public static JsonWebKey loadJsonWebKey(Message m, Properties props) {
+ return loadJsonWebKey(m, props, null);
+ }
+ public static JsonWebKey loadJsonWebKey(Message m, Properties props,
+ String keyOper) {
 JsonWebKeys jwkSet = loadPersistJwkSet(m, props);
- JsonWebKey jwkKey = null;
 String kid = props.getProperty(CryptoUtils.RSSEC_KEY_STORE_ALIAS);
- if (kid == null) {
- List<JsonWebKey> keys = jwkSet.getRsaKeys();
+ if (kid == null && keyOper != null) {
+ String keyIdProp = null;
+ if (keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT)) {
+ keyIdProp = CryptoUtils.RSSEC_KEY_STORE_ALIAS + ".jwe";
+ } else if (keyOper.equals(JsonWebKey.KEY_OPER_SIGN)
+ || keyOper.equals(JsonWebKey.KEY_OPER_VERIFY)) {
+ keyIdProp = CryptoUtils.RSSEC_KEY_STORE_ALIAS + ".jws";
+ }
+ if (keyIdProp != null) {
+ kid = props.getProperty(keyIdProp);
+ }
+ }
+ if (kid != null) {
+ return jwkSet.getKey(kid);
+ } else if (keyOper != null) {
+ List<JsonWebKey> keys = jwkSet.getKeyUseMap().get(keyOper);
 if (keys != null && keys.size() == 1) {
- jwkKey = keys.get(0);
+ return keys.get(0);
 }
- } else {
- jwkKey = jwkSet.getKey(kid);
 }
-
- return jwkKey;
+ return null;
 }
+ }
http://git-wip-us.apache.org/repos/asf/cxf/blob/2024437e/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java
----------------------------------------------------------------------
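Review bot: The two-argument `loadJsonWebKey(m, props)` overload now returns null whenever `rs.security.keystore.alias` is not set, because the old single-RSA-key fallback (`jwkSet.getRsaKeys()`) was removed and the new use-map fallback only runs when `keyOper != null`, so any caller that relied on auto-selecting the sole RSA key in the set silently gets null. The alias branch also returns `jwkSet.getKey(kid)` without checking that the key's declared use matches `keyOper`, and since the unsuffixed alias is read before the `.jwe`/`.jws` ones it hands the same key to both the signing and the encryption providers; verifying the key's use against `keyOper` before returning would enforce key separation. It is also worth confirming that `getKeyUseMap()` is keyed by the same vocabulary as the `JsonWebKey.KEY_OPER_*` constants — if it groups on the JWK `use` member (`sig`/`enc`) the `get(keyOper)` lookup never matches. The enclosing class JwkUtils starts outside the hunk; restoring the null-`keyOper` fallback is a small change to the tail of the method:
```java
        if (kid != null) {
            return jwkSet.getKey(kid);
        }
        // keyOper == null keeps the pre-existing "sole RSA key" selection
        List<JsonWebKey> keys = keyOper != null
            ? jwkSet.getKeyUseMap().get(keyOper) : jwkSet.getRsaKeys();
        if (keys != null && keys.size() == 1) {
            return keys.get(0);
        }
        return null;
```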
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java
index 4c67927..6a484ba 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJweDecryptingFilter.java
@@ -81,7 +81,7 @@ public class AbstractJweDecryptingFilter {
 Properties props = ResourceUtils.loadProperties(propLoc, bus);
 if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
 //TODO: Private JWK sets can be JWE encrypted
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props);
+ JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
 if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
 keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(jwk.toRSAPrivateKey());
 } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2024437e/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java
index 95ae1cc..4d4ea71 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsReaderProvider.java
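Review bot: `jwk` is dereferenced on the very next line (`jwk.getKeyType()`) without a null check, yet the new three-argument `loadJsonWebKey` returns null when neither `rs.security.keystore.alias` nor `rs.security.keystore.alias.jwe` is set and the key set does not hold exactly one key for the operation, so a misconfigured properties file now surfaces as a NullPointerException instead of a clear configuration error. Add `if (jwk == null) { throw new SecurityException("No JWK found for the JWE key decryption operation"); }` right after the assignment. The decryption filter asks for `KEY_OPER_ENCRYPT`; that works because the alias lookup maps it to the `.jwe` suffix, but a one-line comment saying so would stop a later reader from "fixing" it to a decrypt operation that the alias mapping does not know. The enclosing method continues outside the hunk, and the same null check is needed at the three sibling call sites changed in this commit (the JWS reader and writer providers and the JWE writer interceptor).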
@@ -71,7 +71,7 @@ public class AbstractJwsReaderProvider {
 Properties props = ResourceUtils.loadProperties(propLoc, bus);
 JwsSignatureVerifier theVerifier = null;
 if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props);
+ JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_VERIFY);
 if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
 theVerifier = new PublicKeyJwsSignatureVerifier(jwk.toRSAPublicKey());
 } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())
http://git-wip-us.apache.org/repos/asf/cxf/blob/2024437e/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java
index c6c330b..c3afe70 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/AbstractJwsWriterProvider.java
@@ -66,7 +66,7 @@ public class AbstractJwsWriterProvider {
 String rsaSignatureAlgo = null;
 if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
 //TODO: Private JWK sets can be JWE encrypted
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props);
+ JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_SIGN);
 rsaSignatureAlgo = jwk.getAlgorithm();
 if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
 theSigProvider = new PrivateKeyJwsSignatureProvider(jwk.toRSAPrivateKey());
http://git-wip-us.apache.org/repos/asf/cxf/blob/2024437e/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java
index 2c1f6e0..46f0de4 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/jaxrs/JweWriterInterceptor.java
@@ -131,7 +131,7 @@ public class JweWriterInterceptor implements WriterInterceptor {
 String keyEncryptionAlgo = null;
 Properties props = ResourceUtils.loadProperties(propLoc, bus);
 if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) {
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props);
+ JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
 keyEncryptionAlgo = jwk.getAlgorithm();
 // TODO: Put it into some factory code
 if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/2024437e/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
index b7eb813..8f6518b 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJweJwsTest.java
@@ -153,7 +153,7 @@ public class JAXRSJweJwsTest extends AbstractBusClientServerTestBase {
 providers.add(new JwsClientResponseFilter());
 bean.setProviders(providers);
 bean.getProperties(true).put("rs.security.signature.properties",
- "org/apache/cxf/systest/jaxrs/security/secret.jws.properties");
+ "org/apache/cxf/systest/jaxrs/security/secret.jwk.properties");
 BookStore bs = bean.create(BookStore.class);
 String text = bs.echoText("book");
 assertEquals("book", text);
http://git-wip-us.apache.org/repos/asf/cxf/blob/2024437e/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
index 57cad2d..0befa8a 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/server.xml
@@ -153,7 +153,7 @@ under the License.
 <ref bean="jwsOutFilter"/>
 </jaxrs:providers>
 <jaxrs:properties>
- <entry key="rs.security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/secret.jws.properties"/>
+ <entry key="rs.security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/secret.jwk.properties"/>
 </jaxrs:properties>
 </jaxrs:server>
 <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-jwt}/jweaescbchmac">
http://git-wip-us.apache.org/repos/asf/cxf/blob/2024437e/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.jwk.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.jwk.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.jwk.properties
index 2016b2d..c512d60 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.jwk.properties
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.jwk.properties
@@ -15,7 +15,8 @@
 # specific language governing permissions and limitations
 # under the License.
 rs.security.keystore.type=jwk
-rs.security.keystore.alias=AesWrapKey
+rs.security.keystore.alias.jwe=AesWrapKey
+rs.security.keystore.alias.jws=HMACKey
 rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
 rs.security.jwe.content.encryption.algorithm=A128GCM
 rs.security.jwe.key.encryption.algorithm=A128KW
http://git-wip-us.apache.org/repos/asf/cxf/blob/2024437e/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.jws.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.jws.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.jws.properties
deleted file mode 100644
index d050b71..0000000
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.jws.properties
+++ /dev/null
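Review bot: The precedence between the three alias keys is not documented in the file: `JwkUtils.loadJsonWebKey` reads the unsuffixed `rs.security.keystore.alias` first and only consults the `.jwe`/`.jws` entries when it is absent, so an unsuffixed alias left over in a shared file silently makes JWE and JWS use the same key. A comment above the two new lines would make the contract visible to whoever copies this file: `# Per-operation aliases; an unsuffixed rs.security.keystore.alias, if present, overrides both of them.` The same comment should mention that the operation lookup falls back to the key set only when exactly one key matches the operation, since the null result in every other case is not reported by the providers that load this file.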
@@ -1,19 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-rs.security.keystore.type=jwk
-rs.security.keystore.alias=HMACKey
-rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
