Repository: cxf Updated Branches: refs/heads/master 22e5d261a -> 6ce2f6a37
[CXF-5944] Making it simpler to create algo implementations from JWK Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6ce2f6a3 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6ce2f6a3 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6ce2f6a3 Branch: refs/heads/master Commit: 6ce2f6a373781e4f2dbc1cb66bf1243072b039ef Parents: 22e5d26 Author: Sergey Beryozkin <[email protected]> Authored: Thu Sep 18 21:46:04 2014 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Thu Sep 18 21:46:04 2014 +0100 ---------------------------------------------------------------------- .../jose/jaxrs/AbstractJweDecryptingFilter.java | 23 ++----- .../jose/jaxrs/AbstractJwsReaderProvider.java | 21 +++--- .../jose/jaxrs/AbstractJwsWriterProvider.java | 26 +++----- .../jose/jaxrs/JweWriterInterceptor.java | 21 +----- .../cxf/rs/security/jose/jwe/JweUtils.java | 68 ++++++++++++++++++++ .../cxf/rs/security/jose/jwk/JsonWebKey.java | 53 --------------- .../cxf/rs/security/jose/jwk/JwkUtils.java | 61 ++++++++++++++++++ .../cxf/rs/security/jose/jws/JwsUtils.java | 61 ++++++++++++++++++ .../rs/security/jose/jwk/JsonWebKeyTest.java | 6 +- 9 files changed, 216 insertions(+), 124 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java index fbd91d4..1906622 100644 
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java @@ -23,8 +23,6 @@ import java.io.InputStream; import java.security.interfaces.RSAPrivateKey; import java.util.Properties; -import javax.crypto.SecretKey; - import org.apache.cxf.Bus; import org.apache.cxf.helpers.IOUtils; import org.apache.cxf.jaxrs.utils.JAXRSUtils; @@ -33,14 +31,13 @@ import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; import org.apache.cxf.rs.security.jose.jwa.Algorithm; import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweDecryption; -import org.apache.cxf.rs.security.jose.jwe.AesGcmWrapKeyDecryptionAlgorithm; -import org.apache.cxf.rs.security.jose.jwe.AesWrapKeyDecryptionAlgorithm; import org.apache.cxf.rs.security.jose.jwe.JweCryptoProperties; import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput; import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider; import org.apache.cxf.rs.security.jose.jwe.JweHeaders; +import org.apache.cxf.rs.security.jose.jwe.JweUtils; +import org.apache.cxf.rs.security.jose.jwe.KeyDecryptionAlgorithm; import org.apache.cxf.rs.security.jose.jwe.RSAOaepKeyDecryptionAlgorithm; -import org.apache.cxf.rs.security.jose.jwe.WrappedKeyDecryptionAlgorithm; import org.apache.cxf.rs.security.jose.jwe.WrappedKeyJweDecryption; import org.apache.cxf.rs.security.jose.jwk.JsonWebKey; import org.apache.cxf.rs.security.jose.jwk.JwkUtils; 
@@ -78,23 +75,11 @@ public class AbstractJweDecryptingFilter { } Bus bus = m.getExchange().getBus(); try { - WrappedKeyDecryptionAlgorithm keyDecryptionProvider = null; + KeyDecryptionAlgorithm keyDecryptionProvider = null; Properties props = ResourceUtils.loadProperties(propLoc, bus); if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) { - //TODO: Private JWK sets can be JWE encrypted JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT); - if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) { - keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(jwk.toRSAPrivateKey()); - } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) { - SecretKey key = jwk.toSecretKey(); - if (Algorithm.isAesKeyWrap(jwk.getAlgorithm())) { - keyDecryptionProvider = new AesWrapKeyDecryptionAlgorithm(key); - } else if (Algorithm.isAesGcmKeyWrap(jwk.getAlgorithm())) { - keyDecryptionProvider = new AesGcmWrapKeyDecryptionAlgorithm(key); - } - } else { - // TODO: support elliptic curve keys - } + keyDecryptionProvider = JweUtils.getKeyDecryptionAlgorithm(jwk); } else { keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm( (RSAPrivateKey)CryptoUtils.loadPrivateKey(m, props, CryptoUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER)); http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java index 0a39c6b..ac9366a 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java 
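Review bot: The result of `JweUtils.getKeyDecryptionAlgorithm(jwk)` is assigned to keyDecryptionProvider without a null check, and that factory (see the new JweUtils further down) returns null for an EC JWK and for an octet JWK whose alg is not an AES key-wrap algorithm, so an unsupported key most likely surfaces later as a NullPointerException rather than as a security error at configuration time. Either add `if (keyDecryptionProvider == null) { throw new SecurityException("Unsupported JWK key type or algorithm"); }` right after the assignment, or have the factory throw instead of returning null. The same pattern applies to `JweUtils.getKeyEncryptionAlgorithm(jwk, keyEncryptionAlgo)` in the JweWriterInterceptor hunk. The enclosing method continues past the hunk, so a later check may exist; if so, a comment at the assignment pointing to it would help the next reader.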
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java @@ -26,18 +26,19 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.jaxrs.utils.ResourceUtils; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; -import org.apache.cxf.rs.security.jose.jwa.Algorithm; import org.apache.cxf.rs.security.jose.jwk.JsonWebKey; import org.apache.cxf.rs.security.jose.jwk.JwkUtils; -import org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider; import org.apache.cxf.rs.security.jose.jws.JwsSignatureProperties; import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier; +import org.apache.cxf.rs.security.jose.jws.JwsUtils; import org.apache.cxf.rs.security.jose.jws.PublicKeyJwsSignatureVerifier; import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; public class AbstractJwsReaderProvider { private static final String RSSEC_SIGNATURE_IN_PROPS = "rs.security.signature.in.properties"; private static final String RSSEC_SIGNATURE_PROPS = "rs.security.signature.properties"; + private static final String JSON_WEB_SIGNATURE_ALGO_PROP = "rs.security.jws.content.signature.algorithm"; + private JwsSignatureVerifier sigVerifier; private JwsSignatureProperties sigProperties; 
@@ -70,17 +71,11 @@ public class AbstractJwsReaderProvider { try { Properties props = ResourceUtils.loadProperties(propLoc, bus); JwsSignatureVerifier theVerifier = null; + String rsaSignatureAlgo = null; if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) { JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_VERIFY); - if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) { - theVerifier = new PublicKeyJwsSignatureVerifier(jwk.toRSAPublicKey()); - } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType()) - && Algorithm.isHmacSign(jwk.getAlgorithm())) { - theVerifier = - new HmacJwsSignatureProvider((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE)); - } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) { - theVerifier = new PublicKeyJwsSignatureVerifier(jwk.toECPublicKey()); - } + rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm()); + theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo); } else { theVerifier = new PublicKeyJwsSignatureVerifier( @@ -102,5 +97,7 @@ public class AbstractJwsReaderProvider { this.defaultMediaType = defaultMediaType; } - + private String getSignatureAlgo(Properties props, String algo) { + return algo == null ? props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP) : algo; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java index 6fc81f0..701e058 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java 
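Review bot: The algorithm default is resolved twice on the JWK path: `getSignatureAlgo(props, jwk.getAlgorithm())` already substitutes the configured property when the JWK carries no alg, and `JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo)` then repeats the same `jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm()` selection internally. Passing the raw default, `theVerifier = JwsUtils.getSignatureVerifier(jwk, props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP));`, makes the division of responsibility clear, with the local helper kept only if rsaSignatureAlgo is needed after the hunk. The same double resolution appears in the AbstractJwsWriterProvider and JweWriterInterceptor hunks. The enclosing method continues outside the hunk.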
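Review bot: The new private `getSignatureAlgo(Properties, String)` helper and the `JSON_WEB_SIGNATURE_ALGO_PROP` constant added in the first hunk of this file duplicate what AbstractJwsWriterProvider has: its second hunk adds an identical helper, and it already references a constant of the same name. Since this commit introduces JwsUtils as the shared home for JWS key handling, a single `public static String getSignatureAlgo(Properties props, String algo)` there, next to the property-name constant, would remove both copies. A one-line Javadoc stating the precedence, `/** Returns the JWK alg if present, otherwise the configured rs.security.jws.content.signature.algorithm property. */`, would document the behaviour both callers rely on.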
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java @@ -29,13 +29,11 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils; import org.apache.cxf.jaxrs.utils.ResourceUtils; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; -import org.apache.cxf.rs.security.jose.jwa.Algorithm; import org.apache.cxf.rs.security.jose.jwk.JsonWebKey; import org.apache.cxf.rs.security.jose.jwk.JwkUtils; -import org.apache.cxf.rs.security.jose.jws.EcDsaJwsSignatureProvider; -import org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider; import org.apache.cxf.rs.security.jose.jws.JwsCompactProducer; import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider; +import org.apache.cxf.rs.security.jose.jws.JwsUtils; import org.apache.cxf.rs.security.jose.jws.PrivateKeyJwsSignatureProvider; import org.apache.cxf.rs.security.jose.jwt.JwtHeaders; import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; 
@@ -66,30 +64,19 @@ public class AbstractJwsWriterProvider { JwsSignatureProvider theSigProvider = null; String rsaSignatureAlgo = null; if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) { - //TODO: Private JWK sets can be JWE encrypted JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_SIGN); - rsaSignatureAlgo = jwk.getAlgorithm(); - if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) { - theSigProvider = new PrivateKeyJwsSignatureProvider(jwk.toRSAPrivateKey()); - } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType()) - && Algorithm.isHmacSign(rsaSignatureAlgo)) { - theSigProvider = - new HmacJwsSignatureProvider((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE)); - } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) { - theSigProvider = new EcDsaJwsSignatureProvider(jwk.toECPrivateKey()); - } + rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm()); + theSigProvider = JwsUtils.getSignatureProvider(jwk, rsaSignatureAlgo); } else { + rsaSignatureAlgo = getSignatureAlgo(props, null); RSAPrivateKey pk = (RSAPrivateKey)CryptoUtils.loadPrivateKey(m, props, CryptoUtils.RSSEC_SIG_KEY_PSWD_PROVIDER); theSigProvider = new PrivateKeyJwsSignatureProvider(pk); } - if (rsaSignatureAlgo == null) { - rsaSignatureAlgo = props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP); - } - headers.setAlgorithm(rsaSignatureAlgo); if (theSigProvider == null) { throw new SecurityException(); } + headers.setAlgorithm(rsaSignatureAlgo); return theSigProvider; } catch (SecurityException ex) { throw ex; 
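Review bot: On the non-JWK branch `rsaSignatureAlgo = getSignatureAlgo(props, null)` is null whenever the signature-algorithm property is not configured, and the reordered `headers.setAlgorithm(rsaSignatureAlgo)` then writes a null alg into the JWS header while a non-null theSigProvider is still returned; only the provider is null-checked. A guard beside the existing one, `if (rsaSignatureAlgo == null) { throw new SecurityException("Signature algorithm is not configured"); }`, fails at configuration time instead of emitting a token whose header alg is missing or may disagree with what the provider uses (the provider's defaulting is not visible here). The bare `throw new SecurityException()` would also be easier to diagnose with a message naming the key store type that yielded no provider. The method continues past the hunk into its catch blocks.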
@@ -102,4 +89,7 @@ public class AbstractJwsWriterProvider { p.signWith(theSigProvider); IOUtils.copy(new ByteArrayInputStream(p.getSignedEncodedJws().getBytes("UTF-8")), os); } + private String getSignatureAlgo(Properties props, String algo) { + return algo == null ? props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP) : algo; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java index 1daf285..9d5fc9c 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java @@ -26,7 +26,6 @@ import java.util.Properties; import java.util.zip.DeflaterOutputStream; import javax.annotation.Priority; -import javax.crypto.SecretKey; import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.MediaType; import javax.ws.rs.ext.WriterInterceptor; 
@@ -42,13 +41,12 @@ import org.apache.cxf.message.MessageUtils; import org.apache.cxf.rs.security.jose.jwa.Algorithm; import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption; import org.apache.cxf.rs.security.jose.jwe.AesGcmContentEncryptionAlgorithm; -import org.apache.cxf.rs.security.jose.jwe.AesGcmWrapKeyEncryptionAlgorithm; -import org.apache.cxf.rs.security.jose.jwe.AesWrapKeyEncryptionAlgorithm; import org.apache.cxf.rs.security.jose.jwe.JweCompactProducer; import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider; import org.apache.cxf.rs.security.jose.jwe.JweEncryptionState; import org.apache.cxf.rs.security.jose.jwe.JweHeaders; import org.apache.cxf.rs.security.jose.jwe.JweOutputStream; +import org.apache.cxf.rs.security.jose.jwe.JweUtils; import org.apache.cxf.rs.security.jose.jwe.KeyEncryptionAlgorithm; import org.apache.cxf.rs.security.jose.jwe.RSAOaepKeyEncryptionAlgorithm; import org.apache.cxf.rs.security.jose.jwe.WrappedKeyJweEncryption; 
@@ -138,21 +136,8 @@ public class JweWriterInterceptor implements WriterInterceptor { Properties props = ResourceUtils.loadProperties(propLoc, bus); if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(CryptoUtils.RSSEC_KEY_STORE_TYPE))) { JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT); - keyEncryptionAlgo = jwk.getAlgorithm(); - // TODO: Put it into some factory code - if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) { - keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(jwk.toRSAPublicKey(), - getKeyEncryptionAlgo(props, keyEncryptionAlgo)); - } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) { - SecretKey key = jwk.toSecretKey(); - if (Algorithm.isAesKeyWrap(keyEncryptionAlgo)) { - keyEncryptionProvider = new AesWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo); - } else if (Algorithm.isAesGcmKeyWrap(keyEncryptionAlgo)) { - keyEncryptionProvider = new AesGcmWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo); - } - } else { - // TODO: support elliptic curve keys - } + keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm()); + keyEncryptionProvider = JweUtils.getKeyEncryptionAlgorithm(jwk, keyEncryptionAlgo); } else { keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm( http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java new file mode 100644 index 0000000..c3aa6d4 --- /dev/null +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java 
@@ -0,0 +1,68 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.rs.security.jose.jwe; + +import javax.crypto.SecretKey; + +import org.apache.cxf.rs.security.jose.jwa.Algorithm; +import org.apache.cxf.rs.security.jose.jwk.JsonWebKey; +import org.apache.cxf.rs.security.jose.jwk.JwkUtils; + +public final class JweUtils { + private JweUtils() { + + } + public static KeyEncryptionAlgorithm getKeyEncryptionAlgorithm(JsonWebKey jwk) { + return getKeyEncryptionAlgorithm(jwk, null); + } + public static KeyEncryptionAlgorithm getKeyEncryptionAlgorithm(JsonWebKey jwk, String defaultAlgorithm) { + String keyEncryptionAlgo = jwk.getAlgorithm() == null ? 
defaultAlgorithm : jwk.getAlgorithm(); + KeyEncryptionAlgorithm keyEncryptionProvider = null; + if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) { + keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(JwkUtils.toRSAPublicKey(jwk), + keyEncryptionAlgo); + } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) { + SecretKey key = JwkUtils.toSecretKey(jwk); + if (Algorithm.isAesKeyWrap(keyEncryptionAlgo)) { + keyEncryptionProvider = new AesWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo); + } else if (Algorithm.isAesGcmKeyWrap(keyEncryptionAlgo)) { + keyEncryptionProvider = new AesGcmWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo); + } + } else { + // TODO: support elliptic curve keys + } + return keyEncryptionProvider; + } + public static KeyDecryptionAlgorithm getKeyDecryptionAlgorithm(JsonWebKey jwk) { + KeyDecryptionAlgorithm keyDecryptionProvider = null; + if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) { + keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(JwkUtils.toRSAPrivateKey(jwk)); + } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) { + SecretKey key = JwkUtils.toSecretKey(jwk); + if (Algorithm.isAesKeyWrap(jwk.getAlgorithm())) { + keyDecryptionProvider = new AesWrapKeyDecryptionAlgorithm(key); + } else if (Algorithm.isAesGcmKeyWrap(jwk.getAlgorithm())) { + keyDecryptionProvider = new AesGcmWrapKeyDecryptionAlgorithm(key); + } + } else { + // TODO: support elliptic curve keys + } + return keyDecryptionProvider; + } +} http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java index 510e7a7..63c1008 100644 
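Review bot: In getKeyEncryptionAlgorithm the octet branch builds the key with `JwkUtils.toSecretKey(jwk)`, which reads `jwk.getAlgorithm()` directly rather than the resolved keyEncryptionAlgo, so the defaultAlgorithm fallback never reaches the key-spec construction and a JWK without alg hands null to `Algorithm.toJavaName`; using the resolved value there, `CryptoUtils.createSecretKeySpec((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE), Algorithm.toJavaName(keyEncryptionAlgo))`, or a `toSecretKey(jwk, algo)` overload in JwkUtils, closes that gap. getKeyDecryptionAlgorithm has no defaultAlgorithm overload at all, so it calls `Algorithm.isAesKeyWrap(jwk.getAlgorithm())` with null in the same situation; mirroring the encryption signature keeps the two factories symmetric and lets AbstractJweDecryptingFilter fall back to a configured algorithm. Both public methods are new API without Javadoc; each should state which key types it handles and that it currently returns null for an EC key or an unmatched octet algorithm, which the `// TODO: support elliptic curve keys` comments only hint at.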
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java @@ -18,20 +18,12 @@ */ package org.apache.cxf.rs.security.jose.jwk; -import java.security.interfaces.ECPrivateKey; -import java.security.interfaces.ECPublicKey; -import java.security.interfaces.RSAPrivateKey; -import java.security.interfaces.RSAPublicKey; import java.util.List; import java.util.Map; -import javax.crypto.SecretKey; - import org.apache.cxf.helpers.CastUtils; -import org.apache.cxf.rs.security.jose.jwa.Algorithm; import org.apache.cxf.rs.security.jose.jwt.AbstractJwtObject; import org.apache.cxf.rs.security.jose.jwt.JwtConstants; -import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; public class JsonWebKey extends AbstractJwtObject { 
@@ -165,49 +157,4 @@ public class JsonWebKey extends AbstractJwtObject { return super.getValue(name); } - public RSAPublicKey toRSAPublicKey() { - String encodedModulus = (String)super.getValue(RSA_MODULUS); - String encodedPublicExponent = (String)super.getValue(RSA_PUBLIC_EXP); - return CryptoUtils.getRSAPublicKey(encodedModulus, encodedPublicExponent); - } - public RSAPrivateKey toRSAPrivateKey() { - String encodedModulus = (String)super.getValue(RSA_MODULUS); - String encodedPrivateExponent = (String)super.getValue(RSA_PRIVATE_EXP); - String encodedPrimeP = (String)super.getValue(RSA_FIRST_PRIME_FACTOR); - if (encodedPrimeP == null) { - return CryptoUtils.getRSAPrivateKey(encodedModulus, encodedPrivateExponent); - } else { - String encodedPublicExponent = (String)super.getValue(RSA_PUBLIC_EXP); - String encodedPrimeQ = (String)super.getValue(RSA_SECOND_PRIME_FACTOR); - String encodedPrimeExpP = (String)super.getValue(RSA_FIRST_PRIME_CRT); - String encodedPrimeExpQ = (String)super.getValue(RSA_SECOND_PRIME_CRT); - String encodedCrtCoefficient = (String)super.getValue(RSA_FIRST_CRT_COEFFICIENT); - return CryptoUtils.getRSAPrivateKey(encodedModulus, - encodedPublicExponent, - encodedPrivateExponent, - encodedPrimeP, - encodedPrimeQ, - encodedPrimeExpP, - encodedPrimeExpQ, - encodedCrtCoefficient); - } - } - public ECPublicKey toECPublicKey() { - String eCurve = (String)super.getValue(EC_CURVE); - String encodedXCoord = (String)super.getValue(EC_X_COORDINATE); - String encodedYCoord = (String)super.getValue(EC_Y_COORDINATE); - return CryptoUtils.getECPublicKey(eCurve, encodedXCoord, encodedYCoord); - } - public ECPrivateKey toECPrivateKey() { - String eCurve = (String)super.getValue(EC_CURVE); - String encodedPrivateKey = (String)super.getValue(EC_PRIVATE_KEY); - return CryptoUtils.getECPrivateKey(eCurve, encodedPrivateKey); - } - - public SecretKey toSecretKey() { - return CryptoUtils.createSecretKeySpec((String)getProperty(OCTET_KEY_VALUE), - 
Algorithm.toJavaName(getAlgorithm())); - } - - } http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java index 8b5b0e9..3e61fd4 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java @@ -20,10 +20,16 @@ package org.apache.cxf.rs.security.jose.jwk; import java.io.InputStream; import java.io.UnsupportedEncodingException; +import java.security.interfaces.ECPrivateKey; +import java.security.interfaces.ECPublicKey; +import java.security.interfaces.RSAPrivateKey; +import java.security.interfaces.RSAPublicKey; import java.util.Collections; import java.util.List; import java.util.Properties; +import javax.crypto.SecretKey; + import org.apache.cxf.Bus; import org.apache.cxf.helpers.IOUtils; import org.apache.cxf.jaxrs.utils.ResourceUtils; 
@@ -47,6 +53,18 @@ public final class JwkUtils { private JwkUtils() { } + public static JsonWebKey readJwkKey(String jwkJson) { + return new DefaultJwkReaderWriter().jsonToJwk(jwkJson); + } + public static JsonWebKeys readJwkSet(String jwksJson) { + return new DefaultJwkReaderWriter().jsonToJwkSet(jwksJson); + } + public static String jwkKeyToJson(JsonWebKey jwkKey) { + return new DefaultJwkReaderWriter().jwkToJson(jwkKey); + } + public static String jwkSetToJson(JsonWebKeys jwkSet) { + return new DefaultJwkReaderWriter().jwkSetToJson(jwkSet); + } public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password) { return encryptJwkSet(jwkSet, password, new DefaultJwkReaderWriter()); } 
@@ -178,6 +196,49 @@ public final class JwkUtils { } return null; } + public static RSAPublicKey toRSAPublicKey(JsonWebKey jwk) { + String encodedModulus = (String)jwk.getProperty(JsonWebKey.RSA_MODULUS); + String encodedPublicExponent = (String)jwk.getProperty(JsonWebKey.RSA_PUBLIC_EXP); + return CryptoUtils.getRSAPublicKey(encodedModulus, encodedPublicExponent); + } + public static RSAPrivateKey toRSAPrivateKey(JsonWebKey jwk) { + String encodedModulus = (String)jwk.getProperty(JsonWebKey.RSA_MODULUS); + String encodedPrivateExponent = (String)jwk.getProperty(JsonWebKey.RSA_PRIVATE_EXP); + String encodedPrimeP = (String)jwk.getProperty(JsonWebKey.RSA_FIRST_PRIME_FACTOR); + if (encodedPrimeP == null) { + return CryptoUtils.getRSAPrivateKey(encodedModulus, encodedPrivateExponent); + } else { + String encodedPublicExponent = (String)jwk.getProperty(JsonWebKey.RSA_PUBLIC_EXP); + String encodedPrimeQ = (String)jwk.getProperty(JsonWebKey.RSA_SECOND_PRIME_FACTOR); + String encodedPrimeExpP = (String)jwk.getProperty(JsonWebKey.RSA_FIRST_PRIME_CRT); + String encodedPrimeExpQ = (String)jwk.getProperty(JsonWebKey.RSA_SECOND_PRIME_CRT); + String encodedCrtCoefficient = (String)jwk.getProperty(JsonWebKey.RSA_FIRST_CRT_COEFFICIENT); + return CryptoUtils.getRSAPrivateKey(encodedModulus, + encodedPublicExponent, + encodedPrivateExponent, + encodedPrimeP, + encodedPrimeQ, + encodedPrimeExpP, + encodedPrimeExpQ, + encodedCrtCoefficient); + } + } + public static ECPublicKey toECPublicKey(JsonWebKey jwk) { + String eCurve = (String)jwk.getProperty(JsonWebKey.EC_CURVE); + String encodedXCoord = (String)jwk.getProperty(JsonWebKey.EC_X_COORDINATE); + String encodedYCoord = (String)jwk.getProperty(JsonWebKey.EC_Y_COORDINATE); + return CryptoUtils.getECPublicKey(eCurve, encodedXCoord, encodedYCoord); + } + public static ECPrivateKey toECPrivateKey(JsonWebKey jwk) { + String eCurve = (String)jwk.getProperty(JsonWebKey.EC_CURVE); + String encodedPrivateKey = 
(String)jwk.getProperty(JsonWebKey.EC_PRIVATE_KEY); + return CryptoUtils.getECPrivateKey(eCurve, encodedPrivateKey); + } + + public static SecretKey toSecretKey(JsonWebKey jwk) { + return CryptoUtils.createSecretKeySpec((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE), + Algorithm.toJavaName(jwk.getAlgorithm())); + } private static byte[] stringToBytes(String str) { try { return str.getBytes("UTF-8"); http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java new file mode 100644 index 0000000..a8b81c0 --- /dev/null +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java 
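Review bot: The to*Key helpers cast and forward JWK members without checking `kty`, so `toRSAPublicKey` called on an EC or octet JWK hands null modulus and exponent strings to CryptoUtils, and `toSecretKey` passes null into `Algorithm.toJavaName` when the JWK has no alg; how those calls fail is not visible here. A precondition at the top of each, e.g. `if (!JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) { throw new SecurityException("Expected an RSA JWK, got kty=" + jwk.getKeyType()); }`, turns a confusing downstream failure into a clear configuration error at the point where the wrong key was supplied. These methods are also new public API and would benefit from Javadoc, including a note that toRSAPrivateKey falls back to the non-CRT private key form when the first prime factor is absent.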
@@ -0,0 +1,61 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.rs.security.jose.jws; + +import org.apache.cxf.rs.security.jose.jwa.Algorithm; +import org.apache.cxf.rs.security.jose.jwk.JsonWebKey; +import org.apache.cxf.rs.security.jose.jwk.JwkUtils; + +public final class JwsUtils { + private JwsUtils() { + + } + public static JwsSignatureProvider getSignatureProvider(JsonWebKey jwk) { + return getSignatureProvider(jwk, null); + } + public static JwsSignatureProvider getSignatureProvider(JsonWebKey jwk, String defaultAlgorithm) { + String rsaSignatureAlgo = jwk.getAlgorithm() == null ? 
defaultAlgorithm : jwk.getAlgorithm(); + JwsSignatureProvider theSigProvider = null; + if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) { + theSigProvider = new PrivateKeyJwsSignatureProvider(JwkUtils.toRSAPrivateKey(jwk)); + } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType()) + && Algorithm.isHmacSign(rsaSignatureAlgo)) { + theSigProvider = + new HmacJwsSignatureProvider((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE)); + } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) { + theSigProvider = new EcDsaJwsSignatureProvider(JwkUtils.toECPrivateKey(jwk)); + } + return theSigProvider; + } + public static JwsSignatureVerifier getSignatureVerifier(JsonWebKey jwk, String defaultAlgorithm) { + String rsaSignatureAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm(); + JwsSignatureVerifier theVerifier = null; + if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) { + theVerifier = new PublicKeyJwsSignatureVerifier(JwkUtils.toRSAPublicKey(jwk)); + } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType()) + && Algorithm.isHmacSign(rsaSignatureAlgo)) { + theVerifier = + new HmacJwsSignatureProvider((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE)); + } else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) { + theVerifier = new PublicKeyJwsSignatureVerifier(JwkUtils.toECPublicKey(jwk)); + } + return theVerifier; + } + +} http://git-wip-us.apache.org/repos/asf/cxf/blob/6ce2f6a3/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java index d4e460b..d0fadf3 100644 
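Review bot: The resolved `rsaSignatureAlgo` only gates the HMAC branch; the RSA and EC providers and verifiers are built from the key alone and `HmacJwsSignatureProvider` from the `k` value alone, so the algorithm that AbstractJwsWriterProvider writes into the JWS header is never handed to the object that produces the signature. If those single-argument constructors pick a default algorithm (not visible here), the header alg and the algorithm actually used can disagree; passing `rsaSignatureAlgo` into the constructors where an overload exists, or rejecting a non-null algorithm the key type cannot serve, would keep the two in step. The name is misleading since it also holds HMAC and EC algorithms — `signatureAlgo` reads better — and `getSignatureVerifier` lacks the one-arg overload that `getSignatureProvider` has. Both methods return null for an unmatched key type or algorithm without saying so; Javadoc with `@return the provider, or null if the key type (or, for octet keys, the algorithm) is not supported` is the minimum.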
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeyTest.java @@ -214,11 +214,9 @@ public class JsonWebKeyTest extends Assert { public JsonWebKeys readKeySet(String fileName) throws Exception { InputStream is = JsonWebKeyTest.class.getResourceAsStream(fileName); String s = IOUtils.readStringFromStream(is); - JwkReaderWriter reader = new DefaultJwkReaderWriter(); - return reader.jsonToJwkSet(s); + return JwkUtils.readJwkSet(s); } public JsonWebKey readKey(String key) throws Exception { - JwkReaderWriter reader = new DefaultJwkReaderWriter(); - return reader.jsonToJwk(key); + return JwkUtils.readJwkKey(key); } }
