Repository: cxf Updated Branches: refs/heads/master 2c62312b6 -> b6a5a8799
[CXF-6053] Adding more JwsJson tests, slightly modifies patch from Daniel Torkian applied Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b6a5a879 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b6a5a879 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b6a5a879 Branch: refs/heads/master Commit: b6a5a8799e1de06e47715e5a775556f6b8b750d5 Parents: 2c62312 Author: Sergey Beryozkin <[email protected]> Authored: Tue Nov 4 10:45:29 2014 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Tue Nov 4 10:45:29 2014 +0000 ---------------------------------------------------------------------- .../jaxrs/AbstractJwsJsonReaderProvider.java | 7 +++++ .../jose/jaxrs/JwsJsonClientResponseFilter.java | 3 ++- .../jaxrs/JwsJsonContainerRequestFilter.java | 4 ++- .../cxf/rs/security/jose/jws/JwsUtils.java | 12 ++++++--- .../jaxrs/security/jwt/JAXRSJwsJsonTest.java | 27 +++++++++++++++++++- .../jaxrs/security/jwt/serverJwsJson.xml | 13 ++++++++++ .../jaxrs/security/certs/jwkPrivateSet.txt | 5 ++++ 7 files changed, 64 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/b6a5a879/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java index 7272df9..17f31b5 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsJsonReaderProvider.java 
@@ -36,6 +36,7 @@ public class AbstractJwsJsonReaderProvider {
 private List<JwsSignatureVerifier> sigVerifiers;
 private String defaultMediaType;
+ private boolean strictVerification;
 public void setSignatureVerifier(JwsSignatureVerifier signatureVerifier) {
 setSignatureVerifiers(Collections.singletonList(signatureVerifier));
@@ -75,5 +76,11 @@ public class AbstractJwsJsonReaderProvider {
 public void setDefaultMediaType(String defaultMediaType) {
 this.defaultMediaType = defaultMediaType;
 }
+ public boolean isStrictVerification() {
+ return strictVerification;
+ }
+ public void setStrictVerification(boolean strictVerification) {
+ this.strictVerification = strictVerification;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/b6a5a879/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
index 273aba1..ecd0912 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonClientResponseFilter.java
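Review bot: The new `strictVerification` property (field in the first hunk, accessors in the second) has no Javadoc, and what "strict" means is only discoverable from the two filter subclasses changed elsewhere in this commit, where it requires the number of signature entries in the received JWS JSON payload to equal the number of configured verifiers. Suggest on the setter: `/** When true, a JWS JSON payload is rejected unless it carries exactly one signature entry per configured verifier; when false (the default) only the verifiers' own result decides. */`. Since the field defaults to false, deployments that configure several verifiers get the lenient behaviour unless they opt in, and the Javadoc should state that explicitly.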
@@ -39,7 +39,8 @@ public class JwsJsonClientResponseFilter extends AbstractJwsJsonReaderProvider i
 public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException {
 List<JwsSignatureVerifier> theSigVerifiers = getInitializedSigVerifiers();
 JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
- if (!p.verifySignatureWith(theSigVerifiers)) {
+ if (isStrictVerification() && p.getSignatureEntries().size() != theSigVerifiers.size()
+ || !p.verifySignatureWith(theSigVerifiers)) {
 throw new SecurityException();
 }
 byte[] bytes = p.getDecodedJwsPayloadBytes();
http://git-wip-us.apache.org/repos/asf/cxf/blob/b6a5a879/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
index 6b7ffdf..93cf0eb 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
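Review bot: The new condition mixes `&&` and `||` without parentheses; it evaluates as intended because `&&` binds tighter, but readers and Checkstyle will trip over it, so write `if ((isStrictVerification() && p.getSignatureEntries().size() != theSigVerifiers.size()) || !p.verifySignatureWith(theSigVerifiers)) {`. The identical expression is duplicated in the JwsJsonContainerRequestFilter hunk that follows; a protected helper on AbstractJwsJsonReaderProvider taking the consumer and the verifier list would keep the two filters in agreement. Note that the strict check only compares counts — whether each configured verifier validated a distinct signature entry depends on `verifySignatureWith`, which is outside this hunk. The bare `new SecurityException()` gives no hint of which of the two checks failed; a message such as `"JWS JSON signature verification failed"` would help diagnosis. `filter` continues beyond the hunk.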
@@ -42,7 +42,9 @@ public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider
 List<JwsSignatureVerifier> theSigVerifiers = getInitializedSigVerifiers();
 JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
- if (!p.verifySignatureWith(theSigVerifiers)) {
+
+ if (isStrictVerification() && p.getSignatureEntries().size() != theSigVerifiers.size()
+ || !p.verifySignatureWith(theSigVerifiers)) {
 context.abortWith(JAXRSUtils.toResponse(400));
 return;
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/b6a5a879/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 21cb1e1..93abfd5 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -94,8 +94,10 @@ public final class JwsUtils {
 String rsaSignatureAlgo = null;
 if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_SIGN);
- rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
- theSigProvider = JwsUtils.getSignatureProvider(jwk, rsaSignatureAlgo);
+ if (jwk != null) {
+ rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
+ theSigProvider = JwsUtils.getSignatureProvider(jwk, rsaSignatureAlgo);
+ }
 } else {
 rsaSignatureAlgo = getSignatureAlgo(props, null);
 RSAPrivateKey pk = (RSAPrivateKey)KeyManagementUtils.loadPrivateKey(m, props,
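Review bot: With the new guard, a null result from `loadJsonWebKey` leaves `theSigProvider` untouched and the method carries on silently, so a caller cannot tell "the JWK store has no key usable for signing" from a misconfiguration; the same applies to the verifier branch in the `@@ -137` hunk of this file. If a null provider is the intended "not configured" signal, a comment above the guard should say so, e.g. `// null when the JWK store holds no key for this operation (confirm against JwkUtils.loadJsonWebKey); callers treat a null provider as not configured`, and otherwise a debug log line or an exception belongs here. Separately, `rsaSignatureAlgo` appears to carry non-RSA algorithms as well once the JWK branch yields an `oct` key (this commit's test data adds an HS512 one), so `signatureAlgo` would be a more accurate name. The enclosing method begins and ends outside the hunk.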
@@ -137,8 +139,10 @@ public final class JwsUtils {
 String rsaSignatureAlgo = null;
 if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_VERIFY);
- rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
- theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo);
+ if (jwk != null) {
+ rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
+ theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo);
+ }
 } else {
 rsaSignatureAlgo = getSignatureAlgo(props, null);
http://git-wip-us.apache.org/repos/asf/cxf/blob/b6a5a879/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJwsJsonTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJwsJsonTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJwsJsonTest.java
index f515da1..cbd1b13 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJwsJsonTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/JAXRSJwsJsonTest.java
@@ -20,6 +20,7 @@ package org.apache.cxf.systest.jaxrs.security.jwt;
 import java.net.URL;
+import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
@@ -58,7 +59,31 @@ public class JAXRSJwsJsonTest extends AbstractBusClientServerTestBase {
 assertEquals("book", book.getName());
 assertEquals(123L, book.getId());
 }
- private BookStore createBookStore(String address, String properties) throws Exception {
+
+ @Test
+ public void testJwsJsonBookDoubleHmac() throws Exception {
+ String address = "https://localhost:" + PORT + "/jwsjsonhmac2";
+ List<String> properties = new ArrayList<String>();
+ properties.add("org/apache/cxf/systest/jaxrs/security/secret.jwk.properties");
+ properties.add("org/apache/cxf/systest/jaxrs/security/secret.jwk.hmac.properties");
+ BookStore bs = createBookStore(address, properties);
+ Book book = bs.echoBook(new Book("book", 123L));
+ assertEquals("book", book.getName());
+ assertEquals(123L, book.getId());
+ }
+
+ @Test
+ public void testJwsJsonBookDoubleHmacSinglePropsFile() throws Exception {
+ String address = "https://localhost:" + PORT + "/jwsjsonhmac2";
+ List<String> properties = new ArrayList<String>();
+ properties.add("org/apache/cxf/systest/jaxrs/security/secret.jwk.hmac2.properties");
+ BookStore bs = createBookStore(address, properties);
+ Book book = bs.echoBook(new Book("book", 123L));
+ assertEquals("book", book.getName());
+ assertEquals(123L, book.getId());
+ }
+
+ private BookStore createBookStore(String address, Object properties) throws Exception {
 JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
 SpringBusFactory bf = new SpringBusFactory();
 URL busFile = JAXRSJwsJsonTest.class.getResource("client.xml");
http://git-wip-us.apache.org/repos/asf/cxf/blob/b6a5a879/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/serverJwsJson.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/serverJwsJson.xml b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/serverJwsJson.xml
index 2e3911d..a5e3608 100644
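Review bot: `createBookStore` now takes `Object properties`, which discards the type information both new callers supply; since they pass a `List<String>`, declare the parameter as `List<String>` (a single path can be wrapped with `Collections.singletonList`) or add an overload rather than widening to `Object`. Nothing here exercises the `strictVerification` flag this commit introduces; a negative test that sends a payload carrying a single signature to the two-key `/jwsjsonhmac2` endpoint with strict mode enabled and expects a 400 would pin the new behaviour. The echo-and-assert block is repeated in both new tests and in the one preceding them; a small helper would shorten them. `createBookStore` continues beyond the hunk.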
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/serverJwsJson.xml
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jwt/serverJwsJson.xml
@@ -58,5 +58,18 @@ under the License.
 <entry key="rs.security.signature.list.properties"
 value="org/apache/cxf/systest/jaxrs/security/secret.jwk.properties"/>
 </jaxrs:properties>
 </jaxrs:server>
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-jws-json}/jwsjsonhmac2">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="jwsInFilter"/>
+ <ref bean="jwsOutFilter"/>
+ </jaxrs:providers>
+ <jaxrs:properties>
+ <entry key="rs.security.signature.list.properties"
+ value="org/apache/cxf/systest/jaxrs/security/secret.jwk.properties,org/apache/cxf/systest/jaxrs/security/secret.jwk.hmac.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
 </beans>
http://git-wip-us.apache.org/repos/asf/cxf/blob/b6a5a879/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
index 3aab043..0dde577 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
@@ -16,6 +16,11 @@
 "k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
 "kid":"HMACKey"},
+ {"kty":"oct",
+ "alg":"HS512",
+ "k":"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",
+ "kid":"HMAC512Key"},
+
 {"kty":"EC",
 "crv":"P-256",
 "x":"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
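Review bot: The new `/jwsjsonhmac2` server lists two signature property files but reuses the shared `jwsInFilter` bean, and nothing in this hunk sets the `strictVerification` property this commit introduces; unless that bean (defined outside the hunk) enables it, the endpoint may accept a payload carrying fewer signatures than configured verifiers, depending on what the non-strict `verifySignatureWith` path allows. If the intent of this endpoint is to require both signatures, a dedicated filter bean with `<property name="strictVerification" value="true"/>` would make that explicit in the test configuration.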
