[GitHub] [knox] smolnar82 commented on a change in pull request #397: KNOX-2527 - Added support for HMAC signature/verification in JWT token authority

Thu, 21 Jan 2021 06:46:03 -0800 


smolnar82 commented on a change in pull request #397:
URL: https://github.com/apache/knox/pull/397#discussion_r561936179



##########
File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.java
##########
@@ -167,23 +152,71 @@ public JWT issueToken(Principal p, List<String> 
audiences, String algorithm, lon
       claimArray[3] = String.valueOf(expires);
     }
 
-    JWT token;
-    if (SUPPORTED_SIG_ALGS.contains(algorithm)) {
-      token = new JWTToken(algorithm, claimArray, audiences);
-      try {
-        RSAPrivateKey key = getSigningKey(signingKeystoreName, 
signingKeystoreAlias, signingKeystorePassphrase);
-        // allowWeakKey to not break existing 1024 bit certificates
-        JWSSigner signer = new RSASSASigner(key, true);
-        token.sign(signer);
-      } catch (KeystoreServiceException e) {
-        throw new TokenServiceException(e);
+    final JWT token = SUPPORTED_PKI_SIG_ALGS.contains(algorithm) || 
SUPPORTED_HMAC_SIG_ALGS.contains(algorithm) ? new JWTToken(algorithm, 
claimArray, audiences) : null;
+    if (token != null) {
+      signToken(algorithm, signingKeystoreName, signingKeystoreAlias, 
signingKeystorePassphrase, token);
+      return token;
+    } else {
+      throw new TokenServiceException("Cannot issue token - Unsupported 
algorithm: " + algorithm);
+    }
+  }
+
+  private void signToken(String algorithm, String signingKeystoreName, String 
signingKeystoreAlias, char[] signingKeystorePassphrase, JWT token) throws 
TokenServiceException {
+    if (TokenUtils.useHMAC(getHmacSecret(), signingKeystoreName)) {

Review comment:
       This makes sense; I fixed the code.

##########
File path: 
gateway-server/src/main/java/org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.java
##########
@@ -205,31 +238,37 @@ private String getSigningKeyAlias(String 
signingKeystoreAlias) {
   }
 
   @Override
-  public boolean verifyToken(JWT token)
-      throws TokenServiceException {
+  public boolean verifyToken(JWT token) throws TokenServiceException {
     return verifyToken(token, null);
   }
 
   @Override
-  public boolean verifyToken(JWT token, RSAPublicKey publicKey)
-      throws TokenServiceException {
-    boolean rc;
-    PublicKey key;
+  public boolean verifyToken(JWT token, RSAPublicKey publicKey) throws 
TokenServiceException {
+    return TokenUtils.useHMAC(getHmacSecret(), 
config.getSigningKeystoreName()) ? verifyTokenUsingHMAC(token) : 
verifyTokenUsingRSA(token, publicKey);

Review comment:
       This makes sense; I fixed the code.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to