git commit: [CXF-6084] Support for validating critical headers, applying a patch on behalf of Daniel Torkian
Repository: cxf Updated Branches: refs/heads/master de0524a87 - afa521931 [CXF-6084] Support for validating critical headers, applying a patch on behalf of Daniel Torkian Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/afa52193 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/afa52193 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/afa52193 Branch: refs/heads/master Commit: afa52193148d7b1a6b60266ff73a92c1005f4c38 Parents: de0524a Author: Sergey Beryozkin sberyoz...@talend.com Authored: Wed Nov 5 12:55:12 2014 + Committer: Sergey Beryozkin sberyoz...@talend.com Committed: Wed Nov 5 12:55:12 2014 + -- .../apache/cxf/rs/security/jose/JoseUtils.java | 23 + .../security/jose/jwe/JweCompactConsumer.java | 4 ++ .../cxf/rs/security/jose/jwe/JweUtils.java | 6 +++ .../security/jose/jws/JwsCompactConsumer.java | 4 +- .../jose/jws/JwsJsonSignatureEntry.java | 7 +++ .../cxf/rs/security/jose/jws/JwsUtils.java | 6 +++ .../security/jose/jws/JwsCompactHeaderTest.java | 49 .../provider/ClientSecretHashVerifier.java | 39 8 files changed, 137 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/afa52193/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java -- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java index b0ba894..23f9936 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java @@ -19,6 +19,9 @@ package org.apache.cxf.rs.security.jose; import java.io.UnsupportedEncodingException; +import java.util.HashSet; +import java.util.List; +import java.util.Set; import org.apache.cxf.common.util.crypto.CryptoUtils; 
@@ -59,4 +62,24 @@ public final class JoseUtils { public static byte[] decode(String encoded) { return CryptoUtils.decodeSequence(encoded); } + +public static boolean validateCriticalHeaders(JoseHeaders headers) { +ListString critical = headers.getCritical(); +if (critical == null) { +return true; +} +// The crit value MUST NOT be empty [] or contain either duplicate values or crit +if (critical.isEmpty() +|| detectDoubleEntry(critical) +|| critical.contains(JoseConstants.HEADER_CRITICAL)) { +return false; +} + +// Check that the headers contain these critical headers +return headers.asMap().keySet().containsAll(critical); +} +private static boolean detectDoubleEntry(List? list) { +SetObject inputSet = new HashSetObject(list); +return list.size() inputSet.size(); +} } http://git-wip-us.apache.org/repos/asf/cxf/blob/afa52193/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java -- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java index 8673d4d..ab4c9b5 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java @@ -26,6 +26,7 @@ import org.apache.cxf.common.util.Base64UrlUtility; import org.apache.cxf.rs.security.jose.JoseHeaders; import org.apache.cxf.rs.security.jose.JoseHeadersReader; import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter; +import org.apache.cxf.rs.security.jose.jws.JwsUtils; public class JweCompactConsumer { 
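Review bot: `validateCriticalHeaders` only checks that each name listed in `crit` is present in the header set (`headers.asMap().keySet().containsAll(critical)`), whereas RFC 7515 §4.1.11 requires the recipient to reject the object when it does not understand or cannot process a listed extension, so a header that is present but not implemented by this consumer still passes; consider letting the caller supply the set of extension names it actually supports and rejecting anything outside it. The RFC's exclusion also covers every header name defined by the JWS/JWA/JWE specifications, not just `crit`, so `critical.contains(JoseConstants.HEADER_CRITICAL)` is narrower than the spec text and could compare against the registered standard names instead. The new public method has no Javadoc; I would add `/** Validates the crit header per RFC 7515 4.1.11: true when absent, false when empty, duplicated, naming crit itself, or naming a header that is not present. Presence is not support - callers must still confirm they implement every listed header. */`. The rendered patch has lost generic brackets and the comparison operator in `detectDoubleEntry` (`list.size() inputSet.size()`), so that line cannot be reviewed from this page. The identical hunk is repeated below for the 3.0.x-fixes branch and the same points apply there.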
@@ -113,4 +114,7 @@ public class JweCompactConsumer { throw new SecurityException(ex); } } +public boolean validateCriticalHeaders() { +return JwsUtils.validateCriticalHeaders(getJweHeaders()); +} } http://git-wip-us.apache.org/repos/asf/cxf/blob/afa52193/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java -- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java index 4158da6..836a284 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java +++
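Review bot: The new `JweCompactConsumer.validateCriticalHeaders()` delegates to `JwsUtils`, a JWS-package helper, which is what forces the `org.apache.cxf.rs.security.jose.jws.JwsUtils` import into the `jwe` package in the hunk above; the diffstat shows `JweUtils.java` also gaining six lines in this commit, presumably an equivalent wrapper, so `return JweUtils.validateCriticalHeaders(getJweHeaders());` (or a direct call to `JoseUtils`) would avoid the JWE-to-JWS dependency. The method is public and undocumented; a Javadoc such as `/** Returns true when the crit header, if present, is well-formed and every listed header is present; see JoseUtils#validateCriticalHeaders. Not invoked during parsing - callers must check the result. */` would make the contract explicit. That the parsing path does not call it is inferred from this hunk alone, which only adds the method, and should be confirmed against the rest of the class. The same change is repeated below for the 3.0.x-fixes branch.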
git commit: [CXF-6084] Support for validating critical headers, applying a patch on behalf of Daniel Torkian
Repository: cxf Updated Branches: refs/heads/3.0.x-fixes aca6e050f - 360a89355 [CXF-6084] Support for validating critical headers, applying a patch on behalf of Daniel Torkian Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/360a8935 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/360a8935 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/360a8935 Branch: refs/heads/3.0.x-fixes Commit: 360a89355da3b90a6687833e314d751f10d6ef39 Parents: aca6e05 Author: Sergey Beryozkin sberyoz...@talend.com Authored: Wed Nov 5 12:55:12 2014 + Committer: Sergey Beryozkin sberyoz...@talend.com Committed: Wed Nov 5 12:56:06 2014 + -- .../apache/cxf/rs/security/jose/JoseUtils.java | 23 + .../security/jose/jwe/JweCompactConsumer.java | 4 ++ .../cxf/rs/security/jose/jwe/JweUtils.java | 6 +++ .../security/jose/jws/JwsCompactConsumer.java | 4 +- .../jose/jws/JwsJsonSignatureEntry.java | 7 +++ .../cxf/rs/security/jose/jws/JwsUtils.java | 6 +++ .../security/jose/jws/JwsCompactHeaderTest.java | 49 .../provider/ClientSecretHashVerifier.java | 39 8 files changed, 137 insertions(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/360a8935/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java -- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java index b0ba894..23f9936 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/JoseUtils.java @@ -19,6 +19,9 @@ package org.apache.cxf.rs.security.jose; import java.io.UnsupportedEncodingException; +import java.util.HashSet; +import java.util.List; +import java.util.Set; import org.apache.cxf.common.util.crypto.CryptoUtils; 
@@ -59,4 +62,24 @@ public final class JoseUtils { public static byte[] decode(String encoded) { return CryptoUtils.decodeSequence(encoded); } + +public static boolean validateCriticalHeaders(JoseHeaders headers) { +ListString critical = headers.getCritical(); +if (critical == null) { +return true; +} +// The crit value MUST NOT be empty [] or contain either duplicate values or crit +if (critical.isEmpty() +|| detectDoubleEntry(critical) +|| critical.contains(JoseConstants.HEADER_CRITICAL)) { +return false; +} + +// Check that the headers contain these critical headers +return headers.asMap().keySet().containsAll(critical); +} +private static boolean detectDoubleEntry(List? list) { +SetObject inputSet = new HashSetObject(list); +return list.size() inputSet.size(); +} } http://git-wip-us.apache.org/repos/asf/cxf/blob/360a8935/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java -- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java index 8673d4d..ab4c9b5 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java @@ -26,6 +26,7 @@ import org.apache.cxf.common.util.Base64UrlUtility; import org.apache.cxf.rs.security.jose.JoseHeaders; import org.apache.cxf.rs.security.jose.JoseHeadersReader; import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter; +import org.apache.cxf.rs.security.jose.jws.JwsUtils; public class JweCompactConsumer { 
@@ -113,4 +114,7 @@ public class JweCompactConsumer { throw new SecurityException(ex); } } +public boolean validateCriticalHeaders() { +return JwsUtils.validateCriticalHeaders(getJweHeaders()); +} } http://git-wip-us.apache.org/repos/asf/cxf/blob/360a8935/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java -- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java index 4158da6..836a284 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java +++