[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r246483627 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/TomitribeSignatureValidator.java ## @@ -0,0 +1,96 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.rs.security.httpsignature; + +import java.security.Key; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.logging.Logger; + +import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.rs.security.httpsignature.exception.DifferentAlgorithmsException; +import org.apache.cxf.rs.security.httpsignature.exception.InvalidDataToVerifySignatureException; +import org.apache.cxf.rs.security.httpsignature.exception.InvalidSignatureException; +import org.apache.cxf.rs.security.httpsignature.exception.InvalidSignatureHeaderException; +import org.apache.cxf.rs.security.httpsignature.provider.AlgorithmProvider; +import org.apache.cxf.rs.security.httpsignature.provider.PublicKeyProvider; +import org.apache.cxf.rs.security.httpsignature.provider.SecurityProvider; +import org.apache.cxf.rs.security.httpsignature.utils.SignatureHeaderUtils; +import org.tomitribe.auth.signatures.Signature; +import org.tomitribe.auth.signatures.Verifier; + +public final class TomitribeSignatureValidator implements SignatureValidator { +private static final Logger LOG = LogUtils.getL7dLogger(TomitribeSignatureValidator.class); + +@Override +public void validate(Map> messageHeaders, + AlgorithmProvider algorithmProvider, + PublicKeyProvider publicKeyProvider, + SecurityProvider securityProvider, + String method, + String uri) { +Signature signature = extractSignatureFromHeader(messageHeaders.get("Signature").get(0)); + +String providedAlgorithm = algorithmProvider.getAlgorithmName(signature.getKeyId()); +Objects.requireNonNull(providedAlgorithm, "provided algorithm is null"); Review comment: Not needed anymore, `getAlgorithmName` will never return `null` This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r246483242 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/SignatureException.java ## @@ -0,0 +1,7 @@ +package org.apache.cxf.rs.security.httpsignature; + +public class SignatureException extends RuntimeException { +public SignatureException(String message) { Review comment: `IllegalArgumentException` is the good candidate I think. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r246483025 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/provider/SecurityProvider.java ## @@ -0,0 +1,33 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.rs.security.httpsignature.provider; + +import java.security.Provider; + +@FunctionalInterface +public interface SecurityProvider { +/** + * @param keyId is used as lookup to find the correct configured security provider for this keyId + * The keyId is sent in the message together with the signature + * @throws NullPointerException if it can't provide a public key based on keyId Review comment: And here as well, please `IllegalArgumentException` This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r246482852 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/provider/PublicKeyProvider.java ## @@ -0,0 +1,33 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.rs.security.httpsignature.provider; + +import java.security.PublicKey; + +@FunctionalInterface +public interface PublicKeyProvider { +/** + * @param keyId is used as lookup to find the correct configured public key for this keyId + * The keyId is sent in the message together with the signature + * @throws NullPointerException if it can't provide a public key based on keyId Review comment: Same, please `NullPointerException` -> `IllegalArgumentException` This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r246482629 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/provider/AlgorithmProvider.java ## @@ -0,0 +1,31 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.rs.security.httpsignature.provider; + +@FunctionalInterface +public interface AlgorithmProvider { +/** + * @param keyId is used as lookup to find the correct configured algorithm name for this keyId + * The keyId is sent in the message together with the signature + * @throws NullPointerException if it can't provide an algorithm based on keyId Review comment: Might be better to use `IllegalAgumentException` if the provider can't provide an algorithm based on keyId This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228386006 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/VerifySignatureReaderInterceptor.java ## @@ -0,0 +1,85 @@ +package org.apache.cxf.rs.security.httpsignature; + +import org.apache.cxf.common.logging.LogUtils; + +import javax.annotation.Priority; +import javax.ws.rs.Priorities; +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.ext.Provider; +import javax.ws.rs.ext.ReaderInterceptor; +import javax.ws.rs.ext.ReaderInterceptorContext; +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.util.*; +import java.util.logging.Logger; + +/** + * RS CXF Reader Interceptor which extracts signature data from the message and sends it to the message verifier + * + */ +@Provider +@Priority(Priorities.AUTHENTICATION) +public class VerifySignatureReaderInterceptor implements ReaderInterceptor { +private static final Logger LOG = LogUtils.getL7dLogger(VerifySignatureReaderInterceptor.class); + +private MessageVerifier messageVerifier; + +private boolean enabled; + +public VerifySignatureReaderInterceptor() { +setEnabled(true); +setMessageVerifier(new MessageVerifier(true)); +} + +@Override +public Object aroundReadFrom(ReaderInterceptorContext context) throws IOException, WebApplicationException { +if (!enabled) { +LOG.fine("Verify signature reader interceptor is disabled"); +return context.proceed(); +} +LOG.fine("Starting interceptor message verification process"); + +Map> responseHeaders = context.getHeaders(); + +String messageBody = extractMessageBody(context); Review comment: Could be an issue for streaming use cases (when message body is large), no? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r231751255 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/MessageVerifier.java ## @@ -0,0 +1,242 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.rs.security.httpsignature; + +import java.nio.charset.StandardCharsets; +import java.security.Key; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.Security; +import java.util.*; +import java.util.logging.Logger; + +import org.apache.cxf.common.logging.LogUtils; +import org.tomitribe.auth.signatures.Signature; +import org.tomitribe.auth.signatures.Verifier; + + +public class MessageVerifier { +private static final Logger LOG = LogUtils.getL7dLogger(MessageVerifier.class); + +private AlgorithmProvider algorithmProvider; +private ExceptionHandler exceptionHandler; +private PublicKeyProvider publicKeyProvider; +private SecurityProvider securityProvider; + +private boolean verifyMessageBody; + +public MessageVerifier(boolean verifyMessageBody) { +this.exceptionHandler = (exception, type) -> new SignatureException("exception of type: " + type + " occurred"); +this.securityProvider = keyId -> Security.getProvider("SunRsaSign"); +this.algorithmProvider = keyId -> DefaultSignatureConstants.SIGNING_ALGORITHM; +this.verifyMessageBody = verifyMessageBody; +} + +public MessageVerifier(PublicKeyProvider publicKeyProvider, + ExceptionHandler exceptionHandler, + SecurityProvider securityProvider, + AlgorithmProvider algorithmProvider, + boolean verifyMessageBody) { +Objects.requireNonNull(publicKeyProvider, "Public key provider cannot be null"); Review comment: You probably meant `Objects.requireNonNull` for each argument, not only for `publicKeyProvider`, right? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228384809 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/MessageVerifier.java ## @@ -0,0 +1,212 @@ +package org.apache.cxf.rs.security.httpsignature; + +import org.apache.cxf.common.logging.LogUtils; +import org.tomitribe.auth.signatures.Signature; +import org.tomitribe.auth.signatures.Verifier; + +import java.nio.charset.StandardCharsets; +import java.security.Key; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.Security; +import java.util.*; +import java.util.logging.Logger; + +public class MessageVerifier { +private ExceptionHandler exceptionHandler; + +private static final Logger LOG = LogUtils.getL7dLogger(MessageVerifier.class); + +public MessageVerifier(boolean verifyMessageBody) { +setExceptionHandler(null); +setSecurityProvider(null); +setAlgorithmProvider(null); +this.verifyMessageBody = verifyMessageBody; +} + +public MessageVerifier(PublicKeyProvider publicKeyProvider, + ExceptionHandler exceptionHandler, + SecurityProvider securityProvider, + AlgorithmProvider algorithmProvider, + boolean verifyMessageBody) +{ +Objects.requireNonNull(publicKeyProvider, "Public key provider cannot be null"); +this.publicKeyProvider = publicKeyProvider; +this.exceptionHandler = exceptionHandler; +this.securityProvider = securityProvider; +this.algorithmProvider = algorithmProvider; +this.verifyMessageBody = verifyMessageBody; +} + +private PublicKeyProvider publicKeyProvider; + +private SecurityProvider securityProvider; + +private AlgorithmProvider algorithmProvider; + +private boolean verifyMessageBody; + +public void setSecurityProvider(SecurityProvider securityProvider) { +if (securityProvider != null) { +this.securityProvider = securityProvider; +} else { +this.securityProvider = (keyId) -> Security.getProvider("SunRsaSign"); +} +} + +public void setPublicKeyProvider(PublicKeyProvider publicKeyProvider) { +this.publicKeyProvider = publicKeyProvider; +} + +public void setAlgorithmProvider(AlgorithmProvider algorithmProvider) { +if (algorithmProvider != null) { +this.algorithmProvider = algorithmProvider; +} else { +this.algorithmProvider = (keyId) -> "rsa-sha256"; +} +} + +public ExceptionHandler getExceptionHandler() { +return exceptionHandler; +} + +public void setExceptionHandler(ExceptionHandler exceptionHandler) { +if (exceptionHandler != null) { +this.exceptionHandler = exceptionHandler; +} else { +this.exceptionHandler = (exception, type) -> new SignatureException("exception of type: " + type + " occurred"); +} +} + +public void verifyMessage(Map> messageHeaders, String messageBody) { +if (verifyMessageBody) { +inspectDigest(messageBody, messageHeaders); +} +verifyMessage(messageHeaders); +} + +public void verifyMessage(Map> messageHeaders) { +inspectIllegalState(); + +inspectMissingSignatureHeader(messageHeaders); + +inspectMultipleSignatureHeaders(messageHeaders); + +Signature signature = extractSignature(messageHeaders.get("Signature").get(0)); + +String providedAlgorithm = algorithmProvider.getAlgorithmName(signature.getKeyId()); +Objects.requireNonNull(providedAlgorithm, "provided algorithm is null"); + +String signatureAlgorithm = signature.getAlgorithm().toString(); +if (!providedAlgorithm.equals(signatureAlgorithm)) { +throw exceptionHandler.handle(new SignatureException("algorithm from header and provided are different"), +SignatureExceptionType.DIFFERENT_ALGORITHMS); +} + +// Replace the algorithm provided by the headers with the algorithm given by the algorithm provider +Signature newSignature = Review comment: This is a bit hacky (I think), may be better: ``` Signature newSignature =new Signature(signature.getKeyId(), providedAlgorithm, signature.getSignature(), signature.getHeaders()); ``` ? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r231090994 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/AlgorithmProvider.java ## @@ -0,0 +1,12 @@ +package org.apache.cxf.rs.security.httpsignature; + +@FunctionalInterface +public interface AlgorithmProvider { + +/** + * + * @param keyId + * @return the algorithm name (which is never {@code null}) + */ +String getAlgorithmName(String keyId); Review comment: Hm ... The usage of this method in this PR implies it could be `null`, the example from the `MessageVerifier` class: ``` String providedAlgorithm = algorithmProvider.getAlgorithmName(signature.getKeyId()); Objects.requireNonNull(providedAlgorithm, "provided algorithm is null"); ``` If it cannot be null, we could add `javadoc` with the exception description to throw and remove such `null` checks since they are not relevant. What do you think? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228386134 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/SignatureException.java ## @@ -0,0 +1,7 @@ +package org.apache.cxf.rs.security.httpsignature; + +public class SignatureException extends RuntimeException { +public SignatureException(String message) { Review comment: You may need default constructor `public SignatureException()` since `RuntimeException` is serializable. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228385543 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/MessageVerifier.java ## @@ -0,0 +1,212 @@ +package org.apache.cxf.rs.security.httpsignature; + +import org.apache.cxf.common.logging.LogUtils; +import org.tomitribe.auth.signatures.Signature; +import org.tomitribe.auth.signatures.Verifier; + +import java.nio.charset.StandardCharsets; +import java.security.Key; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.Security; +import java.util.*; +import java.util.logging.Logger; + +public class MessageVerifier { +private ExceptionHandler exceptionHandler; + +private static final Logger LOG = LogUtils.getL7dLogger(MessageVerifier.class); + +public MessageVerifier(boolean verifyMessageBody) { +setExceptionHandler(null); +setSecurityProvider(null); +setAlgorithmProvider(null); +this.verifyMessageBody = verifyMessageBody; +} + +public MessageVerifier(PublicKeyProvider publicKeyProvider, + ExceptionHandler exceptionHandler, + SecurityProvider securityProvider, + AlgorithmProvider algorithmProvider, + boolean verifyMessageBody) +{ +Objects.requireNonNull(publicKeyProvider, "Public key provider cannot be null"); +this.publicKeyProvider = publicKeyProvider; +this.exceptionHandler = exceptionHandler; +this.securityProvider = securityProvider; +this.algorithmProvider = algorithmProvider; +this.verifyMessageBody = verifyMessageBody; +} + +private PublicKeyProvider publicKeyProvider; Review comment: Minor, could you please move all class fields before constructors? Thank you. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228386250 ## File path: systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/httpsignature/HttpSignatureFilter.java ## @@ -0,0 +1,4 @@ +package org.apache.cxf.systest.jaxrs.security.httpsignature; + +public class HttpSignatureFilter { Review comment: What this class if for? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228385478 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/SecurityProvider.java ## @@ -0,0 +1,15 @@ +package org.apache.cxf.rs.security.httpsignature; + +import java.security.Provider; + +@FunctionalInterface +public interface SecurityProvider { + +/** + * + * @param keyId + * @return the security provider (which is never {@code null}) + * @throws NullPointerException if the provided key ID is {@code null} + */ +Provider getProvider(String keyId); Review comment: `Optional`? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228385451 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/PublicKeyProvider.java ## @@ -0,0 +1,16 @@ +package org.apache.cxf.rs.security.httpsignature; + +import java.security.PublicKey; + +@FunctionalInterface +public interface PublicKeyProvider { + +/** + * + * @param keyId + * @return the public key (which is never {@code null}) + * @throws NullPointerException if the provided key ID is {@code null} + */ +PublicKey getKey(String keyId); Review comment: `Optional`? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228384452 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/MessageVerifier.java ## @@ -0,0 +1,212 @@ +package org.apache.cxf.rs.security.httpsignature; + +import org.apache.cxf.common.logging.LogUtils; +import org.tomitribe.auth.signatures.Signature; +import org.tomitribe.auth.signatures.Verifier; + +import java.nio.charset.StandardCharsets; +import java.security.Key; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.Security; +import java.util.*; +import java.util.logging.Logger; + +public class MessageVerifier { +private ExceptionHandler exceptionHandler; + +private static final Logger LOG = LogUtils.getL7dLogger(MessageVerifier.class); + +public MessageVerifier(boolean verifyMessageBody) { +setExceptionHandler(null); +setSecurityProvider(null); +setAlgorithmProvider(null); +this.verifyMessageBody = verifyMessageBody; +} + +public MessageVerifier(PublicKeyProvider publicKeyProvider, + ExceptionHandler exceptionHandler, + SecurityProvider securityProvider, + AlgorithmProvider algorithmProvider, + boolean verifyMessageBody) +{ +Objects.requireNonNull(publicKeyProvider, "Public key provider cannot be null"); +this.publicKeyProvider = publicKeyProvider; +this.exceptionHandler = exceptionHandler; +this.securityProvider = securityProvider; +this.algorithmProvider = algorithmProvider; +this.verifyMessageBody = verifyMessageBody; +} + +private PublicKeyProvider publicKeyProvider; + +private SecurityProvider securityProvider; + +private AlgorithmProvider algorithmProvider; + +private boolean verifyMessageBody; + +public void setSecurityProvider(SecurityProvider securityProvider) { +if (securityProvider != null) { +this.securityProvider = securityProvider; +} else { +this.securityProvider = (keyId) -> Security.getProvider("SunRsaSign"); +} +} + +public void setPublicKeyProvider(PublicKeyProvider publicKeyProvider) { +this.publicKeyProvider = publicKeyProvider; +} + +public void setAlgorithmProvider(AlgorithmProvider algorithmProvider) { +if (algorithmProvider != null) { +this.algorithmProvider = algorithmProvider; +} else { +this.algorithmProvider = (keyId) -> "rsa-sha256"; +} +} + +public ExceptionHandler getExceptionHandler() { +return exceptionHandler; +} + +public void setExceptionHandler(ExceptionHandler exceptionHandler) { +if (exceptionHandler != null) { +this.exceptionHandler = exceptionHandler; +} else { +this.exceptionHandler = (exception, type) -> new SignatureException("exception of type: " + type + " occurred"); +} +} + +public void verifyMessage(Map> messageHeaders, String messageBody) { +if (verifyMessageBody) { +inspectDigest(messageBody, messageHeaders); +} +verifyMessage(messageHeaders); +} + +public void verifyMessage(Map> messageHeaders) { +inspectIllegalState(); + +inspectMissingSignatureHeader(messageHeaders); + +inspectMultipleSignatureHeaders(messageHeaders); + +Signature signature = extractSignature(messageHeaders.get("Signature").get(0)); Review comment: Move `Signature` and other headers into `HttpSignatureHeaders` class? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228384074 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/MessageSigner.java ## @@ -0,0 +1,74 @@ +package org.apache.cxf.rs.security.httpsignature; + +import org.tomitribe.auth.signatures.Signature; + +import java.io.IOException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.util.Collections; +import java.util.List; +import java.util.Map; + +public class MessageSigner { +private final String digestAlgorithmName; +private final String signatureAlgorithmName; + +/** + * Message signer using standard digest and signing algorithm + */ +public MessageSigner() { +this("rsa-sha256", "SHA-256"); Review comment: Should `rsa-sha256` and `SHA-256` be encapsulated as constants? I see some of them several times in the code. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228383861 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/MessageVerifier.java ## @@ -0,0 +1,212 @@ +package org.apache.cxf.rs.security.httpsignature; + +import org.apache.cxf.common.logging.LogUtils; +import org.tomitribe.auth.signatures.Signature; +import org.tomitribe.auth.signatures.Verifier; + +import java.nio.charset.StandardCharsets; +import java.security.Key; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.Security; +import java.util.*; +import java.util.logging.Logger; + +public class MessageVerifier { +private ExceptionHandler exceptionHandler; + +private static final Logger LOG = LogUtils.getL7dLogger(MessageVerifier.class); + +public MessageVerifier(boolean verifyMessageBody) { +setExceptionHandler(null); Review comment: This `setXxx` are not necessary, `null` is the default value, right? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228383125 ## File path: rt/rs/security/http-signature/src/main/java/org/apache/cxf/rs/security/httpsignature/AlgorithmProvider.java ## @@ -0,0 +1,12 @@ +package org.apache.cxf.rs.security.httpsignature; + +@FunctionalInterface +public interface AlgorithmProvider { + +/** + * + * @param keyId + * @return the algorithm name (which is never {@code null}) + */ +String getAlgorithmName(String keyId); Review comment: May be `Optional` since `null` is not really useful? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228383047 ## File path: rt/rs/security/http-signature/pom.xml ## @@ -0,0 +1,73 @@ + + +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd;> +4.0.0 +bundle +Apache CXF Runtime JOSE Core + +Integrate https://tools.ietf.org/html/draft-cavage-http-signatures-09 as JAX-RS filters for signing and +verifying requests. + +http://cxf.apache.org + +org.apache.cxf +cxf-parent +3.3.0-SNAPSHOT +../../../../parent/pom.xml + + +http-signature + + + +org.tomitribe +tomitribe-http-signatures +1.1 + + +org.apache.cxf +cxf-core +${project.version} Review comment: I think `${project.version}` is not necessary anymore, should come from `cxf-parent` This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228382840 ## File path: rt/rs/security/http-signature/pom.xml ## @@ -0,0 +1,73 @@ + + +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd;> +4.0.0 +bundle +Apache CXF Runtime JOSE Core + +Integrate https://tools.ietf.org/html/draft-cavage-http-signatures-09 as JAX-RS filters for signing and +verifying requests. + +http://cxf.apache.org + +org.apache.cxf +cxf-parent +3.3.0-SNAPSHOT +../../../../parent/pom.xml + + +http-signature + + + +org.tomitribe +tomitribe-http-signatures +1.1 Review comment: We may better externalize version in the `parent/pom.xml`, like f.e. `${tomitribe.http.signatures.version}`, it could be helpful for bundling OSGi features. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228382840 ## File path: rt/rs/security/http-signature/pom.xml ## @@ -0,0 +1,73 @@ + + +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd;> +4.0.0 +bundle +Apache CXF Runtime JOSE Core + +Integrate https://tools.ietf.org/html/draft-cavage-http-signatures-09 as JAX-RS filters for signing and +verifying requests. + +http://cxf.apache.org + +org.apache.cxf +cxf-parent +3.3.0-SNAPSHOT +../../../../parent/pom.xml + + +http-signature + + + +org.tomitribe +tomitribe-http-signatures +1.1 Review comment: We may externalize version in the `parent/pom.xml`, like f.e. `${tomitribe.http.signatures.version}`, it could be helpful for bundling OSGi features. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] reta commented on a change in pull request #462: Httpsig
reta commented on a change in pull request #462: Httpsig URL: https://github.com/apache/cxf/pull/462#discussion_r228382663 ## File path: rt/rs/security/http-signature/pom.xml ## @@ -0,0 +1,73 @@ + + +http://maven.apache.org/POM/4.0.0; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance; + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd;> +4.0.0 +bundle +Apache CXF Runtime JOSE Core + +Integrate https://tools.ietf.org/html/draft-cavage-http-signatures-09 as JAX-RS filters for signing and +verifying requests. + +http://cxf.apache.org + +org.apache.cxf +cxf-parent +3.3.0-SNAPSHOT +../../../../parent/pom.xml + + +http-signature + Review comment: Could you please add ``` org.apache.cxf.rs.security.http.signature ``` This is automatic module name for Java 9+, thank you. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services