Use clients preferred algorithm, if any, to sign

2013-08-02 14:35:35 -04:00 · 2013-08-02 14:35:35 -04:00 · 0059c7b4cc
parent 2fb138aa19
commit 0059c7b4cc
3 changed files with 37 additions and 7 deletions
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
@ -72,8 +72,7 @@ public interface JwtSigningAndValidationService {
 	 * @param alg the name of the algorithm to use, as specified in JWS s.6
 	 * @return the signed jwt
 	 */
-	//TODO: implement later; only need signJwt(Jwt jwt) for now
-	//public Jwt signJwt(Jwt jwt, String alg);
+	public void signJwt(SignedJWT jwt, JWSAlgorithm alg);

 	/**
 	 * TODO: method to sign a jwt using a specified algorithm and a key id
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
@ -215,6 +215,33 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid

 	}

+	@Override
+	public void signJwt(SignedJWT jwt, JWSAlgorithm alg) {
+
+		JWSSigner signer = null;
+		
+		for (JWSSigner s : signers.values()) {
+			if (s.supportedAlgorithms().contains(alg)) {
+				signer = s;
+				break;
+			}
+		}
+		
+		if (signer == null) {
+			//If we can't find an algorithm that matches, we can't sign
+			logger.error("No matching algirthm found for alg=" + alg);
+			
+		}
+		
+		try {
+			jwt.sign(signer);
+		} catch (JOSEException e) {
+
+			logger.error("Failed to sign JWT, error was: ", e);
+		}
+		
+	}
+	
 	@Override
 	public boolean validateSignature(SignedJWT jwt) {

@ -266,4 +293,5 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
 		return algs;

 	}
+
 }
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@ -89,9 +89,14 @@ public class ConnectTokenEnhancer implements TokenEnhancer {

 		claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it

-		// TODO: use client's default signing algorithm
-
-		JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
+		JWSAlgorithm signingAlg; 
+		JWSAlgorithm clientAlg = client.getIdTokenSignedResponseAlg().getAlgorithm();
+		if (clientAlg != JWSAlgorithm.NONE) {
+			signingAlg = clientAlg;
+		} else {
+			signingAlg = jwtService.getDefaultSigningAlgorithm();
+		}
+		
 		SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);

 		jwtService.signJwt(signed);
@ -153,8 +158,6 @@ public class ConnectTokenEnhancer implements TokenEnhancer {

 			SignedJWT idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims);

-			//TODO: check for client's preferred signer alg and use that
-
 			jwtService.signJwt(idToken);

 			idTokenEntity.setJwt(idToken);