|
|
|
@ -53,7 +53,7 @@ import com.nimbusds.jwt.SignedJWT;
|
|
|
|
|
|
|
|
|
|
|
|
public class DefaultJwtSigningAndValidationService implements JwtSigningAndValidationService {
|
|
|
|
public class DefaultJwtSigningAndValidationService implements JwtSigningAndValidationService {
|
|
|
|
|
|
|
|
|
|
|
|
public static final String ALG_NONE = "none"; // TODO storing a default "alg:none" id smells a bit..
|
|
|
|
public static final String ALG_NONE = "none";
|
|
|
|
|
|
|
|
|
|
|
|
// map of identifier to signer
|
|
|
|
// map of identifier to signer
|
|
|
|
private Map<String, JWSSigner> signers = new HashMap<String, JWSSigner>();
|
|
|
|
private Map<String, JWSSigner> signers = new HashMap<String, JWSSigner>();
|
|
|
|
@ -131,7 +131,7 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
* @param defaultSignerKeyId the defaultSignerKeyId to set
|
|
|
|
* @param defaultSignerKeyId the defaultSignerKeyId to set. The "none" key id is reserved for alg:none in this implementation.
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
public void setDefaultSignerKeyId(String defaultSignerId) {
|
|
|
|
public void setDefaultSignerKeyId(String defaultSignerId) {
|
|
|
|
this.defaultSignerKeyId = defaultSignerId;
|
|
|
|
this.defaultSignerKeyId = defaultSignerId;
|
|
|
|
@ -165,8 +165,6 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
|
|
|
|
private void buildSignersAndVerifiers() throws NoSuchAlgorithmException, InvalidKeySpecException {
|
|
|
|
private void buildSignersAndVerifiers() throws NoSuchAlgorithmException, InvalidKeySpecException {
|
|
|
|
|
|
|
|
|
|
|
|
signers.put(ALG_NONE, new PlainSigner());
|
|
|
|
signers.put(ALG_NONE, new PlainSigner());
|
|
|
|
verifiers.put(ALG_NONE, new PlainVerifier());
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for (Map.Entry<String, JWK> jwkEntry : keys.entrySet()) {
|
|
|
|
for (Map.Entry<String, JWK> jwkEntry : keys.entrySet()) {
|
|
|
|
|
|
|
|
|
|
|
|
@ -230,10 +228,12 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
|
|
|
|
|
|
|
|
|
|
|
|
// At this point, this is a plain JWT and is already good-to-go.
|
|
|
|
// At this point, this is a plain JWT and is already good-to-go.
|
|
|
|
|
|
|
|
|
|
|
|
} else { // we have a signable JWS at this point.
|
|
|
|
} else if (jwt instanceof SignedJWT) { // we have a signable JWS at this point.
|
|
|
|
|
|
|
|
|
|
|
|
((SignedJWT) jwt).sign(signer);
|
|
|
|
((SignedJWT) jwt).sign(signer);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
logger.warn("Attempted to sign an unsupported JWT type.");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} catch (JOSEException e) {
|
|
|
|
} catch (JOSEException e) {
|
|
|
|
|
|
|
|
|
|
|
|
@ -270,10 +270,13 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
|
|
|
|
|
|
|
|
|
|
|
|
// do nothing because PlainJWT is good already.
|
|
|
|
// do nothing because PlainJWT is good already.
|
|
|
|
|
|
|
|
|
|
|
|
} else { // we have a signable JWS at this point.
|
|
|
|
} else if (jwt instanceof SignedJWT){ // we have a signable JWS at this point.
|
|
|
|
|
|
|
|
|
|
|
|
((SignedJWT) jwt).sign(signer);
|
|
|
|
((SignedJWT) jwt).sign(signer);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
logger.warn("Attempted to sign an unsupported JWT type.");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
} catch (JOSEException e) {
|
|
|
|
} catch (JOSEException e) {
|
|
|
|
@ -285,16 +288,15 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
|
|
|
|
@Override
|
|
|
|
@Override
|
|
|
|
public boolean validateSignature(JWT jwt) {
|
|
|
|
public boolean validateSignature(JWT jwt) {
|
|
|
|
|
|
|
|
|
|
|
|
if (getDefaultSigningAlgorithm().equals(JWSAlgorithm.NONE) {
|
|
|
|
if (getDefaultSignerKeyId().equals(ALG_NONE) && (jwt instanceof PlainJWT)) {
|
|
|
|
|
|
|
|
|
|
|
|
if (jwt instanceof PlainJWT) {
|
|
|
|
return PlainVerifier.verify((PlainJWT) jwt);
|
|
|
|
return
|
|
|
|
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for (JWSVerifier verifier : verifiers.values()) {
|
|
|
|
for (JWSVerifier verifier : verifiers.values()) {
|
|
|
|
try {
|
|
|
|
try {
|
|
|
|
if (jwt.verify(verifier)) {
|
|
|
|
if (((SignedJWT) jwt).verify(verifier)) {
|
|
|
|
return true;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} catch (JOSEException e) {
|
|
|
|
} catch (JOSEException e) {
|
|
|
|
@ -302,6 +304,7 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
|
|
|
|
logger.error("Failed to validate signature, error was: ", e);
|
|
|
|
logger.error("Failed to validate signature, error was: ", e);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@ -329,8 +332,6 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
|
|
|
|
|
|
|
|
|
|
|
|
Set<JWSAlgorithm> algs = new HashSet<JWSAlgorithm>();
|
|
|
|
Set<JWSAlgorithm> algs = new HashSet<JWSAlgorithm>();
|
|
|
|
|
|
|
|
|
|
|
|
//TODO add 'none'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for (JWSSigner signer : signers.values()) {
|
|
|
|
for (JWSSigner signer : signers.values()) {
|
|
|
|
algs.addAll(signer.supportedAlgorithms());
|
|
|
|
algs.addAll(signer.supportedAlgorithms());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
William Kim
11 years ago