implemented alg:none at the signing service.

2013-08-26 12:45:43 -04:00 · 2013-08-26 12:45:43 -04:00 · 02078ebccb
parent d763a954da
commit 02078ebccb
3 changed files with 39 additions and 22 deletions
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainSigner.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainSigner.java
@ -30,6 +30,9 @@ import com.nimbusds.jose.util.Base64URL;
 /**
 * Signer to support "alg:none" JWS signing option (no signature).
 * 
+ * FIXME: The JWSSigner interface was never intended to be used with plain JWTs.
+ * Use of the signer/verifier pattern alongside the other JWSSigner/Verifiers will require refactoring.
+ * 
 * @author wkim
 *
 */
@ -44,7 +47,7 @@ public final class PlainSigner implements JWSSigner {
 	@Override
 	public Base64URL sign(ReadOnlyJWSHeader header, byte[] signingInput) throws JOSEException {
 		
-		if (header instanceof PlainHeader) {
+		if (header instanceof PlainHeader) { // XXX impossible due to interface method signature
 			
 			return new Base64URL("");
 			
@ -55,4 +58,14 @@ public final class PlainSigner implements JWSSigner {
 		}
 	}
 	
+	/**
+	 * Utility method to return an empty signature.
+	 * 
+	 * @return
+	 */
+	public static Base64URL sign() {
+		
+		return new Base64URL("");
+	}
+
 }
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainVerifier.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainVerifier.java
@ -33,6 +33,9 @@ import com.nimbusds.jwt.PlainJWT;
 /**
 * Verifier to support "alg:none" JWS signing option (no signature).
 * 
+ * FIXME: The JWSVerifier interface was never intended to be used with plain JWTs.
+ * Use of the signer/verifier pattern alongside the other JWSSigner/Verifiers will require refactoring.
+ * 
 * @author wkim
 *
 */
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
@ -53,7 +53,7 @@ import com.nimbusds.jwt.SignedJWT;

 public class DefaultJwtSigningAndValidationService implements JwtSigningAndValidationService {

-	public static final String ALG_NONE = "none"; // TODO storing a default "alg:none" id smells a bit..
+	public static final String ALG_NONE = "none";
 	
 	// map of identifier to signer
 	private Map<String, JWSSigner> signers = new HashMap<String, JWSSigner>();
@ -131,7 +131,7 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
 	}

 	/**
-	 * @param defaultSignerKeyId the defaultSignerKeyId to set
+	 * @param defaultSignerKeyId the defaultSignerKeyId to set. The "none" key id is reserved for alg:none in this implementation.
 	 */
 	public void setDefaultSignerKeyId(String defaultSignerId) {
 		this.defaultSignerKeyId = defaultSignerId;
@ -165,8 +165,6 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
 	private void buildSignersAndVerifiers() throws NoSuchAlgorithmException, InvalidKeySpecException {
 		
 		signers.put(ALG_NONE, new PlainSigner());
-		verifiers.put(ALG_NONE, new PlainVerifier());
-		
 		
 		for (Map.Entry<String, JWK> jwkEntry : keys.entrySet()) {

@ -230,10 +228,12 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
 				
 				// At this point, this is a plain JWT and is already good-to-go.
 				
-			} else { // we have a signable JWS at this point.
+			} else if (jwt instanceof SignedJWT) { // we have a signable JWS at this point.
 				
 				((SignedJWT) jwt).sign(signer);
 				
+			} else {
+				logger.warn("Attempted to sign an unsupported JWT type.");
 			}
 		} catch (JOSEException e) {

@ -270,10 +270,13 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
 				
 				// do nothing because PlainJWT is good already.	
 				
-			} else { // we have a signable JWS at this point.
+			} else if (jwt instanceof SignedJWT){ // we have a signable JWS at this point.
 			
 				((SignedJWT) jwt).sign(signer);
 				
+			} else {
+				
+				logger.warn("Attempted to sign an unsupported JWT type.");
 			}
 			
 		} catch (JOSEException e) {
@ -285,16 +288,15 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
 	@Override
 	public boolean validateSignature(JWT jwt) {

-		if (getDefaultSigningAlgorithm().equals(JWSAlgorithm.NONE) {
+		if (getDefaultSignerKeyId().equals(ALG_NONE) && (jwt instanceof PlainJWT)) {
 			
-			if (jwt instanceof PlainJWT) {
-				return 
-			}
-		}
+			return PlainVerifier.verify((PlainJWT) jwt);
+			
+		} else { 

 			for (JWSVerifier verifier : verifiers.values()) {
 				try {
-				if (jwt.verify(verifier)) {
+					if (((SignedJWT) jwt).verify(verifier)) {
 						return true;
 					}
 				} catch (JOSEException e) {
@ -302,6 +304,7 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
 					logger.error("Failed to validate signature, error was: ", e);
 				}
 			}
+		}
 		return false;
 	}

@ -329,8 +332,6 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid

 		Set<JWSAlgorithm> algs = new HashSet<JWSAlgorithm>();

-		//TODO add 'none'
-
 		for (JWSSigner signer : signers.values()) {
 			algs.addAll(signer.supportedAlgorithms());
 		}