updated encryption to sign using int value rather than alg

pull/105/head
Mike Derryberry 2012-07-06 09:12:43 -04:00
parent cd222ad66e
commit 025f7f3d66
5 changed files with 128 additions and 17 deletions


@ -70,6 +70,46 @@ public class JweHeader extends JwtHeader{
super.loadFromJsonObject(pass); super.loadFromJsonObject(pass);
} }
public String getIntegrity() {
return INTEGRITY;
}
public String getInitializationVector() {
return INITIALIZATION_VECTOR;
}
public String getEphemeralPublicKey() {
return EPHEMERAL_PUBLIC_KEY;
}
public String getCompressionAlgorithm() {
return COMPRESSION_ALGORITHM;
}
public String getJsonSetUrl() {
return JSON_SET_URL;
}
public String getJsonWebKey() {
return JSON_WEB_KEY;
}
public String getX509Url() {
return X509_URL;
}
public String getX509CertificateThumbprint() {
return X509_CERTIFICATE_THUMBPRINT;
}
public String getX509CertificateChain() {
return X509_CERTIFICATE_CHAIN;
}
public String getKeyId() {
return KEY_ID;
}
public void setIv(String iv) { public void setIv(String iv) {
setClaim(INITIALIZATION_VECTOR, iv); setClaim(INITIALIZATION_VECTOR, iv);
} }
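Review bot: The new getters return the header-name constants rather than the values stored in the header: `getIntegrity()` returns `INTEGRITY`, while `setIv` just below uses `INITIALIZATION_VECTOR` as the claim key in `setClaim(INITIALIZATION_VECTOR, iv)`. If `INTEGRITY` is likewise the claim name (its definition is outside this hunk), a caller that compares `getIntegrity()` against algorithm names such as `HS256` will never match. Each getter should read the stored value through whatever claim accessor the class offers (not visible here), and each deserves a one-line Javadoc naming the header parameter it returns.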


@ -5,11 +5,11 @@ import org.mitre.jwe.model.Jwe;
import org.mitre.jwt.encryption.AbstractJweDecrypter; import org.mitre.jwt.encryption.AbstractJweDecrypter;
import org.mitre.jwt.model.JwtHeader; import org.mitre.jwt.model.JwtHeader;
public class RsaDecrypter extends AbstractJweDecrypter { public class Decrypter extends AbstractJweDecrypter {
private Jwe jwe; private Jwe jwe;
public RsaDecrypter(Jwe jwe) { public Decrypter(Jwe jwe) {
setJwe(jwe); setJwe(jwe);
} }
@ -29,10 +29,20 @@ public class RsaDecrypter extends AbstractJweDecrypter {
String alg = jwe.getHeader().getAlgorithm(); String alg = jwe.getHeader().getAlgorithm();
if(alg.equals("RS256") || alg.equals("RS384") || alg.equals("RS512")) { if(alg.equals("RS256") || alg.equals("RS384") || alg.equals("RS512")) {
//Base 64 decode each part of the jwe
String decodedHeader = new String(Base64.decodeBase64(jwe.getHeader().toString())); String decodedHeader = new String(Base64.decodeBase64(jwe.getHeader().toString()));
JwtHeader unencryptedHeader = new JwtHeader(decodedHeader); JwtHeader unencryptedHeader = new JwtHeader(decodedHeader);
String decodedEncryptionKey = new String(Base64.decodeBase64(jwe.getEncryptedKey().toString()));
jwe.setEncryptedKey(decodedEncryptionKey.getBytes());
String decodedCiphertext = new String(Base64.decodeBase64(jwe.getCiphertext().toString()));
jwe.setCiphertext(decodedCiphertext.getBytes());
String decodedSig = new String(Base64.decodeBase64(jwe.getSignature())); String decodedSig = new String(Base64.decodeBase64(jwe.getSignature()));
//create new jwe using the decoded header and signature, and decrypt the ciphertext and key
jwe.setHeader(unencryptedHeader); jwe.setHeader(unencryptedHeader);
jwe.setCiphertext(decryptCipherText(jwe).getBytes()); jwe.setCiphertext(decryptCipherText(jwe).getBytes());
jwe.setEncryptedKey(decryptEncryptionKey(jwe)); jwe.setEncryptedKey(decryptEncryptionKey(jwe));
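Review bot: The added decoding of the encrypted key and the ciphertext passes raw bytes through `new String(...)` and back through `getBytes()` with the platform default charset, which does not preserve arbitrary binary data, so both values can be altered before decryption. Keep them as bytes, e.g. `jwe.setCiphertext(Base64.decodeBase64(jwe.getCiphertext().toString()));`, and the same for the encrypted key. If `getEncryptedKey()` and `getCiphertext()` return `byte[]` (their types are not visible here), `.toString()` yields the array's identity string rather than its contents, so the input to the decoder needs checking too. The enclosing method starts and ends outside this hunk.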


@ -6,9 +6,9 @@ import org.mitre.jwe.model.Jwe;
import org.mitre.jwe.model.JweHeader; import org.mitre.jwe.model.JweHeader;
import org.mitre.jwt.encryption.AbstractJweEncrypter; import org.mitre.jwt.encryption.AbstractJweEncrypter;
import org.mitre.jwt.model.JwtClaims; import org.mitre.jwt.model.JwtClaims;
import org.mitre.jwt.signer.impl.RsaSigner; import org.mitre.jwt.signer.impl.HmacSigner;
public class RsaEncrypter extends AbstractJweEncrypter { public class Encrypter extends AbstractJweEncrypter {
private Jwe jwe; private Jwe jwe;
@ -18,7 +18,7 @@ public class RsaEncrypter extends AbstractJweEncrypter {
private String signature; private String signature;
public RsaEncrypter(Jwe jwe) { public Encrypter(Jwe jwe) {
setJwe(jwe); setJwe(jwe);
setHeader(jwe.getHeader()); setHeader(jwe.getHeader());
setClaims(jwe.getClaims()); setClaims(jwe.getClaims());
@ -62,18 +62,28 @@ public class RsaEncrypter extends AbstractJweEncrypter {
public Jwe encryptAndSign(Jwe jwe) { public Jwe encryptAndSign(Jwe jwe) {
String alg = jwe.getHeader().getAlgorithm(); String alg = jwe.getHeader().getAlgorithm();
String iv = jwe.getHeader().getIntegrity();
if(alg.equals("RS256") || alg.equals("RS384") || alg.equals("RS512")) { if(alg.equals("RS256") || alg.equals("RS384") || alg.equals("RS512")) {
jwe.setCiphertext(encryptClaims(jwe)); jwe.setCiphertext(encryptClaims(jwe));
jwe.setEncryptedKey(encryptKey(jwe)); jwe.setEncryptedKey(encryptKey(jwe));
RsaSigner rsaSigner = new RsaSigner(); //TODO: Add parameters to RsaSigner. ie: keys from keystore (null at the moment) if(iv.equals("HS256") || iv.equals("HS384") || iv.equals("HS512")){
HmacSigner hmacSigner = new HmacSigner(); //TODO: Add parameters to RsaSigner. ie: keys from keystore (null at the moment)
try { try {
jwe = (Jwe) rsaSigner.sign(jwe); jwe = (Jwe) hmacSigner.sign(jwe);
} catch (NoSuchAlgorithmException e) { } catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block // TODO Auto-generated catch block
e.printStackTrace(); e.printStackTrace();
} }
} else if(iv.equals("RS256") || iv.equals("RS384") || iv.equals("RS512")) {
throw new IllegalArgumentException("Integrity Value must use Hmac signing");
} else {
throw new IllegalArgumentException("Not a valid integrity value algorithm");
}
} else if(alg.equals("HS256") || alg.equals("HS384") || alg.equals("HS512")){ } else if(alg.equals("HS256") || alg.equals("HS384") || alg.equals("HS512")){
throw new IllegalArgumentException("Cannot use Hmac for encryption"); throw new IllegalArgumentException("Cannot use Hmac for encryption");


@ -19,6 +19,7 @@ import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset; import java.nio.charset.Charset;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.List;
import javax.crypto.Mac; import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.SecretKeySpec;
@ -31,6 +32,11 @@ import org.mitre.jwt.signer.JwsAlgorithm;
import org.springframework.beans.factory.InitializingBean; import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import com.google.common.base.Splitter;
import com.google.common.collect.Lists;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
/** /**
* JWT Signer using either the HMAC SHA-256, SHA-384, SHA-512 hash algorithm * JWT Signer using either the HMAC SHA-256, SHA-384, SHA-512 hash algorithm
* *
@ -140,7 +146,16 @@ public class HmacSigner extends AbstractJwtSigner implements InitializingBean {
*/ */
@Override @Override
public String generateSignature(String signatureBase) throws NoSuchAlgorithmException { public String generateSignature(String signatureBase) throws NoSuchAlgorithmException {
afterPropertiesSet();
List<String> parts = Lists.newArrayList(Splitter.on(".").split(signatureBase));
if (parts.size() == 2) {
initializeMac();
}
else if (parts.size() == 3) {
initializeMacJwe(signatureBase);
}
if (passphrase == null) { if (passphrase == null) {
throw new IllegalArgumentException("Passphrase cannot be null"); throw new IllegalArgumentException("Passphrase cannot be null");
} }
@ -178,6 +193,30 @@ public class HmacSigner extends AbstractJwtSigner implements InitializingBean {
this.passphrase = passphrase; this.passphrase = passphrase;
} }
public void initializeMac() {
try {
mac = Mac.getInstance(JwsAlgorithm.getByName(super.getAlgorithm()).getStandardName());
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
public void initializeMacJwe(String signatureBase) {
List<String> parts = Lists.newArrayList(Splitter.on(".").split(signatureBase));
String header = parts.get(0);
JsonParser parser = new JsonParser();
JsonObject object = (JsonObject) parser.parse(header);
try {
mac = Mac.getInstance(JwsAlgorithm.getByName(object.get("int").getAsString())
.getStandardName());
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
/* /*
* (non-Javadoc) * (non-Javadoc)
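Review bot: `initializeMac()` and `initializeMacJwe()` catch `NoSuchAlgorithmException` and only print it, which leaves `mac` null or still holding the instance from an earlier call while `generateSignature` carries on; since `generateSignature` already declares `throws NoSuchAlgorithmException`, both helpers can declare it and drop the try/catch. In `generateSignature`, a signature base with neither two nor three parts initialises nothing, so an explicit `else { throw new IllegalArgumentException("Unexpected signature base"); }` is needed. `initializeMacJwe` parses `parts.get(0)` as JSON and calls `object.get("int").getAsString()` unchecked: a missing `int` member gives a `NullPointerException`, and if the signature base carries the header Base64url-encoded (not visible here) the parse will not yield a `JsonObject` at all. The algorithm is taken from the token's header and not from the signer's configuration, so the value should be checked against the HMAC algorithms this signer supports before `Mac.getInstance` is called. `initializeSignerJwe` in RsaSigner reads `int` the same way and needs the same checks.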


@ -36,6 +36,8 @@ import org.springframework.util.Assert;
import com.google.common.base.Splitter; import com.google.common.base.Splitter;
import com.google.common.collect.Lists; import com.google.common.collect.Lists;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
/** /**
* JWT Signer using either the RSA SHA-256, SHA-384, SHA-512 hash algorithm * JWT Signer using either the RSA SHA-256, SHA-384, SHA-512 hash algorithm
@ -174,13 +176,13 @@ public class RsaSigner extends AbstractJwtSigner implements InitializingBean {
public String generateSignature(String signatureBase) throws NoSuchAlgorithmException { public String generateSignature(String signatureBase) throws NoSuchAlgorithmException {
String sig = null; String sig = null;
try { List<String> parts = Lists.newArrayList(Splitter.on(".").split(signatureBase));
initializeSigner();
} catch (GeneralSecurityException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
if(parts.size() == 2) {
initializeSigner();
} else if (parts.size() == 3) {
initializeSignerJwe(signatureBase);
}
try { try {
signer.initSign(privateKey); signer.initSign(privateKey);
signer.update(signatureBase.getBytes("UTF-8")); signer.update(signatureBase.getBytes("UTF-8"));
@ -237,6 +239,16 @@ public class RsaSigner extends AbstractJwtSigner implements InitializingBean {
signer = Signature.getInstance(JwsAlgorithm.getByName(super.getAlgorithm()).getStandardName()); signer = Signature.getInstance(JwsAlgorithm.getByName(super.getAlgorithm()).getStandardName());
} }
public void initializeSignerJwe(String signatureBase) throws NoSuchAlgorithmException {
List<String> parts = Lists.newArrayList(Splitter.on(".").split(signatureBase));
String header = parts.get(0);
JsonParser parser = new JsonParser();
JsonObject object = (JsonObject) parser.parse(header);
signer = Signature.getInstance(JwsAlgorithm.getByName(object.get("int").getAsString()).getStandardName());
}
/* /*
* (non-Javadoc) * (non-Javadoc)
* *