refactored JWKs, updated signing servier to use them

2012-06-25 17:19:25 -04:00 · 2012-06-25 17:19:25 -04:00 · 1127a7cfbc
parent adb8499bee
commit 1127a7cfbc
6 changed files with 26 additions and 56 deletions
--- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
+++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/AbstractOIDCAuthenticationFilter.java
@ -489,7 +489,6 @@ public class AbstractOIDCAuthenticationFilter extends
 				if(jwtValidator.validateSignature(jsonRoot.getAsJsonObject().get("id_token").getAsString())
 					&& idToken.getClaims().getIssuer() != null
 					&& idToken.getClaims().getIssuer().equals(serverConfig.getIssuer())
-					&& idToken.getClaims().getIssuer().equals(serverConfig.getClientId())
 					&& !jwtValidator.isJwtExpired(idToken)
 					&& jwtValidator.validateIssuedAt(idToken)){
 					
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
@ -20,6 +20,7 @@ import java.security.PublicKey;
 import java.util.Map;

 import org.mitre.jwt.model.Jwt;
+import org.mitre.jwt.signer.JwtSigner;

 public interface JwtSigningAndValidationService {

@ -28,7 +29,7 @@ public interface JwtSigningAndValidationService {
 	 * 
 	 * @return
 	 */
-	public Map<String, PublicKey> getAllPublicKeys();
+	public Map<String, JwtSigner> getAllSigners();

 	/**
 	 * Check to see if this JWT has expired or not
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/AbstractJwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/AbstractJwtSigningAndValidationService.java
@ -50,7 +50,8 @@ public abstract class AbstractJwtSigningAndValidationService implements JwtSigni
 		Date issuedAt = jwt.getClaims().getIssuedAt();
 		
 		if (issuedAt != null) {
-			return new Date().before(issuedAt);
+			// make sure the token was issued in the past
+			return new Date().after(issuedAt);
 		} else {
 			return false;
 		}
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/JwtSigningAndValidationServiceDefault.java
@ -77,34 +77,20 @@ public class JwtSigningAndValidationServiceDefault extends AbstractJwtSigningAnd

 	}

-	/*
-	 * (non-Javadoc)
+	/**
+	 * 
+	 * Returns a copy of the collection of signers.
 	 * 
 	 * @see
 	 * org.mitre.jwt.signer.service.JwtSigningAndValidationService#getAllPublicKeys
 	 * ()
 	 */
 	@Override
-	public Map<String, PublicKey> getAllPublicKeys() {
+	public Map<String, JwtSigner> getAllSigners() {

-		Map<String, PublicKey> map = new HashMap<String, PublicKey>();
+		Map<String, JwtSigner> map = new HashMap<String, JwtSigner>();

-		for (String signerId : signers.keySet()) {
-
-			JwtSigner signer = signers.get(signerId);
-			
-			if (signer instanceof RsaSigner) {
-
-				RsaSigner rsa = (RsaSigner)signer;
-				
-				PublicKey publicKey = rsa.getPublicKey();
-
-				if (publicKey != null) {
-					map.put(signerId, publicKey);
-				}
-
-			}
-		}
+		map.putAll(signers);

 		return map;
 	}
@ -165,23 +151,4 @@ public class JwtSigningAndValidationServiceDefault extends AbstractJwtSigningAnd
 		return signers;
 	}

-	@Override
-	public boolean validateIssuedAt(Jwt jwt) {
-		Date issuedAt = jwt.getClaims().getIssuedAt();
-		
-		if (issuedAt != null)
-			return new Date().before(issuedAt);
-		else
-			return false;
-	}
-
-	@Override
-	public boolean validateNonce(Jwt jwt, String nonce) {
-		if(nonce.equals(jwt.getClaims().getNonce())){
-			return true;
-		}
-		else{
-			return false;
-		}
-	}
 }
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JwkKeyListView.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/view/JwkKeyListView.java
@ -30,6 +30,8 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

 import org.apache.commons.codec.binary.Base64;
+import org.mitre.jwt.signer.JwtSigner;
+import org.mitre.jwt.signer.impl.RsaSigner;
 import org.springframework.validation.BeanPropertyBindingResult;
 import org.springframework.web.servlet.view.AbstractView;

@ -77,19 +79,22 @@ public class JwkKeyListView extends AbstractView {
 		
 		Writer out = response.getWriter();
 		
-		BiMap<String, PublicKey> keyMap = (BiMap<String, PublicKey>) model.get("keys");
+		//BiMap<String, PublicKey> keyMap = (BiMap<String, PublicKey>) model.get("keys");
+		Map<String, JwtSigner> signers = (Map<String, JwtSigner>) model.get("signers");
 		
 		JsonObject obj = new JsonObject();
 		JsonArray keys = new JsonArray();
 		obj.add("keys", keys);
 		
-		for (String keyId : keyMap.keySet()) {
+		for (String keyId : signers.keySet()) {

-			PublicKey src = keyMap.get(keyId);
+			JwtSigner src = signers.get(keyId);

-			if (src instanceof RSAPublicKey) {
+			if (src instanceof RsaSigner) {
 				
-				RSAPublicKey rsa = (RSAPublicKey)src;
+				RsaSigner rsaSigner = (RsaSigner) src;
+				
+				RSAPublicKey rsa = (RSAPublicKey) rsaSigner.getPublicKey(); // we're sure this is an RSAPublicKey b/c this is an RsaSigner
 				
 				
 				BigInteger mod = rsa.getModulus();
@ -101,13 +106,13 @@ public class JwkKeyListView extends AbstractView {
 				JsonObject o = new JsonObject();

 				o.addProperty("use", "sig"); // since we don't do encryption yet
-				o.addProperty("alg", "RS" + rsa.getModulus().bitLength()); // we know this is RSA
+				o.addProperty("alg", rsaSigner.getAlgorithm()); // we know this is RSA
 				o.addProperty("mod", m64);
 				o.addProperty("exp", e64);
 				o.addProperty("kid", keyId);

 				keys.add(o);
-			}
+			} // TODO: deal with non-RSA key types
        }
 		
 		gson.toJson(obj, out);
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/JsonWebKeyEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/JsonWebKeyEndpoint.java
@ -21,6 +21,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;

+import org.mitre.jwt.signer.JwtSigner;
 import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
@ -40,16 +41,12 @@ public class JsonWebKeyEndpoint {
 	@RequestMapping("/jwk")
 	public ModelAndView getJwk() {
 		
-		// get all public keys for display
-		// map from key id to public key for that signer
-		Map<String, PublicKey> keys = jwtService.getAllPublicKeys();
-
-		// put them into a bidirectional map to get at key IDs
-		BiMap<String, PublicKey> biKeys = HashBiMap.create(keys);
+		// map from key id to signer
+		Map<String, JwtSigner> signers = jwtService.getAllSigners();
 		
 		// TODO: check if keys are empty, return a 404 here or just an empty list?
 		
-		return new ModelAndView("jwkKeyList", "keys", biKeys);
+		return new ModelAndView("jwkKeyList", "signers", signers);
 	}
 	
 }