From 066cf62f3bc8eccab32aff78e4d4dded7fd63336 Mon Sep 17 00:00:00 2001 From: nemonik Date: Fri, 17 Feb 2012 12:16:26 -0500 Subject: [PATCH 1/2] additional signer service code --- server/pom.xml | 2 +- .../mitre/jwt/signer/impl/EcdsaSigner.java | 20 +++++--- .../org/mitre/jwt/signer/impl/RsaSigner.java | 2 + .../jwt/signer/service/impl/KeyStore.java | 2 +- .../service/impl/ServiceDefinitionParser.java | 50 +++++++++++++++++-- .../signer/service/impl/jwt-signer-1.0.xsd | 34 +++++++++++++ .../jwt/signer/service/impl/KeyStoreTest.java | 4 +- 7 files changed, 101 insertions(+), 13 deletions(-) diff --git a/server/pom.xml b/server/pom.xml index 2002d6175..dec9d7e27 100644 --- a/server/pom.xml +++ b/server/pom.xml @@ -256,7 +256,7 @@ org.bouncycastle - bcprov-jdk16 + bcprov-ext-jdk16 1.46 diff --git a/server/src/main/java/org/mitre/jwt/signer/impl/EcdsaSigner.java b/server/src/main/java/org/mitre/jwt/signer/impl/EcdsaSigner.java index 2ac0d86ad..06c8dd3e7 100644 --- a/server/src/main/java/org/mitre/jwt/signer/impl/EcdsaSigner.java +++ b/server/src/main/java/org/mitre/jwt/signer/impl/EcdsaSigner.java @@ -3,13 +3,10 @@ package org.mitre.jwt.signer.impl; import java.io.UnsupportedEncodingException; import java.security.GeneralSecurityException; import java.security.KeyPair; -import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.PublicKey; import java.security.Signature; import java.security.SignatureException; -import java.security.interfaces.RSAPrivateKey; -import java.security.interfaces.RSAPublicKey; import java.util.List; import org.apache.commons.codec.binary.Base64; 
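Review bot: The swap from bcprov-jdk16 to bcprov-ext-jdk16 in the pom.xml hunk is not explained in the hunk or in the commit message; as far as I know the SHA*withECDSA algorithms that EcdsaSigner requests from provider "BC" are already in the base bcprov jar, so the reason for the larger -ext artifact is unclear from this patch. Changing the artifact changes what ends up on the classpath, which is worth recording for whoever audits dependencies later. I would add an XML comment beside the artifactId, e.g. `<!-- bcprov-ext needed for: [REASON] -->`, or state the reason in the commit message.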
@@ -22,6 +19,14 @@ import org.springframework.beans.factory.InitializingBean; import com.google.common.base.Splitter; import com.google.common.collect.Lists; +/** + * JWT Signer using either the ECDSA SHA-256, SHA-384, SHA-512 hash algorithm + * + * @author AANGANES, nemonik + * + * Requires static install of BC + * + */ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean { /** @@ -37,7 +42,8 @@ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean { ES384("SHA384withECDSA"), ES512("SHA512withECDSA"); - private static final String DEFAULT = Algorithm.ES256.toString(); + public static final String DEFAULT = Algorithm.ES256.toString(); + public static final String PREPEND = "ES"; /** * Returns the Algorithm for the name @@ -75,6 +81,8 @@ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean { } }; + static final String PROVIDER = "BC"; + private static Log logger = LogFactory.getLog(EcdsaSigner.class); public static final String KEYPAIR_ALGORITHM = "EC"; @@ -118,8 +126,8 @@ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean { setPassword(password); try { - signer = Signature.getInstance(Algorithm.getByName(algorithmName).getStandardName()); //, PROVIDER) - } catch (NoSuchAlgorithmException e) { + signer = Signature.getInstance(Algorithm.getByName(algorithmName).getStandardName(), PROVIDER); + } catch (GeneralSecurityException e) { // TODO Auto-generated catch block e.printStackTrace(); } diff --git a/server/src/main/java/org/mitre/jwt/signer/impl/RsaSigner.java b/server/src/main/java/org/mitre/jwt/signer/impl/RsaSigner.java index 3c933e062..95b0f2a81 100644 --- a/server/src/main/java/org/mitre/jwt/signer/impl/RsaSigner.java +++ b/server/src/main/java/org/mitre/jwt/signer/impl/RsaSigner.java 
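Review bot: In the last EcdsaSigner hunk (@@ -118,8 +126,8) `Signature.getInstance(..., PROVIDER)` can now also fail because the provider is absent, but the widened `catch (GeneralSecurityException e)` only prints the stack trace and leaves `signer` unset, so a deployment where "BC" was never registered (the Javadoc added in the @@ -22 hunk only says it "Requires static install of BC", and nothing in this class registers or checks the provider introduced in the @@ -75 hunk) builds a signer that fails later at sign/verify time rather than at startup. Failing loudly here is the safer behaviour: `} catch (GeneralSecurityException e) { throw new IllegalStateException("Cannot initialise " + algorithmName + " signer from provider " + PROVIDER, e); }`. Since the class implements InitializingBean, afterPropertiesSet could additionally check `Security.getProvider(PROVIDER) != null` and report a clear message. The constructor or initialiser that contains this catch starts and ends outside the hunk, so I cannot see whether anything downstream already guards against a null `signer`.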
@@ -40,7 +40,9 @@ public class RsaSigner extends AbstractJwtSigner implements InitializingBean { RS256("SHA256withRSA"), RS384("SHA384withRSA"), RS512("SHA512withRSA"); public static final String DEFAULT = Algorithm.RS256.toString(); + public static final String PREPEND = "RS"; + /** * Returns the Algorithm for the name * diff --git a/server/src/main/java/org/mitre/jwt/signer/service/impl/KeyStore.java b/server/src/main/java/org/mitre/jwt/signer/service/impl/KeyStore.java index dc6431d36..9592316e7 100644 --- a/server/src/main/java/org/mitre/jwt/signer/service/impl/KeyStore.java +++ b/server/src/main/java/org/mitre/jwt/signer/service/impl/KeyStore.java @@ -22,7 +22,7 @@ import org.springframework.core.io.Resource; public class KeyStore implements InitializingBean { private static Log logger = LogFactory.getLog(KeyStore.class); - + public static final String TYPE = java.security.KeyStore.getDefaultType(); public static final String PASSWORD = "changeit"; diff --git a/server/src/main/java/org/mitre/jwt/signer/service/impl/ServiceDefinitionParser.java b/server/src/main/java/org/mitre/jwt/signer/service/impl/ServiceDefinitionParser.java index 2a7d53aa7..2bd381f85 100644 --- a/server/src/main/java/org/mitre/jwt/signer/service/impl/ServiceDefinitionParser.java +++ b/server/src/main/java/org/mitre/jwt/signer/service/impl/ServiceDefinitionParser.java @@ -4,6 +4,7 @@ import java.util.List; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.mitre.jwt.signer.impl.EcdsaSigner; import org.mitre.jwt.signer.impl.HmacSigner; import org.mitre.jwt.signer.impl.RsaSigner; import org.springframework.beans.BeanMetadataElement; 
@@ -42,7 +43,7 @@ public class ServiceDefinitionParser extends AbstractSingleBeanDefinitionParser ManagedList signers = new ManagedList(); List signerElements = DomUtils.getChildElementsByTagName( - element, new String[] { "rsa", "hmac" }); + element, new String[] { "rsa", "ecdsa", "hmac" }); for (Element signerElement : signerElements) { @@ -55,7 +56,7 @@ public class ServiceDefinitionParser extends AbstractSingleBeanDefinitionParser String bits = signerElement.getAttribute("bits"); if (StringUtils.hasText(bits)) { - signer.addConstructorArgValue("RS".concat(bits)); + signer.addConstructorArgValue(RsaSigner.Algorithm.PREPEND.concat(bits)); } else { signer.addConstructorArgValue(RsaSigner.Algorithm.DEFAULT); } 
@@ -89,6 +90,49 @@ public class ServiceDefinitionParser extends AbstractSingleBeanDefinitionParser signers.add(signer.getBeanDefinition()); + } else if (signerElement.getTagName().contains("ecdsa")) { + + logger.debug("parsing ecdsa element"); + + BeanDefinitionBuilder signer = BeanDefinitionBuilder + .rootBeanDefinition(EcdsaSigner.class); + + String bits = signerElement.getAttribute("bits"); + if (StringUtils.hasText(bits)) { + signer.addConstructorArgValue(EcdsaSigner.Algorithm.PREPEND.concat(bits)); + } else { + signer.addConstructorArgValue(EcdsaSigner.Algorithm.DEFAULT); + } + + String keystoreRef = signerElement.getAttribute("keystore-ref"); + if (!StringUtils.hasText(keystoreRef)) { + parserContext + .getReaderContext() + .error("A keystore-ref must be supplied with the definition of a ecdsa.", + signerElement); + } else { + signer.addConstructorArgReference(keystoreRef); + } + + String alias = signerElement.getAttribute("key-alias"); + if (!StringUtils.hasText(alias)) { + parserContext + .getReaderContext() + .error("An key-alias must be supplied with the definition of a ecdsa.", + signerElement); + } else { + signer.addConstructorArgValue(alias); + } + + String password = signerElement.getAttribute("password"); + if (StringUtils.hasText(password)) { + signer.addConstructorArgValue(password); + } else { + signer.addConstructorArgValue(EcdsaSigner.DEFAULT_PASSWORD); + } + + signers.add(signer.getBeanDefinition()); + } else if (signerElement.getTagName().contains("hmac")) { logger.debug("parsing hmac element"); @@ -114,7 +158,7 @@ public class ServiceDefinitionParser extends AbstractSingleBeanDefinitionParser } signers.add(signer.getBeanDefinition()); - } + } } builder.addPropertyValue("signers", signers); diff --git a/server/src/main/resources/org/mitre/jwt/signer/service/impl/jwt-signer-1.0.xsd b/server/src/main/resources/org/mitre/jwt/signer/service/impl/jwt-signer-1.0.xsd index 81b06f12c..cb3e606fa 100644 
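Review bot: In the new ecdsa branch a missing `password` attribute silently falls back to `EcdsaSigner.DEFAULT_PASSWORD`, whereas a missing keystore-ref or key-alias is reported through `parserContext.getReaderContext().error(...)`; a configuration that forgets the attribute therefore ends up protecting the signing key with a built-in default and gets no diagnostic. Either treat it like the other two attributes or at least log it: `logger.warn("no password supplied for ecdsa key-alias " + alias + "; using the default");` (never log the password value itself). The two error messages also read oddly and should be `"A keystore-ref must be supplied with the definition of an ecdsa."` and `"A key-alias must be supplied with the definition of an ecdsa."`. The branch is otherwise a copy of the rsa branch above it (which starts outside this hunk) with the class and constants swapped, so a private helper taking the signer class, algorithm prefix, default algorithm and default password would remove the duplication; `EcdsaSigner.DEFAULT_PASSWORD` is not visible anywhere in this patch, so confirm it exists.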
--- a/server/src/main/resources/org/mitre/jwt/signer/service/impl/jwt-signer-1.0.xsd +++ b/server/src/main/resources/org/mitre/jwt/signer/service/impl/jwt-signer-1.0.xsd @@ -71,6 +71,40 @@ + + + + Configures an ECDSA signer. + + + + + + + + The reference to the bean that defines the + KeyStore. + + + + + + + The alias to the KeyPair to use for + signing/verifying. + + + + + + + The password to the KeyPair to use for + signing/verifying. + + + + + diff --git a/server/src/test/java/org/mitre/jwt/signer/service/impl/KeyStoreTest.java b/server/src/test/java/org/mitre/jwt/signer/service/impl/KeyStoreTest.java index f07a6cafd..1be36f671 100644 --- a/server/src/test/java/org/mitre/jwt/signer/service/impl/KeyStoreTest.java +++ b/server/src/test/java/org/mitre/jwt/signer/service/impl/KeyStoreTest.java @@ -15,7 +15,6 @@ import java.security.KeyPairGenerator; import java.security.PrivateKey; import java.security.Security; import java.security.cert.X509Certificate; -import java.security.interfaces.RSAPrivateKey; import java.util.Date; import org.bouncycastle.jce.X509Principal; @@ -39,8 +38,9 @@ public class KeyStoreTest { @Qualifier("testKeystore") KeyStore keystore; + static final String PROVIDER = "BC"; + static { - // Needed to create the certificate Security.addProvider(new BouncyCastleProvider()); } From 0fe4c13c4573834d3dd8820e735cfa09a2b364c7 Mon Sep 17 00:00:00 2001 From: nemonik Date: Fri, 17 Feb 2012 12:20:12 -0500 Subject: [PATCH 2/2] these should of been removed --- .../jwt/signer/service/impl/jwt-signer.xsd | 93 ------------------ .../main/webapp/WEB-INF/spring/keystore.jks | Bin 2165 -> 0 bytes 2 files changed, 93 deletions(-) delete mode 100644 server/src/main/resources/org/mitre/jwt/signer/service/impl/jwt-signer.xsd delete mode 100644 server/src/main/webapp/WEB-INF/spring/keystore.jks 
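Review bot: The KeyStoreTest hunk (@@ -39,8 +38,9) drops the `// Needed to create the certificate` comment from the static block while keeping the `Security.addProvider(new BouncyCastleProvider())` call; with EcdsaSigner now requesting provider "BC" by name, that registration is presumably load-bearing for more than certificate creation, and the removed comment was the only explanation of why it is there. I would keep a why-comment, e.g. `// Register BC: needed to build the test certificate and for signers that request provider "BC" by name`. The added `PROVIDER` constant is not used inside the hunk; if it is used further down the test that is fine, but it duplicates EcdsaSigner.PROVIDER, which is declared without a modifier (package-private in org.mitre.jwt.signer.impl) and so cannot be reused from this test package — making that one public would avoid two copies of the same provider name.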
diff --git a/server/src/main/resources/org/mitre/jwt/signer/service/impl/jwt-signer.xsd b/server/src/main/resources/org/mitre/jwt/signer/service/impl/jwt-signer.xsd deleted file mode 100644 index fb986ea0b..000000000 --- a/server/src/main/resources/org/mitre/jwt/signer/service/impl/jwt-signer.xsd +++ /dev/null @@ -1,93 +0,0 @@ - - - - - - - - - Describes the JCE KeyStore necessary for certain - signers. - - - - - - - - - - - - - - - - Configures the signer service with these signers. - - - - - - - - - - Configures an RSA signer. - - - - - - - - The reference to the bean that defines the - KeyStore. - - - - - - - The alias to the KeyPair to use for - signing/verifying. - - - - - - - The password to the KeyPair to use for - signing/verifying. - - - - - - - - - Configures an HMAC signer. - - - - - - - - The passphrase used for signing/verifying. - - - - - - - - - - - \ No newline at end of file 
diff --git a/server/src/main/webapp/WEB-INF/spring/keystore.jks b/server/src/main/webapp/WEB-INF/spring/keystore.jks deleted file mode 100644 index 8c9ac200a38416976db280b0963f7565eb7df681..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2165 zcmcJO=Tno37Kh&?1ZhEvK?S8mL25{VuowZQ1&9%r3!x}T4J9xk6zNL|28<{w0B#N!2vPCF`Lh_ANb|i&I zk;2h1l=%0)xP*{hD20SRf|B`;ViMxtQJG-!qxxS-SoVj6QalPn>!HwS3`$=QV_`@4Rjbl(LiEg8VCe1Y7Rq{tlS1J90-fo8%&ukR&1%X1^-+1 zXN<>KQbLsXng?s8xN*}S>>6HKg=rP5wvtsi9)F^dbz}7LxT=e_MQm!ze6yU-9~*}k z|9r621WA2HND^J=rA}6_C8tF|)+UU_pQwxa?svsfR?{LQt_hx}7C0F7FX?KrYetsC z3{#x@J@%a{SB!?I9mdy!PG-~uHT33q_F|6g&bnZ!@{i-li5=T;_WNZsxi}AQVGAi~ zeaE}gxWh}NmJ!Hc6(l>CK-)PQiSV=S`x*EXSd*SX^j~@6iVwnYWHA$~;8ju1hRdkz zPPOSKAv!}s04^**oub^!%HdLn-RNKl2mt-_Lf;XEt_Vg!u9NV%_Bw00 z4J^Oq@u5D<+$%qk&ge6ey^5bfc_o~sR#mu>uc*pPQ$=oR5#x~3V#&M_uhj>6BQtZ2 zt3mF6J7kVDW5>-jAFp(_xD}g}dNmQo&_zVybcU|{5jOFMyHgnUyG@32!dB_(t3QO0MkQ?LFG{%9P+M+BXx96C4_ zT4R$Qy3Vp%jYyWgRt{Qo-0NuZp_TAI@YV$0aL9|}&G%T1^%F665fWGM>Q5Q?SCU_% zrHIf0XSD-z2y!l(iArsaOzN6sRwN&|@J4h;H<_5X_dfCR9tApw9?PTp=Vxf85M_=p zN=Fnc7AB7yiS0P(WhOL7`1qdA>U=5A692uE604zOp0Q__4HT7!PD!NeFEV{&Ksn09pEhtxi1bG7Eer6oA|od{fa>>x&BIdNQ`wprg*oNj^52sknHQ@ zMVWHF@@{9AEM5@V)tRv?OOgF4Cf|UY=K7n0E{?!aeV!v?VNVXQKAFT-9jU)4UvYGA zXII->4^XWs=B&lVb~{#i_QoXZ1P!F8Tk}Soe$~p-9JH9LP*948{v=11n}kW z+vXlCUMkg!v&m1Sl3B$2J)=5aVNFvW`DCm1Aa*EMWqe22>GQs&b=og3UreU+a2E+} zp>yl`^Jr{Ap3}qOEgDUVQTAk2tl2JGy;u;jc({`W3yDr3E!Ltm~b^<><5b54;D#a+6<;0#=ra zX3h#0%-qj?F`&C9G&}p=9>Xuhm6_$<d zwZ77)ZI>g^7ev$!WXn)(`^VnyN3G>A{-Xh_>Z*nR$DUd?aPr#E>>M^_!9#p7Epn%VPR20~!2MK;ySW^VZ}m SA0JT09sk9(uREY39sdJ(OwTz0