From 30d7aaa66acb4f1eb533d85371ce9d7c83c9aa11 Mon Sep 17 00:00:00 2001
From: William Kim <wkim@mitre.org>
Date: Thu, 22 Aug 2013 15:17:14 -0400
Subject: [PATCH] PlainSigner and PlainVerifier created for alg:none JWS
 support.

---
 .../org/mitre/jwt/signer/PlainSigner.java     | 58 +++++++++++++
 .../org/mitre/jwt/signer/PlainVerifier.java   | 81 +++++++++++++++++++
 2 files changed, 139 insertions(+)
 create mode 100644 openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainSigner.java
 create mode 100644 openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainVerifier.java

diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainSigner.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainSigner.java
new file mode 100644
index 000000000..1252a79ee
--- /dev/null
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainSigner.java
@@ -0,0 +1,58 @@
+/*******************************************************************************
+ * Copyright 2013 The MITRE Corporation 
+ *   and the MIT Kerberos and Internet Trust Consortium
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ ******************************************************************************/
+package org.mitre.jwt.signer;
+
+import java.util.Set;
+
+import com.google.common.collect.Sets;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.PlainHeader;
+import com.nimbusds.jose.ReadOnlyJWSHeader;
+import com.nimbusds.jose.Requirement;
+import com.nimbusds.jose.util.Base64URL;
+
+/**
+ * Signer to support "alg:none" JWS signing option (no signature).
+ * 
+ * @author wkim
+ *
+ */
+public class PlainSigner implements JWSSigner {
+
+
+	@Override
+	public Set<JWSAlgorithm> supportedAlgorithms() {
+		return Sets.newHashSet(new JWSAlgorithm("none", Requirement.REQUIRED));
+	}
+
+	@Override
+	public Base64URL sign(ReadOnlyJWSHeader header, byte[] signingInput) throws JOSEException {
+		
+		if (header instanceof PlainHeader) {
+			
+			return new Base64URL("");
+			
+		} else {
+			
+			throw new JOSEException("Invalid header. This signer is for use with Plain JWTs only.");
+			
+		}
+	}
+
+}
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainVerifier.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainVerifier.java
new file mode 100644
index 000000000..b689eb54d
--- /dev/null
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainVerifier.java
@@ -0,0 +1,81 @@
+/*******************************************************************************
+ * Copyright 2013 The MITRE Corporation 
+ *   and the MIT Kerberos and Internet Trust Consortium
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ ******************************************************************************/
+package org.mitre.jwt.signer;
+
+import java.util.Set;
+
+import com.google.common.collect.Sets;
+import com.nimbusds.jose.DefaultJWSHeaderFilter;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeaderFilter;
+import com.nimbusds.jose.JWSVerifier;
+import com.nimbusds.jose.PlainHeader;
+import com.nimbusds.jose.ReadOnlyJWSHeader;
+import com.nimbusds.jose.Requirement;
+import com.nimbusds.jose.util.Base64URL;
+
+/**
+ * Verifier to support "alg:none" JWS signing option (no signature).
+ * 
+ * @author wkim
+ *
+ */
+public class PlainVerifier implements JWSVerifier {
+
+	// the NONE alg constant lives in the Algorithm superclass of JWSAlgorithm, not allowing its use as a JWSAlgorithm object.
+	// redefining the constant here for convenience.
+	private static final JWSAlgorithm NONE = new JWSAlgorithm("none", Requirement.REQUIRED);
+	
+	/**
+	 * The JWS header filter.
+	 */
+	private final DefaultJWSHeaderFilter headerFilter;
+	
+	public PlainVerifier() {
+		
+		headerFilter = new DefaultJWSHeaderFilter(Sets.newHashSet(NONE));
+		
+	}
+
+	
+	@Override
+	public Set<JWSAlgorithm> supportedAlgorithms() {
+		return Sets.newHashSet(NONE); 
+	}
+
+
+	@Override
+	public JWSHeaderFilter getJWSHeaderFilter() {
+		return headerFilter;
+	}
+
+	@Override
+	public boolean verify(ReadOnlyJWSHeader header, byte[] signingInput, Base64URL signature) throws JOSEException {
+		
+		if (header instanceof PlainHeader) {
+			// XXX NOT POSSIBLE--Interface does not allow this.
+			return signature.decode().length == 0;
+			
+		} else { // not a plain (unsigned) JWS
+			
+			throw new JOSEException("Not a plain JWT header.");
+			
+		}
+	}
+
+}