JWSUtils uses JWSAlgorithm to match bit length; ConnectTokenEnhancer calls the util method now
Amanda Anganes
parent
3a591dc1f4
commit
37580cc21e
|
|
@ -16,17 +16,10 @@
|
|||
******************************************************************************/
|
||||
package org.mitre.openid.connect.token;
|
||||
|
||||
import java.security.InvalidKeyException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.Arrays;
|
||||
import java.util.Date;
|
||||
import java.util.Set;
|
||||
import java.util.UUID;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import javax.crypto.Mac;
|
||||
import javax.crypto.spec.SecretKeySpec;
|
||||
import javax.servlet.http.HttpSession;
|
||||
|
||||
import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
|
||||
|
|
@ -35,6 +28,7 @@ import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
|
|||
import org.mitre.oauth2.service.ClientDetailsEntityService;
|
||||
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
|
||||
import org.mitre.openid.connect.service.ApprovedSiteService;
|
||||
import org.mitre.openid.connect.util.JWSUtils;
|
||||
import org.mitre.openid.connect.web.AuthenticationTimeStamper;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
|
@ -42,7 +36,6 @@ import org.springframework.beans.factory.annotation.Autowired;
|
|||
import org.springframework.security.oauth2.common.OAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.common.util.OAuth2Utils;
|
||||
import org.springframework.security.oauth2.provider.OAuth2Authentication;
|
||||
import org.springframework.security.oauth2.provider.OAuth2Request;
|
||||
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
|
||||
import org.springframework.stereotype.Service;
|
||||
import org.springframework.web.context.request.RequestContextHolder;
|
||||
|
|
@ -163,39 +156,11 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
|
|||
Set<String> responseTypes = OAuth2Utils.parseParameterList(responseType);
|
||||
if (responseTypes.contains("token")) {
|
||||
// calculate the token hash
|
||||
|
||||
// get the right algorithm size
|
||||
// TODO: all this string parsing feels like a bad hack
|
||||
String algName = signingAlg.getName();
|
||||
Pattern re = Pattern.compile("^[HRE]S(\\d+)$");
|
||||
Matcher match = re.matcher(algName);
|
||||
if (match.matches()) {
|
||||
String bits = match.group(1);
|
||||
String hmacAlg = "HMACSHA" + bits;
|
||||
try {
|
||||
Mac mac = Mac.getInstance(hmacAlg);
|
||||
mac.init(new SecretKeySpec(token.getJwt().serialize().getBytes(), hmacAlg));
|
||||
|
||||
byte[] at_hash_bytes = mac.doFinal();
|
||||
byte[] at_hash_bytes_left = Arrays.copyOf(at_hash_bytes, at_hash_bytes.length / 2);
|
||||
Base64URL at_hash = Base64URL.encode(at_hash_bytes_left);
|
||||
|
||||
idClaims.setClaim("at_hash", at_hash);
|
||||
|
||||
} catch (NoSuchAlgorithmException e) {
|
||||
|
||||
logger.error("No such algorithm error: ", e);
|
||||
|
||||
} catch (InvalidKeyException e) {
|
||||
|
||||
logger.error("Invalid key error: ", e);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Base64URL at_hash = JWSUtils.getAccessTokenHash(signingAlg, token.getJwt().serialize().getBytes());
|
||||
//TODO: What should happen if the hash cannot be calculated?
|
||||
idClaims.setClaim("at_hash", at_hash);
|
||||
}
|
||||
|
||||
|
||||
SignedJWT idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims);
|
||||
|
||||
//TODO: check for client's preferred signer alg and use that
|
||||
|
|
|
|||
|
|
@ -3,8 +3,6 @@ package org.mitre.openid.connect.util;
|
|||
import java.security.InvalidKeyException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.Arrays;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import javax.crypto.Mac;
|
||||
import javax.crypto.spec.SecretKeySpec;
|
||||
|
|
@ -27,22 +25,28 @@ public class JWSUtils {
|
|||
|
||||
public static Base64URL getAccessTokenHash(JWSAlgorithm signingAlg, byte[] tokenBytes) {
|
||||
|
||||
//Switch based on the given signing algorithm
|
||||
//Switch based on the given signing algorithm - use HMAC with the same bitnumber
|
||||
//as the JWSAlgorithm to hash the token.
|
||||
|
||||
String algName = signingAlg.getName();
|
||||
|
||||
if (algName.equals(JWSAlgorithm.HS256)) {
|
||||
String hashAlg = null;
|
||||
|
||||
if (signingAlg.equals(JWSAlgorithm.HS256) || signingAlg.equals(JWSAlgorithm.ES256) || signingAlg.equals(JWSAlgorithm.RS256)) {
|
||||
hashAlg = "HMACSHA256";
|
||||
}
|
||||
|
||||
Pattern re = Pattern.compile("^[HRE]S(\\d+)$");
|
||||
Matcher match = re.matcher(algName);
|
||||
if (match.matches()) {
|
||||
String bits = match.group(1);
|
||||
String hmacAlg = "HMACSHA" + bits;
|
||||
else if (signingAlg.equals(JWSAlgorithm.ES384) || signingAlg.equals(JWSAlgorithm.HS384) || signingAlg.equals(JWSAlgorithm.RS384)) {
|
||||
hashAlg = "HMACSHA384";
|
||||
}
|
||||
|
||||
else if (signingAlg.equals(JWSAlgorithm.ES512) || signingAlg.equals(JWSAlgorithm.HS512) || signingAlg.equals(JWSAlgorithm.RS512)) {
|
||||
hashAlg = "HMACSHA512";
|
||||
}
|
||||
|
||||
if (hashAlg != null) {
|
||||
|
||||
try {
|
||||
Mac mac = Mac.getInstance(hmacAlg);
|
||||
mac.init(new SecretKeySpec(tokenBytes, hmacAlg));
|
||||
Mac mac = Mac.getInstance(hashAlg);
|
||||
mac.init(new SecretKeySpec(tokenBytes, hashAlg));
|
||||
|
||||
byte[] at_hash_bytes = mac.doFinal();
|
||||
byte[] at_hash_bytes_left = Arrays.copyOf(at_hash_bytes, at_hash_bytes.length / 2);
|
||||
|
|
|
|||
Loading…
Reference in New Issue