made signing and verification service construction safe for public-only keys

2013-03-28 17:03:18 -04:00 · 2013-03-28 17:03:18 -04:00 · 4538d8fb14
parent 6cc50e7cd5
commit 4538d8fb14
2 changed files with 19 additions and 12 deletions
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
@ -164,10 +164,13 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
 			
            if (jwk instanceof RSAKey) {
            	// build RSA signers & verifiers
-            	RSASSASigner signer = new RSASSASigner(((RSAKey) jwk).toRSAPrivateKey());
-            	RSASSAVerifier verifier = new RSASSAVerifier(((RSAKey) jwk).toRSAPublicKey());
            	
-            	signers.put(id, signer);
+            	if (jwk.isPrivate()) { // only add the signer if there's a private key            	
+            		RSASSASigner signer = new RSASSASigner(((RSAKey) jwk).toRSAPrivateKey());
+            		signers.put(id, signer);
+            	}
+            	
+            	RSASSAVerifier verifier = new RSASSAVerifier(((RSAKey) jwk).toRSAPublicKey());            	
            	verifiers.put(id, verifier);
            	
            } else if (jwk instanceof ECKey) {
@ -178,11 +181,15 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
            	
            } else if (jwk instanceof OctetSequenceKey) {
            	// build HMAC signers & verifiers
-            	MACSigner signer = new MACSigner(((OctetSequenceKey) jwk).toByteArray());
-            	MACVerifier verifier = new MACVerifier(((OctetSequenceKey) jwk).toByteArray());
-
-            	signers.put(id, signer);
+            	
+            	if (jwk.isPrivate()) { // technically redundant check because all HMAC keys are private
+            		MACSigner signer = new MACSigner(((OctetSequenceKey) jwk).toByteArray());
+            		signers.put(id, signer);
+            	}
+            	
+            	MACVerifier verifier = new MACVerifier(((OctetSequenceKey) jwk).toByteArray());            	
            	verifiers.put(id, verifier);
+            	
            } else {
            	logger.warn("Unknown key type: " + jwk);
            }
--- a/openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml
@ -3,12 +3,12 @@
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

-	<bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
-		<property name="location" value="classpath:keystore.jwks" />
-	</bean>
-
 	<bean id="defaultsignerService" class="org.mitre.jwt.signer.service.impl.DefaultJwtSigningAndValidationService">
-		<constructor-arg name="keyStore" ref="defaultKeyStore" />
+		<constructor-arg name="keyStore">
+			<bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
+				<property name="location" value="classpath:keystore.jwks" />
+			</bean>
+		</constructor-arg>
 		<property name="defaultSignerKeyId" value="rsa1" />
 		<property name="defaultSigningAlgorithmName" value="RS256" />
 	</bean>