github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

made signing and verification service construction safe for public-only keys

pull/306/merge
Justin Richer 2013-03-28 17:03:18 -04:00
parent 6cc50e7cd5
commit 4538d8fb14
2 changed files with 19 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
View File

@ -164,10 +164,13 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
if (jwk instanceof RSAKey) { if (jwk instanceof RSAKey) {
// build RSA signers & verifiers // build RSA signers & verifiers
RSASSASigner signer = new RSASSASigner(((RSAKey) jwk).toRSAPrivateKey());
RSASSAVerifier verifier = new RSASSAVerifier(((RSAKey) jwk).toRSAPublicKey());
if (jwk.isPrivate()) { // only add the signer if there's a private key
RSASSASigner signer = new RSASSASigner(((RSAKey) jwk).toRSAPrivateKey());
signers.put(id, signer); signers.put(id, signer);
}
RSASSAVerifier verifier = new RSASSAVerifier(((RSAKey) jwk).toRSAPublicKey());
verifiers.put(id, verifier); verifiers.put(id, verifier);
} else if (jwk instanceof ECKey) { } else if (jwk instanceof ECKey) {
@ -178,11 +181,15 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
} else if (jwk instanceof OctetSequenceKey) { } else if (jwk instanceof OctetSequenceKey) {
// build HMAC signers & verifiers // build HMAC signers & verifiers
MACSigner signer = new MACSigner(((OctetSequenceKey) jwk).toByteArray());
MACVerifier verifier = new MACVerifier(((OctetSequenceKey) jwk).toByteArray());
if (jwk.isPrivate()) { // technically redundant check because all HMAC keys are private
MACSigner signer = new MACSigner(((OctetSequenceKey) jwk).toByteArray());
signers.put(id, signer); signers.put(id, signer);
}
MACVerifier verifier = new MACVerifier(((OctetSequenceKey) jwk).toByteArray());
verifiers.put(id, verifier); verifiers.put(id, verifier);
} else { } else {
logger.warn("Unknown key type: " + jwk); logger.warn("Unknown key type: " + jwk);
} }

6
openid-connect-server/src/main/webapp/WEB-INF/crypto-config.xml
View File

@ -3,12 +3,12 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="defaultsignerService" class="org.mitre.jwt.signer.service.impl.DefaultJwtSigningAndValidationService">
<constructor-arg name="keyStore">
<bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore"> <bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
<property name="location" value="classpath:keystore.jwks" /> <property name="location" value="classpath:keystore.jwks" />
</bean> </bean>
</constructor-arg>
<bean id="defaultsignerService" class="org.mitre.jwt.signer.service.impl.DefaultJwtSigningAndValidationService">
<constructor-arg name="keyStore" ref="defaultKeyStore" />
<property name="defaultSignerKeyId" value="rsa1" /> <property name="defaultSignerKeyId" value="rsa1" />
<property name="defaultSigningAlgorithmName" value="RS256" /> <property name="defaultSigningAlgorithmName" value="RS256" />
</bean> </bean>