diff --git a/server/src/main/java/org/mitre/jwt/signer/impl/RsaSigner.java b/server/src/main/java/org/mitre/jwt/signer/impl/RsaSigner.java
index 83b05d6b7..8def8e717 100644
--- a/server/src/main/java/org/mitre/jwt/signer/impl/RsaSigner.java
+++ b/server/src/main/java/org/mitre/jwt/signer/impl/RsaSigner.java
@@ -1,6 +1,7 @@
 package org.mitre.jwt.signer.impl;
 import java.io.UnsupportedEncodingException;
+import java.security.GeneralSecurityException;
 import java.security.InvalidKeyException;
 import java.security.KeyPair;
 import java.security.NoSuchAlgorithmException;
@@ -129,48 +130,42 @@ public class RsaSigner extends AbstractJwtSigner implements InitializingBean {
  setKeystore(keystore);
  setAlias(alias);
  setPassword(password);
-
+
  try {
  signer = Signature.getInstance(Algorithm.getByName(algorithmName).getStandardName(), "BC");
- } catch (NoSuchAlgorithmException e) {
+ } catch (GeneralSecurityException e) {
  // TODO Auto-generated catch block
  e.printStackTrace();
- } catch (NoSuchProviderException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
- }
+ }
  }
  @Override
  public void afterPropertiesSet() throws Exception {
  KeyPair keyPair = keystore.getKeyPairForAlias(alias, password);
- publicKey = (RSAPublicKey) keyPair.getPublic();
+ publicKey = ((RSAPublicKey) keyPair.getPublic());
  privateKey = (RSAPrivateKey) keyPair.getPrivate();
-
+
  logger.debug("RSA Signer ready for business");
  }
+ /* (non-Javadoc)
+ * @see org.mitre.jwt.signer.AbstractJwtSigner#generateSignature(java.lang.String)
+ */
  @Override
  protected String generateSignature(String signatureBase) {
-
- try {
+
+ try {
  signer.initSign(privateKey);
- } catch (InvalidKeyException e) {
- // TODO Auto-generated catch block
- e.printStackTrace();
- }
-
- try {
  signer.update(signatureBase.getBytes("UTF-8"));
- } catch (SignatureException e) {
+ } catch (GeneralSecurityException e) {
  // TODO Auto-generated catch block
  e.printStackTrace();
  } catch (UnsupportedEncodingException e) {
  // TODO Auto-generated catch block
  e.printStackTrace();
- }
+ }
  byte[] sigBytes;
  String sig = "";
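Review bot: In generateSignature a failed `initSign` or `update` is only printed and the method carries on to the signing step below the hunk, so a missing or non-RSA private key surfaces later as an unrelated exception or as a signature over incomplete input instead of a clear failure; the constructor's catch after `Signature.getInstance` does the same and leaves `signer` null. Widening the catch to `GeneralSecurityException` is the right moment to stop swallowing: replace each `e.printStackTrace();` in these blocks with `throw new IllegalStateException("RSA signer initialisation/signing failed", e);` so the caller fails closed and keeps the cause. The extra parentheses in `publicKey = ((RSAPublicKey) keyPair.getPublic());` add nothing and differ from the `privateKey` line right below. The constructor's head and the remainder of generateSignature lie outside the hunk.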
@@ -247,34 +242,24 @@ public class RsaSigner extends AbstractJwtSigner implements InitializingBean {
  try {
  signer.initVerify(publicKey);
- } catch (InvalidKeyException e1) {
- // TODO Auto-generated catch block
- e1.printStackTrace();
- return false;
- }
-
- try {
  signer.update(signingInput.getBytes("UTF-8"));
- } catch (SignatureException e1) {
- // TODO Auto-generated catch block
- e1.printStackTrace();
- } catch (UnsupportedEncodingException e1) {
- // TODO Auto-generated catch block
- e1.printStackTrace();
- }
-
- try {
  signer.verify(s64.getBytes("UTF-8"));
- } catch (SignatureException e) {
+ } catch (GeneralSecurityException e) {
  // TODO Auto-generated catch block
  e.printStackTrace();
- return false;
  } catch (UnsupportedEncodingException e) {
  // TODO Auto-generated catch block
  e.printStackTrace();
- return false;
  }
  return true;
  }
+
+ public RSAPrivateKey getPrivateKey() {
+ return privateKey;
+ }
+
+ public void setPrivateKey(RSAPrivateKey privateKey) {
+ this.privateKey = privateKey;
+ }
  }
diff --git a/server/src/main/java/org/mitre/jwt/signer/service/impl/KeyStore.java b/server/src/main/java/org/mitre/jwt/signer/service/impl/KeyStore.java
index a74961593..5d86066ae 100644
--- a/server/src/main/java/org/mitre/jwt/signer/service/impl/KeyStore.java
+++ b/server/src/main/java/org/mitre/jwt/signer/service/impl/KeyStore.java
@@ -19,6 +19,8 @@ import java.security.PublicKey;
 import java.security.Security;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
 import java.util.Date;
 import org.apache.commons.logging.Log;
@@ -76,7 +78,7 @@ public class KeyStore implements InitializingBean {
  * Create an RSA KeyPair and insert into specified KeyStore
  *
  * @param location
- * @param commonName
+ * @param domainName
  * @param alias
  * @param keystorePassword
  * @param aliasPassword
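Review bot: The result of `signer.verify(s64.getBytes("UTF-8"))` is discarded and, with both `return false` statements removed from the catch blocks, every path through the verification method now ends in `return true`, so it accepts any signature and also reports success when `initVerify` or `verify` throws. The argument also looks wrong: `s64` reads as the base64url-encoded signature text, and `verify` needs the decoded signature bytes, not the bytes of the encoding; the caller that produces `s64` is outside the hunk, so confirm there. The method should return the verifier's own answer and fail closed in the catches, which makes the trailing `return true;` go away; the rewritten try/catch is below (the method's opening lines are outside the hunk). The new public `getPrivateKey`/`setPrivateKey` pair exposes the private key on a Spring-managed bean; if only tests need it, package-private visibility would be tighter.
```java
  try {
   signer.initVerify(publicKey);
   signer.update(signingInput.getBytes("UTF-8"));
   // DECODE_BASE64URL is a placeholder for the project's base64url decoder
   return signer.verify(DECODE_BASE64URL(s64));
  } catch (GeneralSecurityException e) {
   logger.warn("RSA signature verification failed", e); // assumes logger is the commons-logging Log imported in KeyStore
   return false;
  } catch (UnsupportedEncodingException e) {
   logger.warn("RSA signature verification failed", e);
   return false;
  }
```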
@@ -87,7 +89,7 @@ public class KeyStore implements InitializingBean {
  * @throws IOException
  */
  public static java.security.KeyStore generateRsaKeyPair(String location,
- String commonName, String alias, String keystorePassword,
+ String domainName, String alias, String keystorePassword,
  String aliasPassword, int daysNotValidBefore, int daysNotValidAfter)
  throws GeneralSecurityException, IOException {
@@ -98,18 +100,20 @@ public class KeyStore implements InitializingBean {
  rsaKeyPairGenerator.initialize(2048);
  KeyPair rsaKeyPair = rsaKeyPairGenerator.generateKeyPair();
- X509V3CertificateGenerator v3CertGen = createCertificate(commonName,
+ X509V3CertificateGenerator v3CertGen = createCertificate(domainName,
  daysNotValidBefore, daysNotValidAfter);
+ RSAPrivateKey rsaPrivateKey = (RSAPrivateKey) rsaKeyPair.getPrivate();
+
  v3CertGen.setPublicKey(rsaKeyPair.getPublic());
- v3CertGen.setSignatureAlgorithm("SHA1withRSA"); // "MD5WithRSAEncryption");
+ v3CertGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); // "MD5WithRSAEncryption");
  // BC docs say to use another, but it seemingly isn't included...
  X509Certificate certificate = v3CertGen
- .generateX509Certificate(rsaKeyPair.getPrivate());
+ .generateX509Certificate(rsaPrivateKey);
  // if exist, overwrite
- ks.setKeyEntry(alias, rsaKeyPair.getPrivate(), aliasPassword.toCharArray(),
+ ks.setKeyEntry(alias, rsaPrivateKey, aliasPassword.toCharArray(),
  new java.security.cert.Certificate[] { certificate });
  storeJceKeyStore(location, keystorePassword, ks);
@@ -267,7 +271,7 @@ public class KeyStore implements InitializingBean {
  // Get public key
  PublicKey publicKey = cert.getPublicKey();
- return new KeyPair(publicKey, (PrivateKey) key);
+ return new KeyPair(publicKey, (RSAPrivateKey) key);
  }
  return null;
diff --git a/server/src/test/java/org/mitre/jwt/JwtTest.java b/server/src/test/java/org/mitre/jwt/JwtTest.java
index 3776e4710..69fc88167 100644
--- a/server/src/test/java/org/mitre/jwt/JwtTest.java
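Review bot: The `(RSAPrivateKey) rsaKeyPair.getPrivate()` cast added in the -98 hunk is safe only if `rsaKeyPairGenerator` was created for "RSA", which happens above the hunk and deserves a comment on the cast; the matching cast `(RSAPrivateKey) key` in the -267 hunk is the risky one, since `key` comes out of the loaded keystore and any non-RSA entry now fails with a ClassCastException where the old `(PrivateKey)` cast accepted it. `KeyPair`'s constructor only needs a `PrivateKey`, so in the -267 hunk the narrower cast buys nothing; either drop it or guard it in the style of the method's existing `return null` path, `if (!(key instanceof RSAPrivateKey)) { return null; }`. The `// "MD5WithRSAEncryption");` fragment carried over onto the new `setSignatureAlgorithm` line is stale now that the algorithm is SHA-256 and can be removed. Both enclosing methods begin outside their hunks.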
+++ b/server/src/test/java/org/mitre/jwt/JwtTest.java
@@ -1,12 +1,9 @@
 package org.mitre.jwt;
 import static org.hamcrest.CoreMatchers.equalTo;
-import static org.hamcrest.CoreMatchers.not;
-import static org.hamcrest.CoreMatchers.nullValue;
 import static org.junit.Assert.assertThat;
 import java.io.UnsupportedEncodingException;
-import java.security.Security;
 import java.util.Date;
 import org.junit.Test;
@@ -16,7 +13,6 @@ import org.mitre.jwt.signer.JwtSigner;
 import org.mitre.jwt.signer.impl.HmacSigner;
 import org.mitre.jwt.signer.impl.PlaintextSigner;
 import org.mitre.jwt.signer.impl.RsaSigner;
-import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
 import org.mitre.jwt.signer.service.impl.KeyStore;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
@@ -82,7 +78,7 @@ public class JwtTest {
  signer.sign(jwt);
  /*
- * Expected string based on the following strucutres, serialized exactly as follows and base64 encoded:
+ * Expected string based on the following structures, serialized exactly as follows and base64 encoded:
  *
  * header: {"typ":"JWT","alg":"HS256"}
  * claims: {"exp":1300819380,"iss":"joe","http://example.com/is_root":true}
@@ -100,8 +96,18 @@ public class JwtTest {
  }
+ /**
+ * @throws Exception
+ */
  @Test
- public void testGenerateRsaSignature() {
+ public void testGenerateRsaSignature() throws Exception {
+
+// java.security.KeyStore ks = KeyStore.generateRsaKeyPair(keystore
+// .getLocation().getFile().getPath(), "OpenID Connect Server",
+// "twentyYears", KeyStore.PASSWORD, KeyStore.PASSWORD, 30, 365*20);
+//
+// keystore.setKeystore(ks);
+
  Jwt jwt = new Jwt();
  jwt.getHeader().setType("JWT");
  jwt.getHeader().setAlgorithm("RS256");
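Review bot: The commented-out `KeyStore.generateRsaKeyPair(...)` block added at the top of `testGenerateRsaSignature` is dead code that will drift from the real fixture; if it records how `keystore.jks` and the `twentyYears` alias were produced, a single comment such as `// keystore.jks and alias "twentyYears" were generated with KeyStore.generateRsaKeyPair (see that method)` conveys that without a stale snippet. The added Javadoc `/** @throws Exception */` carries no information and should either be dropped or state what the test asserts. The test body continues past the hunk.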
@@ -109,27 +115,18 @@ public class JwtTest {
  jwt.getClaims().setIssuer("joe");
  jwt.getClaims().setClaim("http://example.com/is_root", Boolean.TRUE);
- JwtSigner signer = new RsaSigner(RsaSigner.Algorithm.DEFAULT, keystore, "test");
+ JwtSigner signer = new RsaSigner(RsaSigner.Algorithm.DEFAULT, keystore, "twentyYears");
+ ((RsaSigner) signer).afterPropertiesSet();
  signer.sign(jwt);
-
- System.out.println("vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv");
- System.out.println("vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv");
- System.out.println("vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv");
- System.out.println(jwt.getSignature());
- System.out.println("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^");
- System.out.println("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^");
- System.out.println("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^");
-
-// String signature = "p-63Jzz7mgi3H4hvW6MFB7lmPRZjhsL666MYkmpX33Y";
-// String expected = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjEzMDA4MTkzODAsImlzcyI6ImpvZSIsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ." + signature;
-//
-// String actual = jwt.toString();
-//
-// assertThat(actual, equalTo(expected));
-// assertThat(jwt.getSignature(), equalTo(signature));
- assertThat(signer, not(nullValue()));
+ String signature = "TW0nOd_vr1rnV7yIS-lIV2-00V_zJMWxzOc3Z7k3gvMO2aIjIGjZ9nByZMI0iL5komMxYXPl_RCkbd9OKiPkk4iK5CDj7Mawbzu95LgEOOqdXO1f7-IqX9dIvJhVXXInLD3RsGvavyheIqNeFEVidLrJo30tBchB_niljEW7VeX8nSZfiCOdbOTW3hu0ycnon7wFpejb-cRP_S0iqGxCgbYXJzqPT192EHmRy_wmFxxIy9Lc84uqNkAZSIn1jVIeAemm22RoWbq0xLVLTRyiZoxJTUzac_VteiSPRNFlUQuOdxqNf0Hxqh_wVfX1mfXUzv0D8vHJVy6aIqTISmn-qg";
+ String expected = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjEzMDA4MTkzODAsImlzcyI6ImpvZSIsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.TW0nOd_vr1rnV7yIS-lIV2-00V_zJMWxzOc3Z7k3gvMO2aIjIGjZ9nByZMI0iL5komMxYXPl_RCkbd9OKiPkk4iK5CDj7Mawbzu95LgEOOqdXO1f7-IqX9dIvJhVXXInLD3RsGvavyheIqNeFEVidLrJo30tBchB_niljEW7VeX8nSZfiCOdbOTW3hu0ycnon7wFpejb-cRP_S0iqGxCgbYXJzqPT192EHmRy_wmFxxIy9Lc84uqNkAZSIn1jVIeAemm22RoWbq0xLVLTRyiZoxJTUzac_VteiSPRNFlUQuOdxqNf0Hxqh_wVfX1mfXUzv0D8vHJVy6aIqTISmn-qg";
+
+ String actual = jwt.toString();
+
+ assertThat(actual, equalTo(expected));
+ assertThat(jwt.getSignature(), equalTo(signature));
  }
diff --git a/server/src/test/resources/keystore.jks b/server/src/test/resources/keystore.jks
index d8480427e..b5dbd08c9 100644
Binary files a/server/src/test/resources/keystore.jks and b/server/src/test/resources/keystore.jks differ
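Review bot: The test now pins a fixed RS256 signature that is only valid for the private key stored under the `twentyYears` alias in the binary `keystore.jks` fixture, so regenerating that keystore breaks the test without any change to the JWT code; a more durable check verifies `jwt.getSignature()` against the matching public key from the same keystore and asserts the header and claims segments of `jwt.toString()` separately. Declaring `RsaSigner signer = new RsaSigner(...)` would also remove the `((RsaSigner) signer)` cast needed to call `afterPropertiesSet()`. The method's head is outside the hunk.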