From 78559b625aaec9214068dca03b0e32d44ff62af7 Mon Sep 17 00:00:00 2001 From: William Kim Date: Mon, 26 Aug 2013 15:32:50 -0400 Subject: [PATCH] Revert "removed the plain verifer. validating a no-signature is simply handled as a special case in validateSignature(). Also, doing some type safety checks." This reverts commit c957d59f7c3453dbb1ed3268b5bc3320b0294f46. --- .../org/mitre/jwt/signer/PlainVerifier.java | 96 +++++++++++++++++++ ...DefaultJwtSigningAndValidationService.java | 13 +-- 2 files changed, 101 insertions(+), 8 deletions(-) create mode 100644 openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainVerifier.java diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainVerifier.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainVerifier.java new file mode 100644 index 000000000..34deebe4f --- /dev/null +++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainVerifier.java @@ -0,0 +1,96 @@ +/******************************************************************************* + * Copyright 2013 The MITRE Corporation + * and the MIT Kerberos and Internet Trust Consortium + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + ******************************************************************************/ +package org.mitre.jwt.signer; + +import java.util.Set; + +import com.google.common.collect.Sets; +import com.nimbusds.jose.DefaultJWSHeaderFilter; +import com.nimbusds.jose.JOSEException; +import com.nimbusds.jose.JWSAlgorithm; +import com.nimbusds.jose.JWSHeaderFilter; +import com.nimbusds.jose.JWSVerifier; +import com.nimbusds.jose.PlainHeader; +import com.nimbusds.jose.ReadOnlyJWSHeader; +import com.nimbusds.jose.Requirement; +import com.nimbusds.jose.util.Base64URL; +import com.nimbusds.jwt.PlainJWT; + +/** + * Verifier to support "alg:none" JWS signing option (no signature). + * + * FIXME: The JWSVerifier interface was never intended to be used with plain JWTs. + * Use of the signer/verifier pattern alongside the other JWSSigner/Verifiers will require refactoring. + * + * @author wkim + * + */ +public final class PlainVerifier implements JWSVerifier { + + // the NONE alg constant lives in the Algorithm superclass of JWSAlgorithm, not allowing its use as a JWSAlgorithm object. + // redefining the constant here for convenience. + private static final JWSAlgorithm NONE = new JWSAlgorithm("none", Requirement.REQUIRED); + + /** + * The JWS header filter. + */ + private final DefaultJWSHeaderFilter headerFilter; + + public PlainVerifier() { + + headerFilter = new DefaultJWSHeaderFilter(Sets.newHashSet(NONE)); + + } + + + @Override + public Set supportedAlgorithms() { + return Sets.newHashSet(NONE); + } + + + @Override + public JWSHeaderFilter getJWSHeaderFilter() { + return headerFilter; + } + + @Override + public boolean verify(ReadOnlyJWSHeader header, byte[] signingInput, Base64URL signature) throws JOSEException { + + if (header instanceof PlainHeader) { + // XXX NOT POSSIBLE--Interface does not allow this. + return signature.decode().length == 0; + + } else { // not a plain (unsigned) JWS + + throw new JOSEException("Not a plain JWT header."); + + } + } + + /** + * Verifies that the third signature component of the JWT is null. + * + * @param jwt + * @return + */ + public static boolean verify(PlainJWT jwt) { + + return jwt.getParsedParts()[2] == null; + } + +} diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java index a52cc70b6..89386b51a 100644 --- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java +++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java @@ -28,6 +28,7 @@ import javax.annotation.PostConstruct; import org.mitre.jose.keystore.JWKSetKeyStore; import org.mitre.jwt.signer.PlainSigner; +import org.mitre.jwt.signer.PlainVerifier; import org.mitre.jwt.signer.service.JwtSigningAndValidationService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -164,7 +165,6 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid private void buildSignersAndVerifiers() throws NoSuchAlgorithmException, InvalidKeySpecException { signers.put(ALG_NONE, new PlainSigner()); - // no plain verifier, that is handled as a special case in validateSignature(). for (Map.Entry jwkEntry : keys.entrySet()) { @@ -288,20 +288,17 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid @Override public boolean validateSignature(JWT jwt) { - if (getDefaultSignerKeyId().equals(ALG_NONE)) { + if (getDefaultSignerKeyId().equals(ALG_NONE) && (jwt instanceof PlainJWT)) { - return (jwt instanceof PlainJWT); + return PlainVerifier.verify((PlainJWT) jwt); } else { for (JWSVerifier verifier : verifiers.values()) { - try { - - if (jwt instanceof SignedJWT) { - return ((SignedJWT) jwt).verify(verifier); + if (((SignedJWT) jwt).verify(verifier)) { + return true; } - } catch (JOSEException e) { logger.error("Failed to validate signature, error was: ", e);