github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Revert "removed the plain verifer. validating a no-signature is simply handled as a special case in validateSignature(). Also, doing some type safety checks." 

This reverts commit c957d59f7c.
pull/485/merge
William Kim 2013-08-26 15:32:50 -04:00
parent 15ec027505
commit 78559b625a
2 changed files with 101 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
openid-connect-common/src/main/java/org/mitre/jwt/signer/PlainVerifier.java Normal file
View File

@ -0,0 +1,96 @@
/*******************************************************************************
* Copyright 2013 The MITRE Corporation
* and the MIT Kerberos and Internet Trust Consortium
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
******************************************************************************/
package org.mitre.jwt.signer;
import java.util.Set;
import com.google.common.collect.Sets;
import com.nimbusds.jose.DefaultJWSHeaderFilter;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeaderFilter;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.PlainHeader;
import com.nimbusds.jose.ReadOnlyJWSHeader;
import com.nimbusds.jose.Requirement;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.PlainJWT;
/**
* Verifier to support "alg:none" JWS signing option (no signature).
*
* FIXME: The JWSVerifier interface was never intended to be used with plain JWTs.
* Use of the signer/verifier pattern alongside the other JWSSigner/Verifiers will require refactoring.
*
* @author wkim
*
*/
public final class PlainVerifier implements JWSVerifier {
// the NONE alg constant lives in the Algorithm superclass of JWSAlgorithm, not allowing its use as a JWSAlgorithm object.
// redefining the constant here for convenience.
private static final JWSAlgorithm NONE = new JWSAlgorithm("none", Requirement.REQUIRED);
/**
* The JWS header filter.
*/
private final DefaultJWSHeaderFilter headerFilter;
public PlainVerifier() {
headerFilter = new DefaultJWSHeaderFilter(Sets.newHashSet(NONE));
}
@Override
public Set<JWSAlgorithm> supportedAlgorithms() {
return Sets.newHashSet(NONE);
}
@Override
public JWSHeaderFilter getJWSHeaderFilter() {
return headerFilter;
}
@Override
public boolean verify(ReadOnlyJWSHeader header, byte[] signingInput, Base64URL signature) throws JOSEException {
if (header instanceof PlainHeader) {
// XXX NOT POSSIBLE--Interface does not allow this.
return signature.decode().length == 0;
} else { // not a plain (unsigned) JWS
throw new JOSEException("Not a plain JWT header.");
}
}
/**
* Verifies that the third signature component of the JWT is null.
*
* @param jwt
* @return
*/
public static boolean verify(PlainJWT jwt) {
return jwt.getParsedParts()[2] == null;
}
}

13
openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
View File

@ -28,6 +28,7 @@ import javax.annotation.PostConstruct;
import org.mitre.jose.keystore.JWKSetKeyStore; import org.mitre.jose.keystore.JWKSetKeyStore;
import org.mitre.jwt.signer.PlainSigner; import org.mitre.jwt.signer.PlainSigner;
import org.mitre.jwt.signer.PlainVerifier;
import org.mitre.jwt.signer.service.JwtSigningAndValidationService; import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -164,7 +165,6 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
private void buildSignersAndVerifiers() throws NoSuchAlgorithmException, InvalidKeySpecException { private void buildSignersAndVerifiers() throws NoSuchAlgorithmException, InvalidKeySpecException {
signers.put(ALG_NONE, new PlainSigner()); signers.put(ALG_NONE, new PlainSigner());
// no plain verifier, that is handled as a special case in validateSignature().
for (Map.Entry<String, JWK> jwkEntry : keys.entrySet()) { for (Map.Entry<String, JWK> jwkEntry : keys.entrySet()) {
@ -288,20 +288,17 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
@Override @Override
public boolean validateSignature(JWT jwt) { public boolean validateSignature(JWT jwt) {
if (getDefaultSignerKeyId().equals(ALG_NONE)) { if (getDefaultSignerKeyId().equals(ALG_NONE) && (jwt instanceof PlainJWT)) {
return (jwt instanceof PlainJWT); return PlainVerifier.verify((PlainJWT) jwt);
} else { } else {
for (JWSVerifier verifier : verifiers.values()) { for (JWSVerifier verifier : verifiers.values()) {
try { try {
if (((SignedJWT) jwt).verify(verifier)) {
if (jwt instanceof SignedJWT) { return true;
return ((SignedJWT) jwt).verify(verifier);
} }
} catch (JOSEException e) { } catch (JOSEException e) {
logger.error("Failed to validate signature, error was: ", e); logger.error("Failed to validate signature, error was: ", e);