github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fix for issue 5, code refactoring across signers

Browse Source
pull/59/head
nemonik 13 years ago
parent 4f407a3a11
commit f215cfc50c
5 changed files with 303 additions and 207 deletions
Show Stats Download Patch File Download Diff File

21
openid-connect-client/src/main/java/org/mitre/openid/connect/client/OpenIdConnectAuthenticationFilter.java
Unescape View File

@ -38,6 +38,8 @@ import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.WebUtils;
import com.google.common.base.Splitter;
import com.google.common.collect.Lists;
import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
@ -443,6 +445,25 @@ public class OpenIdConnectAuthenticationFilter extends
try {
idToken = IdToken.parse(jsonRoot.getAsJsonObject()
.get("id_token").getAsString());
List<String> parts = Lists.newArrayList(Splitter.on(".")
.split(jsonRoot.getAsJsonObject().get("id_token")
.getAsString()));
if (parts.size() != 3) {
throw new IllegalArgumentException(
"Invalid JWT format.");
}
String h64 = parts.get(0);
String c64 = parts.get(1);
String s64 = parts.get(2);
logger.debug("h64 = " + h64);
logger.debug("c64 = " + c64);
logger.debug("s64 = " + s64);
} catch (Exception e) {
// I suspect this could happen

6
openid-connect-server/.settings/org.eclipse.wst.common.component
Unescape View File

@ -5,12 +5,6 @@
<wb-resource deploy-path="/WEB-INF/classes" source-path="/src/main/resources"/>
<wb-resource deploy-path="/" source-path="/target/m2e-wtp/web-resources"/>
<wb-resource deploy-path="/" source-path="/src/main/webapp" tag="defaultRootSource"/>
<dependent-module archiveName="spring-security-oauth2-1.0.0.BUILD-SNAPSHOT.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/spring-security-oauth2/spring-security-oauth2">
<dependency-type>uses</dependency-type>
</dependent-module>
<dependent-module archiveName="openid-connect-common-0.1.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/openid-connect-common/openid-connect-common">
<dependency-type>uses</dependency-type>
</dependent-module>
<property name="java-output-path" value="/openid/target/classes"/>
<property name="context-root" value="openid-connect-server"/>
</wb-module>

130
openid-connect-server/src/main/java/org/mitre/jwt/signer/impl/EcdsaSigner.java
Unescape View File

@ -3,10 +3,10 @@ package org.mitre.jwt.signer.impl;
import java.io.UnsupportedEncodingException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.List;
import org.apache.commons.codec.binary.Base64;
@ -15,6 +15,7 @@ import org.apache.commons.logging.LogFactory;
import org.mitre.jwt.signer.AbstractJwtSigner;
import org.mitre.jwt.signer.service.impl.KeyStore;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.Assert;
import com.google.common.base.Splitter;
import com.google.common.collect.Lists;
@ -38,15 +39,15 @@ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean {
public enum Algorithm {
// Algorithm constants
ES256("SHA256withECDSA"),
ES384("SHA384withECDSA"),
ES512("SHA512withECDSA");
ES256("SHA256withECDSA"), ES384("SHA384withECDSA"), ES512(
"SHA512withECDSA");
public static final String DEFAULT = Algorithm.ES256.toString();
public static final String PREPEND = "ES";
/**
* Returns the Algorithm for the name
*
* @param name
* @return
*/
@ -58,7 +59,8 @@ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean {
}
// corresponding type not found
throw new IllegalArgumentException("Algorithm name does not have a corresponding Algorithm");
throw new IllegalArgumentException(
"Algorithm name does not have a corresponding Algorithm");
}
private final String standardName;
@ -74,6 +76,7 @@ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean {
/**
* Return the Java standard algorithm name
*
* @return
*/
public String getStandardName() {
@ -81,8 +84,6 @@ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean {
}
};
static final String PROVIDER = "BC";
private static Log logger = LogFactory.getLog(EcdsaSigner.class);
public static final String KEYPAIR_ALGORITHM = "EC";
@ -90,7 +91,7 @@ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean {
private KeyStore keystore;
private String alias;
private String password;
private String password = DEFAULT_PASSWORD;
private PrivateKey privateKey;
private PublicKey publicKey;
@ -100,88 +101,123 @@ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean {
* Default constructor
*/
public EcdsaSigner() {
this(Algorithm.DEFAULT, null, null, DEFAULT_PASSWORD);
super(Algorithm.DEFAULT);
}
/**
* Creates an EcdsaSigner from an algorithm name, a Java Keystore, an alias
* for the key pair, and the default password to access. Key pairs created
* with larger bit sizes obviously create larger signatures.
*
* @param algorithmName
* The algorithm name
* @param keystore
* A Java Keystore containing the key pair
* @param alias
* The alias for the key pair
* @throws GeneralSecurityException
*/
public EcdsaSigner(String algorithmName, KeyStore keystore, String alias) {
public EcdsaSigner(String algorithmName, KeyStore keystore, String alias)
throws GeneralSecurityException {
this(algorithmName, keystore, alias, DEFAULT_PASSWORD);
}
/**
* Creates an EcdsaSigner from an algorithm name, a Java Keystore, an alias
* for the key pair, and the password to access. Key pairs created with
* larger bit sizes obviously create larger signatures.
*
* @param algorithmName
* The algorithm name
* @param keystore
* A Java Keystore containing the key pair
* @param alias
* The alias for the key pair
* @param password
* The password used to access and retrieve the key pair.
* @throws GeneralSecurityException
*/
public EcdsaSigner(String algorithmName, KeyStore keystore, String alias, String password) {
public EcdsaSigner(String algorithmName, KeyStore keystore, String alias,
String password) throws GeneralSecurityException {
super(algorithmName);
Assert.notNull(keystore, "A keystore must be supplied");
Assert.notNull(alias, "A alias must be supplied");
Assert.notNull(password, "A password must be supplied");
setKeystore(keystore);
setAlias(alias);
setPassword(password);
try {
signer = Signature.getInstance(Algorithm.getByName(algorithmName).getStandardName(), PROVIDER);
} catch (GeneralSecurityException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
KeyPair keyPair = keystore.getKeyPairForAlias(alias, password);
publicKey = keyPair.getPublic();
privateKey = keyPair.getPrivate();
}
/**
* Creates an RsaSigner from an algorithm name, and key pair. Key pairs
* created with larger bit sizes obviously create larger signatures.
*
* @param algorithmName
* The algorithm name
* @param publicKey
* The public key
* @param privateKey
* The private key
*/
public EcdsaSigner(String algorithmName, PublicKey publicKey, PrivateKey privateKey) {
public EcdsaSigner(String algorithmName, PublicKey publicKey,
PrivateKey privateKey) {
super(algorithmName);
Assert.notNull(publicKey, "A publicKey must be supplied");
Assert.notNull(privateKey, "A privateKey must be supplied");
this.publicKey = publicKey;
this.privateKey = privateKey;
}
/* (non-Javadoc)
* @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
/*
* (non-Javadoc)
*
* @see
* org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
*/
@Override
public void afterPropertiesSet() throws Exception {
KeyPair keyPair = keystore.getKeyPairForAlias(alias, password);
publicKey = keyPair.getPublic();
privateKey = keyPair.getPrivate();
// Can throw a GeneralException
signer = Signature.getInstance(Algorithm.getByName(super.getAlgorithm())
.getStandardName()); // PROVIDER);
logger.debug( Algorithm.getByName(getAlgorithm()).getStandardName() + " ECDSA Signer ready for business");
logger.debug(Algorithm.getByName(getAlgorithm()).getStandardName()
+ " ECDSA Signer ready for business");
}
/* (non-Javadoc)
* @see org.mitre.jwt.signer.AbstractJwtSigner#generateSignature(java.lang.String)
*/
@Override
protected String generateSignature(String signatureBase) {
String sig = null;
try {
signer.initSign(privateKey);
signer.update(signatureBase.getBytes("UTF-8"));
} catch (GeneralSecurityException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
byte[] sigBytes;
String sig = "";
try {
sigBytes = signer.sign();
byte[] sigBytes = signer.sign();
sig = new String(Base64.encodeBase64URLSafe(sigBytes));
// strip off any padding
sig = sig.replace("=", "");
} catch (SignatureException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (GeneralSecurityException e) {
logger.error(e);
} catch (UnsupportedEncodingException e) {
logger.error(e);
}
return sig;
@ -215,8 +251,9 @@ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean {
this.password = password;
}
/* (non-Javadoc)
/*
* (non-Javadoc)
*
* @see java.lang.Object#toString()
*/
@Override
@ -226,7 +263,9 @@ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean {
+ ", publicKey=" + publicKey + ", signer=" + signer + "]";
}
/* (non-Javadoc)
/*
* (non-Javadoc)
*
* @see org.mitre.jwt.signer.AbstractJwtSigner#verify(java.lang.String)
*/
@Override
@ -251,14 +290,11 @@ public class EcdsaSigner extends AbstractJwtSigner implements InitializingBean {
signer.update(signingInput.getBytes("UTF-8"));
signer.verify(s64.getBytes("UTF-8"));
} catch (GeneralSecurityException e) {
// TODO Auto-generated catch block
e.printStackTrace();
logger.error(e);
} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
logger.error(e);
}
return true;
}
}

78
openid-connect-server/src/main/java/org/mitre/jwt/signer/impl/HmacSigner.java
Unescape View File

@ -2,7 +2,7 @@ package org.mitre.jwt.signer.impl;
import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
@ -12,6 +12,8 @@ import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.mitre.jwt.signer.AbstractJwtSigner;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.Assert;
/**
* JWT Signer using either the HMAC SHA-256, SHA-384, SHA-512 hash algorithm
@ -19,7 +21,7 @@ import org.mitre.jwt.signer.AbstractJwtSigner;
* @author AANGANES, nemonik
*
*/
public class HmacSigner extends AbstractJwtSigner {
public class HmacSigner extends AbstractJwtSigner implements InitializingBean {
/**
* an enum for mapping a JWS name to standard algorithm name
@ -71,16 +73,18 @@ public class HmacSigner extends AbstractJwtSigner {
public String getStandardName() {
return standardName;
}
};
}
public static final String DEFAULT_PASSPHRASE = "changeit";;
private static Log logger = LogFactory.getLog(HmacSigner.class);
private Mac mac;
private String passphrase;
private String passphrase = DEFAULT_PASSPHRASE;
/**
* Create a signer with no passphrase
* Default constructor
*/
public HmacSigner() {
super(Algorithm.DEFAULT);
@ -90,8 +94,10 @@ public class HmacSigner extends AbstractJwtSigner {
* Create HMAC singer with default algorithm and passphrase as raw bytes
*
* @param passphraseAsRawBytes
* The passphrase as raw bytes
*/
public HmacSigner(byte[] passphraseAsRawBytes) {
public HmacSigner(byte[] passphraseAsRawBytes)
throws NoSuchAlgorithmException {
this(Algorithm.DEFAULT, new String(passphraseAsRawBytes,
Charset.forName("UTF-8")));
}
@ -100,8 +106,9 @@ public class HmacSigner extends AbstractJwtSigner {
* Create HMAC singer with default algorithm and passphrase
*
* @param passwordAsRawBytes
* The passphrase as raw bytes
*/
public HmacSigner(String passphrase) {
public HmacSigner(String passphrase) throws NoSuchAlgorithmException {
this(Algorithm.DEFAULT, passphrase);
}
@ -109,11 +116,12 @@ public class HmacSigner extends AbstractJwtSigner {
* Create HMAC singer with given algorithm and password as raw bytes
*
* @param algorithmName
* the JWS name for the standard name of the requested MAC
* algorithm
* The Java standard name of the requested MAC algorithm
* @param passphraseAsRawBytes
* The passphrase as raw bytes
*/
public HmacSigner(String algorithmName, byte[] passphraseAsRawBytes) {
public HmacSigner(String algorithmName, byte[] passphraseAsRawBytes)
throws NoSuchAlgorithmException {
this(algorithmName, new String(passphraseAsRawBytes,
Charset.forName("UTF-8")));
}
@ -122,23 +130,33 @@ public class HmacSigner extends AbstractJwtSigner {
* Create HMAC singer with given algorithm and passwords
*
* @param algorithmName
* the JWS name for the standard name of the requested MAC
* algorithm
* The Java standard name of the requested MAC algorithm
* @param passphrase
* the passphrase
*/
public HmacSigner(String algorithmName, String passphrase) {
super(algorithmName);
Assert.notNull(passphrase, "A passphrase must be supplied");
setPassphrase(passphrase);
try {
mac = Mac.getInstance(Algorithm.getByName(algorithmName)
.getStandardName());
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
/*
* (non-Javadoc)
*
* @see
* org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
*/
@Override
public void afterPropertiesSet() throws Exception {
mac = Mac.getInstance(Algorithm.getByName(super.getAlgorithm())
.getStandardName());
logger.debug(Algorithm.getByName(getAlgorithm()).getStandardName()
+ " ECDSA Signer ready for business");
}
@ -152,25 +170,18 @@ public class HmacSigner extends AbstractJwtSigner {
@Override
protected String generateSignature(String signatureBase) {
if (passphrase == null) {
return null; // TODO: probably throw some kind of exception
throw new IllegalArgumentException("Passphrase cannot be null");
}
try {
mac.init(new SecretKeySpec(getPassphrase().getBytes(), mac
.getAlgorithm()));
} catch (InvalidKeyException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
try {
mac.update(signatureBase.getBytes("UTF-8"));
} catch (IllegalStateException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (GeneralSecurityException e) {
logger.error(e);
} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
logger.error(e);
}
byte[] sigBytes = mac.doFinal();
@ -179,6 +190,7 @@ public class HmacSigner extends AbstractJwtSigner {
// strip off any padding
sig = sig.replace("=", "");
return sig;
}
@ -191,14 +203,12 @@ public class HmacSigner extends AbstractJwtSigner {
}
public void setPassphrase(String passphrase) {
if (passphrase.isEmpty())
throw new IllegalArgumentException("passphrase must be set");
this.passphrase = passphrase;
}
/* (non-Javadoc)
/*
* (non-Javadoc)
*
* @see java.lang.Object#toString()
*/
@Override

129
openid-connect-server/src/main/java/org/mitre/jwt/signer/impl/RsaSigner.java
Unescape View File

@ -6,7 +6,6 @@ import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.RSAPrivateKey;
import java.util.List;
@ -16,6 +15,7 @@ import org.apache.commons.logging.LogFactory;
import org.mitre.jwt.signer.AbstractJwtSigner;
import org.mitre.jwt.signer.service.impl.KeyStore;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.util.Assert;
import com.google.common.base.Splitter;
import com.google.common.collect.Lists;
@ -42,7 +42,6 @@ public class RsaSigner extends AbstractJwtSigner implements InitializingBean {
public static final String DEFAULT = Algorithm.RS256.toString();
public static final String PREPEND = "RS";
/**
* Returns the Algorithm for the name
*
@ -89,7 +88,7 @@ public class RsaSigner extends AbstractJwtSigner implements InitializingBean {
private KeyStore keystore;
private String alias;
private String password;
private String password = DEFAULT_PASSWORD;
private PrivateKey privateKey;
private PublicKey publicKey;
@ -99,91 +98,126 @@ public class RsaSigner extends AbstractJwtSigner implements InitializingBean {
* Default constructor
*/
public RsaSigner() {
this(Algorithm.DEFAULT, null, null, DEFAULT_PASSWORD);
super(Algorithm.DEFAULT);
}
/**
* Creates an RsaSigner from an algorithm name, a Java Keystore, an alias
* for the key pair, and the default password to access. Key pairs created
* with larger bit sizes obviously create larger signatures.
*
* @param algorithmName
* The algorithm name
* @param keystore
* A Java Keystore containing the key pair
* @param alias
* The alias for the key pair
* @throws GeneralSecurityException
*/
public RsaSigner(String algorithmName, KeyStore keystore, String alias) {
public RsaSigner(String algorithmName, KeyStore keystore, String alias)
throws GeneralSecurityException {
this(algorithmName, keystore, alias, DEFAULT_PASSWORD);
}
/**
* Creates an RsaSigner from an algorithm name, a Java Keystore, an alias
* for the key pair, and the password to access. Key pairs created with
* larger bit sizes obviously create larger signatures.
*
* @param algorithmName
* The algorithm name
* @param keystore
* A Java Keystore containing the key pair
* @param alias
* The alias for the key pair
* @param password
* The password used to access and retrieve the key pair.
* @throws GeneralSecurityException
*/
public RsaSigner(String algorithmName, KeyStore keystore, String alias,
String password) {
String password) throws GeneralSecurityException {
super(algorithmName);
Assert.notNull(keystore, "An keystore must be supplied");
Assert.notNull(alias, "A alias must be supplied");
Assert.notNull(password, "A password must be supplied");
setKeystore(keystore);
setAlias(alias);
setPassword(password);
try {
signer = Signature.getInstance(Algorithm.getByName(algorithmName).getStandardName()); //, PROVIDER);
} catch (GeneralSecurityException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
KeyPair keyPair = keystore.getKeyPairForAlias(alias, password);
publicKey = keyPair.getPublic();
privateKey = keyPair.getPrivate();
}
/**
* Creates an RsaSigner from an algorithm name, and key pair. Key pairs
* created with larger bit sizes obviously create larger signatures.
*
* @param algorithmName
* The algorithm name
* @param publicKey
* The public key
* @param privateKey
* The private key
*/
public RsaSigner(String algorithmName, PublicKey publicKey, PrivateKey privateKey) {
public RsaSigner(String algorithmName, PublicKey publicKey,
PrivateKey privateKey) {
super(algorithmName);
Assert.notNull(publicKey, "An publicKey must be supplied");
Assert.notNull(privateKey, "A privateKey must be supplied");
this.publicKey = publicKey;
this.privateKey = privateKey;
}
/*
* (non-Javadoc)
*
* @see
* org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
*/
@Override
public void afterPropertiesSet() throws Exception {
KeyPair keyPair = keystore.getKeyPairForAlias(alias, password);
publicKey = keyPair.getPublic();
privateKey = keyPair.getPrivate();
// unsupported algorithm will throw a NoSuchAlgorithmException
signer = Signature.getInstance(Algorithm
.getByName(super.getAlgorithm()).getStandardName()); // ,
// PROVIDER);
logger.debug( Algorithm.getByName(getAlgorithm()).getStandardName() + " RSA Signer ready for business");
logger.debug(Algorithm.getByName(getAlgorithm()).getStandardName()
+ " RSA Signer ready for business");
}
/* (non-Javadoc)
* @see org.mitre.jwt.signer.AbstractJwtSigner#generateSignature(java.lang.String)
/*
* (non-Javadoc)
*
* @see
* org.mitre.jwt.signer.AbstractJwtSigner#generateSignature(java.lang.String
* )
*/
@Override
protected String generateSignature(String signatureBase) {
String sig = null;
try {
signer.initSign(privateKey);
signer.update(signatureBase.getBytes("UTF-8"));
} catch (GeneralSecurityException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
byte[] sigBytes;
String sig = "";
byte[] sigBytes = signer.sign();
try {
sigBytes = signer.sign();
sig = new String(Base64.encodeBase64URLSafe(sigBytes));
// strip off any padding
sig = sig.replace("=", "");
} catch (SignatureException e) {
// TODO Auto-generated catch block
e.printStackTrace();
sig = (new String(Base64.encodeBase64URLSafe(sigBytes))).replace(
"=", "");
} catch (GeneralSecurityException e) {
logger.error(e);
} catch (UnsupportedEncodingException e) {
logger.error(e);
}
return sig;
@ -237,15 +271,16 @@ public class RsaSigner extends AbstractJwtSigner implements InitializingBean {
+ ", publicKey=" + publicKey + ", signer=" + signer + "]";
}
/* (non-Javadoc)
* @see org.mitre.jwt.signer.AbstractJwtSigner#verify(java.lang.String)
*/
/* (non-Javadoc)
/*
* (non-Javadoc)
*
* @see org.mitre.jwt.signer.AbstractJwtSigner#verify(java.lang.String)
*/
@Override
public boolean verify(String jwtString) {
boolean value = false;
// split on the dots
List<String> parts = Lists.newArrayList(Splitter.on(".").split(
jwtString));
@ -263,15 +298,15 @@ public class RsaSigner extends AbstractJwtSigner implements InitializingBean {
try {
signer.initVerify(publicKey);
signer.update(signingInput.getBytes("UTF-8"));
signer.verify(s64.getBytes("UTF-8"));
value = signer.verify(s64.getBytes("UTF-8"));
} catch (GeneralSecurityException e) {
// TODO Auto-generated catch block
e.printStackTrace();
logger.error(e);
return false;
} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
logger.error(e);
return false;
}
return true;
return value;
}
}
Write Preview
Loading…
Cancel
Save