From f866e5addc86b875229159023689009c5905efed Mon Sep 17 00:00:00 2001
From: Amanda Anganes
Date: Fri, 2 Aug 2013 14:35:35 -0400
Subject: [PATCH] Use clients preferred algorithm, if any, to sign
---
 .../JwtSigningAndValidationService.java | 3 +--
 ...DefaultJwtSigningAndValidationService.java | 27 +++++++++++++++++++
 .../connect/token/ConnectTokenEnhancer.java | 13 +++++----
 3 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
index d85d0d009..e4ae66ff6 100644
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/JwtSigningAndValidationService.java
@@ -72,8 +72,7 @@ public interface JwtSigningAndValidationService {
  * @param alg the name of the algorithm to use, as specified in JWS s.6
  * @return the signed jwt
  */
- //TODO: implement later; only need signJwt(Jwt jwt) for now
- //public Jwt signJwt(Jwt jwt, String alg);
+ public void signJwt(SignedJWT jwt, JWSAlgorithm alg);
 /**
  * TODO: method to sign a jwt using a specified algorithm and a key id
diff --git a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
index ee07e6fe4..c08a71688 100644
--- a/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
+++ b/openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
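Review bot: The Javadoc immediately above the new declaration still says `@return the signed jwt`, but `signJwt(SignedJWT jwt, JWSAlgorithm alg)` returns `void` and signs the passed object in place, and the `@param alg` text describes a String algorithm name while the parameter is now a `JWSAlgorithm`. The contract for an unsupported algorithm is also left unstated, which matters for a signing API because implementers may otherwise silently leave the token unsigned. Replace the two tags with `@param alg the JWS algorithm to sign with; must be one this service has a signer for` and `@throws RuntimeException (implementation-defined) if no configured signer supports {@code alg} or signing fails`, adjusting the exception type to whatever the implementation settles on. The Javadoc block begins outside the hunk.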
@@ -215,6 +215,33 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
 }
+ @Override
+ public void signJwt(SignedJWT jwt, JWSAlgorithm alg) {
+
+ JWSSigner signer = null;
+
+ for (JWSSigner s : signers.values()) {
+ if (s.supportedAlgorithms().contains(alg)) {
+ signer = s;
+ break;
+ }
+ }
+
+ if (signer == null) {
+ //If we can't find an algorithm that matches, we can't sign
+ logger.error("No matching algirthm found for alg=" + alg);
+
+ }
+
+ try {
+ jwt.sign(signer);
+ } catch (JOSEException e) {
+
+ logger.error("Failed to sign JWT, error was: ", e);
+ }
+
+ }
+
 @Override
 public boolean validateSignature(SignedJWT jwt) {
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
index 61f40a464..56408acc1 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java
@@ -84,9 +84,14 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
- // TODO: use client's default signing algorithm
-
- JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
+ JWSAlgorithm signingAlg;
+ JWSAlgorithm clientAlg = client.getIdTokenSignedResponseAlg().getAlgorithm();
+ if (clientAlg != JWSAlgorithm.NONE) {
+ signingAlg = clientAlg;
+ } else {
+ signingAlg = jwtService.getDefaultSigningAlgorithm();
+ }
+
 SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
 jwtService.signJwt(signed);
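Review bot: In `signJwt`, when no signer supports `alg` the method only logs `No matching algirthm found` and then falls through to `jwt.sign(signer)` with `signer == null`, so the caller sees at best a misleading NullPointerException; and when `jwt.sign` throws `JOSEException` the error is logged and swallowed, so the caller gets back a `SignedJWT` that was never signed with no way to tell. A signing service should fail closed: reject an unsupported algorithm before attempting to sign and propagate a signing failure instead of logging it, which since the interface declares no checked exception means an unchecked one. The typo `algirthm` in the log message can be fixed in the same change. `signers` and `logger` are fields declared outside the hunk.
```java
		// … unchanged: signer lookup loop over signers.values() …

		if (signer == null) {
			// Fail closed: an unsupported alg must never yield an unsigned token
			logger.error("No matching algorithm found for alg=" + alg);
			throw new IllegalArgumentException("No signer configured for alg=" + alg);
		}

		try {
			jwt.sign(signer);
		} catch (JOSEException e) {
			logger.error("Failed to sign JWT, error was: ", e);
			throw new IllegalStateException("Failed to sign JWT with alg=" + alg, e);
		}
```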
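Review bot: `client.getIdTokenSignedResponseAlg().getAlgorithm()` dereferences the client's preference unconditionally even though the commit title treats it as optional ("if any"), so a client registered without one would, if that getter returns null, fail token issuance with a NullPointerException here. Guard it and compare with `equals` rather than `!=`, in case `getAlgorithm()` returns a fresh `JWSAlgorithm` instance rather than the `NONE` constant: `JWSAlgorithm clientAlg = client.getIdTokenSignedResponseAlg() == null ? null : client.getIdTokenSignedResponseAlg().getAlgorithm();` and `if (clientAlg != null && !JWSAlgorithm.NONE.equals(clientAlg)) {`. Separately, the header now carries the client's alg but signing still goes through the single-argument `jwtService.signJwt(signed)` rather than the `signJwt(signed, signingAlg)` overload this commit adds, so unless that method already picks a signer by the header's alg (not visible here) the declared `alg` and the signer actually used can disagree, or signing fails outright for any alg the default signer does not support; the client's alg should also be checked against the algorithms the service can sign with before it is placed in the header. The enclosing method continues outside the hunk.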
@@ -156,8 +161,6 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 SignedJWT idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims);
- //TODO: check for client's preferred signer alg and use that
-
 jwtService.signJwt(idToken);
 idTokenEntity.setJwt(idToken);