
Example 1 with ClientAuthorizationRequest

use of com.disney.http.auth.client.ClientAuthorizationRequest in project groovity by disney.

From the class HttpSignatureSigner, method doAuthorization.

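/**
 * Builds the HTTP Signature authorization for {@code request}: generates the signing
 * string from the configured header list, loads the signing key and signs the string
 * with the configured algorithm.
 *
 * <p>The request is mutated: a {@code Date} header is added when neither {@code x-date}
 * nor {@code date} is present, so a date-bearing header list can always be signed.
 *
 * <p>The algorithm is taken as configured; nothing here rejects weak digests (the
 * project's own tests drive this method with {@code rsa-md5} and {@code hmac-md5}), so
 * deployments should configure SHA-256 or stronger.
 *
 * @param request the outgoing request to sign; a {@code Date} header may be added to it
 * @return the populated {@link SignatureAuthorization} carrying the raw signature bytes
 * @throws HttpException if no keyId is configured, no key loader is configured, the
 *         algorithm is unknown, the loaded key does not fit the algorithm, or signing fails
 */
public SignatureAuthorization doAuthorization(HttpRequest request) throws HttpException {
    // keyId must be set, as per protocol
    if (keyId == null || keyId.isEmpty()) {
        throw new HttpException("Signer Configuration Error: no KeyId set");
    }
    // fill in date field if missing from request;
    if (request.getLastHeader("x-date") == null && request.getLastHeader("date") == null) {
        request.addHeader("Date", DateUtils.formatDate(new Date()));
    }
    SignatureAuthorization sa = new SignatureAuthorization();
    sa.setAlgorithm(algorithm);
    sa.setHeaders(headers);
    sa.setKeyId(keyId);
    String signingString = sa.generateSigningString(new ClientAuthorizationRequest(request));
    try {
        String signingAlgorithm = Algorithms.getSecurityAlgorithm(algorithm);
        Key key = loadSigningKey();
        // both the HMAC and the RSA branch sign the UTF-8 bytes of the signing string
        byte[] signingBytes = signingString.getBytes(java.nio.charset.StandardCharsets.UTF_8);
        if (signingAlgorithm.startsWith("Hmac")) {
            Mac mac = Mac.getInstance(signingAlgorithm);
            mac.init(key);
            sa.setSignature(mac.doFinal(signingBytes));
        } else if (signingAlgorithm.endsWith("RSA")) {
            // always sign with the private key; the verifier uses the public key.
            // Fail with a descriptive message instead of a bare ClassCastException.
            if (!(key instanceof PrivateKey)) {
                throw new IllegalStateException("RSA signing requires a PrivateKey but the key loader returned "
                        + (key == null ? "null" : key.getClass().getName()));
            }
            Signature rsaSigner = Signature.getInstance(signingAlgorithm);
            rsaSigner.initSign((PrivateKey) key);
            rsaSigner.update(signingBytes);
            sa.setSignature(rsaSigner.sign());
        } else {
            throw new NoSuchAlgorithmException("No known algorithm for " + signingAlgorithm);
        }
        return sa;
    } catch (Exception e) {
        // configuration, key-loading and JCE failures are all surfaced as one
        // protocol-level exception; the cause is kept for diagnostics
        throw new HttpException("Invalid Signature Authorization: signer was not correctly configured.", e);
    }
}

/**
 * Loads the key to sign with: an explicitly configured key loader wins, otherwise the
 * private half of the configured key pair is used.
 *
 * @return the signing key as returned by the loader (may be {@code null} if the loader returns null)
 * @throws Exception propagated from the loader's {@code call()}
 * @throws IllegalStateException if neither a key loader nor a key pair loader is configured
 */
private Key loadSigningKey() throws Exception {
    if (keyLoader != null) {
        return keyLoader.call();
    }
    if (getKeyPairLoader() != null) {
        return getKeyPairLoader().call().getPrivate();
    }
    throw new IllegalStateException("No key loader provided for HTTP Signature Signer");
}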

Example 2 with ClientAuthorizationRequest

use of com.disney.http.auth.client.ClientAuthorizationRequest in project groovity by disney.

From the class TestSignatureAuth, method testRSA.

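/**
 * Exercises RSA signing end to end: signs a request with a freshly generated key pair and
 * verifies the signature with the matching public key, then checks how the algorithm, the
 * keyId and the header list affect the result. Finally repeats the round trip with a key
 * pair loaded from a PEM file and with a key obtained from a keystore through a
 * {@link KeyChainKeyLoader}.
 *
 * @throws Exception from key generation, signing, verification, or file/keystore access
 */
@Test
public void testRSA() throws Exception {
    HttpGet request = new HttpGet("http://localhost:8080/");
    HttpClientContext localContext = new HttpClientContext();
    HttpSignatureSigner signer = new HttpSignatureSigner();
    signer.setHeaderName(SIGNATURE_HEADER);
    String keyId = "apiUser123";
    String headers = "(request-target) host x-date";
    // ephemeral key pair generated for this test only
    KeyPair pair = KeyUtils.generateKeyPair();
    PrivateKey privateKey = pair.getPrivate();
    PublicKey publicKey = pair.getPublic();
    KeyObjectKeyLoader privateKeyLoader = new KeyObjectKeyLoader(privateKey);
    signer.setAlgorithm("rsa-sha256");
    signer.setKeyId(keyId);
    signer.setHeaders(Arrays.asList(headers.split(" ")));
    signer.setKeyLoader(privateKeyLoader);
    signer.process(request, localContext);
    // rebuild the signing string independently of the signer so the signature can be verified
    SignatureAuthorization testAuth = new SignatureAuthorization();
    testAuth.setAlgorithm("rsa-sha256");
    testAuth.setHeaders(signer.getHeaders());
    String signingString = testAuth.generateSigningString(new ClientAuthorizationRequest(request));
    byte[] encryptedString = signer.doAuthorization(request).getSignature();
    boolean verify = verifyRsa("SHA256withRSA", publicKey, signingString, encryptedString);
    Assert.assertTrue(verify);
    // the digest is selectable; the signing string itself does not depend on the algorithm
    signer.setAlgorithm("rsa-md5");
    signer.process(request, localContext);
    encryptedString = signer.doAuthorization(request).getSignature();
    verify = verifyRsa("MD5withRSA", publicKey, signingString, encryptedString);
    Assert.assertTrue(verify);
    // the key comes from the KeyObjectKeyLoader, not from the keyId, so a different keyId
    // still yields a signature that verifies
    signer.setAlgorithm("rsa-sha256");
    signer.setKeyId("something else");
    signer.process(request, localContext);
    encryptedString = signer.doAuthorization(request).getSignature();
    verify = verifyRsa("SHA256withRSA", publicKey, signingString, encryptedString);
    Assert.assertTrue(verify);
    // a different header list changes what is signed, so the original signing string no longer verifies
    signer.setHeaders(Arrays.asList("host", "x-date"));
    signer.process(request, localContext);
    encryptedString = signer.doAuthorization(request).getSignature();
    verify = verifyRsa("SHA256withRSA", publicKey, signingString, encryptedString);
    Assert.assertFalse(verify);
    // round trip through a PEM file written and read back via URIParcel
    String location = "target/priv.pem";
    File pemFile = new File(location);
    URIParcel.put(pemFile.toURI(), pair);
    URIParcel<KeyPair> pemParcel = new URIParcel<KeyPair>(KeyPair.class, pemFile.toURI());
    signer = new HttpSignatureSigner();
    signer.setHeaderName(SIGNATURE_HEADER);
    signer.setKeyId("defaultValue");
    signer.setAlgorithm("rsa-sha256");
    signer.setHeaders(Arrays.asList(headers.split(" ")));
    signer.setKeyPairLoader(pemParcel);
    signingString = testAuth.generateSigningString(new ClientAuthorizationRequest(request));
    encryptedString = signer.doAuthorization(request).getSignature();
    verify = verifyRsa("SHA256withRSA", publicKey, signingString, encryptedString);
    Assert.assertTrue(verify);
    // round trip through a keystore using a KeyChainKeyLoader
    signer = new HttpSignatureSigner();
    signer.setHeaderName(SIGNATURE_HEADER);
    signer.setAlgorithm("rsa-sha256");
    location = "target/testKeytool.store";
    Map<String, Object> config = new HashMap<String, Object>();
    // credentials for the test keystore fixture only
    config.put(KeyStoreValueHandler.KEYSTORE_PASSWORD, "rachel");
    config.put(KeyStoreValueHandler.KEYSTORE_TYPE, "JCEKS");
    URIParcel<KeyStore> parcel = new URIParcel<KeyStore>(KeyStore.class, new File(location).toURI(), config);
    KeyChain chain = new KeyStoreKeyChainImpl(parcel, "".toCharArray());
    KeyChainKeyLoader keystoreLoader = new KeyChainKeyLoader(chain);
    keystoreLoader.setAlias("test");
    signer.setKeyId("test");
    signer.setHeaders(Arrays.asList(headers.split(" ")));
    signer.setKeyLoader(keystoreLoader);
    signer.process(request, localContext);
    signingString = testAuth.generateSigningString(new ClientAuthorizationRequest(request));
    encryptedString = signer.doAuthorization(request).getSignature();
    // verify against the public key read back from the keystore certificate; the result must
    // be assigned, otherwise the assertion would only re-check the previous round's value
    KeyStore importedKeystore = parcel.call();
    PublicKey loadedPublicKey = importedKeystore.getCertificate("test").getPublicKey();
    verify = verifyRsa("SHA256withRSA", loadedPublicKey, signingString, encryptedString);
    Assert.assertTrue(verify);
}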

Example 3 with ClientAuthorizationRequest

use of com.disney.http.auth.client.ClientAuthorizationRequest in project groovity by disney.

From the class TestSignatureAuth, method testHmac.

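/**
 * Exercises HMAC signing: the signer's output must equal an independently computed HMAC over
 * the same signing string, and must differ when the signing string, the key, the algorithm,
 * the header list, or the header order changes.
 *
 * @throws Exception from signing or from the independent HMAC computation
 */
@Test
public void testHmac() throws Exception {
    HttpGet request = new HttpGet("http://localhost:8080/");
    HttpClientContext localContext = new HttpClientContext();
    HttpSignatureSigner signer = new HttpSignatureSigner();
    signer.setHeaderName(SIGNATURE_HEADER);
    String keyId = "apiUser123";
    // shared secret for this test only
    String keyValue = "someBase64Secret";
    String headers = "(request-target) host x-date";
    String algorithm = "hmac-sha256";
    KeyObjectKeyLoader hmacKey = new KeyObjectKeyLoader(algorithm, keyValue);
    signer.setKeyId(keyId);
    signer.setKeyLoader(hmacKey);
    signer.setAlgorithm(algorithm);
    signer.process(request, localContext);
    // rebuild the signing string from the signer's header list to compute the expected HMAC
    SignatureAuthorization testAuth = new SignatureAuthorization();
    testAuth.setHeaders(signer.getHeaders());
    Assert.assertNotNull(signer.getHeaderName());
    Assert.assertNotNull(getAuthHeader(request));
    String signingString = testAuth.generateSigningString(new ClientAuthorizationRequest(request));
    byte[] expectedResult = signHmac(algorithm, keyValue, signingString);
    byte[] signature = signer.doAuthorization(request).getSignature();
    Assert.assertArrayEquals(expectedResult, signature);
    // bad signing string
    Assert.assertFalse(Arrays.equals(signHmac(algorithm, keyValue, signingString + "invalid"), signature));
    // wrong key
    signer.setKeyLoader(new KeyObjectKeyLoader(algorithm, "differentKeyValue"));
    signer.process(request, localContext);
    signature = signer.doAuthorization(request).getSignature();
    Assert.assertFalse("Wrong Key", Arrays.equals(expectedResult, signature));
    // wrong algorithm
    signer.setAlgorithm("hmac-md5");
    signer.process(request, localContext);
    signature = signer.doAuthorization(request).getSignature();
    Assert.assertFalse("Wrong algorithm", Arrays.equals(expectedResult, signature));
    // wrong headers: an explicit header list differing from the one used for expectedResult
    signer.setHeaders(Arrays.asList(headers.split(" ")));
    signer.setAlgorithm(algorithm);
    signer.setKeyLoader(hmacKey);
    signer.process(request, localContext);
    signature = signer.doAuthorization(request).getSignature();
    Assert.assertFalse("Incorrect Headers", Arrays.equals(expectedResult, signature));
    // wrong header order: the same three header names in a different order must change the
    // signature (they are passed as three list elements, not as one space-joined string,
    // so this really tests ordering rather than an unknown header name)
    signer.setHeaders(Arrays.asList("host", "(request-target)", "x-date"));
    signer.process(request, localContext);
    signature = signer.doAuthorization(request).getSignature();
    Assert.assertFalse("Incorrect header order", Arrays.equals(expectedResult, signature));
}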
