
Example 11 with SignatureAlgorithm

Use of org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm in the project cxf by apache.

The class JwsUtils, method getSignatureVerifier.

/**
 * Builds a signature verifier from a JSON Web Key.
 *
 * <p>The verification algorithm is taken from the key's own {@code alg} member when one is
 * present; only when the JWK carries no {@code alg} is {@code defaultAlgorithm} used. Callers that
 * obtained the JWK from an untrusted source (for example an embedded {@code jwk} header) should
 * therefore make sure the resulting algorithm is one they are prepared to accept.
 *
 * @param jwk the key to verify with; RSA and EC keys yield a public-key verifier, octet keys an
 *     HMAC verifier
 * @param defaultAlgorithm algorithm to use when the JWK has no {@code alg} member
 * @return the verifier, or {@code null} when the key type is none of RSA, OCTET or EC
 */
public static JwsSignatureVerifier getSignatureVerifier(JsonWebKey jwk, SignatureAlgorithm defaultAlgorithm) {
    String jwkAlgorithm = jwk.getAlgorithm();
    SignatureAlgorithm sigAlgo = jwkAlgorithm != null
        ? SignatureAlgorithm.getAlgorithm(jwkAlgorithm)
        : defaultAlgorithm;

    KeyType keyType = jwk.getKeyType();
    if (keyType == KeyType.RSA) {
        return getPublicKeySignatureVerifier(JwkUtils.toRSAPublicKey(jwk, true), sigAlgo);
    }
    if (keyType == KeyType.OCTET) {
        // The octet key value is expected to be a base64url string; it is decoded before use.
        String encodedKey = (String) jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE);
        return getHmacSignatureVerifier(JoseUtils.decode(encodedKey), sigAlgo);
    }
    if (keyType == KeyType.EC) {
        return getPublicKeySignatureVerifier(JwkUtils.toECPublicKey(jwk), sigAlgo);
    }
    // Unsupported key type: no verifier can be built.
    return null;
}

Example 12 with SignatureAlgorithm

Use of org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm in the project cxf by apache.

The class JwsUtils, method loadSignatureVerifier.

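/**
 * Resolves the verifier for an incoming JWS.
 *
 * <p>Key material is looked up in two stages. First the JWS headers are consulted: an embedded
 * {@code jwk} is used only when the {@code RSSEC_ACCEPT_PUBLIC_KEY} context property is enabled
 * and its key id matches the header {@code kid} (when a {@code kid} is present); an {@code x5c}
 * chain is validated against {@code props} before its leaf certificate is used; {@code x5t} and
 * {@code x5t#S256} thumbprints are resolved through {@link KeyManagementUtils}. When the headers
 * do not yield a verifier, the key configured in {@code props} is used: a JWK store when
 * {@code RSSEC_KEY_STORE_TYPE} is {@code jwk}, otherwise an X.509 certificate or chain, or the
 * "none" verifier when both the configured algorithm and the header {@code alg} are "none".
 *
 * <p>The configured-key path takes the algorithm from {@code props} (via
 * {@code getSignatureAlgorithm}), not from the header, so an attacker-chosen {@code alg} does not
 * select the algorithm there. The header {@code alg} is still not validated against the
 * configured one when an embedded JWK or certificate is accepted; see the TODO below.
 *
 * @param m the current message, used for contextual properties and key store access
 * @param props signature-related configuration
 * @param inHeaders the JWS headers, may be {@code null}
 * @return the verifier to use; never {@code null} when the configured-key path is taken
 * @throws JwsException with {@code INVALID_KEY} when an embedded JWK is rejected, or
 *     {@code NO_VERIFIER} when no verifier could be resolved
 */
public static JwsSignatureVerifier loadSignatureVerifier(Message m, Properties props, JwsHeaders inHeaders) {
    JwsSignatureVerifier theVerifier = null;
    String inHeaderKid = null;
    if (inHeaders != null) {
        inHeaderKid = inHeaders.getKeyId();
        // TODO: optionally validate inHeaders.getAlgorithm against a property in props
        if (inHeaders.getHeader(JoseConstants.HEADER_JSON_WEB_KEY) != null) {
            JsonWebKey publicJwk = inHeaders.getJsonWebKey();
            // Reject the embedded key when its id disagrees with the header kid, or when
            // embedded public keys are not explicitly accepted for this message.
            if ((inHeaderKid != null && !inHeaderKid.equals(publicJwk.getKeyId()))
                || !MessageUtils.getContextualBoolean(m, JoseConstants.RSSEC_ACCEPT_PUBLIC_KEY, false)) {
                throw new JwsException(JwsException.Error.INVALID_KEY);
            }
            return getSignatureVerifier(publicJwk, inHeaders.getSignatureAlgorithm());
        } else if (inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN) != null) {
            List<X509Certificate> chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
            // The chain must validate against the configured trust before its leaf is used.
            KeyManagementUtils.validateCertificateChain(props, chain);
            return getPublicKeySignatureVerifier(chain.get(0), inHeaders.getSignatureAlgorithm());
        } else if (inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
            X509Certificate foundCert = KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509Thumbprint(), MessageDigestUtils.ALGO_SHA_1, m, props);
            if (foundCert != null) {
                return getPublicKeySignatureVerifier(foundCert, inHeaders.getSignatureAlgorithm());
            }
            // Unknown thumbprint: fall through to the configured key.
        } else if (inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT_SHA256) != null) {
            X509Certificate foundCert = KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509ThumbprintSHA256(), MessageDigestUtils.ALGO_SHA_256, m, props);
            if (foundCert != null) {
                return getPublicKeySignatureVerifier(foundCert, inHeaders.getSignatureAlgorithm());
            }
            // Unknown thumbprint: fall through to the configured key.
        }
    }
    if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
        JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.VERIFY, inHeaderKid);
        if (jwk != null) {
            SignatureAlgorithm signatureAlgo = getSignatureAlgorithm(m, props, SignatureAlgorithm.getAlgorithm(jwk.getAlgorithm()), getDefaultKeyAlgorithm(jwk));
            theVerifier = getSignatureVerifier(jwk, signatureAlgo);
        }
    } else {
        SignatureAlgorithm signatureAlgo = getSignatureAlgorithm(m, props, null, null);
        // "none" is only honoured when it is both configured and declared by the header.
        // inHeaders may be null here (it is null-checked above), so guard before reading it;
        // without a header there is no "none" declaration to match, and the certificate path
        // is taken instead.
        if (signatureAlgo == SignatureAlgorithm.NONE
            && inHeaders != null
            && SignatureAlgorithm.NONE.getJwaName().equals(inHeaders.getAlgorithm())) {
            theVerifier = new NoneJwsSignatureVerifier();
        } else {
            X509Certificate[] certs = KeyManagementUtils.loadX509CertificateOrChain(m, props);
            if (certs != null && certs.length > 0) {
                theVerifier = getPublicKeySignatureVerifier(certs[0], signatureAlgo);
            }
        }
    }
    if (theVerifier == null) {
        LOG.warning("Verifier is not available");
        throw new JwsException(JwsException.Error.NO_VERIFIER);
    }
    return theVerifier;
}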
