Example 41 with JwsHeaders
use of org.apache.cxf.rs.security.jose.jws.JwsHeaders in project cxf by apache.
the class JwsJoseCookBookTest method testMultipleSignatures.
@Test
public void testMultipleSignatures() throws Exception {
try {
Cipher.getInstance(AlgorithmUtils.ES_SHA_512_JAVA);
} catch (Throwable t) {
Security.addProvider(new BouncyCastleProvider());
}
try {
JwsJsonProducer jsonProducer = new JwsJsonProducer(PAYLOAD);
assertEquals(jsonProducer.getPlainPayload(), PAYLOAD);
assertEquals(jsonProducer.getUnsignedEncodedPayload(), ENCODED_PAYLOAD);
JwsHeaders firstSignerProtectedHeader = new JwsHeaders();
firstSignerProtectedHeader.setSignatureAlgorithm(SignatureAlgorithm.RS256);
JwsHeaders firstSignerUnprotectedHeader = new JwsHeaders();
firstSignerUnprotectedHeader.setKeyId(RSA_KID_VALUE);
JsonWebKeys jwks = readKeySet("cookbookPrivateSet.txt");
List<JsonWebKey> keys = jwks.getKeys();
JsonWebKey rsaKey = keys.get(1);
jsonProducer.signWith(JwsUtils.getSignatureProvider(rsaKey, SignatureAlgorithm.RS256), firstSignerProtectedHeader, firstSignerUnprotectedHeader);
assertEquals(jsonProducer.getSignatureEntries().get(0).toJson(), FIRST_SIGNATURE_ENTRY_MULTIPLE_SIGNATURES);
JwsHeaders secondSignerUnprotectedHeader = new JwsHeaders();
secondSignerUnprotectedHeader.setSignatureAlgorithm(SignatureAlgorithm.ES512);
secondSignerUnprotectedHeader.setKeyId(ECDSA_KID_VALUE);
JsonWebKey ecKey = keys.get(0);
jsonProducer.signWith(JwsUtils.getSignatureProvider(ecKey, SignatureAlgorithm.ES512), null, secondSignerUnprotectedHeader);
assertEquals(new JsonMapObjectReaderWriter().toJson(jsonProducer.getSignatureEntries().get(1).getUnprotectedHeader()), SECOND_SIGNATURE_UNPROTECTED_HEADER_MULTIPLE_SIGNATURES);
assertEquals(jsonProducer.getSignatureEntries().get(1).toJson().length(), SECOND_SIGNATURE_ENTRY_MULTIPLE_SIGNATURES.length());
JwsHeaders thirdSignerProtectedHeader = new JwsHeaders();
thirdSignerProtectedHeader.setSignatureAlgorithm(SignatureAlgorithm.HS256);
thirdSignerProtectedHeader.setKeyId(HMAC_KID_VALUE);
JsonWebKeys secretJwks = readKeySet("cookbookSecretSet.txt");
List<JsonWebKey> secretKeys = secretJwks.getKeys();
JsonWebKey hmacKey = secretKeys.get(0);
jsonProducer.signWith(JwsUtils.getSignatureProvider(hmacKey, SignatureAlgorithm.HS256), thirdSignerProtectedHeader);
assertEquals(jsonProducer.getSignatureEntries().get(2).toJson(), THIRD_SIGNATURE_ENTRY_MULTIPLE_SIGNATURES);
assertEquals(jsonProducer.getJwsJsonSignedDocument().length(), MULTIPLE_SIGNATURES_JSON_GENERAL_SERIALIZATION.length());
JwsJsonConsumer jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
JsonWebKeys publicJwks = readKeySet("cookbookPublicSet.txt");
List<JsonWebKey> publicKeys = publicJwks.getKeys();
JsonWebKey rsaPublicKey = publicKeys.get(1);
JsonWebKey ecPublicKey = publicKeys.get(0);
assertTrue(jsonConsumer.verifySignatureWith(rsaPublicKey, SignatureAlgorithm.RS256));
assertTrue(jsonConsumer.verifySignatureWith(ecPublicKey, SignatureAlgorithm.ES512));
assertTrue(jsonConsumer.verifySignatureWith(hmacKey, SignatureAlgorithm.HS256));
} finally {
Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
}
}
Also used :
JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders)
JsonWebKeys(org.apache.cxf.rs.security.jose.jwk.JsonWebKeys)
JsonWebKey(org.apache.cxf.rs.security.jose.jwk.JsonWebKey)
JsonMapObjectReaderWriter(org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter)
JwsJsonProducer(org.apache.cxf.rs.security.jose.jws.JwsJsonProducer)
JwsJsonConsumer(org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
Test(org.junit.Test)
Example 42 with JwsHeaders
use of org.apache.cxf.rs.security.jose.jws.JwsHeaders in project cxf by apache.
the class JWTTokenProvider method signToken.
private String signToken(JwtClaims claims, RealmProperties jwtRealm, STSPropertiesMBean stsProperties) throws Exception {
if (signToken) {
// Initialise signature objects with defaults of STSPropertiesMBean
Crypto signatureCrypto = stsProperties.getSignatureCrypto();
CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
SignatureProperties signatureProperties = stsProperties.getSignatureProperties();
String alias = stsProperties.getSignatureUsername();
if (jwtRealm != null) {
// callbackhandler and alias of STSPropertiesMBean is ignored
if (jwtRealm.getSignatureCrypto() != null) {
LOG.fine("SAMLRealm signature keystore used");
signatureCrypto = jwtRealm.getSignatureCrypto();
callbackHandler = jwtRealm.getCallbackHandler();
alias = jwtRealm.getSignatureAlias();
}
// SignatureProperties can be defined independently of SignatureCrypto
if (jwtRealm.getSignatureProperties() != null) {
signatureProperties = jwtRealm.getSignatureProperties();
}
}
// Get the signature algorithm to use - for now we don't allow the client to ask
// for a particular signature algorithm, as with SAML
String signatureAlgorithm = signatureProperties.getSignatureAlgorithm();
try {
SignatureAlgorithm.getAlgorithm(signatureAlgorithm);
} catch (IllegalArgumentException ex) {
signatureAlgorithm = SignatureAlgorithm.RS256.name();
}
// If alias not defined, get the default of the SignatureCrypto
if ((alias == null || "".equals(alias)) && (signatureCrypto != null)) {
alias = signatureCrypto.getDefaultX509Identifier();
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("Signature alias is null so using default alias: " + alias);
}
}
// Get the password
String password = null;
if (callbackHandler != null) {
WSPasswordCallback[] cb = { new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE) };
callbackHandler.handle(cb);
password = cb[0].getPassword();
}
Properties signingProperties = new Properties();
signingProperties.put(JoseConstants.RSSEC_SIGNATURE_ALGORITHM, signatureAlgorithm);
if (alias != null) {
signingProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, alias);
}
if (password != null) {
signingProperties.put(JoseConstants.RSSEC_KEY_PSWD, password);
} else {
throw new STSException("Can't get the password", STSException.REQUEST_FAILED);
}
if (!(signatureCrypto instanceof Merlin)) {
throw new STSException("Can't get the keystore", STSException.REQUEST_FAILED);
}
KeyStore keystore = ((Merlin) signatureCrypto).getKeyStore();
signingProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
JwsHeaders jwsHeaders = new JwsHeaders(signingProperties);
JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
JwsSignatureProvider sigProvider = JwsUtils.loadSignatureProvider(signingProperties, jwsHeaders);
return jws.signWith(sigProvider);
}
JwsHeaders jwsHeaders = new JwsHeaders(SignatureAlgorithm.NONE);
JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
return jws.getSignedEncodedJws();
}
Also used :
CallbackHandler(javax.security.auth.callback.CallbackHandler)
STSException(org.apache.cxf.ws.security.sts.provider.STSException)
EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties)
SignatureProperties(org.apache.cxf.sts.SignatureProperties)
Properties(java.util.Properties)
RealmProperties(org.apache.cxf.sts.token.realm.RealmProperties)
KeyStore(java.security.KeyStore)
JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders)
JwsJwtCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer)
Crypto(org.apache.wss4j.common.crypto.Crypto)
SignatureProperties(org.apache.cxf.sts.SignatureProperties)
WSPasswordCallback(org.apache.wss4j.common.ext.WSPasswordCallback)
Merlin(org.apache.wss4j.common.crypto.Merlin)
JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider)
Aggregations
JwsHeaders (org.apache.cxf.rs.security.jose.jws.JwsHeaders)42
JwsJwtCompactProducer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer)25
JwtClaims (org.apache.cxf.rs.security.jose.jwt.JwtClaims)22
JwsSignatureProvider (org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider)20
JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken)20
Date (java.util.Date)16
Calendar (java.util.Calendar)11
JsonWebKey (org.apache.cxf.rs.security.jose.jwk.JsonWebKey)10
JsonWebKeys (org.apache.cxf.rs.security.jose.jwk.JsonWebKeys)10
HmacJwsSignatureProvider (org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider)10
NoneJwsSignatureProvider (org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider)10
SyncopeClient (org.apache.syncope.client.lib.SyncopeClient)10
Test (org.junit.jupiter.api.Test)10
JwsJsonProducer (org.apache.cxf.rs.security.jose.jws.JwsJsonProducer)9
Test (org.junit.Test)9
AccessControlException (java.security.AccessControlException)8
WebClient (org.apache.cxf.jaxrs.client.WebClient)8
JwsJsonConsumer (org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer)8
Properties (java.util.Properties)7
Response (javax.ws.rs.core.Response)7
