Search in sources :

Example 41 with JwsHeaders

use of org.apache.cxf.rs.security.jose.jws.JwsHeaders in project cxf by apache.

the class JwsJoseCookBookTest method testMultipleSignatures.

@Test
public void testMultipleSignatures() throws Exception {
    try {
        Cipher.getInstance(AlgorithmUtils.ES_SHA_512_JAVA);
    } catch (Throwable t) {
        Security.addProvider(new BouncyCastleProvider());
    }
    try {
        JwsJsonProducer jsonProducer = new JwsJsonProducer(PAYLOAD);
        assertEquals(jsonProducer.getPlainPayload(), PAYLOAD);
        assertEquals(jsonProducer.getUnsignedEncodedPayload(), ENCODED_PAYLOAD);
        JwsHeaders firstSignerProtectedHeader = new JwsHeaders();
        firstSignerProtectedHeader.setSignatureAlgorithm(SignatureAlgorithm.RS256);
        JwsHeaders firstSignerUnprotectedHeader = new JwsHeaders();
        firstSignerUnprotectedHeader.setKeyId(RSA_KID_VALUE);
        JsonWebKeys jwks = readKeySet("cookbookPrivateSet.txt");
        List<JsonWebKey> keys = jwks.getKeys();
        JsonWebKey rsaKey = keys.get(1);
        jsonProducer.signWith(JwsUtils.getSignatureProvider(rsaKey, SignatureAlgorithm.RS256), firstSignerProtectedHeader, firstSignerUnprotectedHeader);
        assertEquals(jsonProducer.getSignatureEntries().get(0).toJson(), FIRST_SIGNATURE_ENTRY_MULTIPLE_SIGNATURES);
        JwsHeaders secondSignerUnprotectedHeader = new JwsHeaders();
        secondSignerUnprotectedHeader.setSignatureAlgorithm(SignatureAlgorithm.ES512);
        secondSignerUnprotectedHeader.setKeyId(ECDSA_KID_VALUE);
        JsonWebKey ecKey = keys.get(0);
        jsonProducer.signWith(JwsUtils.getSignatureProvider(ecKey, SignatureAlgorithm.ES512), null, secondSignerUnprotectedHeader);
        assertEquals(new JsonMapObjectReaderWriter().toJson(jsonProducer.getSignatureEntries().get(1).getUnprotectedHeader()), SECOND_SIGNATURE_UNPROTECTED_HEADER_MULTIPLE_SIGNATURES);
        assertEquals(jsonProducer.getSignatureEntries().get(1).toJson().length(), SECOND_SIGNATURE_ENTRY_MULTIPLE_SIGNATURES.length());
        JwsHeaders thirdSignerProtectedHeader = new JwsHeaders();
        thirdSignerProtectedHeader.setSignatureAlgorithm(SignatureAlgorithm.HS256);
        thirdSignerProtectedHeader.setKeyId(HMAC_KID_VALUE);
        JsonWebKeys secretJwks = readKeySet("cookbookSecretSet.txt");
        List<JsonWebKey> secretKeys = secretJwks.getKeys();
        JsonWebKey hmacKey = secretKeys.get(0);
        jsonProducer.signWith(JwsUtils.getSignatureProvider(hmacKey, SignatureAlgorithm.HS256), thirdSignerProtectedHeader);
        assertEquals(jsonProducer.getSignatureEntries().get(2).toJson(), THIRD_SIGNATURE_ENTRY_MULTIPLE_SIGNATURES);
        assertEquals(jsonProducer.getJwsJsonSignedDocument().length(), MULTIPLE_SIGNATURES_JSON_GENERAL_SERIALIZATION.length());
        JwsJsonConsumer jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
        JsonWebKeys publicJwks = readKeySet("cookbookPublicSet.txt");
        List<JsonWebKey> publicKeys = publicJwks.getKeys();
        JsonWebKey rsaPublicKey = publicKeys.get(1);
        JsonWebKey ecPublicKey = publicKeys.get(0);
        assertTrue(jsonConsumer.verifySignatureWith(rsaPublicKey, SignatureAlgorithm.RS256));
        assertTrue(jsonConsumer.verifySignatureWith(ecPublicKey, SignatureAlgorithm.ES512));
        assertTrue(jsonConsumer.verifySignatureWith(hmacKey, SignatureAlgorithm.HS256));
    } finally {
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
    }
}
Also used : JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders) JsonWebKeys(org.apache.cxf.rs.security.jose.jwk.JsonWebKeys) JsonWebKey(org.apache.cxf.rs.security.jose.jwk.JsonWebKey) JsonMapObjectReaderWriter(org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter) JwsJsonProducer(org.apache.cxf.rs.security.jose.jws.JwsJsonProducer) JwsJsonConsumer(org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) Test(org.junit.Test)

Example 42 with JwsHeaders

use of org.apache.cxf.rs.security.jose.jws.JwsHeaders in project cxf by apache.

the class JWTTokenProvider method signToken.

private String signToken(JwtClaims claims, RealmProperties jwtRealm, STSPropertiesMBean stsProperties) throws Exception {
    if (signToken) {
        // Initialise signature objects with defaults of STSPropertiesMBean
        Crypto signatureCrypto = stsProperties.getSignatureCrypto();
        CallbackHandler callbackHandler = stsProperties.getCallbackHandler();
        SignatureProperties signatureProperties = stsProperties.getSignatureProperties();
        String alias = stsProperties.getSignatureUsername();
        if (jwtRealm != null) {
            // callbackhandler and alias of STSPropertiesMBean is ignored
            if (jwtRealm.getSignatureCrypto() != null) {
                LOG.fine("SAMLRealm signature keystore used");
                signatureCrypto = jwtRealm.getSignatureCrypto();
                callbackHandler = jwtRealm.getCallbackHandler();
                alias = jwtRealm.getSignatureAlias();
            }
            // SignatureProperties can be defined independently of SignatureCrypto
            if (jwtRealm.getSignatureProperties() != null) {
                signatureProperties = jwtRealm.getSignatureProperties();
            }
        }
        // Get the signature algorithm to use - for now we don't allow the client to ask
        // for a particular signature algorithm, as with SAML
        String signatureAlgorithm = signatureProperties.getSignatureAlgorithm();
        try {
            SignatureAlgorithm.getAlgorithm(signatureAlgorithm);
        } catch (IllegalArgumentException ex) {
            signatureAlgorithm = SignatureAlgorithm.RS256.name();
        }
        // If alias not defined, get the default of the SignatureCrypto
        if ((alias == null || "".equals(alias)) && (signatureCrypto != null)) {
            alias = signatureCrypto.getDefaultX509Identifier();
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("Signature alias is null so using default alias: " + alias);
            }
        }
        // Get the password
        String password = null;
        if (callbackHandler != null) {
            WSPasswordCallback[] cb = { new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE) };
            callbackHandler.handle(cb);
            password = cb[0].getPassword();
        }
        Properties signingProperties = new Properties();
        signingProperties.put(JoseConstants.RSSEC_SIGNATURE_ALGORITHM, signatureAlgorithm);
        if (alias != null) {
            signingProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, alias);
        }
        if (password != null) {
            signingProperties.put(JoseConstants.RSSEC_KEY_PSWD, password);
        } else {
            throw new STSException("Can't get the password", STSException.REQUEST_FAILED);
        }
        if (!(signatureCrypto instanceof Merlin)) {
            throw new STSException("Can't get the keystore", STSException.REQUEST_FAILED);
        }
        KeyStore keystore = ((Merlin) signatureCrypto).getKeyStore();
        signingProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
        JwsHeaders jwsHeaders = new JwsHeaders(signingProperties);
        JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
        JwsSignatureProvider sigProvider = JwsUtils.loadSignatureProvider(signingProperties, jwsHeaders);
        return jws.signWith(sigProvider);
    }
    JwsHeaders jwsHeaders = new JwsHeaders(SignatureAlgorithm.NONE);
    JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
    return jws.getSignedEncodedJws();
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) STSException(org.apache.cxf.ws.security.sts.provider.STSException) EncryptionProperties(org.apache.cxf.sts.service.EncryptionProperties) SignatureProperties(org.apache.cxf.sts.SignatureProperties) Properties(java.util.Properties) RealmProperties(org.apache.cxf.sts.token.realm.RealmProperties) KeyStore(java.security.KeyStore) JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders) JwsJwtCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer) Crypto(org.apache.wss4j.common.crypto.Crypto) SignatureProperties(org.apache.cxf.sts.SignatureProperties) WSPasswordCallback(org.apache.wss4j.common.ext.WSPasswordCallback) Merlin(org.apache.wss4j.common.crypto.Merlin) JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider)

Aggregations

JwsHeaders (org.apache.cxf.rs.security.jose.jws.JwsHeaders)42 JwsJwtCompactProducer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer)25 JwtClaims (org.apache.cxf.rs.security.jose.jwt.JwtClaims)22 JwsSignatureProvider (org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider)20 JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken)20 Date (java.util.Date)16 Calendar (java.util.Calendar)11 JsonWebKey (org.apache.cxf.rs.security.jose.jwk.JsonWebKey)10 JsonWebKeys (org.apache.cxf.rs.security.jose.jwk.JsonWebKeys)10 HmacJwsSignatureProvider (org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider)10 NoneJwsSignatureProvider (org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider)10 SyncopeClient (org.apache.syncope.client.lib.SyncopeClient)10 Test (org.junit.jupiter.api.Test)10 JwsJsonProducer (org.apache.cxf.rs.security.jose.jws.JwsJsonProducer)9 Test (org.junit.Test)9 AccessControlException (java.security.AccessControlException)8 WebClient (org.apache.cxf.jaxrs.client.WebClient)8 JwsJsonConsumer (org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer)8 Properties (java.util.Properties)7 Response (javax.ws.rs.core.Response)7