
Example 1 with PrivateKeyPasswordProvider

use of org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider in project cxf by apache.

the class JweUtils method loadDecryptionProvider.

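/**
 * Builds the {@link JweDecryptionProvider} for an inbound JWE, selecting the key material from the
 * inbound JOSE headers when they name a certificate and from the configured properties otherwise.
 *
 * <p>Selection order (first match wins):
 * <ol>
 *   <li>{@code x5c} header: the chain is passed through
 *       {@link KeyManagementUtils#validateCertificateChain} and the private key paired with the
 *       leaf certificate is loaded.</li>
 *   <li>{@code x5t} (SHA-1) or {@code x5t#S256} (SHA-256) header: the matching locally configured
 *       certificate is looked up and its private key loaded. A thumbprint that matches no local
 *       certificate leaves the key-decryption provider {@code null}.</li>
 *   <li>No certificate header: a JWK store ({@code rs.security.keystore.type=jwk}), a PBES2
 *       password provider, or the configured private key.</li>
 * </ol>
 *
 * <p>Security notes: the inbound headers only choose among locally configured keys, they never
 * supply key material, and the key-encryption algorithm is read from the message context and
 * properties rather than from the inbound {@code alg} header. The content-encryption algorithm
 * ({@code enc}) is, however, taken from the inbound header in the certificate branches, so any
 * restriction on acceptable {@code enc} values has to be enforced downstream in
 * {@code createJweDecryptionProvider} or the decryption provider itself. The SHA-1 thumbprint is
 * what {@code x5t} is defined to be; it is a lookup key, not an integrity check.
 *
 * @param props     the decryption properties (key store, aliases, algorithm settings)
 * @param inHeaders the inbound JWE headers, may be {@code null}
 * @return a provider combining the key-decryption and content-decryption parts
 * @throws JweException with {@code KEY_DECRYPTION_FAILURE} when a JWK store is configured but no
 *         key could be extracted, or a PBES2 algorithm is configured but no password is available
 */
public static JweDecryptionProvider loadDecryptionProvider(Properties props, JweHeaders inHeaders) {
    Message m = PhaseInterceptorChain.getCurrentMessage();
    KeyDecryptionProvider keyDecryptionProvider = null;
    ContentAlgorithm contentAlgo = getContentEncryptionAlgorithm(m, props, null, ContentAlgorithm.A128GCM);
    SecretKey ctDecryptionKey = null;
    KeyAlgorithm keyAlgo = getKeyEncryptionAlgorithm(m, props, null, null);
    if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN) != null) {
        // Supporting loading a private key via a certificate for now
        List<X509Certificate> chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
        KeyManagementUtils.validateCertificateChain(props, chain);
        // Treat an empty chain like a missing one: chain.get(0) on an empty list would throw
        // IndexOutOfBoundsException instead of taking the null-certificate path. Whether
        // validateCertificateChain already rejects an empty chain is not visible here.
        X509Certificate cert = chain == null || chain.isEmpty() ? null : chain.get(0);
        keyDecryptionProvider = loadCertificateKeyDecryptionProvider(m, props, cert, keyAlgo);
        contentAlgo = inHeaders.getContentEncryptionAlgorithm();
    } else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
        X509Certificate foundCert = KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509Thumbprint(), MessageDigestUtils.ALGO_SHA_1, m, props);
        if (foundCert != null) {
            keyDecryptionProvider = loadCertificateKeyDecryptionProvider(m, props, foundCert, keyAlgo);
            contentAlgo = inHeaders.getContentEncryptionAlgorithm();
        }
    } else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT_SHA256) != null) {
        X509Certificate foundCert = KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509ThumbprintSHA256(), MessageDigestUtils.ALGO_SHA_256, m, props);
        if (foundCert != null) {
            keyDecryptionProvider = loadCertificateKeyDecryptionProvider(m, props, foundCert, keyAlgo);
            contentAlgo = inHeaders.getContentEncryptionAlgorithm();
        }
    } else {
        if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
            JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.DECRYPT);
            if (jwk == null) {
                LOG.warning("Extracting the JsonWebKey failed");
                throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE);
            }
            if (KeyAlgorithm.DIRECT == keyAlgo) {
                // "dir": the JWK itself is the content-encryption key; no key unwrapping step.
                contentAlgo = getContentEncryptionAlgorithm(m, props, ContentAlgorithm.getAlgorithm(jwk.getAlgorithm()), ContentAlgorithm.A128GCM);
                ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentAlgo.getJwaName());
            } else {
                keyAlgo = getKeyEncryptionAlgorithm(m, props, KeyAlgorithm.getAlgorithm(jwk.getAlgorithm()), getDefaultKeyAlgorithm(jwk));
                keyDecryptionProvider = getKeyDecryptionProvider(jwk, keyAlgo);
            }
        } else if (keyAlgo != null && AlgorithmUtils.PBES_HS_SET.contains(keyAlgo.getJwaName())) {
            PrivateKeyPasswordProvider provider = KeyManagementUtils.loadPasswordProvider(m, props, KeyOperation.DECRYPT);
            char[] password = provider != null ? provider.getPassword(props) : null;
            if (password == null) {
                throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE);
            }
            // NOTE(review): the char[] is copied into an immutable String because the PBES2
            // algorithm takes a String, so the secret stays in the heap until GC. The array is
            // deliberately not zeroed here because the provider may hand out a shared instance.
            keyDecryptionProvider = new PbesHmacAesWrapKeyDecryptionAlgorithm(new String(password));
        } else {
            PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, KeyOperation.DECRYPT);
            if (keyAlgo == null) {
                keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
            }
            keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
        }
    }
    return createJweDecryptionProvider(keyDecryptionProvider, ctDecryptionKey, contentAlgo);
}

/**
 * Loads the private key paired with {@code cert} for the DECRYPT operation and wraps it in a
 * key-decryption provider. When no key-encryption algorithm is configured, the default for the
 * key's type is used. Shared by the {@code x5c}, {@code x5t} and {@code x5t#S256} branches.
 *
 * @param m       the current message, may be {@code null}
 * @param props   the decryption properties
 * @param cert    the certificate selecting the private key, may be {@code null}
 * @param keyAlgo the configured key-encryption algorithm, or {@code null} to derive it from the key
 * @return the key-decryption provider for the loaded private key
 */
private static KeyDecryptionProvider loadCertificateKeyDecryptionProvider(Message m, Properties props,
                                                                          X509Certificate cert, KeyAlgorithm keyAlgo) {
    PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, cert, KeyOperation.DECRYPT);
    KeyAlgorithm effectiveKeyAlgo = keyAlgo != null ? keyAlgo : getDefaultPrivateKeyAlgorithm(privateKey);
    return getPrivateKeyDecryptionProvider(privateKey, effectiveKeyAlgo);
}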

Example 2 with PrivateKeyPasswordProvider

use of org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider in project cxf by apache.

the class JwkUtils method loadJsonWebKey.

/**
 * Resolves a single {@link JsonWebKey} from the configured JWK set.
 *
 * <p>The key id is taken from the inbound header only when the {@code rs.security.accept.public.key}
 * contextual property is explicitly enabled (it defaults to {@code false}); otherwise it comes from
 * the configured store alias for {@code keyOper}. Without any key id, the key is chosen by key
 * operation, and only when exactly one key declares that operation — an ambiguous set yields
 * {@code null} rather than an arbitrary key.
 *
 * @param m           the current message, used for contextual properties
 * @param props       the JOSE properties naming the JWK store and aliases
 * @param keyOper     the intended key operation, may be {@code null}
 * @param inHeaderKid the {@code kid} from the inbound JOSE header, may be {@code null}
 * @return the selected key, or {@code null} when none can be determined unambiguously
 */
public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper, String inHeaderKid) {
    PrivateKeyPasswordProvider passwordProvider = KeyManagementUtils.loadPasswordProvider(m, props, keyOper);
    JsonWebKeys keySet = loadJwkSet(m, props, passwordProvider);

    boolean trustHeaderKid = inHeaderKid != null
        && MessageUtils.getContextualBoolean(m, JoseConstants.RSSEC_ACCEPT_PUBLIC_KEY, false);
    String keyId = trustHeaderKid
        ? inHeaderKid
        : KeyManagementUtils.getKeyId(m, props, JoseConstants.RSSEC_KEY_STORE_ALIAS, keyOper);
    if (keyId != null) {
        return keySet.getKey(keyId);
    }
    if (keyOper == null) {
        return null;
    }
    List<JsonWebKey> candidates = keySet.getKeyOperationMap().get(keyOper);
    boolean unique = candidates != null && candidates.size() == 1;
    return unique ? candidates.get(0) : null;
}

Example 3 with PrivateKeyPasswordProvider

use of org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider in project cxf by apache.

the class JAXRSHTTPSignatureTest method testHttpSignaturePropertiesPasswordProvider.

/**
 * Posts a book to the HTTP-signature protected endpoint with the signing key unlocked through a
 * {@link PrivateKeyPasswordProvider} placed in the request context under
 * {@code rs.security.key.password.provider}, next to the key store settings. The provider is a
 * lambda returning a fresh {@code char[]} on every call; the fixed credentials are test fixtures.
 */
@Test
public void testHttpSignaturePropertiesPasswordProvider() {
    String endpoint = "http://localhost:" + PORT + "/httpsig/bookstore/books";
    URL busFile = JAXRSHTTPSignatureTest.class.getResource("client.xml");
    CreateSignatureInterceptor signingFilter = new CreateSignatureInterceptor();
    WebClient client = WebClient.create(endpoint, Collections.singletonList(signingFilter), busFile.toString());
    client.type("application/xml").accept("application/xml");

    // Key store location and alias for "alice"; the key password comes from the provider.
    PrivateKeyPasswordProvider passwordProvider = storeProperties -> "password".toCharArray();
    Map<String, Object> signatureConfig = new HashMap<>();
    signatureConfig.put("rs.security.keystore.alias", "alice");
    signatureConfig.put("rs.security.keystore.password", "password");
    signatureConfig.put("rs.security.keystore.file", "keys/alice.jks");
    signatureConfig.put("rs.security.key.password.provider", passwordProvider);
    signatureConfig.put("rs.security.http.signature.key.id", "alice-key-id");
    WebClient.getConfig(client).getRequestContext().putAll(signatureConfig);

    Response response = client.post(new Book("CXF", 126L));
    assertEquals(200, response.getStatus());
    Book echoed = response.readEntity(Book.class);
    assertEquals(126L, echoed.getId());
}

Example 4 with PrivateKeyPasswordProvider

use of org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider in project cxf by apache.

the class JAXRSJweJwsTest method testJweRsaJwsRsaCert.

/**
 * Client-side JWE and JWS round trip against {@code /jwejwsrsacert}: outbound messages are signed
 * and encrypted by the writer interceptors, inbound responses are decrypted and verified by the
 * response filters. One {@link PrivateKeyPasswordProviderImpl} unlocks both the signing key and
 * the decryption key, and the certificate aliases are supplied via the request context.
 */
@Test
public void testJweRsaJwsRsaCert() throws Exception {
    String endpoint = "https://localhost:" + PORT + "/jwejwsrsacert";
    JAXRSClientFactoryBean factory = new JAXRSClientFactoryBean();
    URL busFile = JAXRSJweJwsTest.class.getResource("client.xml");
    Bus bus = new SpringBusFactory().createBus(busFile.toString());
    factory.setBus(bus);
    factory.setServiceClass(BookStore.class);
    factory.setAddress(endpoint);

    // Encrypt-then-sign on the way out; the matching filters handle the response.
    JweWriterInterceptor jweWriter = new JweWriterInterceptor();
    jweWriter.setUseJweOutputStream(true);
    JwsWriterInterceptor jwsWriter = new JwsWriterInterceptor();
    jwsWriter.setUseJwsOutputStream(true);
    List<Object> providers = new LinkedList<>();
    providers.add(jweWriter);
    providers.add(new JweClientResponseFilter());
    providers.add(jwsWriter);
    providers.add(new JwsClientResponseFilter());
    factory.setProviders(providers);

    PrivateKeyPasswordProvider passwordProvider = new PrivateKeyPasswordProviderImpl();
    factory.getProperties(true).put("rs.security.keystore.file", "org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt");
    factory.getProperties(true).put("rs.security.signature.out.properties", CLIENT_JWEJWS_PROPERTIES);
    factory.getProperties(true).put("rs.security.encryption.in.properties", CLIENT_JWEJWS_PROPERTIES);
    factory.getProperties(true).put("rs.security.signature.key.password.provider", passwordProvider);
    factory.getProperties(true).put("rs.security.decryption.key.password.provider", passwordProvider);

    BookStore store = factory.create(BookStore.class);
    WebClient.getConfig(store).getRequestContext().put("rs.security.keystore.alias.jwe.out", "AliceCert");
    WebClient.getConfig(store).getRequestContext().put("rs.security.keystore.alias.jws.in", "AliceCert");
    assertEquals("book", store.echoText("book"));
}

Example 5 with PrivateKeyPasswordProvider

use of org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider in project cxf by apache.

the class JAXRSJweJwsTest method doTestJweJwkAesCbcHMac.

/**
 * Drives the {@code /jwejwkaescbchmac} endpoint with JWE encryption configured from
 * {@code propFile} (AES-CBC/HMAC content encryption with a JWK store, judging by the endpoint
 * name). The store password is supplied by a {@link PrivateKeyPasswordProviderImpl} registered
 * under {@code rs.security.key.password.provider}.
 *
 * @param propFile class-path location of the encryption properties used by the client
 * @throws Exception on any failure while creating the bus or invoking the service
 */
private void doTestJweJwkAesCbcHMac(String propFile) throws Exception {
    String endpoint = "https://localhost:" + PORT + "/jwejwkaescbchmac";
    JAXRSClientFactoryBean factory = new JAXRSClientFactoryBean();
    URL busFile = JAXRSJweJwsTest.class.getResource("client.xml");
    Bus bus = new SpringBusFactory().createBus(busFile.toString());
    factory.setBus(bus);
    factory.setServiceClass(BookStore.class);
    factory.setAddress(endpoint);

    JweWriterInterceptor jweWriter = new JweWriterInterceptor();
    jweWriter.setUseJweOutputStream(true);
    List<Object> providers = new LinkedList<>();
    providers.add(jweWriter);
    providers.add(new JweClientResponseFilter());
    factory.setProviders(providers);

    PrivateKeyPasswordProvider passwordProvider =
        new PrivateKeyPasswordProviderImpl("Thus from my lips, by yours, my sin is purged.");
    factory.getProperties(true).put("rs.security.encryption.properties", propFile);
    factory.getProperties(true).put("rs.security.key.password.provider", passwordProvider);

    BookStore store = factory.create(BookStore.class);
    assertEquals("book", store.echoText("book"));
}
