Example 1 with PrivateKeyPasswordProvider
use of org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider in project cxf by apache.
the class JweUtils method loadDecryptionProvider.
public static JweDecryptionProvider loadDecryptionProvider(Properties props, JweHeaders inHeaders) {
Message m = PhaseInterceptorChain.getCurrentMessage();
KeyDecryptionProvider keyDecryptionProvider = null;
ContentAlgorithm contentAlgo = getContentEncryptionAlgorithm(m, props, null, ContentAlgorithm.A128GCM);
SecretKey ctDecryptionKey = null;
KeyAlgorithm keyAlgo = getKeyEncryptionAlgorithm(m, props, null, null);
if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN) != null) {
// Supporting loading a private key via a certificate for now
List<X509Certificate> chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
KeyManagementUtils.validateCertificateChain(props, chain);
X509Certificate cert = chain == null ? null : chain.get(0);
PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, cert, KeyOperation.DECRYPT);
if (keyAlgo == null) {
keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
}
contentAlgo = inHeaders.getContentEncryptionAlgorithm();
keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
} else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
X509Certificate foundCert = KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509Thumbprint(), MessageDigestUtils.ALGO_SHA_1, m, props);
if (foundCert != null) {
PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, foundCert, KeyOperation.DECRYPT);
if (keyAlgo == null) {
keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
}
contentAlgo = inHeaders.getContentEncryptionAlgorithm();
keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
}
} else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT_SHA256) != null) {
X509Certificate foundCert = KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509ThumbprintSHA256(), MessageDigestUtils.ALGO_SHA_256, m, props);
if (foundCert != null) {
PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, foundCert, KeyOperation.DECRYPT);
if (keyAlgo == null) {
keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
}
contentAlgo = inHeaders.getContentEncryptionAlgorithm();
keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
}
} else {
if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.DECRYPT);
if (jwk == null) {
LOG.warning("Extracting the JsonWebKey failed");
throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE);
}
if (KeyAlgorithm.DIRECT == keyAlgo) {
contentAlgo = getContentEncryptionAlgorithm(m, props, ContentAlgorithm.getAlgorithm(jwk.getAlgorithm()), ContentAlgorithm.A128GCM);
ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentAlgo.getJwaName());
} else {
keyAlgo = getKeyEncryptionAlgorithm(m, props, KeyAlgorithm.getAlgorithm(jwk.getAlgorithm()), getDefaultKeyAlgorithm(jwk));
keyDecryptionProvider = getKeyDecryptionProvider(jwk, keyAlgo);
}
} else if (keyAlgo != null && AlgorithmUtils.PBES_HS_SET.contains(keyAlgo.getJwaName())) {
PrivateKeyPasswordProvider provider = KeyManagementUtils.loadPasswordProvider(m, props, KeyOperation.DECRYPT);
char[] password = provider != null ? provider.getPassword(props) : null;
if (password == null) {
throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE);
}
keyDecryptionProvider = new PbesHmacAesWrapKeyDecryptionAlgorithm(new String(password));
} else {
PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, KeyOperation.DECRYPT);
if (keyAlgo == null) {
keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
}
keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
}
}
return createJweDecryptionProvider(keyDecryptionProvider, ctDecryptionKey, contentAlgo);
}
Also used :
ECPrivateKey(java.security.interfaces.ECPrivateKey)
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)
PrivateKey(java.security.PrivateKey)
Message(org.apache.cxf.message.Message)
JsonWebKey(org.apache.cxf.rs.security.jose.jwk.JsonWebKey)
PrivateKeyPasswordProvider(org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider)
X509Certificate(java.security.cert.X509Certificate)
KeyAlgorithm(org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm)
SecretKey(javax.crypto.SecretKey)
ContentAlgorithm(org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm)
Example 2 with PrivateKeyPasswordProvider
use of org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider in project cxf by apache.
the class JwkUtils method loadJsonWebKey.
public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper, String inHeaderKid) {
PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props, keyOper);
JsonWebKeys jwkSet = loadJwkSet(m, props, cb);
final String kid;
if (inHeaderKid != null && MessageUtils.getContextualBoolean(m, JoseConstants.RSSEC_ACCEPT_PUBLIC_KEY, false)) {
kid = inHeaderKid;
} else {
kid = KeyManagementUtils.getKeyId(m, props, JoseConstants.RSSEC_KEY_STORE_ALIAS, keyOper);
}
if (kid != null) {
return jwkSet.getKey(kid);
} else if (keyOper != null) {
List<JsonWebKey> keys = jwkSet.getKeyOperationMap().get(keyOper);
if (keys != null && keys.size() == 1) {
return keys.get(0);
}
}
return null;
}
Also used :
List(java.util.List)
ArrayList(java.util.ArrayList)
PrivateKeyPasswordProvider(org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider)
Example 3 with PrivateKeyPasswordProvider
use of org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider in project cxf by apache.
the class JAXRSHTTPSignatureTest method testHttpSignaturePropertiesPasswordProvider.
@Test
public void testHttpSignaturePropertiesPasswordProvider() {
URL busFile = JAXRSHTTPSignatureTest.class.getResource("client.xml");
CreateSignatureInterceptor signatureFilter = new CreateSignatureInterceptor();
String address = "http://localhost:" + PORT + "/httpsig/bookstore/books";
WebClient client = WebClient.create(address, Collections.singletonList(signatureFilter), busFile.toString());
client.type("application/xml").accept("application/xml");
Map<String, Object> properties = new HashMap<>();
properties.put("rs.security.keystore.alias", "alice");
properties.put("rs.security.keystore.password", "password");
properties.put("rs.security.keystore.file", "keys/alice.jks");
PrivateKeyPasswordProvider passwordProvider = storeProperties -> "password".toCharArray();
properties.put("rs.security.key.password.provider", passwordProvider);
properties.put("rs.security.http.signature.key.id", "alice-key-id");
WebClient.getConfig(client).getRequestContext().putAll(properties);
Response response = client.post(new Book("CXF", 126L));
assertEquals(200, response.getStatus());
Book returnedBook = response.readEntity(Book.class);
assertEquals(126L, returnedBook.getId());
}
Also used :
KeyPair(java.security.KeyPair)
CreateSignatureInterceptor(org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor)
Arrays(java.util.Arrays)
MessageDigestInputStream(org.apache.cxf.common.util.MessageDigestInputStream)
Provider(javax.ws.rs.ext.Provider)
BeforeClass(org.junit.BeforeClass)
URL(java.net.URL)
MessageDigest(java.security.MessageDigest)
Priorities(javax.ws.rs.Priorities)
HashMap(java.util.HashMap)
ClientRequestFilter(javax.ws.rs.client.ClientRequestFilter)
ArrayList(java.util.ArrayList)
MediaType(javax.ws.rs.core.MediaType)
VerifySignatureClientFilter(org.apache.cxf.rs.security.httpsignature.filters.VerifySignatureClientFilter)
Map(java.util.Map)
AbstractBusClientServerTestBase(org.apache.cxf.testutil.common.AbstractBusClientServerTestBase)
Assert.fail(org.junit.Assert.fail)
OutputStream(java.io.OutputStream)
KeyPairGenerator(java.security.KeyPairGenerator)
ClientRequestContext(javax.ws.rs.client.ClientRequestContext)
PrivateKeyPasswordProvider(org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider)
WebClient(org.apache.cxf.jaxrs.client.WebClient)
Assert.assertNotNull(org.junit.Assert.assertNotNull)
IOUtils(org.apache.cxf.helpers.IOUtils)
Assert.assertTrue(org.junit.Assert.assertTrue)
IOException(java.io.IOException)
KeyStore(java.security.KeyStore)
Test(org.junit.Test)
ClassLoaderUtils(org.apache.cxf.common.classloader.ClassLoaderUtils)
Collectors(java.util.stream.Collectors)
StandardCharsets(java.nio.charset.StandardCharsets)
MessageVerifier(org.apache.cxf.rs.security.httpsignature.MessageVerifier)
Objects(java.util.Objects)
MultivaluedMap(javax.ws.rs.core.MultivaluedMap)
MessageSigner(org.apache.cxf.rs.security.httpsignature.MessageSigner)
Priority(javax.annotation.Priority)
Base64(java.util.Base64)
List(java.util.List)
Book(org.apache.cxf.systest.jaxrs.security.Book)
WriterInterceptorContext(javax.ws.rs.ext.WriterInterceptorContext)
Response(javax.ws.rs.core.Response)
PrivateKey(java.security.PrivateKey)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
Collections(java.util.Collections)
CachedOutputStream(org.apache.cxf.io.CachedOutputStream)
Assert.assertEquals(org.junit.Assert.assertEquals)
Response(javax.ws.rs.core.Response)
CreateSignatureInterceptor(org.apache.cxf.rs.security.httpsignature.filters.CreateSignatureInterceptor)
HashMap(java.util.HashMap)
Book(org.apache.cxf.systest.jaxrs.security.Book)
WebClient(org.apache.cxf.jaxrs.client.WebClient)
PrivateKeyPasswordProvider(org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider)
URL(java.net.URL)
Test(org.junit.Test)
Example 4 with PrivateKeyPasswordProvider
use of org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider in project cxf by apache.
the class JAXRSJweJwsTest method testJweRsaJwsRsaCert.
@Test
public void testJweRsaJwsRsaCert() throws Exception {
String address = "https://localhost:" + PORT + "/jwejwsrsacert";
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
SpringBusFactory bf = new SpringBusFactory();
URL busFile = JAXRSJweJwsTest.class.getResource("client.xml");
Bus springBus = bf.createBus(busFile.toString());
bean.setBus(springBus);
bean.setServiceClass(BookStore.class);
bean.setAddress(address);
List<Object> providers = new LinkedList<>();
JweWriterInterceptor jweWriter = new JweWriterInterceptor();
jweWriter.setUseJweOutputStream(true);
providers.add(jweWriter);
providers.add(new JweClientResponseFilter());
JwsWriterInterceptor jwsWriter = new JwsWriterInterceptor();
jwsWriter.setUseJwsOutputStream(true);
providers.add(jwsWriter);
providers.add(new JwsClientResponseFilter());
bean.setProviders(providers);
bean.getProperties(true).put("rs.security.keystore.file", "org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt");
bean.getProperties(true).put("rs.security.signature.out.properties", CLIENT_JWEJWS_PROPERTIES);
bean.getProperties(true).put("rs.security.encryption.in.properties", CLIENT_JWEJWS_PROPERTIES);
PrivateKeyPasswordProvider provider = new PrivateKeyPasswordProviderImpl();
bean.getProperties(true).put("rs.security.signature.key.password.provider", provider);
bean.getProperties(true).put("rs.security.decryption.key.password.provider", provider);
BookStore bs = bean.create(BookStore.class);
WebClient.getConfig(bs).getRequestContext().put("rs.security.keystore.alias.jwe.out", "AliceCert");
WebClient.getConfig(bs).getRequestContext().put("rs.security.keystore.alias.jws.in", "AliceCert");
String text = bs.echoText("book");
assertEquals("book", text);
}
Also used :
Bus(org.apache.cxf.Bus)
BookStore(org.apache.cxf.systest.jaxrs.security.jose.BookStore)
JwsClientResponseFilter(org.apache.cxf.rs.security.jose.jaxrs.JwsClientResponseFilter)
JAXRSClientFactoryBean(org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean)
JweWriterInterceptor(org.apache.cxf.rs.security.jose.jaxrs.JweWriterInterceptor)
PrivateKeyPasswordProvider(org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider)
URL(java.net.URL)
LinkedList(java.util.LinkedList)
SpringBusFactory(org.apache.cxf.bus.spring.SpringBusFactory)
JweClientResponseFilter(org.apache.cxf.rs.security.jose.jaxrs.JweClientResponseFilter)
JwsWriterInterceptor(org.apache.cxf.rs.security.jose.jaxrs.JwsWriterInterceptor)
Test(org.junit.Test)
Example 5 with PrivateKeyPasswordProvider
use of org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider in project cxf by apache.
the class JAXRSJweJwsTest method doTestJweJwkAesCbcHMac.
private void doTestJweJwkAesCbcHMac(String propFile) throws Exception {
String address = "https://localhost:" + PORT + "/jwejwkaescbchmac";
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
SpringBusFactory bf = new SpringBusFactory();
URL busFile = JAXRSJweJwsTest.class.getResource("client.xml");
Bus springBus = bf.createBus(busFile.toString());
bean.setBus(springBus);
bean.setServiceClass(BookStore.class);
bean.setAddress(address);
List<Object> providers = new LinkedList<>();
JweWriterInterceptor jweWriter = new JweWriterInterceptor();
jweWriter.setUseJweOutputStream(true);
providers.add(jweWriter);
providers.add(new JweClientResponseFilter());
bean.setProviders(providers);
bean.getProperties(true).put("rs.security.encryption.properties", propFile);
PrivateKeyPasswordProvider provider = new PrivateKeyPasswordProviderImpl("Thus from my lips, by yours, my sin is purged.");
bean.getProperties(true).put("rs.security.key.password.provider", provider);
BookStore bs = bean.create(BookStore.class);
String text = bs.echoText("book");
assertEquals("book", text);
}
Also used :
Bus(org.apache.cxf.Bus)
BookStore(org.apache.cxf.systest.jaxrs.security.jose.BookStore)
JAXRSClientFactoryBean(org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean)
JweWriterInterceptor(org.apache.cxf.rs.security.jose.jaxrs.JweWriterInterceptor)
PrivateKeyPasswordProvider(org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider)
URL(java.net.URL)
LinkedList(java.util.LinkedList)
SpringBusFactory(org.apache.cxf.bus.spring.SpringBusFactory)
JweClientResponseFilter(org.apache.cxf.rs.security.jose.jaxrs.JweClientResponseFilter)
Aggregations
PrivateKeyPasswordProvider (org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider)10
URL (java.net.URL)5
LinkedList (java.util.LinkedList)4
Bus (org.apache.cxf.Bus)4
SpringBusFactory (org.apache.cxf.bus.spring.SpringBusFactory)4
JAXRSClientFactoryBean (org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean)4
JweWriterInterceptor (org.apache.cxf.rs.security.jose.jaxrs.JweWriterInterceptor)4
JweClientResponseFilter (org.apache.cxf.rs.security.jose.jaxrs.JweClientResponseFilter)3
BookStore (org.apache.cxf.systest.jaxrs.security.jose.BookStore)3
Test (org.junit.Test)3
KeyStore (java.security.KeyStore)2
PrivateKey (java.security.PrivateKey)2
ArrayList (java.util.ArrayList)2
List (java.util.List)2
JwsWriterInterceptor (org.apache.cxf.rs.security.jose.jaxrs.JwsWriterInterceptor)2
IOException (java.io.IOException)1
OutputStream (java.io.OutputStream)1
StandardCharsets (java.nio.charset.StandardCharsets)1
KeyPair (java.security.KeyPair)1
KeyPairGenerator (java.security.KeyPairGenerator)1
