From 475b1547dc35608925b4dc07a70130b34c355d1b Mon Sep 17 00:00:00 2001
From: YuriyZ
Date: Fri, 29 Apr 2022 14:23:04 +0300
Subject: [PATCH] fix(jans-auth-server): during encryption AS must consider client's jwks too, not only jwks_uri https://github.com/JanssenProject/jans/issues/1273
---
 .../io/jans/as/common/util/CommonUtils.java | 21 +++++++++++++++++++
 .../io/jans/as/server/auth/MTLSService.java | 7 ++-----
 .../authorize/ws/rs/AuthzRequestService.java | 7 ++++---
 .../authorize/JwtAuthorizationRequest.java | 6 ++----
 .../server/model/token/ClientAssertion.java | 7 ++-----
 .../as/server/model/token/JwrService.java | 7 ++++---
 .../ws/rs/UserInfoRestWebServiceImpl.java | 3 ++-
 7 files changed, 37 insertions(+), 21 deletions(-)
 create mode 100644 jans-auth-server/common/src/main/java/io/jans/as/common/util/CommonUtils.java
diff --git a/jans-auth-server/common/src/main/java/io/jans/as/common/util/CommonUtils.java b/jans-auth-server/common/src/main/java/io/jans/as/common/util/CommonUtils.java
new file mode 100644
index 00000000000..279094291d5
--- /dev/null
+++ b/jans-auth-server/common/src/main/java/io/jans/as/common/util/CommonUtils.java
@@ -0,0 +1,21 @@
+package io.jans.as.common.util;
+
+import com.google.common.base.Strings;
+import io.jans.as.common.model.registration.Client;
+import io.jans.as.model.util.JwtUtil;
+import org.json.JSONObject;
+
+/**
+ * @author Yuriy Zabrovarnyy
+ */
+public class CommonUtils {
+
+ private CommonUtils() {
+ }
+
+ public static JSONObject getJwks(Client client) {
+ return Strings.isNullOrEmpty(client.getJwks())
+ ? JwtUtil.getJSONWebKeys(client.getJwksUri())
+ : new JSONObject(client.getJwks());
+ }
+}
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/auth/MTLSService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/auth/MTLSService.java
index 7a9e1db8e42..a5884c78c22 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/auth/MTLSService.java
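Review bot: The new public `getJwks` helper has no Javadoc, and since it is now the single place deciding between a client's inline `jwks` and its `jwks_uri` for both signature verification and response encryption, its precedence rule and return contract should be written down. A doc comment saying that the registered {@code jwks} value takes precedence and {@code jwks_uri} is consulted only when it is null or empty, with `@return the client's JWKS, or {@code null} if neither source yields keys` and `@throws JSONException if the registered {@code jwks} value is not valid JSON`, would cover it; the `new JSONObject(...)` branch throws unchecked on malformed input, and that path is new for the encryption callers in JwrService and UserInfoRestWebServiceImpl. Whether `JwtUtil.getJSONWebKeys` returns null on a failed fetch is not visible in this patch, though the null check kept in MTLSService suggests it does, so the nullability wording should be confirmed against that method. An `Objects.requireNonNull(client, "client")` at the top would also make a missing client fail with a named error instead of a bare NullPointerException.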
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/auth/MTLSService.java
@@ -6,8 +6,8 @@
 package io.jans.as.server.auth;
-import com.google.common.base.Strings;
 import io.jans.as.common.model.registration.Client;
+import io.jans.as.common.util.CommonUtils;
 import io.jans.as.model.authorize.AuthorizeRequestParam;
 import io.jans.as.model.common.AuthenticationMethod;
 import io.jans.as.model.common.Prompt;
@@ -19,7 +19,6 @@
 import io.jans.as.model.token.TokenErrorResponseType;
 import io.jans.as.model.util.CertUtils;
 import io.jans.as.model.util.HashUtil;
-import io.jans.as.model.util.JwtUtil;
 import io.jans.as.server.model.common.SessionId;
 import io.jans.as.server.model.common.SessionIdState;
 import io.jans.as.server.service.SessionIdService;
@@ -130,9 +129,7 @@ public boolean processMTLS(HttpServletRequest httpRequest, HttpServletResponse h
 final PublicKey publicKey = cert.getPublicKey();
 final byte[] encodedKey = publicKey.getEncoded();
- JSONObject jsonWebKeys = Strings.isNullOrEmpty(client.getJwks())
- ? JwtUtil.getJSONWebKeys(client.getJwksUri())
- : new JSONObject(client.getJwks());
+ JSONObject jsonWebKeys = CommonUtils.getJwks(client);
 if (jsonWebKeys == null) {
 log.debug("Unable to load json web keys for client: {}, jwks_uri: {}, jks: {}", client.getClientId(),
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthzRequestService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthzRequestService.java
index f3b7512a9fc..c8904e938df 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthzRequestService.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthzRequestService.java
@@ -4,6 +4,7 @@
 import com.google.common.collect.Sets;
 import io.jans.as.common.model.common.User;
 import io.jans.as.common.model.registration.Client;
+import io.jans.as.common.util.CommonUtils;
 import io.jans.as.model.authorize.AuthorizeErrorResponseType;
 import io.jans.as.model.common.ResponseMode;
 import io.jans.as.model.config.WebKeysConfiguration;
@@ -352,7 +353,7 @@ private void fillRedirectUriResponseforJARM(RedirectUriResponse redirectUriRespo
 String nestedKeyId = new ServerCryptoProvider(cryptoProvider).getKeyId(webKeysConfiguration, Algorithm.fromString(signatureAlgorithm.getName()), Use.SIGNATURE);
- JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
+ JSONObject jsonWebKeys = CommonUtils.getJwks(client);
 redirectUriResponse.getRedirectUri().setNestedJsonWebKeys(jsonWebKeys);
 String clientSecret = clientService.decryptSecret(client.getClientSecret());
@@ -361,7 +362,7 @@ private void fillRedirectUriResponseforJARM(RedirectUriResponse redirectUriRespo
 } // Encrypted response
- JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
+ JSONObject jsonWebKeys = CommonUtils.getJwks(client);
 if (jsonWebKeys != null) {
 keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys), Algorithm.fromString(client.getAttributes().getAuthorizationEncryptedResponseAlg()),
@@ -382,7 +383,7 @@ private void fillRedirectUriResponseforJARM(RedirectUriResponse redirectUriRespo
 keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(webKeysConfiguration, Algorithm.fromString(signatureAlgorithm.getName()), Use.SIGNATURE);
- JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
+ JSONObject jsonWebKeys = CommonUtils.getJwks(client);
 redirectUriResponse.getRedirectUri().setJsonWebKeys(jsonWebKeys);
 String clientSecret = clientService.decryptSecret(client.getClientSecret());
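Review bot: `CommonUtils.getJwks(client)` is now called up to three times inside `fillRedirectUriResponseforJARM` (the `@@ -352`, `@@ -361` and `@@ -382` hunks each declare their own `jsonWebKeys` local), and when the client has no inline `jwks` each call presumably resolves `jwks_uri` remotely again. Resolving the key set once near the top of the method and reusing it would avoid the repeated lookups and keep the signing and encryption branches working from the same key material; a single `JSONObject clientJwks = CommonUtils.getJwks(client);` with the three sites reading it would do. The first and third sites pass the value to `setNestedJsonWebKeys`/`setJsonWebKeys` without the null check that the second site keeps, so how those setters behave on a null key set should be confirmed. The method starts and ends outside the hunks.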
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/authorize/JwtAuthorizationRequest.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/authorize/JwtAuthorizationRequest.java
index b7bc277009a..aac864aae58 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/authorize/JwtAuthorizationRequest.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/authorize/JwtAuthorizationRequest.java
@@ -6,9 +6,9 @@
 package io.jans.as.server.model.authorize;
-import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
 import io.jans.as.common.model.registration.Client;
+import io.jans.as.common.util.CommonUtils;
 import io.jans.as.model.authorize.AuthorizeErrorResponseType;
 import io.jans.as.model.common.Display;
 import io.jans.as.model.common.Prompt;
@@ -322,9 +322,7 @@ private void loadPayload(String payload) throws JSONException, UnsupportedEncodi
 private boolean validateSignature(@NotNull AbstractCryptoProvider cryptoProvider, SignatureAlgorithm signatureAlgorithm, Client client, String signingInput, String signature) throws Exception {
 ClientService clientService = CdiUtil.bean(ClientService.class);
 String sharedSecret = clientService.decryptSecret(client.getClientSecret());
- JSONObject jwks = Strings.isNullOrEmpty(client.getJwks()) ?
- JwtUtil.getJSONWebKeys(client.getJwksUri()) :
- new JSONObject(client.getJwks());
+ JSONObject jwks = CommonUtils.getJwks(client);
 return cryptoProvider.verifySignature(signingInput, signature, keyId, jwks, sharedSecret, signatureAlgorithm);
 }
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/ClientAssertion.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/ClientAssertion.java
index 58993b50444..3146aa12757 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/ClientAssertion.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/ClientAssertion.java
@@ -6,8 +6,8 @@
 package io.jans.as.server.model.token;
-import com.google.common.base.Strings;
 import io.jans.as.common.model.registration.Client;
+import io.jans.as.common.util.CommonUtils;
 import io.jans.as.model.common.AuthenticationMethod;
 import io.jans.as.model.configuration.AppConfiguration;
 import io.jans.as.model.crypto.AbstractCryptoProvider;
@@ -19,7 +19,6 @@
 import io.jans.as.model.jwt.JwtHeaderName;
 import io.jans.as.model.jwt.JwtType;
 import io.jans.as.model.token.ClientAssertionType;
-import io.jans.as.model.util.JwtUtil;
 import io.jans.as.server.service.ClientService;
 import io.jans.service.cdi.util.CdiUtil;
 import io.jans.util.security.StringEncrypter;
@@ -108,9 +107,7 @@ private boolean load(AppConfiguration appConfiguration, AbstractCryptoProvider c
 // Validate the crypto segment
 String keyId = jwt.getHeader().getKeyId();
- JSONObject jwks = Strings.isNullOrEmpty(client.getJwks()) ?
- JwtUtil.getJSONWebKeys(client.getJwksUri()) :
- new JSONObject(client.getJwks());
+ JSONObject jwks = CommonUtils.getJwks(client);
 String sharedSecret = clientService.decryptSecret(client.getClientSecret());
 boolean validSignature = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(), keyId, jwks, sharedSecret, signatureAlgorithm);
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/JwrService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/JwrService.java
index bb672af5885..55a317f3275 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/JwrService.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/token/JwrService.java
@@ -7,6 +7,7 @@
 package io.jans.as.server.model.token;
 import io.jans.as.common.model.registration.Client;
+import io.jans.as.common.util.CommonUtils;
 import io.jans.as.model.config.WebKeysConfiguration;
 import io.jans.as.model.configuration.AppConfiguration;
 import io.jans.as.model.crypto.AbstractCryptoProvider;
@@ -22,12 +23,12 @@
 import io.jans.as.model.jwt.Jwt;
 import io.jans.as.model.jwt.JwtType;
 import io.jans.as.model.token.JsonWebResponse;
-import io.jans.as.model.util.JwtUtil;
 import io.jans.as.server.model.common.IAuthorizationGrant;
 import io.jans.as.server.service.ClientService;
 import io.jans.as.server.service.SectorIdentifierService;
 import io.jans.as.server.service.ServerCryptoProvider;
 import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.BooleanUtils;
 import org.json.JSONObject;
 import org.slf4j.Logger;
@@ -91,7 +92,7 @@ private Jwt signJwt(Jwt jwt, Client client) throws Exception {
 private Jwe encryptJwe(Jwe jwe, Client client) throws Exception {
- if (appConfiguration.getUseNestedJwtDuringEncryption()) {
+ if (BooleanUtils.isTrue(appConfiguration.getUseNestedJwtDuringEncryption())) {
 JwtSigner jwtSigner = JwtSigner.newJwtSigner(appConfiguration, webKeysConfiguration, client);
 Jwt jwt = jwtSigner.newJwt();
 jwt.setClaims(jwe.getClaims());
@@ -102,7 +103,7 @@ private Jwe encryptJwe(Jwe jwe, Client client) throws Exception {
 final BlockEncryptionAlgorithm encryptionMethod = jwe.getHeader().getEncryptionMethod();
 if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
- JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
+ JSONObject jsonWebKeys = CommonUtils.getJwks(client);
 String keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys), Algorithm.fromString(keyEncryptionAlgorithm.getName()), Use.ENCRYPTION);
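Review bot: `JSONWebKeySet.fromJSONObject(jsonWebKeys)` on the line after the new `CommonUtils.getJwks(client)` call has no null guard, although MTLSService in this same patch treats a null result from that helper as possible; a client with neither an inline `jwks` nor a resolvable `jwks_uri` would then fail encryption with a bare NullPointerException rather than a clear error. A guard such as `if (jsonWebKeys == null) { throw new IllegalStateException("No JWKS available to encrypt response for client " + client.getClientId()); }` before the `getKeyId` call would make the failure mode explicit (the exception type should follow whatever the callers of `encryptJwe` already handle). The same gap exists in the UserInfoRestWebServiceImpl hunk, where `CommonUtils.getJwks(authorizationGrant.getClient())` is likewise passed straight into `JSONWebKeySet.fromJSONObject`. Separately, the `BooleanUtils.isTrue` change correctly avoids unboxing a null `Boolean`, but it introduces `org.apache.commons.lang3` alongside the existing `org.apache.commons.lang.StringUtils` import, so the file now depends on both commons-lang generations. The body of `encryptJwe` continues outside the hunk.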
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java b/jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java
index 75c3ca676c5..87bdc1241d6 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java
@@ -10,6 +10,7 @@
 import io.jans.as.common.model.common.User;
 import io.jans.as.common.model.registration.Client;
 import io.jans.as.common.service.AttributeService;
+import io.jans.as.common.util.CommonUtils;
 import io.jans.as.model.common.ComponentType;
 import io.jans.as.model.common.ScopeType;
 import io.jans.as.model.config.Constants;
@@ -290,7 +291,7 @@ public String getJweResponse(
 // Encryption
 if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
- JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(authorizationGrant.getClient().getJwksUri());
+ JSONObject jsonWebKeys = CommonUtils.getJwks(authorizationGrant.getClient());
 String keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys), Algorithm.fromString(keyEncryptionAlgorithm.getName()), Use.ENCRYPTION);