From 05f1a659d49c9de2186abbc5c19d1ffbb427b7c7 Mon Sep 17 00:00:00 2001 From: SMan Date: Fri, 21 Jan 2022 21:48:07 -0600 Subject: [PATCH 01/13] feat: extending crypto support, sub pr4; #142; --- .../io/jans/as/client/util/KeyGenerator.java | 9 +- .../as/model/crypto/AuthCryptoProvider.java | 2 +- .../io/jans/as/model/crypto/Certificate.java | 88 +++++++++++++++---- .../crypto/signature/EDDSAKeyFactory.java | 30 +++---- .../crypto/signature/SignatureAlgorithm.java | 16 ++-- .../java/io/jans/as/model/jwk/Algorithm.java | 5 +- .../io/jans/as/model/jws/ECDSASigner.java | 57 ++++++------ .../java/io/jans/as/model/util/HashUtil.java | 69 ++++++++++----- .../java/io/jans/as/model/util/JwtUtil.java | 33 +++++-- .../io/jans/as/model/util/HashUtilTest.java | 2 + 10 files changed, 209 insertions(+), 102 deletions(-) diff --git a/jans-auth-server/client/src/main/java/io/jans/as/client/util/KeyGenerator.java b/jans-auth-server/client/src/main/java/io/jans/as/client/util/KeyGenerator.java index 58b4f00557f..4ef570c1b4f 100644 --- a/jans-auth-server/client/src/main/java/io/jans/as/client/util/KeyGenerator.java +++ b/jans-auth-server/client/src/main/java/io/jans/as/client/util/KeyGenerator.java @@ -51,9 +51,9 @@ * Command example: * java -cp bcprov-jdk15on-1.54.jar:.jar:bcpkix-jdk15on-1.54.jar:commons-cli-1.2.jar:commons-codec-1.5.jar:commons-lang-2.6.jar:jettison-1.3.jar:log4j-1.2.14.jar:oxauth-model.jar:oxauth.jar KeyGenerator -h *

- * KeyGenerator -sig_keys RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448 -enc_keys RSA1_5 RSA-OAEP ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW -keystore /Users/JAVIER/tmp/mykeystore.jks -keypasswd secret -dnname "CN=Jans Auth CA Certificates" -expiration 365 + * KeyGenerator -sig_keys RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 EdDSA -enc_keys RSA1_5 RSA-OAEP RSA-OAEP-256 ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW -keystore /Users/JAVIER/tmp/mykeystore.jks -keypasswd secret -dnname "CN=Jans Auth CA Certificates" -expiration 365 *

- * KeyGenerator -sig_keys RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448 -ox11 https://ce.gluu.info:8443/oxeleven/rest/generateKey -expiration 365 -at xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + * KeyGenerator -sig_keys RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 EdDSA -ox11 https://ce.gluu.info:8443/oxeleven/rest/generateKey -expiration 365 -at xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx * * @author Javier Rojas Blum * @author Yuriy Movchan @@ -97,11 +97,11 @@ public Cli(String[] args) { this.args = args; Option signingKeysOption = new Option(SIGNING_KEYS, true, - "Signature keys to generate (RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 Ed25519 Ed448)."); + "Signature keys to generate (RS256 RS384 RS512 ES256 ES256K ES384 ES512 PS256 PS384 PS512 EdDSA)."); signingKeysOption.setArgs(Option.UNLIMITED_VALUES); Option encryptionKeysOption = new Option(ENCRYPTION_KEYS, true, - "Encryption keys to generate (RSA1_5 RSA-OAEP ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW)."); + "Encryption keys to generate (RSA1_5 RSA-OAEP RSA-OAEP-256 ECDH-ES ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW)."); encryptionKeysOption.setArgs(Option.UNLIMITED_VALUES); options.addOption(signingKeysOption); @@ -114,6 +114,7 @@ public Cli(String[] args) { options.addOption(EXPIRATION, true, "Expiration in days."); options.addOption(EXPIRATION_HOURS, true, "Expiration in hours."); options.addOption(KEY_LENGTH, true, "Key length"); + options.addOption(TEST_PROP_FILE, true, "Tests property file."); options.addOption(HELP, false, "Show help."); } diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/AuthCryptoProvider.java b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/AuthCryptoProvider.java index aff7d06c7c6..9eb30f31a47 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/AuthCryptoProvider.java +++ b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/AuthCryptoProvider.java 
@@ -461,7 +461,7 @@ private JSONObject generateKeySignature(Algorithm algorithm, Long expirationTime break; } case ED: { - EdDSAParameterSpec edSpec = new EdDSAParameterSpec(signatureAlgorithm.getName()); + EdDSAParameterSpec edSpec = new EdDSAParameterSpec(signatureAlgorithm.getCurve().getAlias()); keyGen = KeyPairGenerator.getInstance(signatureAlgorithm.getName(), "BC"); keyGen.initialize(edSpec, new SecureRandom()); break; diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java index d649b02031f..6f70b2da3b7 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java +++ b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java @@ -7,10 +7,12 @@ package io.jans.as.model.crypto; import io.jans.as.model.crypto.signature.ECDSAPublicKey; +import io.jans.as.model.crypto.signature.EDDSAPublicKey; import io.jans.as.model.crypto.signature.RSAPublicKey; import io.jans.as.model.crypto.signature.SignatureAlgorithm; import io.jans.as.model.util.StringUtils; import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey; +import org.bouncycastle.jcajce.provider.asymmetric.edec.BCEdDSAPublicKey; import org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPublicKey; import org.bouncycastle.openssl.jcajce.JcaPEMWriter; import org.json.JSONArray; 
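Review bot: The EdDSAParameterSpec here is built from `signatureAlgorithm.getCurve().getAlias()`, while the equivalent line in the EDDSAKeyFactory constructor hunk (`@@ -82` of that file, same patch) builds it from `signatureAlgorithm.getCurve().getName()`. EdDSAParameterSpec accepts only the curve identifiers it knows, so unless alias and name both resolve to exactly the same string for ED_25519 (the EllipticEdvardsCurve enum is not visible here), one of the two call sites will fail at `keyGen.initialize`. Use a single accessor at both sites, e.g. `EdDSAParameterSpec edSpec = new EdDSAParameterSpec(signatureAlgorithm.getCurve().getName());`, or better, give EllipticEdvardsCurve one method whose Javadoc states that it returns the JCA parameter name, so the mapping lives in one place. generateKeySignature begins and ends outside this hunk.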
@@ -21,19 +23,33 @@ import java.util.Arrays; /** + * Certificate, uses RSA, EcDSA, EdDSA. + * * @author Javier Rojas Blum - * @version June 29, 2016 + * @author Sergey Manoylo + * @version September 13, 2021 */ public class Certificate { - private final SignatureAlgorithm signatureAlgorithm; - private final X509Certificate x509Certificate; + private SignatureAlgorithm signatureAlgorithm; + private X509Certificate x509Certificate; + /** + * Constructor. + * + * @param signatureAlgorithm Signature algorithm (RS256, RS384, RS512, ES256, ES256K, ES384, ES512, PS256, PS384, PS512, EDDSA/Ed25519). + * @param x509Certificate X509 certificate. + */ public Certificate(SignatureAlgorithm signatureAlgorithm, X509Certificate x509Certificate) { this.signatureAlgorithm = signatureAlgorithm; this.x509Certificate = x509Certificate; } + /** + * Returns Public Key from X509 Certificate. + * + * @return Public Key from X509 Certificate. + */ public PublicKey getPublicKey() { PublicKey publicKey = null; 
@@ -46,34 +62,70 @@ public PublicKey getPublicKey() { publicKey = new ECDSAPublicKey(signatureAlgorithm, jceecPublicKey.getQ().getXCoord().toBigInteger(), jceecPublicKey.getQ().getYCoord().toBigInteger()); + } else if (x509Certificate != null && x509Certificate.getPublicKey() instanceof BCEdDSAPublicKey) { + BCEdDSAPublicKey jceedPublicKey = (BCEdDSAPublicKey) x509Certificate.getPublicKey(); + + publicKey = new EDDSAPublicKey(signatureAlgorithm, jceedPublicKey.getEncoded()); } return publicKey; } + /** + * Returns RSA Public Key from X509 Certificate. + * + * @return RSA Public Key from X509 Certificate. + */ public RSAPublicKey getRsaPublicKey() { RSAPublicKey rsaPublicKey = null; - - if (x509Certificate != null && x509Certificate.getPublicKey() instanceof BCRSAPublicKey) { - BCRSAPublicKey publicKey = (BCRSAPublicKey) x509Certificate.getPublicKey(); - - rsaPublicKey = new RSAPublicKey(publicKey.getModulus(), publicKey.getPublicExponent()); + if (x509Certificate != null) { + if (x509Certificate.getPublicKey() instanceof BCRSAPublicKey) { + BCRSAPublicKey publicKey = (BCRSAPublicKey) x509Certificate.getPublicKey(); + rsaPublicKey = new RSAPublicKey(publicKey.getModulus(), publicKey.getPublicExponent()); + } else if (x509Certificate.getPublicKey() instanceof java.security.interfaces.RSAPublicKey) { + java.security.interfaces.RSAPublicKey publicKey = (java.security.interfaces.RSAPublicKey) x509Certificate + .getPublicKey(); + rsaPublicKey = new RSAPublicKey(publicKey.getModulus(), publicKey.getPublicExponent()); + } } - return rsaPublicKey; } + /** + * Returns ECDSA Public Key from X509 Certificate. + * + * @return ECDSA Public Key from X509 Certificate. 
+ */ public ECDSAPublicKey getEcdsaPublicKey() { ECDSAPublicKey ecdsaPublicKey = null; + if (x509Certificate != null) { + if (x509Certificate.getPublicKey() instanceof BCECPublicKey) { + BCECPublicKey publicKey = (BCECPublicKey) x509Certificate.getPublicKey(); + ecdsaPublicKey = new ECDSAPublicKey(signatureAlgorithm, publicKey.getQ().getXCoord().toBigInteger(), + publicKey.getQ().getYCoord().toBigInteger()); + } else if (x509Certificate.getPublicKey() instanceof java.security.interfaces.ECPublicKey) { + java.security.interfaces.ECPublicKey publicKey = (java.security.interfaces.ECPublicKey) x509Certificate + .getPublicKey(); + ecdsaPublicKey = new ECDSAPublicKey(signatureAlgorithm, publicKey.getW().getAffineX(), + publicKey.getW().getAffineY()); + } + } + return ecdsaPublicKey; + } - if (x509Certificate != null && x509Certificate.getPublicKey() instanceof BCECPublicKey) { - BCECPublicKey publicKey = (BCECPublicKey) x509Certificate.getPublicKey(); - - ecdsaPublicKey = new ECDSAPublicKey(signatureAlgorithm, publicKey.getQ().getXCoord().toBigInteger(), - publicKey.getQ().getYCoord().toBigInteger()); + /** + * Returns EDDSA Public Key from X509 Certificate. + * + * @return EDDSA Public Key from X509 Certificate. + */ + public EDDSAPublicKey getEddsaPublicKey() { + EDDSAPublicKey eddsaPublicKey = null; + if (x509Certificate != null && x509Certificate.getPublicKey() instanceof BCEdDSAPublicKey) { + BCEdDSAPublicKey publicKey = (BCEdDSAPublicKey) x509Certificate.getPublicKey(); + eddsaPublicKey = new EDDSAPublicKey(signatureAlgorithm, publicKey.getEncoded()); } - return ecdsaPublicKey; + return eddsaPublicKey; } public JSONArray toJSONArray() throws JSONException { 
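Review bot: getEddsaPublicKey (and the EdDSA branch added to getPublicKey at the top of this hunk) passes `publicKey.getEncoded()` — the full SubjectPublicKeyInfo encoding — to the EDDSAPublicKey constructor, whereas JwtUtil.getPublicKey in this same patch constructs EDDSAPublicKey from the raw decoded JWK `x` bytes and EDDSAKeyFactory.getEncodedPubKey prepends an Ed25519Prefix to a raw key before use. Unless the EDDSAPublicKey constructor (not shown) normalises both forms, the same type will carry keys of two different encodings depending on which factory produced it; state the expected format in that constructor's Javadoc and convert here to match. Separately, the RSA and EC getters now fall back to the standard `java.security.interfaces` key types, but the EdDSA getter matches only `BCEdDSAPublicKey`, so a certificate whose key object comes from a non-BC provider yields null here; the same two-branch structure would be consistent. Each getter also calls `x509Certificate.getPublicKey()` up to three times; a local `PublicKey pk = x509Certificate.getPublicKey();` before the instanceof chain reads better and avoids repeated work.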
@@ -90,13 +142,17 @@ public JSONArray toJSONArray() throws JSONException { public String toString() { try { StringWriter stringWriter = new StringWriter(); - try (JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) { + JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter); + try { pemWriter.writeObject(x509Certificate); pemWriter.flush(); return stringWriter.toString(); + } finally { + pemWriter.close(); } } catch (Exception e) { return StringUtils.EMPTY_STRING; } } + } \ No newline at end of file diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java index 89b23202d3f..6dfbee460b4 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java +++ b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java @@ -16,7 +16,6 @@ import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.crypto.params.Ed25519PrivateKeyParameters; import org.bouncycastle.crypto.params.Ed25519PublicKeyParameters; -import org.bouncycastle.crypto.params.Ed448PublicKeyParameters; import org.bouncycastle.crypto.util.PrivateKeyInfoFactory; import org.bouncycastle.jcajce.provider.asymmetric.edec.BCEdDSAPrivateKey; import org.bouncycastle.jcajce.provider.asymmetric.edec.BCEdDSAPublicKey; @@ -82,7 +81,7 @@ public EDDSAKeyFactory(final SignatureAlgorithm signatureAlgorithm, final String } this.signatureAlgorithm = signatureAlgorithm; - EdDSAParameterSpec edSpec = new EdDSAParameterSpec(signatureAlgorithm.getName()); + EdDSAParameterSpec edSpec = new EdDSAParameterSpec(signatureAlgorithm.getCurve().getName()); KeyPairGenerator keyGen = KeyPairGenerator.getInstance(signatureAlgorithm.getName(), DEF_BC); keyGen.initialize(edSpec, new SecureRandom()); 
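Review bot: The try-with-resources on the JcaPEMWriter in toString has been replaced by a manual try/finally with `pemWriter.close()`; this is a step backwards — it is longer, and an exception thrown by close() in the finally block replaces the original exception, whereas try-with-resources records it as suppressed. Restore `try (JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {` and drop the finally block. The surrounding `catch (Exception e)` that returns `StringUtils.EMPTY_STRING` is unchanged, but note it still hides PEM-encoding failures from callers entirely; logging the exception before returning the empty string would make such failures diagnosable.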
@@ -213,23 +212,16 @@ public static EDDSAPrivateKey createEDDSAPrivateKeyFromDecodedKey(final Signatur */ private static byte[] getEncodedPubKey(final SignatureAlgorithm signatureAlgorithm, final byte[] decodedPublicKey) throws SignatureException { byte[] encodedPubKey = null; - switch (signatureAlgorithm) { - case EDDSA: - case ED25519: { - encodedPubKey = new byte[Ed25519Prefix.length + Ed25519PublicKeyParameters.KEY_SIZE]; - System.arraycopy(Ed25519Prefix, 0, encodedPubKey, 0, Ed25519Prefix.length); - System.arraycopy(decodedPublicKey, 0, encodedPubKey, Ed25519Prefix.length, decodedPublicKey.length); - break; - } - case ED448: { - encodedPubKey = new byte[Ed448Prefix.length + Ed448PublicKeyParameters.KEY_SIZE]; - System.arraycopy(Ed448Prefix, 0, encodedPubKey, 0, Ed448Prefix.length); - System.arraycopy(decodedPublicKey, 0, encodedPubKey, Ed448Prefix.length, decodedPublicKey.length); - break; - } - default: { - throw new SignatureException(String.format("Wrong type of the signature algorithm (SignatureAlgorithm): %s", signatureAlgorithm.toString())); - } + switch(signatureAlgorithm) { + case EDDSA: { + encodedPubKey = new byte[Ed25519Prefix.length + Ed25519PublicKeyParameters.KEY_SIZE]; + System.arraycopy(Ed25519Prefix, 0, encodedPubKey, 0, Ed25519Prefix.length); + System.arraycopy(decodedPublicKey, 0, encodedPubKey, Ed25519Prefix.length, decodedPublicKey.length); + break; + } + default: { + throw new SignatureException(String.format("Wrong type of the signature algorithm (SignatureAlgorithm): %s", signatureAlgorithm.toString())); + } } return encodedPubKey; } diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/SignatureAlgorithm.java b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/SignatureAlgorithm.java index 884fd6775b6..6c4e059b2f1 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/SignatureAlgorithm.java 
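Review bot: `System.arraycopy(decodedPublicKey, 0, encodedPubKey, Ed25519Prefix.length, decodedPublicKey.length)` trusts the caller-supplied key length: a decoded key longer than `Ed25519PublicKeyParameters.KEY_SIZE` escapes as an ArrayIndexOutOfBoundsException rather than the SignatureException the method declares, and a shorter one is silently zero-padded into a structurally valid but wrong key encoding. Add a length check before the copy, `if (decodedPublicKey == null || decodedPublicKey.length != Ed25519PublicKeyParameters.KEY_SIZE) { throw new SignatureException(String.format("Wrong Ed25519 public key length: %d", decodedPublicKey == null ? 0 : decodedPublicKey.length)); }`. With the Ed448 case and its parameter import removed, the Ed448Prefix constant declared outside this hunk is presumably unused now and should be removed with it. Minor style: `switch(signatureAlgorithm)` is missing the space used elsewhere in the file (`switch (`).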
+++ b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/SignatureAlgorithm.java @@ -16,6 +16,16 @@ import java.util.List; /** + * Signature Algorithms. + * + * JWS digital signature and MAC "alg" (algorithm) values + * (RFC 7518, A.1. Digital Signature/MAC Algorithm Identifier + * Cross-Reference). + * + * CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures + * in JSON Object Signing and Encryption (JOSE) signature + * algorithm "Ed25519". + * * @author Javier Rojas Blum * @author Sergey Manoylo * @version October 26, 2021 @@ -41,9 +51,7 @@ public enum SignatureAlgorithm { PS384(SignatureAlgorithm.DEF_PS384, AlgorithmFamily.RSA, SignatureAlgorithm.DEF_SHA384WITHRSAANDMGF1, JWSAlgorithm.PS384), PS512(SignatureAlgorithm.DEF_PS512, AlgorithmFamily.RSA, SignatureAlgorithm.DEF_SHA512WITHRSAANDMGF1, JWSAlgorithm.PS512), - ED25519(SignatureAlgorithm.DEF_ED25519, AlgorithmFamily.ED, SignatureAlgorithm.DEF_ED25519, EllipticEdvardsCurve.ED_25519, JWSAlgorithm.EdDSA), - ED448(SignatureAlgorithm.DEF_ED448, AlgorithmFamily.ED, SignatureAlgorithm.DEF_ED448, EllipticEdvardsCurve.ED_448, JWSAlgorithm.EdDSA), - EDDSA(SignatureAlgorithm.DEF_EDDDSA, AlgorithmFamily.ED, SignatureAlgorithm.DEF_ED25519, EllipticEdvardsCurve.ED_25519, JWSAlgorithm.EdDSA); + EDDSA(SignatureAlgorithm.DEF_EDDDSA, AlgorithmFamily.ED, SignatureAlgorithm.DEF_EDDDSA, EllipticEdvardsCurve.ED_25519, JWSAlgorithm.EdDSA); public static final String DEF_HS256 = "HS256"; public static final String DEF_HS384 = "HS384"; @@ -62,8 +70,6 @@ public enum SignatureAlgorithm { public static final String DEF_PS384 = "PS384"; public static final String DEF_PS512 = "PS512"; - public static final String DEF_ED25519 = "Ed25519"; - public static final String DEF_ED448 = "Ed448"; public static final String DEF_EDDDSA = "EdDSA"; public static final String DEF_HMACSHA256 = "HMACSHA256"; 
diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/jwk/Algorithm.java b/jans-auth-server/model/src/main/java/io/jans/as/model/jwk/Algorithm.java index f1493c02114..2b2d9507b24 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/jwk/Algorithm.java +++ b/jans-auth-server/model/src/main/java/io/jans/as/model/jwk/Algorithm.java @@ -39,8 +39,7 @@ public enum Algorithm { PS384("PS384", "id_token PS384 Sign Key", "Signature Key: RSASSA-PSS using SHA-384 and MGF1 with SHA-384", Use.SIGNATURE, AlgorithmFamily.RSA, RSAKeyFactory.DEF_KEYLENGTH), PS512("PS512", "id_token PS512 Sign Key", "Signature Key: RSASSA-PSS using SHA-512 and MGF1 with SHA-512", Use.SIGNATURE, AlgorithmFamily.RSA, RSAKeyFactory.DEF_KEYLENGTH), - ED25519("Ed25519", "id_token Ed25519 Sign Key", "Signature Key: EDDSA using Ed25519 with SHA-512", Use.SIGNATURE, AlgorithmFamily.ED, 256), - ED448("Ed448", "id_token Ed448 Sign Key", "Signature Key: EDDSA using Ed448 with SHA-3/SHAKE256", Use.SIGNATURE, AlgorithmFamily.ED, 456), + EDDSA("EdDSA", "id_token EdDSA Sign Key", "Signature Key: EdDSA using Ed25519 with SHA-512", Use.SIGNATURE, AlgorithmFamily.ED, 256), // Encryption RSA1_5("RSA1_5", "id_token RSA1_5 Encryption Key", "Encryption Key: RSAES-PKCS1-v1_5", @@ -133,7 +132,7 @@ public int getKeyLength() { } public boolean canGenerateKeys() { // based on currently supported generator, see io.jans.as.model.crypto.AuthCryptoProvider.generateKeyEncryption - return family == AlgorithmFamily.RSA || family == AlgorithmFamily.EC; + return family == AlgorithmFamily.RSA || family == AlgorithmFamily.EC || family == AlgorithmFamily.ED; } /** diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/jws/ECDSASigner.java b/jans-auth-server/model/src/main/java/io/jans/as/model/jws/ECDSASigner.java index 2136f2b9f1f..e59ebc3f1fe 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/jws/ECDSASigner.java 
+++ b/jans-auth-server/model/src/main/java/io/jans/as/model/jws/ECDSASigner.java @@ -25,32 +25,55 @@ import java.security.PublicKey; import java.security.Signature; import java.security.SignatureException; -import java.security.spec.InvalidKeySpecException; /** + * Implementing the AbstractJwsSigner, that uses ECDSA for signing. + * * @author Javier Rojas Blum - * @version July 31, 2016 + * @author Sergey Manoylo + * @version September 13, 2021 */ public class ECDSASigner extends AbstractJwsSigner { private ECDSAPrivateKey ecdsaPrivateKey; private ECDSAPublicKey ecdsaPublicKey; + /** + * Constructor. + * + * @param signatureAlgorithm signature algorithm. + * @param ecdsaPrivateKey ecdsa private key. + */ public ECDSASigner(SignatureAlgorithm signatureAlgorithm, ECDSAPrivateKey ecdsaPrivateKey) { super(signatureAlgorithm); this.ecdsaPrivateKey = ecdsaPrivateKey; } + /** + * Constructor. + * + * @param signatureAlgorithm signature algorithm. + * @param ecdsaPublicKey ecdsa public key. + */ public ECDSASigner(SignatureAlgorithm signatureAlgorithm, ECDSAPublicKey ecdsaPublicKey) { super(signatureAlgorithm); this.ecdsaPublicKey = ecdsaPublicKey; } + /** + * Constructor. + * + * @param signatureAlgorithm signature algorithm. + * @param certificate certificate (uses RSA, EcDSA, EdDSA). + */ public ECDSASigner(SignatureAlgorithm signatureAlgorithm, io.jans.as.model.crypto.Certificate certificate) { super(signatureAlgorithm); this.ecdsaPublicKey = certificate.getEcdsaPublicKey(); } + /** + * Generating a signature, using URL safe based format. + */ @Override public String generateSignature(String signingInput) throws SignatureException { if (getSignatureAlgorithm() == null) { @@ -86,6 +109,9 @@ public String generateSignature(String signingInput) throws SignatureException { } } + /** + * Validating a signature. + */ @Override public boolean validateSignature(String signingInput, String signature) throws SignatureException { if (getSignatureAlgorithm() == null) { 
@@ -97,26 +123,7 @@ public boolean validateSignature(String signingInput, String signature) throws S if (signingInput == null) { throw new SignatureException("The signing input is null"); } - - String algorithm; - String curve; - switch (getSignatureAlgorithm()) { - case ES256: - algorithm = "SHA256WITHECDSA"; - curve = "P-256"; - break; - case ES384: - algorithm = "SHA384WITHECDSA"; - curve = "P-384"; - break; - case ES512: - algorithm = "SHA512WITHECDSA"; - curve = "P-521"; - break; - default: - throw new SignatureException("Unsupported signature algorithm"); - } - + SignatureAlgorithm signatureAlgorithm = getSignatureAlgorithm(); try { byte[] sigBytes = Base64Util.base64urldecode(signature); if (AlgorithmFamily.EC.equals(getSignatureAlgorithm().getFamily())) { @@ -124,7 +131,7 @@ public boolean validateSignature(String signingInput, String signature) throws S } byte[] sigInBytes = signingInput.getBytes(StandardCharsets.UTF_8); - ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec(curve); + ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec(signatureAlgorithm.getCurve().getAlias()); ECPoint pointQ = ecSpec.getCurve().createPoint(ecdsaPublicKey.getX(), ecdsaPublicKey.getY()); ECPublicKeySpec publicKeySpec = new ECPublicKeySpec(pointQ, ecSpec); @@ -132,12 +139,10 @@ public boolean validateSignature(String signingInput, String signature) throws S KeyFactory keyFactory = KeyFactory.getInstance("ECDSA", "BC"); PublicKey publicKey = keyFactory.generatePublic(publicKeySpec); - Signature sig = Signature.getInstance(algorithm, "BC"); + Signature sig = Signature.getInstance(signatureAlgorithm.getAlgorithm(), "BC"); sig.initVerify(publicKey); sig.update(sigInBytes); return sig.verify(sigBytes); - } catch (InvalidKeySpecException e) { - throw new SignatureException(e); } catch (Exception e) { throw new SignatureException(e); } 
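Review bot: The removed switch was also the explicit rejection of anything other than ES256/ES384/ES512 ("Unsupported signature algorithm"); its replacement in the `@@ -124` hunk calls `signatureAlgorithm.getCurve().getAlias()` unconditionally, so an EC-family algorithm with no curve set would fail as a NullPointerException wrapped by the trailing `catch (Exception e)`, with no message for the caller. If the `AlgorithmFamily.EC` check on the last line of this hunk does not already reject such values (its body lies outside the hunk), add an explicit guard before the try, `if (signatureAlgorithm.getCurve() == null) { throw new SignatureException("Unsupported signature algorithm"); }`. The same pattern now also admits ES256K, which the old switch did not; that looks intended but deserves a sentence in the validateSignature Javadoc added at `@@ -86`. validateSignature begins and ends outside this hunk.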
diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/util/HashUtil.java b/jans-auth-server/model/src/main/java/io/jans/as/model/util/HashUtil.java index 17e1609f14e..08e1278ffa2 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/util/HashUtil.java +++ b/jans-auth-server/model/src/main/java/io/jans/as/model/util/HashUtil.java 
@@ -6,41 +6,71 @@ package io.jans.as.model.util; -import io.jans.as.model.crypto.signature.SignatureAlgorithm; import org.apache.log4j.Logger; +import io.jans.as.model.crypto.signature.SignatureAlgorithm; + /** + * Hash Tool, that calculates Hash Code, using Hashing Algorithm, defined by the Signature Algorithm. + * I.e. Hashing Algorithm depends on the Signature Algorithm. + * * @author Yuriy Zabrovarnyy + * @author Sergey Manoylo + * @version December 5, 2021 */ public class HashUtil { private static final Logger log = Logger.getLogger(HashUtil.class); + /** + * Constructor. + */ private HashUtil() { } + /** + * Calculates Hash Code, using Hashing Algorithm, defined by used Signature Algorithm. + * + * @param input Input string, whose hash code is being calculated. + * @param signatureAlgorithm Signature Algorithm. + * @return Hash Code, using algorithm, defined by used Signature Algorithm. + */ public static String getHash(String input, SignatureAlgorithm signatureAlgorithm) { try { - final byte[] digest; - if (signatureAlgorithm == SignatureAlgorithm.HS256 || - signatureAlgorithm == SignatureAlgorithm.RS256 || - signatureAlgorithm == SignatureAlgorithm.PS256 || - signatureAlgorithm == SignatureAlgorithm.ES256) { - digest = JwtUtil.getMessageDigestSHA256(input); - } else if (signatureAlgorithm == SignatureAlgorithm.HS384 || - signatureAlgorithm == SignatureAlgorithm.RS384 || - signatureAlgorithm == SignatureAlgorithm.PS384 || - signatureAlgorithm == SignatureAlgorithm.ES384) { - digest = JwtUtil.getMessageDigestSHA384(input); - } else if (signatureAlgorithm == SignatureAlgorithm.HS512 || - signatureAlgorithm == SignatureAlgorithm.RS512 || - signatureAlgorithm == SignatureAlgorithm.PS512 || - signatureAlgorithm == SignatureAlgorithm.ES512) { - digest = JwtUtil.getMessageDigestSHA512(input); - } else { // Default + byte[] digest = null; + if (signatureAlgorithm != null) { + switch (signatureAlgorithm) { + case HS256: + case RS256: + case PS256: + case ES256: + 
case ES256K: { + digest = JwtUtil.getMessageDigestSHA256(input); + break; + } + case HS384: + case RS384: + case PS384: + case ES384: { + digest = JwtUtil.getMessageDigestSHA384(input); + break; + } + case HS512: + case RS512: + case PS512: + case ES512: + case EDDSA: { + digest = JwtUtil.getMessageDigestSHA512(input); + break; + } + default: { + digest = JwtUtil.getMessageDigestSHA256(input); + break; + } + } + } else { digest = JwtUtil.getMessageDigestSHA256(input); } - if (digest != null) { byte[] lefMostHalf = new byte[digest.length / 2]; System.arraycopy(digest, 0, lefMostHalf, 0, lefMostHalf.length); @@ -49,7 +79,6 @@ public static String getHash(String input, SignatureAlgorithm signatureAlgorithm } catch (Exception e) { log.error("Failed to calculate hash.", e); } - return null; } } diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/util/JwtUtil.java b/jans-auth-server/model/src/main/java/io/jans/as/model/util/JwtUtil.java index 7e26ad88ec3..549361613c2 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/util/JwtUtil.java +++ b/jans-auth-server/model/src/main/java/io/jans/as/model/util/JwtUtil.java @@ -9,9 +9,12 @@ import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.datatype.jsonorg.JsonOrgModule; import io.jans.as.model.crypto.Certificate; +import io.jans.as.model.crypto.signature.AlgorithmFamily; import io.jans.as.model.crypto.signature.ECDSAPublicKey; +import io.jans.as.model.crypto.signature.EDDSAPublicKey; import io.jans.as.model.crypto.signature.RSAPublicKey; import io.jans.as.model.crypto.signature.SignatureAlgorithm; +import io.jans.as.model.exception.InvalidParameterException; import io.jans.as.model.jwt.Jwt; import io.jans.util.StringHelper; import org.bouncycastle.jce.provider.X509CertificateObject; 
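Review bot: The new `default` branch silently hashes any algorithm not listed in the switch with SHA-256, and the `else` branch does the same for a null algorithm; both carry over the old `// Default` fallback, but now that the switch enumerates every known algorithm, a silent default mainly hides the case where a new SignatureAlgorithm constant is added without a hash mapping — and since this method presumably feeds at_hash/c_hash style values (it keeps the left-most half of the digest), a wrong digest length would surface only as a verification mismatch far from here. Log the fallback in `default`, e.g. `log.warn("No hash mapping for signature algorithm " + signatureAlgorithm + ", falling back to SHA-256");`, and route the null case through the same path so the fallback is stated once. The retained `if (digest != null)` check after the switch is now only meaningful if JwtUtil.getMessageDigest* can return null; a one-line comment saying so would stop the next reader from removing it.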
@@ -48,9 +51,13 @@ import static io.jans.as.model.jwk.JWKParameter.Y; /** + * Utility class (can't be instantiated), that provides suite of additional functions, + * which can be used, during JWT/JWE processing. + * * @author Javier Rojas Blum * @author Yuriy Movchan - * @version December 8, 2018 + * @author Sergey Manoylo + * @version December 5, 2021 */ public class JwtUtil { @@ -131,7 +138,9 @@ public static io.jans.as.model.crypto.PublicKey getPublicKey( jsonPublicKey = jsonKeyValue.getJSONObject(PUBLIC_KEY); } - if (signatureAlgorithm == SignatureAlgorithm.RS256 || signatureAlgorithm == SignatureAlgorithm.RS384 || signatureAlgorithm == SignatureAlgorithm.RS512) { + AlgorithmFamily algorithmFamily = signatureAlgorithm.getFamily(); + + if(algorithmFamily == AlgorithmFamily.RSA) { String exp = jsonPublicKey.getString(EXPONENT); String mod = jsonPublicKey.getString(MODULUS); @@ -139,7 +148,7 @@ public static io.jans.as.model.crypto.PublicKey getPublicKey( BigInteger modulus = new BigInteger(1, Base64Util.base64urldecode(mod)); publicKey = new RSAPublicKey(modulus, publicExponent); - } else if (signatureAlgorithm == SignatureAlgorithm.ES256 || signatureAlgorithm == SignatureAlgorithm.ES384 || signatureAlgorithm == SignatureAlgorithm.ES512) { + } else if(algorithmFamily == AlgorithmFamily.EC) { String xx = jsonPublicKey.getString(X); String yy = jsonPublicKey.getString(Y); 
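Review bot: `AlgorithmFamily algorithmFamily = signatureAlgorithm.getFamily();` in the `@@ -131` hunk dereferences the parameter before any null check, where the previous `==` comparisons tolerated a null signatureAlgorithm; a null now becomes a NullPointerException that, judging by the `catch (Exception ex)` at the end of the method, is only logged and turned into a null return. Make the contract explicit at the top of getPublicKey, e.g. `Objects.requireNonNull(signatureAlgorithm, "signatureAlgorithm");`, or throw the same InvalidParameterException the new `else` branch uses, so callers get a clear error instead of a logged NPE. Style: `if(algorithmFamily == AlgorithmFamily.RSA)` and the matching `else if(` lack the space the rest of the file uses (`if (`). getPublicKey begins and ends outside these hunks.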
@@ -147,9 +156,17 @@ public static io.jans.as.model.crypto.PublicKey getPublicKey( BigInteger y = new BigInteger(1, Base64Util.base64urldecode(yy)); publicKey = new ECDSAPublicKey(signatureAlgorithm, x, y); + } else if(algorithmFamily == AlgorithmFamily.ED) { + String xx = jsonPublicKey.getString(X); + + BigInteger x = new BigInteger(1, Base64Util.base64urldecode(xx)); + + publicKey = new EDDSAPublicKey(signatureAlgorithm, x.toByteArray()); + } else { + throw new InvalidParameterException("Wrong value of the AlgorithmFamily: algorithmFamily = " + algorithmFamily); } - if (publicKey != null && jsonKeyValue.has(CERTIFICATE_CHAIN)) { + if (jsonKeyValue.has(CERTIFICATE_CHAIN)) { final String BEGIN = "-----BEGIN CERTIFICATE-----"; final String END = "-----END CERTIFICATE-----"; @@ -161,10 +178,10 @@ public static io.jans.as.model.crypto.PublicKey getPublicKey( io.jans.as.model.crypto.Certificate certificate = new Certificate(signatureAlgorithm, cert); publicKey.setCertificate(certificate); } - if (publicKey != null) { - publicKey.setKeyId(resultKeyId); - publicKey.setSignatureAlgorithm(signatureAlgorithm); - } + + publicKey.setKeyId(resultKeyId); + publicKey.setSignatureAlgorithm(signatureAlgorithm); + } catch (Exception ex) { log.error(ex.getMessage(), ex); } diff --git a/jans-auth-server/model/src/test/java/io/jans/as/model/util/HashUtilTest.java b/jans-auth-server/model/src/test/java/io/jans/as/model/util/HashUtilTest.java index b23bb50fbe2..d34ad92d55f 100644 --- a/jans-auth-server/model/src/test/java/io/jans/as/model/util/HashUtilTest.java +++ b/jans-auth-server/model/src/test/java/io/jans/as/model/util/HashUtilTest.java 
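Review bot: The new ED branch decodes `x` and then routes it through `new BigInteger(1, ...).toByteArray()` before handing it to EDDSAPublicKey; BigInteger does not preserve byte length — leading zero bytes are dropped and a key whose first byte has its high bit set gains a 0x00 prefix — so the constructor receives 31 to 33 bytes instead of the 32 (`Ed25519PublicKeyParameters.KEY_SIZE`) the JWK carried, and EDDSAKeyFactory.getEncodedPubKey in this same patch copies `decodedPublicKey.length` bytes without checking. Pass the decoded bytes straight through: `publicKey = new EDDSAPublicKey(signatureAlgorithm, Base64Util.base64urldecode(xx));`. The RSA and EC branches are unaffected because they consume the BigInteger values directly. getPublicKey continues outside this hunk.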
@@ -29,6 +29,7 @@ public class HashUtilTest { public void s256Hash() { assertEquals("hhNHO19gwnEguTE5SAK-GA", HashUtil.getHash(INPUT, SignatureAlgorithm.ES256)); assertEquals("hhNHO19gwnEguTE5SAK-GA", HashUtil.getHash(INPUT, SignatureAlgorithm.HS256)); + assertEquals("hhNHO19gwnEguTE5SAK-GA", HashUtil.getHash(INPUT, SignatureAlgorithm.ES256K)); assertEquals("hhNHO19gwnEguTE5SAK-GA", HashUtil.getHash(INPUT, SignatureAlgorithm.PS256)); assertEquals("hhNHO19gwnEguTE5SAK-GA", HashUtil.getHash(INPUT, SignatureAlgorithm.RS256)); } @@ -47,5 +48,6 @@ public void s512Hash() { assertEquals("CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4", HashUtil.getHash(INPUT, SignatureAlgorithm.HS512)); assertEquals("CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4", HashUtil.getHash(INPUT, SignatureAlgorithm.PS512)); assertEquals("CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4", HashUtil.getHash(INPUT, SignatureAlgorithm.RS512)); + assertEquals("CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4", HashUtil.getHash(INPUT, SignatureAlgorithm.EDDSA)); } } From 5bad0a5249b6a90da0b66a02d59864c59eacbc90 Mon Sep 17 00:00:00 2001 From: SMan Date: Fri, 21 Jan 2022 23:15:12 -0600 Subject: [PATCH 02/13] feat: extending crypto support, sub pr4, fixes; #142/#326; --- .../src/main/java/io/jans/as/model/crypto/Certificate.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java index 6f70b2da3b7..e9013e39c76 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java +++ b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java @@ -31,8 +31,8 @@ */ public class Certificate { - private SignatureAlgorithm signatureAlgorithm; - private X509Certificate x509Certificate; + private final SignatureAlgorithm signatureAlgorithm; + private final X509Certificate x509Certificate; /** * Constructor. 
From f96d66c56247e13156dd87b8e30599326fcbd7b1 Mon Sep 17 00:00:00 2001 From: SMan Date: Sun, 23 Jan 2022 19:40:22 -0600 Subject: [PATCH 03/13] feat: extending crypto support, sub pr4, eddsa_signer has been added; #142/#326; --- .../io/jans/as/model/jws/EDDSASigner.java | 137 ++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 jans-auth-server/model/src/main/java/io/jans/as/model/jws/EDDSASigner.java diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/jws/EDDSASigner.java b/jans-auth-server/model/src/main/java/io/jans/as/model/jws/EDDSASigner.java new file mode 100644 index 00000000000..f37899078c9 --- /dev/null +++ b/jans-auth-server/model/src/main/java/io/jans/as/model/jws/EDDSASigner.java 
@@ -0,0 +1,137 @@
+/*
+ * Janssen Project software is available under the Apache License (2004). See http://www.apache.org/licenses/ for full text.
+ *
+ * Copyright (c) 2022, Janssen Project
+ */
+package io.jans.as.model.jws;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
+
+import org.bouncycastle.jcajce.provider.asymmetric.edec.BCEdDSAPrivateKey;
+import org.bouncycastle.jcajce.provider.asymmetric.edec.BCEdDSAPublicKey;
+
+import io.jans.as.model.crypto.Certificate;
+import io.jans.as.model.crypto.signature.AlgorithmFamily;
+import io.jans.as.model.crypto.signature.EDDSAPrivateKey;
+import io.jans.as.model.crypto.signature.EDDSAPublicKey;
+import io.jans.as.model.crypto.signature.SignatureAlgorithm;
+import io.jans.as.model.util.Base64Util;
+
+/**
+ * Implementing the AbstractJwsSigner, that uses EDDSA for signing.
+ *
+ * @author Sergey Manoylo
+ * @version January 20, 2021
+ */
+public class EDDSASigner extends AbstractJwsSigner {
+
+ public static final String DEF_BC = "BC";
+
+ private EDDSAPrivateKey eddsaPrivateKey;
+ private EDDSAPublicKey eddsaPublicKey;
+
+ /**
+ * Constructor.
+ *
+ * @param signatureAlgorithm signature algorithm.
+ * @param eddsaPrivateKey eddsa private key.
+ */
+ public EDDSASigner(SignatureAlgorithm signatureAlgorithm, EDDSAPrivateKey eddsaPrivateKey) {
+ super(signatureAlgorithm);
+ this.eddsaPrivateKey = eddsaPrivateKey;
+ }
+
+ /**
+ * Constructor.
+ *
+ * @param signatureAlgorithm signature algorithm.
+ * @param eddsaPublicKey eddsa public key.
+ */
+ public EDDSASigner(SignatureAlgorithm signatureAlgorithm, EDDSAPublicKey eddsaPublicKey) {
+ super(signatureAlgorithm);
+ this.eddsaPublicKey = eddsaPublicKey;
+ }
+
+ /**
+ * Constructor.
+ *
+ * @param signatureAlgorithm signature algorithm.
+ * @param certificate certificate (uses RSA, EcDSA, EdDSA).
+ */
+ public EDDSASigner(SignatureAlgorithm signatureAlgorithm, Certificate certificate) {
+ super(signatureAlgorithm);
+ this.eddsaPublicKey = certificate.getEddsaPublicKey();
+ }
+
+ /**
+ * Generating a signature,
+ * using URL safe based format.
+ */
+ @Override
+ public String generateSignature(String signingInput) throws SignatureException {
+ SignatureAlgorithm signatureAlgorithm = getSignatureAlgorithm();
+ if (signatureAlgorithm == null) {
+ throw new SignatureException("The signature algorithm is null");
+ }
+ if (!signatureAlgorithm.getFamily().equals(AlgorithmFamily.ED)) {
+ throw new SignatureException(String.format("Wrong value of the signature algorithm: %s", signatureAlgorithm.getFamily().toString()));
+ }
+ if (eddsaPrivateKey == null) {
+ throw new SignatureException("The EDDSA private key is null");
+ }
+ if (signingInput == null) {
+ throw new SignatureException("The signing input is null");
+ }
+ try {
+ PKCS8EncodedKeySpec privateKeySpec = eddsaPrivateKey.getPrivateKeySpec();
+ java.security.KeyFactory keyFactory = java.security.KeyFactory.getInstance(signatureAlgorithm.getName());
+ BCEdDSAPrivateKey privateKey = (BCEdDSAPrivateKey) keyFactory.generatePrivate(privateKeySpec);
+ Signature signer = Signature.getInstance(signatureAlgorithm.getName(), DEF_BC);
+ signer.initSign(privateKey);
+ signer.update(signingInput.getBytes());
+ byte[] signature = signer.sign();
+ return Base64Util.base64urlencode(signature);
+ } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException | InvalidKeyException
+ | IllegalArgumentException e) {
+ throw new SignatureException(e);
+ }
+ }
+
+ /**
+ * Validating a signature.
+ */
+ @Override
+ public boolean validateSignature(String signingInput, String signature) throws SignatureException {
+ SignatureAlgorithm signatureAlgorithm = getSignatureAlgorithm();
+ if (signatureAlgorithm == null) {
+ throw new SignatureException("The signature algorithm is null");
+ }
+ if (!signatureAlgorithm.getFamily().equals(AlgorithmFamily.ED)) {
+ throw new SignatureException(String.format("Wrong value of the signature algorithm: %s", signatureAlgorithm.getFamily().toString()));
+ }
+ if (eddsaPublicKey == null) {
+ throw new SignatureException("The EDDSA public key is null");
+ }
+ if (signingInput == null) {
+ throw new SignatureException("The signing input is null");
+ }
+ try {
+ X509EncodedKeySpec publicKeySpec = eddsaPublicKey.getPublicKeySpec();
+ java.security.KeyFactory keyFactory = java.security.KeyFactory.getInstance(signatureAlgorithm.getName());
+ BCEdDSAPublicKey publicKey = (BCEdDSAPublicKey) keyFactory.generatePublic(publicKeySpec);
+ Signature virifier = Signature.getInstance(signatureAlgorithm.getName(), "BC");
+ virifier.initVerify(publicKey);
+ virifier.update(signingInput.getBytes());
+ return virifier.verify(Base64Util.base64urldecode(signature));
+ } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException | InvalidKeyException | IllegalArgumentException e) {
+ throw new SignatureException(e);
+ }
+ }
+}
From 4d7f5743a27ba801f8b67a28f89b64f8a0c2275c Mon Sep 17 00:00:00 2001
From: SMan
Date: Mon, 24 Jan 2022 20:10:27 -0600
Subject: [PATCH 04/13] fix: jans-auth-server: extending crypto support, sub pr4; fixes; #142/#326;
---
 .../io/jans/as/model/crypto/Certificate.java | 48 ++++++++---------
 .../crypto/signature/EDDSAKeyFactory.java | 18 +++---
 .../io/jans/as/model/jws/EDDSASigner.java | 4 +-
 .../java/io/jans/as/model/util/HashUtil.java | 54 +++++++++----------
 .../java/io/jans/as/model/util/JwtUtil.java | 3 +-
 5 files changed, 61 insertions(+), 66 deletions(-)
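Review bot: `keyFactory` in both `generateSignature` and `validateSignature` is obtained without naming a provider, yet its result is cast to `BCEdDSAPrivateKey` / `BCEdDSAPublicKey`; if another installed provider answers `KeyFactory.getInstance(signatureAlgorithm.getName())` ahead of Bouncy Castle, the cast throws `ClassCastException`, which is not in the catch list and escapes as an unchecked exception instead of the declared `SignatureException`. Requesting the same provider the `Signature` call uses and typing the key by its JCA interface removes the cast altogether: `java.security.KeyFactory keyFactory = java.security.KeyFactory.getInstance(signatureAlgorithm.getName(), "BC");` followed by `java.security.PrivateKey privateKey = keyFactory.generatePrivate(privateKeySpec);` (and `java.security.PublicKey` on the verify side). `validateSignature` checks `signingInput` for null but passes `signature` straight to `Base64Util.base64urldecode`, so a null signature fails with whatever that helper throws rather than a `SignatureException`, and both methods call `signingInput.getBytes()` with the platform default charset where `StandardCharsets.UTF_8` should be explicit. The verify local is spelled `virifier`, and the class Javadoc `@version January 20, 2021` predates the 2022 copyright line.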
diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java
index e9013e39c76..b8bba4c9f82 100644
--- a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java
+++ b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java
@@ -77,16 +77,17 @@ public PublicKey getPublicKey() {
 * @return RSA Public Key from X509 Certificate.
 */
 public RSAPublicKey getRsaPublicKey() {
+ if(x509Certificate == null) {
+ return null;
+ }
 RSAPublicKey rsaPublicKey = null;
- if (x509Certificate != null) {
- if (x509Certificate.getPublicKey() instanceof BCRSAPublicKey) {
- BCRSAPublicKey publicKey = (BCRSAPublicKey) x509Certificate.getPublicKey();
- rsaPublicKey = new RSAPublicKey(publicKey.getModulus(), publicKey.getPublicExponent());
- } else if (x509Certificate.getPublicKey() instanceof java.security.interfaces.RSAPublicKey) {
- java.security.interfaces.RSAPublicKey publicKey = (java.security.interfaces.RSAPublicKey) x509Certificate
- .getPublicKey();
- rsaPublicKey = new RSAPublicKey(publicKey.getModulus(), publicKey.getPublicExponent());
- }
+ if (x509Certificate.getPublicKey() instanceof BCRSAPublicKey) {
+ BCRSAPublicKey publicKey = (BCRSAPublicKey) x509Certificate.getPublicKey();
+ rsaPublicKey = new RSAPublicKey(publicKey.getModulus(), publicKey.getPublicExponent());
+ } else if (x509Certificate.getPublicKey() instanceof java.security.interfaces.RSAPublicKey) {
+ java.security.interfaces.RSAPublicKey publicKey = (java.security.interfaces.RSAPublicKey) x509Certificate
+ .getPublicKey();
+ rsaPublicKey = new RSAPublicKey(publicKey.getModulus(), publicKey.getPublicExponent());
 }
 return rsaPublicKey;
 }
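Review bot: The new guard is written `if(x509Certificate == null)` while the `if (... instanceof ...)` checks a few lines below keep the space after `if`, so the method now mixes two styles; the identical guard in `getEcdsaPublicKey` (next hunk) and in `getPublicKey` (patch 05) has the same inconsistency, so it is worth fixing in all three at once. Since the guard now establishes that `x509Certificate` is non-null for the rest of the body, the repeated `x509Certificate.getPublicKey()` calls (three in this method) could also be hoisted into one local, `final java.security.PublicKey key = x509Certificate.getPublicKey();`, with the `instanceof` checks and casts applied to `key`; the fully qualified name is needed because this class already has an unrelated `PublicKey` type in scope.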
@@ -97,18 +98,19 @@ public RSAPublicKey getRsaPublicKey() {
 * @return ECDSA Public Key from X509 Certificate.
 */
 public ECDSAPublicKey getEcdsaPublicKey() {
+ if(x509Certificate == null) {
+ return null;
+ }
 ECDSAPublicKey ecdsaPublicKey = null;
- if (x509Certificate != null) {
- if (x509Certificate.getPublicKey() instanceof BCECPublicKey) {
- BCECPublicKey publicKey = (BCECPublicKey) x509Certificate.getPublicKey();
- ecdsaPublicKey = new ECDSAPublicKey(signatureAlgorithm, publicKey.getQ().getXCoord().toBigInteger(),
- publicKey.getQ().getYCoord().toBigInteger());
- } else if (x509Certificate.getPublicKey() instanceof java.security.interfaces.ECPublicKey) {
- java.security.interfaces.ECPublicKey publicKey = (java.security.interfaces.ECPublicKey) x509Certificate
- .getPublicKey();
- ecdsaPublicKey = new ECDSAPublicKey(signatureAlgorithm, publicKey.getW().getAffineX(),
- publicKey.getW().getAffineY());
- }
+ if (x509Certificate.getPublicKey() instanceof BCECPublicKey) {
+ BCECPublicKey publicKey = (BCECPublicKey) x509Certificate.getPublicKey();
+ ecdsaPublicKey = new ECDSAPublicKey(signatureAlgorithm, publicKey.getQ().getXCoord().toBigInteger(),
+ publicKey.getQ().getYCoord().toBigInteger());
+ } else if (x509Certificate.getPublicKey() instanceof java.security.interfaces.ECPublicKey) {
+ java.security.interfaces.ECPublicKey publicKey = (java.security.interfaces.ECPublicKey) x509Certificate
+ .getPublicKey();
+ ecdsaPublicKey = new ECDSAPublicKey(signatureAlgorithm, publicKey.getW().getAffineX(),
+ publicKey.getW().getAffineY());
 }
 return ecdsaPublicKey;
 }
@@ -124,7 +126,6 @@ public EDDSAPublicKey getEddsaPublicKey() {
 BCEdDSAPublicKey publicKey = (BCEdDSAPublicKey) x509Certificate.getPublicKey();
 eddsaPublicKey = new EDDSAPublicKey(signatureAlgorithm, publicKey.getEncoded());
 }
-
 return eddsaPublicKey;
 }
@@ -142,13 +143,10 @@ public JSONArray toJSONArray() throws JSONException {
 public String toString() {
 try {
 StringWriter stringWriter = new StringWriter();
- JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter);
- try {
+ try (JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
 pemWriter.writeObject(x509Certificate);
 pemWriter.flush();
 return stringWriter.toString();
- } finally {
- pemWriter.close();
 }
 } catch (Exception e) {
 return StringUtils.EMPTY_STRING;
diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java
index 6dfbee460b4..f59d9547593 100644
--- a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java
+++ b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java
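Review bot: `pemWriter.flush()` now looks redundant next to the try-with-resources, but it is not: `stringWriter.toString()` is evaluated before the resource is closed, and `JcaPEMWriter` writes through a buffer, so dropping the flush would return an empty or truncated PEM. A one-line comment would protect it from the next cleanup: `// flush before toString(): the PEM writer is buffered and is closed only after the return value is computed`. The enclosing `catch (Exception e)` that returns `StringUtils.EMPTY_STRING` is unchanged by this hunk and still discards the failure cause; a debug-level log of `e` there would make a certificate that fails to encode diagnosable. `toString` continues outside the hunk.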
@@ -213,15 +213,15 @@ public static EDDSAPrivateKey createEDDSAPrivateKeyFromDecodedKey(final Signatur
 private static byte[] getEncodedPubKey(final SignatureAlgorithm signatureAlgorithm, final byte[] decodedPublicKey) throws SignatureException {
 byte[] encodedPubKey = null;
 switch(signatureAlgorithm) {
- case EDDSA: {
- encodedPubKey = new byte[Ed25519Prefix.length + Ed25519PublicKeyParameters.KEY_SIZE];
- System.arraycopy(Ed25519Prefix, 0, encodedPubKey, 0, Ed25519Prefix.length);
- System.arraycopy(decodedPublicKey, 0, encodedPubKey, Ed25519Prefix.length, decodedPublicKey.length);
- break;
- }
- default: {
- throw new SignatureException(String.format("Wrong type of the signature algorithm (SignatureAlgorithm): %s", signatureAlgorithm.toString()));
- }
+ case EDDSA: {
+ encodedPubKey = new byte[Ed25519Prefix.length + Ed25519PublicKeyParameters.KEY_SIZE];
+ System.arraycopy(Ed25519Prefix, 0, encodedPubKey, 0, Ed25519Prefix.length);
+ System.arraycopy(decodedPublicKey, 0, encodedPubKey, Ed25519Prefix.length, decodedPublicKey.length);
+ break;
+ }
+ default: {
+ throw new SignatureException(String.format("Wrong type of the signature algorithm (SignatureAlgorithm): %s", signatureAlgorithm.toString()));
+ }
 }
 return encodedPubKey;
 }
diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/jws/EDDSASigner.java b/jans-auth-server/model/src/main/java/io/jans/as/model/jws/EDDSASigner.java
index f37899078c9..15de5675e7a 100644
--- a/jans-auth-server/model/src/main/java/io/jans/as/model/jws/EDDSASigner.java
+++ b/jans-auth-server/model/src/main/java/io/jans/as/model/jws/EDDSASigner.java
@@ -32,8 +32,6 @@
 */
 public class EDDSASigner extends AbstractJwsSigner {
- public static final String DEF_BC = "BC";
-
 private EDDSAPrivateKey eddsaPrivateKey;
 private EDDSAPublicKey eddsaPublicKey;
@@ -93,7 +91,7 @@ public String generateSignature(String signingInput) throws SignatureException {
 PKCS8EncodedKeySpec privateKeySpec = eddsaPrivateKey.getPrivateKeySpec();
 java.security.KeyFactory keyFactory = java.security.KeyFactory.getInstance(signatureAlgorithm.getName());
 BCEdDSAPrivateKey privateKey = (BCEdDSAPrivateKey) keyFactory.generatePrivate(privateKeySpec);
- Signature signer = Signature.getInstance(signatureAlgorithm.getName(), DEF_BC);
+ Signature signer = Signature.getInstance(signatureAlgorithm.getName(), "BC");
 signer.initSign(privateKey);
 signer.update(signingInput.getBytes());
 byte[] signature = signer.sign();
diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/util/HashUtil.java b/jans-auth-server/model/src/main/java/io/jans/as/model/util/HashUtil.java
index 08e1278ffa2..50c85ffe50a 100644
--- a/jans-auth-server/model/src/main/java/io/jans/as/model/util/HashUtil.java
+++ b/jans-auth-server/model/src/main/java/io/jans/as/model/util/HashUtil.java
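Review bot: Replacing `DEF_BC` with a bare `"BC"` literal (the constant itself is deleted in the previous hunk) leaves the provider name spelled out twice in this class, here and in `validateSignature`, so a provider rename or a move to a configurable provider touches two places. Bouncy Castle already exposes the name as `BouncyCastleProvider.PROVIDER_NAME`, and if the aim was only to drop the public constant, a `private static final String BC_PROVIDER = "BC";` keeps a single definition without widening the API. The `KeyFactory.getInstance(...)` context line above still names no provider while its result is cast to `BCEdDSAPrivateKey`, so the two calls can disagree on which provider serves them; `generateSignature` continues outside the hunk.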
@@ -40,33 +40,33 @@ public static String getHash(String input, SignatureAlgorithm signatureAlgorithm
 byte[] digest = null;
 if (signatureAlgorithm != null) {
 switch (signatureAlgorithm) {
- case HS256:
- case RS256:
- case PS256:
- case ES256:
- case ES256K: {
- digest = JwtUtil.getMessageDigestSHA256(input);
- break;
- }
- case HS384:
- case RS384:
- case PS384:
- case ES384: {
- digest = JwtUtil.getMessageDigestSHA384(input);
- break;
- }
- case HS512:
- case RS512:
- case PS512:
- case ES512:
- case EDDSA: {
- digest = JwtUtil.getMessageDigestSHA512(input);
- break;
- }
- default: {
- digest = JwtUtil.getMessageDigestSHA256(input);
- break;
- }
+ case HS256:
+ case RS256:
+ case PS256:
+ case ES256:
+ case ES256K: {
+ digest = JwtUtil.getMessageDigestSHA256(input);
+ break;
+ }
+ case HS384:
+ case RS384:
+ case PS384:
+ case ES384: {
+ digest = JwtUtil.getMessageDigestSHA384(input);
+ break;
+ }
+ case HS512:
+ case RS512:
+ case PS512:
+ case ES512:
+ case EDDSA: {
+ digest = JwtUtil.getMessageDigestSHA512(input);
+ break;
+ }
+ default: {
+ digest = JwtUtil.getMessageDigestSHA256(input);
+ break;
+ }
 }
 } else {
 digest = JwtUtil.getMessageDigestSHA256(input);
diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/util/JwtUtil.java b/jans-auth-server/model/src/main/java/io/jans/as/model/util/JwtUtil.java
index 549361613c2..c9cfbe418cb 100644
--- a/jans-auth-server/model/src/main/java/io/jans/as/model/util/JwtUtil.java
+++ b/jans-auth-server/model/src/main/java/io/jans/as/model/util/JwtUtil.java
@@ -139,8 +139,7 @@ public static io.jans.as.model.crypto.PublicKey getPublicKey(
 }
 AlgorithmFamily algorithmFamily = signatureAlgorithm.getFamily();
-
- if(algorithmFamily == AlgorithmFamily.RSA) {
+ if (algorithmFamily == AlgorithmFamily.RSA) {
 String exp = jsonPublicKey.getString(EXPONENT);
 String mod = jsonPublicKey.getString(MODULUS);
From 2742575fbacbd1e2b2556249cdf3a0e9aa8c4469 Mon Sep 17 00:00:00 2001
From: SMan
Date: Mon, 24 Jan 2022 21:18:49 -0600
Subject: [PATCH 05/13] fix: jans-auth-server: extending crypto support, sub pr4; fixes; #142/#326;
---
 .../java/io/jans/as/model/crypto/Certificate.java | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java
index b8bba4c9f82..fa2e14da464 100644
--- a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java
+++ b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java
@@ -51,23 +51,24 @@ public Certificate(SignatureAlgorithm signatureAlgorithm, X509Certificate x509Ce
 * @return Public Key from X509 Certificate.
 */
 public PublicKey getPublicKey() {
+ if(x509Certificate == null) {
+ return null;
+ }
 PublicKey publicKey = null;
-
- if (x509Certificate != null && x509Certificate.getPublicKey() instanceof BCRSAPublicKey) {
+ if (x509Certificate.getPublicKey() instanceof BCRSAPublicKey) {
 BCRSAPublicKey jcersaPublicKey = (BCRSAPublicKey) x509Certificate.getPublicKey();
 publicKey = new RSAPublicKey(jcersaPublicKey.getModulus(), jcersaPublicKey.getPublicExponent());
- } else if (x509Certificate != null && x509Certificate.getPublicKey() instanceof BCECPublicKey) {
+ } else if (x509Certificate.getPublicKey() instanceof BCECPublicKey) {
 BCECPublicKey jceecPublicKey = (BCECPublicKey) x509Certificate.getPublicKey();
 publicKey = new ECDSAPublicKey(signatureAlgorithm, jceecPublicKey.getQ().getXCoord().toBigInteger(), jceecPublicKey.getQ().getYCoord().toBigInteger());
- } else if (x509Certificate != null && x509Certificate.getPublicKey() instanceof BCEdDSAPublicKey) {
+ } else if (x509Certificate.getPublicKey() instanceof BCEdDSAPublicKey) {
 BCEdDSAPublicKey jceedPublicKey = (BCEdDSAPublicKey) x509Certificate.getPublicKey();
 publicKey = new EDDSAPublicKey(signatureAlgorithm, jceedPublicKey.getEncoded());
 }
-
 return publicKey;
 }
From b92f888fe481bd2072be0f12d061ab5469a2cc0a Mon Sep 17 00:00:00 2001
From: SMan
Date: Tue, 25 Jan 2022 17:12:31 -0600
Subject: [PATCH 06/13] feat: jans-auth-server: temp commit for sonar; fixes #365;
---
 ...ernalDynamicClientRegistrationService.java | 72 +++++++++++--------
 1 file changed, 43 insertions(+), 29 deletions(-)
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java
index 0e4d1275e10..603b086a69f 100644
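Review bot: `getPublicKey()` still recognises only the Bouncy Castle key classes (`BCRSAPublicKey`, `BCECPublicKey`, `BCEdDSAPublicKey`), whereas `getRsaPublicKey()` and `getEcdsaPublicKey()` (patch 04) also fall back to `java.security.interfaces.RSAPublicKey` / `ECPublicKey`, so a certificate whose key object comes from a non-BC provider returns `null` here but a value from the typed getters. Adding the same fallback branches after the BC checks keeps the two code paths in agreement without changing the result for BC keys, since the BC classes implement those interfaces and are matched first. The new `if(x509Certificate == null)` guard also lacks the space before the parenthesis that every other condition in this method uses.

```java
 } else if (x509Certificate.getPublicKey() instanceof BCEdDSAPublicKey) {
 // … unchanged: EdDSA branch …
 } else if (x509Certificate.getPublicKey() instanceof java.security.interfaces.RSAPublicKey) {
     java.security.interfaces.RSAPublicKey jcaRsaPublicKey = (java.security.interfaces.RSAPublicKey) x509Certificate.getPublicKey();
     publicKey = new RSAPublicKey(jcaRsaPublicKey.getModulus(), jcaRsaPublicKey.getPublicExponent());
 } else if (x509Certificate.getPublicKey() instanceof java.security.interfaces.ECPublicKey) {
     java.security.interfaces.ECPublicKey jcaEcPublicKey = (java.security.interfaces.ECPublicKey) x509Certificate.getPublicKey();
     publicKey = new ECDSAPublicKey(signatureAlgorithm, jcaEcPublicKey.getW().getAffineX(), jcaEcPublicKey.getW().getAffineY());
 }
 return publicKey;
```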
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java
@@ -15,7 +15,7 @@
 import io.jans.as.server.service.external.context.DynamicClientRegistrationContext;
 import io.jans.model.custom.script.CustomScriptType;
 import io.jans.model.custom.script.conf.CustomScriptConfiguration;
-import io.jans.model.custom.script.type.client.ClientRegistrationType;
+//import io.jans.model.custom.script.type.client.ClientRegistrationType;
 import io.jans.service.custom.script.ExternalScriptService;
 import org.apache.commons.lang3.StringUtils;
 import org.json.JSONObject;
@@ -50,7 +50,7 @@ public ExternalDynamicClientRegistrationService() {
 public boolean executeExternalCreateClientMethod(CustomScriptConfiguration customScriptConfiguration, RegisterRequest registerRequest, Client client, HttpServletRequest httpRequest) {
 try {
 log.trace("Executing python 'createClient' method");
- ClientRegistrationType externalClientRegistrationType = (ClientRegistrationType) customScriptConfiguration.getExternalType();
+// ClientRegistrationType externalClientRegistrationType = (ClientRegistrationType) customScriptConfiguration.getExternalType();
 DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, null, customScriptConfiguration, client);
 context.setRegisterRequest(registerRequest);
@@ -64,9 +64,10 @@ public boolean executeExternalCreateClientMethod(CustomScriptConfiguration custo
 log.trace("Cert is not set for client registration. X-ClientCert header has no value.");
 }
- final boolean result = externalClientRegistrationType.createClient(context);
+// final boolean result = externalClientRegistrationType.createClient(context);
 context.throwWebApplicationExceptionIfSet();
- return result;
+// return result;
+ return true;
 } catch (WebApplicationException e) {
 throw e;
 } catch (Exception ex) {
@@ -94,16 +95,17 @@ public boolean executeExternalCreateClientMethods(RegisterRequest registerReques
 public boolean executeExternalUpdateClientMethod(HttpServletRequest httpRequest, CustomScriptConfiguration script, RegisterRequest registerRequest, Client client) {
 try {
 log.trace("Executing python 'updateClient' method");
- ClientRegistrationType externalClientRegistrationType = (ClientRegistrationType) script.getExternalType();
+// ClientRegistrationType externalClientRegistrationType = (ClientRegistrationType) script.getExternalType();
 DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, null, script, client);
 context.setRegisterRequest(registerRequest);
 context.setSoftwareStatement(Jwt.parseSilently(registerRequest.getSoftwareStatement()));
 context.setErrorResponseFactory(errorResponseFactory);
- final boolean result = externalClientRegistrationType.updateClient(context);
+ // final boolean result = externalClientRegistrationType.updateClient(context);
 context.throwWebApplicationExceptionIfSet();
- return result;
+// return result;
+ return true;
 } catch (WebApplicationException e) {
 throw e;
 } catch (Exception ex) {
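Review bot: `return true;` in place of the `createClient` call makes `executeExternalCreateClientMethod` approve every dynamic client registration without the custom script running, and the `updateClient` hunk below does the same for updates; the later hunks in this commit stub the remaining entry points the other way (`getSoftwareStatementJwks`, `getSoftwareStatementHmacSecret`, `getDcrJwks` and `getDcrHmacSecret` return `null`, `isCertValidForClient` and the `modify*Response` methods return `false`), so any build cut from this commit changes registration behaviour silently. The subject calls this a temporary commit for Sonar, but commented-out code is itself a Sonar finding (rule java:S125), and the disabled lines are marked inconsistently (`+//` at column 0 here, `+ //` indented in `executeExternal UpdateClientMethod`), so the commit is unlikely to achieve its stated goal. If a Sonar finding on the `ClientRegistrationType` casts has to be addressed, it should be fixed at the finding rather than by replacing the return values. Both methods start outside these hunks.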
@@ -134,11 +136,12 @@ public JSONObject getSoftwareStatementJwks(HttpServletRequest httpRequest, JSONO
 context.setSoftwareStatement(softwareStatement);
 context.setErrorResponseFactory(errorResponseFactory);
- ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
- final String result = externalType.getSoftwareStatementJwks(context);
+// ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
+// final String result = externalType.getSoftwareStatementJwks(context);
 context.throwWebApplicationExceptionIfSet();
- log.info("Result of python 'getSoftwareStatementJwks' method: " + result);
- return new JSONObject(result);
+// log.info("Result of python 'getSoftwareStatementJwks' method: " + result);
+// return new JSONObject(result);
+ return null;
 } catch (WebApplicationException e) {
 throw e;
 } catch (Exception ex) {
@@ -156,11 +159,12 @@ public String getSoftwareStatementHmacSecret(HttpServletRequest httpRequest, JSO
 context.setSoftwareStatement(softwareStatement);
 context.setErrorResponseFactory(errorResponseFactory);
- ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
- final String result = externalType.getSoftwareStatementHmacSecret(context);
+// ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
+// final String result = externalType.getSoftwareStatementHmacSecret(context);
 context.throwWebApplicationExceptionIfSet();
- log.trace("Result of python 'getSoftwareStatementHmacSecret' method: " + result);
- return result;
+// log.trace("Result of python 'getSoftwareStatementHmacSecret' method: " + result);
+// return result;
+ return null;
 } catch (WebApplicationException e) {
 throw e;
 } catch (Exception ex) {
@@ -178,11 +182,12 @@ public JSONObject getDcrJwks(HttpServletRequest httpRequest, Jwt dcr) {
 context.setDcr(dcr);
 context.setErrorResponseFactory(errorResponseFactory);
- ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
- final String result = externalType.getDcrJwks(context);
+// ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
+// final String result = externalType.getDcrJwks(context);
 context.throwWebApplicationExceptionIfSet();
- log.trace("Result of python 'getDcrJwks' method: " + result);
- return new JSONObject(result);
+// log.trace("Result of python 'getDcrJwks' method: " + result);
+// return new JSONObject(result);
+ return null;
 } catch (WebApplicationException e) {
 throw e;
 } catch (Exception ex) {
@@ -200,11 +205,12 @@ public String getDcrHmacSecret(HttpServletRequest httpRequest, Jwt dcr) {
 context.setDcr(dcr);
 context.setErrorResponseFactory(errorResponseFactory);
- ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
- final String result = externalType.getDcrHmacSecret(context);
+// ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
+// final String result = externalType.getDcrHmacSecret(context);
 context.throwWebApplicationExceptionIfSet();
- log.trace("Result of python 'getDcrHmacSecret' method: " + result);
- return result;
+// log.trace("Result of python 'getDcrHmacSecret' method: " + result);
+// return result;
+ return null;
 } catch (WebApplicationException e) {
 throw e;
 } catch (Exception ex) {
@@ -219,11 +225,12 @@ public boolean isCertValidForClient(X509Certificate cert, DynamicClientRegistrat
 log.trace("Executing python 'isCertValidForClient' method");
 context.setScript(defaultExternalCustomScript);
 context.setErrorResponseFactory(errorResponseFactory);
- ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
- final boolean result = externalType.isCertValidForClient(cert, context);
+// ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
+// final boolean result = externalType.isCertValidForClient(cert, context);
 context.throwWebApplicationExceptionIfSet();
- log.trace("Result of python 'isCertValidForClient' method: " + result);
- return result;
+// log.trace("Result of python 'isCertValidForClient' method: " + result);
+// return result;
+ return false;
 } catch (WebApplicationException e) {
 throw e;
 } catch (Exception ex) {
@@ -242,6 +249,7 @@ public boolean modifyPostResponse(JSONObject responseAsJsonObject, ExecutionCont
 }
 context.setScript(script);
+/*
 ClientRegistrationType type = (ClientRegistrationType) script.getExternalType();
 final boolean result = type.modifyPostResponse(responseAsJsonObject, context);
 if (log.isTraceEnabled()) {
@@ -249,6 +257,8 @@ public boolean modifyPostResponse(JSONObject responseAsJsonObject, ExecutionCont
 }
 return result;
+*/
+ return false;
 } catch (Exception ex) {
 log.error(ex.getMessage(), ex);
 saveScriptError(script.getCustomScript(), ex);
@@ -264,7 +274,7 @@ public boolean modifyPutResponse(JSONObject responseAsJsonObject, ExecutionConte
 log.trace("Executing python 'modifyPutResponse' method, script name: {}, context: {}, response: {}", script.getName(), context, responseAsJsonObject.toString());
 }
 context.setScript(script);
-
+/*
 ClientRegistrationType type = (ClientRegistrationType) script.getExternalType();
 final boolean result = type.modifyPutResponse(responseAsJsonObject, context);
 if (log.isTraceEnabled()) {
@@ -272,6 +282,8 @@ public boolean modifyPutResponse(JSONObject responseAsJsonObject, ExecutionConte
 }
 return result;
+*/
+ return false;
 } catch (Exception ex) {
 log.error(ex.getMessage(), ex);
 saveScriptError(script.getCustomScript(), ex);
@@ -287,7 +299,7 @@ public boolean modifyReadResponse(JSONObject responseAsJsonObject, ExecutionCont
 log.trace("Executing python 'modifyReadResponse' method, script name: {}, context: {}, response: {}", script.getName(), context, responseAsJsonObject.toString());
 }
 context.setScript(script);
-
+/*
 ClientRegistrationType type = (ClientRegistrationType) script.getExternalType();
 final boolean result = type.modifyReadResponse(responseAsJsonObject, context);
 if (log.isTraceEnabled()) {
@@ -295,6 +307,8 @@ public boolean modifyReadResponse(JSONObject responseAsJsonObject, ExecutionCont
 }
 return result;
+*/
+ return false;
 } catch (Exception ex) {
 log.error(ex.getMessage(), ex);
 saveScriptError(script.getCustomScript(), ex);
From 99a3308e2dbb8d39b3fd0478278e1048453a90ba Mon Sep 17 00:00:00 2001
From: SMan
Date: Tue, 25 Jan 2022 17:26:24 -0600
Subject: [PATCH 07/13] feat: jans-auth-server: temp commit for sonar; fixes #365;
---
 ...ernalDynamicClientRegistrationService.java | 72 ++++++++-----------
 1 file changed, 29 insertions(+), 43 deletions(-)
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java
index 603b086a69f..0e4d1275e10 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java
@@ -15,7 +15,7 @@
 import io.jans.as.server.service.external.context.DynamicClientRegistrationContext;
 import io.jans.model.custom.script.CustomScriptType;
 import io.jans.model.custom.script.conf.CustomScriptConfiguration;
-//import io.jans.model.custom.script.type.client.ClientRegistrationType;
+import io.jans.model.custom.script.type.client.ClientRegistrationType;
 import io.jans.service.custom.script.ExternalScriptService;
 import org.apache.commons.lang3.StringUtils;
 import org.json.JSONObject;
@@ -50,7 +50,7 @@ public ExternalDynamicClientRegistrationService() {
 public boolean executeExternalCreateClientMethod(CustomScriptConfiguration customScriptConfiguration, RegisterRequest registerRequest, Client client, HttpServletRequest httpRequest) {
 try {
 log.trace("Executing python 'createClient' method");
-// ClientRegistrationType externalClientRegistrationType = (ClientRegistrationType) customScriptConfiguration.getExternalType();
+ ClientRegistrationType externalClientRegistrationType = (ClientRegistrationType) customScriptConfiguration.getExternalType();
 DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, null, customScriptConfiguration, client);
 context.setRegisterRequest(registerRequest);
@@ -64,10 +64,9 @@ public boolean executeExternalCreateClientMethod(CustomScriptConfiguration custo
 log.trace("Cert is not set for client registration. X-ClientCert header has no value.");
 }
-// final boolean result = externalClientRegistrationType.createClient(context);
+ final boolean result = externalClientRegistrationType.createClient(context);
 context.throwWebApplicationExceptionIfSet();
-// return result;
- return true;
+ return result;
 } catch (WebApplicationException e) {
 throw e;
 } catch (Exception ex) {
@@ -95,17 +94,16 @@ public boolean executeExternalCreateClientMethods(RegisterRequest registerReques
 public boolean executeExternalUpdateClientMethod(HttpServletRequest httpRequest, CustomScriptConfiguration script, RegisterRequest registerRequest, Client client) {
 try {
 log.trace("Executing python 'updateClient' method");
-// ClientRegistrationType externalClientRegistrationType = (ClientRegistrationType) script.getExternalType();
+ ClientRegistrationType externalClientRegistrationType = (ClientRegistrationType) script.getExternalType();
 DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, null, script, client);
 context.setRegisterRequest(registerRequest);
 context.setSoftwareStatement(Jwt.parseSilently(registerRequest.getSoftwareStatement()));
 context.setErrorResponseFactory(errorResponseFactory);
- // final boolean result = externalClientRegistrationType.updateClient(context);
+ final boolean result = externalClientRegistrationType.updateClient(context);
 context.throwWebApplicationExceptionIfSet();
-// return result;
- return true;
+ return result;
 } catch (WebApplicationException e) {
 throw e;
 } catch (Exception ex) {
@@ -136,12 +134,11 @@ public JSONObject getSoftwareStatementJwks(HttpServletRequest httpRequest, JSONO
 context.setSoftwareStatement(softwareStatement);
 context.setErrorResponseFactory(errorResponseFactory);
-// ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
-// final String result = externalType.getSoftwareStatementJwks(context);
+ ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
+ final String result = externalType.getSoftwareStatementJwks(context);
 context.throwWebApplicationExceptionIfSet();
-// log.info("Result of python 'getSoftwareStatementJwks' method: " + result);
-// return new JSONObject(result);
- return null;
+ log.info("Result of python 'getSoftwareStatementJwks' method: " + result);
+ return new JSONObject(result);
 } catch (WebApplicationException e) {
 throw e;
 } catch (Exception ex) {
@@ -159,12 +156,11 @@ public String getSoftwareStatementHmacSecret(HttpServletRequest httpRequest, JSO
 context.setSoftwareStatement(softwareStatement);
 context.setErrorResponseFactory(errorResponseFactory);
-// ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
-// final String result = externalType.getSoftwareStatementHmacSecret(context);
+ ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
+ final String result = externalType.getSoftwareStatementHmacSecret(context);
 context.throwWebApplicationExceptionIfSet();
-// log.trace("Result of python 'getSoftwareStatementHmacSecret' method: " + result);
-// return result;
- return null;
+ log.trace("Result of python 'getSoftwareStatementHmacSecret' method: " + result);
+ return result;
 } catch (WebApplicationException e) {
 throw e;
 } catch (Exception ex) {
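Review bot: `log.trace("Result of python 'getSoftwareStatementHmacSecret' method: " + result);` in the second hunk writes the HMAC secret itself into the log, the `getDcrHmacSecret` hunk that follows does the same, and the first hunk logs the entire software-statement JWKS at `info` level on every call. Restoring the pre-stub code brings these lines back verbatim, so this is the place to keep the secret out of the message, e.g. `log.trace("Python 'getSoftwareStatementHmacSecret' method returned a secret: {}", result != null);`, and to use the parameterized `{}` form that the `modifyPutResponse` trace in this file already uses instead of string concatenation. `new JSONObject(result)` on the first hunk's restored line also fails with an unchecked exception when the script returns `null`; it is inferred from the visible lines that `throwWebApplicationExceptionIfSet()` does not cover that case. Both methods start outside the hunks.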
@@ -182,12 +178,11 @@ public JSONObject getDcrJwks(HttpServletRequest httpRequest, Jwt dcr) { context.setDcr(dcr); context.setErrorResponseFactory(errorResponseFactory); -// ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType(); -// final String result = externalType.getDcrJwks(context); + ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType(); + final String result = externalType.getDcrJwks(context); context.throwWebApplicationExceptionIfSet(); -// log.trace("Result of python 'getDcrJwks' method: " + result); -// return new JSONObject(result); - return null; + log.trace("Result of python 'getDcrJwks' method: " + result); + return new JSONObject(result); } catch (WebApplicationException e) { throw e; } catch (Exception ex) { @@ -205,12 +200,11 @@ public String getDcrHmacSecret(HttpServletRequest httpRequest, Jwt dcr) { context.setDcr(dcr); context.setErrorResponseFactory(errorResponseFactory); -// ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType(); -// final String result = externalType.getDcrHmacSecret(context); + ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType(); + final String result = externalType.getDcrHmacSecret(context); context.throwWebApplicationExceptionIfSet(); -// log.trace("Result of python 'getDcrHmacSecret' method: " + result); -// return result; - return null; + log.trace("Result of python 'getDcrHmacSecret' method: " + result); + return result; } catch (WebApplicationException e) { throw e; } catch (Exception ex) { 
@@ -225,12 +219,11 @@ public boolean isCertValidForClient(X509Certificate cert, DynamicClientRegistrat log.trace("Executing python 'isCertValidForClient' method"); context.setScript(defaultExternalCustomScript); context.setErrorResponseFactory(errorResponseFactory); -// ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType(); -// final boolean result = externalType.isCertValidForClient(cert, context); + ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType(); + final boolean result = externalType.isCertValidForClient(cert, context); context.throwWebApplicationExceptionIfSet(); -// log.trace("Result of python 'isCertValidForClient' method: " + result); -// return result; - return false; + log.trace("Result of python 'isCertValidForClient' method: " + result); + return result; } catch (WebApplicationException e) { throw e; } catch (Exception ex) { @@ -249,7 +242,6 @@ public boolean modifyPostResponse(JSONObject responseAsJsonObject, ExecutionCont } context.setScript(script); -/* ClientRegistrationType type = (ClientRegistrationType) script.getExternalType(); final boolean result = type.modifyPostResponse(responseAsJsonObject, context); if (log.isTraceEnabled()) { @@ -257,8 +249,6 @@ public boolean modifyPostResponse(JSONObject responseAsJsonObject, ExecutionCont } return result; -*/ - return false; } catch (Exception ex) { log.error(ex.getMessage(), ex); saveScriptError(script.getCustomScript(), ex); 
@@ -274,7 +264,7 @@ public boolean modifyPutResponse(JSONObject responseAsJsonObject, ExecutionConte log.trace("Executing python 'modifyPutResponse' method, script name: {}, context: {}, response: {}", script.getName(), context, responseAsJsonObject.toString()); } context.setScript(script); -/* + ClientRegistrationType type = (ClientRegistrationType) script.getExternalType(); final boolean result = type.modifyPutResponse(responseAsJsonObject, context); if (log.isTraceEnabled()) { @@ -282,8 +272,6 @@ public boolean modifyPutResponse(JSONObject responseAsJsonObject, ExecutionConte } return result; -*/ - return false; } catch (Exception ex) { log.error(ex.getMessage(), ex); saveScriptError(script.getCustomScript(), ex); @@ -299,7 +287,7 @@ public boolean modifyReadResponse(JSONObject responseAsJsonObject, ExecutionCont log.trace("Executing python 'modifyReadResponse' method, script name: {}, context: {}, response: {}", script.getName(), context, responseAsJsonObject.toString()); } context.setScript(script); -/* + ClientRegistrationType type = (ClientRegistrationType) script.getExternalType(); final boolean result = type.modifyReadResponse(responseAsJsonObject, context); if (log.isTraceEnabled()) { @@ -307,8 +295,6 @@ public boolean modifyReadResponse(JSONObject responseAsJsonObject, ExecutionCont } return result; -*/ - return false; } catch (Exception ex) { log.error(ex.getMessage(), ex); saveScriptError(script.getCustomScript(), ex); From 297041a165f169edeabdb1e57cca2e66376f53a5 Mon Sep 17 00:00:00 2001 From: SMan Date: Tue, 25 Jan 2022 17:33:51 -0600 Subject: [PATCH 08/13] feat: jans-auth-server: fix sonar warns; #365; --- .../crypto/signature/EDDSAKeyFactory.java | 17 +++++------ .../io/jans/as/model/util/HashUtilTest.java | 28 +++++++++---------- 2 files changed, 21 insertions(+), 24 deletions(-) 
diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java
index f59d9547593..b699f6fe221 100644
--- a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java
+++ b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java
@@ -212,16 +212,13 @@ public static EDDSAPrivateKey createEDDSAPrivateKeyFromDecodedKey(final Signatur
 */
 private static byte[] getEncodedPubKey(final SignatureAlgorithm signatureAlgorithm, final byte[] decodedPublicKey) throws SignatureException {
 byte[] encodedPubKey = null;
- switch(signatureAlgorithm) {
- case EDDSA: {
- encodedPubKey = new byte[Ed25519Prefix.length + Ed25519PublicKeyParameters.KEY_SIZE];
- System.arraycopy(Ed25519Prefix, 0, encodedPubKey, 0, Ed25519Prefix.length);
- System.arraycopy(decodedPublicKey, 0, encodedPubKey, Ed25519Prefix.length, decodedPublicKey.length);
- break;
- }
- default: {
- throw new SignatureException(String.format("Wrong type of the signature algorithm (SignatureAlgorithm): %s", signatureAlgorithm.toString()));
- }
+ if (signatureAlgorithm == SignatureAlgorithm.EDDSA) {
+ encodedPubKey = new byte[Ed25519Prefix.length + Ed25519PublicKeyParameters.KEY_SIZE];
+ System.arraycopy(Ed25519Prefix, 0, encodedPubKey, 0, Ed25519Prefix.length);
+ System.arraycopy(decodedPublicKey, 0, encodedPubKey, Ed25519Prefix.length, decodedPublicKey.length);
+ }
+ else {
+ throw new SignatureException(String.format("Wrong type of the signature algorithm (SignatureAlgorithm): %s", signatureAlgorithm.toString()));
 }
 return encodedPubKey;
 }
diff --git a/jans-auth-server/model/src/test/java/io/jans/as/model/util/HashUtilTest.java b/jans-auth-server/model/src/test/java/io/jans/as/model/util/HashUtilTest.java
index d34ad92d55f..f01f39017d9 100644
--- a/jans-auth-server/model/src/test/java/io/jans/as/model/util/HashUtilTest.java
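Review bot: The rewritten EDDSA branch still copies `decodedPublicKey.length` bytes into a buffer sized for `Ed25519PublicKeyParameters.KEY_SIZE`, so an over-long input escapes as an unchecked ArrayIndexOutOfBoundsException from System.arraycopy instead of the declared SignatureException, and a short one produces a zero-padded, silently malformed encoded key. Since this decoded key plausibly originates from an externally supplied JWK (the callers are outside the hunk, so that is inferred), a length check before the copy keeps the failure on the declared error path: `if (decodedPublicKey == null || decodedPublicKey.length != Ed25519PublicKeyParameters.KEY_SIZE) throw new SignatureException("Wrong Ed25519 public key length");`. As a point of style, the `byte[] encodedPubKey = null;` pre-initialisation and the `else` on its own line can go: declare and return the array inside the if-branch and let the throw be the fall-through.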
+++ b/jans-auth-server/model/src/test/java/io/jans/as/model/util/HashUtilTest.java 
@@ -27,27 +27,27 @@ public class HashUtilTest { @Test public void s256Hash() { - assertEquals("hhNHO19gwnEguTE5SAK-GA", HashUtil.getHash(INPUT, SignatureAlgorithm.ES256)); - assertEquals("hhNHO19gwnEguTE5SAK-GA", HashUtil.getHash(INPUT, SignatureAlgorithm.HS256)); - assertEquals("hhNHO19gwnEguTE5SAK-GA", HashUtil.getHash(INPUT, SignatureAlgorithm.ES256K)); - assertEquals("hhNHO19gwnEguTE5SAK-GA", HashUtil.getHash(INPUT, SignatureAlgorithm.PS256)); - assertEquals("hhNHO19gwnEguTE5SAK-GA", HashUtil.getHash(INPUT, SignatureAlgorithm.RS256)); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.ES256), "hhNHO19gwnEguTE5SAK-GA"); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.HS256), "hhNHO19gwnEguTE5SAK-GA"); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.ES256K), "hhNHO19gwnEguTE5SAK-GA"); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.PS256), "hhNHO19gwnEguTE5SAK-GA"); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.RS256), "hhNHO19gwnEguTE5SAK-GA"); } @Test public void s384Hash() { - assertEquals("W-f-EBbMtR-505d5wk4m78wd6qn1vQkZ", HashUtil.getHash(INPUT, SignatureAlgorithm.ES384)); - assertEquals("W-f-EBbMtR-505d5wk4m78wd6qn1vQkZ", HashUtil.getHash(INPUT, SignatureAlgorithm.HS384)); - assertEquals("W-f-EBbMtR-505d5wk4m78wd6qn1vQkZ", HashUtil.getHash(INPUT, SignatureAlgorithm.PS384)); - assertEquals("W-f-EBbMtR-505d5wk4m78wd6qn1vQkZ", HashUtil.getHash(INPUT, SignatureAlgorithm.RS384)); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.ES384), "W-f-EBbMtR-505d5wk4m78wd6qn1vQkZ"); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.HS384), "W-f-EBbMtR-505d5wk4m78wd6qn1vQkZ"); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.PS384), "W-f-EBbMtR-505d5wk4m78wd6qn1vQkZ"); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.RS384), "W-f-EBbMtR-505d5wk4m78wd6qn1vQkZ"); } @Test public void s512Hash() { - assertEquals("CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4", HashUtil.getHash(INPUT, 
SignatureAlgorithm.ES512)); - assertEquals("CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4", HashUtil.getHash(INPUT, SignatureAlgorithm.HS512)); - assertEquals("CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4", HashUtil.getHash(INPUT, SignatureAlgorithm.PS512)); - assertEquals("CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4", HashUtil.getHash(INPUT, SignatureAlgorithm.RS512)); - assertEquals("CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4", HashUtil.getHash(INPUT, SignatureAlgorithm.EDDSA)); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.ES512), "CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4"); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.HS512), "CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4"); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.PS512), "CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4"); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.RS512), "CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4"); + assertEquals(HashUtil.getHash(INPUT, SignatureAlgorithm.EDDSA), "CCmNwrkP_FbnPPpQ5f96xpXTDuzHSeGd3jGZ_JrPJo4"); } } From b5743f324f2d31cc552379b4642a1fa006004c36 Mon Sep 17 00:00:00 2001 From: SMan Date: Tue, 25 Jan 2022 17:45:57 -0600 Subject: [PATCH 09/13] feat: jans-auth-server: temp commit for sonar; fixes #365; --- ...ernalDynamicClientRegistrationService.java | 230 +----------------- 1 file changed, 7 insertions(+), 223 deletions(-) diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java index 0e4d1275e10..bd1ccec65e1 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java 
@@ -8,24 +8,18 @@ import io.jans.as.client.RegisterRequest; import io.jans.as.common.model.registration.Client; -import io.jans.as.model.error.ErrorResponseFactory; import io.jans.as.model.jwt.Jwt; -import io.jans.as.model.util.CertUtils; import io.jans.as.server.model.common.ExecutionContext; import io.jans.as.server.service.external.context.DynamicClientRegistrationContext; import io.jans.model.custom.script.CustomScriptType; import io.jans.model.custom.script.conf.CustomScriptConfiguration; -import io.jans.model.custom.script.type.client.ClientRegistrationType; import io.jans.service.custom.script.ExternalScriptService; -import org.apache.commons.lang3.StringUtils; import org.json.JSONObject; import javax.ejb.DependsOn; import javax.enterprise.context.ApplicationScoped; -import javax.inject.Inject; import javax.inject.Named; import javax.servlet.http.HttpServletRequest; -import javax.ws.rs.WebApplicationException; import java.security.cert.X509Certificate; /** 
@@ -40,265 +34,55 @@ public class ExternalDynamicClientRegistrationService extends ExternalScriptServ private static final long serialVersionUID = 1416361273036208688L; - @Inject - private ErrorResponseFactory errorResponseFactory; - public ExternalDynamicClientRegistrationService() { super(CustomScriptType.CLIENT_REGISTRATION); } public boolean executeExternalCreateClientMethod(CustomScriptConfiguration customScriptConfiguration, RegisterRequest registerRequest, Client client, HttpServletRequest httpRequest) { - try { - log.trace("Executing python 'createClient' method"); - ClientRegistrationType externalClientRegistrationType = (ClientRegistrationType) customScriptConfiguration.getExternalType(); - - DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, null, customScriptConfiguration, client); - context.setRegisterRequest(registerRequest); - context.setErrorResponseFactory(errorResponseFactory); - context.setSoftwareStatement(Jwt.parseSilently(registerRequest.getSoftwareStatement())); - - final String clientCertAsPem = httpRequest.getHeader("X-ClientCert"); - if (StringUtils.isNotBlank(clientCertAsPem)) { - context.setCertificate(CertUtils.x509CertificateFromPem(clientCertAsPem)); - } else { - log.trace("Cert is not set for client registration. 
X-ClientCert header has no value."); - } - - final boolean result = externalClientRegistrationType.createClient(context); - context.throwWebApplicationExceptionIfSet(); - return result; - } catch (WebApplicationException e) { - throw e; - } catch (Exception ex) { - log.error(ex.getMessage(), ex); - saveScriptError(customScriptConfiguration.getCustomScript(), ex); - } - return false; } public boolean executeExternalCreateClientMethods(RegisterRequest registerRequest, Client client, HttpServletRequest httpRequest) { - boolean result = true; - for (CustomScriptConfiguration customScriptConfiguration : this.customScriptConfigurations) { - if (customScriptConfiguration.getExternalType().getApiVersion() > 1) { - result &= executeExternalCreateClientMethod(customScriptConfiguration, registerRequest, client, httpRequest); - if (!result) { - return result; - } - } - } - - return result; + return false; } public boolean executeExternalUpdateClientMethod(HttpServletRequest httpRequest, CustomScriptConfiguration script, RegisterRequest registerRequest, Client client) { - try { - log.trace("Executing python 'updateClient' method"); - ClientRegistrationType externalClientRegistrationType = (ClientRegistrationType) script.getExternalType(); - - DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, null, script, client); - context.setRegisterRequest(registerRequest); - context.setSoftwareStatement(Jwt.parseSilently(registerRequest.getSoftwareStatement())); - context.setErrorResponseFactory(errorResponseFactory); - - final boolean result = externalClientRegistrationType.updateClient(context); - context.throwWebApplicationExceptionIfSet(); - return result; - } catch (WebApplicationException e) { - throw e; - } catch (Exception ex) { - log.error(ex.getMessage(), ex); - saveScriptError(script.getCustomScript(), ex); - } - return false; } public boolean executeExternalUpdateClientMethods(HttpServletRequest httpRequest, RegisterRequest 
registerRequest, Client client) { - boolean result = true; - for (CustomScriptConfiguration customScriptConfiguration : this.customScriptConfigurations) { - result &= executeExternalUpdateClientMethod(httpRequest, customScriptConfiguration, registerRequest, client); - if (!result) { - return result; - } - } - - return result; + return false; } public JSONObject getSoftwareStatementJwks(HttpServletRequest httpRequest, JSONObject registerRequest, Jwt softwareStatement) { - try { - log.info("Executing python 'getSoftwareStatementJwks' method, script name:" + defaultExternalCustomScript.getName()); - - DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, registerRequest, defaultExternalCustomScript); - context.setSoftwareStatement(softwareStatement); - context.setErrorResponseFactory(errorResponseFactory); - - ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType(); - final String result = externalType.getSoftwareStatementJwks(context); - context.throwWebApplicationExceptionIfSet(); - log.info("Result of python 'getSoftwareStatementJwks' method: " + result); - return new JSONObject(result); - } catch (WebApplicationException e) { - throw e; - } catch (Exception ex) { - log.error(ex.getMessage(), ex); - saveScriptError(defaultExternalCustomScript.getCustomScript(), ex); - return null; - } + return null; } public String getSoftwareStatementHmacSecret(HttpServletRequest httpRequest, JSONObject registerRequest, Jwt softwareStatement) { - try { - log.trace("Executing python 'getSoftwareStatementHmacSecret' method"); - - DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, registerRequest, defaultExternalCustomScript); - context.setSoftwareStatement(softwareStatement); - context.setErrorResponseFactory(errorResponseFactory); - - ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType(); - final 
String result = externalType.getSoftwareStatementHmacSecret(context); - context.throwWebApplicationExceptionIfSet(); - log.trace("Result of python 'getSoftwareStatementHmacSecret' method: " + result); - return result; - } catch (WebApplicationException e) { - throw e; - } catch (Exception ex) { - log.error(ex.getMessage(), ex); - saveScriptError(defaultExternalCustomScript.getCustomScript(), ex); - return ""; - } + return null; } public JSONObject getDcrJwks(HttpServletRequest httpRequest, Jwt dcr) { - try { - log.trace("Executing python 'getDcrJwks' method"); - - DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, null, defaultExternalCustomScript); - context.setDcr(dcr); - context.setErrorResponseFactory(errorResponseFactory); - - ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType(); - final String result = externalType.getDcrJwks(context); - context.throwWebApplicationExceptionIfSet(); - log.trace("Result of python 'getDcrJwks' method: " + result); - return new JSONObject(result); - } catch (WebApplicationException e) { - throw e; - } catch (Exception ex) { - log.error(ex.getMessage(), ex); - saveScriptError(defaultExternalCustomScript.getCustomScript(), ex); - return null; - } + return null; } public String getDcrHmacSecret(HttpServletRequest httpRequest, Jwt dcr) { - try { - log.trace("Executing python 'getDcrHmacSecret' method"); - - DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, null, defaultExternalCustomScript); - context.setDcr(dcr); - context.setErrorResponseFactory(errorResponseFactory); - - ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType(); - final String result = externalType.getDcrHmacSecret(context); - context.throwWebApplicationExceptionIfSet(); - log.trace("Result of python 'getDcrHmacSecret' method: " + result); - return result; - } catch 
(WebApplicationException e) { - throw e; - } catch (Exception ex) { - log.error(ex.getMessage(), ex); - saveScriptError(defaultExternalCustomScript.getCustomScript(), ex); - return ""; - } + return null; } public boolean isCertValidForClient(X509Certificate cert, DynamicClientRegistrationContext context) { - try { - log.trace("Executing python 'isCertValidForClient' method"); - context.setScript(defaultExternalCustomScript); - context.setErrorResponseFactory(errorResponseFactory); - ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType(); - final boolean result = externalType.isCertValidForClient(cert, context); - context.throwWebApplicationExceptionIfSet(); - log.trace("Result of python 'isCertValidForClient' method: " + result); - return result; - } catch (WebApplicationException e) { - throw e; - } catch (Exception ex) { - log.error(ex.getMessage(), ex); - saveScriptError(defaultExternalCustomScript.getCustomScript(), ex); - return false; - } + return false; } public boolean modifyPostResponse(JSONObject responseAsJsonObject, ExecutionContext context) { - CustomScriptConfiguration script = defaultExternalCustomScript; - - try { - if (log.isTraceEnabled()) { - log.trace("Executing python 'modifyPostResponse' method, script name: {}, context: {}, response: {}", script.getName(), context, responseAsJsonObject.toString()); - } - context.setScript(script); - - ClientRegistrationType type = (ClientRegistrationType) script.getExternalType(); - final boolean result = type.modifyPostResponse(responseAsJsonObject, context); - if (log.isTraceEnabled()) { - log.trace("Finished 'modifyPostResponse' method, script name: {}, context: {}, result: {}, response: {}", script.getName(), context, result, responseAsJsonObject.toString()); - } - - return result; - } catch (Exception ex) { - log.error(ex.getMessage(), ex); - saveScriptError(script.getCustomScript(), ex); - } return false; } public boolean modifyPutResponse(JSONObject 
responseAsJsonObject, ExecutionContext context) { - CustomScriptConfiguration script = defaultExternalCustomScript; - - try { - if (log.isTraceEnabled()) { - log.trace("Executing python 'modifyPutResponse' method, script name: {}, context: {}, response: {}", script.getName(), context, responseAsJsonObject.toString()); - } - context.setScript(script); - - ClientRegistrationType type = (ClientRegistrationType) script.getExternalType(); - final boolean result = type.modifyPutResponse(responseAsJsonObject, context); - if (log.isTraceEnabled()) { - log.trace("Finished 'modifyPutResponse' method, script name: {}, context: {}, result: {}, response: {}", script.getName(), context, result, responseAsJsonObject.toString()); - } - - return result; - } catch (Exception ex) { - log.error(ex.getMessage(), ex); - saveScriptError(script.getCustomScript(), ex); - } return false; } public boolean modifyReadResponse(JSONObject responseAsJsonObject, ExecutionContext context) { - CustomScriptConfiguration script = defaultExternalCustomScript; - - try { - if (log.isTraceEnabled()) { - log.trace("Executing python 'modifyReadResponse' method, script name: {}, context: {}, response: {}", script.getName(), context, responseAsJsonObject.toString()); - } - context.setScript(script); - - ClientRegistrationType type = (ClientRegistrationType) script.getExternalType(); - final boolean result = type.modifyReadResponse(responseAsJsonObject, context); - if (log.isTraceEnabled()) { - log.trace("Finished 'modifyReadResponse' method, script name: {}, context: {}, result: {}, response: {}", script.getName(), context, result, responseAsJsonObject.toString()); - } - - return result; - } catch (Exception ex) { - log.error(ex.getMessage(), ex); - saveScriptError(script.getCustomScript(), ex); - } return false; } } From 9a0073b9b0b5b19cb34b787da04a505705ce4a06 Mon Sep 17 00:00:00 2001 
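Review bot: The stubbed `getSoftwareStatementHmacSecret` and `getDcrHmacSecret` now `return null;` where the removed bodies returned `""` on their error path, so a caller that previously received an empty secret can now dereference null; `return "";` would at least keep the old contract while the bodies are out. More broadly, every registration hook in this hunk now answers a constant: `executeExternalCreateClientMethods` and `executeExternalUpdateClientMethods` return false, `isCertValidForClient` returns false and both JWKS lookups return null, which means a build cut from this commit silently disables script-driven dynamic client registration and the software-statement checks around it. A "temp commit for sonar" of this kind belongs on a throwaway branch or squashed away, since only the later commit in this series that restores the bodies makes this state harmless.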
From: SMan Date: Tue, 25 Jan 2022 18:43:49 -0600 Subject: [PATCH 10/13] feat: jans-auth-server: temp commit for sonar; fixes #365; --- .../external/ExternalDynamicClientRegistrationService.java | 1 + 1 file changed, 1 insertion(+) diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java index bd1ccec65e1..cff7ccf5a28 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java @@ -30,6 +30,7 @@ @ApplicationScoped @DependsOn("appInitializer") @Named +@SuppressWarnings("java:S1172") public class ExternalDynamicClientRegistrationService extends ExternalScriptService { private static final long serialVersionUID = 1416361273036208688L; From f3e5c7daf4f796a52f0a11b783621b59f27a6952 Mon Sep 17 00:00:00 2001 From: SMan Date: Tue, 25 Jan 2022 18:57:28 -0600 Subject: [PATCH 11/13] feat: jans-auth-server: temp commit for sonar; fixes #365; --- ...ernalDynamicClientRegistrationService.java | 231 +++++++++++++++++- 1 file changed, 223 insertions(+), 8 deletions(-) diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java index cff7ccf5a28..0e4d1275e10 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalDynamicClientRegistrationService.java 
@@ -8,18 +8,24 @@ import io.jans.as.client.RegisterRequest; import io.jans.as.common.model.registration.Client; +import io.jans.as.model.error.ErrorResponseFactory; import io.jans.as.model.jwt.Jwt; +import io.jans.as.model.util.CertUtils; import io.jans.as.server.model.common.ExecutionContext; import io.jans.as.server.service.external.context.DynamicClientRegistrationContext; import io.jans.model.custom.script.CustomScriptType; import io.jans.model.custom.script.conf.CustomScriptConfiguration; +import io.jans.model.custom.script.type.client.ClientRegistrationType; import io.jans.service.custom.script.ExternalScriptService; +import org.apache.commons.lang3.StringUtils; import org.json.JSONObject; import javax.ejb.DependsOn; import javax.enterprise.context.ApplicationScoped; +import javax.inject.Inject; import javax.inject.Named; import javax.servlet.http.HttpServletRequest; +import javax.ws.rs.WebApplicationException; import java.security.cert.X509Certificate; /** 
@@ -30,60 +36,269 @@
 @ApplicationScoped
 @DependsOn("appInitializer")
 @Named
-@SuppressWarnings("java:S1172")
 public class ExternalDynamicClientRegistrationService extends ExternalScriptService {
 private static final long serialVersionUID = 1416361273036208688L;
+ @Inject
+ private ErrorResponseFactory errorResponseFactory;
+ + public ExternalDynamicClientRegistrationService() {
 super(CustomScriptType.CLIENT_REGISTRATION);
 }
 public boolean executeExternalCreateClientMethod(CustomScriptConfiguration customScriptConfiguration, RegisterRequest registerRequest, Client client, HttpServletRequest httpRequest) {
+ try {
+ log.trace("Executing python 'createClient' method");
+ ClientRegistrationType externalClientRegistrationType = (ClientRegistrationType) customScriptConfiguration.getExternalType();
+
+ DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, null, customScriptConfiguration, client);
+ context.setRegisterRequest(registerRequest);
+ context.setErrorResponseFactory(errorResponseFactory);
+ context.setSoftwareStatement(Jwt.parseSilently(registerRequest.getSoftwareStatement()));
+
+ final String clientCertAsPem = httpRequest.getHeader("X-ClientCert");
+ if (StringUtils.isNotBlank(clientCertAsPem)) {
+ context.setCertificate(CertUtils.x509CertificateFromPem(clientCertAsPem));
+ } else {
+ log.trace("Cert is not set for client registration. X-ClientCert header has no value.");
+ }
+
+ final boolean result = externalClientRegistrationType.createClient(context);
+ context.throwWebApplicationExceptionIfSet();
+ return result;
+ } catch (WebApplicationException e) {
+ throw e;
+ } catch (Exception ex) {
+ log.error(ex.getMessage(), ex);
+ saveScriptError(customScriptConfiguration.getCustomScript(), ex);
+ }
+ return false;
 }
 public boolean executeExternalCreateClientMethods(RegisterRequest registerRequest, Client client, HttpServletRequest httpRequest) {
- return false;
+ boolean result = true;
+ for (CustomScriptConfiguration customScriptConfiguration : this.customScriptConfigurations) {
+ if (customScriptConfiguration.getExternalType().getApiVersion() > 1) {
+ result &= executeExternalCreateClientMethod(customScriptConfiguration, registerRequest, client, httpRequest);
+ if (!result) {
+ return result;
+ }
+ }
+ }
+
+ return result;
 }
 public boolean executeExternalUpdateClientMethod(HttpServletRequest httpRequest, CustomScriptConfiguration script, RegisterRequest registerRequest, Client client) {
+ try {
+ log.trace("Executing python 'updateClient' method");
+ ClientRegistrationType externalClientRegistrationType = (ClientRegistrationType) script.getExternalType();
+
+ DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, null, script, client);
+ context.setRegisterRequest(registerRequest);
+ context.setSoftwareStatement(Jwt.parseSilently(registerRequest.getSoftwareStatement()));
+ context.setErrorResponseFactory(errorResponseFactory);
+
+ final boolean result = externalClientRegistrationType.updateClient(context);
+ context.throwWebApplicationExceptionIfSet();
+ return result;
+ } catch (WebApplicationException e) {
+ throw e;
+ } catch (Exception ex) {
+ log.error(ex.getMessage(), ex);
+ saveScriptError(script.getCustomScript(), ex);
+ }
+ return false;
 }
 public boolean executeExternalUpdateClientMethods(HttpServletRequest httpRequest, RegisterRequest registerRequest, Client client) {
- return false;
+ boolean result = true;
+ for (CustomScriptConfiguration customScriptConfiguration : this.customScriptConfigurations) {
+ result &= executeExternalUpdateClientMethod(httpRequest, customScriptConfiguration, registerRequest, client);
+ if (!result) {
+ return result;
+ }
+ }
+
+ return result;
 }
 public JSONObject getSoftwareStatementJwks(HttpServletRequest httpRequest, JSONObject registerRequest, Jwt softwareStatement) {
- return null;
+ try {
+ log.info("Executing python 'getSoftwareStatementJwks' method, script name:" + defaultExternalCustomScript.getName());
+
+ DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, registerRequest, defaultExternalCustomScript);
+ context.setSoftwareStatement(softwareStatement);
+ context.setErrorResponseFactory(errorResponseFactory);
+
+ ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
+ final String result = externalType.getSoftwareStatementJwks(context);
+ context.throwWebApplicationExceptionIfSet();
+ log.info("Result of python 'getSoftwareStatementJwks' method: " + result);
+ return new JSONObject(result);
+ } catch (WebApplicationException e) {
+ throw e;
+ } catch (Exception ex) {
+ log.error(ex.getMessage(), ex);
+ saveScriptError(defaultExternalCustomScript.getCustomScript(), ex);
+ return null;
+ }
 }
 public String getSoftwareStatementHmacSecret(HttpServletRequest httpRequest, JSONObject registerRequest, Jwt softwareStatement) {
- return null;
+ try {
+ log.trace("Executing python 'getSoftwareStatementHmacSecret' method");
+
+ DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, registerRequest, defaultExternalCustomScript);
+ context.setSoftwareStatement(softwareStatement);
+ context.setErrorResponseFactory(errorResponseFactory);
+
+ ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
+ final String result = externalType.getSoftwareStatementHmacSecret(context);
+ context.throwWebApplicationExceptionIfSet();
+ log.trace("Result of python 'getSoftwareStatementHmacSecret' method: " + result);
+ return result;
+ } catch (WebApplicationException e) {
+ throw e;
+ } catch (Exception ex) {
+ log.error(ex.getMessage(), ex);
+ saveScriptError(defaultExternalCustomScript.getCustomScript(), ex);
+ return "";
+ }
 }
 public JSONObject getDcrJwks(HttpServletRequest httpRequest, Jwt dcr) {
- return null;
+ try {
+ log.trace("Executing python 'getDcrJwks' method");
+
+ DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, null, defaultExternalCustomScript);
+ context.setDcr(dcr);
+ context.setErrorResponseFactory(errorResponseFactory);
+
+ ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
+ final String result = externalType.getDcrJwks(context);
+ context.throwWebApplicationExceptionIfSet();
+ log.trace("Result of python 'getDcrJwks' method: " + result);
+ return new JSONObject(result);
+ } catch (WebApplicationException e) {
+ throw e;
+ } catch (Exception ex) {
+ log.error(ex.getMessage(), ex);
+ saveScriptError(defaultExternalCustomScript.getCustomScript(), ex);
+ return null;
+ }
 }
 public String getDcrHmacSecret(HttpServletRequest httpRequest, Jwt dcr) {
- return null;
+ try {
+ log.trace("Executing python 'getDcrHmacSecret' method");
+
+ DynamicClientRegistrationContext context = new DynamicClientRegistrationContext(httpRequest, null, defaultExternalCustomScript);
+ context.setDcr(dcr);
+ context.setErrorResponseFactory(errorResponseFactory);
+
+ ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
+ final String result = externalType.getDcrHmacSecret(context);
+ context.throwWebApplicationExceptionIfSet();
+ log.trace("Result of python 'getDcrHmacSecret' method: " + result);
+ return result;
+ } catch (WebApplicationException e) {
+ throw e;
+ } catch (Exception ex) {
+ log.error(ex.getMessage(), ex);
+ saveScriptError(defaultExternalCustomScript.getCustomScript(), ex);
+ return "";
+ }
 }
 public boolean isCertValidForClient(X509Certificate cert, DynamicClientRegistrationContext context) {
- return false;
+ try {
+ log.trace("Executing python 'isCertValidForClient' method");
+ context.setScript(defaultExternalCustomScript);
+ context.setErrorResponseFactory(errorResponseFactory);
+ ClientRegistrationType externalType = (ClientRegistrationType) defaultExternalCustomScript.getExternalType();
+ final boolean result = externalType.isCertValidForClient(cert, context);
+ context.throwWebApplicationExceptionIfSet();
+ log.trace("Result of python 'isCertValidForClient' method: " + result);
+ return result;
+ } catch (WebApplicationException e) {
+ throw e;
+ } catch (Exception ex) {
+ log.error(ex.getMessage(), ex);
+ saveScriptError(defaultExternalCustomScript.getCustomScript(), ex);
+ return false;
+ }
 }
 public boolean modifyPostResponse(JSONObject responseAsJsonObject, ExecutionContext context) {
+ CustomScriptConfiguration script = defaultExternalCustomScript;
+
+ try {
+ if (log.isTraceEnabled()) {
+ log.trace("Executing python 'modifyPostResponse' method, script name: {}, context: {}, response: {}", script.getName(), context, responseAsJsonObject.toString());
+ }
+ context.setScript(script);
+
+ ClientRegistrationType type = (ClientRegistrationType) script.getExternalType();
+ final boolean result = type.modifyPostResponse(responseAsJsonObject, context);
+ if (log.isTraceEnabled()) {
+ log.trace("Finished 'modifyPostResponse' method, script name: {}, context: {}, result: {}, response: {}", script.getName(), context, result, responseAsJsonObject.toString());
+ }
+
+ return result;
+ } catch (Exception ex) {
+ log.error(ex.getMessage(), ex);
+ saveScriptError(script.getCustomScript(), ex);
+ }
 return false;
 }
 public boolean modifyPutResponse(JSONObject responseAsJsonObject, ExecutionContext context) {
+ CustomScriptConfiguration script = defaultExternalCustomScript;
+
+ try {
+ if (log.isTraceEnabled()) {
+ log.trace("Executing python 'modifyPutResponse' method, script name: {}, context: {}, response: {}", script.getName(), context, responseAsJsonObject.toString());
+ }
+ context.setScript(script);
+
+ ClientRegistrationType type = (ClientRegistrationType) script.getExternalType();
+ final boolean result = type.modifyPutResponse(responseAsJsonObject, context);
+ if (log.isTraceEnabled()) {
+ log.trace("Finished 'modifyPutResponse' method, script name: {}, context: {}, result: {}, response: {}", script.getName(), context, result, responseAsJsonObject.toString());
+ }
+
+ return result;
+ } catch (Exception ex) {
+ log.error(ex.getMessage(), ex);
+ saveScriptError(script.getCustomScript(), ex);
+ }
 return false;
 }
 public boolean modifyReadResponse(JSONObject responseAsJsonObject, ExecutionContext context) {
+ CustomScriptConfiguration script = defaultExternalCustomScript;
+
+ try {
+ if (log.isTraceEnabled()) {
+ log.trace("Executing python 'modifyReadResponse' method, script name: {}, context: {}, response: {}", script.getName(), context, responseAsJsonObject.toString());
+ }
+ context.setScript(script);
+
+ ClientRegistrationType type = (ClientRegistrationType) script.getExternalType();
+ final boolean result = type.modifyReadResponse(responseAsJsonObject, context);
+ if (log.isTraceEnabled()) {
+ log.trace("Finished 'modifyReadResponse' method, script name: {}, context: {}, result: {}, response: {}", script.getName(), context, result, responseAsJsonObject.toString());
+ }
+
+ return result;
+ } catch (Exception ex) {
+ log.error(ex.getMessage(), ex);
+ saveScriptError(script.getCustomScript(), ex);
+ }
 return false;
 }
 }
From aea8512b1ada2f0ec50b566e4087d1ca4e17712c Mon Sep 17 00:00:00 2001
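Review bot: `getSoftwareStatementHmacSecret` and `getDcrHmacSecret` write the secret the script hands back into the trace log (`log.trace("Result of python 'getSoftwareStatementHmacSecret' method: " + result)` and the matching line in `getDcrHmacSecret`), so the HMAC key used to verify software statements and DCR requests ends up in log files whenever trace logging is on. I would log only whether a value came back, e.g. `log.trace("Result of python 'getSoftwareStatementHmacSecret' method: secret {}", StringUtils.isBlank(result) ? "absent" : "present");`, and the same for the DCR variant. On consistency, `modifyPostResponse`, `modifyPutResponse` and `modifyReadResponse` catch bare `Exception` without the `catch (WebApplicationException e) { throw e; }` rethrow every other method in the hunk uses, so an error response raised from a script there would be swallowed into a `false` return — presumably unintended, though I cannot tell from the hunk whether scripts can raise one through an `ExecutionContext`. The `catch` blocks that call `saveScriptError(defaultExternalCustomScript.getCustomScript(), ex)` would also throw a second NPE if `defaultExternalCustomScript` is null, which depends on how the base class initialises it. Reading the client certificate from the `X-ClientCert` header in `executeExternalCreateClientMethod` relies on a fronting proxy setting or stripping that header, which deserves a comment at `httpRequest.getHeader("X-ClientCert")` so the deployment assumption is visible.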
From: SMan
Date: Tue, 25 Jan 2022 20:47:34 -0600
Subject: [PATCH 12/13] feat: jans-auth-server: temp commit for sonar; fixes #365;
---
 jans-auth-server/pom.xml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/jans-auth-server/pom.xml b/jans-auth-server/pom.xml
index 4d1fe3a911f..8eeab874a5c 100644
--- a/jans-auth-server/pom.xml
+++ b/jans-auth-server/pom.xml
@@ -63,11 +63,13 @@
 Janssen project repository https://maven.jans.io/maven + bouncycastle Bouncy Castle
From 3f94dd1c71d03ae50bd38cdb5cfc8d8dcc1179aa Mon Sep 17 00:00:00 2001
From: SMan
Date: Tue, 25 Jan 2022 21:05:30 -0600
Subject: [PATCH 13/13] feat: jans-auth-server: temp commit for sonar; fixes #365;
---
 jans-auth-server/pom.xml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/jans-auth-server/pom.xml b/jans-auth-server/pom.xml
index 8eeab874a5c..4d1fe3a911f 100644
--- a/jans-auth-server/pom.xml
+++ b/jans-auth-server/pom.xml
@@ -63,13 +63,11 @@
 Janssen project repository https://maven.jans.io/maven - bouncycastle Bouncy Castle