review

cloudfoundry · May 3, 2023 · 31fd4e7 · 31fd4e7
1 parent 1714e1f
commit 31fd4e7
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 26 deletions.
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/KeyInfo.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/KeyInfo.java
@@ -38,7 +38,7 @@
 import static org.cloudfoundry.identity.uaa.oauth.jwk.JsonWebKey.KeyType.RSA;
 
 public class KeyInfo {
-    private final boolean isAsymetric;
+    private final boolean isAsymmetric;
     private Signer signer;
     private SignatureVerifier verifier;
     private final String keyId;
@@ -54,23 +54,23 @@ public KeyInfo(String keyId, String signingKey, String keyUrl) {
     public KeyInfo(String keyId, String signingKey, String keyUrl, String sigAlg, String signingCert) {
         this.keyId = keyId;
         this.keyUrl = validateAndConstructTokenKeyUrl(keyUrl);
-        this.isAsymetric = isAssymetricKey(signingKey);
+        this.isAsymmetric = isAsymmetric(signingKey);
         String algorithm;
-        if (this.isAsymetric) {
+        if (this.isAsymmetric) {
             String jwtAlg;
             KeyPair keyPair;
             try {
                 jwk = JWK.parseFromPEMEncodedObjects(signingKey);
                 jwtAlg = jwk.getKeyType().getValue();
                 if (jwtAlg.startsWith("RSA")) {
-                    algorithm = Optional.ofNullable(sigAlg).map(JwtAlgorithms::sigAlgJava).orElse("SHA256withRSA");
+                    algorithm = Optional.ofNullable(sigAlg).map(JwtAlgorithms::sigAlgJava).orElse(JwtAlgorithms.DEFAULT_RSA);
                     keyPair = jwk.toRSAKey().toKeyPair();
                     PublicKey rsaPublicKey = keyPair.getPublic();
                     this.signer = new RsaSigner((RSAPrivateKey) keyPair.getPrivate(), algorithm);
                     this.verifier = new RsaVerifier((RSAPublicKey) rsaPublicKey, algorithm);
                     this.type = RSA;
                 } else if (jwtAlg.startsWith("EC")) {
-                    algorithm = Optional.ofNullable(sigAlg).map(JwtAlgorithms::sigAlgJava).orElse("SHA256withECDSA");
+                    algorithm = Optional.ofNullable(sigAlg).map(JwtAlgorithms::sigAlgJava).orElse(JwtAlgorithms.DEFAULT_EC);
                     keyPair = jwk.toECKey().toKeyPair();
                     this.signer = null;
                     this.verifier = new EllipticCurveVerifier((ECPublicKey) keyPair.getPublic(), algorithm);
@@ -85,7 +85,7 @@ public KeyInfo(String keyId, String signingKey, String keyUrl, String sigAlg, St
             this.verifierKey = JsonWebKey.pemEncodePublicKey(keyPair.getPublic()).orElse(null);
         } else {
             jwk = new OctetSequenceKey.Builder(signingKey.getBytes()).build();
-            algorithm = Optional.ofNullable(sigAlg).map(JwtAlgorithms::sigAlgJava).orElse("HMACSHA256");
+            algorithm = Optional.ofNullable(sigAlg).map(JwtAlgorithms::sigAlgJava).orElse(JwtAlgorithms.DEFAULT_HMAC);
             SecretKey hmacKey = new SecretKeySpec(signingKey.getBytes(), algorithm);
             this.signer = new MacSigner(algorithm, hmacKey);
             this.verifier = new MacSigner(algorithm, hmacKey);
@@ -94,9 +94,6 @@ public KeyInfo(String keyId, String signingKey, String keyUrl, String sigAlg, St
             this.type = MAC;
         }
     }
-    public void verify() {
-        // not in use
-    }
 
     public SignatureVerifier getVerifier() {
         return this.verifier;
@@ -127,13 +124,13 @@ public Optional<String> verifierCertificate() {
     }
 
     public Map<String, Object> getJwkMap() {
-        if (this.isAsymetric) {
-            Map<String, Object> result = new HashMap<>();
-            result.put(HeaderParameterNames.ALGORITHM, this.algorithm());
-            //new values per OpenID and JWK spec
-            result.put(JWKParameterNames.PUBLIC_KEY_USE, JsonWebKey.KeyUse.sig.name());
-            result.put(HeaderParameterNames.KEY_ID, this.keyId);
-            result.put(JWKParameterNames.KEY_TYPE, type.name());
+        Map<String, Object> result = new HashMap<>();
+        result.put(HeaderParameterNames.ALGORITHM, this.algorithm());
+        //new values per OpenID and JWK spec
+        result.put(JWKParameterNames.PUBLIC_KEY_USE, JsonWebKey.KeyUse.sig.name());
+        result.put(HeaderParameterNames.KEY_ID, this.keyId);
+        result.put(JWKParameterNames.KEY_TYPE, type.name());
+        if (this.isAsymmetric) {
             // X509 releated values from JWK spec
             if (this.verifierCertificate.isPresent()) {
                 X509Certificate x509Certificate = X509CertUtils.parse(verifierCertificate.get());
@@ -161,13 +158,7 @@ public Map<String, Object> getJwkMap() {
             }
             return result;
         } else {
-            Map<String, Object> result = new HashMap<>();
-            result.put(HeaderParameterNames.ALGORITHM, this.algorithm());
             result.put(JsonWebKey.PUBLIC_KEY_VALUE, this.verifierKey);
-            //new values per OpenID and JWK spec
-            result.put(JWKParameterNames.PUBLIC_KEY_USE, JsonWebKey.KeyUse.sig.name());
-            result.put(HeaderParameterNames.KEY_ID, this.keyId);
-            result.put(JWKParameterNames.KEY_TYPE, type.name());
             return result;
         }
     }
@@ -184,7 +175,7 @@ private static String validateAndConstructTokenKeyUrl(String keyUrl) {
         return UriComponentsBuilder.fromHttpUrl(keyUrl).scheme("https").path("/token_keys").build().toUriString();
     }
 
-    private static boolean isAssymetricKey(String key) {
+    private static boolean isAsymmetric(String key) {
         return key.startsWith("-----BEGIN");
     }
 }
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/JwtAlgorithms.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/JwtAlgorithms.java
@@ -21,22 +21,25 @@
  * @author Luke Taylor
  */
 public class JwtAlgorithms {
+    public static final String DEFAULT_HMAC = "HMACSHA256";
+    public static final String DEFAULT_EC = "SHA256withECDSA";
+    public static final String DEFAULT_RSA = "SHA256withRSA";
     private static final Map<String,String> sigAlgs = new HashMap<String,String>();
     private static final Map<String,String> javaToSigAlgs = new HashMap<String,String>();
     private static final Map<String,String> keyAlgs = new HashMap<String,String>();
     private static final Map<String,String> javaToKeyAlgs = new HashMap<String,String>();
 
     static {
-        sigAlgs.put("HS256", "HMACSHA256");
+        sigAlgs.put("HS256", DEFAULT_HMAC);
         sigAlgs.put("HS384" , "HMACSHA384");
         sigAlgs.put("HS512" , "HMACSHA512");
-        sigAlgs.put("RS256" , "SHA256withRSA");
+        sigAlgs.put("RS256" , DEFAULT_RSA);
         sigAlgs.put("RS384" , "SHA384withRSA");
         sigAlgs.put("RS512" , "SHA512withRSA");
         sigAlgs.put("PS256" , "SHA256withRSAandMGF1");
         sigAlgs.put("PS384" , "SHA384withRSAandMGF1");
         sigAlgs.put("PS512" , "SHA512withRSAandMGF1");
-        sigAlgs.put("ES256" , "SHA256withECDSA");
+        sigAlgs.put("ES256" , DEFAULT_EC);
         sigAlgs.put("ES256K" , "SHA256withECDSA");
         sigAlgs.put("ES384" , "SHA384withECDSA");
         sigAlgs.put("ES512" , "SHA512withECDSA");