Copy and alter Spring JWT Helper for "kid" header

[#107773584] https://www.pivotaltracker.com/story/show/107773584 Signed-off-by: Jonathan Lo <jlo@us.ibm.com>
cloudfoundry · Mar 14, 2016 · 84f9b68 · 84f9b68
1 parent 896ffae
commit 84f9b68
Show file tree

Hide file tree

Showing 24 changed files with 538 additions and 21 deletions.
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/audit/event/AbstractUaaEvent.java b/server/src/main/java/org/cloudfoundry/identity/uaa/audit/event/AbstractUaaEvent.java
@@ -12,11 +12,11 @@
  *******************************************************************************/
 package org.cloudfoundry.identity.uaa.audit.event;
 
-import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.core.type.TypeReference;
 import org.cloudfoundry.identity.uaa.audit.AuditEvent;
 import org.cloudfoundry.identity.uaa.audit.AuditEventType;
 import org.cloudfoundry.identity.uaa.audit.UaaAuditService;
+import org.cloudfoundry.identity.uaa.oauth.jwt.JwtHelper;
 import org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
@@ -26,7 +26,6 @@
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.jwt.Jwt;
-import org.springframework.security.jwt.JwtHelper;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
 

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/audit/event/TokenIssuedEvent.java b/server/src/main/java/org/cloudfoundry/identity/uaa/audit/event/TokenIssuedEvent.java
@@ -15,10 +15,10 @@
 import com.fasterxml.jackson.core.type.TypeReference;
 import org.cloudfoundry.identity.uaa.audit.AuditEvent;
 import org.cloudfoundry.identity.uaa.audit.AuditEventType;
+import org.cloudfoundry.identity.uaa.oauth.jwt.JwtHelper;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.jwt.Jwt;
-import org.springframework.security.jwt.JwtHelper;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 
 import java.util.Map;

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/CheckTokenEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/CheckTokenEndpoint.java
@@ -14,13 +14,13 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.cloudfoundry.identity.uaa.oauth.jwt.JwtHelper;
 import org.cloudfoundry.identity.uaa.oauth.token.Claims;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.jwt.Jwt;
-import org.springframework.security.jwt.JwtHelper;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/KeyInfo.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/KeyInfo.java
@@ -2,12 +2,13 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.cloudfoundry.identity.uaa.oauth.jwt.IdentifiedSigner;
+import org.cloudfoundry.identity.uaa.oauth.jwt.Signer;
 import org.springframework.security.jwt.crypto.sign.InvalidSignatureException;
 import org.springframework.security.jwt.crypto.sign.MacSigner;
 import org.springframework.security.jwt.crypto.sign.RsaSigner;
 import org.springframework.security.jwt.crypto.sign.RsaVerifier;
 import org.springframework.security.jwt.crypto.sign.SignatureVerifier;
-import org.springframework.security.jwt.crypto.sign.Signer;
 import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
@@ -21,12 +22,12 @@ public class KeyInfo {
     private String keyId;
     private String verifierKey = new RandomValueStringGenerator().generate();
     private String signingKey = verifierKey;
-    private Signer signer = new MacSigner(verifierKey);
+    private org.springframework.security.jwt.crypto.sign.Signer signer = new MacSigner(verifierKey);
     private SignatureVerifier verifier = new MacSigner(signingKey);
     private String type = "MAC";
 
     public Signer getSigner() {
-        return signer;
+        return new IdentifiedSigner(keyId, signer);
     }
 
     /**

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
@@ -20,6 +20,7 @@
 import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
 import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
 import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
+import org.cloudfoundry.identity.uaa.oauth.jwt.JwtHelper;
 import org.cloudfoundry.identity.uaa.oauth.token.CompositeAccessToken;
 import org.cloudfoundry.identity.uaa.zone.TokenPolicy;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfiguration;
@@ -44,7 +45,6 @@
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.jwt.Jwt;
-import org.springframework.security.jwt.JwtHelper;
 import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException;
 import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
 import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;

diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/HeaderParameters.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/HeaderParameters.java
@@ -0,0 +1,25 @@
+package org.cloudfoundry.identity.uaa.oauth.jwt;
+
+/*******************************************************************************
+ * Cloud Foundry
+ * Copyright (c) [2009-2016] Pivotal Software, Inc. All Rights Reserved.
+ * <p>
+ * This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ * You may not use this product except in compliance with the License.
+ * <p>
+ * This product includes a number of subcomponents with
+ * separate copyright notices and license terms. Your use of these
+ * subcomponents is subject to the terms and conditions of the
+ * subcomponent's license, as noted in the LICENSE file.
+ *******************************************************************************/
+public interface HeaderParameters {
+    String getAlg();
+
+    String getEnc();
+
+    String getIv();
+
+    String getTyp();
+
+    String getKid();
+}
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/IdentifiedSigner.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/IdentifiedSigner.java
@@ -0,0 +1,26 @@
+package org.cloudfoundry.identity.uaa.oauth.jwt;
+
+public class IdentifiedSigner implements Signer {
+    private final String id;
+    private final org.springframework.security.jwt.crypto.sign.Signer signer;
+
+    public IdentifiedSigner(String id, org.springframework.security.jwt.crypto.sign.Signer signer) {
+        this.id = id;
+        this.signer = signer;
+    }
+
+    @Override
+    public String keyId() {
+        return id;
+    }
+
+    @Override
+    public byte[] sign(byte[] bytes) {
+        return signer.sign(bytes);
+    }
+
+    @Override
+    public String algorithm() {
+        return signer.algorithm();
+    }
+}
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/Jwt.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/Jwt.java
@@ -0,0 +1,19 @@
+/*
+ * Copyright 2006-2011 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.cloudfoundry.identity.uaa.oauth.jwt;
+
+import org.springframework.security.jwt.crypto.sign.SignatureVerifier;
+
+public interface Jwt extends org.springframework.security.jwt.Jwt {
+    HeaderParameters getHeader();
+}
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/JwtAlgorithms.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/jwt/JwtAlgorithms.java
@@ -0,0 +1,79 @@
+/*
+ * Copyright 2006-2011 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package org.cloudfoundry.identity.uaa.oauth.jwt;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.springframework.security.jwt.crypto.cipher.CipherMetadata;
+
+/**
+ * @author Luke Taylor
+ */
+public class JwtAlgorithms {
+    private static final Map<String,String> sigAlgs = new HashMap<String,String>();
+    private static final Map<String,String> javaToSigAlgs = new HashMap<String,String>();
+    private static final Map<String,String> keyAlgs = new HashMap<String,String>();
+    private static final Map<String,String> javaToKeyAlgs = new HashMap<String,String>();
+
+    static {
+        sigAlgs.put("HS256", "HMACSHA256");
+        sigAlgs.put("HS384" , "HMACSHA384");
+        sigAlgs.put("HS512" , "HMACSHA512");
+        sigAlgs.put("RS256" , "SHA256withRSA");
+        sigAlgs.put("RS512" , "SHA512withRSA");
+
+        keyAlgs.put("RSA1_5" , "RSA/ECB/PKCS1Padding");
+
+        for(Map.Entry<String,String> e: sigAlgs.entrySet()) {
+            javaToSigAlgs.put(e.getValue(), e.getKey());
+        }
+        for(Map.Entry<String,String> e: keyAlgs.entrySet()) {
+            javaToKeyAlgs.put(e.getValue(), e.getKey());
+        }
+
+    }
+
+    static String sigAlg(String javaName){
+        String alg = javaToSigAlgs.get(javaName);
+
+        if (alg == null) {
+            throw new IllegalArgumentException("Invalid or unsupported signature algorithm: " + javaName);
+        }
+
+        return alg;
+    }
+
+    static String keyEncryptionAlg(String javaName) {
+        String alg = javaToKeyAlgs.get(javaName);
+
+        if (alg == null) {
+            throw new IllegalArgumentException("Invalid or unsupported key encryption algorithm: " + javaName);
+        }
+
+        return alg;
+    }
+
+    static String enc(CipherMetadata cipher) {
+        if (!cipher.algorithm().equalsIgnoreCase("AES/CBC/PKCS5Padding")) {
+            throw new IllegalArgumentException("Unknown or unsupported algorithm");
+        }
+        if (cipher.keySize() == 128) {
+            return "A128CBC";
+        } else if (cipher.keySize() == 256) {
+            return "A256CBC";
+        } else {
+            throw new IllegalArgumentException("Unsupported key size");
+        }
+    }
+}