KEYCLOAK-5007 Used single-use cache for tracke OAuth code. OAuth code…

… changed to be encrypted and signed JWT
keycloak · Sep 29, 2017 · 3b6e1f4 · 3b6e1f4
1 parent 63673c4
commit 3b6e1f4
Show file tree

Hide file tree

Showing 69 changed files with 1,568 additions and 458 deletions.
diff --git a/common/src/main/java/org/keycloak/common/util/KeyUtils.java b/common/src/main/java/org/keycloak/common/util/KeyUtils.java
@@ -40,8 +40,8 @@ public class KeyUtils {
     private KeyUtils() {
     }
 
-    public static SecretKey loadSecretKey(byte[] secret) {
+    public static SecretKey loadSecretKey(byte[] secret, String javaAlgorithmName) {
-        return new SecretKeySpec(secret, "HmacSHA256");
+        return new SecretKeySpec(secret, javaAlgorithmName);
     }
 
     public static KeyPair generateRsaKeyPair(int keysize) {

diff --git a/common/src/test/java/org/keycloak/common/util/KeyUtilsTest.java b/common/src/test/java/org/keycloak/common/util/KeyUtilsTest.java
@@ -16,7 +16,7 @@ public void loadSecretKey() throws Exception {
         byte[] secretBytes = new byte[32];
         ThreadLocalRandom.current().nextBytes(secretBytes);
         SecretKeySpec expected = new SecretKeySpec(secretBytes, "HmacSHA256");
-        SecretKey actual = KeyUtils.loadSecretKey(secretBytes);
+        SecretKey actual = KeyUtils.loadSecretKey(secretBytes, "HmacSHA256");
         assertEquals(expected.getAlgorithm(), actual.getAlgorithm());
         assertArrayEquals(expected.getEncoded(), actual.getEncoded());
     }

diff --git a/core/src/main/java/org/keycloak/jose/jwe/JWE.java b/core/src/main/java/org/keycloak/jose/jwe/JWE.java
@@ -111,7 +111,7 @@ public void setEncryptedContentInfo(byte[] initializationVector, byte[] encrypte
     }
 
 
-    public String encodeJwe() {
+    public String encodeJwe() throws JWEException {
         try {
             if (header == null) {
                 throw new IllegalStateException("Header must be set");
@@ -139,8 +139,8 @@ public String encodeJwe() {
             encryptionProvider.encodeJwe(this);
 
             return getEncodedJweString();
-        } catch (IOException | GeneralSecurityException e) {
+        } catch (Exception e) {
-            throw new RuntimeException(e);
+            throw new JWEException(e);
         }
     }
 
@@ -157,7 +157,7 @@ private String getEncodedJweString() {
     }
 
 
-    public JWE verifyAndDecodeJwe(String jweStr) {
+    public JWE verifyAndDecodeJwe(String jweStr) throws JWEException {
         try {
             String[] parts = jweStr.split("\\.");
             if (parts.length != 5) {
@@ -189,8 +189,8 @@ public JWE verifyAndDecodeJwe(String jweStr) {
             encryptionProvider.verifyAndDecodeJwe(this);
 
             return this;
-        } catch (IOException | GeneralSecurityException e) {
+        } catch (Exception e) {
-            throw new RuntimeException(e);
+            throw new JWEException(e);
         }
     }
 

diff --git a/core/src/main/java/org/keycloak/jose/jwe/JWEException.java b/core/src/main/java/org/keycloak/jose/jwe/JWEException.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.jose.jwe;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class JWEException extends Exception {
+
+    public JWEException(String s) {
+        super(s);
+    }
+
+    public JWEException() {
+    }
+
+    public JWEException(Throwable throwable) {
+        super(throwable);
+    }
+}
diff --git a/core/src/main/java/org/keycloak/jose/jwe/alg/AesKeyWrapAlgorithmProvider.java b/core/src/main/java/org/keycloak/jose/jwe/alg/AesKeyWrapAlgorithmProvider.java
@@ -34,18 +34,14 @@
 public class AesKeyWrapAlgorithmProvider implements JWEAlgorithmProvider {
 
     @Override
-    public byte[] decodeCek(byte[] encodedCek, Key encryptionKey) throws IOException, GeneralSecurityException {
+    public byte[] decodeCek(byte[] encodedCek, Key encryptionKey) throws Exception {
-        try {
+        Wrapper encrypter = new AESWrapEngine();
-            Wrapper encrypter = new AESWrapEngine();
+        encrypter.init(false, new KeyParameter(encryptionKey.getEncoded()));
-            encrypter.init(false, new KeyParameter(encryptionKey.getEncoded()));
+        return encrypter.unwrap(encodedCek, 0, encodedCek.length);
-            return encrypter.unwrap(encodedCek, 0, encodedCek.length);
-        } catch (InvalidCipherTextException icte) {
-            throw new IllegalStateException(icte);
-        }
     }
 
     @Override
-    public byte[] encodeCek(JWEEncryptionProvider encryptionProvider, JWEKeyStorage keyStorage, Key encryptionKey) throws IOException, GeneralSecurityException {
+    public byte[] encodeCek(JWEEncryptionProvider encryptionProvider, JWEKeyStorage keyStorage, Key encryptionKey) throws Exception {
         Wrapper encrypter = new AESWrapEngine();
         encrypter.init(true, new KeyParameter(encryptionKey.getEncoded()));
         byte[] cekBytes = keyStorage.getCekBytes();

diff --git a/core/src/main/java/org/keycloak/jose/jwe/alg/DirectAlgorithmProvider.java b/core/src/main/java/org/keycloak/jose/jwe/alg/DirectAlgorithmProvider.java
@@ -30,12 +30,12 @@
 public class DirectAlgorithmProvider implements JWEAlgorithmProvider {
 
     @Override
-    public byte[] decodeCek(byte[] encodedCek, Key encryptionKey) throws IOException, GeneralSecurityException {
+    public byte[] decodeCek(byte[] encodedCek, Key encryptionKey) {
         return new byte[0];
     }
 
     @Override
-    public byte[] encodeCek(JWEEncryptionProvider encryptionProvider, JWEKeyStorage keyStorage, Key encryptionKey) throws IOException, GeneralSecurityException {
+    public byte[] encodeCek(JWEEncryptionProvider encryptionProvider, JWEKeyStorage keyStorage, Key encryptionKey) {
         return new byte[0];
     }
 }
diff --git a/core/src/main/java/org/keycloak/jose/jwe/alg/JWEAlgorithmProvider.java b/core/src/main/java/org/keycloak/jose/jwe/alg/JWEAlgorithmProvider.java
@@ -29,8 +29,8 @@
  */
 public interface JWEAlgorithmProvider {
 
-    byte[] decodeCek(byte[] encodedCek, Key encryptionKey) throws IOException, GeneralSecurityException;
+    byte[] decodeCek(byte[] encodedCek, Key encryptionKey) throws Exception;
 
-    byte[] encodeCek(JWEEncryptionProvider encryptionProvider, JWEKeyStorage keyStorage, Key encryptionKey) throws IOException, GeneralSecurityException;
+    byte[] encodeCek(JWEEncryptionProvider encryptionProvider, JWEKeyStorage keyStorage, Key encryptionKey) throws Exception;
 
 }
diff --git a/core/src/main/java/org/keycloak/jose/jwe/enc/JWEEncryptionProvider.java b/core/src/main/java/org/keycloak/jose/jwe/enc/JWEEncryptionProvider.java
@@ -41,7 +41,7 @@ public interface JWEEncryptionProvider {
      * @throws IOException
      * @throws GeneralSecurityException
      */
-    void encodeJwe(JWE jwe) throws IOException, GeneralSecurityException;
+    void encodeJwe(JWE jwe) throws Exception;
 
 
     /**
@@ -51,7 +51,7 @@ public interface JWEEncryptionProvider {
      * @throws IOException
      * @throws GeneralSecurityException
      */
-    void verifyAndDecodeJwe(JWE jwe) throws IOException, GeneralSecurityException;
+    void verifyAndDecodeJwe(JWE jwe) throws Exception;
 
 
     /**

diff --git a/core/src/main/java/org/keycloak/jose/jws/AlgorithmType.java b/core/src/main/java/org/keycloak/jose/jws/AlgorithmType.java
@@ -25,6 +25,7 @@ public enum AlgorithmType {
 
     RSA,
     HMAC,
+    AES,
     ECDSA
 
 }
diff --git a/core/src/main/java/org/keycloak/representations/CodeJWT.java b/core/src/main/java/org/keycloak/representations/CodeJWT.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.representations;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class CodeJWT extends JsonWebToken {
+
+    @JsonProperty("uss")
+    protected String userSessionId;
+
+    public String getUserSessionId() {
+        return userSessionId;
+    }
+
+    public CodeJWT userSessionId(String userSessionId) {
+        this.userSessionId = userSessionId;
+        return this;
+    }
+
+}
diff --git a/core/src/main/java/org/keycloak/util/TokenUtil.java b/core/src/main/java/org/keycloak/util/TokenUtil.java
@@ -18,11 +18,18 @@
 package org.keycloak.util;
 
 import org.keycloak.OAuth2Constants;
+import org.keycloak.jose.jwe.JWE;
+import org.keycloak.jose.jwe.JWEConstants;
+import org.keycloak.jose.jwe.JWEException;
+import org.keycloak.jose.jwe.JWEHeader;
+import org.keycloak.jose.jwe.JWEKeyStorage;
 import org.keycloak.jose.jws.JWSInput;
 import org.keycloak.jose.jws.JWSInputException;
+import org.keycloak.representations.JsonWebToken;
 import org.keycloak.representations.RefreshToken;
 
 import java.io.IOException;
+import java.security.Key;
 
 /**
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
@@ -115,4 +122,52 @@ public static boolean isOfflineToken(String refreshToken) throws JWSInputExcepti
         return token.getType().equals(TOKEN_TYPE_OFFLINE);
     }
 
+
+    public static String jweDirectEncode(Key aesKey, Key hmacKey, JsonWebToken jwt) throws JWEException {
+        int keyLength = aesKey.getEncoded().length;
+        String encAlgorithm;
+        switch (keyLength) {
+            case 16: encAlgorithm = JWEConstants.A128CBC_HS256;
+                break;
+            case 24: encAlgorithm = JWEConstants.A192CBC_HS384;
+                break;
+            case 32: encAlgorithm = JWEConstants.A256CBC_HS512;
+                break;
+            default: throw new IllegalArgumentException("Bad size for Encryption key: " + aesKey + ". Valid sizes are 16, 24, 32.");
+        }
+
+        try {
+            byte[] contentBytes = JsonSerialization.writeValueAsBytes(jwt);
+
+            JWEHeader jweHeader = new JWEHeader(JWEConstants.DIR, encAlgorithm, null);
+            JWE jwe = new JWE()
+                    .header(jweHeader)
+                    .content(contentBytes);
+
+            jwe.getKeyStorage()
+                    .setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION)
+                    .setCEKKey(hmacKey, JWEKeyStorage.KeyUse.SIGNATURE);
+
+            return jwe.encodeJwe();
+        } catch (IOException ioe) {
+            throw new JWEException(ioe);
+        }
+    }
+
+
+    public static <T extends JsonWebToken> T jweDirectVerifyAndDecode(Key aesKey, Key hmacKey, String jweStr, Class<T> expectedClass) throws JWEException {
+        JWE jwe = new JWE();
+        jwe.getKeyStorage()
+                .setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION)
+                .setCEKKey(hmacKey, JWEKeyStorage.KeyUse.SIGNATURE);
+
+        jwe.verifyAndDecodeJwe(jweStr);
+
+        try {
+            return JsonSerialization.readValue(jwe.getContent(), expectedClass);
+        } catch (IOException ioe) {
+            throw new JWEException(ioe);
+        }
+    }
+
 }