KEYCLOAK-7560 Refactor Token Sign and Verify by Token Signature SPI #5260
Closed
9 changes: 9 additions & 0 deletions
core/src/main/java/org/keycloak/jose/jws/JWSSignatureProvider.java
@@ -0,0 +1,9 @@ | ||
package org.keycloak.jose.jws; | ||
|
||
import java.security.Key; | ||
|
||
public interface JWSSignatureProvider { | ||
// KEYCLOAK-7560 Refactoring Token Signing and Verifying by Token Signature SPI | ||
byte[] sign(byte[] data, String sigAlgName, Key key); | ||
boolean verify(JWSInput input, Key key); | ||
} |
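Review bot: `verify(JWSInput input, Key key)` takes no algorithm parameter while `sign` takes `sigAlgName`, so an implementation can only learn the algorithm from the token's own header; the interface should state that implementations must compare the header algorithm against the one they were configured for and fail verification on a mismatch, rather than dispatching on whatever the header says. The `// KEYCLOAK-7560 ...` tracker line inside the interface should become Javadoc for both methods (expected `Key` types, what `verify` returns on malformed input).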
12 changes: 12 additions & 0 deletions
server-spi-private/src/main/java/org/keycloak/jose/jws/TokenSignatureProvider.java
@@ -0,0 +1,12 @@ | ||
package org.keycloak.jose.jws; | ||
|
||
import java.security.Key; | ||
|
||
import org.keycloak.provider.Provider; | ||
|
||
// KEYCLOAK-7560 Refactoring Token Signing and Verifying by Token Signature SPI | ||
|
||
public interface TokenSignatureProvider extends Provider { | ||
byte[] sign(byte[] data, String sigAlgName, Key key); | ||
boolean verify(JWSInput jws, Key verifyKey); | ||
} |
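Review bot: the two methods duplicate `JWSSignatureProvider` verbatim (only the parameter names differ: `input`/`key` there, `jws`/`verifyKey` here), so the two contracts can drift apart; declare `TokenSignatureProvider extends Provider, JWSSignatureProvider` instead of redeclaring them, and turn the `// KEYCLOAK-7560` line into Javadoc explaining how this provider relates to the core interface.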
11 changes: 11 additions & 0 deletions
server-spi-private/src/main/java/org/keycloak/jose/jws/TokenSignatureProviderFactory.java
@@ -0,0 +1,11 @@ | ||
package org.keycloak.jose.jws; | ||
|
||
import org.keycloak.component.ComponentFactory; | ||
import org.keycloak.component.ComponentModel; | ||
import org.keycloak.models.KeycloakSession; | ||
|
||
// KEYCLOAK-7560 Refactoring Token Signing and Verifying by Token Signature SPI | ||
|
||
public interface TokenSignatureProviderFactory<T extends TokenSignatureProvider> extends ComponentFactory<T, TokenSignatureProvider> { | ||
T create(KeycloakSession session, ComponentModel model); | ||
} |
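Review bot: `T create(KeycloakSession session, ComponentModel model)` redeclares the method `ComponentFactory` already declares, so it adds only a second signature to keep in sync; drop it, and use the Javadoc slot (in place of the `// KEYCLOAK-7560` line) to say which configuration the factory expects on the `ComponentModel`, in particular the signature algorithm, and that unknown or missing algorithm values must be rejected when the component is configured rather than at first use.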
29 changes: 29 additions & 0 deletions
server-spi-private/src/main/java/org/keycloak/jose/jws/TokenSignatureSpi.java
@@ -0,0 +1,29 @@ | ||
package org.keycloak.jose.jws; | ||
|
||
import org.keycloak.provider.Provider; | ||
import org.keycloak.provider.ProviderFactory; | ||
import org.keycloak.provider.Spi; | ||
|
||
// KEYCLOAK-7560 Refactoring Token Signing and Verifying by Token Signature SPI | ||
|
||
public class TokenSignatureSpi implements Spi { | ||
@Override | ||
public boolean isInternal() { | ||
return true; | ||
} | ||
|
||
@Override | ||
public String getName() { | ||
return "tokenSignature"; | ||
} | ||
|
||
@Override | ||
public Class<? extends Provider> getProviderClass() { | ||
return TokenSignatureProvider.class; | ||
} | ||
|
||
@Override | ||
public Class<? extends ProviderFactory> getProviderFactoryClass() { | ||
return TokenSignatureProviderFactory.class; | ||
} | ||
} |
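Review bot: `getName()` returns the literal "tokenSignature" with no constant exposing it, so every caller that looks providers up by SPI name will hard-code the string; add a `public static final String NAME = "tokenSignature";` and return it. The `// KEYCLOAK-7560` line above the class should be a Javadoc comment describing what the SPI is for.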
10 changes: 10 additions & 0 deletions
server-spi-private/src/main/java/org/keycloak/keys/SignatureKeyProvider.java
@@ -0,0 +1,10 @@ | ||
package org.keycloak.keys; | ||
|
||
import java.security.Key; | ||
|
||
// KEYCLOAK-7560 Refactoring Token Signing and Verifying by Token Signature SPI | ||
|
||
public interface SignatureKeyProvider { | ||
Key getSignKey(); | ||
Key getVerifyKey(String kid); | ||
} |
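Review bot: `getVerifyKey(String kid)` is undocumented on the one point that matters most: the `kid` comes from an unverified token header, so the contract should say that an unknown `kid` yields `null` (or throws), that callers must treat that as verification failure, and that implementations resolve `kid` only against keys the realm itself holds. Also document which `Key` types each method returns (a private key from `getSignKey()` and a public key from `getVerifyKey()` for RSASSA, the same secret for HMAC), since the callers in this PR pass the result straight into `sign`/`verify`.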
35 changes: 35 additions & 0 deletions
...r-spi-private/src/main/java/org/keycloak/models/utils/DefaultTokenSignatureProviders.java
@@ -0,0 +1,35 @@ | ||
package org.keycloak.models.utils; | ||
|
||
import org.keycloak.common.util.MultivaluedHashMap; | ||
import org.keycloak.component.ComponentModel; | ||
import org.keycloak.jose.jws.TokenSignatureProvider; | ||
import org.keycloak.models.RealmModel; | ||
|
||
// KEYCLOAK-7560 Refactoring Token Signing and Verifying by Token Signature SPI | ||
|
||
public class DefaultTokenSignatureProviders { | ||
private static final String COMPONENT_SIGNATURE_ALGORITHM_KEY = "org.keycloak.jose.jws.TokenSignatureProvider.algorithm"; | ||
private static final String RSASSA_PROVIDER_ID = "rsassa-signature"; | ||
private static final String HMAC_PROVIDER_ID = "hmac-signature"; | ||
|
||
public static void createProviders(RealmModel realm) { | ||
createAndAddProvider(realm, RSASSA_PROVIDER_ID, "RS256"); | ||
createAndAddProvider(realm, RSASSA_PROVIDER_ID, "RS384"); | ||
createAndAddProvider(realm, RSASSA_PROVIDER_ID, "RS512"); | ||
createAndAddProvider(realm, HMAC_PROVIDER_ID, "HS256"); | ||
createAndAddProvider(realm, HMAC_PROVIDER_ID, "HS384"); | ||
createAndAddProvider(realm, HMAC_PROVIDER_ID, "HS512"); | ||
} | ||
|
||
private static void createAndAddProvider(RealmModel realm, String providerId, String sigAlgName) { | ||
ComponentModel generated = new ComponentModel(); | ||
generated.setName(providerId); | ||
generated.setParentId(realm.getId()); | ||
generated.setProviderId(providerId); | ||
generated.setProviderType(TokenSignatureProvider.class.getName()); | ||
MultivaluedHashMap<String, String> config = new MultivaluedHashMap<>(); | ||
config.putSingle(COMPONENT_SIGNATURE_ALGORITHM_KEY, sigAlgName); | ||
generated.setConfig(config); | ||
realm.addComponentModel(generated); | ||
} | ||
} |
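Review bot: `generated.setName(providerId)` gives three components the name "rsassa-signature" and three the name "hmac-signature", distinguished only by the config value, which makes them hard to tell apart in the admin console and in any lookup by name; include the algorithm in the name (e.g. `providerId + "-" + sigAlgName`). `createProviders` also adds the six components unconditionally, so calling it on a realm that already has them duplicates them; check for existing components of type `TokenSignatureProvider` first. `COMPONENT_SIGNATURE_ALGORITHM_KEY` is private here, but the provider factories have to read the same key, so it belongs in a shared public constant.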
`verify()` calls `verifySignature()`, and then now `verifySignature()` calls `verify()` => stack overflow

Should be `this.verifyKey != null` instead?

Even in that case, I'd say it should suffice that `this.signatureProvider != null` since e.g. in case of hardware token, one might have no access to the key.
Yes, I also think that only `this.signatureProvider != null` is sufficient to check.

I've commented above that this TokenVerifier's refactoring had not yet been completely implemented, and I had not yet written Arquillian integration test cases for it, so I had not recognized this stack overflow potential. Thank you very much.