JwkSetConverter excludes enc keys

skip unsupported public key use (enc) without discarding the entire set Fixes gh-1470
spring-attic · Feb 18, 2019 · 96f85b0 · 96f85b0
1 parent 56cb4db
commit 96f85b0
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/...in/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverter.java b/...in/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -82,6 +82,7 @@ public Set<JwkDefinition> convert(InputStream jwkSetSource) {
 			Map<String, String> attributes = new HashMap<String, String>();
 
 			while (parser.nextToken() == JsonToken.START_OBJECT) {
+				attributes.clear();
 				while (parser.nextToken() == JsonToken.FIELD_NAME) {
 					String attributeName = parser.getCurrentName();
 					// gh-1082 - skip arrays such as x5c as we can't deal with them yet
@@ -92,6 +93,14 @@ public Set<JwkDefinition> convert(InputStream jwkSetSource) {
 						attributes.put(attributeName, parser.getValueAsString());
 					}
 				}
+
+				// gh-1470 - skip unsupported public key use (enc) without discarding the entire set
+				JwkDefinition.PublicKeyUse publicKeyUse =
+						JwkDefinition.PublicKeyUse.fromValue(attributes.get(PUBLIC_KEY_USE));
+				if (JwkDefinition.PublicKeyUse.ENC.equals(publicKeyUse)) {
+					continue;
+				}
+
 				JwkDefinition.KeyType keyType =
 						JwkDefinition.KeyType.fromValue(attributes.get(KEY_TYPE));
 				if (JwkDefinition.KeyType.RSA.equals(keyType)) {
@@ -101,7 +110,6 @@ public Set<JwkDefinition> convert(InputStream jwkSetSource) {
 								jwkDefinition.getKeyId() + " (" + KEY_ID + ")");
 					}
 				}
-				attributes.clear();
 			}
 
 		} catch (IOException ex) {

diff --git a/...ava/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTest.java b/...ava/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2017 the original author or authors.
+ * Copyright 2012-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -147,13 +147,12 @@ public void convertWhenJwkSetStreamHasJwkElementWithMissingPublicKeyUseAttribute
 	}
 
 	@Test
-	public void convertWhenJwkSetStreamHasJwkElementWithENCPublicKeyUseAttributeThenThrowJwkException() throws Exception {
-		this.thrown.expect(JwkException.class);
-		this.thrown.expectMessage("enc (use) is currently not supported.");
+	public void convertWhenJwkSetStreamHasRSAJwkElementWithENCPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception {
 		Map<String, Object> jwkSetObject = new HashMap<String, Object>();
 		Map<String, Object> jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, "key-id-1", JwkDefinition.PublicKeyUse.ENC);
 		jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject});
-		this.converter.convert(this.asInputStream(jwkSetObject));
+		Set<JwkDefinition> jwkSet = this.converter.convert(this.asInputStream(jwkSetObject));
+		assertTrue("JWK Set NOT empty", jwkSet.isEmpty());
 	}
 
 	@Test