

fix(jans-auth-server): during encryption AS must consider client's jwks too, not only jwks_uri

#1273
yuriyz committed Apr 29, 2022
1 parent 14c6a2b commit 475b154
Showing 7 changed files with 37 additions and 21 deletions.
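--- /dev/null
+++ b/SOURCE_ROOT_PLACEHOLDER/io/jans/as/common/util/CommonUtils.java
@@ -0,0 +1,21 @@
+package io.jans.as.common.util;
+
+import com.google.common.base.Strings;
+import io.jans.as.common.model.registration.Client;
+import io.jans.as.model.util.JwtUtil;
+import org.json.JSONObject;
+
+/**
+* @author Yuriy Zabrovarnyy
+*/
+public class CommonUtils {
+
+private CommonUtils() {
+}
+
+public static JSONObject getJwks(Client client) {
+return Strings.isNullOrEmpty(client.getJwks())
+? JwtUtil.getJSONWebKeys(client.getJwksUri())
+: new JSONObject(client.getJwks());
+}
+}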
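Review bot: `getJwks` has no Javadoc, so the precedence it fixes — the client-registered inline `jwks` wins when non-empty, otherwise the document is fetched from `jwks_uri` — and its failure contract are left implicit, even though the callers diverge on it (processMTLS in the next file checks the result for null, the JWE encryption paths in the last two files do not). Suggest a Javadoc such as `/** Returns the client's JWKS: the inline jwks value when registered, otherwise the document fetched from jwks_uri. May return null when no keys could be obtained; throws JSONException if the inline value is not valid JSON. */`. Note also that `new JSONObject(client.getJwks())` now parses client-registered data on the encryption paths, where a malformed value previously could not reach a parser; whether `JwtUtil.getJSONWebKeys` returns null or throws on a fetch failure is not visible here and should be stated in the same comment once confirmed.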
Expand Up @@ -6,8 +6,8 @@

package io.jans.as.server.auth;

import com.google.common.base.Strings;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.util.CommonUtils;
import io.jans.as.model.authorize.AuthorizeRequestParam;
import io.jans.as.model.common.AuthenticationMethod;
import io.jans.as.model.common.Prompt;
Expand All @@ -19,7 +19,6 @@
import io.jans.as.model.token.TokenErrorResponseType;
import io.jans.as.model.util.CertUtils;
import io.jans.as.model.util.HashUtil;
import io.jans.as.model.util.JwtUtil;
import io.jans.as.server.model.common.SessionId;
import io.jans.as.server.model.common.SessionIdState;
import io.jans.as.server.service.SessionIdService;
Expand Down Expand Up @@ -130,9 +129,7 @@ public boolean processMTLS(HttpServletRequest httpRequest, HttpServletResponse h
final PublicKey publicKey = cert.getPublicKey();
final byte[] encodedKey = publicKey.getEncoded();

JSONObject jsonWebKeys = Strings.isNullOrEmpty(client.getJwks())
? JwtUtil.getJSONWebKeys(client.getJwksUri())
: new JSONObject(client.getJwks());
JSONObject jsonWebKeys = CommonUtils.getJwks(client);

if (jsonWebKeys == null) {
log.debug("Unable to load json web keys for client: {}, jwks_uri: {}, jks: {}", client.getClientId(),
Expand Up @@ -4,6 +4,7 @@
import com.google.common.collect.Sets;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.util.CommonUtils;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.common.ResponseMode;
import io.jans.as.model.config.WebKeysConfiguration;
Expand Down Expand Up @@ -352,7 +353,7 @@ private void fillRedirectUriResponseforJARM(RedirectUriResponse redirectUriRespo
String nestedKeyId = new ServerCryptoProvider(cryptoProvider).getKeyId(webKeysConfiguration,
Algorithm.fromString(signatureAlgorithm.getName()), Use.SIGNATURE);

JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
JSONObject jsonWebKeys = CommonUtils.getJwks(client);
redirectUriResponse.getRedirectUri().setNestedJsonWebKeys(jsonWebKeys);

String clientSecret = clientService.decryptSecret(client.getClientSecret());
Expand All @@ -361,7 +362,7 @@ private void fillRedirectUriResponseforJARM(RedirectUriResponse redirectUriRespo
}

// Encrypted response
JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
JSONObject jsonWebKeys = CommonUtils.getJwks(client);
if (jsonWebKeys != null) {
keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys),
Algorithm.fromString(client.getAttributes().getAuthorizationEncryptedResponseAlg()),
Expand All @@ -382,7 +383,7 @@ private void fillRedirectUriResponseforJARM(RedirectUriResponse redirectUriRespo
keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(webKeysConfiguration,
Algorithm.fromString(signatureAlgorithm.getName()), Use.SIGNATURE);

JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
JSONObject jsonWebKeys = CommonUtils.getJwks(client);
redirectUriResponse.getRedirectUri().setJsonWebKeys(jsonWebKeys);

String clientSecret = clientService.decryptSecret(client.getClientSecret());
Expand Up @@ -6,9 +6,9 @@

package io.jans.as.server.model.authorize;

import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.util.CommonUtils;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.common.Display;
import io.jans.as.model.common.Prompt;
Expand Down Expand Up @@ -322,9 +322,7 @@ private void loadPayload(String payload) throws JSONException, UnsupportedEncodi
private boolean validateSignature(@NotNull AbstractCryptoProvider cryptoProvider, SignatureAlgorithm signatureAlgorithm, Client client, String signingInput, String signature) throws Exception {
ClientService clientService = CdiUtil.bean(ClientService.class);
String sharedSecret = clientService.decryptSecret(client.getClientSecret());
JSONObject jwks = Strings.isNullOrEmpty(client.getJwks()) ?
JwtUtil.getJSONWebKeys(client.getJwksUri()) :
new JSONObject(client.getJwks());
JSONObject jwks = CommonUtils.getJwks(client);
return cryptoProvider.verifySignature(signingInput, signature, keyId, jwks, sharedSecret, signatureAlgorithm);
}

Expand Up @@ -6,8 +6,8 @@

package io.jans.as.server.model.token;

import com.google.common.base.Strings;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.util.CommonUtils;
import io.jans.as.model.common.AuthenticationMethod;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
Expand All @@ -19,7 +19,6 @@
import io.jans.as.model.jwt.JwtHeaderName;
import io.jans.as.model.jwt.JwtType;
import io.jans.as.model.token.ClientAssertionType;
import io.jans.as.model.util.JwtUtil;
import io.jans.as.server.service.ClientService;
import io.jans.service.cdi.util.CdiUtil;
import io.jans.util.security.StringEncrypter;
Expand Down Expand Up @@ -108,9 +107,7 @@ private boolean load(AppConfiguration appConfiguration, AbstractCryptoProvider c

// Validate the crypto segment
String keyId = jwt.getHeader().getKeyId();
JSONObject jwks = Strings.isNullOrEmpty(client.getJwks()) ?
JwtUtil.getJSONWebKeys(client.getJwksUri()) :
new JSONObject(client.getJwks());
JSONObject jwks = CommonUtils.getJwks(client);
String sharedSecret = clientService.decryptSecret(client.getClientSecret());
boolean validSignature = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(),
keyId, jwks, sharedSecret, signatureAlgorithm);
Expand Up @@ -7,6 +7,7 @@
package io.jans.as.server.model.token;

import io.jans.as.common.model.registration.Client;
import io.jans.as.common.util.CommonUtils;
import io.jans.as.model.config.WebKeysConfiguration;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
Expand All @@ -22,12 +23,12 @@
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.jwt.JwtType;
import io.jans.as.model.token.JsonWebResponse;
import io.jans.as.model.util.JwtUtil;
import io.jans.as.server.model.common.IAuthorizationGrant;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.SectorIdentifierService;
import io.jans.as.server.service.ServerCryptoProvider;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.BooleanUtils;
import org.json.JSONObject;
import org.slf4j.Logger;

Expand Down Expand Up @@ -91,7 +92,7 @@ private Jwt signJwt(Jwt jwt, Client client) throws Exception {

private Jwe encryptJwe(Jwe jwe, Client client) throws Exception {

if (appConfiguration.getUseNestedJwtDuringEncryption()) {
if (BooleanUtils.isTrue(appConfiguration.getUseNestedJwtDuringEncryption())) {
JwtSigner jwtSigner = JwtSigner.newJwtSigner(appConfiguration, webKeysConfiguration, client);
Jwt jwt = jwtSigner.newJwt();
jwt.setClaims(jwe.getClaims());
Expand All @@ -102,7 +103,7 @@ private Jwe encryptJwe(Jwe jwe, Client client) throws Exception {
final BlockEncryptionAlgorithm encryptionMethod = jwe.getHeader().getEncryptionMethod();

if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
JSONObject jsonWebKeys = CommonUtils.getJwks(client);
String keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys),
Algorithm.fromString(keyEncryptionAlgorithm.getName()),
Use.ENCRYPTION);
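Review bot: At `JSONObject jsonWebKeys = CommonUtils.getJwks(client);` in encryptJwe the result is handed straight to `JSONWebKeySet.fromJSONObject(jsonWebKeys)` with no null check, and the helper can now also throw JSONException while parsing a malformed inline `jwks`, so a client whose registered keys cannot be resolved presumably fails with a NullPointerException or JSONException deep inside the encryption step rather than with a message naming the cause. The JARM hunk in the third file guards the same lookup with `if (jsonWebKeys != null)`; an explicit check here, e.g. `if (jsonWebKeys == null) { throw new IllegalStateException("No JWKS available for client " + client.getClientId()); }`, would make the failure explicit. getJweResponse in the last file section has the identical shape at `CommonUtils.getJwks(authorizationGrant.getClient())`. The `BooleanUtils.isTrue(...)` change in the first hunk is a separate null-safety fix and deserves a line in the commit message. encryptJwe's body continues outside the hunk.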
Expand Up @@ -10,6 +10,7 @@
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.service.AttributeService;
import io.jans.as.common.util.CommonUtils;
import io.jans.as.model.common.ComponentType;
import io.jans.as.model.common.ScopeType;
import io.jans.as.model.config.Constants;
Expand Down Expand Up @@ -290,7 +291,7 @@ public String getJweResponse(
// Encryption
if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP
|| keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(authorizationGrant.getClient().getJwksUri());
JSONObject jsonWebKeys = CommonUtils.getJwks(authorizationGrant.getClient());
String keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys),
Algorithm.fromString(keyEncryptionAlgorithm.getName()),
Use.ENCRYPTION);
