feat(jans-auth-server): extending crypto support sub pr4 #670

smansoft · 2022-01-22T04:13:10Z

No description provided.

…b-pr4

yuriyz

Please check inlined comments

yuriyz · 2022-01-24T12:11:32Z

jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java

@@ -90,13 +142,17 @@ public JSONArray toJSONArray() throws JSONException {
    public String toString() {
        try {
            StringWriter stringWriter = new StringWriter();
-            try (JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {


try-resource statement looks better, is there any reason with replacing it with manual close()?

yuriyz · 2022-01-24T12:12:45Z

jans-auth-server/model/src/main/java/io/jans/as/model/crypto/signature/EDDSAKeyFactory.java

-            default: {
-                throw new SignatureException(String.format("Wrong type of the signature algorithm (SignatureAlgorithm): %s", signatureAlgorithm.toString()));
-            }
+        switch(signatureAlgorithm) {


yuriyz · 2022-01-24T12:24:31Z

jans-auth-server/model/src/main/java/io/jans/as/model/jws/EDDSASigner.java

+ * @author Sergey Manoylo
+ * @version January 20, 2021
+ */
+public class EDDSASigner extends AbstractJwsSigner {


EDDSASigner class is present but I don't see any usage of these class in entire PR. Maybe add test to see it in action.

We have tests for EDDSASigner, of course (in
the branch jans-auth-server-extending-crypto-support-full).
for example:

https://github.com/JanssenProject/jans/blob/jans-auth-server-extending-crypto-support-full/jans-auth-server/server/src/test/java/io/jans/as/server/comp/SignatureTest.java

https://github.com/JanssenProject/jans/blob/jans-auth-server-extending-crypto-support-full/jans-auth-server/server/src/test/java/io/jans/as/server/comp/JwtCrossCheckTest.java
.

This branch:
jans-auth-server-extending-crypto-support-full
contains fixed working (PASSED) tests in the JwtCrossCheckTest (where checking signings oxAuth <-> Nimbus is provided).

In the branch: jans-auth-server-extending-crypto-support-full
class EDDSASigner is used in the
package io.jans.as.server.bcauthorize.ws.rs.BackchannelAuthorizeRestWebServiceImpl

boolean validSignature = false; JwsSigner jwsSigner = null; switch(algorithm.getFamily()) { case RSA: { RSAPublicKey publicKey = JwkClient.getRSAPublicKey(client.getJwksUri(), keyId); jwsSigner = new RSASigner(algorithm, publicKey); break; } case EC: { ECDSAPublicKey publicKey = JwkClient.getECDSAPublicKey(client.getJwksUri(), keyId); jwsSigner = new ECDSASigner(algorithm, publicKey); break; } case ED: { EDDSAPublicKey publicKey = JwkClient.getEDDSAPublicKey(client.getJwksUri(), keyId); jwsSigner = new EDDSASigner(algorithm, publicKey); break; } default: { break; } } if(jwsSigner != null) { validSignature = jwsSigner.validate(jwt); }

together with (ECDSASigner, RSASigner).

I can move these changes in this PR, NP, but also I need to change the JwkClient class,
as this is a new function: JwkClient.getEDDSAPublicKey.

Also EDDSASigner is used by the JwtVerifier class (in the branch: jans-auth-server-extending-crypto-support-full).
There are unit tests for JwtVerifier too:

https://github.com/JanssenProject/jans/blob/jans-auth-server-extending-crypto-support-full/jans-auth-server/server/src/test/java/io/jans/as/server/comp/JwtSignerVerifyerTest.java

I hope, all this code will be moved to the main in next PRs.

I see, ok, lets get this PR first and in next PR test for it. Not ideal but we have to move forward somehow.

yuriyz · 2022-01-24T12:25:29Z

jans-auth-server/model/src/main/java/io/jans/as/model/jws/EDDSASigner.java

+            X509EncodedKeySpec publicKeySpec = eddsaPublicKey.getPublicKeySpec();
+            java.security.KeyFactory keyFactory = java.security.KeyFactory.getInstance(signatureAlgorithm.getName());
+            BCEdDSAPublicKey publicKey = (BCEdDSAPublicKey) keyFactory.generatePublic(publicKeySpec);
+            Signature virifier = Signature.getInstance(signatureAlgorithm.getName(), "BC");


DEF_BC instead of "BC" ? Lets use everywhere "BC" or otherwise DEF_BC. Mix does not look consistent.

yuriyz · 2022-01-24T12:27:09Z

jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java

-            BCRSAPublicKey publicKey = (BCRSAPublicKey) x509Certificate.getPublicKey();
-
-            rsaPublicKey = new RSAPublicKey(publicKey.getModulus(), publicKey.getPublicExponent());
+        if (x509Certificate != null) {


Lets do early exit. We have big problems with nested ifs in bigger methods.

ìf (x509Certificate == null) { return null; }

yuriyz · 2022-01-24T12:27:33Z

jans-auth-server/model/src/main/java/io/jans/as/model/crypto/Certificate.java

    public ECDSAPublicKey getEcdsaPublicKey() {
        ECDSAPublicKey ecdsaPublicKey = null;
+        if (x509Certificate != null) {


yuriyz · 2022-01-24T12:32:49Z

jans-auth-server/model/src/main/java/io/jans/as/model/util/HashUtil.java

+            byte[] digest = null;
+            if (signatureAlgorithm != null) {
+                switch (signatureAlgorithm) {
+                case HS256:


yuriyz · 2022-01-24T12:33:22Z

jans-auth-server/model/src/main/java/io/jans/as/model/util/JwtUtil.java

-            if (signatureAlgorithm == SignatureAlgorithm.RS256 || signatureAlgorithm == SignatureAlgorithm.RS384 || signatureAlgorithm == SignatureAlgorithm.RS512) {
+            AlgorithmFamily algorithmFamily = signatureAlgorithm.getFamily();
+
+            if(algorithmFamily == AlgorithmFamily.RSA) {


…326;

…b-pr4

sonarcloud · 2022-01-25T22:43:40Z

[jans-cli] Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells