JsonSignature.java

  1. /*
  2.  * GovWay - A customizable API Gateway 
  3.  * https://govway.org
  4.  * 
  5.  * Copyright (c) 2005-2025 Link.it srl (https://link.it). 
  6.  * 
  7.  * This program is free software: you can redistribute it and/or modify
  8.  * it under the terms of the GNU General Public License version 3, as published by
  9.  * the Free Software Foundation.
  10.  *
  11.  * This program is distributed in the hope that it will be useful,
  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14.  * GNU General Public License for more details.
  15.  *
  16.  * You should have received a copy of the GNU General Public License
  17.  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18.  *
  19.  */


  22. package org.openspcoop2.utils.security;

  24. import java.security.PrivateKey;
  25. import java.util.Iterator;
  26. import java.util.Properties;

  28. import javax.crypto.SecretKey;

  30. import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
  31. import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
  32. import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
  33. import org.apache.cxf.rs.security.jose.jws.JwsCompactProducer;
  34. import org.apache.cxf.rs.security.jose.jws.JwsException;
  35. import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
  36. import org.apache.cxf.rs.security.jose.jws.JwsJsonProducer;
  37. import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
  38. import org.apache.cxf.rs.security.jose.jws.JwsUtils;
  39. import org.openspcoop2.utils.UtilsException;
  40. import org.openspcoop2.utils.certificate.KeyStore;
  41. import org.openspcoop2.utils.certificate.KeystoreType;

  43. /** 
  44.  * JsonSignature
  45.  *
  46.  * @author Poli Andrea (apoli@link.it)
  47.  * @author $Author$
  48.  * @version $Rev$, $Date$
  49.  */
  50. public class JsonSignature {

  52.     private JwsSignatureProvider provider;
  53.     private JWSOptions options;
  54.     private JwsHeaders headers;
  55.     private JwtHeaders jwtHeaders;
  56.     
  57.     public JsonSignature(Properties props, JWSOptions options) throws UtilsException{
  58.         this(props, null, options);
  59.     }
  60.     public JsonSignature(Properties props, JwtHeaders jwtHeaders, JWSOptions options) throws UtilsException{
  61.         try {
  62.             this.headers = new JwsHeaders(props);
  63.             this.provider = JsonUtils.getJwsSymmetricProvider(props);
  64.             if(this.provider==null) {
  65.                 try {
  66.                     this.provider = JwsUtils.loadSignatureProvider(JsonUtils.newMessage(), props, this.headers);
  67.                 }catch(JwsException jwsExc) {
  68.                     if(jwsExc.getMessage()!=null && jwsExc.getMessage().contains("NO_PROVIDER")) {
  69.                         // caso in cui la chiave privata PKCS11 non e' stata mappata in un PrivateKeyJwsSignatureProvider
  70.                         // caso pkcs11 dove la chiave privata non e' ne ECPrivateKey ne RSAPrivateKey gestita dal metodo getPrivateKeySignatureProvider
  71.                         // ad es. può essere sun.security.pkcs11.P11Key$P11PrivateKey
  72.                         this.provider = JsonUtils.getJwsAsymmetricProvider(props);
  73.                         if(this.provider==null) {
  74.                             // rilancio eccezione precedente
  75.                             throw jwsExc;
  76.                         }
  77.                     }
  78.                 }
  79.             }
  80.             this.options=options;
  81.             this.jwtHeaders = jwtHeaders;
  82.         }catch(Exception t) {
  83.             throw JsonUtils.convert(options.getSerialization(), JsonUtils.SIGNATURE,JsonUtils.SENDER,t);
  84.         }
  85.     }

  87.     public JsonSignature(java.security.KeyStore keystore, boolean secretKey, String alias, String passwordPrivateKey, String signatureAlgorithm, JWSOptions options) throws UtilsException{
  88.         this(new KeyStore(keystore), secretKey, alias, passwordPrivateKey, signatureAlgorithm, 
  89.                 null, options);
  90.     }
  91.     public JsonSignature(KeyStore keystore, boolean secretKey, String alias, String passwordPrivateKey, String signatureAlgorithm, JWSOptions options) throws UtilsException{
  92.         this(keystore, secretKey, alias, passwordPrivateKey, signatureAlgorithm, 
  93.                 null, options);
  94.     }
  95.     public JsonSignature(java.security.KeyStore keystore, boolean secretKey, String alias, String passwordPrivateKey, String signatureAlgorithm, 
  96.             JwtHeaders jwtHeaders, JWSOptions options) throws UtilsException{
  97.         this(new KeyStore(keystore),secretKey, alias, passwordPrivateKey, signatureAlgorithm, jwtHeaders, options);
  98.     }
  99.     public JsonSignature(KeyStore keystore, boolean secretKey, String alias, String passwordPrivateKey, String signatureAlgorithm, 
  100.             JwtHeaders jwtHeaders, JWSOptions options) throws UtilsException{
  101.         try {
  102.             
  103.             org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm algo = org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm.getAlgorithm(signatureAlgorithm);
  104.             if(secretKey) {
  105.                 String tipo = KeystoreType.JCEKS.getLabel();
  106.                 SecretKey secret = keystore.getSecretKey(alias, passwordPrivateKey);
  107.                 if(KeystoreType.PKCS11.getNome().equalsIgnoreCase(keystore.getKeystoreType())) {
  108.                     tipo = KeystoreType.PKCS11.getLabel();
  109.                     SecretKeyPkcs11 secretKeyPkcs11 = new SecretKeyPkcs11(keystore.getKeystoreProvider(), secret);
  110.                     this.provider = new HmacJwsSignatureProviderExtended(secretKeyPkcs11, algo);
  111.                 }
  112.                 else {
  113.                     this.provider = JwsUtils.getHmacSignatureProvider(secret.getEncoded(), algo);
  114.                 }
  115.                 if(this.provider==null) {
  116.                     throw new UtilsException("("+tipo+") JwsSignatureProvider init failed; check signature algorithm ("+signatureAlgorithm+")");
  117.                 }
  118.             }
  119.             else {
  120.                 PrivateKey pKey = keystore.getPrivateKey(alias, passwordPrivateKey);
  121.                 this.provider = JwsUtils.getPrivateKeySignatureProvider(pKey, algo);
  122.                 if(this.provider==null) {
  123.                     // caso in cui la chiave privata PKCS11 non e' stata mappata in un PrivateKeyJwsSignatureProvider
  124.                     // caso pkcs11 dove la chiave privata non e' ne ECPrivateKey ne RSAPrivateKey gestita dal metodo getPrivateKeySignatureProvider
  125.                     // ad es. può essere sun.security.pkcs11.P11Key$P11PrivateKey
  126.                     this.provider = JsonUtils.getJwsAsymmetricProvider(pKey, algo);
  127.                     if(this.provider==null) {
  128.                         throw new UtilsException("("+keystore.getKeystore().getType()+") JwsSignatureProvider init failed; check signature algorithm ("+signatureAlgorithm+")");
  129.                     }
  130.                 }
  131.             }
  132.             this.options=options;
  133.             this.jwtHeaders = jwtHeaders;
  134.         }catch(Exception t) {
  135.             throw JsonUtils.convert(options.getSerialization(), JsonUtils.SIGNATURE,JsonUtils.SENDER,t);
  136.         }
  137.     }
  138.     
  139.     public JsonSignature(JsonWebKeys jsonWebKeys, boolean secretKey, String alias, String signatureAlgorithm, JWSOptions options) throws UtilsException{
  140.         this(jsonWebKeys, secretKey, alias, signatureAlgorithm, 
  141.                 null, options);
  142.     }
  143.     public JsonSignature(JsonWebKeys jsonWebKeys, boolean secretKey, String alias, String signatureAlgorithm, 
  144.             JwtHeaders jwtHeaders, JWSOptions options) throws UtilsException{
  145.         this(JsonUtils.readKey(jsonWebKeys, alias),secretKey,signatureAlgorithm,jwtHeaders,options);
  146.     }
  147.     
  148.     public JsonSignature(JsonWebKey jsonWebKey, boolean secretKey, String signatureAlgorithm, JWSOptions options) throws UtilsException{
  149.         this(jsonWebKey, secretKey, signatureAlgorithm, 
  150.                 null, options);
  151.     }
  152.     public JsonSignature(JsonWebKey jsonWebKey, boolean secretKey, String signatureAlgorithm, 
  153.             JwtHeaders jwtHeaders, JWSOptions options) throws UtilsException{
  154.         try {
  155.             org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm algo = org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm.getAlgorithm(signatureAlgorithm);
  156.             if(secretKey) {
  157.                 this.provider = JwsUtils.getSignatureProvider(jsonWebKey, algo);
  158.                 if(this.provider==null) {
  159.                     throw new UtilsException("(JsonWebKey) JwsSignatureProvider init failed; check signature algorithm ("+signatureAlgorithm+")");
  160.                 }
  161.             }else {
  162.                 this.provider = JwsUtils.getPrivateKeySignatureProvider(JwkUtils.toRSAPrivateKey(jsonWebKey), algo);
  163.             }
  164.             this.options=options;
  165.             this.jwtHeaders = jwtHeaders;
  166.         }catch(Exception t) {
  167.             throw JsonUtils.convert(options.getSerialization(), JsonUtils.SIGNATURE,JsonUtils.SENDER,t);
  168.         }
  169.     }

  171.     public JsonSignature(String secret,  String signatureAlgorithm, JWSOptions options) throws UtilsException{
  172.         this(secret, signatureAlgorithm, null, options);
  173.     }
  174.     public JsonSignature(String secret,  String signatureAlgorithm, JwtHeaders jwtHeaders, JWSOptions options) throws UtilsException{
  175.         try {
  176.             
  177.             org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm algo = org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm.getAlgorithm(signatureAlgorithm);
  178.             this.provider = JwsUtils.getHmacSignatureProvider(secret.getBytes(), algo);
  179.             if(this.provider==null) {
  180.                 throw new UtilsException("(Secret) JwsSignatureProvider init failed; check signature algorithm ("+signatureAlgorithm+")");
  181.             }
  182.             this.options=options;
  183.             this.jwtHeaders = jwtHeaders;
  184.         }catch(Exception t) {
  185.             throw JsonUtils.convert(options.getSerialization(), JsonUtils.SIGNATURE,JsonUtils.SENDER,t);
  186.         }
  187.     }

  189.     public String sign(String jsonString) throws UtilsException{
  190.         try {
  191.             switch(this.options.getSerialization()) {
  192.                 case JSON: return signJson(jsonString);
  193.                 case COMPACT: return signCompact(jsonString);
  194.                 default: throw new UtilsException("Unsupported serialization '"+this.options.getSerialization()+"'");
  195.             }
  196.         }
  197.         catch(Exception t) {
  198.             throw JsonUtils.convert(this.options.getSerialization(), JsonUtils.SIGNATURE,JsonUtils.SENDER,t);
  199.         }
  200.     }

  202.     private String signCompact(String jsonString) throws Exception {
  203.         JwsHeaders headersInternal = new JwsHeaders(this.provider.getAlgorithm());
  204.         // utilizzabile solamente per JSON. Per COMPACT è sconsigliato poichè limitato nei caratteri, non utilizzabile quindi per un json https://tools.ietf.org/html/rfc7797#page-8
  205.         // Infatti JwsCompactProducer di cxf non lo implementa proprio se si va a vedere il codice, il metodo 'getUnsignedEncodedJws' utilizzato per comporre il jwt non prevede il caso di lasciarlo in chiaro
  206. /**     if(this.options.isPayloadEncoding()==false) {
  207. //          headers.setPayloadEncodingStatus(this.options.isPayloadEncoding()); // RFC: https://tools.ietf.org/html/rfc7797
  208. //      }*/
  209.         JwsCompactProducer jwsProducer = new JwsCompactProducer(headersInternal, jsonString, this.options.isDetached());
  210.         fillJwtHeaders(jwsProducer.getJwsHeaders(), this.provider.getAlgorithm());
  211.         return jwsProducer.signWith(this.provider);
  212.     }

  214.     private String signJson(String jsonString) throws Exception {
  215.         JwsJsonProducer jwsProducer = new JwsJsonProducer(jsonString, false, this.options.isDetached());
  216.         JwsHeaders headersInternal = new JwsHeaders(this.provider.getAlgorithm());
  217.         if(!this.options.isPayloadEncoding()) {
  218.             headersInternal.setPayloadEncodingStatus(this.options.isPayloadEncoding()); // RFC: https://tools.ietf.org/html/rfc7797
  219.         }
  220.         fillJwtHeaders(headersInternal, this.provider.getAlgorithm());
  221.         return jwsProducer.signWith(this.provider, headersInternal);
  222.     }

  224.     
  225.     private void fillJwtHeaders(JwsHeaders headers,
  226.             org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm signatureAlgo) throws Exception {
  227.         if(this.headers!=null &&
  228.             this.headers.asMap()!=null && !this.headers.asMap().isEmpty()) {
  229.             Iterator<String> itKeys = this.headers.asMap().keySet().iterator();
  230.             while (itKeys.hasNext()) {
  231.                 String key = itKeys.next();
  232.                 if(!headers.containsHeader(key)) {
  233.                     headers.setHeader(key, this.headers.getHeader(key));
  234.                 }
  235.             }
  236.         }
  237.         if(this.jwtHeaders!=null) {
  238.             this.jwtHeaders.fillJwsHeaders(headers, false, signatureAlgo.getJwaName());
  239.         }
  240.     }
  241. }
Created with JaCoCo 0.8.8.202204050719