Jwt Service optimize

2022-02-14 09:47:01 +08:00
parent db151cc95a
commit ade641922c
6 changed files with 123 additions and 82 deletions
--- a/maxkey-common/src/main/java/org/maxkey/crypto/jwt/encryption/service/impl/DefaultJwtEncryptionAndDecryptionService.java
+++ b/maxkey-common/src/main/java/org/maxkey/crypto/jwt/encryption/service/impl/DefaultJwtEncryptionAndDecryptionService.java
@@ -52,7 +52,7 @@ import com.nimbusds.jose.jwk.RSAKey;
 */
 public class DefaultJwtEncryptionAndDecryptionService implements JwtEncryptionAndDecryptionService {

-	private static Logger logger = LoggerFactory.getLogger(DefaultJwtEncryptionAndDecryptionService.class);
+	private static Logger _logger = LoggerFactory.getLogger(DefaultJwtEncryptionAndDecryptionService.class);

 	// map of identifier to encrypter
 	private Map<String, JWEEncrypter> encrypters = new HashMap<String, JWEEncrypter>();
@@ -106,6 +106,25 @@ public class DefaultJwtEncryptionAndDecryptionService implements JwtEncryptionAn
 		buildEncryptersAndDecrypters();

 	}
+	
+	public DefaultJwtEncryptionAndDecryptionService(String jwkSetString, String defaultEncryptionKeyId,String defaultAlgorithm) throws NoSuchAlgorithmException, InvalidKeySpecException, JOSEException {
+		JWKSetKeyStore keyStore = new JWKSetKeyStore("{\"keys\": [" + jwkSetString + "]}");
+		this.defaultEncryptionKeyId = defaultEncryptionKeyId;
+		this.defaultAlgorithm = JWEAlgorithm.parse(defaultAlgorithm);
+		_logger.trace(" encryptAlgorithm {}" , defaultAlgorithm);
+		
+		// convert all keys in the keystore to a map based on key id
+		for (JWK key : keyStore.getKeys()) {
+			if (!Strings.isNullOrEmpty(key.getKeyID())) {
+				this.keys.put(key.getKeyID(), key);
+			} else {
+				throw new IllegalArgumentException("Tried to load a key from a keystore without a 'kid' field: " + key);
+			}
+		}
+
+		buildEncryptersAndDecrypters();
+
+	}


 	@PostConstruct
@@ -158,6 +177,14 @@ public class DefaultJwtEncryptionAndDecryptionService implements JwtEncryptionAn
 	public JWEAlgorithm getDefaultAlgorithm() {
 		return defaultAlgorithm;
 	}
+	
+	public JWEAlgorithm getDefaultAlgorithm(String algorithm) {
+		if(algorithm.startsWith("RSA")) {
+			return defaultAlgorithm;
+		}else {
+			return JWEAlgorithm.DIR;
+		}
+	}

 	public void setDefaultAlgorithm(String algorithm) {
 		defaultAlgorithm = JWEAlgorithm.parse(algorithm);
@@ -182,7 +209,7 @@ public class DefaultJwtEncryptionAndDecryptionService implements JwtEncryptionAn
 			jwt.encrypt(encrypter);
 		} catch (JOSEException e) {

-			logger.error("Failed to encrypt JWT, error was: ", e);
+			_logger.error("Failed to encrypt JWT, error was: ", e);
 		}

 	}
@@ -202,7 +229,7 @@ public class DefaultJwtEncryptionAndDecryptionService implements JwtEncryptionAn
 			jwt.decrypt(decrypter);
 		} catch (JOSEException e) {

-			logger.error("Failed to decrypt JWT, error was: ", e);
+			_logger.error("Failed to decrypt JWT, error was: ", e);
 		}

 	}
@@ -231,7 +258,7 @@ public class DefaultJwtEncryptionAndDecryptionService implements JwtEncryptionAn
 					RSADecrypter decrypter = new RSADecrypter(((RSAKey) jwk).toRSAPrivateKey());
 					decrypters.put(id, decrypter);
 				} else {
-					logger.warn("No private key for key #" + jwk.getKeyID());
+					_logger.warn("No private key for key #" + jwk.getKeyID());
 				}

 				//  add support for EC keys
@@ -246,7 +273,7 @@ public class DefaultJwtEncryptionAndDecryptionService implements JwtEncryptionAn
 				decrypters.put(id, decrypter);

 			} else {
-				logger.warn("Unknown key type: " + jwk);
+				_logger.warn("Unknown key type: " + jwk);
 			}

 		}
--- a/maxkey-common/src/main/java/org/maxkey/crypto/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
+++ b/maxkey-common/src/main/java/org/maxkey/crypto/jwt/signer/service/impl/DefaultJwtSigningAndValidationService.java
@@ -46,7 +46,8 @@ import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jwt.SignedJWT;

 public class DefaultJwtSigningAndValidationService implements JwtSigningAndValidationService {
-
+	final static Logger _logger = LoggerFactory.getLogger(DefaultJwtSigningAndValidationService.class);
+	
 	// map of identifier to signer
 	private Map<String, JWSSigner> signers = new HashMap<String, JWSSigner>();

@@ -111,7 +112,39 @@ public class DefaultJwtSigningAndValidationService implements JwtSigningAndValid
 		buildSignersAndVerifiers();
 	}

-
+	/**
+	 * Build this service based on the given keystore. All keys must have a key
+	 * id ({@code kid}) field in order to be used.
+	 * see DefaultJwtSigningAndValidationService(JWKSetKeyStore keyStore)
+	 * @param jwkSetString
+	 * @param defaultSignerKeyId
+	 * @param defaultAlgorithm
+	 * @throws NoSuchAlgorithmException
+	 * @throws InvalidKeySpecException
+	 * @throws JOSEException
+	 */
+	public DefaultJwtSigningAndValidationService(String jwkSetString, String defaultSignerKeyId,String defaultAlgorithm) throws NoSuchAlgorithmException, InvalidKeySpecException, JOSEException {
+		JWKSetKeyStore keyStore = new JWKSetKeyStore("{\"keys\": [" + jwkSetString + "]}");
+		this.defaultSignerKeyId = defaultSignerKeyId;
+		this.defaultAlgorithm = JWSAlgorithm.parse(defaultAlgorithm);
+		_logger.trace(" signingAlg {}" , defaultAlgorithm);
+		
+		// convert all keys in the keystore to a map based on key id
+		if (keyStore!= null && keyStore.getJwkSet() != null) {
+			for (JWK key : keyStore.getKeys()) {
+				if (!Strings.isNullOrEmpty(key.getKeyID())) {
+					// use the key ID that's built into the key itself
+					//  (#641): deal with JWK thumbprints
+					this.keys.put(key.getKeyID(), key);
+				} else {
+					// create a random key id
+					String fakeKid = UUID.randomUUID().toString();
+					this.keys.put(fakeKid, key);
+				}
+			}
+		}
+		buildSignersAndVerifiers();
+	}
 	/**
 	 * @return the defaultSignerKeyId
 	 */