Skip to content

Commit

Permalink
runAsServer before signing/verifying jws and encrypting/decrypting jwe
Browse files Browse the repository at this point in the history
  • Loading branch information
jimmy1wu committed Feb 22, 2024
1 parent f3d39a6 commit 6dd3ddf
Show file tree
Hide file tree
Showing 14 changed files with 84 additions and 27 deletions.
8 changes: 5 additions & 3 deletions dev/com.ibm.ws.security.jwt/bnd.bnd
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
#*******************************************************************************
# Copyright (c) 2017, 2023 IBM Corporation and others.
# Copyright (c) 2017, 2024 IBM Corporation and others.
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Eclipse Public License 2.0
# which accompanies this distribution, and is available at
Expand Down Expand Up @@ -75,7 +75,8 @@ Import-Package: \
com.ibm.ws.ssl;version="[1.0.0, 2.0)";resolution:=optional, \
com.ibm.ws.security.wim;version="[1.0.0, 2.0)";resolution:=optional, \
com.ibm.wsspi.security.wim.model;version="[1.0.0, 2.0)";resolution:=optional, \
com.ibm.ws.kernel.productinfo
com.ibm.ws.kernel.productinfo, \
com.ibm.ws.kernel.security.thread

Private-Package: \
com.ibm.ws.security.jwt.internal.*, \
Expand Down Expand Up @@ -137,7 +138,8 @@ instrument.classesExcludes: com/ibm/ws/security/jwt/internal/resources/*.class
io.openliberty.com.google.gson;version=latest, \
com.ibm.ws.org.osgi.annotation.versioning;version=latest, \
com.ibm.json4j;version=latest, \
com.ibm.ws.kernel.boot.core;version=latest
com.ibm.ws.kernel.boot.core;version=latest, \
com.ibm.ws.kernel.security.thread;version=latest

-testpath: \
../build.sharedResources/lib/junit/old/junit.jar;version=file, \
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*******************************************************************************
* Copyright (c) 2016, 2023 IBM Corporation and others.
* Copyright (c) 2016, 2024 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
Expand Down Expand Up @@ -45,6 +45,7 @@
import com.ibm.websphere.security.jwt.JwtToken;
import com.ibm.websphere.security.jwt.KeyException;
import com.ibm.websphere.security.jwt.KeyStoreServiceException;
import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
import com.ibm.ws.security.common.crypto.KeyAlgorithmChecker;
import com.ibm.ws.security.common.jwk.impl.JwKRetriever;
import com.ibm.ws.security.common.time.TimeUtils;
Expand Down Expand Up @@ -855,6 +856,7 @@ void validateAlgorithm(String requiredAlg, String tokenAlg) throws InvalidTokenE

void processJwtContextWithConsumer(JwtConsumer jwtConsumer, JwtContext jwtContext)
throws InvalidTokenException, InvalidJwtException {
Object token = ThreadIdentityManager.runAsServer();
try {
jwtConsumer.processContext(jwtContext);
} catch (InvalidJwtSignatureException e) {
Expand All @@ -869,6 +871,8 @@ void processJwtContextWithConsumer(JwtConsumer jwtConsumer, JwtContext jwtContex
// message
throw e;
}
} finally {
ThreadIdentityManager.reset(token);
}
}

Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*******************************************************************************
* Copyright (c) 2020, 2022 IBM Corporation and others.
* Copyright (c) 2020, 2024 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
Expand Down Expand Up @@ -32,6 +32,7 @@
import com.ibm.websphere.security.jwt.InvalidTokenException;
import com.ibm.websphere.security.jwt.KeyException;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
import com.ibm.ws.security.common.jwk.impl.JwKRetriever;
import com.ibm.ws.security.common.jwk.impl.JwkKidBuilder;
import com.ibm.ws.security.jwt.config.JwtConfig;
Expand Down Expand Up @@ -169,7 +170,13 @@ static String getJwePayload(String jweString, @Sensitive Key decryptionKey) thro
JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setCompactSerialization(jweString);
jwe.setKey(decryptionKey);
String payload = jwe.getPayload();
String payload = null;
Object token = ThreadIdentityManager.runAsServer();
try {
payload = jwe.getPayload();
} finally {
ThreadIdentityManager.reset(token);
}
if (isJws(payload)) {
verifyContentType(jwe);
}
Expand Down Expand Up @@ -317,10 +324,13 @@ static String getContentEncryptionAlgorithmFromConfig(JwtConfig jwtConfig) {

static String getJwtString(JsonWebEncryption jwe) throws JwtTokenException {
String jwt = null;
Object token = ThreadIdentityManager.runAsServer();
try {
jwt = jwe.getCompactSerialization();
} catch (Exception e) {
throw new JwtTokenException(e.getLocalizedMessage(), e);
} finally {
ThreadIdentityManager.reset(token);
}
return jwt;
}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*******************************************************************************
* Copyright (c) 2016 IBM Corporation and others.
* Copyright (c) 2016, 2024 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
Expand All @@ -20,6 +20,7 @@
import org.jose4j.jwt.JwtClaims;

import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
import com.ibm.ws.security.jwt.internal.JwtTokenException;

/**
Expand Down Expand Up @@ -85,7 +86,7 @@ public static String getSignedJwt(JwtClaims claims, JwtData jwtData) throws JwtT
// payload
// of a JsonWebEncryption object and set the cty (Content Type) header
// to "jwt".

Object token = ThreadIdentityManager.runAsServer();
try {
jwt = jws.getCompactSerialization();
} catch (Exception e) {
Expand All @@ -95,6 +96,8 @@ public static String getSignedJwt(JwtClaims claims, JwtData jwtData) throws JwtT
// * Tr.formatMessage(tc,
// * "JWT_CANNOT_GENERATE_JWT", objs),
// */"Can not generate JWT", e);
} finally {
ThreadIdentityManager.reset(token);
}
// if (tc.isDebugEnabled()) {
// Tr.debug(tc, "JWT=", jwt);
Expand Down
5 changes: 3 additions & 2 deletions dev/com.ibm.ws.security.oauth/bnd.bnd
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
#*******************************************************************************
# Copyright (c) 2019, 2023 IBM Corporation and others.
# Copyright (c) 2019, 2024 IBM Corporation and others.
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Eclipse Public License 2.0
# which accompanies this distribution, and is available at
Expand Down Expand Up @@ -145,7 +145,8 @@ Include-Resource: \
com.ibm.ws.org.eclipse.equinox.metatype;version=latest,\
com.ibm.ws.security.jwt;version=latest,\
com.ibm.ws.kernel.boot.core;version=latest,\
com.ibm.ws.security.sso.common;version=latest
com.ibm.ws.security.sso.common;version=latest,\
com.ibm.ws.kernel.security.thread;version=latest

-testpath: \
../build.sharedResources/lib/junit/old/junit.jar;version=file, \
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*******************************************************************************
* Copyright (c) 2016 IBM Corporation and others.
* Copyright (c) 2016, 2024 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
Expand All @@ -22,6 +22,7 @@
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
import com.ibm.ws.security.oauth20.TraceConstants;
import com.ibm.ws.webcontainer.security.openidconnect.OidcServerConfig;

Expand Down Expand Up @@ -82,12 +83,15 @@ public static String getSignedJwt(JwtClaims claims, OidcServerConfig oidcServerC
// base64url-encoded parts in the form Header.Payload.Signature
// If you wanted to encrypt it, you can simply set this jwt as the payload
// of a JsonWebEncryption object and set the cty (Content Type) header to "jwt".
Object token = ThreadIdentityManager.runAsServer();
try {
jwt = jws.getCompactSerialization();
} catch (Exception e) {
Object[] objs = new Object[] { oidcServerConfig.getProviderId(), e.getLocalizedMessage() };
Tr.error(tc, "JWT_CANNOT_GENERATE_JWT", objs);
throw new JWTTokenException(Tr.formatMessage(tc, "JWT_CANNOT_GENERATE_JWT", objs), e);
} finally {
ThreadIdentityManager.reset(token);
}
if (tc.isDebugEnabled()) {
Tr.debug(tc, "JWT=", jwt);
Expand Down
5 changes: 3 additions & 2 deletions dev/com.ibm.ws.security.openidconnect.clients.common/bnd.bnd
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
#*******************************************************************************
# Copyright (c) 2018, 2023 IBM Corporation and others.
# Copyright (c) 2018, 2024 IBM Corporation and others.
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Eclipse Public License 2.0
# which accompanies this distribution, and is available at
Expand Down Expand Up @@ -84,7 +84,8 @@ Private-Package: \
com.ibm.ws.config;version=latest,\
io.openliberty.security.oidcclientcore.internal;version=latest,\
io.openliberty.security.common.jwt;version=latest,\
com.ibm.ws.security.oauth.2.0;version=latest
com.ibm.ws.security.oauth.2.0;version=latest,\
com.ibm.ws.kernel.security.thread;version=latest

-testpath: \
../build.sharedResources/lib/junit/old/junit.jar;version=file,\
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
import com.ibm.ws.security.openidconnect.backchannellogout.BackchannelLogoutConstants;
import com.ibm.ws.security.openidconnect.clients.common.Constants;
import com.ibm.ws.security.openidconnect.clients.common.OidcClientRequest;
Expand Down Expand Up @@ -189,7 +190,7 @@ public JwtClaims parseJwtWithValidation(String jwtString,
}

JwtConsumer jwtConsumer = builder.build();

Object token = ThreadIdentityManager.runAsServer();
try {
JwtContext validatedJwtContext = jwtConsumer.process(jwtString);

Expand Down Expand Up @@ -226,6 +227,8 @@ public JwtClaims parseJwtWithValidation(String jwtString,
// otherwise throw original Exception
throw e;
}
} finally {
ThreadIdentityManager.reset(token);
}

return jwtClaims;
Expand Down Expand Up @@ -327,6 +330,7 @@ public JwtClaims validateJwsSignature(JsonWebSignature signature, String jwtStri
}

JwtConsumer jwtConsumer = builder.build();
Object token = ThreadIdentityManager.runAsServer();
try {
JwtContext validatedJwtContext = jwtConsumer.process(jwtString);
return validatedJwtContext.getJwtClaims();
Expand All @@ -344,6 +348,8 @@ public JwtClaims validateJwsSignature(JsonWebSignature signature, String jwtStri
} else {
throw new JWTTokenValidationFailedException(e.getMessage(), e);
}
} finally {
ThreadIdentityManager.reset(token);
}
}

Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*******************************************************************************
* Copyright (c) 2013, 2023 IBM Corporation and others.
* Copyright (c) 2013, 2024 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
Expand Down Expand Up @@ -34,6 +34,7 @@
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
import com.ibm.ws.security.openidconnect.clients.common.Constants;

public class JWT {
Expand Down Expand Up @@ -360,8 +361,13 @@ private String serializeAndSign(WSJsonToken token) throws InvalidKeyException, U
}
// todo: did we miss any?
jws.setKey(getKey(alg)); // private key
return jws.getCompactSerialization();

Object threadIdentityToken = ThreadIdentityManager.runAsServer();
try {
return jws.getCompactSerialization();
} finally {
ThreadIdentityManager.reset(threadIdentityToken);
}
}

public String getSignedJWTString() throws SignatureException, InvalidKeyException {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*******************************************************************************
* Copyright (c) 2013, 2022 IBM Corporation and others.
* Copyright (c) 2013, 2024 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
Expand Down Expand Up @@ -43,6 +43,7 @@
import com.google.gson.stream.JsonToken;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.ws.common.encoder.Base64Coder;
import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;

/**
* Some utility functions for {@link JsonToken}s.
Expand Down Expand Up @@ -383,7 +384,12 @@ public static void validateTokenString(String tokenString, String alg, @Sensitiv
}

JwtConsumer secondPassJwtConsumer = secondBuilder.build();
secondPassJwtConsumer.processContext(jwtContext);
Object token = ThreadIdentityManager.runAsServer();
try {
secondPassJwtConsumer.processContext(jwtContext);
} finally {
ThreadIdentityManager.reset(token);
}
}

static Object getJsonPrimitive(JsonPrimitive primitive) {
Expand Down
5 changes: 3 additions & 2 deletions dev/io.openliberty.security.common.jwt/bnd.bnd
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
#*******************************************************************************
# Copyright (c) 2022, 2023 IBM Corporation and others.
# Copyright (c) 2022, 2024 IBM Corporation and others.
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Eclipse Public License 2.0
# which accompanies this distribution, and is available at
Expand Down Expand Up @@ -42,7 +42,8 @@ Private-Package: \
com.ibm.ws.security.common;version=latest,\
com.ibm.ws.security.common.jsonwebkey;version=latest,\
com.ibm.ws.org.apache.httpcomponents;version=latest,\
com.ibm.ws.ssl;version=latest
com.ibm.ws.ssl;version=latest, \
com.ibm.ws.kernel.security.thread;version=latest

-testpath: \
../build.sharedResources/lib/junit/old/junit.jar;version=file,\
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*******************************************************************************
* Copyright (c) 2022, 2023 IBM Corporation and others.
* Copyright (c) 2022, 2024 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
Expand All @@ -24,6 +24,7 @@

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;

import io.openliberty.security.common.jwt.JwtParsingUtils;
import io.openliberty.security.common.jwt.exceptions.JwtContextMissingJoseObjects;
Expand Down Expand Up @@ -81,8 +82,13 @@ public JwtClaims validateJwsSignature(JwtContext jwtContext) throws JwtContextMi
JwtConsumerBuilder builder = createJwtConsumerBuilderWithConstraints(algHeader);

JwtConsumer jwtConsumer = builder.build();
JwtContext validatedJwtContext = jwtConsumer.process(jwtContext.getJwt());
return validatedJwtContext.getJwtClaims();
Object token = ThreadIdentityManager.runAsServer();
try {
JwtContext validatedJwtContext = jwtConsumer.process(jwtContext.getJwt());
return validatedJwtContext.getJwtClaims();
} finally {
ThreadIdentityManager.reset(token);
}
}

public JwtConsumerBuilder createJwtConsumerBuilderWithConstraints(String algHeader) throws SigningKeyNotSpecifiedException {
Expand Down
5 changes: 3 additions & 2 deletions dev/io.openliberty.security.oidcclientcore.internal/bnd.bnd
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
#*******************************************************************************
# Copyright (c) 2022, 2023 IBM Corporation and others.
# Copyright (c) 2022, 2024 IBM Corporation and others.
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Eclipse Public License 2.0
# which accompanies this distribution, and is available at
Expand Down Expand Up @@ -61,7 +61,8 @@ Export-Package: \
com.ibm.ws.org.jose4j;version=latest,\
com.ibm.ws.security.common.jsonwebkey;version=latest,\
io.openliberty.security.common.jwt;version=latest,\
com.ibm.ws.kernel.boot.core;version=latest
com.ibm.ws.kernel.boot.core;version=latest, \
com.ibm.ws.kernel.security.thread;version=latest

-testpath: \
../build.sharedResources/lib/junit/old/junit.jar;version=file,\
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*******************************************************************************
* Copyright (c) 2023 IBM Corporation and others.
* Copyright (c) 2023, 2024 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
Expand All @@ -25,6 +25,7 @@
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
import com.ibm.ws.security.common.ssl.SecuritySSLUtils;
import com.ibm.ws.ssl.KeyStoreService;

Expand Down Expand Up @@ -140,7 +141,12 @@ private String getSignedJwt(JwtClaims claims) throws Exception {
jws.setKey(clientAssertionSigningKey);
jws.setDoKeyValidation(false);

return jws.getCompactSerialization();
Object token = ThreadIdentityManager.runAsServer();
try {
return jws.getCompactSerialization();
} finally {
ThreadIdentityManager.reset(token);
}
}

@Sensitive
Expand Down

0 comments on commit 6dd3ddf

Please sign in to comment.