Require that both RS256 and ES256 must be supported if the signature algorithm is not configured

Author: sberyozkin

spec/src/main/asciidoc/configuration.asciidoc

@@ -356,7 +356,8 @@ return Public Key text in one of the supported formats.
 #### `mp.jwt.verify.publickey.algorithm`
 
 The `mp.jwt.verify.publickey.algorithm` configuration property allows for specifying which Public Key Signature Algorithm
-is supported by the MP JWT endpoint. This property can be be set to either `RS256` or `ES256`. Default value is `RS256`.
+is supported by the MP JWT endpoint. This property can be be set to either `RS256` or `ES256`. If `mp.jwt.verify.publickey.algorithm` is not set then both `RS256` and `ES256` must be accepted.
+
 Support for the other asymmetric signature algorithms such as `RS512`, `ES512` and others is optional.
 
 `mp.jwt.verify.publickey.algorithm` will provide an additional hint how to read the Public Key in the PKCS#8 PEM format as both RSA and EC Public Keys in the PKCS#8 PEM format may only have a standard `-----BEGIN PUBLIC KEY-----` header and footer.

tck/src/main/java/org/eclipse/microprofile/jwt/tck/util/MpJwtTestVersion.java

@@ -24,7 +24,7 @@
  * loading the META-INF/MPJWTTESTVERSION resource from the test war and converting it to the MpJwtTestVersion value.
  */
 public enum MpJwtTestVersion {
-    MPJWT_V_1_0, MPJWT_V_1_1, MPJWT_V_1_2, MPJWT_V_2_1;
+    MPJWT_V_1_0, MPJWT_V_1_1, MPJWT_V_1_2, MPJWT_V_2_1, MPJWT_V_2_2;
 
     public static final String VERSION_LOCATION = "META-INF/MPJWTTESTVERSION";
     public static final String MANIFEST_NAME = "MPJWTTESTVERSION";

tck/src/test/java/org/eclipse/microprofile/jwt/tck/config/PublicKeyEndpoint.java

@@ -31,6 +31,7 @@
 import java.security.interfaces.ECPublicKey;
 import java.security.interfaces.RSAPublicKey;
 import java.util.Base64;
+import java.util.List;
 import java.util.Optional;
 import java.util.logging.Logger;
 
@@ -73,8 +74,8 @@ public class PublicKeyEndpoint {
     private Optional<String> location;
 
     @Inject
-    @ConfigProperty(name = Names.VERIFIER_PUBLIC_KEY_ALGORITHM, defaultValue = "RS256")
-    private String algorithm;
+    @ConfigProperty(name = Names.VERIFIER_PUBLIC_KEY_ALGORITHM)
+    private List<String> algorithm;
 
     @Inject
     @ConfigProperty(name = Names.ISSUER)
@@ -116,15 +117,15 @@ public JsonObject verifyKeyAsPEM() {
 
         // Check the key exists and is a valid PEM public key
         try {
-            if ("RS256".equals(algorithm)) {
+            if (algorithm.contains("RS256")) {
                 PublicKey publicKey = SimpleTokenUtils.decodePublicKey(key.orElse("bad-key"));
                 if (publicKey instanceof RSAPublicKey) {
                     msg += " | key as PEM PASS";
                     pass = true;
                 } else {
                     pass = false;
                 }
-            } else if ("ES256".equals(algorithm)) {
+            } else if (algorithm.contains("ES256")) {
                 PublicKey publicKey = SimpleTokenUtils.decodeECPublicKey(key.orElse("bad-key"));
                 if (publicKey instanceof ECPublicKey) {
                     msg += " | key as PEM PASS";
@@ -161,7 +162,7 @@ public JsonObject verifyKeyLocationAsPEMResource() {
             try {
                 String pemValue = SimpleTokenUtils.readResource(locationValue);
                 log.info(String.format("verifyKeyLocationAsPEMResource, locationValue=%s", pemValue));
-                if ("RS256".equals(algorithm)) {
+                if (algorithm.contains("RS256")) {
                     PublicKey publicKey = SimpleTokenUtils.decodePublicKey(pemValue);
                     if (publicKey instanceof RSAPublicKey) {
                         log.info(String.format("verifyKeyLocationAsPEMResource, publicKey=%s", publicKey));
@@ -170,7 +171,7 @@ public JsonObject verifyKeyLocationAsPEMResource() {
                     } else {
                         pass = false;
                     }
-                } else if ("ES256".equals(algorithm)) {
+                } else if (algorithm.contains("ES256")) {
                     PublicKey publicKey = SimpleTokenUtils.decodeECPublicKey(pemValue);
                     if (publicKey instanceof ECPublicKey) {
                         log.info(String.format("verifyKeyLocationAsPEMResource, publicKey=%s", publicKey));
@@ -360,7 +361,7 @@ public JsonObject verifyKeyLocationAsJWKResource(@QueryParam("kid") String kid)
                 StringBuilder msgBuilder = new StringBuilder();
                 JsonObject jwk = Json.createReader(new StringReader(jwkValue)).readObject();
                 if (verifyJWK(jwk, kid, msgBuilder)) {
-                    if ("RS256".equals(algorithm)) {
+                    if (algorithm.contains("RS256")) {
                         PublicKey publicKey = SimpleTokenUtils.decodeJWKSPublicKey(jwkValue);
                         log.info(String.format("verifyKeyLocationAsJWKResource, publicKey=%s", publicKey));
                     }
@@ -452,7 +453,7 @@ public JsonObject verifyKeyLocationAsJWKSUrl(@QueryParam("kid") String kid) {
                 log.info(String.format("verifyKeyLocationAsJWKSUrl, locationValue=%s", jwksContents.toString()));
                 StringBuilder msgBuilder = new StringBuilder();
                 if (verifyJWKS(jwksContents.toString(), kid, msgBuilder)) {
-                    if ("RS256".equals(algorithm)) {
+                    if (algorithm.contains("RS256")) {
                         PublicKey publicKey = SimpleTokenUtils.decodeJWKSPublicKey(jwksContents.toString());
                         log.info(String.format("verifyKeyLocationAsJWKSResource, publicKey=%s", publicKey));
                     }
@@ -602,7 +603,7 @@ private boolean verifyJWK(JsonObject key, String kid, StringBuilder msg) {
 
         boolean pass = true;
 
-        String expectedKty = "RS256".equals(algorithm) ? "RSA" : "EC";
+        String expectedKty = algorithm.contains("RS256") ? "RSA" : "EC";
         if (!key.getJsonString("kty").getString().equals(expectedKty)) {
             msg.append("key != " + expectedKty);
             pass = false;
@@ -620,7 +621,7 @@ private boolean verifyJWK(JsonObject key, String kid, StringBuilder msg) {
             msg.append("alg != " + algorithm);
             pass = false;
         }
-        if ("RS256".equals(algorithm)) {
+        if (algorithm.contains("RS256")) {
             if (!key.getJsonString("e").getString().equals("AQAB")) {
                 msg.append("e != AQAB");
                 pass = false;
@@ -629,7 +630,7 @@ private boolean verifyJWK(JsonObject key, String kid, StringBuilder msg) {
                 msg.append("n != tL6HShqY5H4y56rsCo7VdhT9...");
                 pass = false;
             }
-        } else if ("ES256".equals(algorithm)) {
+        } else if (algorithm.contains("ES256")) {
             if (!key.getJsonString("crv").getString().equals("P-256")) {
                 msg.append("crv != P-256");
                 pass = false;

tck/src/test/java/org/eclipse/microprofile/jwt/tck/config/RS256OrES256Endpoint.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2016-2018 Contributors to the Eclipse Foundation
+ *
+ *  See the NOTICE file(s) distributed with this work for additional
+ *  information regarding copyright ownership.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  You may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.eclipse.microprofile.jwt.tck.config;
+
+import java.io.StringReader;
+
+import org.eclipse.microprofile.jwt.Claim;
+import org.eclipse.microprofile.jwt.ClaimValue;
+import org.eclipse.microprofile.jwt.Claims;
+
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.enterprise.context.RequestScoped;
+import jakarta.inject.Inject;
+import jakarta.json.Json;
+import jakarta.json.JsonObject;
+import jakarta.json.JsonReader;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+
+/**
+ * The common endpoint used by the various config tests
+ */
+@RequestScoped
+@Path("/endp")
+public class RS256OrES256Endpoint {
+    @Inject
+    @Claim(standard = Claims.raw_token)
+    private ClaimValue<String> rawToken;
+
+    @GET
+    @Path("/verifyToken")
+    @Produces(MediaType.TEXT_PLAIN)
+    @RolesAllowed("Tester")
+    public String verifyToken() {
+        return getAlgorithm();
+    }
+
+    private String getAlgorithm() {
+        JsonReader jsonReader = Json.createReader(new StringReader(rawToken.getValue().split(".")[0]));
+        JsonObject headers = jsonReader.readObject();
+        return headers.getString("alg");
+    }
+}

tck/src/test/java/org/eclipse/microprofile/jwt/tck/config/RsaAndEcSignatureAlgorithmTest.java

@@ -0,0 +1,123 @@
+/*
+ * Copyright (c) 2016-2020 Contributors to the Eclipse Foundation
+ *
+ *  See the NOTICE file(s) distributed with this work for additional
+ *  information regarding copyright ownership.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  You may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.eclipse.microprofile.jwt.tck.config;
+
+import static jakarta.ws.rs.core.MediaType.TEXT_PLAIN;
+import static org.eclipse.microprofile.jwt.tck.TCKConstants.TEST_GROUP_CONFIG;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.security.PrivateKey;
+
+import org.eclipse.microprofile.jwt.tck.container.jaxrs.TCKApplication;
+import org.eclipse.microprofile.jwt.tck.util.MpJwtTestVersion;
+import org.eclipse.microprofile.jwt.tck.util.TokenUtils;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.RunAsClient;
+import org.jboss.arquillian.test.api.ArquillianResource;
+import org.jboss.arquillian.testng.Arquillian;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.testng.Assert;
+import org.testng.Reporter;
+import org.testng.annotations.Test;
+
+import jakarta.ws.rs.client.ClientBuilder;
+import jakarta.ws.rs.client.WebTarget;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.Response;
+
+/**
+ * Validate that if mp.jwt.verify.publickey.algorithm is not configured, then both RS256 and ES256 signatures must be
+ * accepted.
+ */
+public class RsaAndEcSignatureAlgorithmTest extends Arquillian {
+
+    /**
+     * The base URL for the container under test
+     */
+    @ArquillianResource
+    private URL baseURL;
+
+    /**
+     * Create a CDI aware base web application archive
+     *
+     * @return the base base web application archive
+     * @throws IOException
+     *             - on resource failure
+     */
+    @Deployment()
+    public static WebArchive createDeployment() throws IOException {
+        URL config =
+                RsaAndEcSignatureAlgorithmTest.class.getResource("/META-INF/microprofile-config-rsa-ec.properties");
+
+        WebArchive webArchive = ShrinkWrap
+                .create(WebArchive.class, "RsaAndEcSignatureAlgorithmTest.war")
+                .addAsManifestResource(new StringAsset(MpJwtTestVersion.MPJWT_V_2_2.name()),
+                        MpJwtTestVersion.MANIFEST_NAME)
+                .addClass(RS256OrES256Endpoint.class)
+                .addClass(TCKApplication.class)
+                .addClass(SimpleTokenUtils.class)
+                .addAsWebInfResource("beans.xml", "beans.xml")
+                .addAsManifestResource(config, "microprofile-config.properties");
+        return webArchive;
+    }
+
+    @RunAsClient
+    @Test(groups = TEST_GROUP_CONFIG, description = "Validate that the ES256 signed token is accepted")
+    public void testES256Token() throws Exception {
+        Reporter.log("testES256Token, expect HTTP_OK");
+
+        PrivateKey privateKey = TokenUtils.readECPrivateKey("/ecPrivateKey.pem");
+        String kid = "eckey";
+        String token = TokenUtils.signClaims(privateKey, kid, "/Token1.json");
+
+        String uri = baseURL.toExternalForm() + "endp/verifyToken";
+        WebTarget echoEndpointTarget = ClientBuilder.newClient()
+                .target(uri);
+        Response response =
+                echoEndpointTarget.request(TEXT_PLAIN).header(HttpHeaders.AUTHORIZATION, "Bearer " + token).get();
+        Assert.assertEquals(response.getStatus(), HttpURLConnection.HTTP_OK);
+        String replyString = response.readEntity(String.class);
+        Assert.assertEquals("ES256", replyString);
+    }
+
+    @RunAsClient
+    @Test(groups = TEST_GROUP_CONFIG, description = "Validate that the RS256 signed token is accepted")
+    public void testRS256Token() throws Exception {
+        Reporter.log("testRS256Token, expect HTTP_OK");
+
+        PrivateKey privateKey = TokenUtils.readPrivateKey("/privateKey4k.pem");
+        String kid = "rskey";
+        String token = TokenUtils.signClaims(privateKey, kid, "/Token1.json");
+
+        String uri = baseURL.toExternalForm() + "endp/verifyToken";
+        WebTarget echoEndpointTarget = ClientBuilder.newClient()
+                .target(uri);
+        Response response =
+                echoEndpointTarget.request(TEXT_PLAIN).header(HttpHeaders.AUTHORIZATION, "Bearer " + token).get();
+        Assert.assertEquals(response.getStatus(), HttpURLConnection.HTTP_OK);
+        String replyString = response.readEntity(String.class);
+        Assert.assertEquals("RS256", replyString);
+    }
+
+}

tck/src/test/resources/META-INF/microprofile-config-rsa-ec.properties

@@ -0,0 +1,22 @@
+#
+#  Copyright (c) 2011-2022 Contributors to the Eclipse Foundation
+#
+#  See the NOTICE file(s) distributed with this work for additional
+#  information regarding copyright ownership.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  You may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#
+
+# A reference to the publicKey4k.pem contents embedded location
+mp.jwt.verify.publickey.location=/rs256es256.jwk
+mp.jwt.verify.issuer=https://server.example.com

tck/src/test/resources/rs256es256.jwk

@@ -0,0 +1,21 @@
+{
+    "keys": [
+        {
+            "kty": "RSA",
+            "use": "sig",
+            "alg": "RS256",
+            "kid": "rskey",
+            "e": "AQAB",
+            "n": "tL6HShqY5H4y56rsCo7VdhT9_eLQwsJpKWg66j98XsB_qc5ZxkJ25GXCzpjR0ZvzAxMNlj1hrMORaKVzz2_5axZgF1eZfzgrNyQ9rtGaBtMNAB20jLsoYp5psRTaYxKeOiLHPr3956ukSRUF9YfJGSamrvGOwC8h6zbq6uaydv-FVJXijlMD_iCggUfoirtVOWK_X1IzV7covxcGzT0X019_4RbtjLdnvqZnGqmpHQpBEItI-4gNvaKR8NDWUxAjO_v-oOKR5nEUnDWcQSCxKmyQrVJtHr9PBwWrHzTSx4k1L1hLf-AWXAdy_r6c0Lzgt5knmZTyWDG2-n8SlrXxHHxFO1Wz8H_OKBzTAf8zIuj2lkXYo-M6aoJM7qQmTys80dtYvnaHGSl-jpe2plMbS9RS4XcHH7vCqJc9acBnp9CvLgjOmA0b5Rc0WyN4sn1SDFYe6HZcVo4YGTbtTTlwgu_ozQ1x-xpTAaU0mWkHMwT0CO79rPORjhDXokEuduvtp6VUiAaoFF6Y3QQLf6O3P9p8yghpBBLb460lEQqOHQQGP0EK46cU81dlcD5lYE0TayDzb9pZZWUyjIE4ElzyW7wgI4xw7czdBalN-IhXKfGUCqIDVh7X7JpmskZMaRixf424yBcZLntEejZy59yLDSssHMc_bqnBraXuo8JBEPk"
+        },
+        {
+            "kty": "EC",
+            "use": "sig",
+            "alg": "ES256",
+            "kid": "eckey",
+            "crv":"P-256",
+            "x":"w4HohvwOj21FBQE1PrJOAlPRQMyWimmXH9rIHa7YMTU",
+            "y":"osZEjUhZa79-kClcGm79eX0q_QFLlrA99MhkzNy6MtI"
+       }
+    ]
+}

tck/src/test/resources/suites/tck-base-suite.xml

@@ -72,6 +72,7 @@
             <class name="org.eclipse.microprofile.jwt.tck.config.ECPublicKeyAsPEMTest" />
             <class name="org.eclipse.microprofile.jwt.tck.config.ECPublicKeyAsPEMLocationTest" />
             <class name="org.eclipse.microprofile.jwt.tck.config.ECPublicKeyAsJWKLocationTest" />
+            <class name="org.eclipse.microprofile.jwt.tck.config.RsaAndEcSignatureAlgorithmTest" />
             <class name="org.eclipse.microprofile.jwt.tck.config.IssValidationTest" />
             <class name="org.eclipse.microprofile.jwt.tck.config.IssValidationFailTest" />
             <class name="org.eclipse.microprofile.jwt.tck.container.jaxrs.CookieTokenTest" />

tck/src/test/resources/suites/tck-full-suite.xml

@@ -72,6 +72,7 @@
             <class name="org.eclipse.microprofile.jwt.tck.config.ECPublicKeyAsPEMTest" />
             <class name="org.eclipse.microprofile.jwt.tck.config.ECPublicKeyAsPEMLocationTest" />
             <class name="org.eclipse.microprofile.jwt.tck.config.ECPublicKeyAsJWKLocationTest" />
+            <class name="org.eclipse.microprofile.jwt.tck.config.RsaAndEcSignatureAlgorithmTest" />
             <class name="org.eclipse.microprofile.jwt.tck.config.IssValidationTest" />
             <class name="org.eclipse.microprofile.jwt.tck.config.IssValidationFailTest" />
             <class name="org.eclipse.microprofile.jwt.tck.container.jaxrs.CookieTokenTest" />