CXF-8811

rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java

@@ -21,6 +21,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.Principal;
+import java.security.PublicKey;
 
 import jakarta.annotation.Priority;
 import jakarta.ws.rs.HttpMethod;
@@ -77,28 +78,31 @@ public void filter(ContainerRequestContext context) throws IOException {
             if (securityContext != null) {
                 JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext);
             }
+
         }
     }
 
     protected SecurityContext configureSecurityContext(JwsSignatureVerifier sigVerifier) {
-        if (sigVerifier instanceof PublicKeyJwsSignatureVerifier
-            && ((PublicKeyJwsSignatureVerifier)sigVerifier).getX509Certificate() != null) {
-            final Principal principal =
-                ((PublicKeyJwsSignatureVerifier)sigVerifier).getX509Certificate().getSubjectX500Principal();
-            return new SecurityContext() {
+        if (sigVerifier instanceof PublicKeyJwsSignatureVerifier) {
+            JAXRSUtils.getCurrentMessage().getExchange().put(PublicKey.class, ((PublicKeyJwsSignatureVerifier) sigVerifier).getPublicKey());
+            if (((PublicKeyJwsSignatureVerifier) sigVerifier).getX509Certificate() != null) {
+                final Principal principal =
+                        ((PublicKeyJwsSignatureVerifier)sigVerifier).getX509Certificate().getSubjectX500Principal();
+                return new SecurityContext() {
 
-                public Principal getUserPrincipal() {
-                    return principal;
-                }
+                    public Principal getUserPrincipal() {
+                        return principal;
+                    }
 
-                public boolean isUserInRole(String arg0) {
-                    return false;
-                }
-            };
+                    public boolean isUserInRole(String arg0) {
+                        return false;
+                    }
+                };
+            }
         }
         return null;
     }
-    
+
     protected boolean isMethodWithNoContent(String method) {
         return HttpMethod.DELETE.equals(method) || HttpUtils.isMethodWithNoRequestContent(method);
     }

rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java

@@ -206,6 +206,11 @@ public final class JoseConstants extends RSSecurityConstants {
      */
     public static final String ENABLE_UNSIGNED_JWT_PRINCIPAL = "rs.security.enable.unsigned-jwt.principal";
 
+    /**
+     * Whether to use request signing certificate to create encryption provider
+     */
+    public static final String USE_REQ_SIG_CERT = "useReqSigCert";
+
     /**
      * Whether to trace JOSE headers.
      */

rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java

@@ -23,6 +23,7 @@
 import java.security.Key;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;
@@ -62,6 +63,8 @@
 import org.apache.cxf.rt.security.crypto.MessageDigestUtils;
 import org.apache.cxf.rt.security.rs.PrivateKeyPasswordProvider;
 
+import static org.apache.cxf.rt.security.rs.RSSecurityConstants.RSSEC_KEY_STORE_ALIAS;
+
 public final class JweUtils {
     private static final Logger LOG = LogUtils.getL7dLogger(JweUtils.class);
 
@@ -427,7 +430,30 @@ public static KeyEncryptionProvider loadKeyEncryptionProvider(Properties props,
             boolean includeKeyId =
                 JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_KEY_ID);
 
-            if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
+            if (props.getProperty(RSSEC_KEY_STORE_ALIAS) != null && props.getProperty(RSSEC_KEY_STORE_ALIAS).equals(JoseConstants.USE_REQ_SIG_CERT)) {
+                var publicKey = PhaseInterceptorChain.getCurrentMessage().getExchange().get(PublicKey.class);
+                if (publicKey == null) {
+                    throw new JweException(JweException.Error.NO_ENCRYPTOR);
+                }
+                keyEncryptionProvider = getPublicKeyEncryptionProvider(
+                        publicKey,
+                        keyAlgo
+                );
+
+                if (includeCert) {
+                    headers.setX509Chain(KeyManagementUtils.loadAndEncodeX509CertificateOrChain(m, props));
+                }
+                if (includeCertSha1) {
+                    KeyManagementUtils.setSha1DigestHeader(headers, m, props);
+                } else if (includeCertSha256) {
+                    KeyManagementUtils.setSha256DigestHeader(headers, m, props);
+                }
+                if (includeKeyId && props.containsKey(RSSEC_KEY_STORE_ALIAS)) {
+                    headers.setKeyId(props.getProperty(RSSEC_KEY_STORE_ALIAS));
+                }
+
+            }
+            else if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.ENCRYPT);
                 if (jwk != null) {
                     keyAlgo = getKeyEncryptionAlgorithm(m, props,
@@ -453,7 +479,8 @@ public static KeyEncryptionProvider loadKeyEncryptionProvider(Properties props,
                         headers.setKeyId(jwk.getKeyId());
                     }
                 }
-            } else {
+            }
+            else {
                 keyEncryptionProvider = getPublicKeyEncryptionProvider(
                     KeyManagementUtils.loadPublicKey(m, props),
                     props,

rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java

@@ -118,6 +118,9 @@ public SignatureAlgorithm getAlgorithm() {
     public X509Certificate getX509Certificate() {
         return cert;
     }
+    public PublicKey getPublicKey() {
+        return key;
+    }
     @Override
     public JwsVerificationSignature createJwsVerificationSignature(JwsHeaders headers) {
         Signature sig = CryptoUtils.getVerificationSignature(key,

systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java

@@ -435,6 +435,114 @@ private BookStore createJweJwsBookStore(String address,
         return bean.create(BookStore.class);
     }
 
+    @Test
+    public void testJweJwsJwkRsaUseReqSigCert(){
+        String address = "https://localhost:" + PORT + "/jwejwsjwkreqsigcert";
+        JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = JAXRSJweJwsTest.class.getResource("client.xml");
+        Bus springBus = bf.createBus(busFile.toString());
+        bean.setBus(springBus);
+        bean.setServiceClass(BookStore.class);
+        bean.setAddress(address);
+        List<Object> providers = new LinkedList<>();
+
+        // writer
+        JweWriterInterceptor jweWriter = new JweWriterInterceptor();
+        jweWriter.setUseJweOutputStream(true);
+        JwsWriterInterceptor jwsWriter = new JwsWriterInterceptor();
+        jwsWriter.setUseJwsOutputStream(true);
+        // reader
+        JweClientResponseFilter jweReader = new JweClientResponseFilter();
+        JwsClientResponseFilter jwsReader = new JwsClientResponseFilter();
+
+        providers.add(jweWriter);
+        providers.add(jwsWriter);
+
+        providers.add(jweReader);
+        providers.add(jwsReader);
+        bean.setProviders(providers);
+
+        //CLIENT == ALICE
+        bean.getProperties(true).put(
+                "rs.security.encryption.out.properties",
+                "org/apache/cxf/systest/jaxrs/security/alice.jwk.enc.out.properties"
+        );
+        bean.getProperties(true).put(
+                "rs.security.signature.out.properties",
+                "org/apache/cxf/systest/jaxrs/security/alice.jwk.sign.out.properties"
+        );
+        bean.getProperties(true).put(
+                "rs.security.encryption.in.properties",
+                "org/apache/cxf/systest/jaxrs/security/alice.jwk.enc.in.properties"
+        );
+        bean.getProperties(true).put(
+                "rs.security.signature.in.properties",
+                "org/apache/cxf/systest/jaxrs/security/alice.jwk.sign.in.properties"
+        );
+
+        bean.getProperties(true).put("jose.debug", true);
+        bean.getProperties(true).put("rs.security.signature.include.public.key", "true");
+
+        BookStore bs = bean.create(BookStore.class);
+        String text = bs.echoText("book");
+        assertEquals("book", text);
+    }
+
+    @Test
+    public void testJweJwsRsaUseReqSigCert(){
+        String address = "https://localhost:" + PORT + "/jwejwsreqsigcert";
+        JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = JAXRSJweJwsTest.class.getResource("client.xml");
+        Bus springBus = bf.createBus(busFile.toString());
+        bean.setBus(springBus);
+        bean.setServiceClass(BookStore.class);
+        bean.setAddress(address);
+        List<Object> providers = new LinkedList<>();
+
+        // writer
+        JweWriterInterceptor jweWriter = new JweWriterInterceptor();
+        jweWriter.setUseJweOutputStream(true);
+        JwsWriterInterceptor jwsWriter = new JwsWriterInterceptor();
+        jwsWriter.setUseJwsOutputStream(true);
+        // reader
+        JweClientResponseFilter jweReader = new JweClientResponseFilter();
+        JwsClientResponseFilter jwsReader = new JwsClientResponseFilter();
+
+        providers.add(jweWriter);
+        providers.add(jwsWriter);
+
+        providers.add(jweReader);
+        providers.add(jwsReader);
+        bean.setProviders(providers);
+
+        //CLIENT == ALICE
+        bean.getProperties(true).put(
+                "rs.security.encryption.out.properties",
+                "org/apache/cxf/systest/jaxrs/security/bob.rs.properties"
+        );
+        bean.getProperties(true).put(
+                "rs.security.signature.out.properties",
+                "org/apache/cxf/systest/jaxrs/security/alice.rs.properties"
+        );
+        bean.getProperties(true).put(
+                "rs.security.encryption.in.properties",
+                "org/apache/cxf/systest/jaxrs/security/alice.rs.properties"
+        );
+        bean.getProperties(true).put(
+                "rs.security.signature.in.properties",
+                "org/apache/cxf/systest/jaxrs/security/bob.rs.properties"
+        );
+
+        bean.getProperties(true).put("jose.debug", true);
+        bean.getProperties(true).put("rs.security.signature.include.cert", "true");
+
+        BookStore bs = bean.create(BookStore.class);
+        String text = bs.echoText("book");
+        assertEquals("book", text);
+    }
+
     @Test
     public void testJweAesGcmDirect() throws Exception {
         String address = "https://localhost:" + PORT + "/jweaesgcmdirect";

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/alice.jwk.enc.in.properties

@@ -0,0 +1,22 @@
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=2011-04-29
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/alice.jwk.enc.out.properties

@@ -0,0 +1,22 @@
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=2011-04-29
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/alice.jwk.sign.in.properties

@@ -0,0 +1,22 @@
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=2011-04-29
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/alice.jwk.sign.out.properties

@@ -0,0 +1,22 @@
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=2011-04-29
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/alice.rs.properties

@@ -16,6 +16,7 @@
 #    under the License.
 rs.security.keystore.type=jks
 rs.security.keystore.password=password
+rs.security.key.password=password
 rs.security.keystore.alias=alice
 rs.security.keystore.file=keys/alice.jks
 rs.security.encryption.content.algorithm=A128GCM

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.enc.in.properties

@@ -0,0 +1,24 @@
+#
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+#
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=2011-04-29
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.enc.out.properties

@@ -0,0 +1,24 @@
+#
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+#
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=useReqSigCert
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256