libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

KEYCLOAK-11992 Use StandartCharsets.UTF-8 for strings in module core

Browse source
This commit is contained in:
Andrei Arlou 2019-11-10 02:06:15 +03:00 committed by Stian Thorgersen
parent 43c0dd01ec
commit 7c295c1d43
8 changed files with 32 additions and 84 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
core/src/main/java/org/keycloak/jose/jwe/JWE.java
View file

@ -18,7 +18,7 @@
package org.keycloak.jose.jwe; package org.keycloak.jose.jwe;
import java.io.IOException; import java.io.IOException;
import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets;
import java.security.spec.KeySpec; import java.security.spec.KeySpec;
import org.keycloak.common.util.Base64; import org.keycloak.common.util.Base64;
@ -222,14 +222,8 @@ public class JWE {
} }
public static String encryptUTF8(String password, String saltString, String payload) { public static String encryptUTF8(String password, String saltString, String payload) {
byte[] bytes = null; byte[] bytes = payload.getBytes(StandardCharsets.UTF_8);
try {
bytes = payload.getBytes("UTF-8");
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
return encrypt(password, saltString, bytes); return encrypt(password, saltString, bytes);
} }
@ -276,11 +270,7 @@ public class JWE {
public static String decryptUTF8(String password, String saltString, String encodedJwe) { public static String decryptUTF8(String password, String saltString, String encodedJwe) {
byte[] payload = decrypt(password, saltString, encodedJwe); byte[] payload = decrypt(password, saltString, encodedJwe);
try { return new String(payload, StandardCharsets.UTF_8);
return new String(payload, "UTF-8");
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
} }
} }

5
core/src/main/java/org/keycloak/jose/jwe/enc/AesCbcHmacShaEncryptionProvider.java
View file

@ -20,6 +20,7 @@ package org.keycloak.jose.jwe.enc;
import java.io.IOException; import java.io.IOException;
import java.nio.ByteBuffer; import java.nio.ByteBuffer;
import java.nio.ByteOrder; import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.security.InvalidKeyException; import java.security.InvalidKeyException;
import java.security.Key; import java.security.Key;
@ -67,7 +68,7 @@ public abstract class AesCbcHmacShaEncryptionProvider implements JWEEncryptionPr
byte[] cipherBytes = encryptBytes(contentBytes, initializationVector, aesKey); byte[] cipherBytes = encryptBytes(contentBytes, initializationVector, aesKey);
byte[] aad = jwe.getBase64Header().getBytes("UTF-8"); byte[] aad = jwe.getBase64Header().getBytes(StandardCharsets.UTF_8);
byte[] authenticationTag = computeAuthenticationTag(aad, initializationVector, cipherBytes, hmacShaKey); byte[] authenticationTag = computeAuthenticationTag(aad, initializationVector, cipherBytes, hmacShaKey);
jwe.setEncryptedContentInfo(initializationVector, cipherBytes, authenticationTag); jwe.setEncryptedContentInfo(initializationVector, cipherBytes, authenticationTag);
@ -91,7 +92,7 @@ public abstract class AesCbcHmacShaEncryptionProvider implements JWEEncryptionPr
throw new IllegalStateException("Length of aes key should be " + expectedAesKeyLength +", but was " + aesKey.getEncoded().length); throw new IllegalStateException("Length of aes key should be " + expectedAesKeyLength +", but was " + aesKey.getEncoded().length);
} }
byte[] aad = jwe.getBase64Header().getBytes("UTF-8"); byte[] aad = jwe.getBase64Header().getBytes(StandardCharsets.UTF_8);
byte[] authenticationTag = computeAuthenticationTag(aad, jwe.getInitializationVector(), jwe.getEncryptedContent(), hmacShaKey); byte[] authenticationTag = computeAuthenticationTag(aad, jwe.getInitializationVector(), jwe.getEncryptedContent(), hmacShaKey);
byte[] expectedAuthTag = jwe.getAuthenticationTag(); byte[] expectedAuthTag = jwe.getAuthenticationTag();

5
core/src/main/java/org/keycloak/jose/jwe/enc/AesGcmEncryptionProvider.java
View file

@ -17,6 +17,7 @@
package org.keycloak.jose.jwe.enc; package org.keycloak.jose.jwe.enc;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException; import java.security.GeneralSecurityException;
import java.security.InvalidKeyException; import java.security.InvalidKeyException;
import java.security.Key; import java.security.Key;
@ -57,7 +58,7 @@ public abstract class AesGcmEncryptionProvider implements JWEEncryptionProvider
} }
// https://tools.ietf.org/html/rfc7516#appendix-A.1.5 // https://tools.ietf.org/html/rfc7516#appendix-A.1.5
byte[] aad = jwe.getBase64Header().getBytes("UTF-8"); byte[] aad = jwe.getBase64Header().getBytes(StandardCharsets.UTF_8);
byte[] cipherBytes = encryptBytes(contentBytes, initializationVector, aesKey, aad); byte[] cipherBytes = encryptBytes(contentBytes, initializationVector, aesKey, aad);
byte[] authenticationTag = getAuthenticationTag(cipherBytes); byte[] authenticationTag = getAuthenticationTag(cipherBytes);
@ -79,7 +80,7 @@ public abstract class AesGcmEncryptionProvider implements JWEEncryptionProvider
} }
// https://tools.ietf.org/html/rfc7516#appendix-A.1.5 // https://tools.ietf.org/html/rfc7516#appendix-A.1.5
byte[] aad = jwe.getBase64Header().getBytes("UTF-8"); byte[] aad = jwe.getBase64Header().getBytes(StandardCharsets.UTF_8);
byte[] decryptedTargetContent = getAeadDecryptedTargetContent(jwe); byte[] decryptedTargetContent = getAeadDecryptedTargetContent(jwe);
byte[] contentBytes = decryptBytes(decryptedTargetContent, jwe.getInitializationVector(), aesKey, aad); byte[] contentBytes = decryptBytes(decryptedTargetContent, jwe.getInitializationVector(), aesKey, aad);

59
core/src/main/java/org/keycloak/jose/jws/JWSBuilder.java
View file

@ -25,7 +25,7 @@ import org.keycloak.util.JsonSerialization;
import javax.crypto.SecretKey; import javax.crypto.SecretKey;
import java.io.IOException; import java.io.IOException;
import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets;
import java.security.PrivateKey; import java.security.PrivateKey;
/** /**
@ -76,11 +76,7 @@ public class JWSBuilder {
if (kid != null) builder.append(",\"kid\" : \"").append(kid).append("\""); if (kid != null) builder.append(",\"kid\" : \"").append(kid).append("\"");
if (contentType != null) builder.append(",\"cty\":\"").append(contentType).append("\""); if (contentType != null) builder.append(",\"cty\":\"").append(contentType).append("\"");
builder.append("}"); builder.append("}");
try { return Base64Url.encode(builder.toString().getBytes(StandardCharsets.UTF_8));
return Base64Url.encode(builder.toString().getBytes("UTF-8"));
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
} }
protected String encodeAll(StringBuilder encoding, byte[] signature) { protected String encodeAll(StringBuilder encoding, byte[] signature) {
@ -115,7 +111,7 @@ public class JWSBuilder {
encode(signer.getAlgorithm(), data, buffer); encode(signer.getAlgorithm(), data, buffer);
byte[] signature = null; byte[] signature = null;
try { try {
signature = signer.sign(buffer.toString().getBytes("UTF-8")); signature = signer.sign(buffer.toString().getBytes(StandardCharsets.UTF_8));
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
@ -134,12 +130,7 @@ public class JWSBuilder {
StringBuilder buffer = new StringBuilder(); StringBuilder buffer = new StringBuilder();
byte[] data = marshalContent(); byte[] data = marshalContent();
encode(algorithm, data, buffer); encode(algorithm, data, buffer);
byte[] signature = null; byte[] signature = RSAProvider.sign(buffer.toString().getBytes(StandardCharsets.UTF_8), algorithm, privateKey);
try {
signature = RSAProvider.sign(buffer.toString().getBytes("UTF-8"), algorithm, privateKey);
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
return encodeAll(buffer, signature); return encodeAll(buffer, signature);
} }
@ -163,12 +154,7 @@ public class JWSBuilder {
StringBuilder buffer = new StringBuilder(); StringBuilder buffer = new StringBuilder();
byte[] data = marshalContent(); byte[] data = marshalContent();
encode(Algorithm.HS256, data, buffer); encode(Algorithm.HS256, data, buffer);
byte[] signature = null; byte[] signature = HMACProvider.sign(buffer.toString().getBytes(StandardCharsets.UTF_8), Algorithm.HS256, sharedSecret);
try {
signature = HMACProvider.sign(buffer.toString().getBytes("UTF-8"), Algorithm.HS256, sharedSecret);
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
return encodeAll(buffer, signature); return encodeAll(buffer, signature);
} }
@ -177,12 +163,7 @@ public class JWSBuilder {
StringBuilder buffer = new StringBuilder(); StringBuilder buffer = new StringBuilder();
byte[] data = marshalContent(); byte[] data = marshalContent();
encode(Algorithm.HS384, data, buffer); encode(Algorithm.HS384, data, buffer);
byte[] signature = null; byte[] signature = HMACProvider.sign(buffer.toString().getBytes(StandardCharsets.UTF_8), Algorithm.HS384, sharedSecret);
try {
signature = HMACProvider.sign(buffer.toString().getBytes("UTF-8"), Algorithm.HS384, sharedSecret);
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
return encodeAll(buffer, signature); return encodeAll(buffer, signature);
} }
@ -191,12 +172,7 @@ public class JWSBuilder {
StringBuilder buffer = new StringBuilder(); StringBuilder buffer = new StringBuilder();
byte[] data = marshalContent(); byte[] data = marshalContent();
encode(Algorithm.HS512, data, buffer); encode(Algorithm.HS512, data, buffer);
byte[] signature = null; byte[] signature = HMACProvider.sign(buffer.toString().getBytes(StandardCharsets.UTF_8), Algorithm.HS512, sharedSecret);
try {
signature = HMACProvider.sign(buffer.toString().getBytes("UTF-8"), Algorithm.HS512, sharedSecret);
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
return encodeAll(buffer, signature); return encodeAll(buffer, signature);
} }
@ -205,12 +181,7 @@ public class JWSBuilder {
StringBuilder buffer = new StringBuilder(); StringBuilder buffer = new StringBuilder();
byte[] data = marshalContent(); byte[] data = marshalContent();
encode(Algorithm.HS256, data, buffer); encode(Algorithm.HS256, data, buffer);
byte[] signature = null; byte[] signature = HMACProvider.sign(buffer.toString().getBytes(StandardCharsets.UTF_8), Algorithm.HS256, sharedSecret);
try {
signature = HMACProvider.sign(buffer.toString().getBytes("UTF-8"), Algorithm.HS256, sharedSecret);
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
return encodeAll(buffer, signature); return encodeAll(buffer, signature);
} }
@ -219,12 +190,7 @@ public class JWSBuilder {
StringBuilder buffer = new StringBuilder(); StringBuilder buffer = new StringBuilder();
byte[] data = marshalContent(); byte[] data = marshalContent();
encode(Algorithm.HS384, data, buffer); encode(Algorithm.HS384, data, buffer);
byte[] signature = null; byte[] signature = HMACProvider.sign(buffer.toString().getBytes(StandardCharsets.UTF_8), Algorithm.HS384, sharedSecret);
try {
signature = HMACProvider.sign(buffer.toString().getBytes("UTF-8"), Algorithm.HS384, sharedSecret);
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
return encodeAll(buffer, signature); return encodeAll(buffer, signature);
} }
@ -233,12 +199,7 @@ public class JWSBuilder {
StringBuilder buffer = new StringBuilder(); StringBuilder buffer = new StringBuilder();
byte[] data = marshalContent(); byte[] data = marshalContent();
encode(Algorithm.HS512, data, buffer); encode(Algorithm.HS512, data, buffer);
byte[] signature = null; byte[] signature = HMACProvider.sign(buffer.toString().getBytes(StandardCharsets.UTF_8), Algorithm.HS512, sharedSecret);
try {
signature = HMACProvider.sign(buffer.toString().getBytes("UTF-8"), Algorithm.HS512, sharedSecret);
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
return encodeAll(buffer, signature); return encodeAll(buffer, signature);
} }
} }

8
core/src/main/java/org/keycloak/jose/jws/JWSInput.java
View file

@ -21,7 +21,7 @@ import org.keycloak.common.util.Base64Url;
import org.keycloak.util.JsonSerialization; import org.keycloak.util.JsonSerialization;
import java.io.IOException; import java.io.IOException;
import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets;
/** /**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@ -106,10 +106,6 @@ public class JWSInput {
} }
public String readContentAsString() { public String readContentAsString() {
try { return new String(content, StandardCharsets.UTF_8);
return new String(content, "UTF-8");
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
} }
} }

6
core/src/main/java/org/keycloak/jose/jws/crypto/HMACProvider.java
View file

@ -25,6 +25,8 @@ import org.keycloak.jose.jws.JWSInput;
import javax.crypto.Mac; import javax.crypto.Mac;
import javax.crypto.SecretKey; import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest; import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
@ -81,7 +83,7 @@ public class HMACProvider implements SignatureProvider {
public static boolean verify(JWSInput input, SecretKey key) { public static boolean verify(JWSInput input, SecretKey key) {
try { try {
byte[] signature = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), key); byte[] signature = sign(input.getEncodedSignatureInput().getBytes(StandardCharsets.UTF_8), input.getHeader().getAlgorithm(), key);
return MessageDigest.isEqual(signature, Base64Url.decode(input.getEncodedSignature())); return MessageDigest.isEqual(signature, Base64Url.decode(input.getEncodedSignature()));
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);
@ -91,7 +93,7 @@ public class HMACProvider implements SignatureProvider {
public static boolean verify(JWSInput input, byte[] sharedSecret) { public static boolean verify(JWSInput input, byte[] sharedSecret) {
try { try {
byte[] signature = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), sharedSecret); byte[] signature = sign(input.getEncodedSignatureInput().getBytes(StandardCharsets.UTF_8), input.getHeader().getAlgorithm(), sharedSecret);
return MessageDigest.isEqual(signature, Base64Url.decode(input.getEncodedSignature())); return MessageDigest.isEqual(signature, Base64Url.decode(input.getEncodedSignature()));
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);

8
core/src/main/java/org/keycloak/jose/jws/crypto/HashUtils.java
View file

@ -21,7 +21,7 @@ import org.keycloak.common.util.Base64Url;
import org.keycloak.crypto.HashException; import org.keycloak.crypto.HashException;
import org.keycloak.crypto.JavaAlgorithm; import org.keycloak.crypto.JavaAlgorithm;
import java.io.UnsupportedEncodingException; import java.nio.charset.StandardCharsets;
import java.security.MessageDigest; import java.security.MessageDigest;
import java.util.Arrays; import java.util.Arrays;
@ -32,15 +32,11 @@ public class HashUtils {
// See "at_hash" and "c_hash" in OIDC specification // See "at_hash" and "c_hash" in OIDC specification
public static String oidcHash(String jwtAlgorithmName, String input) { public static String oidcHash(String jwtAlgorithmName, String input) {
try { byte[] inputBytes = input.getBytes(StandardCharsets.UTF_8);
byte[] inputBytes = input.getBytes("UTF-8");
String javaAlgName = JavaAlgorithm.getJavaAlgorithmForHash(jwtAlgorithmName); String javaAlgName = JavaAlgorithm.getJavaAlgorithmForHash(jwtAlgorithmName);
byte[] hash = hash(javaAlgName, inputBytes); byte[] hash = hash(javaAlgName, inputBytes);
return encodeHashToOIDC(hash); return encodeHashToOIDC(hash);
} catch (UnsupportedEncodingException e) {
throw new HashException("Error when creating token hash", e);
}
} }

3
core/src/main/java/org/keycloak/jose/jws/crypto/RSAProvider.java
View file

@ -22,6 +22,7 @@ import org.keycloak.common.util.PemUtils;
import org.keycloak.jose.jws.Algorithm; import org.keycloak.jose.jws.Algorithm;
import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.JWSInput;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey; import java.security.PrivateKey;
import java.security.PublicKey; import java.security.PublicKey;
import java.security.Signature; import java.security.Signature;
@ -78,7 +79,7 @@ public class RSAProvider implements SignatureProvider {
try { try {
Signature verifier = getSignature(input.getHeader().getAlgorithm()); Signature verifier = getSignature(input.getHeader().getAlgorithm());
verifier.initVerify(publicKey); verifier.initVerify(publicKey);
verifier.update(input.getEncodedSignatureInput().getBytes("UTF-8")); verifier.update(input.getEncodedSignatureInput().getBytes(StandardCharsets.UTF_8));
return verifier.verify(input.getSignature()); return verifier.verify(input.getSignature());
} catch (Exception e) { } catch (Exception e) {
return false; return false;