wildfly-security
diff --git a/‎auth/client/src/main/java/org/wildfly/security/auth/client/WildFlyElytronClientDefaultSSLContextProvider.java
Lines changed: 3 additions & 0 deletions b/‎auth/client/src/main/java/org/wildfly/security/auth/client/WildFlyElytronClientDefaultSSLContextProvider.java
Lines changed: 3 additions & 0 deletions
diff --git a/‎http/oidc/src/main/java/org/wildfly/security/http/oidc/JWKEncPublicKeyLocator.java
Lines changed: 3 additions & 3 deletions b/‎http/oidc/src/main/java/org/wildfly/security/http/oidc/JWKEncPublicKeyLocator.java
Lines changed: 3 additions & 3 deletions
diff --git a/‎http/oidc/src/main/java/org/wildfly/security/http/oidc/JWKPublicKeyLocator.java
Lines changed: 3 additions & 3 deletions b/‎http/oidc/src/main/java/org/wildfly/security/http/oidc/JWKPublicKeyLocator.java
Lines changed: 3 additions & 3 deletions
diff --git a/‎jose/jwk/pom.xml
Lines changed: 40 additions & 2 deletions b/‎jose/jwk/pom.xml
Lines changed: 40 additions & 2 deletions
diff --git a/‎jose/jwk/src/main/java/org/wildfly/security/jose/jwk/JWK.java
Lines changed: 34 additions & 0 deletions b/‎jose/jwk/src/main/java/org/wildfly/security/jose/jwk/JWK.java
Lines changed: 34 additions & 0 deletions
diff --git a/‎jose/jwk/src/main/java/org/wildfly/security/jose/jwk/JWKParser.java
Lines changed: 9 additions & 5 deletions b/‎jose/jwk/src/main/java/org/wildfly/security/jose/jwk/JWKParser.java
Lines changed: 9 additions & 5 deletions
diff --git a/‎jose/jwk/src/main/java/org/wildfly/security/jose/jwk/JsonWebKeySetUtil.java
Lines changed: 37 additions & 4 deletions b/‎jose/jwk/src/main/java/org/wildfly/security/jose/jwk/JsonWebKeySetUtil.java
Lines changed: 37 additions & 4 deletions
@@ -126,6 +126,9 @@ public Object newInstance(Object ignored) throws NoSuchAlgorithmException {
                     throw ElytronMessages.log.sslContextForSecurityProviderCreatesInfiniteLoop();
                 }
             } catch (ConfigXMLParseException | GeneralSecurityException e) {
+                if (log.isTraceEnabled()) {
+                    log.trace("Unable to obtain SSLContext", e);
+                }
                 if (e.getCause() instanceof FileNotFoundException) {
                     throw log.clientConfigurationFileNotFound();
                 }
 
@@ -21,16 +21,16 @@
 import static org.apache.http.HttpHeaders.ACCEPT;
 import static org.wildfly.security.http.oidc.ElytronMessages.log;
 import static org.wildfly.security.http.oidc.Oidc.JSON_CONTENT_TYPE;
+import static org.wildfly.security.jose.jwk.JsonWebKeySetUtil.FOR_ENCRYPTION;
+import static org.wildfly.security.jose.jwk.JsonWebKeySetUtil.getKeys;
 
 import java.security.PublicKey;
 import java.util.ArrayList;
 import java.util.Map;
 import java.util.List;
 
 import org.apache.http.client.methods.HttpGet;
-import org.wildfly.security.jose.jwk.JWK;
 import org.wildfly.security.jose.jwk.JsonWebKeySet;
-import org.wildfly.security.jose.jwk.JsonWebKeySetUtil;
 
 /**
  * A public key locator that dynamically obtains the public key used for encryption
@@ -97,7 +97,7 @@ private void sendRequest(OidcClientConfiguration config) {
         request.addHeader(ACCEPT, JSON_CONTENT_TYPE);
         try {
             JsonWebKeySet jwks = Oidc.sendJsonHttpRequest(config, request, JsonWebKeySet.class);
-            Map<String, PublicKey> publicKeys = JsonWebKeySetUtil.getKeysForUse(jwks, JWK.Use.ENC);
+            Map<String, PublicKey> publicKeys = getKeys(jwks, FOR_ENCRYPTION);
 
             if (log.isDebugEnabled()) {
                 log.debug("Public keys successfully retrieved for client " +  config.getResourceName() + ". New kids: " + publicKeys.keySet());
 
@@ -19,15 +19,15 @@
 package org.wildfly.security.http.oidc;
 
 import static org.wildfly.security.http.oidc.ElytronMessages.log;
+import static org.wildfly.security.jose.jwk.JsonWebKeySetUtil.FOR_SIGNATURE_VALIDATION;
+import static org.wildfly.security.jose.jwk.JsonWebKeySetUtil.getKeys;
 
 import java.security.PublicKey;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.apache.http.client.methods.HttpGet;
-import org.wildfly.security.jose.jwk.JWK;
 import org.wildfly.security.jose.jwk.JsonWebKeySet;
-import org.wildfly.security.jose.jwk.JsonWebKeySetUtil;
 
 /**
  * A public key locator that dynamically obtains the public key from an OpenID
@@ -95,7 +95,7 @@ private void sendRequest(OidcClientConfiguration oidcClientConfiguration) {
         try {
             JsonWebKeySet jwks = Oidc.sendJsonHttpRequest(oidcClientConfiguration, getMethod, JsonWebKeySet.class);
 
-            Map<String, PublicKey> publicKeys = JsonWebKeySetUtil.getKeysForUse(jwks, JWK.Use.SIG);
+            Map<String, PublicKey> publicKeys = getKeys(jwks, FOR_SIGNATURE_VALIDATION);
 
             if (log.isDebugEnabled()) {
                 log.debug("Public keys successfully retrieved for client " +  oidcClientConfiguration.getResourceName() + ". New kids: " + publicKeys.keySet().toString());
 
@@ -52,7 +52,7 @@
             <groupId>org.jboss.logging</groupId>
             <artifactId>jboss-logging</artifactId>
             <scope>provided</scope>
-        </dependency>        
+        </dependency>
         <dependency>
             <groupId>org.jboss.logging</groupId>
             <artifactId>jboss-logging-processor</artifactId>
@@ -67,7 +67,45 @@
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-annotations</artifactId>
         </dependency>
-               
+
+        <!-- Test Scope -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>net.minidev</groupId>
+            <artifactId>json-smart</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>net.minidev</groupId>
+                    <artifactId>json-smart</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>jakarta.json</groupId>
+            <artifactId>jakarta.json-api</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.eclipse.parsson</groupId>
+            <artifactId>jakarta.json</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.wildfly.security</groupId>
+            <artifactId>wildfly-elytron-tests-common</artifactId>
+            <type>test-jar</type>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
 </project>
@@ -42,6 +42,8 @@ public class JWK {
 
     public static final String PUBLIC_KEY_USE = "use";
 
+    public static final String KEY_OPS = "key_ops";
+
     public enum Use {
         SIG("sig"),
         ENC("enc");
@@ -57,6 +59,27 @@ public String asString() {
         }
     }
 
+    public enum KeyOp {
+        SIGN("sign"),
+        VERIFY("verify"),
+        ENCRYPT("encrypt"),
+        DECRYPT("decrypt"),
+        WRAP_KEY("wrapKey"),
+        UNWRAP_KEY("unwrapKey"),
+        DERIVE_KEY("deriveKey"),
+        DERIVE_BITS("deriveBits");
+
+        private String str;
+
+        KeyOp(String str) {
+            this.str = str;
+        }
+
+        public String asString() {
+            return str;
+        }
+    }
+
     @JsonProperty(KEY_ID)
     private String keyId;
 
@@ -69,6 +92,9 @@ public String asString() {
     @JsonProperty(PUBLIC_KEY_USE)
     private String publicKeyUse;
 
+    @JsonProperty(KEY_OPS)
+    private String[] keyOps;
+
     protected Map<String, Object> otherClaims = new HashMap<String, Object>();
 
 
@@ -104,6 +130,14 @@ public void setPublicKeyUse(String publicKeyUse) {
         this.publicKeyUse = publicKeyUse;
     }
 
+    public String[] getKeyOps() {
+        return keyOps;
+    }
+
+    public void setKeyOps(String[] keyOps) {
+        this.keyOps = keyOps;
+    }
+
     @JsonAnyGetter
     public Map<String, Object> getOtherClaims() {
         return otherClaims;
 
@@ -74,21 +74,25 @@ public JWK getJwk() {
     }
 
     public PublicKey toPublicKey() {
+        return toPublicKey(jwk);
+    }
+
+    public static PublicKey toPublicKey(JWK jwk) {
         String keyType = jwk.getKeyType();
         if (keyType.equals(RSAPublicJWK.RSA)) {
-            return createRSAPublicKey();
+            return createRSAPublicKey(jwk);
         } else if (keyType.equals(ECPublicJWK.EC)) {
-            return createECPublicKey();
+            return createECPublicKey(jwk);
         } else {
             throw log.unsupportedKeyTypeForJWK(keyType);
         }
     }
 
-    public boolean isKeyTypeSupported(String keyType) {
+    public static boolean isKeyTypeSupported(String keyType) {
         return (RSAPublicJWK.RSA.equals(keyType) || ECPublicJWK.EC.equals(keyType));
     }
 
-    private PublicKey createECPublicKey() {
+    private static PublicKey createECPublicKey(JWK jwk) {
         String crv = (String) jwk.getOtherClaims().get(ECPublicJWK.CRV);
 
         BigInteger x = new BigInteger(1,
@@ -123,7 +127,7 @@ private PublicKey createECPublicKey() {
         }
     }
 
-    private PublicKey createRSAPublicKey() {
+    private static PublicKey createRSAPublicKey(JWK jwk) {
         BigInteger modulus = new BigInteger(1,
                 CodePointIterator.ofString(jwk.getOtherClaims().get(RSAPublicJWK.MODULUS).toString()).base64Decode(BASE64_URL, false).drain());
         BigInteger publicExponent = new BigInteger(1,
 
@@ -18,9 +18,13 @@
 
 package org.wildfly.security.jose.jwk;
 
+import static org.wildfly.security.jose.jwk.JWKParser.isKeyTypeSupported;
+import static org.wildfly.security.jose.jwk.JWKParser.toPublicKey;
+
 import java.security.PublicKey;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.function.Predicate;
 
 /**
  * Utility methods for JSON Web Key Sets.
@@ -31,15 +35,44 @@
  */
 public class JsonWebKeySetUtil {
 
-    public static Map<String, PublicKey> getKeysForUse(JsonWebKeySet keySet, JWK.Use requestedUse) {
+    public static Map<String, PublicKey> getKeys(JsonWebKeySet keySet, Predicate<JWK> keyPredicate) {
         Map<String, PublicKey> result = new HashMap<>();
         for (JWK jwk : keySet.getKeys()) {
-            JWKParser parser = JWKParser.create(jwk);
-            if (jwk.getPublicKeyUse().equals(requestedUse.asString()) && parser.isKeyTypeSupported(jwk.getKeyType())) {
-                result.put(jwk.getKeyId(), parser.toPublicKey());
+            if (keyPredicate.test(jwk)) {
+                result.put(jwk.getKeyId(), toPublicKey(jwk));
             }
         }
         return result;
     }
 
+    /*
+     * Key Filtering Predicates.
+     */
+
+    public static Predicate<JWK> SUPPORTED_KEY_TYPE = j -> isKeyTypeSupported(j.getKeyType());
+
+    public static Predicate<JWK> usePredicate(JWK.Use requestedUse) {
+        return j -> j.getPublicKeyUse() != null && j.getPublicKeyUse().equals(requestedUse.asString());
+    }
+
+    public static Predicate<JWK> keyOpsPredicate(JWK.KeyOp requestedKeyOp) {
+        return j -> {
+            String[] keyOps = j.getKeyOps();
+            if (keyOps != null) {
+                for (String keyOp : keyOps) {
+                    if (keyOp.equals(requestedKeyOp.asString())) {
+                        return true;
+                    }
+                }
+            }
+
+            return false;
+        };
+    }
+
+    public static Predicate<JWK> FOR_SIGNATURE_VALIDATION = SUPPORTED_KEY_TYPE.and(
+        usePredicate(JWK.Use.SIG).or(keyOpsPredicate(JWK.KeyOp.VERIFY)));
+
+    public static Predicate<JWK> FOR_ENCRYPTION = SUPPORTED_KEY_TYPE.and(
+        usePredicate(JWK.Use.ENC).or(keyOpsPredicate(JWK.KeyOp.ENCRYPT)));
 }
Original file line number	Diff line number	Diff line change
`@@ -126,6 +126,9 @@ public Object newInstance(Object ignored) throws NoSuchAlgorithmException {`
`126`	`126`	`throw ElytronMessages.log.sslContextForSecurityProviderCreatesInfiniteLoop();`
`127`	`127`	`}`
`128`	`128`	`} catch (ConfigXMLParseException \| GeneralSecurityException e) {`
	`129`	`+ if (log.isTraceEnabled()) {`
	`130`	`+ log.trace("Unable to obtain SSLContext", e);`
	`131`	`+ }`
`129`	`132`	`if (e.getCause() instanceof FileNotFoundException) {`
`130`	`133`	`throw log.clientConfigurationFileNotFound();`
`131`	`134`	`}`
Original file line number	Diff line number	Diff line change
`@@ -74,21 +74,25 @@ public JWK getJwk() {`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`public PublicKey toPublicKey() {`
	`77`	`+ return toPublicKey(jwk);`
	`78`	`+ }`
	`79`	`+`
	`80`	`+ public static PublicKey toPublicKey(JWK jwk) {`
`77`	`81`	`String keyType = jwk.getKeyType();`
`78`	`82`	`if (keyType.equals(RSAPublicJWK.RSA)) {`
`79`		`- return createRSAPublicKey();`
	`83`	`+ return createRSAPublicKey(jwk);`
`80`	`84`	`} else if (keyType.equals(ECPublicJWK.EC)) {`
`81`		`- return createECPublicKey();`
	`85`	`+ return createECPublicKey(jwk);`
`82`	`86`	`} else {`
`83`	`87`	`throw log.unsupportedKeyTypeForJWK(keyType);`
`84`	`88`	`}`
`85`	`89`	`}`
`86`	`90`
`87`		`- public boolean isKeyTypeSupported(String keyType) {`
	`91`	`+ public static boolean isKeyTypeSupported(String keyType) {`
`88`	`92`	`return (RSAPublicJWK.RSA.equals(keyType) \|\| ECPublicJWK.EC.equals(keyType));`
`89`	`93`	`}`
`90`	`94`
`91`		`- private PublicKey createECPublicKey() {`
	`95`	`+ private static PublicKey createECPublicKey(JWK jwk) {`
`92`	`96`	`String crv = (String) jwk.getOtherClaims().get(ECPublicJWK.CRV);`
`93`	`97`
`94`	`98`	`BigInteger x = new BigInteger(1,`
`@@ -123,7 +127,7 @@ private PublicKey createECPublicKey() {`
`123`	`127`	`}`
`124`	`128`	`}`
`125`	`129`
`126`		`- private PublicKey createRSAPublicKey() {`
	`130`	`+ private static PublicKey createRSAPublicKey(JWK jwk) {`
`127`	`131`	`BigInteger modulus = new BigInteger(1,`
`128`	`132`	`CodePointIterator.ofString(jwk.getOtherClaims().get(RSAPublicJWK.MODULUS).toString()).base64Decode(BASE64_URL, false).drain());`
`129`	`133`	`BigInteger publicExponent = new BigInteger(1,`