CXF-8811: Use request JWS signing key to encrypt JWE response

rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java

@@ -21,6 +21,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.Principal;
+import java.security.PublicKey;
 
 import jakarta.annotation.Priority;
 import jakarta.ws.rs.HttpMethod;
@@ -81,24 +82,26 @@ public void filter(ContainerRequestContext context) throws IOException {
     }
 
     protected SecurityContext configureSecurityContext(JwsSignatureVerifier sigVerifier) {
-        if (sigVerifier instanceof PublicKeyJwsSignatureVerifier
-            && ((PublicKeyJwsSignatureVerifier)sigVerifier).getX509Certificate() != null) {
-            final Principal principal =
-                ((PublicKeyJwsSignatureVerifier)sigVerifier).getX509Certificate().getSubjectX500Principal();
-            return new SecurityContext() {
+        if (sigVerifier instanceof PublicKeyJwsSignatureVerifier) {
+            PublicKeyJwsSignatureVerifier pkVerifier = (PublicKeyJwsSignatureVerifier) sigVerifier;
+            JAXRSUtils.getCurrentMessage().getExchange().put(PublicKey.class, pkVerifier.getPublicKey());
+            if (pkVerifier.getX509Certificate() != null) {
+                final Principal principal = pkVerifier.getX509Certificate().getSubjectX500Principal();
+                return new SecurityContext() {
 
-                public Principal getUserPrincipal() {
-                    return principal;
-                }
+                    public Principal getUserPrincipal() {
+                        return principal;
+                    }
 
-                public boolean isUserInRole(String arg0) {
-                    return false;
-                }
-            };
+                    public boolean isUserInRole(String arg0) {
+                        return false;
+                    }
+                };
+            }
         }
         return null;
     }
-    
+
     protected boolean isMethodWithNoContent(String method) {
         return HttpMethod.DELETE.equals(method) || HttpUtils.isMethodWithNoRequestContent(method);
     }

rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/JoseConstants.java

@@ -206,6 +206,13 @@ public final class JoseConstants extends RSSecurityConstants {
      */
     public static final String ENABLE_UNSIGNED_JWT_PRINCIPAL = "rs.security.enable.unsigned-jwt.principal";
 
+    /**
+     * Magic value for the {@code rs.security.keystore.alias} property that causes the JWE encryption
+     * to use the public key extracted from the inbound JWS signature verification, instead of loading
+     * a key from the configured keystore. This mirrors the WS-Security {@code useReqSigCert} convention.
+     */
+    public static final String USE_REQ_SIG_CERT = "useReqSigCert";
+
     /**
      * Whether to trace JOSE headers.
      */

rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java

@@ -427,7 +427,15 @@ public static KeyEncryptionProvider loadKeyEncryptionProvider(Properties props,
             boolean includeKeyId =
                 JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_KEY_ID);
 
-            if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
+            String alias = props.getProperty(JoseConstants.RSSEC_KEY_STORE_ALIAS);
+            if (JoseConstants.USE_REQ_SIG_CERT.equals(alias)) {
+                PublicKey publicKey = (PublicKey)
+                    PhaseInterceptorChain.getCurrentMessage().getExchange().get(PublicKey.class);
+                if (publicKey == null) {
+                    throw new JweException(JweException.Error.NO_ENCRYPTOR);
+                }
+                keyEncryptionProvider = getPublicKeyEncryptionProvider(publicKey, keyAlgo);
+            } else if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
                 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.ENCRYPT);
                 if (jwk != null) {
                     keyAlgo = getKeyEncryptionAlgorithm(m, props,

rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java

@@ -118,6 +118,9 @@ public SignatureAlgorithm getAlgorithm() {
     public X509Certificate getX509Certificate() {
         return cert;
     }
+    public PublicKey getPublicKey() {
+        return key;
+    }
     @Override
     public JwsVerificationSignature createJwsVerificationSignature(JwsHeaders headers) {
         Signature sig = CryptoUtils.getVerificationSignature(key,

systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JAXRSJweJwsTest.java

@@ -435,6 +435,62 @@ private BookStore createJweJwsBookStore(String address,
         return bean.create(BookStore.class);
     }
 
+    @Test
+    public void testJweJwsJwkRsaUseReqSigCert() throws Exception {
+        String address = "https://localhost:" + PORT + "/jwejwsjwkreqsigcert";
+        BookStore bs = createUseReqSigCertBookStore(address,
+            "org/apache/cxf/systest/jaxrs/security/alice.jwk.enc.out.properties",
+            "org/apache/cxf/systest/jaxrs/security/alice.jwk.sign.out.properties",
+            "org/apache/cxf/systest/jaxrs/security/alice.jwk.enc.in.properties",
+            "org/apache/cxf/systest/jaxrs/security/alice.jwk.sign.in.properties",
+            "rs.security.signature.include.public.key");
+        String text = bs.echoText("book");
+        assertEquals("book", text);
+    }
+
+    @Test
+    public void testJweJwsRsaUseReqSigCert() throws Exception {
+        String address = "https://localhost:" + PORT + "/jwejwsreqsigcert";
+        BookStore bs = createUseReqSigCertBookStore(address,
+            "org/apache/cxf/systest/jaxrs/security/bob.rs.properties",
+            "org/apache/cxf/systest/jaxrs/security/alice.rs.properties",
+            "org/apache/cxf/systest/jaxrs/security/alice.rs.properties",
+            "org/apache/cxf/systest/jaxrs/security/bob.rs.properties",
+            "rs.security.signature.include.cert");
+        String text = bs.echoText("book");
+        assertEquals("book", text);
+    }
+
+    private BookStore createUseReqSigCertBookStore(String address,
+                                                   String encOutProps, String sigOutProps,
+                                                   String encInProps, String sigInProps,
+                                                   String includeKeyProperty) {
+        JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = JAXRSJweJwsTest.class.getResource("client.xml");
+        Bus springBus = bf.createBus(busFile.toString());
+        bean.setBus(springBus);
+        bean.setServiceClass(BookStore.class);
+        bean.setAddress(address);
+        List<Object> providers = new LinkedList<>();
+        JweWriterInterceptor jweWriter = new JweWriterInterceptor();
+        jweWriter.setUseJweOutputStream(true);
+        JwsWriterInterceptor jwsWriter = new JwsWriterInterceptor();
+        jwsWriter.setUseJwsOutputStream(true);
+        providers.add(jweWriter);
+        providers.add(jwsWriter);
+        providers.add(new JweClientResponseFilter());
+        providers.add(new JwsClientResponseFilter());
+        bean.setProviders(providers);
+        bean.getProperties(true).put("rs.security.encryption.out.properties", encOutProps);
+        bean.getProperties(true).put("rs.security.signature.out.properties", sigOutProps);
+        bean.getProperties(true).put("rs.security.encryption.in.properties", encInProps);
+        bean.getProperties(true).put("rs.security.signature.in.properties", sigInProps);
+        bean.getProperties(true).put("jose.debug", true);
+        bean.getProperties(true).put(includeKeyProperty, "true");
+        return bean.create(BookStore.class);
+    }
+
     @Test
     public void testJweAesGcmDirect() throws Exception {
         String address = "https://localhost:" + PORT + "/jweaesgcmdirect";

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/alice.jwk.enc.in.properties

@@ -0,0 +1,24 @@
+#
+#
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=2011-04-29
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/alice.jwk.enc.out.properties

@@ -0,0 +1,24 @@
+#
+#
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=2011-04-29
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/alice.jwk.sign.in.properties

@@ -0,0 +1,24 @@
+#
+#
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=2011-04-29
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/alice.jwk.sign.out.properties

@@ -0,0 +1,24 @@
+#
+#
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=2011-04-29
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/alice.rs.properties

@@ -1,3 +1,5 @@
+#
+#
 #    Licensed to the Apache Software Foundation (ASF) under one
 #    or more contributor license agreements. See the NOTICE file
 #    distributed with this work for additional information
@@ -16,6 +18,7 @@
 #    under the License.
 rs.security.keystore.type=jks
 rs.security.keystore.password=password
+rs.security.key.password=password
 rs.security.keystore.alias=alice
 rs.security.keystore.file=keys/alice.jks
 rs.security.encryption.content.algorithm=A128GCM

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.enc.in.properties

@@ -0,0 +1,25 @@
+#
+#
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+#
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=2011-04-29
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.enc.out.properties

@@ -0,0 +1,25 @@
+#
+#
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+#
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=useReqSigCert
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.sign.in.properties

@@ -0,0 +1,25 @@
+#
+#
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+#
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=2011-04-29
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.jwk.sign.out.properties

@@ -0,0 +1,25 @@
+#
+#
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+#
+rs.security.keystore.type=jwk
+rs.security.keystore.alias=2011-04-29
+rs.security.keystore.file=org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256

systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bob.rs.enc.out.properties

@@ -0,0 +1,27 @@
+#
+#
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+#
+rs.security.keystore.type=jks
+rs.security.keystore.password=password
+rs.security.key.password=password
+rs.security.keystore.alias=useReqSigCert
+rs.security.keystore.file=keys/bob.jks
+rs.security.encryption.content.algorithm=A128GCM
+rs.security.encryption.key.algorithm=RSA-OAEP
+rs.security.signature.algorithm=RS256