Fixes eclipse-vertx#59: allow read only token generation based on pub…

…lic keys

vertx-auth-jwt/src/main/java/io/vertx/ext/auth/jwt/impl/Crypto.java

@@ -15,11 +15,7 @@
  */
 package io.vertx.ext.auth.jwt.impl;
 
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.Signature;
-import java.security.SignatureException;
+import java.security.*;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 
@@ -59,6 +55,46 @@ public boolean verify(byte[] signature, byte[] payload) {
  }
 }
 
+/**
+ * Signature based Crypto implementation
+ * @author Paulo Lopes
+ */
+final class CryptoPublicKey implements Crypto {
+ private final Signature sig;
+ private final PublicKey publicKey;
+
+ CryptoPublicKey(final String algorithm, final PublicKey publicKey) {
+ this.publicKey = publicKey;
+
+ Signature signature;
+ try {
+ // use default
+ signature = Signature.getInstance(algorithm);
+ } catch (NoSuchAlgorithmException e) {
+ // error
+ throw new RuntimeException(e);
+ }
+
+ this.sig = signature;
+ }
+
+ @Override
+ public synchronized byte[] sign(byte[] payload) {
+ throw new RuntimeException("CryptoPublicKey cannot sign");
+ }
+
+ @Override
+ public synchronized boolean verify(byte[] signature, byte[] payload) {
+ try {
+ sig.initVerify(publicKey);
+ sig.update(payload);
+ return sig.verify(signature);
+ } catch (SignatureException | InvalidKeyException e) {
+ throw new RuntimeException(e);
+ }
+ }
+}
+
 
 /**
  * Signature based Crypto implementation

vertx-auth-jwt/src/main/java/io/vertx/ext/auth/jwt/impl/JWT.java

@@ -24,6 +24,8 @@
 import java.nio.charset.StandardCharsets;
 import java.security.*;
 import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
 import java.util.*;
 
 /**
@@ -40,6 +42,10 @@ public final class JWT {
  private final Map<String, Crypto> CRYPTO_MAP;
  private final boolean unsecure;
 
+ public JWT() {
+ this(null);
+ }
+
  public JWT(final KeyStore keyStore, final char[] keyStorePassword) {
 
  Map<String, Crypto> tmp = new HashMap<>();
@@ -93,6 +99,29 @@ public JWT(final KeyStore keyStore, final char[] keyStorePassword) {
  CRYPTO_MAP = Collections.unmodifiableMap(tmp);
  }
 
+ public JWT(String publicKey) {
+ Map<String, Crypto> tmp = new HashMap<>();
+
+ unsecure = publicKey == null;
+
+ if (!unsecure) {
+ // load SIGNATURE (Read Only)
+ try {
+ X509EncodedKeySpec spec = new X509EncodedKeySpec(Base64.getDecoder().decode(publicKey));
+ KeyFactory kf = KeyFactory.getInstance("RSA");
+ tmp.put("RS256", new CryptoPublicKey("SHA256withRSA", kf.generatePublic(spec)));
+ } catch (InvalidKeySpecException | NoSuchAlgorithmException | RuntimeException e) {
+ e.printStackTrace();
+ log.warn("RS256 not supported");
+ }
+ }
+
+ // Spec requires "none" to always be available
+ tmp.put("none", new CryptoNone());
+
+ CRYPTO_MAP = Collections.unmodifiableMap(tmp);
+ }
+
  /**
  * Creates a new Message Authentication Code
  *

vertx-auth-jwt/src/main/java/io/vertx/ext/auth/jwt/impl/JWTAuthProviderImpl.java

@@ -64,7 +64,15 @@ public JWTAuthProviderImpl(Vertx vertx, JsonObject config) {
 
  this.jwt = new JWT(ks, keyStore.getString("password").toCharArray());
  } else {
- this.jwt = new JWT(null, null);
+ // in the case of not having a key store we will try to load a public key in pem format
+ // this is how keycloak works as an example.
+ String publicKey = config.getString("public-key");
+
+ if (publicKey != null) {
+ this.jwt = new JWT(publicKey);
+ } else {
+ this.jwt = new JWT();
+ }
  }
 
  } catch (KeyStoreException | IOException | CertificateException | NoSuchAlgorithmException e) {