Introduce JwtEncoder with JWS implementation

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java

@@ -24,6 +24,8 @@
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
+import org.springframework.security.crypto.keys.KeyManager;
+import org.springframework.security.oauth2.jose.jws.NimbusJwsEncoder;
 import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider;
@@ -81,22 +83,38 @@ public OAuth2AuthorizationServerConfigurer<B> authorizationService(OAuth2Authori
 		return this;
 	}
 
+	/**
+	 * Sets the key manager.
+	 *
+	 * @param keyManager the key manager
+	 * @return the {@link OAuth2AuthorizationServerConfigurer} for further configuration
+	 */
+	public OAuth2AuthorizationServerConfigurer<B> keyManager(KeyManager keyManager) {
+		Assert.notNull(keyManager, "keyManager cannot be null");
+		this.getBuilder().setSharedObject(KeyManager.class, keyManager);
+		return this;
+	}
+
 	@Override
 	public void init(B builder) {
 		OAuth2ClientAuthenticationProvider clientAuthenticationProvider =
 				new OAuth2ClientAuthenticationProvider(
 						getRegisteredClientRepository(builder));
 		builder.authenticationProvider(postProcess(clientAuthenticationProvider));
 
+		NimbusJwsEncoder jwtEncoder = new NimbusJwsEncoder(getKeyManager(builder));
+
 		OAuth2AuthorizationCodeAuthenticationProvider authorizationCodeAuthenticationProvider =
 				new OAuth2AuthorizationCodeAuthenticationProvider(
 						getRegisteredClientRepository(builder),
-						getAuthorizationService(builder));
+						getAuthorizationService(builder),
+						jwtEncoder);
 		builder.authenticationProvider(postProcess(authorizationCodeAuthenticationProvider));
 
 		OAuth2ClientCredentialsAuthenticationProvider clientCredentialsAuthenticationProvider =
 				new OAuth2ClientCredentialsAuthenticationProvider(
-						getAuthorizationService(builder));
+						getAuthorizationService(builder),
+						jwtEncoder);
 		builder.authenticationProvider(postProcess(clientCredentialsAuthenticationProvider));
 
 		ExceptionHandlingConfigurer<B> exceptionHandling = builder.getConfigurer(ExceptionHandlingConfigurer.class);
@@ -168,4 +186,17 @@ private static <B extends HttpSecurityBuilder<B>> OAuth2AuthorizationService get
 		}
 		return (!authorizationServiceMap.isEmpty() ? authorizationServiceMap.values().iterator().next() : null);
 	}
+
+	private static <B extends HttpSecurityBuilder<B>> KeyManager getKeyManager(B builder) {
+		KeyManager keyManager = builder.getSharedObject(KeyManager.class);
+		if (keyManager == null) {
+			keyManager = getKeyManagerBean(builder);
+			builder.setSharedObject(KeyManager.class, keyManager);
+		}
+		return keyManager;
+	}
+
+	private static <B extends HttpSecurityBuilder<B>> KeyManager getKeyManagerBean(B builder) {
+		return builder.getSharedObject(ApplicationContext.class).getBean(KeyManager.class);
+	}
 }

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java

@@ -26,6 +26,8 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
 import org.springframework.security.config.test.SpringTestRule;
+import org.springframework.security.crypto.keys.KeyManager;
+import org.springframework.security.crypto.keys.StaticKeyGeneratingKeyManager;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
@@ -73,6 +75,7 @@
 public class OAuth2AuthorizationCodeGrantTests {
 	private static RegisteredClientRepository registeredClientRepository;
 	private static OAuth2AuthorizationService authorizationService;
+	private static KeyManager keyManager;
 
 	@Rule
 	public final SpringTestRule spring = new SpringTestRule();
@@ -84,6 +87,7 @@ public class OAuth2AuthorizationCodeGrantTests {
 	public static void init() {
 		registeredClientRepository = mock(RegisteredClientRepository.class);
 		authorizationService = mock(OAuth2AuthorizationService.class);
+		keyManager = new StaticKeyGeneratingKeyManager();
 	}
 
 	@Before
@@ -200,5 +204,10 @@ RegisteredClientRepository registeredClientRepository() {
 		OAuth2AuthorizationService authorizationService() {
 			return authorizationService;
 		}
+
+		@Bean
+		KeyManager keyManager() {
+			return keyManager;
+		}
 	}
 }

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java

@@ -26,6 +26,8 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
 import org.springframework.security.config.test.SpringTestRule;
+import org.springframework.security.crypto.keys.KeyManager;
+import org.springframework.security.crypto.keys.StaticKeyGeneratingKeyManager;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
@@ -60,6 +62,7 @@
 public class OAuth2ClientCredentialsGrantTests {
 	private static RegisteredClientRepository registeredClientRepository;
 	private static OAuth2AuthorizationService authorizationService;
+	private static KeyManager keyManager;
 
 	@Rule
 	public final SpringTestRule spring = new SpringTestRule();
@@ -71,6 +74,7 @@ public class OAuth2ClientCredentialsGrantTests {
 	public static void init() {
 		registeredClientRepository = mock(RegisteredClientRepository.class);
 		authorizationService = mock(OAuth2AuthorizationService.class);
+		keyManager = new StaticKeyGeneratingKeyManager();
 	}
 
 	@Before
@@ -135,5 +139,10 @@ RegisteredClientRepository registeredClientRepository() {
 		OAuth2AuthorizationService authorizationService() {
 			return authorizationService;
 		}
+
+		@Bean
+		KeyManager keyManager() {
+			return keyManager;
+		}
 	}
 }

crypto/spring-security-crypto2.gradle

@@ -0,0 +1,11 @@
+apply plugin: 'io.spring.convention.spring-module'
+
+dependencies {
+	compile project(':spring-security-core2')
+	compile 'org.springframework.security:spring-security-core'
+	compile springCoreDependency
+
+	testCompile 'junit:junit'
+	testCompile 'org.assertj:assertj-core'
+	testCompile 'org.mockito:mockito-core'
+}

crypto/src/main/java/org/springframework/security/crypto/keys/KeyGeneratorUtils.java

@@ -0,0 +1,81 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.crypto.keys;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.spec.ECFieldFp;
+import java.security.spec.ECParameterSpec;
+import java.security.spec.ECPoint;
+import java.security.spec.EllipticCurve;
+
+/**
+ * @author Joe Grandja
+ * @since 0.0.1
+ */
+final class KeyGeneratorUtils {
+
+	static SecretKey generateSecretKey() {
+		SecretKey hmacKey;
+		try {
+			hmacKey = KeyGenerator.getInstance("HmacSha256").generateKey();
+		} catch (Exception ex) {
+			throw new IllegalStateException(ex);
+		}
+		return hmacKey;
+	}
+
+	static KeyPair generateRsaKey() {
+		KeyPair keyPair;
+		try {
+			KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+			keyPairGenerator.initialize(2048);
+			keyPair = keyPairGenerator.generateKeyPair();
+		} catch (Exception ex) {
+			throw new IllegalStateException(ex);
+		}
+		return keyPair;
+	}
+
+	static KeyPair generateEcKey() {
+		EllipticCurve ellipticCurve = new EllipticCurve(
+				new ECFieldFp(
+						new BigInteger("115792089210356248762697446949407573530086143415290314195533631308867097853951")),
+				new BigInteger("115792089210356248762697446949407573530086143415290314195533631308867097853948"),
+				new BigInteger("41058363725152142129326129780047268409114441015993725554835256314039467401291"));
+		ECPoint ecPoint = new ECPoint(
+				new BigInteger("48439561293906451759052585252797914202762949526041747995844080717082404635286"),
+				new BigInteger("36134250956749795798585127919587881956611106672985015071877198253568414405109"));
+		ECParameterSpec ecParameterSpec = new ECParameterSpec(
+				ellipticCurve,
+				ecPoint,
+				new BigInteger("115792089210356248762697446949407573529996955224135760342422259061068512044369"),
+				1);
+
+		KeyPair keyPair;
+		try {
+			KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC");
+			keyPairGenerator.initialize(ecParameterSpec);
+			keyPair = keyPairGenerator.generateKeyPair();
+		} catch (Exception ex) {
+			throw new IllegalStateException(ex);
+		}
+		return keyPair;
+	}
+}

crypto/src/main/java/org/springframework/security/crypto/keys/KeyManager.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.crypto.keys;
+
+import org.springframework.lang.Nullable;
+
+import java.util.Set;
+
+/**
+ * Implementations of this interface are responsible for the management of {@link ManagedKey}(s),
+ * e.g. {@code javax.crypto.SecretKey}, {@code java.security.PrivateKey}, {@code java.security.PublicKey}, etc.
+ *
+ * @author Joe Grandja
+ * @since 0.0.1
+ * @see ManagedKey
+ */
+public interface KeyManager {
+
+	/**
+	 * Returns the {@link ManagedKey} identified by the provided {@code keyId},
+	 * or {@code null} if not found.
+	 *
+	 * @param keyId the key ID
+	 * @return the {@link ManagedKey}, or {@code null} if not found
+	 */
+	@Nullable
+	ManagedKey findByKeyId(String keyId);
+
+	/**
+	 * Returns a {@code Set} of {@link ManagedKey}(s) having the provided key {@code algorithm},
+	 * or an empty {@code Set} if not found.
+	 *
+	 * @param algorithm the key algorithm
+	 * @return a {@code Set} of {@link ManagedKey}(s), or an empty {@code Set} if not found
+	 */
+	Set<ManagedKey> findByAlgorithm(String algorithm);
+
+	/**
+	 * Returns a {@code Set} of the {@link ManagedKey}(s).
+	 *
+	 * @return a {@code Set} of the {@link ManagedKey}(s)
+	 */
+	Set<ManagedKey> getKeys();
+
+}