-
Notifications
You must be signed in to change notification settings - Fork 3
feat(sdk): add comprehensive DPoP (RFC 9449) support (DSPX-3397) #374
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft
dmihalcik-virtru
wants to merge
36
commits into
main
Choose a base branch
from
DSPX-3397-java-sdk
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Changes from all commits
Commits
Show all changes
36 commits
Select commit
Hold shift + click to select a range
ba9592e
feat(java-sdk): add comprehensive DPoP (RFC 9449) support (DSPX-3397)
dmihalcik-virtru b899a15
fix(java-sdk): fix DPoP compile errors, nonce caching, and add 401-retry
dmihalcik-virtru 7b30aef
feat(java-sdk): add --dpop and --dpop-key CLI flags to encrypt/decrypt
dmihalcik-virtru 5755ea0
fix(java-sdk): propagate --dpop flags to subcommand help via ScopeTyp…
dmihalcik-virtru 6e55f55
fix(cmdline): replace System.exit in Supports with Callable<Integer>
dmihalcik-virtru f227a1e
test(java-sdk): add TokenSource unit tests and remove unused altindag…
dmihalcik-virtru 3e05969
docs: DPoP nonce challenge design spec
dmihalcik-virtru b4062ee
docs: DPoP nonce challenge implementation plan
dmihalcik-virtru a5b8228
feat(sdk): retry token request with nonce on use_dpop_nonce (RFC 9449…
dmihalcik-virtru 796ad9b
fix(sdk): address DPoP nonce retry quality issues
dmihalcik-virtru baca983
feat(cmdline): declare dpop_nonce_challenge support
dmihalcik-virtru 3674856
fix(sdk): harden DPoP retry interceptor
dmihalcik-virtru c63890e
fix(sdk): tighten TokenSource error handling and JWK validation
dmihalcik-virtru 76d3b77
fix(cmdline): restore fast-fail validation for credential options
dmihalcik-virtru c9268d1
fix(cmdline): print stack trace for failures that escape picocli
dmihalcik-virtru ad4894a
Add verbose logging and DPoP retry exception logging
dmihalcik-virtru f3c8180
Fall back to Bearer scheme when AS returns non-DPoP-bound token
dmihalcik-virtru 3568013
fix(sdk): strip query and fragment from DPoP htu claim
dmihalcik-virtru d5eca4a
test(sdk): advertise DPoP token_type in SDKBuilder mock IdP
dmihalcik-virtru 631fa05
docs(sdk): correct RFC 9449 section citations and remove stale plan/spec
dmihalcik-virtru e830c4e
fix(sdk): fail loudly when DPoP is requested but well-known omits pla…
dmihalcik-virtru 3a55f31
fix(cmdline): validate DPoP key options at parse time + add coverage
dmihalcik-virtru 68ff681
debug(sdk): add DPoP path/method/claims logging to AuthInterceptor
dmihalcik-virtru d7e6967
fix(sdk): disable Connect-GET on authenticated client (DPoP htm drift)
dmihalcik-virtru 0958854
fix(sdk): log malformed DPoP nonce challenge instead of swallowing 401
dmihalcik-virtru 5a457ff
fix(sdk): drop stale DPoP proof header on Bearer-downgrade retry
dmihalcik-virtru 7334294
fix(sdk): read token and scheme atomically to close a data race
dmihalcik-virtru 714eec5
fix(sdk): reject public-only DPoP JWK in central validation
dmihalcik-virtru eb3533e
refactor(cmdline): validate DpopMaterial in its constructor
dmihalcik-virtru c6120d0
docs(sdk): correct getAuthHeaders Javadoc for Bearer fallback
dmihalcik-virtru a66014c
test(sdk): assert DPoP proof htm claim reflects request method
dmihalcik-virtru 8e091ef
test(sdk): cover AuthInterceptor connect-kotlin request/response path
dmihalcik-virtru ab46e33
refactor(sdk): model token scheme as an enum, make AuthHeaders static
dmihalcik-virtru 4ed3952
docs(sdk): clarify retry-once semantics and trim redundant helper Jav…
dmihalcik-virtru c36755a
fix(sdk): surface persistent DPoP nonce challenge after retry
dmihalcik-virtru 28510cb
docs: note JAVA_HOME setup via brew for local builds
dmihalcik-virtru File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
129 changes: 129 additions & 0 deletions
129
cmdline/src/main/java/io/opentdf/platform/CliDpopOptions.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,129 @@ | ||
| package io.opentdf.platform; | ||
|
|
||
| import com.nimbusds.jose.JOSEException; | ||
| import com.nimbusds.jose.JWSAlgorithm; | ||
| import com.nimbusds.jose.jwk.Curve; | ||
| import com.nimbusds.jose.jwk.ECKey; | ||
| import com.nimbusds.jose.jwk.JWK; | ||
| import com.nimbusds.jose.jwk.KeyUse; | ||
| import com.nimbusds.jose.jwk.gen.ECKeyGenerator; | ||
| import com.nimbusds.jose.jwk.gen.RSAKeyGenerator; | ||
| import io.opentdf.platform.sdk.DpopKeyValidation; | ||
|
|
||
| import java.io.IOException; | ||
| import java.nio.file.Files; | ||
| import java.nio.file.Path; | ||
| import java.util.Optional; | ||
| import java.util.UUID; | ||
|
|
||
| final class CliDpopOptions { | ||
| private CliDpopOptions() { | ||
| } | ||
|
|
||
| static final class DpopMaterial { | ||
| final JWK jwk; | ||
| final JWSAlgorithm alg; | ||
|
|
||
| DpopMaterial(JWK jwk, JWSAlgorithm alg) { | ||
| // Validate in the constructor so a DpopMaterial is never valid only by | ||
| // convention of its caller — every instance has a compatible key/alg pair. | ||
| DpopKeyValidation.validate(jwk, alg); | ||
| this.jwk = jwk; | ||
| this.alg = alg; | ||
| } | ||
| } | ||
|
|
||
| static Optional<DpopMaterial> parse(String dpopAlg, Path dpopKeyPath) { | ||
| if (dpopKeyPath != null) { | ||
| JWK jwk = loadPrivateKey(dpopKeyPath); | ||
| JWSAlgorithm alg; | ||
| if (dpopAlg != null && !dpopAlg.isEmpty()) { | ||
| alg = parseAlgorithm(dpopAlg); | ||
| } else if (jwk instanceof ECKey) { | ||
| Curve curve = ((ECKey) jwk).getCurve(); | ||
| try { | ||
| alg = DpopKeyValidation.inferEcAlgorithm(curve); | ||
| } catch (IllegalArgumentException e) { | ||
| throw new IllegalArgumentException( | ||
| "DPoP key file " + dpopKeyPath + " uses unsupported EC curve " + curve, e); | ||
| } | ||
| } else { | ||
| alg = JWSAlgorithm.RS256; | ||
| } | ||
| try { | ||
| return Optional.of(new DpopMaterial(jwk, alg)); | ||
| } catch (IllegalArgumentException e) { | ||
| throw new IllegalArgumentException( | ||
| "DPoP key file " + dpopKeyPath + " is incompatible with --dpop=" + alg + ": " + e.getMessage(), | ||
| e); | ||
| } | ||
| } | ||
| if (dpopAlg != null) { | ||
| JWSAlgorithm alg = dpopAlg.isEmpty() ? JWSAlgorithm.RS256 : parseAlgorithm(dpopAlg); | ||
| return Optional.of(new DpopMaterial(generateKeyForAlgorithm(alg), alg)); | ||
| } | ||
| return Optional.empty(); | ||
| } | ||
|
|
||
| static JWSAlgorithm parseAlgorithm(String alg) { | ||
| switch (alg.toUpperCase()) { | ||
| case "RS256": return JWSAlgorithm.RS256; | ||
| case "RS384": return JWSAlgorithm.RS384; | ||
| case "RS512": return JWSAlgorithm.RS512; | ||
| case "ES256": return JWSAlgorithm.ES256; | ||
| case "ES384": return JWSAlgorithm.ES384; | ||
| case "ES512": return JWSAlgorithm.ES512; | ||
| default: | ||
| throw new IllegalArgumentException("Unsupported DPoP algorithm: " + alg | ||
| + ". Supported: RS256, RS384, RS512, ES256, ES384, ES512"); | ||
| } | ||
| } | ||
|
|
||
| private static JWK loadPrivateKey(Path path) { | ||
| String pem; | ||
| try { | ||
| pem = Files.readString(path); | ||
| } catch (IOException e) { | ||
| throw new IllegalArgumentException("Cannot read DPoP key file " + path + ": " + e.getMessage(), e); | ||
| } | ||
| JWK jwk; | ||
| try { | ||
| jwk = JWK.parseFromPEMEncodedObjects(pem); | ||
| } catch (JOSEException e) { | ||
| throw new IllegalArgumentException( | ||
| "DPoP key file " + path + " is not a valid PEM-encoded key: " + e.getMessage(), e); | ||
| } | ||
| if (!jwk.isPrivate()) { | ||
| throw new IllegalArgumentException( | ||
| "DPoP key file " + path + " contains a public key only; a private key is required"); | ||
| } | ||
| return jwk; | ||
| } | ||
|
|
||
| private static JWK generateKeyForAlgorithm(JWSAlgorithm alg) { | ||
| try { | ||
| if (JWSAlgorithm.RS256.equals(alg) || JWSAlgorithm.RS384.equals(alg) || JWSAlgorithm.RS512.equals(alg)) { | ||
| return new RSAKeyGenerator(2048) | ||
| .keyUse(KeyUse.SIGNATURE) | ||
| .keyID(UUID.randomUUID().toString()) | ||
| .generate(); | ||
| } | ||
| Curve curve; | ||
| if (JWSAlgorithm.ES256.equals(alg)) { | ||
| curve = Curve.P_256; | ||
| } else if (JWSAlgorithm.ES384.equals(alg)) { | ||
| curve = Curve.P_384; | ||
| } else if (JWSAlgorithm.ES512.equals(alg)) { | ||
| curve = Curve.P_521; | ||
| } else { | ||
| throw new IllegalArgumentException("Cannot generate key for algorithm: " + alg); | ||
| } | ||
| return new ECKeyGenerator(curve) | ||
| .keyUse(KeyUse.SIGNATURE) | ||
| .keyID(UUID.randomUUID().toString()) | ||
| .generate(); | ||
| } catch (JOSEException e) { | ||
| throw new IllegalArgumentException("Failed to generate DPoP key for algorithm " + alg + ": " + e.getMessage(), e); | ||
| } | ||
| } | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.