Merge pull request #584 from microsoft/trboehre/jwt-cert

Merge pull request #567 from microsoft/trboehre/expiredcert

Author: tracyboehrer

libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/CachingOpenIdMetadata.java

@@ -0,0 +1,112 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.bot.connector.authentication;
+
+import com.auth0.jwk.Jwk;
+import com.auth0.jwk.JwkException;
+import com.auth0.jwk.SigningKeyNotFoundException;
+import com.auth0.jwk.UrlJwkProvider;
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import java.io.IOException;
+import java.net.URL;
+import java.security.interfaces.RSAPublicKey;
+import java.time.Duration;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Maintains a cache of OpenID metadata keys.
+ */
+class CachingOpenIdMetadata implements OpenIdMetadata {
+    private static final Logger LOGGER = LoggerFactory.getLogger(CachingOpenIdMetadata.class);
+    private static final int CACHE_DAYS = 5;
+
+    private String url;
+    private long lastUpdated;
+    private ObjectMapper mapper;
+    private Map<String, Jwk> keyCache = new HashMap<>();
+    private final Object sync = new Object();
+
+    /**
+     * Constructs a OpenIdMetaData cache for a url.
+     * 
+     * @param withUrl The url.
+     */
+    CachingOpenIdMetadata(String withUrl) {
+        url = withUrl;
+        mapper = new ObjectMapper().findAndRegisterModules();
+    }
+
+    /**
+     * Gets a openid key.
+     *
+     * <p>
+     * Note: This could trigger a cache refresh, which will incur network calls.
+     * </p>
+     *
+     * @param keyId The JWT key.
+     * @return The cached key.
+     */
+    @Override
+    public OpenIdMetadataKey getKey(String keyId) {
+        synchronized (sync) {
+            // If keys are more than 5 days old, refresh them
+            if (lastUpdated < System.currentTimeMillis() - Duration.ofDays(CACHE_DAYS).toMillis()) {
+                refreshCache();
+            }
+
+            // Search the cache even if we failed to refresh
+            return findKey(keyId);
+        }
+    }
+
+    private void refreshCache() {
+        keyCache.clear();
+
+        try {
+            URL openIdUrl = new URL(this.url);
+            HashMap<String, String> openIdConf =
+                this.mapper.readValue(openIdUrl, new TypeReference<HashMap<String, Object>>() {
+                });
+            URL keysUrl = new URL(openIdConf.get("jwks_uri"));
+            lastUpdated = System.currentTimeMillis();
+            UrlJwkProvider provider = new UrlJwkProvider(keysUrl);
+            keyCache = provider.getAll().stream().collect(Collectors.toMap(Jwk::getId, jwk -> jwk));
+        } catch (IOException e) {
+            LOGGER.error(String.format("Failed to load openID config: %s", e.getMessage()));
+            lastUpdated = 0;
+        } catch (SigningKeyNotFoundException keyexception) {
+            LOGGER.error("refreshCache", keyexception);
+            lastUpdated = 0;
+        }
+    }
+
+    @SuppressWarnings("unchecked")
+    private OpenIdMetadataKey findKey(String keyId) {
+        if (!keyCache.containsKey(keyId)) {
+            LOGGER.warn("findKey: keyId " + keyId + " doesn't exist.");
+            return null;
+        }
+
+        try {
+            Jwk jwk = keyCache.get(keyId);
+            OpenIdMetadataKey key = new OpenIdMetadataKey();
+            key.key = (RSAPublicKey) jwk.getPublicKey();
+            key.endorsements = (List<String>) jwk.getAdditionalAttributes().get("endorsements");
+            key.certificateChain = jwk.getCertificateChain();
+            return key;
+        } catch (JwkException e) {
+            String errorDescription = String.format("Failed to load keys: %s", e.getMessage());
+            LOGGER.warn(errorDescription);
+        }
+        return null;
+    }
+}

libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/CachingOpenIdMetadataResolver.java

@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.bot.connector.authentication;
+
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+
+/**
+ * Maintains a cache of OpenIdMetadata objects.
+ */
+public class CachingOpenIdMetadataResolver implements OpenIdMetadataResolver {
+    private static final ConcurrentMap<String, CachingOpenIdMetadata> OPENID_METADATA_CACHE =
+        new ConcurrentHashMap<>();
+
+    /**
+     * Gets the OpenIdMetadata object for the specified key.
+     * @param metadataUrl  The key
+     * @return The OpenIdMetadata object.  If the key is not found, an new OpenIdMetadata
+     * object is created.
+     */
+    @Override
+    public OpenIdMetadata get(String metadataUrl) {
+        return OPENID_METADATA_CACHE
+            .computeIfAbsent(metadataUrl, key -> new CachingOpenIdMetadata(metadataUrl));
+    }
+}

libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/EmulatorValidation.java

@@ -23,7 +23,7 @@ private EmulatorValidation() {
      * TO BOT FROM EMULATOR: Token validation parameters when connecting to a
      * channel.
      */
-    private static final TokenValidationParameters TOKENVALIDATIONPARAMETERS =
+    public static final TokenValidationParameters TOKENVALIDATIONPARAMETERS =
         new TokenValidationParameters() {
             {
                 this.validateIssuer = true;

libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/GovernmentChannelValidation.java

@@ -20,7 +20,7 @@ public final class GovernmentChannelValidation {
      * TO BOT FROM GOVERNMENT CHANNEL: Token validation parameters when connecting
      * to a bot.
      */
-    private static final TokenValidationParameters TOKENVALIDATIONPARAMETERS =
+    public static final TokenValidationParameters TOKENVALIDATIONPARAMETERS =
         new TokenValidationParameters() {
             {
                 this.validateIssuer = true;

libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/JwtTokenExtractor.java

@@ -9,26 +9,28 @@
 import com.auth0.jwt.interfaces.DecodedJWT;
 import com.auth0.jwt.interfaces.Verification;
 import com.microsoft.bot.connector.ExecutorFactory;
+import java.io.ByteArrayInputStream;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Base64;
+import java.util.Date;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.ConcurrentMap;
 
 /**
  * Extracts relevant data from JWT Tokens.
  */
 public class JwtTokenExtractor {
-    private static final Logger LOGGER = LoggerFactory.getLogger(OpenIdMetadata.class);
-    private static final ConcurrentMap<String, OpenIdMetadata> OPENID_METADATA_CACHE =
-        new ConcurrentHashMap<>();
+    private static final Logger LOGGER = LoggerFactory.getLogger(CachingOpenIdMetadata.class);
 
     private TokenValidationParameters tokenValidationParameters;
     private List<String> allowedSigningAlgorithms;
+    private OpenIdMetadataResolver openIdMetadataResolver;
     private OpenIdMetadata openIdMetadata;
 
     /**
@@ -43,13 +45,18 @@ public JwtTokenExtractor(
         String withMetadataUrl,
         List<String> withAllowedSigningAlgorithms
     ) {
-
         this.tokenValidationParameters =
             new TokenValidationParameters(withTokenValidationParameters);
         this.tokenValidationParameters.requireSignedTokens = true;
         this.allowedSigningAlgorithms = withAllowedSigningAlgorithms;
-        this.openIdMetadata = OPENID_METADATA_CACHE
-            .computeIfAbsent(withMetadataUrl, key -> new OpenIdMetadata(withMetadataUrl));
+
+        if (tokenValidationParameters.issuerSigningKeyResolver == null) {
+            this.openIdMetadataResolver = new CachingOpenIdMetadataResolver();
+        } else {
+            this.openIdMetadataResolver = tokenValidationParameters.issuerSigningKeyResolver;
+        }
+
+        this.openIdMetadata = this.openIdMetadataResolver.get(withMetadataUrl);
     }
 
     /**
@@ -143,13 +150,27 @@ private CompletableFuture<ClaimsIdentity> validateToken(
             try {
                 verification.build().verify(token);
 
+                // If specified, validate the signing certificate.
+                if (
+                    tokenValidationParameters.validateIssuerSigningKey
+                    && key.certificateChain != null
+                    && key.certificateChain.size() > 0
+                ) {
+                    // Note that decodeCertificate will return null if the cert could not
+                    // be decoded.  This would likely be the case if it were in an unexpected
+                    // encoding.  Going to err on the side of ignoring this check.
+                    // May want to reconsider this and throw on null cert.
+                    X509Certificate cert = decodeCertificate(key.certificateChain.get(0));
+                    if (cert != null && !isCertValid(cert)) {
+                        throw new JWTVerificationException("Signing certificate is not valid");
+                    }
+                }
+
                 // Note: On the Emulator Code Path, the endorsements collection is null so the
-                // validation code
-                // below won't run. This is normal.
+                // validation code below won't run. This is normal.
                 if (key.endorsements != null) {
                     // Validate Channel / Token Endorsements. For this, the channelID present on the
-                    // Activity
-                    // needs to be matched by an endorsement.
+                    // Activity needs to be matched by an endorsement.
                     boolean isEndorsed =
                         EndorsementsValidator.validate(channelId, key.endorsements);
                     if (!isEndorsed) {
@@ -162,8 +183,7 @@ private CompletableFuture<ClaimsIdentity> validateToken(
                     }
 
                     // Verify that additional endorsements are satisfied. If no additional
-                    // endorsements are expected,
-                    // the requirement is satisfied as well
+                    // endorsements are expected, the requirement is satisfied as well
                     boolean additionalEndorsementsSatisfied = requiredEndorsements.stream()
                         .allMatch(
                             (endorsement) -> EndorsementsValidator
@@ -195,4 +215,22 @@ private CompletableFuture<ClaimsIdentity> validateToken(
             }
         }, ExecutorFactory.getExecutor());
     }
+
+    private X509Certificate decodeCertificate(String certStr) {
+        try {
+            byte[] decoded = Base64.getDecoder().decode(certStr);
+            return (X509Certificate) CertificateFactory
+                .getInstance("X.509").generateCertificate(new ByteArrayInputStream(decoded));
+        } catch (Throwable t) {
+            return null;
+        }
+    }
+
+    private boolean isCertValid(X509Certificate cert) {
+        long now = new Date().getTime();
+        long clockskew = tokenValidationParameters.clockSkew.toMillis();
+        long startValid = cert.getNotBefore().getTime() - clockskew;
+        long endValid = cert.getNotAfter().getTime() + clockskew;
+        return now >= startValid && now <= endValid;
+    }
 }

libraries/bot-connector/src/main/java/com/microsoft/bot/connector/authentication/OpenIdMetadata.java

@@ -3,108 +3,15 @@
 
 package com.microsoft.bot.connector.authentication;
 
-import com.auth0.jwk.Jwk;
-import com.auth0.jwk.JwkException;
-import com.auth0.jwk.SigningKeyNotFoundException;
-import com.auth0.jwk.UrlJwkProvider;
-import com.fasterxml.jackson.core.type.TypeReference;
-import com.fasterxml.jackson.databind.ObjectMapper;
-
-import java.io.IOException;
-import java.net.URL;
-import java.security.interfaces.RSAPublicKey;
-import java.time.Duration;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.stream.Collectors;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 /**
- * Maintains a cache of OpenID metadata keys.
+ * Fetches Jwk data.
  */
-class OpenIdMetadata {
-    private static final Logger LOGGER = LoggerFactory.getLogger(OpenIdMetadata.class);
-    private static final int CACHE_DAYS = 5;
-
-    private String url;
-    private long lastUpdated;
-    private ObjectMapper mapper;
-    private Map<String, Jwk> keyCache = new HashMap<>();
-    private final Object sync = new Object();
-
-    /**
-     * Constructs a OpenIdMetaData cache for a url.
-     * 
-     * @param withUrl The url.
-     */
-    OpenIdMetadata(String withUrl) {
-        url = withUrl;
-        mapper = new ObjectMapper().findAndRegisterModules();
-    }
+public interface OpenIdMetadata {
 
     /**
-     * Gets a openid key.
-     *
-     * <p>
-     * Note: This could trigger a cache refresh, which will incur network calls.
-     * </p>
-     *
-     * @param keyId The JWT key.
-     * @return The cached key.
+     * Returns the partial Jwk data for a key.
+     * @param keyId The key id.
+     * @return The Jwk data.
      */
-    public OpenIdMetadataKey getKey(String keyId) {
-        synchronized (sync) {
-            // If keys are more than 5 days old, refresh them
-            if (lastUpdated < System.currentTimeMillis() - Duration.ofDays(CACHE_DAYS).toMillis()) {
-                refreshCache();
-            }
-
-            // Search the cache even if we failed to refresh
-            return findKey(keyId);
-        }
-    }
-
-    private void refreshCache() {
-        keyCache.clear();
-
-        try {
-            URL openIdUrl = new URL(this.url);
-            HashMap<String, String> openIdConf =
-                this.mapper.readValue(openIdUrl, new TypeReference<HashMap<String, Object>>() {
-                });
-            URL keysUrl = new URL(openIdConf.get("jwks_uri"));
-            lastUpdated = System.currentTimeMillis();
-            UrlJwkProvider provider = new UrlJwkProvider(keysUrl);
-            keyCache = provider.getAll().stream().collect(Collectors.toMap(Jwk::getId, jwk -> jwk));
-        } catch (IOException e) {
-            LOGGER.error(String.format("Failed to load openID config: %s", e.getMessage()));
-            lastUpdated = 0;
-        } catch (SigningKeyNotFoundException keyexception) {
-            LOGGER.error("refreshCache", keyexception);
-            lastUpdated = 0;
-        }
-    }
-
-    @SuppressWarnings("unchecked")
-    private OpenIdMetadataKey findKey(String keyId) {
-        if (!keyCache.containsKey(keyId)) {
-            LOGGER.warn("findKey: keyId " + keyId + " doesn't exist.");
-            return null;
-        }
-
-        try {
-            Jwk jwk = keyCache.get(keyId);
-            OpenIdMetadataKey key = new OpenIdMetadataKey();
-            key.key = (RSAPublicKey) jwk.getPublicKey();
-            key.endorsements = (List<String>) jwk.getAdditionalAttributes().get("endorsements");
-            return key;
-        } catch (JwkException e) {
-            String errorDescription = String.format("Failed to load keys: %s", e.getMessage());
-            LOGGER.warn(errorDescription);
-        }
-        return null;
-    }
+    OpenIdMetadataKey getKey(String keyId);
 }