Improve JWT Signature logging for Troubleshooting Web Environments (#485)

Author: ggallotti

common/src/main/java/com/genexus/util/Encryption.java

@@ -5,6 +5,8 @@
 import com.genexus.common.interfaces.SpecificImplementation;
 import java.nio.charset.StandardCharsets;
 
+import com.genexus.diagnostics.core.ILogger;
+import com.genexus.diagnostics.core.LogManager;
 import org.apache.commons.codec.binary.Base64;
 import org.bouncycastle.crypto.BlockCipher;
 import org.bouncycastle.crypto.BufferedBlockCipher;
@@ -23,6 +25,7 @@
 
 public class Encryption
 {
+	public static final ILogger logger = LogManager.getLogger(Encryption.class);
     public static String AJAX_ENCRYPTION_KEY = "GX_AJAX_KEY";
 	public static String AJAX_ENCRYPTION_IV = "GX_AJAX_IV";
 	public static String AJAX_SECURITY_TOKEN = "AJAX_SECURITY_TOKEN";
@@ -210,12 +213,12 @@ public static String decrypt64(String value, String key, boolean safeEncoding)
 		}
 		catch (InvalidKeyException e)
 		{
-			System.err.println(e);
+			logger.error("decrypt64 error", e);
 			throw new InvalidGXKeyException(e.getMessage());
 		}
 		catch(UnsupportedEncodingException e)
 		{
-			System.err.println(e);
+			logger.error("decrypt64 error", e);
 			throw new RuntimeException(e.getMessage());
 		}
 		catch (ArrayIndexOutOfBoundsException e)
@@ -406,7 +409,7 @@ public static String encryptRijndael(String plainText, String key) {
 		try {
 			outputBytes = aesCipher(inputBytes, true, key, GX_AJAX_PRIVATE_IV);
 		} catch (DataLengthException | IllegalStateException | InvalidCipherTextException e) {
-			e.printStackTrace();
+			logger.error("encryptRijndael error", e);
 			return "";
 		}
 		return Hex.toHexString(outputBytes);

gxexternalproviders/src/test/java/com/genexus/db/driver/TestExternalProvider.java

@@ -1,5 +1,6 @@
 package com.genexus.db.driver;
 
+import com.genexus.specific.java.Connect;
 import org.junit.Assume;
 import org.junit.Before;
 import org.junit.Test;
@@ -37,6 +38,8 @@ public boolean supportsObjectAcls() {
 	@Before
 	public void beforeEachTestMethod() {
 
+		Connect.init();
+
 		boolean testEnabled = false;
 		try {
 			testEnabled = ExternalProviderHelper.getEnvironmentVariable(getProviderName() + "_TEST_ENABLED", false).equals("true");

java/src/main/java/com/genexus/security/web/SecureTokenHelper.java

@@ -2,7 +2,7 @@
 
 import java.util.Map;
 
-import org.apache.commons.lang.NotImplementedException;
+import com.fasterxml.jackson.core.JsonProcessingException;
 import org.apache.commons.lang.StringUtils;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -31,25 +31,29 @@ public static String sign(SecureToken token, SecurityMode mode, String secretKey
         String encoded = "";
         JWTSigner signer = new JWTSigner(secretKey);
         Map<String,Object> claims;
-		try {
+
+        try {
 			claims = new ObjectMapper().readValue(payload, Map.class);
-			switch (mode)
-	        {
-	            case Sign:
+		}
+        catch (JsonProcessingException e) {
+			logger.error("Signature Error - Failed to serialize payload", e);
+			return "";
+		}
+
+		switch (mode)
+		{
+			case Sign:
 				try {
-					encoded = signer.sign(claims);				
+					encoded = signer.sign(claims);
 				} catch (Exception e) {
-					logger.error("Sign Error", e);
+					logger.error("Signature Error", e);
 				}
-	                break;
-	            case SignEncrypt:
-	            case None:
-	                throw new NotImplementedException();	                	            	            
-	        }		
-		} 
-		catch (Exception e1) {
-			logger.error("Sign Error", e1);
-		}												      
+				break;
+			case SignEncrypt:
+			case None:
+				logger.warn(String.format("Signature Mode '%s' not implemented", mode));
+				break;
+		}
         return encoded;
     }
 

java/src/main/java/com/genexus/security/web/WebSecurityHelper.java

@@ -56,10 +56,5 @@ public static boolean verify(String pgmName, String issuer, String value, String
 		 }
 		 return ret;
      }
-    		 
-     /*public static boolean verify(String pgmName, String issuer, String value, String jwtToken, WebSecureToken token)
-     {     	 
-         boolean ok = SecureTokenHelper.Verify(jwtToken, token, GetSecretKey());            
-         return ok && !string.IsNullOrEmpty(pgmName) && token.ProgramName == pgmName && issuer == token.Issuer &&
-         */
+
 }

java/src/main/java/com/genexus/security/web/jose/jwt/JWTSigner.java

@@ -19,10 +19,15 @@
 import java.util.Map;
 import java.util.UUID;
 
+import org.apache.commons.lang.StringUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
 
 import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang.Validate;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -47,6 +52,7 @@ public class JWTSigner {
 
     private byte[] secret;
     private PrivateKey privateKey;
+	private static Logger logger = LogManager.getLogger(JWTSigner.class);
 
     // Default algorithm HMAC SHA-256 ("HS256")
     protected final static Algorithm DEFAULT_ALGORITHM = Algorithm.HS256;
@@ -55,7 +61,8 @@ public JWTSigner(final String secret) {
         this(secret.getBytes());
     }
 
-    public JWTSigner(final byte[] secret) {        
+    public JWTSigner(final byte[] secret) {
+        Validate.notNull(secret);
         this.secret = secret;
     }
 
@@ -78,7 +85,8 @@ public JWTSigner(final PrivateKey privateKey) {
      *                the "options" parameter override claims in this map.
      * @param options Allow choosing the signing algorithm, and automatic setting of some registered claims.
      */
-    public String sign(final Map<String, Object> claims, final Options options) {        
+    public String sign(final Map<String, Object> claims, final Options options) {
+		Validate.notNull(claims, "JWT claims cannot be null");
         final Algorithm algorithm = (options != null && options.algorithm != null) ? options.algorithm : DEFAULT_ALGORITHM;
         final List<String> segments = new ArrayList<String>();
         try {
@@ -87,6 +95,7 @@ public String sign(final Map<String, Object> claims, final Options options) {
             segments.add(encodedSignature(join(segments, "."), algorithm));
             return join(segments, ".");
         } catch (Exception e) {
+        	logger.error("JWT Sign error", e);
             throw new RuntimeException(e.getCause());
         }
     }
@@ -95,14 +104,17 @@ public String sign(final Map<String, Object> claims, final Options options) {
      * Generate a JSON Web Token using the default algorithm HMAC SHA-256 ("HS256")
      * and no claims automatically set.
      */
-    public String sign(final Map<String, Object> claims) {        
+    public String sign(final Map<String, Object> claims) {
+        Validate.notNull(claims);
         return sign(claims, null);
     }
 
     /**
      * Generate the header part of a JSON web token.
      */
-    private String encodedHeader(final Algorithm algorithm) throws UnsupportedEncodingException {        
+    private String encodedHeader(final Algorithm algorithm) throws UnsupportedEncodingException {
+        Validate.notNull(algorithm);
+        // create the header
         final ObjectNode header = JsonNodeFactory.instance.objectNode();
         header.put("typ", "JWT");
         header.put("alg", algorithm.name());
@@ -131,6 +143,8 @@ private String encodedPayload(final Map<String, Object> _claims, final Options o
     }
 
     private void processPayloadOptions(final Map<String, Object> claims, final Options options) {
+        Validate.notNull(claims);
+        Validate.notNull(options);
         final long now = System.currentTimeMillis() / 1000l;
         if (options.expirySeconds != null)
             claims.put("exp", now + options.expirySeconds);
@@ -144,6 +158,8 @@ private void processPayloadOptions(final Map<String, Object> claims, final Optio
 
     // consider cleanup
     private void enforceIntDate(final Map<String, Object> claims, final String claimName) {
+        Validate.notNull(claims);
+        Validate.notNull(claimName);
         final Object value = handleNullValue(claims, claimName);
         if (value == null)
             return;
@@ -226,6 +242,8 @@ private String checkStringOrURI(final Object value) {
      */
     private String encodedSignature(final String signingInput, final Algorithm algorithm) throws NoSuchAlgorithmException, InvalidKeyException,
             NoSuchProviderException, SignatureException, JWTAlgorithmException {
+        Validate.notNull(signingInput);
+        Validate.notNull(algorithm);
         switch (algorithm) {
             case HS256:
             case HS384:
@@ -244,13 +262,17 @@ private String encodedSignature(final String signingInput, final Algorithm algor
      * Safe URL encode a byte array to a String
      */
     private String base64UrlEncode(final byte[] str) {
+        Validate.notNull(str);
         return new String(Base64.encodeBase64URLSafe(str));
     }
 
     /**
      * Sign an input string using HMAC and return the encrypted bytes
      */
     private static byte[] signHmac(final Algorithm algorithm, final String msg, final byte[] secret) throws NoSuchAlgorithmException, InvalidKeyException {
+        Validate.notNull(algorithm);
+        Validate.notNull(msg);
+        Validate.notNull(secret);
         final Mac mac = Mac.getInstance(algorithm.getValue());
         mac.init(new SecretKeySpec(secret, algorithm.getValue()));
         return mac.doFinal(msg.getBytes());
@@ -261,15 +283,20 @@ private static byte[] signHmac(final Algorithm algorithm, final String msg, fina
      */
     private static byte[] signRs(final Algorithm algorithm, final String msg, final PrivateKey privateKey) throws NoSuchProviderException,
             NoSuchAlgorithmException, InvalidKeyException, SignatureException {
+        Validate.notNull(algorithm);
+        Validate.notNull(msg);
+        Validate.notNull(privateKey);
         final byte[] messageBytes = msg.getBytes();
         final Signature signature = Signature.getInstance(algorithm.getValue(), "BC");
         signature.initSign(privateKey);
         signature.update(messageBytes);
         return signature.sign();
     }
 
-    private String join(final List<String> input, final String separator) {    	
-        return org.apache.commons.lang.StringUtils.join(input.iterator(), separator);
+    private String join(final List<String> input, final String separator) {
+        Validate.notNull(input);
+        Validate.notNull(separator);
+        return StringUtils.join(input.iterator(), separator);
     }
 
     /**

java/src/main/java/com/genexus/webpanels/WebUtils.java

@@ -4,19 +4,20 @@
 import java.text.CharacterIterator;
 import java.text.StringCharacterIterator;
 import java.util.Date;
+import java.util.Locale;
 import java.util.Set;
 
-import com.genexus.ModelContext;
+import com.genexus.*;
 import com.genexus.internet.HttpContext;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.io.input.BOMInputStream;
 
-import com.genexus.CommonUtil;
-import com.genexus.GXutil;
-import com.genexus.PrivateUtilities;
 import com.genexus.diagnostics.core.ILogger;
 import com.genexus.diagnostics.core.LogManager;
 import com.genexus.xml.XMLReader;
+import org.apache.commons.lang.StringUtils;
+
+import static com.genexus.util.Encryption.decrypt64;
 
 
 public class WebUtils
@@ -419,7 +420,7 @@ protected static Object[] parmsToObjectArray(com.genexus.ModelContext context, S
         public static String decryptParm(Object parm, String encryptionKey) {
             String value = parm.toString();
             try {
-                if (!encryptionKey.equals("")) {
+                if (!encryptionKey.isEmpty()) {
                     String strValue = value.toString();
                     strValue = com.genexus.util.Encryption.uridecrypt64(strValue,
                             encryptionKey);
@@ -437,29 +438,31 @@ public static String decryptParm(Object parm, String encryptionKey) {
 
 		public static String parmsEncryptionKey(com.genexus.ModelContext context)
 		{
-			String GXKey = "";
             String keySourceType = com.genexus.Application.getClientPreferences().getUSE_ENCRYPTION();
-            if (!keySourceType.equals("")) {
-                GXKey = getEncryptionKey(context, keySourceType);
-            }
-            return GXKey;
+            if (keySourceType.isEmpty()) {
+				return "";
+			}
+            return getEncryptionKey(context, keySourceType);
 		}
 
-		public static String getEncryptionKey(com.genexus.ModelContext context, String keySourceType){
-			if (keySourceType.equals(""))
-			{
-				keySourceType = com.genexus.Application.getClientPreferences().getUSE_ENCRYPTION();
+		public static String getEncryptionKey(com.genexus.ModelContext context, String keySourceType) {
+			keySourceType = (keySourceType.isEmpty()) ? Application.getClientPreferences().getUSE_ENCRYPTION(): keySourceType;
+			String encryptionKey;
+
+			switch (keySourceType.toUpperCase(Locale.ROOT)) {
+				case "SESSION":
+					encryptionKey = decrypt64(((HttpContext) context.getHttpContext()).getCookie("GX_SESSION_ID"), context.getServerKey());
+					break;
+				default:
+					encryptionKey = context.getSiteKey();
+					break;
 			}
-            String GXKey = "";
-            if (keySourceType.equalsIgnoreCase("SESSION"))
-			{
-            	GXKey = com.genexus.util.Encryption.decrypt64(((HttpContext) context.getHttpContext()).getCookie("GX_SESSION_ID"), context.getServerKey());
-            }
-            else
-			{            	
-            	GXKey = context.getSiteKey();                
-            }                                                                                     
-            return GXKey;			
+
+			if (encryptionKey.isEmpty()) {
+				logger.error(String.format("Encryption Key cannot be empty - Key Source: %s", keySourceType));
+			}
+
+            return encryptionKey;
 		}
 
 	private static final String gxApplicationClassesFileName = "GXApplicationClasses.txt";