Merge pull request #22886 from jhanders34/perf-improvement3

Updates to MP JWT features

Author: jhanders34

dev/com.ibm.websphere.appserver.features/visibility/public/mpJwt-1.2/com.ibm.websphere.appserver.mpJwt-1.2.feature

@@ -20,8 +20,7 @@ Subsystem-Name: MicroProfile JSON Web Token 1.2
   com.ibm.websphere.appserver.authFilter-1.0
 -bundles=com.ibm.ws.security.mp.jwt,\
   com.ibm.ws.security.mp.jwt.cdi,\
-  io.openliberty.security.mp.jwt.1.2.config,\
-  com.ibm.ws.security.mp.jwt.1.1.config
+  io.openliberty.security.mp.jwt.1.2.config
 kind=ga
 edition=core
 WLP-Activation-Type: parallel

dev/com.ibm.websphere.appserver.features/visibility/public/mpJwt-2.0/io.openliberty.mpJwt-2.0.feature

@@ -20,8 +20,7 @@ Subsystem-Name: MicroProfile JSON Web Token 2.0
   com.ibm.websphere.appserver.authFilter-1.0
 -bundles=io.openliberty.security.mp.jwt.internal,\
   io.openliberty.security.mp.jwt.cdi.internal,\
-  io.openliberty.security.mp.jwt.1.2.config,\
-  com.ibm.ws.security.mp.jwt.1.1.config
+  io.openliberty.security.mp.jwt.1.2.config
 kind=ga
 edition=core
 WLP-Activation-Type: parallel

dev/com.ibm.websphere.appserver.features/visibility/public/mpJwt-2.1/io.openliberty.mpJwt-2.1.feature

@@ -17,9 +17,7 @@ Subsystem-Name: MicroProfile JSON Web Token 2.1
   io.openliberty.cdi-4.0
 -bundles=io.openliberty.security.mp.jwt.internal,\
   io.openliberty.security.mp.jwt.cdi.internal,\
-  io.openliberty.security.mp.jwt.2.1.config,\
-  io.openliberty.security.mp.jwt.1.2.config,\
-  com.ibm.ws.security.mp.jwt.1.1.config
+  io.openliberty.security.mp.jwt.2.1.config
 kind=beta
 edition=core
 WLP-Activation-Type: parallel

dev/com.ibm.ws.security.common.jsonwebkey/src/com/ibm/ws/security/common/jwk/impl/JWKProvider.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2016, 2020 IBM Corporation and others.
+ * Copyright (c) 2016, 2022 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -55,8 +55,6 @@ public class JWKProvider {
 
     protected String publicKeyKid = null;
 
-    private KeyAlgorithmChecker keyAlgChecker = new KeyAlgorithmChecker();
-
     protected JWKProvider() {
         this(DEFAULT_KEY_SIZE, RS256, DEFAULT_ROTATION_TIME);
     }
@@ -142,14 +140,14 @@ protected JWK generateJWK(String alg, int size) {
     }
 
     boolean isValidJwkAlgorithm(String alg) {
-        return keyAlgChecker.isRSAlgorithm(alg) || keyAlgChecker.isESAlgorithm(alg);
+        return KeyAlgorithmChecker.isRSAlgorithm(alg) || KeyAlgorithmChecker.isESAlgorithm(alg);
     }
 
     JWK generateJwkForValidAlgorithmWithExistingKeys(String alg, int size, PublicKey publicKey, PrivateKey privateKey) {
         JWK jwk = null;
-        if (keyAlgChecker.isRSAlgorithm(alg)) {
+        if (KeyAlgorithmChecker.isRSAlgorithm(alg)) {
             jwk = generateRsaJwkWithExistingKeys(alg, publicKey, privateKey);
-        } else if (keyAlgChecker.isESAlgorithm(alg)) {
+        } else if (KeyAlgorithmChecker.isESAlgorithm(alg)) {
             jwk = generateEcJwkWithExistingKeys(alg, publicKey, privateKey);
         }
         if (jwk != null) {
@@ -174,9 +172,9 @@ JWK generateEcJwkWithExistingKeys(String alg, PublicKey publicKey, PrivateKey pr
 
     JWK generateJwkForValidAlgorithm(String alg, int size) {
         JWK jwk = null;
-        if (keyAlgChecker.isRSAlgorithm(alg)) {
+        if (KeyAlgorithmChecker.isRSAlgorithm(alg)) {
             jwk = generateRsaJWK(alg, size);
-        } else if (keyAlgChecker.isESAlgorithm(alg)) {
+        } else if (KeyAlgorithmChecker.isESAlgorithm(alg)) {
             jwk = generateEcJwk(alg);
         }
         return jwk;

dev/com.ibm.ws.security.common.jsonwebkey/src/com/ibm/ws/security/common/jwk/impl/JwKRetriever.java

@@ -96,8 +96,6 @@ public enum JwkKeyType {
     String keyText = null;
     String locationUsed = null;
 
-    KeyAlgorithmChecker keyAlgChecker = new KeyAlgorithmChecker();
-    
     public HttpUtils httpUtils;
 
     public JwKRetriever(JWKSet jwkSet) {
@@ -528,7 +526,7 @@ protected boolean parseKeyText(@Sensitive String keyText, String location, JWKSe
     }
 
     boolean isPemSupportedAlgorithm(String signatureAlgorithm) {
-        return keyAlgChecker.isRSAlgorithm(signatureAlgorithm) || keyAlgChecker.isESAlgorithm(signatureAlgorithm);
+        return KeyAlgorithmChecker.isRSAlgorithm(signatureAlgorithm) || KeyAlgorithmChecker.isESAlgorithm(signatureAlgorithm);
     }
 
     @Sensitive
@@ -556,7 +554,7 @@ boolean isPublicKeyJwk(KeyType keyType) {
 
     JWK parsePublicKeyJwk(String keyText, String signatureAlgorithm) throws Exception {
         PublicKey pubKey = PemKeyUtil.getPublicKey(keyText);
-        if (keyAlgChecker.isESAlgorithm(signatureAlgorithm)) {
+        if (KeyAlgorithmChecker.isESAlgorithm(signatureAlgorithm)) {
             return getEcJwkPublicKey(pubKey, signatureAlgorithm);
         } else {
             return getRsaJwkPublicKey(pubKey, signatureAlgorithm);
@@ -566,7 +564,7 @@ JWK parsePublicKeyJwk(String keyText, String signatureAlgorithm) throws Exceptio
     @Sensitive
     JWK parsePrivateKeyJwk(@Sensitive String keyText, String signatureAlgorithm) throws Exception {
         PrivateKey privateKey = PemKeyUtil.getPrivateKey(keyText);
-        if (keyAlgChecker.isESAlgorithm(signatureAlgorithm)) {
+        if (KeyAlgorithmChecker.isESAlgorithm(signatureAlgorithm)) {
             return getEcJwkPrivateKey(privateKey, signatureAlgorithm);
         } else {
             return getRsaJwkPrivateKey(privateKey, signatureAlgorithm);

dev/com.ibm.ws.security.common/src/com/ibm/ws/security/common/crypto/KeyAlgorithmChecker.java

@@ -35,15 +35,19 @@ public class KeyAlgorithmChecker {
 
     public static int UNKNOWN_HASH_SIZE = 0;
 
-    public boolean isHSAlgorithm(String alg) {
+    private KeyAlgorithmChecker() {
+        // no one should new up an instance of this class.
+    }
+
+    public static boolean isHSAlgorithm(String alg) {
         if (alg == null) {
             return false;
         }
         Matcher m = HSA_PATTERN.matcher(alg);
         return m.matches();
     }
 
-    public boolean isPublicKeyValidType(Key key, String supportedSigAlg) {
+    public static boolean isPublicKeyValidType(Key key, String supportedSigAlg) {
         if (key == null || supportedSigAlg == null) {
             // Rely on caller to do the appropriate checks if the key or algorithm is null
             return true;
@@ -59,36 +63,36 @@ public boolean isPublicKeyValidType(Key key, String supportedSigAlg) {
         return false;
     }
 
-    public boolean isRSAlgorithm(String alg) {
+    public static boolean isRSAlgorithm(String alg) {
         if (alg == null) {
             return false;
         }
         Matcher m = RSA_PATTERN.matcher(alg);
         return m.matches();
     }
 
-    public boolean isValidRSAPublicKey(Key key) {
+    public static boolean isValidRSAPublicKey(Key key) {
         String keyAlgorithm = key.getAlgorithm();
         // TODO - any way to check hash bit size?
         return (keyAlgorithm.equals("RSA") && key instanceof RSAPublicKey);
     }
 
-    public boolean isESAlgorithm(String alg) {
+    public static boolean isESAlgorithm(String alg) {
         if (alg == null) {
             return false;
         }
         Matcher m = ESA_PATTERN.matcher(alg);
         return m.matches();
     }
 
-    public boolean isValidECPublicKey(String supportedSigAlg, Key key) {
+    public static boolean isValidECPublicKey(String supportedSigAlg, Key key) {
         if (!("EC".equals(key.getAlgorithm()) && key instanceof ECPublicKey)) {
             return false;
         }
         return isValidECKeyParameters(supportedSigAlg, (ECPublicKey) key);
     }
 
-    boolean isValidECKeyParameters(String supportedSigAlg, ECKey key) {
+    static boolean isValidECKeyParameters(String supportedSigAlg, ECKey key) {
         ECParameterSpec params = key.getParams();
         int fieldSize = params.getCurve().getField().getFieldSize();
         if (tc.isDebugEnabled()) {
@@ -106,7 +110,7 @@ boolean isValidECKeyParameters(String supportedSigAlg, ECKey key) {
      * Extracts the hash size from algorithm strings such as RS256, HS384, or ES512.
      */
     @FFDCIgnore(Exception.class)
-    public int getHashSizeFromAlgorithm(String algorithm) {
+    public static int getHashSizeFromAlgorithm(String algorithm) {
         int hashSize = UNKNOWN_HASH_SIZE;
         Matcher algMatcher = ALG_PATTERN.matcher(algorithm);
         if (!algMatcher.matches()) {
@@ -127,7 +131,7 @@ public int getHashSizeFromAlgorithm(String algorithm) {
         return hashSize;
     }
 
-    public boolean isPrivateKeyValidType(Key key, String supportedSigAlg) {
+    public static boolean isPrivateKeyValidType(Key key, String supportedSigAlg) {
         if (key == null || supportedSigAlg == null) {
             // Rely on caller to do the appropriate checks if the key or algorithm is null
             return true;
@@ -143,13 +147,13 @@ public boolean isPrivateKeyValidType(Key key, String supportedSigAlg) {
         return false;
     }
 
-    public boolean isValidRSAPrivateKey(Key key) {
+    public static boolean isValidRSAPrivateKey(Key key) {
         String keyAlgorithm = key.getAlgorithm();
         // TODO - any way to check hash bit size?
         return (keyAlgorithm.equals("RSA") && key instanceof RSAPrivateKey);
     }
 
-    public boolean isValidECPrivateKey(String supportedSigAlg, Key key) {
+    public static boolean isValidECPrivateKey(String supportedSigAlg, Key key) {
         if (!("EC".equals(key.getAlgorithm()) && key instanceof ECPrivateKey)) {
             return false;
         }