Increase decoupling and move code to the place it should be

vietj · vietj · commit 29dc5eaa962f · 2025-09-30T21:27:07.000+02:00
diff --git a/vertx-auth-common/src/main/java/io/vertx/ext/auth/impl/jose/JWK.java b/vertx-auth-common/src/main/java/io/vertx/ext/auth/impl/jose/JWK.java
@@ -15,6 +15,7 @@
  */
 package io.vertx.ext.auth.impl.jose;
 
+import io.vertx.core.VertxException;
 import io.vertx.core.buffer.Buffer;
 import io.vertx.core.internal.logging.Logger;
 import io.vertx.core.internal.logging.LoggerFactory;
@@ -82,6 +83,22 @@ private static PubKeySigningAlgorithm createPubKeySigningAlgorithm(Algorithm alg
     return PubKeySigningAlgorithm.createPubKeySigningAlgorithm(alg.name(), privateKey, null, null, alg.signatureProvider, length);
   }
 
+  private static char[] password(String keyStorePassword, Map<String, String> passwordProtection, String alias) {
+    String password;
+    if (passwordProtection == null || (password = passwordProtection.get(alias)) == null) {
+      password = keyStorePassword;
+    }
+    return password.toCharArray();
+  }
+
+  private static boolean invalidAlgAlias(String alg, String alias) {
+    try {
+      Algorithm algo = Algorithm.valueOf(alias);
+      return !alg.equalsIgnoreCase(algo.jce) && !alg.equalsIgnoreCase(algo.oid);
+    } catch (IllegalArgumentException e) {
+      return true;
+    }
+  }
 
   static final Logger LOG = LoggerFactory.getLogger(JWK.class);
 
@@ -102,30 +119,40 @@ private static PubKeySigningAlgorithm createPubKeySigningAlgorithm(Algorithm alg
   private final Algorithm algo;
 
   public static List<JWK> load(KeyStore keyStore, String keyStorePassword, Map<String, String> passwordProtection) {
-    final List<Callable<SigningAlgorithm>> keys = SigningAlgorithm.create(keyStore, keyStorePassword, passwordProtection);
-    return keys.stream().flatMap(fact -> {
+    List<JWK> keys = new ArrayList<>();
+    // load MACs
+    for (String alias : Arrays.asList("HS256", "HS384", "HS512")) {
+      // algorithm is valid
       try {
-        SigningAlgorithm algo = fact.call();
-        if (algo instanceof PubKeySigningAlgorithm) {
-          PubKeySigningAlgorithm psa = (PubKeySigningAlgorithm) algo;
-          return Stream.of(new JWK(psa.name(), psa.id(), psa));
-        } else {
-          MacSigningAlgorithm msa = (MacSigningAlgorithm) algo;
-          return Stream.of(new JWK(msa));
+        char[] password = password(keyStorePassword, passwordProtection, alias);
+        MacSigningAlgorithm a = (MacSigningAlgorithm) SigningAlgorithm.create(keyStore, alias, password);
+        // key store does not have the requested algorithm
+        if (a != null) {
+          // the algorithm cannot be null, and it cannot be different from the alias list
+          if (invalidAlgAlias(a.name(), alias)) {
+            throw new Exception("The key algorithm does not match: {" + alias + ": " + a.name() + "}");
+          }
+          keys.add(new JWK(a));
         }
       } catch (Exception e) {
         LOG.warn("Failed to load key for algorithm", e);
-        return Stream.empty();
       }
-    }).collect(Collectors.toList());
-  }
-
-  private static char[] password(String keyStorePassword, Map<String, String> passwordProtection, String alias) {
-    String password;
-    if (passwordProtection == null || (password = passwordProtection.get(alias)) == null) {
-      password = keyStorePassword;
     }
-    return password.toCharArray();
+    for (String alias : Arrays.asList("RS256", "RS384", "RS512", "ES256K", "ES256", "ES384", "ES512")) {
+      try {
+        char[] password = password(keyStorePassword, passwordProtection, alias);
+        PubKeySigningAlgorithm a = (PubKeySigningAlgorithm) SigningAlgorithm.create(keyStore, alias, password);
+        if (a != null) {
+          if (invalidAlgAlias(a.signature().getAlgorithm(), alias)) {
+            throw new Exception("The key algorithm does not match: {" + alias + ": " + a.signature().getAlgorithm() + "}");
+          }
+          keys.add(new JWK(a));
+        }
+      } catch (Exception e) {
+        LOG.warn("Failed to load key for algorithm", e);
+      }
+    }
+    return keys;
   }
 
   /**
@@ -283,7 +310,9 @@ private JWK(MacSigningAlgorithm signingAlgo) throws NoSuchAlgorithmException, In
     }
   }
 
-  private JWK(String algorithm, String id, PubKeySigningAlgorithm signingAlg) throws NoSuchAlgorithmException {
+  private JWK(PubKeySigningAlgorithm signingAlgo) throws NoSuchAlgorithmException {
+
+    String algorithm = signingAlgo.name();
 
     try {
       algo = Algorithm.valueOf(algorithm);
@@ -292,28 +321,28 @@ private JWK(String algorithm, String id, PubKeySigningAlgorithm signingAlg) thro
     }
 
     kid = null;
-    label = signingAlg.canSign() ? algorithm + '#' + id + "-" + signingAlg.privateKey().hashCode() : algorithm + '#' + id;
+    label = signingAlgo.canSign() ? algorithm + '#' + signingAlgo.id() + "-" + signingAlgo.privateKey().hashCode() : algorithm + '#' + signingAlgo.id();
     use = null;
 
     switch (algo) {
       case RS256:
       case RS384:
       case RS512:
         kty = "RSA";
-        signingAlgorithm = signingAlg;
+        signingAlgorithm = signingAlgo;
         break;
       case PS256:
       case PS384:
       case PS512:
         kty = "RSASSA";
-        signingAlgorithm = signingAlg;
+        signingAlgorithm = signingAlgo;
         break;
       case ES256:
       case ES384:
       case ES512:
       case ES256K:
         kty = "EC";
-        signingAlgorithm = wrapECAlgo(signingAlg);
+        signingAlgorithm = wrapECAlgo(signingAlgo);
         break;
       default:
         throw new NoSuchAlgorithmException("Unknown algorithm: " + algorithm);
diff --git a/vertx-auth-common/src/main/java/io/vertx/ext/auth/impl/jose/algo/SigningAlgorithm.java b/vertx-auth-common/src/main/java/io/vertx/ext/auth/impl/jose/algo/SigningAlgorithm.java
@@ -22,23 +22,6 @@
 
 public abstract class SigningAlgorithm {
 
-  private static char[] password(String keyStorePassword, Map<String, String> passwordProtection, String alias) {
-    String password;
-    if (passwordProtection == null || (password = passwordProtection.get(alias)) == null) {
-      password = keyStorePassword;
-    }
-    return password.toCharArray();
-  }
-
-  private static boolean invalidAlgAlias(String alg, String alias) {
-    try {
-      Algorithm algo = Algorithm.valueOf(alias);
-      return !alg.equalsIgnoreCase(algo.jce) && !alg.equalsIgnoreCase(algo.oid);
-    } catch (IllegalArgumentException e) {
-      return true;
-    }
-  }
-
   public static SigningAlgorithm create(KeyStore keyStore, String alias, char[] password) throws UnrecoverableEntryException, NoSuchAlgorithmException, KeyStoreException, CertificateNotYetValidException, CertificateExpiredException {
     KeyStore.Entry entry = keyStore.getEntry(alias, new KeyStore.PasswordProtection(password));
     if (entry != null) {
@@ -81,79 +64,6 @@ public static SigningAlgorithm create(KeyStore keyStore, String alias, char[] pa
     return null;
   }
 
-  public static List<Callable<SigningAlgorithm>> create(KeyStore keyStore, String keyStorePassword, Map<String, String> passwordProtection) {
-
-    class Failure implements Callable<SigningAlgorithm> {
-      final Exception exception;
-      Failure(String msg) {
-        this.exception = VertxException.noStackTrace(msg);
-      }
-      Failure(Exception exception) {
-        this.exception = exception;
-      }
-      @Override
-      public SigningAlgorithm call() throws Exception {
-        throw exception;
-      }
-    }
-
-    class Algo implements Callable<SigningAlgorithm> {
-      final SigningAlgorithm algo;
-      Algo(SigningAlgorithm algo) {
-        this.algo = algo;
-      }
-      @Override
-      public SigningAlgorithm call() throws Exception {
-        return algo;
-      }
-    }
-
-    List<Callable<SigningAlgorithm>> keys = new ArrayList<>();
-
-    // TODO : merge the two for-each blocks
-
-    // load MACs
-    for (String alias : Arrays.asList("HS256", "HS384", "HS512")) {
-      // algorithm is valid
-      try {
-        char[] password = password(keyStorePassword, passwordProtection, alias);
-        SigningAlgorithm a = create(keyStore, alias, password);
-        // key store does not have the requested algorithm
-        if (a == null) {
-          continue;
-        }
-        // the algorithm cannot be null, and it cannot be different from the alias list
-        if (invalidAlgAlias(a.name(), alias)) {
-          keys.add(new Failure("The key algorithm does not match: {" + alias + ": " + a.name() + "}"));
-          continue;
-        }
-
-        keys.add(new Algo(a));
-      } catch (Exception e) {
-        keys.add(new Failure(e));
-      }
-    }
-
-    for (String alias : Arrays.asList("RS256", "RS384", "RS512", "ES256K", "ES256", "ES384", "ES512")) {
-      try {
-        char[] password = password(keyStorePassword, passwordProtection, alias);
-        PubKeySigningAlgorithm a = (PubKeySigningAlgorithm) create(keyStore, alias, password);
-        if (a == null) {
-          continue;
-        }
-        if (invalidAlgAlias(a.signature().getAlgorithm(), alias)) {
-          keys.add(new Failure("The key algorithm does not match: {" + alias + ": " + a.signature().getAlgorithm() + "}"));
-          continue;
-        }
-        keys.add(new Algo(a));
-      } catch (Exception e) {
-        keys.add(new Failure(e));
-      }
-    }
-
-    return keys;
-  }
-
   public abstract String name();
 
   public abstract String id();
