Extract inner classes

Author: vietj

vertx-auth-common/src/main/java/io/vertx/ext/auth/impl/jose/JWK.java

@@ -38,7 +38,6 @@
 
 import static io.vertx.ext.auth.impl.Codec.base64MimeDecode;
 import static io.vertx.ext.auth.impl.Codec.base64UrlDecode;
-import static io.vertx.ext.auth.impl.jose.JWS.getSignatureLength;
 
 /**
  * JWK https://tools.ietf.org/html/rfc7517
@@ -132,7 +131,7 @@ private static boolean invalidAlgAlias(String alg, String alias) {
   private final String label;
 
   // the cryptography objects, not all will be initialized
-  private SigningAlgorithm signingAlgorithm;
+  private final SigningAlgorithm signingAlgorithm;
 
   public static List<JWK> load(KeyStore keyStore, String keyStorePassword, Map<String, String> passwordProtection) {
     final List<JWK> keys = new ArrayList<>();
@@ -338,108 +337,6 @@ private static SigningAlgorithm parsePEM(String alg, String kty, KeyFactory kf,
     }
   }
 
-  static class MacSigningAlgorithm implements SigningAlgorithm {
-    private final String name;
-    private final Mac mac;
-    public MacSigningAlgorithm(String name, Mac mac) {
-      this.name = name;
-      this.mac = mac;
-    }
-    @Override
-    public String name() {
-      return name;
-    }
-    @Override
-    public Signer signer() {
-      return new Signer() {
-        @Override
-        public byte[] sign(byte[] data) {
-          synchronized (MacSigningAlgorithm.this) {
-            return mac.doFinal(data);
-          }
-        }
-        @Override
-        public synchronized boolean verify(byte[] expected, byte[] payload) {
-          synchronized (MacSigningAlgorithm.this) {
-            return MessageDigest.isEqual(expected, sign(payload));
-          }
-        }
-      };
-    }
-  }
-
-  static class PubKeySigningAlgorithm implements SigningAlgorithm {
-
-    private final String kty;
-    private final String alg;
-    private final PrivateKey privateKey;
-    private final PublicKey publicKey;
-
-    public PubKeySigningAlgorithm(String kty, String alg, PrivateKey privateKey, PublicKey publicKey) {
-      this.privateKey = privateKey;
-      this.publicKey = publicKey;
-      this.kty = kty;
-      this.alg = alg;
-    }
-
-    @Override
-    public String name() {
-      return alg;
-    }
-
-    @Override
-    public Signer signer() throws GeneralSecurityException {
-      Signature signature = JWS.getSignature(alg);
-      // the length of the signature. This is derived from the algorithm name
-      // this will help to cope with signatures that are longer (yet valid) than
-      // the expected result
-      int len = getSignatureLength(alg, publicKey);
-      return new Signer() {
-        @Override
-        public synchronized byte[] sign(byte[] data) throws GeneralSecurityException {
-          if (privateKey == null) {
-            throw new IllegalStateException("JWK doesn't contain secKey material");
-          }
-          signature.initSign(privateKey);
-          signature.update(data);
-          byte[] sig = signature.sign();
-          switch (kty) {
-            case "EC":
-              return JWS.toJWS(sig, len);
-            default:
-              return sig;
-          }
-        }
-        @Override
-        public synchronized boolean verify(byte[] expected, byte[] payload) throws GeneralSecurityException {
-          if (publicKey == null) {
-            throw new IllegalStateException("JWK doesn't contain pubKey material");
-          }
-          signature.initVerify(publicKey);
-          signature.update(payload);
-          switch (kty) {
-            case "EC":
-              // JCA EC signatures expect ASN1 formatted signatures
-              // while JWS uses it's own format (R+S), while this will be true
-              // for all JWS, it may not be true for COSE keys
-              if (!JWS.isASN1(expected)) {
-                expected = JWS.toASN1(expected);
-              }
-              break;
-          }
-          if (expected.length < len) {
-            // need to adapt the expectation to make the RSA? engine happy
-            byte[] normalized = new byte[len];
-            System.arraycopy(expected, 0, normalized, 0, expected.length);
-            return signature.verify(normalized);
-          } else {
-            return signature.verify(expected);
-          }
-        }
-      };
-    }
-  }
-
   private JWK(String algorithm, Mac mac) throws NoSuchAlgorithmException {
 
     kid = null;
@@ -780,23 +677,19 @@ public String kty() {
     if (signingAlgorithm instanceof MacSigningAlgorithm) {
       return "oct";
     } else {
-      return ((PubKeySigningAlgorithm)signingAlgorithm).kty;
+      return ((PubKeySigningAlgorithm)signingAlgorithm).kty();
     }
   }
 
-  public Mac mac() {
-    return signingAlgorithm instanceof MacSigningAlgorithm ? ((MacSigningAlgorithm)signingAlgorithm).mac : null;
-  }
-
   public SigningAlgorithm signingAlgorithm() {
     return signingAlgorithm;
   }
 
   public PublicKey publicKey() {
-    return signingAlgorithm instanceof PubKeySigningAlgorithm ? ((PubKeySigningAlgorithm)signingAlgorithm).publicKey : null;
+    return signingAlgorithm instanceof PubKeySigningAlgorithm ? ((PubKeySigningAlgorithm)signingAlgorithm).publicKey() : null;
   }
 
   public PrivateKey privateKey() {
-    return signingAlgorithm instanceof PubKeySigningAlgorithm ? ((PubKeySigningAlgorithm)signingAlgorithm).privateKey : null;
+    return signingAlgorithm instanceof PubKeySigningAlgorithm ? ((PubKeySigningAlgorithm)signingAlgorithm).privateKey() : null;
   }
 }

vertx-auth-common/src/main/java/io/vertx/ext/auth/impl/jose/JWT.java

@@ -68,11 +68,11 @@ public JWT addJWK(JWK jwk) {
     if (jwk.use() == null || "sig".equals(jwk.use())) {
       List<JWS> current;
       synchronized (this) {
-        if (jwk.mac() != null || jwk.publicKey() != null) {
+        if (jwk.signingAlgorithm().canVerify()) {
           current = VERIFY.computeIfAbsent(jwk.getAlgorithm(), k -> new ArrayList<>());
           addJWK(current, jwk);
         }
-        if (jwk.mac() != null || jwk.privateKey() != null) {
+        if (jwk.signingAlgorithm().canSign()) {
           current = SIGN.computeIfAbsent(jwk.getAlgorithm(), k -> new ArrayList<>());
           addJWK(current, jwk);
         }

vertx-auth-common/src/main/java/io/vertx/ext/auth/impl/jose/MacSigningAlgorithm.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright 2025 Red Hat, Inc.
+ *
+ *  All rights reserved. This program and the accompanying materials
+ *  are made available under the terms of the Eclipse Public License v1.0
+ *  and Apache License v2.0 which accompanies this distribution.
+ *
+ *  The Eclipse Public License is available at
+ *  http://www.eclipse.org/legal/epl-v10.html
+ *
+ *  The Apache License v2.0 is available at
+ *  http://www.opensource.org/licenses/apache2.0.php
+ *
+ *  You may elect to redistribute this code under either of these licenses.
+ */
+package io.vertx.ext.auth.impl.jose;
+
+import javax.crypto.Mac;
+import java.security.MessageDigest;
+
+/**
+ * @author Paulo Lopes
+ */
+class MacSigningAlgorithm implements SigningAlgorithm {
+
+  private final String name;
+  private final Mac mac;
+
+  MacSigningAlgorithm(String name, Mac mac) {
+    this.name = name;
+    this.mac = mac;
+  }
+
+  @Override
+  public boolean canSign() {
+    return true;
+  }
+
+  @Override
+  public boolean canVerify() {
+    return true;
+  }
+
+  @Override
+  public String name() {
+    return name;
+  }
+
+  @Override
+  public Signer signer() {
+    return new Signer() {
+      @Override
+      public byte[] sign(byte[] data) {
+        synchronized (MacSigningAlgorithm.this) {
+          return mac.doFinal(data);
+        }
+      }
+
+      @Override
+      public synchronized boolean verify(byte[] expected, byte[] payload) {
+        synchronized (MacSigningAlgorithm.this) {
+          return MessageDigest.isEqual(expected, sign(payload));
+        }
+      }
+    };
+  }
+}

vertx-auth-common/src/main/java/io/vertx/ext/auth/impl/jose/PubKeySigningAlgorithm.java

@@ -0,0 +1,121 @@
+/*
+ * Copyright 2025 Red Hat, Inc.
+ *
+ *  All rights reserved. This program and the accompanying materials
+ *  are made available under the terms of the Eclipse Public License v1.0
+ *  and Apache License v2.0 which accompanies this distribution.
+ *
+ *  The Eclipse Public License is available at
+ *  http://www.eclipse.org/legal/epl-v10.html
+ *
+ *  The Apache License v2.0 is available at
+ *  http://www.opensource.org/licenses/apache2.0.php
+ *
+ *  You may elect to redistribute this code under either of these licenses.
+ */
+package io.vertx.ext.auth.impl.jose;
+
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+
+import static io.vertx.ext.auth.impl.jose.JWS.getSignatureLength;
+
+/**
+ * @author Paulo Lopes
+ */
+class PubKeySigningAlgorithm implements SigningAlgorithm {
+
+  private final String kty;
+  private final String alg;
+  private final PrivateKey privateKey;
+  private final PublicKey publicKey;
+
+  PubKeySigningAlgorithm(String kty, String alg, PrivateKey privateKey, PublicKey publicKey) {
+    this.privateKey = privateKey;
+    this.publicKey = publicKey;
+    this.kty = kty;
+    this.alg = alg;
+  }
+
+  public String kty() {
+    return kty;
+  }
+
+  public PrivateKey privateKey() {
+    return privateKey;
+  }
+
+  public PublicKey publicKey() {
+    return publicKey;
+  }
+
+  @Override
+  public boolean canSign() {
+    return privateKey != null;
+  }
+
+  @Override
+  public boolean canVerify() {
+    return publicKey != null;
+  }
+
+  @Override
+  public String name() {
+    return alg;
+  }
+
+  @Override
+  public Signer signer() throws GeneralSecurityException {
+    Signature signature = JWS.getSignature(alg);
+    // the length of the signature. This is derived from the algorithm name
+    // this will help to cope with signatures that are longer (yet valid) than
+    // the expected result
+    int len = getSignatureLength(alg, publicKey);
+    return new Signer() {
+      @Override
+      public synchronized byte[] sign(byte[] data) throws GeneralSecurityException {
+        if (privateKey == null) {
+          throw new IllegalStateException("JWK doesn't contain secKey material");
+        }
+        signature.initSign(privateKey);
+        signature.update(data);
+        byte[] sig = signature.sign();
+        switch (kty) {
+          case "EC":
+            return JWS.toJWS(sig, len);
+          default:
+            return sig;
+        }
+      }
+
+      @Override
+      public synchronized boolean verify(byte[] expected, byte[] payload) throws GeneralSecurityException {
+        if (publicKey == null) {
+          throw new IllegalStateException("JWK doesn't contain pubKey material");
+        }
+        signature.initVerify(publicKey);
+        signature.update(payload);
+        switch (kty) {
+          case "EC":
+            // JCA EC signatures expect ASN1 formatted signatures
+            // while JWS uses it's own format (R+S), while this will be true
+            // for all JWS, it may not be true for COSE keys
+            if (!JWS.isASN1(expected)) {
+              expected = JWS.toASN1(expected);
+            }
+            break;
+        }
+        if (expected.length < len) {
+          // need to adapt the expectation to make the RSA? engine happy
+          byte[] normalized = new byte[len];
+          System.arraycopy(expected, 0, normalized, 0, expected.length);
+          return signature.verify(normalized);
+        } else {
+          return signature.verify(expected);
+        }
+      }
+    };
+  }
+}

vertx-auth-common/src/main/java/io/vertx/ext/auth/impl/jose/SigningAlgorithm.java

@@ -6,6 +6,10 @@ public interface SigningAlgorithm {
 
   String name();
 
+  boolean canSign();
+
+  boolean canVerify();
+
   Signer signer() throws GeneralSecurityException;
 
 }