Example 1 with GetPublicKeyRequest

Use of com.amazonaws.services.kms.model.GetPublicKeyRequest in project documentproduction by qld-gov-au.

Class AwsContentSignerFactory, method getPublicKey:

// Imports taken from the "Also used" list below; SignatureKey is the project's own key descriptor.
import java.security.PublicKey;
import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.GetPublicKeyRequest;
import com.amazonaws.services.kms.model.GetPublicKeyResult;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.openssl.PEMException;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;

@Override
public PublicKey getPublicKey(SignatureKey key) {
    // "stub" is a test-only region marker: no KMS call is made and the caller gets null,
    // so callers must not assume a key is always returned.
    if ("stub".equals(this.region)) {
        return null;
    }
    AWSKMS kmsClient = AWSKMSClientBuilder.standard().withRegion(region).build();
    // KMS returns only the public half of the asymmetric key, DER-encoded as SubjectPublicKeyInfo.
    GetPublicKeyResult response = kmsClient.getPublicKey(new GetPublicKeyRequest().withKeyId(key.getKmsId()));
    SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(response.getPublicKey().array());
    // Convert the BouncyCastle ASN.1 structure into a JCA PublicKey.
    JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
    try {
        return converter.getPublicKey(spki);
    } catch (PEMException e) {
        throw new IllegalStateException(e.getMessage(), e);
    }
}
Also used: GetPublicKeyRequest (com.amazonaws.services.kms.model.GetPublicKeyRequest), PEMException (org.bouncycastle.openssl.PEMException), JcaPEMKeyConverter (org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter), GetPublicKeyResult (com.amazonaws.services.kms.model.GetPublicKeyResult), SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo), AWSKMS (com.amazonaws.services.kms.AWSKMS)

Example 2 with GetPublicKeyRequest

Use of com.amazonaws.services.kms.model.GetPublicKeyRequest in project di-authentication-api by alphagov.

Class TokenValidationService, method createJwk:

// Imports are listed under "Also used" below; kmsConnectionService, configService and
// createPublicKey (which decodes the SubjectPublicKeyInfo returned by KMS) belong to the enclosing class.
private ECKey.Builder createJwk() {
    GetPublicKeyRequest getPublicKeyRequest = new GetPublicKeyRequest();
    // The signing key is addressed by a configured alias rather than a hard-coded key id.
    getPublicKeyRequest.setKeyId(configService.getTokenSigningKeyAlias());
    GetPublicKeyResult publicKeyResult = kmsConnectionService.getPublicKey(getPublicKeyRequest);
    PublicKey publicKey = createPublicKey(publicKeyResult);
    // Publish a P-256 signing JWK whose "kid" is the SHA-256 hash of the key identifier KMS returns,
    // the same derivation TokenService uses in the JWS header (Example 4). The Builder is returned unbuilt.
    return new ECKey.Builder(Curve.P_256, (ECPublicKey) publicKey).keyID(hashSha256String(publicKeyResult.getKeyId())).keyUse(KeyUse.SIGNATURE).algorithm(new Algorithm(JWSAlgorithm.ES256.getName()));
}
Also used: ECPublicKey (java.security.interfaces.ECPublicKey), GetPublicKeyRequest (com.amazonaws.services.kms.model.GetPublicKeyRequest), PublicKey (java.security.PublicKey), GetPublicKeyResult (com.amazonaws.services.kms.model.GetPublicKeyResult), ECKey (com.nimbusds.jose.jwk.ECKey), JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm), Algorithm (com.nimbusds.jose.Algorithm)

Example 3 with GetPublicKeyRequest

Use of com.amazonaws.services.kms.model.GetPublicKeyRequest in project di-authentication-api by alphagov.

Class TokenValidationService, method createJwk (overload taking an explicit key id):

// Same construction as Example 2, but for a caller-supplied key id and returning a built ECKey.
// Imports are listed under "Also used" below; kmsConnectionService and createPublicKey are members of the class.
private ECKey createJwk(String keyId) {
    GetPublicKeyRequest getPublicKeyRequest = new GetPublicKeyRequest();
    getPublicKeyRequest.setKeyId(keyId);
    GetPublicKeyResult publicKeyResult = kmsConnectionService.getPublicKey(getPublicKeyRequest);
    PublicKey publicKey = createPublicKey(publicKeyResult);
    // "kid" is derived from the identifier KMS returns, not from the alias or id passed in,
    // so the JWK matches the header of tokens signed with the same KMS key.
    return new ECKey.Builder(Curve.P_256, (ECPublicKey) publicKey).keyID(hashSha256String(publicKeyResult.getKeyId())).keyUse(KeyUse.SIGNATURE).algorithm(new Algorithm(JWSAlgorithm.ES256.getName())).build();
}
Also used: GetPublicKeyRequest (com.amazonaws.services.kms.model.GetPublicKeyRequest), PublicKey (java.security.PublicKey), ECPublicKey (java.security.interfaces.ECPublicKey), GetPublicKeyResult (com.amazonaws.services.kms.model.GetPublicKeyResult), JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm), Algorithm (com.nimbusds.jose.Algorithm)

Example 4 with GetPublicKeyRequest

Use of com.amazonaws.services.kms.model.GetPublicKeyRequest in project di-authentication-api by alphagov.

Class TokenService, method generateSignedJWT:

// Imports from the "Also used" list below plus the remaining Nimbus/JDK types the method references;
// kmsConnectionService, configService, LOG and TOKEN_ALGORITHM are fields of TokenService.
import java.nio.ByteBuffer;
import java.util.Optional;
import com.amazonaws.services.kms.model.GetPublicKeyRequest;
import com.amazonaws.services.kms.model.SignRequest;
import com.amazonaws.services.kms.model.SignResult;
import com.amazonaws.services.kms.model.SigningAlgorithmSpec;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.impl.ECDSA;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import static uk.gov.di.authentication.shared.helpers.HashHelper.hashSha256String;

public SignedJWT generateSignedJWT(JWTClaimsSet claimsSet, Optional<String> type) {
    // The header "kid" is the SHA-256 hash of the key identifier KMS returns, matching the JWK built by TokenValidationService.
    var signingKeyId = kmsConnectionService.getPublicKey(new GetPublicKeyRequest().withKeyId(configService.getTokenSigningKeyAlias())).getKeyId();
    try {
        var jwsHeader = new JWSHeader.Builder(TOKEN_ALGORITHM).keyID(hashSha256String(signingKeyId));
        type.map(JOSEObjectType::new).ifPresent(jwsHeader::type);
        // JWS signing input is base64url(header) "." base64url(claims).
        Base64URL encodedHeader = jwsHeader.build().toBase64URL();
        Base64URL encodedClaims = Base64URL.encode(claimsSet.toString());
        String message = encodedHeader + "." + encodedClaims;
        ByteBuffer messageToSign = ByteBuffer.wrap(message.getBytes());
        // The private key never leaves KMS: the raw signing input is sent and KMS hashes and signs it
        // (raw messages are limited to 4096 bytes; larger inputs must be pre-hashed and sent as a DIGEST).
        SignRequest signRequest = new SignRequest();
        signRequest.setMessage(messageToSign);
        signRequest.setKeyId(configService.getTokenSigningKeyAlias());
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsConnectionService.sign(signRequest);
        LOG.info("Token has been signed successfully");
        // KMS returns a DER-encoded ECDSA signature; JWS requires the fixed-length R||S concatenation (64 bytes for ES256).
        String signature = Base64URL.encode(ECDSA.transcodeSignatureToConcat(signResult.getSignature().array(), ECDSA.getSignatureByteArrayLength(TOKEN_ALGORITHM))).toString();
        return SignedJWT.parse(message + "." + signature);
    } catch (java.text.ParseException | JOSEException e) {
        LOG.error("Exception thrown when trying to parse SignedJWT or JWTClaimSet", e);
        throw new RuntimeException(e);
    }
}
Also used: SignResult (com.amazonaws.services.kms.model.SignResult), SignRequest (com.amazonaws.services.kms.model.SignRequest), HashHelper.hashSha256String (uk.gov.di.authentication.shared.helpers.HashHelper.hashSha256String), ByteBuffer (java.nio.ByteBuffer), Base64URL (com.nimbusds.jose.util.Base64URL), GetPublicKeyRequest (com.amazonaws.services.kms.model.GetPublicKeyRequest), ParseException (com.nimbusds.oauth2.sdk.ParseException), JOSEException (com.nimbusds.jose.JOSEException), JWSHeader (com.nimbusds.jose.JWSHeader)

Example 5 with GetPublicKeyRequest

Use of com.amazonaws.services.kms.model.GetPublicKeyRequest in project di-authentication-api by alphagov.

Class KmsConnectionService, method warmUp:

import com.amazonaws.services.kms.model.GetPublicKeyRequest;

// Issues a cheap GetPublicKey call at start-up so the KMS client's connection and credentials are
// initialised before the first real signing request; kmsClient and LOG are fields of the class.
private void warmUp(String keyId) {
    GetPublicKeyRequest request = new GetPublicKeyRequest();
    request.setKeyId(keyId);
    try {
        kmsClient.getPublicKey(request);
    } catch (Exception e) {
        // The result is discarded and failure is only logged, so a warm-up miss never blocks start-up.
        LOG.info("Unable to retrieve Public Key whilst warming up");
    }
}
Also used: GetPublicKeyRequest (com.amazonaws.services.kms.model.GetPublicKeyRequest)

Aggregations (type, fully qualified name, number of examples using it):

GetPublicKeyRequest (com.amazonaws.services.kms.model.GetPublicKeyRequest): 5
GetPublicKeyResult (com.amazonaws.services.kms.model.GetPublicKeyResult): 3
Algorithm (com.nimbusds.jose.Algorithm): 2
JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm): 2
PublicKey (java.security.PublicKey): 2
ECPublicKey (java.security.interfaces.ECPublicKey): 2
AWSKMS (com.amazonaws.services.kms.AWSKMS): 1
SignRequest (com.amazonaws.services.kms.model.SignRequest): 1
SignResult (com.amazonaws.services.kms.model.SignResult): 1
JOSEException (com.nimbusds.jose.JOSEException): 1
JWSHeader (com.nimbusds.jose.JWSHeader): 1
ECKey (com.nimbusds.jose.jwk.ECKey): 1
Base64URL (com.nimbusds.jose.util.Base64URL): 1
ParseException (com.nimbusds.oauth2.sdk.ParseException): 1
ByteBuffer (java.nio.ByteBuffer): 1
SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo): 1
PEMException (org.bouncycastle.openssl.PEMException): 1
JcaPEMKeyConverter (org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter): 1
HashHelper.hashSha256String (uk.gov.di.authentication.shared.helpers.HashHelper.hashSha256String): 1