use of com.amazonaws.services.kms.model.SignRequest in project di-ipv-cri-uk-passport-back by alphagov.
the class KmsSigner method sign.
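@Override
public Base64URL sign(JWSHeader header, byte[] signingInput) throws JOSEException {
    // Nimbus JWSSigner contract: sign the raw signing input and return the
    // base64url-encoded signature. The header is not consulted here; the
    // algorithm is fixed to ECDSA_SHA_256 by this class.
    //
    // Hash locally and send only the digest (MessageType.DIGEST) so the full
    // signing input never leaves the process; ECDSA_SHA_256 expects a
    // SHA-256 digest.
    byte[] signingInputHash;
    try {
        signingInputHash = MessageDigest.getInstance("SHA-256").digest(signingInput);
    } catch (NoSuchAlgorithmException e) {
        // Keep the original exception as the cause instead of flattening it
        // to its message, so the failure stays diagnosable.
        throw new JOSEException(e.getMessage(), e);
    }
    SignRequest signRequest = new SignRequest()
            .withSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString())
            .withKeyId(keyId)
            .withMessage(ByteBuffer.wrap(signingInputHash))
            .withMessageType(MessageType.DIGEST);
    SignResult signResult = kmsClient.sign(signRequest);
    // NOTE(review): KMS returns ECDSA signatures DER-encoded, whereas JWS
    // ES256 expects the fixed-length R||S concatenation. Nothing in this
    // method transcodes the signature, so confirm the caller (or a wrapper)
    // handles that — TODO confirm.
    return new Base64URL(b64UrlEncoder.encodeToString(signResult.getSignature().array()));
}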
use of com.amazonaws.services.kms.model.SignRequest in project documentproduction by qld-gov-au.
the class AwsKmsContentSigner method getSignature.
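@Override
public byte[] getSignature() {
    // A fresh KMS client is built on every call. Shut it down when done so its
    // HTTP connection pool and background threads are released rather than
    // leaked on each signature.
    AWSKMS kmsClient = AWSKMSClientBuilder.standard().withRegion(region).build();
    try {
        // MessageType.RAW: KMS hashes the content server-side using the hash
        // implied by signingAlgorithmSpec. NOTE(review): RAW messages are
        // subject to KMS's small per-request size limit (4096 bytes per the
        // AWS documentation); if outputStream can exceed that, hash locally
        // and send MessageType.DIGEST instead — TODO confirm expected sizes.
        ByteBuffer message = ByteBuffer.wrap(outputStream.toByteArray());
        SignRequest signRequest = new SignRequest()
                .withSigningAlgorithm(signingAlgorithmSpec)
                .withKeyId(key)
                .withMessageType(MessageType.RAW)
                .withMessage(message);
        SignResult signResult = kmsClient.sign(signRequest);
        // Signature bytes exactly as KMS returned them (encoding depends on
        // the key type / signingAlgorithmSpec; not transcoded here).
        return signResult.getSignature().array();
    } finally {
        kmsClient.shutdown();
    }
}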
use of com.amazonaws.services.kms.model.SignRequest in project di-authentication-api by alphagov.
the class TokenService method generateSignedJWT.
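/**
 * Builds and signs a JWT for the given claims using KMS (ECDSA P-256 / SHA-256).
 *
 * <p>The JWS header's {@code kid} is the configured KMS signing key alias. The
 * signing input {@code base64url(header) + "." + base64url(claims)} is sent to
 * KMS as a RAW message; the DER signature KMS returns is transcoded to the
 * R||S concatenation that JWS requires before the token is assembled.
 *
 * @param claimsSet the claims to sign
 * @return the parsed, signed JWT
 * @throws RuntimeException wrapping a {@link java.text.ParseException} or
 *     {@link JOSEException} if the token cannot be assembled
 */
private SignedJWT generateSignedJWT(JWTClaimsSet claimsSet) {
    try {
        JWSHeader jwsHeader =
                new JWSHeader.Builder(TOKEN_ALGORITHM)
                        .keyID(configService.getTokenSigningKeyAlias())
                        .build();
        Base64URL encodedHeader = jwsHeader.toBase64URL();
        Base64URL encodedClaims = Base64URL.encode(claimsSet.toString());
        String message = encodedHeader + "." + encodedClaims;
        // Encode with an explicit charset rather than the platform default so the
        // signed bytes are identical across environments.
        ByteBuffer messageToSign =
                ByteBuffer.wrap(message.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        SignRequest signRequest = new SignRequest();
        signRequest.setMessage(messageToSign);
        signRequest.setKeyId(configService.getTokenSigningKeyAlias());
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsConnectionService.sign(signRequest);
        LOG.info("Token has been signed successfully");
        // KMS returns a DER-encoded ECDSA signature; JWS needs fixed-length R||S.
        String signature =
                Base64URL.encode(
                                ECDSA.transcodeSignatureToConcat(
                                        signResult.getSignature().array(),
                                        ECDSA.getSignatureByteArrayLength(TOKEN_ALGORITHM)))
                        .toString();
        return SignedJWT.parse(message + "." + signature);
    } catch (java.text.ParseException | JOSEException e) {
        LOG.error("Exception thrown when trying to parse SignedJWT or JWTClaimSet", e);
        throw new RuntimeException(e);
    }
}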
use of com.amazonaws.services.kms.model.SignRequest in project di-authentication-api by alphagov.
the class TokenSigningExtension method signJwt.
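/**
 * Signs the given claims as an ES256 JWT via KMS.
 *
 * <p>The header's {@code kid} is the key alias returned by {@link #getKeyAlias()},
 * which is also the KMS key the request is sent to. The signing input is sent
 * to KMS as a RAW message and the DER-encoded signature KMS returns is
 * transcoded to the R||S form JWS requires.
 *
 * @param claimsSet the claims to sign
 * @return the parsed, signed JWT
 * @throws RuntimeException wrapping a {@link java.text.ParseException} or
 *     {@link JOSEException} if the token cannot be assembled
 */
public SignedJWT signJwt(JWTClaimsSet claimsSet) {
    try {
        JWSHeader jwsHeader =
                new JWSHeader.Builder(JWSAlgorithm.ES256).keyID(getKeyAlias()).build();
        Base64URL encodedHeader = jwsHeader.toBase64URL();
        Base64URL encodedClaims = Base64URL.encode(claimsSet.toString());
        String message = encodedHeader + "." + encodedClaims;
        // Explicit charset: avoid depending on the platform default encoding.
        ByteBuffer messageToSign =
                ByteBuffer.wrap(message.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        SignRequest signRequest = new SignRequest();
        signRequest.setMessage(messageToSign);
        signRequest.setKeyId(getKeyAlias());
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsConnectionService.sign(signRequest);
        // DER (from KMS) -> R||S concatenation (JWS ES256).
        String signature =
                Base64URL.encode(
                                ECDSA.transcodeSignatureToConcat(
                                        signResult.getSignature().array(),
                                        ECDSA.getSignatureByteArrayLength(JWSAlgorithm.ES256)))
                        .toString();
        return SignedJWT.parse(message + "." + signature);
    } catch (java.text.ParseException | JOSEException e) {
        throw new RuntimeException(e);
    }
}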
use of com.amazonaws.services.kms.model.SignRequest in project di-authentication-api by alphagov.
the class DocAppAuthorisationService method constructRequestJWT.
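/**
 * Builds the doc-app authorisation request JWT: a short-lived (3 minute) set of
 * claims, signed via KMS with the doc-app token signing key and then encrypted
 * by {@code encryptJWT}.
 *
 * <p>The signing input is sent to KMS as a RAW message; the DER-encoded ECDSA
 * signature KMS returns is transcoded to the R||S form JWS expects.
 *
 * @param state the OAuth state value to embed as the {@code state} claim
 * @param subject the subject identifier for the {@code sub} claim
 * @return the signed-then-encrypted request JWT
 * @throws RuntimeException wrapping a {@link ParseException} or
 *     {@link JOSEException} if the signed JWT cannot be assembled or encrypted
 */
public EncryptedJWT constructRequestJWT(State state, Subject subject) {
    LOG.info("Generating request JWT");
    var jwsHeader = new JWSHeader(SIGNING_ALGORITHM);
    var jwtID = IdGenerator.generate();
    var expiryDate = NowHelper.nowPlus(3, ChronoUnit.MINUTES);
    // Take a single timestamp so iat and nbf cannot differ by a tick.
    var issuedAt = NowHelper.now();
    var claimsBuilder =
            new JWTClaimsSet.Builder()
                    .issuer(configurationService.getDocAppAuthorisationClientId())
                    .audience(configurationService.getDocAppAuthorisationURI().toString())
                    .expirationTime(expiryDate)
                    .subject(subject.getValue())
                    .issueTime(issuedAt)
                    .notBeforeTime(issuedAt)
                    .jwtID(jwtID)
                    .claim("state", state.getValue())
                    .claim("nonce", new Nonce(IdGenerator.generate()).getValue())
                    .claim(
                            "redirect_uri",
                            configurationService.getDocAppAuthorisationCallbackURI().toString())
                    .claim("client_id", configurationService.getDocAppAuthorisationClientId())
                    .claim("response_type", ResponseType.CODE.toString());
    var encodedHeader = jwsHeader.toBase64URL();
    var encodedClaims = Base64URL.encode(claimsBuilder.build().toString());
    var message = encodedHeader + "." + encodedClaims;
    var signRequest = new SignRequest();
    // Explicit charset: avoid depending on the platform default encoding.
    signRequest.setMessage(
            ByteBuffer.wrap(message.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
    signRequest.setKeyId(configurationService.getDocAppTokenSigningKeyAlias());
    signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
    try {
        LOG.info("Signing request JWT");
        var signResult = kmsConnectionService.sign(signRequest);
        LOG.info("Request JWT has been signed successfully");
        // DER (from KMS) -> R||S concatenation (JWS).
        var signature =
                Base64URL.encode(
                                ECDSA.transcodeSignatureToConcat(
                                        signResult.getSignature().array(),
                                        ECDSA.getSignatureByteArrayLength(SIGNING_ALGORITHM)))
                        .toString();
        var signedJWT = SignedJWT.parse(message + "." + signature);
        var encryptedJWT = encryptJWT(signedJWT);
        LOG.info("Encrypted request JWT has been generated");
        return encryptedJWT;
    } catch (ParseException | JOSEException e) {
        LOG.error("Error when generating SignedJWT", e);
        throw new RuntimeException(e);
    }
}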