
Example 1 with SignRequest

Use of com.amazonaws.services.kms.model.SignRequest in project di-ipv-cri-uk-passport-back by alphagov.

The class KmsSigner, method sign.

import com.amazonaws.services.kms.model.SignRequest;
import com.amazonaws.services.kms.model.SignResult;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.util.Base64URL;
import java.security.NoSuchAlgorithmException;

// Nimbus JWSSigner whose private key never leaves AWS KMS: the signing input is hashed
// locally and only the SHA-256 digest is sent to KMS (MessageType.DIGEST).
@Override
public Base64URL sign(JWSHeader header, byte[] signingInput) throws JOSEException {
    byte[] signingInputHash;
    try {
        signingInputHash = MessageDigest.getInstance("SHA-256").digest(signingInput);
    } catch (NoSuchAlgorithmException e) {
        throw new JOSEException(e.getMessage());
    }
    SignRequest signRequest = new SignRequest()
            .withSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString())
            .withKeyId(keyId)
            .withMessage(ByteBuffer.wrap(signingInputHash))
            .withMessageType(MessageType.DIGEST);
    SignResult signResult = kmsClient.sign(signRequest);
    // KMS returns ECDSA signatures DER-encoded, whereas a JWS ES256 signature is the fixed-length
    // R||S concatenation; the caller must transcode before using this value as a JWS signature.
    return new Base64URL(b64UrlEncoder.encodeToString(signResult.getSignature().array()));
}

Example 2 with SignRequest

Use of com.amazonaws.services.kms.model.SignRequest in project documentproduction by qld-gov-au.

The class AwsKmsContentSigner, method getSignature.

import com.amazonaws.services.kms.AWSKMS;
import com.amazonaws.services.kms.AWSKMSClientBuilder;
import com.amazonaws.services.kms.model.SignRequest;
import com.amazonaws.services.kms.model.SignResult;
import java.nio.ByteBuffer;
// The content written to outputStream is sent to KMS whole (MessageType.RAW), so KMS hashes it itself;
// RAW messages are capped at 4096 bytes, so larger content has to be digested locally and sent as DIGEST.
@Override
public byte[] getSignature() {
    AWSKMS kmsClient = AWSKMSClientBuilder.standard().withRegion(region).build();
    ByteBuffer message = ByteBuffer.wrap(outputStream.toByteArray());
    SignRequest signRequest = new SignRequest()
            .withSigningAlgorithm(signingAlgorithmSpec)
            .withKeyId(key)
            .withMessageType(MessageType.RAW)
            .withMessage(message);
    SignResult signResult = kmsClient.sign(signRequest);
    return signResult.getSignature().array();
}

Example 3 with SignRequest

Use of com.amazonaws.services.kms.model.SignRequest in project di-authentication-api by alphagov.

The class TokenService, method generateSignedJWT.

import com.amazonaws.services.kms.model.SignRequest;
import com.amazonaws.services.kms.model.SignResult;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.util.Base64URL;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

private SignedJWT generateSignedJWT(JWTClaimsSet claimsSet) {
    try {
        // The KMS key alias doubles as the JWS "kid", so verifiers can select the matching public key.
        JWSHeader jwsHeader = new JWSHeader.Builder(TOKEN_ALGORITHM).keyID(configService.getTokenSigningKeyAlias()).build();
        Base64URL encodedHeader = jwsHeader.toBase64URL();
        Base64URL encodedClaims = Base64URL.encode(claimsSet.toString());
        // JWS signing input: BASE64URL(header) '.' BASE64URL(payload). It is pure ASCII, so the
        // charset is fixed explicitly instead of depending on the JVM default.
        String message = encodedHeader + "." + encodedClaims;
        ByteBuffer messageToSign = ByteBuffer.wrap(message.getBytes(StandardCharsets.US_ASCII));
        // The whole signing input is sent (default MessageType.RAW); KMS computes the SHA-256 itself.
        SignRequest signRequest = new SignRequest();
        signRequest.setMessage(messageToSign);
        signRequest.setKeyId(configService.getTokenSigningKeyAlias());
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsConnectionService.sign(signRequest);
        LOG.info("Token has been signed successfully");
        // KMS returns a DER-encoded ECDSA signature; JWS ES256 requires the fixed-length R||S form.
        String signature = Base64URL.encode(ECDSA.transcodeSignatureToConcat(
                signResult.getSignature().array(),
                ECDSA.getSignatureByteArrayLength(TOKEN_ALGORITHM))).toString();
        return SignedJWT.parse(message + "." + signature);
    } catch (java.text.ParseException | JOSEException e) {
        LOG.error("Exception thrown when trying to parse SignedJWT or JWTClaimSet", e);
        throw new RuntimeException(e);
    }
}

Example 4 with SignRequest

Use of com.amazonaws.services.kms.model.SignRequest in project di-authentication-api by alphagov.

The class TokenSigningExtension, method signJwt.

import com.amazonaws.services.kms.model.SignRequest;
import com.amazonaws.services.kms.model.SignResult;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.util.Base64URL;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Test-extension variant of the same KMS-backed ES256 flow: raw signing input in,
// DER signature out, transcoded to R||S before the compact JWS is assembled.
public SignedJWT signJwt(JWTClaimsSet claimsSet) {
    try {
        JWSHeader jwsHeader = new JWSHeader.Builder(JWSAlgorithm.ES256).keyID(getKeyAlias()).build();
        Base64URL encodedHeader = jwsHeader.toBase64URL();
        Base64URL encodedClaims = Base64URL.encode(claimsSet.toString());
        String message = encodedHeader + "." + encodedClaims;
        // Explicit charset: the signing input is ASCII and must not depend on the JVM default.
        ByteBuffer messageToSign = ByteBuffer.wrap(message.getBytes(StandardCharsets.US_ASCII));
        SignRequest signRequest = new SignRequest();
        signRequest.setMessage(messageToSign);
        signRequest.setKeyId(getKeyAlias());
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsConnectionService.sign(signRequest);
        String signature = Base64URL.encode(ECDSA.transcodeSignatureToConcat(
                signResult.getSignature().array(),
                ECDSA.getSignatureByteArrayLength(JWSAlgorithm.ES256))).toString();
        return SignedJWT.parse(message + "." + signature);
    } catch (java.text.ParseException | JOSEException e) {
        throw new RuntimeException(e);
    }
}

Example 5 with SignRequest

Use of com.amazonaws.services.kms.model.SignRequest in project di-authentication-api by alphagov.

The class DocAppAuthorisationService, method constructRequestJWT.

import com.amazonaws.services.kms.model.SignRequest;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.openid.connect.sdk.Nonce;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;

// Builds the signed-then-encrypted request object sent to the Doc App authorisation endpoint.
public EncryptedJWT constructRequestJWT(State state, Subject subject) {
    LOG.info("Generating request JWT");
    var jwsHeader = new JWSHeader(SIGNING_ALGORITHM);
    var jwtID = IdGenerator.generate();
    // A 3-minute lifetime plus unique jti, nonce and state bound the window in which a captured request object is usable.
    var expiryDate = NowHelper.nowPlus(3, ChronoUnit.MINUTES);
    var claimsBuilder = new JWTClaimsSet.Builder()
            .issuer(configurationService.getDocAppAuthorisationClientId())
            .audience(configurationService.getDocAppAuthorisationURI().toString())
            .expirationTime(expiryDate)
            .subject(subject.getValue())
            .issueTime(NowHelper.now())
            .notBeforeTime(NowHelper.now())
            .jwtID(jwtID)
            .claim("state", state.getValue())
            .claim("nonce", new Nonce(IdGenerator.generate()).getValue())
            .claim("redirect_uri", configurationService.getDocAppAuthorisationCallbackURI().toString())
            .claim("client_id", configurationService.getDocAppAuthorisationClientId())
            .claim("response_type", ResponseType.CODE.toString());
    var encodedHeader = jwsHeader.toBase64URL();
    var encodedClaims = Base64URL.encode(claimsBuilder.build().toString());
    var message = encodedHeader + "." + encodedClaims;
    var signRequest = new SignRequest();
    // Signing input is ASCII; the charset is fixed rather than left to the JVM default.
    signRequest.setMessage(ByteBuffer.wrap(message.getBytes(StandardCharsets.US_ASCII)));
    signRequest.setKeyId(configurationService.getDocAppTokenSigningKeyAlias());
    signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
    try {
        LOG.info("Signing request JWT");
        var signResult = kmsConnectionService.sign(signRequest);
        LOG.info("Request JWT has been signed successfully");
        // DER-encoded signature from KMS -> fixed-length R||S required by JWS ES256.
        var signature = Base64URL.encode(ECDSA.transcodeSignatureToConcat(
                signResult.getSignature().array(),
                ECDSA.getSignatureByteArrayLength(SIGNING_ALGORITHM))).toString();
        var signedJWT = SignedJWT.parse(message + "." + signature);
        // Encrypting the signed JWT keeps the request claims confidential from anyone who observes the authorisation request.
        var encryptedJWT = encryptJWT(signedJWT);
        LOG.info("Encrypted request JWT has been generated");
        return encryptedJWT;
    } catch (ParseException | JOSEException e) {
        LOG.error("Error when generating SignedJWT", e);
        throw new RuntimeException(e);
    }
}
