
Example 1 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-ipv-cri-uk-passport-back by alphagov.

the class KmsSigner method sign.

@Override
public Base64URL sign(JWSHeader header, byte[] signingInput) throws JOSEException {
    // Hash locally and send only the digest (MessageType.DIGEST): the signing input never
    // leaves the process, and the 4096-byte cap on RAW messages does not apply.
    byte[] signingInputHash;
    try {
        signingInputHash = MessageDigest.getInstance("SHA-256").digest(signingInput);
    } catch (NoSuchAlgorithmException e) {
        throw new JOSEException(e.getMessage());
    }
    SignRequest signRequest = new SignRequest()
            .withSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString())
            .withKeyId(keyId)
            .withMessage(ByteBuffer.wrap(signingInputHash))
            .withMessageType(MessageType.DIGEST);
    SignResult signResult = kmsClient.sign(signRequest);
    // KMS returns ECDSA signatures DER-encoded; a JWS (RFC 7518 section 3.4) carries the raw
    // 64-byte R||S concatenation, so transcode before base64url-encoding, as Examples 3 and 5 do.
    byte[] concatSignature = ECDSA.transcodeSignatureToConcat(
            signResult.getSignature().array(),
            ECDSA.getSignatureByteArrayLength(JWSAlgorithm.ES256));
    return Base64URL.encode(concatSignature);
}
Also used : SignResult(com.amazonaws.services.kms.model.SignResult) SignRequest(com.amazonaws.services.kms.model.SignRequest) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) JOSEException(com.nimbusds.jose.JOSEException) JWSAlgorithm(com.nimbusds.jose.JWSAlgorithm) ECDSA(com.nimbusds.jose.crypto.impl.ECDSA) Base64URL(com.nimbusds.jose.util.Base64URL)

Example 2 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project documentproduction by qld-gov-au.

the class AwsKmsContentSigner method getSignature.

@Override
public byte[] getSignature() {
    // A fresh client per signature works but is costly; a shared, long-lived AWSKMS instance is the usual choice.
    AWSKMS kmsClient = AWSKMSClientBuilder.standard().withRegion(region).build();
    // The buffered content is sent RAW, so KMS computes the digest itself (RAW input is capped at 4096 bytes).
    ByteBuffer message = ByteBuffer.wrap(outputStream.toByteArray());
    SignRequest signRequest = new SignRequest()
            .withSigningAlgorithm(signingAlgorithmSpec)
            .withKeyId(key)
            .withMessageType(MessageType.RAW)
            .withMessage(message);
    SignResult signResult = kmsClient.sign(signRequest);
    // Returned unchanged: for ECDSA keys this is DER, which is the encoding a CMS/PKCS#7 or PDF signature expects.
    return signResult.getSignature().array();
}
Also used : SignResult(com.amazonaws.services.kms.model.SignResult) SignRequest(com.amazonaws.services.kms.model.SignRequest) ByteBuffer(java.nio.ByteBuffer) AWSKMS(com.amazonaws.services.kms.AWSKMS)

Example 3 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.

the class TokenService method generateSignedJWT.

private SignedJWT generateSignedJWT(JWTClaimsSet claimsSet) {
    try {
        // The KMS key alias doubles as the JWS "kid", so verifiers can select the matching public key.
        JWSHeader jwsHeader = new JWSHeader.Builder(TOKEN_ALGORITHM)
                .keyID(configService.getTokenSigningKeyAlias())
                .build();
        Base64URL encodedHeader = jwsHeader.toBase64URL();
        Base64URL encodedClaims = Base64URL.encode(claimsSet.toString());
        // JWS signing input: base64url(header) "." base64url(payload); base64url is pure ASCII.
        String message = encodedHeader + "." + encodedClaims;
        ByteBuffer messageToSign = ByteBuffer.wrap(message.getBytes(StandardCharsets.US_ASCII));
        // MessageType defaults to RAW: KMS hashes the input with SHA-256 itself. RAW input is capped
        // at 4096 bytes; larger tokens must be hashed locally and sent as DIGEST (as in Example 1).
        SignRequest signRequest = new SignRequest();
        signRequest.setMessage(messageToSign);
        signRequest.setKeyId(configService.getTokenSigningKeyAlias());
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsConnectionService.sign(signRequest);
        LOG.info("Token has been signed successfully");
        // KMS hands back a DER-encoded ECDSA signature; JWS ES256 requires the 64-byte R||S form.
        String signature = Base64URL.encode(
                ECDSA.transcodeSignatureToConcat(
                        signResult.getSignature().array(),
                        ECDSA.getSignatureByteArrayLength(TOKEN_ALGORITHM)))
                .toString();
        return SignedJWT.parse(message + "." + signature);
    } catch (java.text.ParseException | JOSEException e) {
        LOG.error("Exception thrown when trying to parse SignedJWT or JWTClaimSet", e);
        throw new RuntimeException(e);
    }
}
Also used : SignResult(com.amazonaws.services.kms.model.SignResult) SignRequest(com.amazonaws.services.kms.model.SignRequest) ParseException(com.nimbusds.oauth2.sdk.ParseException) ByteBuffer(java.nio.ByteBuffer) StandardCharsets(java.nio.charset.StandardCharsets) JOSEException(com.nimbusds.jose.JOSEException) JWSHeader(com.nimbusds.jose.JWSHeader) ECDSA(com.nimbusds.jose.crypto.impl.ECDSA) Base64URL(com.nimbusds.jose.util.Base64URL)

Example 4 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.

the class AuditServiceTest method beforeEach.

@BeforeEach
void beforeEach() {
    // Stand-in SignResult: the bytes are not a real (DER) ECDSA signature, so this stub only suits
    // code that treats the signature as opaque bytes, not code that transcodes it for a JWS.
    var stubSignature = new SignResult().withSignature(ByteBuffer.wrap("signature".getBytes()));
    when(kmsConnectionService.sign(any(SignRequest.class))).thenReturn(stubSignature);
    MockitoAnnotations.openMocks(this);
}
Also used : SignResult(com.amazonaws.services.kms.model.SignResult) SignRequest(com.amazonaws.services.kms.model.SignRequest) BeforeEach(org.junit.jupiter.api.BeforeEach)

Example 5 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.

the class TokenSigningExtension method signJwt.

public SignedJWT signJwt(JWTClaimsSet claimsSet) {
    try {
        JWSHeader jwsHeader = new JWSHeader.Builder(JWSAlgorithm.ES256).keyID(getKeyAlias()).build();
        Base64URL encodedHeader = jwsHeader.toBase64URL();
        Base64URL encodedClaims = Base64URL.encode(claimsSet.toString());
        String message = encodedHeader + "." + encodedClaims;
        // RAW message: KMS computes the SHA-256 digest (ECDSA_SHA_256) before signing.
        ByteBuffer messageToSign = ByteBuffer.wrap(message.getBytes(StandardCharsets.US_ASCII));
        SignRequest signRequest = new SignRequest();
        signRequest.setMessage(messageToSign);
        signRequest.setKeyId(getKeyAlias());
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsConnectionService.sign(signRequest);
        // DER from KMS -> 64-byte R||S for ES256, then base64url.
        String signature = Base64URL.encode(
                ECDSA.transcodeSignatureToConcat(
                        signResult.getSignature().array(),
                        ECDSA.getSignatureByteArrayLength(JWSAlgorithm.ES256)))
                .toString();
        return SignedJWT.parse(message + "." + signature);
    } catch (java.text.ParseException | JOSEException e) {
        throw new RuntimeException(e);
    }
}
Also used : SignResult(com.amazonaws.services.kms.model.SignResult) SignRequest(com.amazonaws.services.kms.model.SignRequest) ByteBuffer(java.nio.ByteBuffer) StandardCharsets(java.nio.charset.StandardCharsets) JOSEException(com.nimbusds.jose.JOSEException) JWSHeader(com.nimbusds.jose.JWSHeader) ECDSA(com.nimbusds.jose.crypto.impl.ECDSA) Base64URL(com.nimbusds.jose.util.Base64URL)
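The transcoding step that Examples 3 and 5 delegate to ECDSA.transcodeSignatureToConcat (and that any ES256 signer built on KMS Sign needs, because KMS returns DER for every ECDSA signing algorithm) is shown here as an added example that is not code from any of the projects above. It is standard-library Python only: KMS is stood in for by a constructed DER signature, so nothing is cryptographically verified; the point is the byte layout, in particular the two cases that bite in practice, an r whose top bit is set (DER prepends a 0x00 that must be dropped) and a short s (DER strips leading zeros that must be restored to 32 bytes). The names kms_sign, SAMPLE_DER, demo_jws and the kid value are chosen for this example.

```python
"""Added example, not code from the projects above: DER <-> R||S transcoding for
ECDSA signatures returned by KMS Sign, plus compact-JWS assembly around it.
Standard library only; KMS is replaced by a constructed DER signature."""
import base64
import json
from typing import Callable, Tuple

COORD_LEN = 32  # P-256 / ES256: r and s are each 32 bytes in a JWS


def _b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _read_der_int(der: bytes, pos: int) -> Tuple[int, int]:
    """Parse one short-form DER INTEGER at pos; return (value, next position)."""
    if pos + 2 > len(der) or der[pos] != 0x02:
        raise ValueError("expected DER INTEGER")
    length = der[pos + 1]
    if length & 0x80:  # long-form lengths never occur for P-256 signatures
        raise ValueError("unsupported long-form length")
    body = der[pos + 2:pos + 2 + length]
    if len(body) != length:
        raise ValueError("truncated INTEGER")
    return int.from_bytes(body, "big", signed=True), pos + 2 + length


def der_to_concat(der: bytes, coord_len: int = COORD_LEN) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s } -> r || s, each left-padded to coord_len bytes.

    Same job as ECDSA.transcodeSignatureToConcat in Examples 3 and 5: KMS returns DER,
    RFC 7518 section 3.4 wants the fixed-width concatenation.
    """
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or der[1] + 2 != len(der):
        raise ValueError("expected a short-form DER SEQUENCE spanning the whole input")
    r, pos = _read_der_int(der, 2)
    s, pos = _read_der_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    limit = coord_len * 8
    if not (0 < r and 0 < s and r.bit_length() <= limit and s.bit_length() <= limit):
        raise ValueError("r or s out of range for the curve")
    # to_bytes restores the leading zeros that DER stripped from a short r or s
    return r.to_bytes(coord_len, "big") + s.to_bytes(coord_len, "big")


def _der_int(value: int) -> bytes:
    # one extra byte when the top bit is set keeps the INTEGER positive
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(body)]) + body


def concat_to_der(sig: bytes) -> bytes:
    """Inverse: r || s -> DER, e.g. to hand a JWS signature to a DER-only verifier."""
    if len(sig) % 2:
        raise ValueError("odd-length r||s signature")
    half = len(sig) // 2
    body = _der_int(int.from_bytes(sig[:half], "big")) + _der_int(int.from_bytes(sig[half:], "big"))
    return b"\x30" + bytes([len(body)]) + body


def build_es256_jws(header: dict, claims: dict, kms_sign: Callable[[bytes], bytes]) -> str:
    """Compact JWS: b64url(header).b64url(claims).b64url(r||s).

    kms_sign takes the ASCII signing input and returns the DER bytes of
    SignResult.getSignature(); in production it wraps KMS Sign with ECDSA_SHA_256.
    """
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8")))
    der = kms_sign(signing_input.encode("ascii"))
    return signing_input + "." + _b64url(der_to_concat(der))


def jws_signature(jws: str) -> bytes:
    """The raw signature segment of a compact JWS."""
    return _b64url_decode(jws.split(".")[2])


# Constructed sample (not a real KMS output): r has its top bit set, so DER carries a
# leading 0x00; s is tiny, so DER encodes it in two bytes and the JWS form needs 30 zeros.
SAMPLE_R = b"\x80" + b"\x11" * 31
SAMPLE_S = b"\x00" * 30 + b"\x01\x23"
SAMPLE_CONCAT = SAMPLE_R + SAMPLE_S
SAMPLE_DER = b"\x30\x27" + b"\x02\x21\x00" + SAMPLE_R + b"\x02\x02\x01\x23"


def demo_jws() -> str:
    """Sign a token with a fake KMS that always returns SAMPLE_DER."""
    header = {"alg": "ES256", "kid": "alias/token-signing-key"}  # kid chosen for this example
    claims = {"iss": "https://issuer.example", "sub": "user-1", "exp": 1700000000}
    return build_es256_jws(header, claims, lambda _input: SAMPLE_DER)


if __name__ == "__main__":
    assert der_to_concat(SAMPLE_DER) == SAMPLE_CONCAT
    assert concat_to_der(SAMPLE_CONCAT) == SAMPLE_DER
    print(demo_jws())
```

Swapping the lambda in demo_jws for a call to KMS Sign (RAW message, ECDSA_SHA_256, signature taken from SignResult) gives a working signer; a verifier that receives a DER signature inside a JWS, as Example 1 originally produced, rejects the token because the 70-to-72-byte DER blob is not the 64-byte R||S that ES256 specifies.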

Aggregations

SignRequest (com.amazonaws.services.kms.model.SignRequest) 14
SignResult (com.amazonaws.services.kms.model.SignResult) 14
JOSEException (com.nimbusds.jose.JOSEException) 6
ECDSASigner (com.nimbusds.jose.crypto.ECDSASigner) 6
ECKeyGenerator (com.nimbusds.jose.jwk.gen.ECKeyGenerator) 6
SignedJWT (com.nimbusds.jwt.SignedJWT) 6
JWSHeader (com.nimbusds.jose.JWSHeader) 5
Base64URL (com.nimbusds.jose.util.Base64URL) 4
ParseException (com.nimbusds.oauth2.sdk.ParseException) 4
ByteBuffer (java.nio.ByteBuffer) 4
ECKey (com.nimbusds.jose.jwk.ECKey) 2
JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet) 2
JWTAuthenticationClaimsSet (com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet) 2
PrivateKeyJWT (com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) 2
Audience (com.nimbusds.oauth2.sdk.id.Audience) 2
ClientID (com.nimbusds.oauth2.sdk.id.ClientID) 2
JWTID (com.nimbusds.oauth2.sdk.id.JWTID) 2
State (com.nimbusds.oauth2.sdk.id.State) 2
Subject (com.nimbusds.oauth2.sdk.id.Subject) 2
Test (org.junit.jupiter.api.Test) 2