Use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.
Class DocAppCriServiceTest, method signJWTWithKMS.
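/**
 * Stubs {@code kmsService.sign} so that any {@link SignRequest} is answered with a
 * DER-encoded ES256 signature produced locally over a freshly generated P-256 key.
 *
 * <p>The stub matches {@code any(SignRequest.class)} and never inspects the request, so
 * the returned signature is computed over the locally built client-authentication JWT,
 * not over whatever message the code under test actually sends to KMS. Tests using this
 * helper therefore cannot verify the request contents, only that a well-formed DER
 * signature is handed back (the production code transcodes it from DER to the JWS
 * R||S form).
 *
 * @throws JOSEException if local key generation or signing fails
 */
private void signJWTWithKMS() throws JOSEException {
    var ecSigningKey = new ECKeyGenerator(Curve.P_256).keyID(KEY_ID).algorithm(JWSAlgorithm.ES256).generate();
    var tokenAudience = new Audience(buildURI(CRI_URI.toString(), "token"));
    var claimsSet = new JWTAuthenticationClaimsSet(
            new ClientID(CLIENT_ID),
            singletonList(tokenAudience),
            NowHelper.nowPlus(5, ChronoUnit.MINUTES),
            null,
            NowHelper.now(),
            new JWTID());
    var jwsHeader = new JWSHeader.Builder(JWSAlgorithm.ES256).keyID(ecSigningKey.getKeyID()).build();
    var signedJWT = new SignedJWT(jwsHeader, claimsSet.toJWTClaimsSet());
    // This method already declares JOSEException, so sign directly instead of routing the
    // call through unchecked(...), which would hide the checked type inside a RuntimeException.
    signedJWT.sign(new ECDSASigner(ecSigningKey));

    var signResult = new SignResult();
    byte[] signatureDer = ECDSA.transcodeSignatureToDER(signedJWT.getSignature().decode());
    signResult.setSignature(ByteBuffer.wrap(signatureDer));
    signResult.setKeyId(KEY_ID);
    signResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    when(kmsService.sign(any(SignRequest.class))).thenReturn(signResult);
}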
Use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.
Class IPVAuthorisationServiceTest, method shouldConstructASignedRequestJWT.
/**
 * Checks that {@code constructRequestJWT} returns an encrypted request object whose inner
 * signed JWT carries the expected OIDC request claims.
 *
 * <p>The KMS dependency is stubbed: {@code kmsConnectionService.sign} answers every
 * {@link SignRequest} with a DER-encoded ES256 signature computed locally over an empty
 * claims set. The test therefore pins the claim contents, not the validity of the
 * signature over those claims.
 */
@Test
void shouldConstructASignedRequestJWT() throws JOSEException, ParseException {
    // Local key and a throwaway JWT whose signature the KMS stub will hand back.
    var localSigningKey = new ECKeyGenerator(Curve.P_256).keyID(KEY_ID).algorithm(JWSAlgorithm.ES256).generate();
    var locallySigned = new SignedJWT(new JWSHeader(JWSAlgorithm.ES256), new JWTClaimsSet.Builder().build());
    locallySigned.sign(new ECDSASigner(localSigningKey));

    var stubbedResult = new SignResult();
    byte[] derSignature = ECDSA.transcodeSignatureToDER(locallySigned.getSignature().decode());
    stubbedResult.setSignature(ByteBuffer.wrap(derSignature));
    stubbedResult.setKeyId(KEY_ID);
    stubbedResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    when(kmsConnectionService.sign(any(SignRequest.class))).thenReturn(stubbedResult);

    var state = new State();
    var nonce = new Nonce();
    var scope = new Scope(OIDCScopeValue.OPENID);
    var pairwise = new Subject("pairwise-identifier");
    var claims = "{\"name\":{\"essential\":true}}";

    var encryptedJWT = authorisationService.constructRequestJWT(state, nonce, scope, pairwise, claims);
    var requestClaims = decryptJWT(encryptedJWT).getJWTClaimsSet();

    assertThat(requestClaims.getClaim("client_id"), equalTo(IPV_CLIENT_ID));
    assertThat(requestClaims.getClaim("state"), equalTo(state.getValue()));
    assertThat(requestClaims.getClaim("nonce"), equalTo(nonce.getValue()));
    assertThat(requestClaims.getSubject(), equalTo(pairwise.getValue()));
    assertThat(requestClaims.getClaim("scope"), equalTo(scope.toString()));
    assertThat(requestClaims.getIssuer(), equalTo(IPV_CLIENT_ID));
    assertThat(requestClaims.getAudience(), equalTo(singletonList(IPV_URI.toString())));
    assertThat(requestClaims.getClaim("response_type"), equalTo("code"));
    assertThat(requestClaims.getClaim("claims"), equalTo(claims));
}
Use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.
Class TokenService, method generateSignedJWT.
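/**
 * Builds a JWT for {@code claimsSet} and signs it through KMS with the configured token
 * signing key.
 *
 * <p>The header's {@code kid} is the SHA-256 hash of the KMS key id resolved from the
 * configured alias. The signature KMS returns is in DER form and is transcoded to the
 * fixed-length R||S concatenation JWS expects before the compact serialisation is parsed.
 *
 * @param claimsSet the claims to embed in the token
 * @param type optional JOSE {@code typ} header value; absent means no {@code typ} header
 * @return the signed JWT in compact serialisation
 * @throws RuntimeException wrapping a {@link JOSEException} or
 *     {@link java.text.ParseException} if signature transcoding or parsing fails
 */
public SignedJWT generateSignedJWT(JWTClaimsSet claimsSet, Optional<String> type) {
    var signingKeyAlias = configService.getTokenSigningKeyAlias();
    var signingKeyId = kmsConnectionService
            .getPublicKey(new GetPublicKeyRequest().withKeyId(signingKeyAlias))
            .getKeyId();
    try {
        var headerBuilder = new JWSHeader.Builder(TOKEN_ALGORITHM).keyID(hashSha256String(signingKeyId));
        type.map(JOSEObjectType::new).ifPresent(headerBuilder::type);
        Base64URL encodedHeader = headerBuilder.build().toBase64URL();
        Base64URL encodedClaims = Base64URL.encode(claimsSet.toString());
        String signingInput = encodedHeader + "." + encodedClaims;

        SignRequest signRequest = new SignRequest();
        // Explicit charset: String.getBytes() without one uses the platform default. The
        // signing input is base64url (ASCII), so UTF-8 yields exactly those bytes.
        signRequest.setMessage(ByteBuffer.wrap(signingInput.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
        signRequest.setKeyId(signingKeyAlias);
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsConnectionService.sign(signRequest);
        LOG.info("Token has been signed successfully");

        // Copy the remaining bytes instead of calling array(): array() returns the whole
        // backing array regardless of position/limit and throws for read-only or direct
        // buffers, so relying on it depends on how the SDK happened to build the buffer.
        byte[] derSignature = remainingBytes(signResult.getSignature());
        byte[] joseSignature = ECDSA.transcodeSignatureToConcat(
                derSignature, ECDSA.getSignatureByteArrayLength(TOKEN_ALGORITHM));
        String signature = Base64URL.encode(joseSignature).toString();
        return SignedJWT.parse(signingInput + "." + signature);
    } catch (java.text.ParseException | JOSEException e) {
        LOG.error("Exception thrown when trying to parse SignedJWT or JWTClaimSet", e);
        throw new RuntimeException(e);
    }
}

/**
 * Returns a copy of the bytes between {@code buffer}'s position and limit without
 * changing the buffer's own position.
 */
private static byte[] remainingBytes(ByteBuffer buffer) {
    ByteBuffer view = buffer.asReadOnlyBuffer();
    byte[] bytes = new byte[view.remaining()];
    view.get(bytes);
    return bytes;
}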
Use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.
Class TokenServiceTest, method createSignedIdToken.
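/**
 * Stubs {@code kmsConnectionService.sign} to answer any {@link SignRequest} with a
 * DER-encoded ES256 signature taken from an ID token signed locally over a fresh P-256 key.
 *
 * <p>The stub never inspects the request, so a test relying on it cannot verify which
 * message or key id was sent to KMS; it only guarantees the service receives a
 * well-formed DER signature to transcode.
 *
 * @throws JOSEException if local key generation or signing fails
 */
private void createSignedIdToken() throws JOSEException {
    ECKey ecSigningKey = new ECKeyGenerator(Curve.P_256).keyID(KEY_ID).algorithm(JWSAlgorithm.ES256).generate();
    // The ECKey overload signs the token itself; the ECDSASigner the original built here
    // was never used.
    SignedJWT signedIdToken = createSignedIdToken(ecSigningKey);

    SignResult idTokenSignedResult = new SignResult();
    byte[] idTokenSignatureDer = ECDSA.transcodeSignatureToDER(signedIdToken.getSignature().decode());
    idTokenSignedResult.setSignature(ByteBuffer.wrap(idTokenSignatureDer));
    idTokenSignedResult.setKeyId(KEY_ID);
    idTokenSignedResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    when(kmsConnectionService.sign(any(SignRequest.class))).thenReturn(idTokenSignedResult);
}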
Use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.
Class TokenServiceTest, method createSignedAccessToken.
/**
 * Stubs {@code kmsConnectionService.sign} to answer any {@link SignRequest} with a
 * DER-encoded ES256 signature lifted from an access token signed locally via
 * {@code TokenGeneratorHelper} over a fresh P-256 key.
 *
 * <p>Because the stub matches every request, it does not check the message or key id the
 * code under test sends to KMS; it only supplies a well-formed DER signature.
 *
 * @throws JOSEException if local key generation or signing fails
 */
private void createSignedAccessToken() throws JOSEException {
    ECKey localKey = new ECKeyGenerator(Curve.P_256).keyID(KEY_ID).algorithm(JWSAlgorithm.ES256).generate();
    SignedJWT locallySignedToken = TokenGeneratorHelper.generateSignedToken(
            CLIENT_ID,
            BASE_URL,
            SCOPES.toStringList(),
            new ECDSASigner(localKey),
            PUBLIC_SUBJECT,
            localKey.getKeyID());

    byte[] derSignature = ECDSA.transcodeSignatureToDER(locallySignedToken.getSignature().decode());
    SignResult stubbedResult = new SignResult();
    stubbedResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    stubbedResult.setKeyId(KEY_ID);
    stubbedResult.setSignature(ByteBuffer.wrap(derSignature));
    when(kmsConnectionService.sign(any(SignRequest.class))).thenReturn(stubbedResult);
}