
Example 6 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.

the class DocAppCriServiceTest method signJWTWithKMS.

/**
 * Stubs {@code kmsService.sign} with a genuine ES256 signature produced locally.
 * <p>
 * A throwaway P-256 key (kid {@code KEY_ID}) signs a client-authentication JWT built from a
 * {@link JWTAuthenticationClaimsSet} for {@code CLIENT_ID} with an audience derived from
 * {@code CRI_URI} and {@code "token"} and a five-minute expiry. The JWS R||S signature is
 * transcoded to DER, the encoding KMS returns for ECDSA, and handed back through a
 * {@link SignResult} for any {@link SignRequest}.
 *
 * @throws JOSEException if local key generation fails
 */
private void signJWTWithKMS() throws JOSEException {
    var signingKey = new ECKeyGenerator(Curve.P_256)
            .keyID(KEY_ID)
            .algorithm(JWSAlgorithm.ES256)
            .generate();
    var header = new JWSHeader.Builder(JWSAlgorithm.ES256)
            .keyID(signingKey.getKeyID())
            .build();
    var tokenAudience = new Audience(buildURI(CRI_URI.toString(), "token"));
    var authClaims = new JWTAuthenticationClaimsSet(
            new ClientID(CLIENT_ID),
            singletonList(tokenAudience),
            NowHelper.nowPlus(5, ChronoUnit.MINUTES),
            null,
            NowHelper.now(),
            new JWTID());
    var jwt = new SignedJWT(header, authClaims.toJWTClaimsSet());
    // sign() declares JOSEException; the project's unchecked() adapter lets it be used as a Consumer.
    unchecked(jwt::sign).accept(new ECDSASigner(signingKey));

    var stubbedResult = new SignResult();
    stubbedResult.setKeyId(KEY_ID);
    stubbedResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    // JWS carries R||S; KMS hands back DER, so transcode before stubbing.
    byte[] derSignature = ECDSA.transcodeSignatureToDER(jwt.getSignature().decode());
    stubbedResult.setSignature(ByteBuffer.wrap(derSignature));
    when(kmsService.sign(any(SignRequest.class))).thenReturn(stubbedResult);
}

Example 7 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.

the class IPVAuthorisationServiceTest method shouldConstructASignedRequestJWT.

/**
 * The request JWT produced by {@code authorisationService.constructRequestJWT}, once decrypted,
 * must carry the expected client_id/issuer, state, nonce, subject, scope, audience,
 * response_type and claims values.
 * <p>
 * KMS signing is stubbed: a throwaway JWT is signed with a locally generated P-256 key and its
 * R||S signature, transcoded to DER, is returned from {@code kmsConnectionService.sign}.
 */
@Test
void shouldConstructASignedRequestJWT() throws JOSEException, ParseException {
    var localKey = new ECKeyGenerator(Curve.P_256)
            .keyID(KEY_ID)
            .algorithm(JWSAlgorithm.ES256)
            .generate();
    var throwawayJwt = new SignedJWT(new JWSHeader(JWSAlgorithm.ES256), new JWTClaimsSet.Builder().build());
    throwawayJwt.sign(new ECDSASigner(localKey));
    byte[] derSignature = ECDSA.transcodeSignatureToDER(throwawayJwt.getSignature().decode());

    var kmsResult = new SignResult();
    kmsResult.setKeyId(KEY_ID);
    kmsResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    kmsResult.setSignature(ByteBuffer.wrap(derSignature));
    when(kmsConnectionService.sign(any(SignRequest.class))).thenReturn(kmsResult);

    var state = new State();
    var nonce = new Nonce();
    var scope = new Scope(OIDCScopeValue.OPENID);
    var pairwise = new Subject("pairwise-identifier");
    var claims = "{\"name\":{\"essential\":true}}";

    var requestJwt = authorisationService.constructRequestJWT(state, nonce, scope, pairwise, claims);
    var claimsSet = decryptJWT(requestJwt).getJWTClaimsSet();

    assertThat(claimsSet.getClaim("client_id"), equalTo(IPV_CLIENT_ID));
    assertThat(claimsSet.getClaim("state"), equalTo(state.getValue()));
    assertThat(claimsSet.getClaim("nonce"), equalTo(nonce.getValue()));
    assertThat(claimsSet.getSubject(), equalTo(pairwise.getValue()));
    assertThat(claimsSet.getClaim("scope"), equalTo(scope.toString()));
    assertThat(claimsSet.getIssuer(), equalTo(IPV_CLIENT_ID));
    assertThat(claimsSet.getAudience(), equalTo(singletonList(IPV_URI.toString())));
    assertThat(claimsSet.getClaim("response_type"), equalTo("code"));
    assertThat(claimsSet.getClaim("claims"), equalTo(claims));
}

Example 8 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.

the class TokenService method generateSignedJWT.

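/**
 * Signs {@code claimsSet} with the KMS token-signing key and returns the resulting JWS.
 * <p>
 * The {@code kid} header is the SHA-256 hash of the KMS key id rather than the id itself. The
 * signing input is the JWS compact form {@code BASE64URL(header) + "." + BASE64URL(claims)};
 * KMS signs it with ECDSA_SHA_256 and returns a DER signature, which is transcoded to the
 * R||S form JWS requires before the token is assembled and re-parsed.
 *
 * @param claimsSet claims to embed in the token
 * @param type optional JOSE {@code typ} header value; omitted from the header when empty
 * @return the signed JWT parsed from its compact serialisation
 * @throws RuntimeException wrapping a {@link JOSEException} (signature transcoding failed) or a
 *     {@link java.text.ParseException} (the assembled compact JWS did not parse)
 */
public SignedJWT generateSignedJWT(JWTClaimsSet claimsSet, Optional<String> type) {
    var signingKeyId = kmsConnectionService.getPublicKey(new GetPublicKeyRequest().withKeyId(configService.getTokenSigningKeyAlias())).getKeyId();
    try {
        var jwsHeader = new JWSHeader.Builder(TOKEN_ALGORITHM).keyID(hashSha256String(signingKeyId));
        type.map(JOSEObjectType::new).ifPresent(jwsHeader::type);
        Base64URL encodedHeader = jwsHeader.build().toBase64URL();
        Base64URL encodedClaims = Base64URL.encode(claimsSet.toString());
        String message = encodedHeader + "." + encodedClaims;
        // The compact signing input is ASCII, but getBytes() without a charset uses the platform
        // default (pre-Java 18), so name the encoding explicitly.
        ByteBuffer messageToSign = ByteBuffer.wrap(message.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        SignRequest signRequest = new SignRequest();
        signRequest.setMessage(messageToSign);
        signRequest.setKeyId(configService.getTokenSigningKeyAlias());
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsConnectionService.sign(signRequest);
        LOG.info("Token has been signed successfully");
        // Read exactly the buffer's remaining bytes instead of array(): the backing array can be
        // larger than the signature (offset/limit) or unavailable for a read-only buffer.
        byte[] derSignature = remainingBytes(signResult.getSignature());
        String signature = Base64URL.encode(ECDSA.transcodeSignatureToConcat(derSignature, ECDSA.getSignatureByteArrayLength(TOKEN_ALGORITHM))).toString();
        return SignedJWT.parse(message + "." + signature);
    } catch (java.text.ParseException | JOSEException e) {
        LOG.error("Exception thrown when trying to parse SignedJWT or JWTClaimSet", e);
        throw new RuntimeException(e);
    }
}

/**
 * Copies the remaining bytes of {@code buffer} into a fresh array.
 *
 * @param buffer source buffer; its position is left untouched (a duplicate is read)
 * @return the bytes from the buffer's position to its limit
 */
private static byte[] remainingBytes(ByteBuffer buffer) {
    ByteBuffer view = buffer.duplicate();
    byte[] out = new byte[view.remaining()];
    view.get(out);
    return out;
}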

Example 9 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.

the class TokenServiceTest method createSignedIdToken.

/**
 * Stubs {@code kmsConnectionService.sign} with a real ES256 signature over an ID token.
 * <p>
 * A locally generated P-256 key (kid {@code KEY_ID}) signs the token built by
 * {@code createSignedIdToken(ECKey)}; the JWS R||S signature is transcoded to DER, the encoding
 * KMS returns for ECDSA, and delivered through a {@link SignResult} for any {@link SignRequest}.
 *
 * @throws JOSEException if local key generation or signing fails
 */
private void createSignedIdToken() throws JOSEException {
    var localKey = new ECKeyGenerator(Curve.P_256)
            .keyID(KEY_ID)
            .algorithm(JWSAlgorithm.ES256)
            .generate();
    var localSigner = new ECDSASigner(localKey);
    var idToken = createSignedIdToken(localKey);

    var stubbedResult = new SignResult();
    stubbedResult.setKeyId(KEY_ID);
    stubbedResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    // JWS carries R||S; KMS hands back DER, so transcode before stubbing.
    byte[] derSignature = ECDSA.transcodeSignatureToDER(idToken.getSignature().decode());
    stubbedResult.setSignature(ByteBuffer.wrap(derSignature));
    when(kmsConnectionService.sign(any(SignRequest.class))).thenReturn(stubbedResult);
}

Example 10 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.

the class TokenServiceTest method createSignedAccessToken.

/**
 * Stubs {@code kmsConnectionService.sign} with a real ES256 signature over an access token.
 * <p>
 * A locally generated P-256 key (kid {@code KEY_ID}) signs an access token produced by
 * {@code TokenGeneratorHelper.generateSignedToken} for {@code CLIENT_ID}, {@code BASE_URL},
 * {@code SCOPES} and {@code PUBLIC_SUBJECT}; the JWS R||S signature is transcoded to DER, the
 * encoding KMS returns for ECDSA, and delivered through a {@link SignResult} for any
 * {@link SignRequest}.
 *
 * @throws JOSEException if local key generation or signing fails
 */
private void createSignedAccessToken() throws JOSEException {
    var localKey = new ECKeyGenerator(Curve.P_256)
            .keyID(KEY_ID)
            .algorithm(JWSAlgorithm.ES256)
            .generate();
    var accessToken = TokenGeneratorHelper.generateSignedToken(
            CLIENT_ID,
            BASE_URL,
            SCOPES.toStringList(),
            new ECDSASigner(localKey),
            PUBLIC_SUBJECT,
            localKey.getKeyID());

    var stubbedResult = new SignResult();
    stubbedResult.setKeyId(KEY_ID);
    stubbedResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    // JWS carries R||S; KMS hands back DER, so transcode before stubbing.
    byte[] derSignature = ECDSA.transcodeSignatureToDER(accessToken.getSignature().decode());
    stubbedResult.setSignature(ByteBuffer.wrap(derSignature));
    when(kmsConnectionService.sign(any(SignRequest.class))).thenReturn(stubbedResult);
}
