Use of com.amazonaws.services.kms.model.SignResult in the project di-authentication-api by alphagov.
Class DocAppCriService, method generatePrivateKeyJwt.
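/**
 * Builds a {@code private_key_jwt} client assertion for the given claims, with the
 * signature produced by KMS rather than by a locally held private key.
 *
 * <p>The JWS header and claims are base64url-encoded here and joined into the signing
 * input, and exactly those bytes are sent to KMS (no MessageType is set, so KMS hashes
 * the raw input itself). KMS returns a DER-encoded ECDSA signature, which is transcoded
 * to the fixed-length R||S form that JWS expects before the compact serialisation is
 * assembled and parsed back into a {@link PrivateKeyJWT}.
 *
 * @param claimsSet the client-authentication claims to sign
 * @return the signed assertion
 * @throws RuntimeException if the KMS signature cannot be transcoded or the assembled
 *     JWT cannot be parsed; the underlying {@link JOSEException} or
 *     {@link java.text.ParseException} is kept as the cause
 */
private PrivateKeyJWT generatePrivateKeyJwt(JWTAuthenticationClaimsSet claimsSet) {
    try {
        var keyAlias = configurationService.getDocAppTokenSigningKeyAlias();
        // The kid header carries the same alias that selects the key in KMS below, so a
        // verifier can pick the matching public key.
        var jwsHeader = new JWSHeader.Builder(TOKEN_ALGORITHM).keyID(keyAlias).build();
        var encodedHeader = jwsHeader.toBase64URL();
        var encodedClaims = Base64URL.encode(claimsSet.toJWTClaimsSet().toString());
        var message = encodedHeader + "." + encodedClaims;

        // The signing input is ASCII (base64url plus '.'), but name the charset so the
        // bytes handed to KMS never depend on the platform default.
        var messageToSign =
                ByteBuffer.wrap(message.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        var signRequest = new SignRequest();
        signRequest.setMessage(messageToSign);
        signRequest.setKeyId(keyAlias);
        // Must agree with TOKEN_ALGORITHM: KMS ECDSA_SHA_256 is the JWS ES256 algorithm.
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsService.sign(signRequest);
        LOG.info("PrivateKeyJWT has been signed successfully");

        // Copy only the bytes between position and limit. ByteBuffer.array() returns the
        // whole backing array and ignores offset and limit, so it is only correct when the
        // SDK happens to wrap the signature at offset 0 with limit == capacity.
        var signatureBuffer = signResult.getSignature().duplicate();
        var derSignature = new byte[signatureBuffer.remaining()];
        signatureBuffer.get(derSignature);

        var signature =
                Base64URL.encode(
                                ECDSA.transcodeSignatureToConcat(
                                        derSignature,
                                        ECDSA.getSignatureByteArrayLength(TOKEN_ALGORITHM)))
                        .toString();
        return new PrivateKeyJWT(SignedJWT.parse(message + "." + signature));
    } catch (JOSEException | java.text.ParseException e) {
        LOG.error("Exception thrown when trying to parse SignedJWT or JWTClaimSet", e);
        throw new RuntimeException(e);
    }
}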
Use of com.amazonaws.services.kms.model.SignResult in the project di-authentication-api by alphagov.
Class DocAppAuthorisationServiceTest, method shouldConstructASignedRequestJWT.
/**
 * Checks that {@code constructRequestJWT} produces an encrypted JWT whose inner signed
 * JWT carries the expected OAuth request claims.
 *
 * <p>KMS is mocked: the stubbed {@link SignResult} holds a DER signature computed over a
 * throw-away JWT with an empty claims set, not over the header and payload the service
 * actually builds. The test therefore inspects the claims of the result only; the
 * signature on the returned JWT would not verify against the service's signing input.
 */
@Test
void shouldConstructASignedRequestJWT() throws JOSEException, ParseException {
    var signingKey =
            new ECKeyGenerator(Curve.P_256).keyID(KEY_ID).algorithm(JWSAlgorithm.ES256).generate();
    var placeholderJwt =
            new SignedJWT(new JWSHeader(JWSAlgorithm.ES256), new JWTClaimsSet.Builder().build());
    placeholderJwt.sign(new ECDSASigner(signingKey));

    // Nimbus emits the JWS R||S concatenation; KMS returns DER, so convert before stubbing
    // to mimic what the real service would receive.
    var derSignature = ECDSA.transcodeSignatureToDER(placeholderJwt.getSignature().decode());
    var stubbedSignResult = new SignResult();
    stubbedSignResult.setSignature(ByteBuffer.wrap(derSignature));
    stubbedSignResult.setKeyId(KEY_ID);
    stubbedSignResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    when(kmsConnectionService.sign(any(SignRequest.class))).thenReturn(stubbedSignResult);

    var state = new State();
    var pairwise = new Subject("pairwise-identifier");

    var claims =
            decryptJWT(authorisationService.constructRequestJWT(state, pairwise)).getJWTClaimsSet();

    assertThat(claims.getClaim("client_id"), equalTo(DOC_APP_CLIENT_ID));
    assertThat(claims.getClaim("state"), equalTo(state.getValue()));
    assertThat(claims.getSubject(), equalTo(pairwise.getValue()));
    assertThat(claims.getIssuer(), equalTo(DOC_APP_CLIENT_ID));
    assertThat(claims.getAudience(), equalTo(singletonList(DOC_APP_AUTHORISATION_URI.toString())));
    assertThat(claims.getClaim("response_type"), equalTo("code"));
}
Use of com.amazonaws.services.kms.model.SignResult in the project di-authentication-api by alphagov.
Class IPVTokenService, method generatePrivateKeyJwt.
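/**
 * Builds a {@code private_key_jwt} client assertion for the given claims, with the
 * signature produced by KMS rather than by a locally held private key.
 *
 * <p>The JWS header and claims are base64url-encoded here and joined into the signing
 * input, and exactly those bytes are sent to KMS (no MessageType is set, so KMS hashes
 * the raw input itself). KMS returns a DER-encoded ECDSA signature, which is transcoded
 * to the fixed-length R||S form that JWS expects before the compact serialisation is
 * assembled and parsed back into a {@link PrivateKeyJWT}.
 *
 * @param claimsSet the client-authentication claims to sign
 * @return the signed assertion
 * @throws RuntimeException if the KMS signature cannot be transcoded or the assembled
 *     JWT cannot be parsed; the underlying {@link JOSEException} or
 *     {@link java.text.ParseException} is kept as the cause
 */
private PrivateKeyJWT generatePrivateKeyJwt(JWTAuthenticationClaimsSet claimsSet) {
    try {
        var keyAlias = configurationService.getIPVTokenSigningKeyAlias();
        // The kid header carries the same alias that selects the key in KMS below, so a
        // verifier can pick the matching public key.
        var jwsHeader = new JWSHeader.Builder(TOKEN_ALGORITHM).keyID(keyAlias).build();
        var encodedHeader = jwsHeader.toBase64URL();
        var encodedClaims = Base64URL.encode(claimsSet.toJWTClaimsSet().toString());
        var message = encodedHeader + "." + encodedClaims;

        // The signing input is ASCII (base64url plus '.'), but name the charset so the
        // bytes handed to KMS never depend on the platform default.
        var messageToSign =
                ByteBuffer.wrap(message.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        var signRequest = new SignRequest();
        signRequest.setMessage(messageToSign);
        signRequest.setKeyId(keyAlias);
        // Must agree with TOKEN_ALGORITHM: KMS ECDSA_SHA_256 is the JWS ES256 algorithm.
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsService.sign(signRequest);
        LOG.info("PrivateKeyJWT has been signed successfully");

        // Copy only the bytes between position and limit. ByteBuffer.array() returns the
        // whole backing array and ignores offset and limit, so it is only correct when the
        // SDK happens to wrap the signature at offset 0 with limit == capacity.
        var signatureBuffer = signResult.getSignature().duplicate();
        var derSignature = new byte[signatureBuffer.remaining()];
        signatureBuffer.get(derSignature);

        var signature =
                Base64URL.encode(
                                ECDSA.transcodeSignatureToConcat(
                                        derSignature,
                                        ECDSA.getSignatureByteArrayLength(TOKEN_ALGORITHM)))
                        .toString();
        return new PrivateKeyJWT(SignedJWT.parse(message + "." + signature));
    } catch (JOSEException | java.text.ParseException e) {
        LOG.error("Exception thrown when trying to parse SignedJWT or JWTClaimSet", e);
        throw new RuntimeException(e);
    }
}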
Use of com.amazonaws.services.kms.model.SignResult in the project di-authentication-api by alphagov.
Class IPVTokenServiceTest, method signJWTWithKMS.
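/**
 * Stubs {@code kmsService.sign} so that the service under test receives a genuine ES256
 * signature in the DER form KMS produces.
 *
 * <p>The signature is computed locally with a freshly generated P-256 key over a JWT
 * built from this method's own claims set, not over whatever the service later passes to
 * the mock. Callers can therefore check that signing happened and that the result is
 * well-formed, but not that it verifies against the service's real signing input.
 *
 * @throws JOSEException if key generation, signing or signature transcoding fails
 */
private void signJWTWithKMS() throws JOSEException {
    var signingKey =
            new ECKeyGenerator(Curve.P_256).keyID(KEY_ID).algorithm(JWSAlgorithm.ES256).generate();
    var claimsSet =
            new JWTAuthenticationClaimsSet(
                    new ClientID(CLIENT_ID),
                    singletonList(new Audience(buildURI(IPV_URI.toString(), "token"))),
                    NowHelper.nowPlus(5, ChronoUnit.MINUTES),
                    null,
                    NowHelper.now(),
                    new JWTID());
    var jwsHeader =
            new JWSHeader.Builder(JWSAlgorithm.ES256).keyID(signingKey.getKeyID()).build();
    var signedJWT = new SignedJWT(jwsHeader, claimsSet.toJWTClaimsSet());
    // The method already declares JOSEException, so sign directly rather than through the
    // unchecked(...) wrapper, which (judging by its name) would turn a signing failure into
    // an unchecked exception and obscure its type in the test report.
    signedJWT.sign(new ECDSASigner(signingKey));

    // Nimbus emits the JWS R||S concatenation; KMS returns DER, so convert before stubbing.
    byte[] derSignature = ECDSA.transcodeSignatureToDER(signedJWT.getSignature().decode());
    var signResult = new SignResult();
    signResult.setSignature(ByteBuffer.wrap(derSignature));
    signResult.setKeyId(KEY_ID);
    // This is the Nimbus name "ES256", not the KMS SigningAlgorithmSpec string a real
    // response would carry; IPVTokenService only reads getSignature() from the result.
    signResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    when(kmsService.sign(any(SignRequest.class))).thenReturn(signResult);
}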