Search in sources :

Example 11 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.

the class DocAppCriService method generatePrivateKeyJwt.

private PrivateKeyJWT generatePrivateKeyJwt(JWTAuthenticationClaimsSet claimsSet) {
    try {
        var jwsHeader = new JWSHeader.Builder(TOKEN_ALGORITHM).keyID(configurationService.getDocAppTokenSigningKeyAlias()).build();
        var encodedHeader = jwsHeader.toBase64URL();
        var encodedClaims = Base64URL.encode(claimsSet.toJWTClaimsSet().toString());
        var message = encodedHeader + "." + encodedClaims;
        var messageToSign = ByteBuffer.wrap(message.getBytes());
        var signRequest = new SignRequest();
        signRequest.setMessage(messageToSign);
        signRequest.setKeyId(configurationService.getDocAppTokenSigningKeyAlias());
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsService.sign(signRequest);
        LOG.info("PrivateKeyJWT has been signed successfully");
        var signature = Base64URL.encode(ECDSA.transcodeSignatureToConcat(signResult.getSignature().array(), ECDSA.getSignatureByteArrayLength(TOKEN_ALGORITHM))).toString();
        return new PrivateKeyJWT(SignedJWT.parse(message + "." + signature));
    } catch (JOSEException | java.text.ParseException e) {
        LOG.error("Exception thrown when trying to parse SignedJWT or JWTClaimSet", e);
        throw new RuntimeException(e);
    }
}
Also used : SignResult(com.amazonaws.services.kms.model.SignResult) SignRequest(com.amazonaws.services.kms.model.SignRequest) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) ParseException(com.nimbusds.oauth2.sdk.ParseException) JOSEException(com.nimbusds.jose.JOSEException)

Example 12 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.

the class DocAppAuthorisationServiceTest method shouldConstructASignedRequestJWT.

@Test
void shouldConstructASignedRequestJWT() throws JOSEException, ParseException {
    var ecSigningKey = new ECKeyGenerator(Curve.P_256).keyID(KEY_ID).algorithm(JWSAlgorithm.ES256).generate();
    var ecdsaSigner = new ECDSASigner(ecSigningKey);
    var jwtClaimsSet = new JWTClaimsSet.Builder().build();
    var jwsHeader = new JWSHeader(JWSAlgorithm.ES256);
    var signedJWT = new SignedJWT(jwsHeader, jwtClaimsSet);
    signedJWT.sign(ecdsaSigner);
    var signResult = new SignResult();
    byte[] signatureToDER = ECDSA.transcodeSignatureToDER(signedJWT.getSignature().decode());
    signResult.setSignature(ByteBuffer.wrap(signatureToDER));
    signResult.setKeyId(KEY_ID);
    signResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    when(kmsConnectionService.sign(any(SignRequest.class))).thenReturn(signResult);
    var state = new State();
    var pairwise = new Subject("pairwise-identifier");
    var encryptedJWT = authorisationService.constructRequestJWT(state, pairwise);
    var signedJWTResponse = decryptJWT(encryptedJWT);
    assertThat(signedJWTResponse.getJWTClaimsSet().getClaim("client_id"), equalTo(DOC_APP_CLIENT_ID));
    assertThat(signedJWTResponse.getJWTClaimsSet().getClaim("state"), equalTo(state.getValue()));
    assertThat(signedJWTResponse.getJWTClaimsSet().getSubject(), equalTo(pairwise.getValue()));
    assertThat(signedJWTResponse.getJWTClaimsSet().getIssuer(), equalTo(DOC_APP_CLIENT_ID));
    assertThat(signedJWTResponse.getJWTClaimsSet().getAudience(), equalTo(singletonList(DOC_APP_AUTHORISATION_URI.toString())));
    assertThat(signedJWTResponse.getJWTClaimsSet().getClaim("response_type"), equalTo("code"));
}
Also used : SignResult(com.amazonaws.services.kms.model.SignResult) SignRequest(com.amazonaws.services.kms.model.SignRequest) ECDSASigner(com.nimbusds.jose.crypto.ECDSASigner) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) State(com.nimbusds.oauth2.sdk.id.State) ECKeyGenerator(com.nimbusds.jose.jwk.gen.ECKeyGenerator) SignedJWT(com.nimbusds.jwt.SignedJWT) JWSHeader(com.nimbusds.jose.JWSHeader) Subject(com.nimbusds.oauth2.sdk.id.Subject) Test(org.junit.jupiter.api.Test)

Example 13 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.

the class IPVTokenService method generatePrivateKeyJwt.

private PrivateKeyJWT generatePrivateKeyJwt(JWTAuthenticationClaimsSet claimsSet) {
    try {
        var jwsHeader = new JWSHeader.Builder(TOKEN_ALGORITHM).keyID(configurationService.getIPVTokenSigningKeyAlias()).build();
        var encodedHeader = jwsHeader.toBase64URL();
        var encodedClaims = Base64URL.encode(claimsSet.toJWTClaimsSet().toString());
        var message = encodedHeader + "." + encodedClaims;
        var messageToSign = ByteBuffer.wrap(message.getBytes());
        var signRequest = new SignRequest();
        signRequest.setMessage(messageToSign);
        signRequest.setKeyId(configurationService.getIPVTokenSigningKeyAlias());
        signRequest.setSigningAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256.toString());
        SignResult signResult = kmsService.sign(signRequest);
        LOG.info("PrivateKeyJWT has been signed successfully");
        var signature = Base64URL.encode(ECDSA.transcodeSignatureToConcat(signResult.getSignature().array(), ECDSA.getSignatureByteArrayLength(TOKEN_ALGORITHM))).toString();
        return new PrivateKeyJWT(SignedJWT.parse(message + "." + signature));
    } catch (JOSEException | java.text.ParseException e) {
        LOG.error("Exception thrown when trying to parse SignedJWT or JWTClaimSet", e);
        throw new RuntimeException(e);
    }
}
Also used : SignResult(com.amazonaws.services.kms.model.SignResult) SignRequest(com.amazonaws.services.kms.model.SignRequest) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) ParseException(com.nimbusds.oauth2.sdk.ParseException) JOSEException(com.nimbusds.jose.JOSEException)

Example 14 with SignResult

use of com.amazonaws.services.kms.model.SignResult in project di-authentication-api by alphagov.

the class IPVTokenServiceTest method signJWTWithKMS.

private void signJWTWithKMS() throws JOSEException {
    var ecSigningKey = new ECKeyGenerator(Curve.P_256).keyID(KEY_ID).algorithm(JWSAlgorithm.ES256).generate();
    var claimsSet = new JWTAuthenticationClaimsSet(new ClientID(CLIENT_ID), singletonList(new Audience(buildURI(IPV_URI.toString(), "token"))), NowHelper.nowPlus(5, ChronoUnit.MINUTES), null, NowHelper.now(), new JWTID());
    var ecdsaSigner = new ECDSASigner(ecSigningKey);
    var jwsHeader = new JWSHeader.Builder(JWSAlgorithm.ES256).keyID(ecSigningKey.getKeyID()).build();
    var signedJWT = new SignedJWT(jwsHeader, claimsSet.toJWTClaimsSet());
    unchecked(signedJWT::sign).accept(ecdsaSigner);
    var signResult = new SignResult();
    byte[] idTokenSignatureDer = ECDSA.transcodeSignatureToDER(signedJWT.getSignature().decode());
    signResult.setSignature(ByteBuffer.wrap(idTokenSignatureDer));
    signResult.setKeyId(KEY_ID);
    signResult.setSigningAlgorithm(JWSAlgorithm.ES256.getName());
    when(kmsService.sign(any(SignRequest.class))).thenReturn(signResult);
}
Also used : SignResult(com.amazonaws.services.kms.model.SignResult) SignRequest(com.amazonaws.services.kms.model.SignRequest) Audience(com.nimbusds.oauth2.sdk.id.Audience) ECDSASigner(com.nimbusds.jose.crypto.ECDSASigner) ECKeyGenerator(com.nimbusds.jose.jwk.gen.ECKeyGenerator) ClientID(com.nimbusds.oauth2.sdk.id.ClientID) JWTID(com.nimbusds.oauth2.sdk.id.JWTID) JWTAuthenticationClaimsSet(com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet) SignedJWT(com.nimbusds.jwt.SignedJWT)

Aggregations

SignRequest (com.amazonaws.services.kms.model.SignRequest)14 SignResult (com.amazonaws.services.kms.model.SignResult)14 JOSEException (com.nimbusds.jose.JOSEException)6 ECDSASigner (com.nimbusds.jose.crypto.ECDSASigner)6 ECKeyGenerator (com.nimbusds.jose.jwk.gen.ECKeyGenerator)6 SignedJWT (com.nimbusds.jwt.SignedJWT)6 JWSHeader (com.nimbusds.jose.JWSHeader)5 Base64URL (com.nimbusds.jose.util.Base64URL)4 ParseException (com.nimbusds.oauth2.sdk.ParseException)4 ByteBuffer (java.nio.ByteBuffer)4 ECKey (com.nimbusds.jose.jwk.ECKey)2 JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet)2 JWTAuthenticationClaimsSet (com.nimbusds.oauth2.sdk.auth.JWTAuthenticationClaimsSet)2 PrivateKeyJWT (com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT)2 Audience (com.nimbusds.oauth2.sdk.id.Audience)2 ClientID (com.nimbusds.oauth2.sdk.id.ClientID)2 JWTID (com.nimbusds.oauth2.sdk.id.JWTID)2 State (com.nimbusds.oauth2.sdk.id.State)2 Subject (com.nimbusds.oauth2.sdk.id.Subject)2 Test (org.junit.jupiter.api.Test)2