Example 1 with RSAKeyProvider

Use of com.auth0.jwt.interfaces.RSAKeyProvider in project sonarqube by SonarSource.

From class GithubAppSecurityImpl, method readApplicationPrivateKey.

import static java.nio.charset.StandardCharsets.UTF_8; // assumed origin of UTF_8; the page does not list it

import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.RSAKeyProvider;
import java.io.ByteArrayInputStream;
import java.io.InputStreamReader;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Security;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;

// Builds a signing-only RS256 Algorithm from the PEM-encoded private key of a GitHub App.
// The returned Algorithm can mint tokens but cannot verify them (see getPublicKeyById).
private static Algorithm readApplicationPrivateKey(long appId, String encodedPrivateKey) {
    byte[] decodedPrivateKey = encodedPrivateKey.getBytes(UTF_8);
    try (PemReader pemReader = new PemReader(new InputStreamReader(new ByteArrayInputStream(decodedPrivateKey)))) {
        // BouncyCastle is registered only for the duration of the parse and removed in finally.
        Security.addProvider(new BouncyCastleProvider());
        PemObject pemObject = pemReader.readPemObject();
        if (pemObject == null) {
            throw new IllegalArgumentException("Failed to decode Github Application private key");
        }
        // The PEM body is handed to the RSA KeyFactory as a PKCS#8 key spec.
        PKCS8EncodedKeySpec keySpec1 = new PKCS8EncodedKeySpec(pemObject.getContent());
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        PrivateKey privateKey = keyFactory.generatePrivate(keySpec1);
        return Algorithm.RSA256(new RSAKeyProvider() {

            @Override
            public RSAPublicKey getPublicKeyById(String keyId) {
                // This provider is used for signing only; verification is never attempted with it.
                throw new UnsupportedOperationException("getPublicKeyById not implemented");
            }

            @Override
            public RSAPrivateKey getPrivateKey() {
                return (RSAPrivateKey) privateKey;
            }

            @Override
            public String getPrivateKeyId() {
                // Becomes the "kid" header of every JWT signed with this Algorithm.
                return "github_app_" + appId;
            }
        });
    } catch (Exception e) {
        // PEM, key-spec and KeyFactory failures are all reported as an invalid key; the cause is kept.
        throw new IllegalArgumentException("Invalid Github Application private key", e);
    } finally {
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
    }
}

Example 2 with RSAKeyProvider

Use of com.auth0.jwt.interfaces.RSAKeyProvider in project snow-owl by b2ihealthcare.

From class IdentityPlugin, method createRSAKeyProvider.

import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.interfaces.RSAKeyProvider;
import com.b2international.snowowl.core.api.SnowowlRuntimeException;
import com.google.common.base.Charsets; // Guava; assumed, not listed on the page
import com.google.common.base.Strings;  // Guava; assumed, not listed on the page
import com.google.common.hash.Hashing;  // Guava; assumed, not listed on the page
import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;

// IdentityConfiguration, readPrivateKey and readPublicKey are snow-owl classes/methods not shown here.
private RSAKeyProvider createRSAKeyProvider(IdentityConfiguration conf) throws MalformedURLException {
    final String privateKeyId;
    final RSAPrivateKey privateKey;
    // read private key if provided
    if (!Strings.isNullOrEmpty(conf.getSigningKey())) {
        // The kid is derived from a hash of the configured key material, so it changes whenever the key does.
        privateKeyId = Hashing.goodFastHash(16).hashString(conf.getSigningKey(), Charsets.UTF_8).toString();
        privateKey = readPrivateKey(conf.getSigningKey());
    } else {
        // no signing key: the provider can verify but not sign
        privateKeyId = null;
        privateKey = null;
    }
    if (!Strings.isNullOrEmpty(conf.getJwksUrl())) {
        // prefer JSON Web Key Set provider URLs (if set) for token verification;
        // keys are cached (up to 5 entries for 24 hours) and lookups are rate limited
        // (bucket of 10, refilled one per minute) so a flood of unknown kids cannot hammer the JWKS endpoint
        JwkProvider jwkProvider = new JwkProviderBuilder(new URL(conf.getJwksUrl())).cached(5, 24, TimeUnit.HOURS).rateLimited(10, 1, TimeUnit.MINUTES).build();
        return new RSAKeyProvider() {

            @Override
            public RSAPublicKey getPublicKeyById(String kid) {
                try {
                    // a kid that the JWKS does not contain raises JwkException, so the token fails verification
                    return (RSAPublicKey) jwkProvider.get(kid).getPublicKey();
                } catch (JwkException e) {
                    throw new SnowowlRuntimeException(e.getMessage(), e);
                }
            }

            @Override
            public String getPrivateKeyId() {
                return privateKeyId;
            }

            @Override
            public RSAPrivateKey getPrivateKey() {
                return privateKey;
            }
        };
    } else if (!Strings.isNullOrEmpty(conf.getVerificationKey())) {
        // if JWKS is not set, then fall back to verification key if set
        RSAPublicKey publicKey = readPublicKey(conf.getVerificationKey());
        return new RSAKeyProvider() {

            @Override
            public RSAPublicKey getPublicKeyById(String kid) {
                // single-key deployment: the kid header is ignored and every token is checked against this key
                return publicKey;
            }

            @Override
            public String getPrivateKeyId() {
                return privateKeyId;
            }

            @Override
            public RSAPrivateKey getPrivateKey() {
                return privateKey;
            }
        };
    } else {
        // if neither jwksUrl nor the verificationKey settings are configured then this is not an RSA configuration
        // (or an invalid configuration, which is raised when creating the algorithm instance)
        return null;
    }
}

Example 3 with RSAKeyProvider

Use of com.auth0.jwt.interfaces.RSAKeyProvider in project snow-owl by b2ihealthcare.

From class IdentityPlugin, method configureJWT.

import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.JWTVerifier;
import com.auth0.jwt.interfaces.RSAKeyProvider;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings; // Guava; assumed, not listed on the page
import java.net.MalformedURLException;

// ApplicationContext, IdentityProvider, IdentityConfiguration, JWTGenerator, DefaultJWTGenerator,
// AuthorizationHeaderVerifier, SUPPORTED_JWS_ALGORITHMS and the *_DISABLED constants are snow-owl
// classes and fields not shown here.
@VisibleForTesting
/*package*/
void configureJWT(ApplicationContext services, final IdentityProvider identityProvider, final IdentityConfiguration conf) throws MalformedURLException {
    RSAKeyProvider rsaKeyProvider = createRSAKeyProvider(conf);
    Algorithm algorithm;
    if (!Strings.isNullOrEmpty(conf.getJws())) {
        // the configured JWS name selects the Algorithm factory; an unsupported name fails fast instead of
        // falling back to a weaker algorithm
        algorithm = SUPPORTED_JWS_ALGORITHMS.getOrDefault(conf.getJws(), this::throwUnsupportedJws).apply(conf, rsaKeyProvider);
    } else {
        IdentityProvider.LOG.warn("'identity.jws' configuration is missing, disabling JWT authorization token signing and verification.");
        algorithm = null;
    }
    JWTGenerator generator;
    JWTVerifier verifier;
    if (algorithm == null) {
        // both signing and verification are disabled
        generator = JWT_GENERATOR_DISABLED;
        verifier = JWT_VERIFIER_DISABLED;
    } else if (rsaKeyProvider != null && rsaKeyProvider.getPrivateKey() == null) {
        // verify-only node: a JWKS URL or public key is configured but no private key, so tokens can be
        // checked here but never issued
        generator = JWT_GENERATOR_DISABLED;
        verifier = createJWTVerifier(algorithm, conf);
    } else {
        generator = new DefaultJWTGenerator(algorithm, conf);
        verifier = createJWTVerifier(algorithm, conf);
    }
    // always configure a JWTGenerator, a JWTVerifier and an AuthorizationHeader verifier
    services.registerService(JWTGenerator.class, generator);
    services.registerService(JWTVerifier.class, verifier);
    services.registerService(AuthorizationHeaderVerifier.class, new AuthorizationHeaderVerifier(verifier, identityProvider, conf.getEmailClaimProperty(), conf.getPermissionsClaimProperty()));
}
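The three snippets above each build an RSAKeyProvider but none shows both sides of the exchange. The following is an added example, not code from sonarqube or snow-owl: a complete java-jwt sign-and-verify round trip in which the kid written by getPrivateKeyId() on the signing side is resolved by getPublicKeyById() on the verifying side, and a token carrying a kid that is not in the trusted set is rejected rather than matched against a default key. The class name RsaKeyProviderRoundTrip, the key ids "key-2024" and "key-old", and the issuer name "example-issuer" are constructed for this example; the RSA key pairs are generated in-process.

```java
// Added example: RSAKeyProvider round trip with kid-based public key lookup (not project code).
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.util.Date;
import java.util.Map;

public class RsaKeyProviderRoundTrip {

    /** Provider backed by a kid -> public key map; signs with one designated key (may be null for verify-only). */
    static RSAKeyProvider keyProvider(Map<String, RSAPublicKey> trustedKeysByKid,
                                      String signingKid, RSAPrivateKey signingKey) {
        return new RSAKeyProvider() {
            @Override
            public RSAPublicKey getPublicKeyById(String kid) {
                RSAPublicKey key = kid == null ? null : trustedKeysByKid.get(kid);
                if (key == null) {
                    // Unknown or absent kid: refuse. java-jwt wraps this into a
                    // SignatureVerificationException, so the token is rejected.
                    throw new IllegalStateException("unknown key id: " + kid);
                }
                return key;
            }

            @Override
            public RSAPrivateKey getPrivateKey() {
                return signingKey;
            }

            @Override
            public String getPrivateKeyId() {
                return signingKid; // written into the JWT header as "kid" when signing
            }
        };
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair current = kpg.generateKeyPair(); // constructed: the key the issuer signs with
        KeyPair retired = kpg.generateKeyPair(); // constructed: a key the verifier does not trust

        // Only "key-2024" is trusted for verification.
        Map<String, RSAPublicKey> trusted = Map.of("key-2024", (RSAPublicKey) current.getPublic());

        Algorithm signer = Algorithm.RSA256(
                keyProvider(trusted, "key-2024", (RSAPrivateKey) current.getPrivate()));
        // Verify-only provider: no private key, so this side can never mint tokens.
        Algorithm verifyOnly = Algorithm.RSA256(keyProvider(trusted, null, null));

        JWTVerifier verifier = JWT.require(verifyOnly)
                .withIssuer("example-issuer")
                .acceptLeeway(5)
                .build();

        String token = JWT.create()
                .withIssuer("example-issuer")
                .withSubject("alice")
                .withExpiresAt(Date.from(Instant.now().plusSeconds(300)))
                .sign(signer);
        DecodedJWT decoded = verifier.verify(token);
        System.out.println("verified subject=" + decoded.getSubject() + " kid=" + decoded.getKeyId());

        // A token signed under a kid that is not in the trusted map must be rejected.
        Algorithm untrusted = Algorithm.RSA256(
                keyProvider(trusted, "key-old", (RSAPrivateKey) retired.getPrivate()));
        String untrustedToken = JWT.create().withIssuer("example-issuer").sign(untrusted);
        try {
            verifier.verify(untrustedToken);
            System.out.println("UNEXPECTED: token with unknown kid accepted");
        } catch (JWTVerificationException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The verifying provider returns null from getPrivateKey(), which is the same verify-only shape that configureJWT above detects to disable the JWTGenerator; the lookup throws on an unknown kid instead of returning a fallback key, the same outcome the JWKS branch of createRSAKeyProvider gets from JwkException.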
