Use of com.auth0.jwt.interfaces.RSAKeyProvider in project sonarqube by SonarSource:
class GithubAppSecurityImpl, method readApplicationPrivateKey.
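/**
 * Builds the RS256 signing {@link Algorithm} for a GitHub App from its PEM-encoded PKCS#8 private key.
 *
 * <p>The BouncyCastle provider is registered only for the duration of the parse and only if it was
 * not already installed, so that a provider some other component relies on is never unregistered
 * behind its back. The registration is process-wide; concurrent callers share it (TODO confirm
 * whether callers may run concurrently).
 *
 * @param appId             GitHub App id; used as suffix of the key id reported by the provider
 * @param encodedPrivateKey PEM text of the PKCS#8 private key
 * @return an RS256 algorithm whose key provider serves only the private key (public-key lookup is unsupported)
 * @throws IllegalArgumentException if the PEM cannot be decoded, is not an RSA key, or any other parse failure occurs
 */
private static Algorithm readApplicationPrivateKey(long appId, String encodedPrivateKey) {
  // addProvider() returns -1 when a provider with the same name is already installed; remember
  // whether this call did the installing so that the finally block only undoes its own change.
  boolean providerAdded = Security.addProvider(new BouncyCastleProvider()) != -1;
  byte[] pemBytes = encodedPrivateKey.getBytes(UTF_8);
  // explicit charset: the no-arg InputStreamReader would use the platform default
  try (PemReader pemReader = new PemReader(new InputStreamReader(new ByteArrayInputStream(pemBytes), UTF_8))) {
    PemObject pemObject = pemReader.readPemObject();
    if (pemObject == null) {
      throw new IllegalArgumentException("Failed to decode Github Application private key");
    }
    PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(pemObject.getContent());
    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
    PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
    // Fail at configuration time rather than on first signature: the cast below used to happen
    // lazily inside getPrivateKey(), where a ClassCastException would escape this catch block.
    if (!(privateKey instanceof RSAPrivateKey)) {
      throw new IllegalArgumentException("Github Application private key is not an RSA key");
    }
    RSAPrivateKey rsaPrivateKey = (RSAPrivateKey) privateKey;
    return Algorithm.RSA256(new RSAKeyProvider() {
      @Override
      public RSAPublicKey getPublicKeyById(String keyId) {
        // only signing is needed for the GitHub App flow; verification is not supported here
        throw new UnsupportedOperationException("getPublicKeyById not implemented");
      }

      @Override
      public RSAPrivateKey getPrivateKey() {
        return rsaPrivateKey;
      }

      @Override
      public String getPrivateKeyId() {
        return "github_app_" + appId;
      }
    });
  } catch (Exception e) {
    // every failure (including the IllegalArgumentExceptions thrown above) is reported uniformly
    throw new IllegalArgumentException("Invalid Github Application private key", e);
  } finally {
    if (providerAdded) {
      Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
    }
  }
}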
Use of com.auth0.jwt.interfaces.RSAKeyProvider in project snow-owl by b2ihealthcare:
class IdentityPlugin, method createRSAKeyProvider.
/**
 * Assembles the RSA key material for JWT handling from the identity configuration.
 *
 * <p>The signing side (private key and its id) is taken from {@code identity.signingKey} when
 * present, otherwise both are {@code null}. The verification side prefers a JWKS URL and falls
 * back to a fixed verification key; when neither is configured the setup is not an RSA one and
 * {@code null} is returned.
 *
 * @param conf identity configuration holding the signing key, JWKS URL and verification key
 * @return a key provider, or {@code null} when no RSA verification source is configured
 * @throws MalformedURLException if the configured JWKS URL cannot be parsed
 */
private RSAKeyProvider createRSAKeyProvider(IdentityConfiguration conf) throws MalformedURLException {
  final String signingKey = conf.getSigningKey();
  final boolean signingConfigured = !Strings.isNullOrEmpty(signingKey);

  // NOTE(review): Hashing.goodFastHash is seeded per JVM instance, so this key id differs between
  // restarts and between nodes — confirm that nothing outside this process has to match it.
  final String signingKeyId = signingConfigured
      ? Hashing.goodFastHash(16).hashString(signingKey, Charsets.UTF_8).toString()
      : null;
  final RSAPrivateKey signingPrivateKey = signingConfigured ? readPrivateKey(signingKey) : null;

  // Shared signing-side behaviour; concrete subclasses differ only in public-key resolution.
  abstract class SigningSideProvider implements RSAKeyProvider {
    @Override
    public String getPrivateKeyId() {
      return signingKeyId;
    }

    @Override
    public RSAPrivateKey getPrivateKey() {
      return signingPrivateKey;
    }
  }

  final String jwksUrl = conf.getJwksUrl();
  if (!Strings.isNullOrEmpty(jwksUrl)) {
    // JWKS takes precedence for verification when configured
    final JwkProvider jwks = new JwkProviderBuilder(new URL(jwksUrl))
        .cached(5, 24, TimeUnit.HOURS)
        .rateLimited(10, 1, TimeUnit.MINUTES)
        .build();
    return new SigningSideProvider() {
      @Override
      public RSAPublicKey getPublicKeyById(String kid) {
        try {
          return (RSAPublicKey) jwks.get(kid).getPublicKey();
        } catch (JwkException e) {
          throw new SnowowlRuntimeException(e.getMessage(), e);
        }
      }
    };
  }

  final String verificationKey = conf.getVerificationKey();
  if (!Strings.isNullOrEmpty(verificationKey)) {
    // without JWKS, a single configured verification key answers every key id
    final RSAPublicKey fixedPublicKey = readPublicKey(verificationKey);
    return new SigningSideProvider() {
      @Override
      public RSAPublicKey getPublicKeyById(String kid) {
        return fixedPublicKey;
      }
    };
  }

  // Neither jwksUrl nor verificationKey is set: not an RSA configuration (an invalid
  // configuration is reported later, when the algorithm instance is created).
  return null;
}
Use of com.auth0.jwt.interfaces.RSAKeyProvider in project snow-owl by b2ihealthcare:
class IdentityPlugin, method configureJWT.
@VisibleForTesting
/*package*/
/**
 * Registers the JWT generator, verifier and authorization-header verifier services.
 *
 * <p>When {@code identity.jws} is absent both signing and verification are disabled. When the
 * key provider carries no private key only signing is disabled; verification still runs.
 *
 * @param services         registry the three services are added to
 * @param identityProvider identity provider handed to the authorization-header verifier
 * @param conf             identity configuration
 * @throws MalformedURLException if the configured JWKS URL cannot be parsed
 */
void configureJWT(ApplicationContext services, final IdentityProvider identityProvider, final IdentityConfiguration conf) throws MalformedURLException {
  final RSAKeyProvider keyProvider = createRSAKeyProvider(conf);

  final String jws = conf.getJws();
  final Algorithm algorithm;
  if (Strings.isNullOrEmpty(jws)) {
    IdentityProvider.LOG.warn("'identity.jws' configuration is missing, disabling JWT authorization token signing and verification.");
    algorithm = null;
  } else {
    algorithm = SUPPORTED_JWS_ALGORITHMS.getOrDefault(jws, this::throwUnsupportedJws).apply(conf, keyProvider);
  }

  // signing requires an algorithm and, for RSA setups, a private key on the provider
  final boolean signingEnabled = algorithm != null
      && !(keyProvider != null && keyProvider.getPrivateKey() == null);
  final JWTGenerator generator = signingEnabled
      ? new DefaultJWTGenerator(algorithm, conf)
      : JWT_GENERATOR_DISABLED;
  final JWTVerifier verifier = algorithm == null
      ? JWT_VERIFIER_DISABLED
      : createJWTVerifier(algorithm, conf);

  // a generator, a verifier and an AuthorizationHeader verifier are always registered
  services.registerService(JWTGenerator.class, generator);
  services.registerService(JWTVerifier.class, verifier);
  services.registerService(AuthorizationHeaderVerifier.class,
      new AuthorizationHeaderVerifier(verifier, identityProvider, conf.getEmailClaimProperty(), conf.getPermissionsClaimProperty()));
}