use of com.auth0.jwt.interfaces.Verification in project cryptography by norkator.
the class JWT method verifyECDSA256Jwt.
/**
* Verify elliptic curve based JWT
*
* @param publicPem of key pair
* @param issuer party name
* @param token of created jwt
* @return DecodedJWT including claims
* @throws JWTVerificationException thrown if verification fails
*/
public static DecodedJWT verifyECDSA256Jwt(String publicPem, String issuer, final String token) throws JWTVerificationException, InvalidKeySpecException, NoSuchAlgorithmException {
ECKey publicKey = (ECKey) PEMToKey.getPemPublicKey(publicPem, "ECDSA");
Algorithm algorithm = Algorithm.ECDSA256(publicKey);
JWTVerifier verifier = com.auth0.jwt.JWT.require(algorithm).withIssuer(issuer).build();
return verifier.verify(token);
}
use of com.auth0.jwt.interfaces.Verification in project open-kilda by telstra.
the class PathVerificationService method handlePacketIn.
private IListener.Command handlePacketIn(IOFSwitch sw, OFPacketIn pkt, FloodlightContext context) {
long time = System.currentTimeMillis();
logger.debug("packet_in {} received from {}", pkt.getXid(), sw.getId());
VerificationPacket verificationPacket = null;
Ethernet eth = IFloodlightProviderService.bcStore.get(context, IFloodlightProviderService.CONTEXT_PI_PAYLOAD);
try {
verificationPacket = deserialize(eth);
} catch (Exception exception) {
logger.error("Deserialization failure: {}, exception: {}", exception.getMessage(), exception);
return Command.CONTINUE;
}
try {
OFPort inPort = pkt.getVersion().compareTo(OFVersion.OF_12) < 0 ? pkt.getInPort() : pkt.getMatch().get(MatchField.IN_PORT);
ByteBuffer portBB = ByteBuffer.wrap(verificationPacket.getPortId().getValue());
portBB.position(1);
OFPort remotePort = OFPort.of(portBB.getShort());
long timestamp = 0;
int pathOrdinal = 10;
IOFSwitch remoteSwitch = null;
boolean signed = false;
for (LLDPTLV lldptlv : verificationPacket.getOptionalTLVList()) {
if (lldptlv.getType() == 127 && lldptlv.getLength() == 12 && lldptlv.getValue()[0] == 0x0 && lldptlv.getValue()[1] == 0x26 && lldptlv.getValue()[2] == (byte) 0xe1 && lldptlv.getValue()[3] == 0x0) {
ByteBuffer dpidBB = ByteBuffer.wrap(lldptlv.getValue());
remoteSwitch = switchService.getSwitch(DatapathId.of(dpidBB.getLong(4)));
} else if (lldptlv.getType() == 127 && lldptlv.getLength() == 12 && lldptlv.getValue()[0] == 0x0 && lldptlv.getValue()[1] == 0x26 && lldptlv.getValue()[2] == (byte) 0xe1 && lldptlv.getValue()[3] == 0x01) {
ByteBuffer tsBB = ByteBuffer.wrap(lldptlv.getValue());
/* skip OpenFlow OUI (4 bytes above) */
long swLatency = sw.getLatency().getValue();
timestamp = tsBB.getLong(4);
/* include the RX switch latency to "subtract" it */
timestamp = timestamp + swLatency;
} else if (lldptlv.getType() == 127 && lldptlv.getLength() == 8 && lldptlv.getValue()[0] == 0x0 && lldptlv.getValue()[1] == 0x26 && lldptlv.getValue()[2] == (byte) 0xe1 && lldptlv.getValue()[3] == 0x02) {
ByteBuffer typeBB = ByteBuffer.wrap(lldptlv.getValue());
pathOrdinal = typeBB.getInt(4);
} else if (lldptlv.getType() == 127 && lldptlv.getValue()[0] == 0x0 && lldptlv.getValue()[1] == 0x26 && lldptlv.getValue()[2] == (byte) 0xe1 && lldptlv.getValue()[3] == 0x03) {
ByteBuffer bb = ByteBuffer.wrap(lldptlv.getValue());
bb.position(4);
byte[] tokenArray = new byte[lldptlv.getLength() - 4];
bb.get(tokenArray, 0, tokenArray.length);
String token = new String(tokenArray);
try {
DecodedJWT jwt = verifier.verify(token);
signed = true;
} catch (JWTVerificationException e) {
logger.error("Packet verification failed", e);
return Command.STOP;
}
}
}
if (remoteSwitch == null) {
return Command.STOP;
}
if (!signed) {
logger.warn("verification packet without sign");
return Command.STOP;
}
U64 latency = (timestamp != 0 && (time - timestamp) > 0) ? U64.of(time - timestamp) : U64.ZERO;
logger.debug("link discovered: {}-{} ===( {} ms )===> {}-{}", remoteSwitch.getId(), remotePort, latency.getValue(), sw.getId(), inPort);
// this verification packet was sent from remote switch/port to received switch/port
// so the link direction is from remote switch/port to received switch/port
List<PathNode> nodes = Arrays.asList(new PathNode(remoteSwitch.getId().toString(), remotePort.getPortNumber(), 0, latency.getValue()), new PathNode(sw.getId().toString(), inPort.getPortNumber(), 1));
OFPortDesc port = sw.getPort(inPort);
long speed = Integer.MAX_VALUE;
if (port.getVersion().compareTo(OFVersion.OF_13) > 0) {
for (OFPortDescProp prop : port.getProperties()) {
if (prop.getType() == 0x0) {
speed = ((OFPortDescPropEthernet) prop).getCurrSpeed();
}
}
} else {
speed = port.getCurrSpeed();
}
IslInfoData path = new IslInfoData(latency.getValue(), nodes, speed, IslChangeType.DISCOVERED, getAvailableBandwidth(speed));
Message message = new InfoMessage(path, System.currentTimeMillis(), "system", null);
final String json = MAPPER.writeValueAsString(message);
logger.debug("about to send {}", json);
producer.send(new ProducerRecord<>(TOPIC, json));
logger.debug("packet_in processed for {}-{}", sw.getId(), inPort);
} catch (JsonProcessingException exception) {
logger.error("could not create json for path packet_in: {}", exception.getMessage(), exception);
} catch (UnsupportedOperationException exception) {
logger.error("could not parse packet_in message: {}", exception.getMessage(), exception);
} catch (Exception exception) {
logger.error("unknown error during packet_in message processing: {}", exception.getMessage(), exception);
throw exception;
}
return Command.STOP;
}
use of com.auth0.jwt.interfaces.Verification in project open-kilda by telstra.
the class PathVerificationService method generateVerificationPacket.
public OFPacketOut generateVerificationPacket(IOFSwitch srcSw, OFPort port, IOFSwitch dstSw, boolean sign) {
try {
OFPortDesc ofPortDesc = srcSw.getPort(port);
byte[] chassisId = new byte[] { 4, 0, 0, 0, 0, 0, 0 };
byte[] portId = new byte[] { 2, 0, 0 };
byte[] ttlValue = new byte[] { 0, 0x78 };
byte[] dpidTLVValue = new byte[] { 0x0, 0x26, (byte) 0xe1, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
LLDPTLV dpidTLV = new LLDPTLV().setType((byte) 127).setLength((short) dpidTLVValue.length).setValue(dpidTLVValue);
byte[] dpidArray = new byte[8];
ByteBuffer dpidBB = ByteBuffer.wrap(dpidArray);
ByteBuffer portBB = ByteBuffer.wrap(portId, 1, 2);
DatapathId dpid = srcSw.getId();
dpidBB.putLong(dpid.getLong());
System.arraycopy(dpidArray, 2, chassisId, 1, 6);
// Set the optionalTLV to the full SwitchID
System.arraycopy(dpidArray, 0, dpidTLVValue, 4, 8);
byte[] zeroMac = { 0, 0, 0, 0, 0, 0 };
byte[] srcMac = ofPortDesc.getHwAddr().getBytes();
if (Arrays.equals(srcMac, zeroMac)) {
int portVal = ofPortDesc.getPortNo().getPortNumber();
// this is a common scenario
logger.debug("Port {}/{} has zero hardware address: overwrite with lower 6 bytes of dpid", dpid.toString(), portVal);
System.arraycopy(dpidArray, 2, srcMac, 0, 6);
}
portBB.putShort(port.getShortPortNumber());
VerificationPacket vp = new VerificationPacket();
vp.setChassisId(new LLDPTLV().setType((byte) 1).setLength((short) chassisId.length).setValue(chassisId));
vp.setPortId(new LLDPTLV().setType((byte) 2).setLength((short) portId.length).setValue(portId));
vp.setTtl(new LLDPTLV().setType((byte) 3).setLength((short) ttlValue.length).setValue(ttlValue));
vp.getOptionalTLVList().add(dpidTLV);
// Add the controller identifier to the TLV value.
// vp.getOptionalTLVList().add(controllerTLV);
// Add T0 based on format from Floodlight LLDP
long time = System.currentTimeMillis();
long swLatency = srcSw.getLatency().getValue();
byte[] timestampTLVValue = ByteBuffer.allocate(Long.SIZE / 8 + 4).put((byte) 0x00).put((byte) 0x26).put((byte) 0xe1).put(// 0x01 is what we'll use to differentiate DPID (0x00) from time (0x01)
(byte) 0x01).putLong(time + swLatency).array();
LLDPTLV timestampTLV = new LLDPTLV().setType((byte) 127).setLength((short) timestampTLVValue.length).setValue(timestampTLVValue);
vp.getOptionalTLVList().add(timestampTLV);
// Type
byte[] typeTLVValue = ByteBuffer.allocate(Integer.SIZE / 8 + 4).put((byte) 0x00).put((byte) 0x26).put((byte) 0xe1).put((byte) 0x02).putInt(PathType.ISL.ordinal()).array();
LLDPTLV typeTLV = new LLDPTLV().setType((byte) 127).setLength((short) typeTLVValue.length).setValue(typeTLVValue);
vp.getOptionalTLVList().add(typeTLV);
if (sign) {
String token = JWT.create().withClaim("dpid", dpid.getLong()).withClaim("ts", time + swLatency).sign(algorithm);
byte[] tokenBytes = token.getBytes(Charset.forName("UTF-8"));
byte[] tokenTLVValue = ByteBuffer.allocate(4 + tokenBytes.length).put((byte) 0x00).put((byte) 0x26).put((byte) 0xe1).put((byte) 0x03).put(tokenBytes).array();
LLDPTLV tokenTLV = new LLDPTLV().setType((byte) 127).setLength((short) tokenTLVValue.length).setValue(tokenTLVValue);
vp.getOptionalTLVList().add(tokenTLV);
}
MacAddress dstMac = MacAddress.of(VERIFICATION_BCAST_PACKET_DST);
if (dstSw != null) {
OFPortDesc sw2OfPortDesc = dstSw.getPort(port);
dstMac = sw2OfPortDesc.getHwAddr();
}
Ethernet l2 = new Ethernet().setSourceMACAddress(MacAddress.of(srcMac)).setDestinationMACAddress(dstMac).setEtherType(EthType.IPv4);
IPv4Address dstIp = IPv4Address.of(VERIFICATION_PACKET_IP_DST);
if (dstSw != null) {
dstIp = IPv4Address.of(((InetSocketAddress) dstSw.getInetAddress()).getAddress().getAddress());
}
IPv4 l3 = new IPv4().setSourceAddress(IPv4Address.of(((InetSocketAddress) srcSw.getInetAddress()).getAddress().getAddress())).setDestinationAddress(dstIp).setTtl((byte) 64).setProtocol(IpProtocol.UDP);
UDP l4 = new UDP();
l4.setSourcePort(TransportPort.of(VERIFICATION_PACKET_UDP_PORT));
l4.setDestinationPort(TransportPort.of(VERIFICATION_PACKET_UDP_PORT));
l2.setPayload(l3);
l3.setPayload(l4);
l4.setPayload(vp);
byte[] data = l2.serialize();
OFPacketOut.Builder pob = srcSw.getOFFactory().buildPacketOut().setBufferId(OFBufferId.NO_BUFFER).setActions(getDiscoveryActions(srcSw, port)).setData(data);
OFMessageUtils.setInPort(pob, OFPort.CONTROLLER);
return pob.build();
} catch (Exception exception) {
logger.error("error generating verification packet: {}", exception);
}
return null;
}
use of com.auth0.jwt.interfaces.Verification in project DragonProxy by DragonetMC.
the class LoginChainDecoder method decode.
/**
* decode the chain data in Login packet for MCPE Note: the credit of this
* function goes to Nukkit development team
*/
public void decode() {
Map<String, List<String>> map = gson.fromJson(new String(this.chainJWT, StandardCharsets.UTF_8), new TypeToken<Map<String, List<String>>>() {
}.getType());
if (map.isEmpty() || !map.containsKey("chain") || map.get("chain").isEmpty())
return;
List<DecodedJWT> chainJWTs = new ArrayList<>();
// Add the JWT tokens to a chain
for (String token : map.get("chain")) chainJWTs.add(JWT.decode(token));
DecodedJWT clientJWT = null;
if (this.clientDataJWT != null) {
clientJWT = JWT.decode(new String(this.clientDataJWT, StandardCharsets.UTF_8));
chainJWTs.add(clientJWT);
}
// first step, check if the public provided key can decode the received chain
try {
ECPublicKey prevPublicKey = null;
for (DecodedJWT jwt : chainJWTs) {
JsonObject payload = gson.fromJson(new String(Base64.getDecoder().decode(jwt.getPayload())), JsonObject.class);
String encodedPublicKey = null;
ECPublicKey publicKey = null;
if (payload.has("identityPublicKey")) {
encodedPublicKey = payload.get("identityPublicKey").getAsString();
publicKey = (ECPublicKey) EC_KEY_FACTORY.generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(encodedPublicKey)));
}
// Trust the root ca public key and use it to verify the chain
if (ENCODED_ROOT_CA_KEY.equals(encodedPublicKey) && payload.has("certificateAuthority") && payload.get("certificateAuthority").getAsBoolean()) {
prevPublicKey = publicKey;
continue;
}
// This will happen if the root ca key we have does not match the one presented by the client chain
if (prevPublicKey == null)
throw new NullPointerException("No trusted public key found in chain, is the client logged in or cracked");
// Throws a SignatureVerificationException if the verification failed
Algorithm.ECDSA384(prevPublicKey, null).verify(jwt);
// Verification was successful since no exception was thrown
// Set the previous public key to this one so that it can be used
// to verify the next JWT token in the chain
prevPublicKey = publicKey;
}
// The for loop successfully verified all JWT tokens with no exceptions thrown
this.loginVerified = true;
Logger.getLogger(this.getClass().getSimpleName()).info("The LoginPacket has been successfully verified for integrity");
} catch (Exception e) {
this.loginVerified = false;
Logger.getLogger(this.getClass().getSimpleName()).info("Failed to verify the integrity of the LoginPacket");
e.printStackTrace();
}
// This is in its own for loop due to the possibility that the chain verification failed
for (DecodedJWT jwt : chainJWTs) {
JsonObject payload = gson.fromJson(new String(Base64.getDecoder().decode(jwt.getPayload())), JsonObject.class);
// Get the information we care about - The UUID and display name
if (payload.has("extraData") && !payload.has("certificateAuthority")) {
extraData = payload.get("extraData").getAsJsonObject();
if (extraData.has("displayName"))
this.username = extraData.get("displayName").getAsString();
if (extraData.has("identity"))
this.clientUniqueId = UUID.fromString(extraData.get("identity").getAsString());
break;
}
}
// debug purpose
if (log_profiles_files) {
try {
BufferedWriter writer1 = new BufferedWriter(new FileWriter("logs/" + username + ".rawChainJTW"));
writer1.write(getChainJWT());
writer1.close();
BufferedWriter writer = new BufferedWriter(new FileWriter("logs/" + username + ".rawClientDataJTW"));
writer.write(getClientDataJWT());
writer.close();
} catch (Exception ex) {
ex.printStackTrace();
}
// debug purpose
int index = 0;
for (DecodedJWT jwt : chainJWTs) {
JsonObject payload = gson.fromJson(new String(Base64.getDecoder().decode(jwt.getPayload())), JsonObject.class);
try {
BufferedWriter writer = new BufferedWriter(new FileWriter("logs/" + username + "_" + index + ".decodedChain"));
writer.write(payload.toString());
writer.close();
index++;
} catch (Exception ex) {
ex.printStackTrace();
}
}
}
// client data & skin
if (clientJWT != null) {
this.clientData = gson.fromJson(new String(Base64.getDecoder().decode(clientJWT.getPayload()), StandardCharsets.UTF_8), JsonObject.class);
// debug purpose
if (log_profiles_files) {
try {
BufferedWriter writer1 = new BufferedWriter(new FileWriter("logs/" + username + ".decodedData"));
writer1.write(this.clientData.toString());
writer1.close();
} catch (Exception ex) {
ex.printStackTrace();
}
}
if (this.clientData.has("ClientRandomId"))
this.clientId = this.clientData.get("ClientRandomId").getAsLong();
if (this.clientData.has("SkinData") && this.clientData.has("SkinId")) {
this.skin = new Skin(this.clientData.get("SkinData").getAsString(), this.clientData.get("SkinId").getAsString());
if (this.clientData.has("CapeData"))
this.skin.setCape(this.skin.new Cape(Base64.getDecoder().decode(this.clientData.get("CapeData").getAsString())));
} else
this.skin = Skin.DEFAULT_SKIN_STEVE;
if (this.clientData.has("SkinGeometryName"))
this.skinGeometryName = this.clientData.get("SkinGeometryName").getAsString();
if (this.clientData.has("SkinGeometry"))
this.skinGeometry = Base64.getDecoder().decode(this.clientData.get("SkinGeometry").getAsString());
}
}
use of com.auth0.jwt.interfaces.Verification in project ddf by codice.
the class TestOidc method processCredentialFlow.
/**
* Processes a credential flow request/response
*
* <ul>
* <li>Sets up a userinfo endpoint that responds with the given {@param userInfoResponse} when
* given {@param accessToken}
* <li>Sends a request to Intrigue with the {@param accessToken} as a parameter
* <li>Asserts that the response is teh expected response
* <li>Verifies if the userinfo endpoint is hit or not
* </ul>
*
* @return the response for additional verification
*/
private Response processCredentialFlow(String accessToken, String userInfoResponse, boolean isSigned, int expectedStatusCode, boolean userInfoShouldBeHit) {
// Host the user info endpoint with the access token in the auth header
String basicAuthHeader = "Bearer " + accessToken;
String contentType = isSigned ? "application/jwt" : APPLICATION_JSON;
whenHttp(server).match(get(USER_INFO_ENDPOINT_PATH), withHeader(AUTHORIZATION, basicAuthHeader)).then(ok(), contentType(contentType), bytesContent(userInfoResponse.getBytes()));
// Send a request to DDF with the access token
Response response = given().redirects().follow(false).expect().statusCode(expectedStatusCode).when().get(ROOT_URL.getUrl() + "?access_token=" + accessToken);
List<Call> endpointCalls = server.getCalls().stream().filter(call -> call.getMethod().getMethodString().equals(GET)).filter(call -> call.getUrl().equals(URL_START + USER_INFO_ENDPOINT_PATH)).collect(Collectors.toList());
if (userInfoShouldBeHit) {
assertThat(endpointCalls.size(), is(greaterThanOrEqualTo(1)));
} else {
assertThat(endpointCalls.size(), is(0));
}
return response;
}
Aggregations