Example 36 with JWSHeader

Use of com.nimbusds.jose.JWSHeader in project carbon-apimgt by wso2.

Class JWTWithRSASignatureImpl, method rsaSignAndSerialize.

/**
 * {@inheritDoc}
 */
@Override
public String rsaSignAndSerialize(RSAPrivateKey rsaPrivateKey, JWTClaimsSet claimsSet) throws APIManagementException {
    if (rsaPrivateKey == null) {
        throw new IllegalArgumentException("The private key must not be null");
    }
    if (claimsSet == null) {
        throw new IllegalArgumentException("The JWTClaimsSet must not be null");
    }
    JWSSigner signer = new RSASSASigner(rsaPrivateKey);
    SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);
    try {
        jwt.sign(signer);
    } catch (JOSEException e) {
        throw new APIManagementException("Error signing JWT ", e);
    }
    return jwt.serialize();
}
Also used: APIManagementException (org.wso2.carbon.apimgt.core.exception.APIManagementException), RSASSASigner (com.nimbusds.jose.crypto.RSASSASigner), SignedJWT (com.nimbusds.jwt.SignedJWT), JWSSigner (com.nimbusds.jose.JWSSigner), JOSEException (com.nimbusds.jose.JOSEException), JWSHeader (com.nimbusds.jose.JWSHeader)

Example 37 with JWSHeader

Use of com.nimbusds.jose.JWSHeader in project java-docs-samples by GoogleCloudPlatform.

Class BuildIapRequest, method getSignedJwt.

private static String getSignedJwt(ServiceAccountCredentials credentials, String iapClientId) throws Exception {
    Instant now = Instant.now(clock);
    long expirationTime = now.getEpochSecond() + EXPIRATION_TIME_IN_SECONDS;
    // generate jwt signed by service account
    // header must contain algorithm ("alg") and key ID ("kid")
    JWSHeader jwsHeader = new JWSHeader.Builder(JWSAlgorithm.RS256)
            .keyID(credentials.getPrivateKeyId())
            .build();
    // set required claims
    JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .audience(OAUTH_TOKEN_URI)
            .issuer(credentials.getClientEmail())
            .subject(credentials.getClientEmail())
            .issueTime(Date.from(now))
            .expirationTime(Date.from(Instant.ofEpochSecond(expirationTime)))
            .claim("target_audience", iapClientId)
            .build();
    // sign using service account private key
    JWSSigner signer = new RSASSASigner(credentials.getPrivateKey());
    SignedJWT signedJwt = new SignedJWT(jwsHeader, claims);
    signedJwt.sign(signer);
    return signedJwt.serialize();
}
Also used: JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet), Instant (java.time.Instant), RSASSASigner (com.nimbusds.jose.crypto.RSASSASigner), SignedJWT (com.nimbusds.jwt.SignedJWT), JWSSigner (com.nimbusds.jose.JWSSigner), JWSHeader (com.nimbusds.jose.JWSHeader)

Example 38 with JWSHeader

Use of com.nimbusds.jose.JWSHeader in project java-docs-samples by GoogleCloudPlatform.

Class VerifyIapRequestHeader, method verifyJwt.

private boolean verifyJwt(String jwtToken, String expectedAudience) throws Exception {
    // parse signed token into header / claims
    SignedJWT signedJwt = SignedJWT.parse(jwtToken);
    JWSHeader jwsHeader = signedJwt.getHeader();
    // header must have algorithm("alg") and "kid"
    Preconditions.checkNotNull(jwsHeader.getAlgorithm());
    Preconditions.checkNotNull(jwsHeader.getKeyID());
    JWTClaimsSet claims = signedJwt.getJWTClaimsSet();
    // claims must have audience, issuer
    Preconditions.checkArgument(claims.getAudience().contains(expectedAudience));
    Preconditions.checkArgument(claims.getIssuer().equals(IAP_ISSUER_URL));
    // claim must have issued at time in the past
    Date currentTime = Date.from(Instant.now(clock));
    Preconditions.checkArgument(claims.getIssueTime().before(currentTime));
    // claim must have expiration time in the future
    Preconditions.checkArgument(claims.getExpirationTime().after(currentTime));
    // must have subject, email
    Preconditions.checkNotNull(claims.getSubject());
    Preconditions.checkNotNull(claims.getClaim("email"));
    // verify using public key : lookup with key id, algorithm name provided
    ECPublicKey publicKey = getKey(jwsHeader.getKeyID(), jwsHeader.getAlgorithm().getName());
    Preconditions.checkNotNull(publicKey);
    JWSVerifier jwsVerifier = new ECDSAVerifier(publicKey);
    return signedJwt.verify(jwsVerifier);
}
Also used: ECDSAVerifier (com.nimbusds.jose.crypto.ECDSAVerifier), ECPublicKey (java.security.interfaces.ECPublicKey), JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet), JWSVerifier (com.nimbusds.jose.JWSVerifier), SignedJWT (com.nimbusds.jwt.SignedJWT), JWSHeader (com.nimbusds.jose.JWSHeader), Date (java.util.Date)

Example 39 with JWSHeader

Use of com.nimbusds.jose.JWSHeader in project Payara by payara.

Class AzureSecretsConfigSource, method buildJwt.

private static SignedJWT buildJwt(final String issuer, final String audience, final String thumbprint) {
    Instant now = Instant.now();
    Instant expiry = now.plus(1, ChronoUnit.MINUTES);
    JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .subject(issuer)
            .audience(audience)
            .expirationTime(Date.from(expiry))
            .issueTime(Date.from(now))
            .issuer(issuer)
            .build();
    byte[] bytes = DatatypeConverter.parseHexBinary(thumbprint);
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).type(JOSEObjectType.JWT).x509CertThumbprint(Base64URL.encode(bytes)).build();
    return new SignedJWT(header, claims);
}
Also used: JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet), Instant (java.time.Instant), ClientBuilder (javax.ws.rs.client.ClientBuilder), SignedJWT (com.nimbusds.jwt.SignedJWT), JWSHeader (com.nimbusds.jose.JWSHeader)

Example 40 with JWSHeader

Use of com.nimbusds.jose.JWSHeader in project tomee by apache.

Class Tokens, method asToken.

public static String asToken(final String claims) throws Exception {
    final PrivateKey pk = readPrivateKey("/testkey.pem");
    try {
        final JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).type(JOSEObjectType.JWT).build();
        final JWTClaimsSet claimsSet = JWTClaimsSet.parse(claims);
        final SignedJWT jwt = new SignedJWT(header, claimsSet);
        jwt.sign(new RSASSASigner(pk));
        return jwt.serialize();
    } catch (Exception e) {
        // keep the original exception as the cause so parse and signing failures stay diagnosable
        throw new RuntimeException("Could not sign JWT", e);
    }
}
Also used: PrivateKey (java.security.PrivateKey), JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet), RSASSASigner (com.nimbusds.jose.crypto.RSASSASigner), SignedJWT (com.nimbusds.jwt.SignedJWT), JWSHeader (com.nimbusds.jose.JWSHeader)
