
Example 46 with JWSVerifier

use of com.nimbusds.jose.JWSVerifier in project identity-inbound-auth-oauth by wso2-extensions.

the class OIDCLogoutServlet method validateIdToken.

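/**
 * Validate the signature of an ID token against the signing tenant's RSA public key.
 *
 * <p>Only the JWS signature is checked here. Claims such as {@code exp}, {@code iss},
 * {@code aud} and {@code nonce} are NOT validated by this method; callers that act on the
 * token's contents must verify them separately.</p>
 *
 * <p>The tenant whose key is used is derived from the not-yet-verified token by
 * {@link #getTenantDomainForSignatureValidation(String)}. The key itself is always loaded
 * from a server-side keystore, so a forged token can at most select another tenant key that
 * this server holds -- one more reason the caller must check {@code iss}/{@code aud}.</p>
 *
 * @param idToken compact-serialized ID token
 * @return {@code true} only if the token parses as a signed JWT and its RSA signature verifies
 *         with the resolved tenant key; {@code false} on any parse, keystore or verification failure
 */
private boolean validateIdToken(String idToken) {
    String tenantDomain = getTenantDomainForSignatureValidation(idToken);
    if (StringUtils.isEmpty(tenantDomain)) {
        return false;
    }
    int tenantId = IdentityTenantUtil.getTenantId(tenantDomain);
    try {
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        RSAPublicKey publicKey;
        if (MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
            publicKey = (RSAPublicKey) keyStoreManager.getDefaultPublicKey();
        } else {
            // Tenant keystores are named after the tenant domain with '.' replaced by '-'.
            String jksName = tenantDomain.trim().replace(".", "-") + ".jks";
            java.security.cert.Certificate certificate =
                    keyStoreManager.getKeyStore(jksName).getCertificate(tenantDomain);
            if (certificate == null) {
                // Fail closed with a diagnosable reason instead of an NPE swallowed by the
                // generic handler below.
                log.error("No certificate with alias '" + tenantDomain + "' found in keystore " + jksName
                        + " while validating id token signature.");
                return false;
            }
            publicKey = (RSAPublicKey) certificate.getPublicKey();
        }
        SignedJWT signedJWT = SignedJWT.parse(idToken);
        // RSASSAVerifier accepts RSA-family algorithms only: an HMAC-signed token fails with a
        // JOSEException and an "alg":"none" token is already rejected by SignedJWT.parse.
        JWSVerifier verifier = new RSASSAVerifier(publicKey);
        return signedJWT.verify(verifier);
    } catch (JOSEException | ParseException e) {
        // Never log the token itself: an ID token carries user PII and is accepted as a
        // credential by relying parties, so it must not end up in log files.
        if (log.isDebugEnabled()) {
            log.debug("Error occurred while validating id token signature.", e);
        }
        return false;
    } catch (Exception e) {
        // Keep the cause; a bare message made keystore problems impossible to diagnose.
        log.error("Error occurred while validating id token signature.", e);
        return false;
    }
}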

Example 47 with JWSVerifier

use of com.nimbusds.jose.JWSVerifier in project identity-inbound-auth-oauth by wso2-extensions.

the class DefaultLogoutTokenBuilder method validateIdTokenHint.

/**
 * Validate the signature of an {@code id_token_hint} presented for the given client.
 *
 * <p>Only the JWS signature is verified, using the RSA public key of the tenant that signs
 * tokens for the client's application. Claims are not checked here -- in particular it is not
 * verified that {@code aud} contains {@code clientId} or that {@code exp} is in the future --
 * so the caller must validate those before trusting the hint.</p>
 *
 * @param clientId OAuth client identifier used to resolve the signing tenant
 * @param idToken  compact-serialized ID token to verify
 * @return {@code true} when the token is a well-formed signed JWT whose RSA signature verifies
 *         with the tenant's key; {@code false} otherwise (including parse and keystore errors)
 * @throws IdentityOAuth2Exception     propagated from resolving the OAuth application for {@code clientId}
 * @throws InvalidOAuthClientException propagated from resolving the OAuth application for {@code clientId}
 */
private Boolean validateIdTokenHint(String clientId, String idToken) throws IdentityOAuth2Exception, InvalidOAuthClientException {
    String signingTenant = getSigningTenantDomain(getOAuthAppDO(clientId));
    if (StringUtils.isEmpty(signingTenant)) {
        return false;
    }
    int signingTenantId = IdentityTenantUtil.getTenantId(signingTenant);
    try {
        KeyStoreManager ksm = KeyStoreManager.getInstance(signingTenantId);
        RSAPublicKey signingKey;
        if (MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(signingTenant)) {
            signingKey = (RSAPublicKey) ksm.getDefaultPublicKey();
        } else {
            // Tenant keystores are named after the domain with '.' replaced by '-' (e.g. foo-com.jks);
            // the certificate alias is the tenant domain itself.
            String keyStoreFile = signingTenant.trim().replace(".", "-") + ".jks";
            signingKey = (RSAPublicKey) ksm.getKeyStore(keyStoreFile).getCertificate(signingTenant).getPublicKey();
        }
        // RSASSAVerifier only supports RSA-family algorithms, so HMAC or "none" tokens cannot pass.
        JWSVerifier rsaVerifier = new RSASSAVerifier(signingKey);
        return SignedJWT.parse(idToken).verify(rsaVerifier);
    } catch (JOSEException | ParseException e) {
        if (log.isDebugEnabled()) {
            log.debug("Error occurred while validating id token signature.", e);
        }
        return false;
    } catch (Exception e) {
        log.error("Error occurred while validating id token signature.", e);
        return false;
    }
}

Example 48 with JWSVerifier

use of com.nimbusds.jose.JWSVerifier in project identity-inbound-auth-oauth by wso2-extensions.

the class OAuth2Util method validateIdToken.

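/**
 * Validate the signature of an ID token against the signing tenant's RSA public key.
 *
 * <p>Only the JWS signature is verified. Standard claim checks ({@code exp}, {@code iss},
 * {@code aud}, {@code nonce}) are not performed here and must be done by the caller before
 * the token's contents are trusted.</p>
 *
 * <p>Key selection relies on claims of the still-unverified token: with
 * {@code JWTSignedWithSPKey} enabled the tenant is that of the application identified by
 * {@code aud[0]}; otherwise it is taken from a tenant-qualified {@code sub}, which requires
 * "Use tenant domain in local subject identifier" to be enabled in the SP configuration. The
 * key is always loaded from a server-side keystore, so a forged token can at most pick another
 * tenant hosted by this server -- which is why callers must additionally check {@code iss}/{@code aud}.</p>
 *
 * @param idToken compact-serialized ID token
 * @return {@code true} only if the token parses as a signed JWT, carries an {@code aud} claim,
 *         and its RSA signature verifies with the resolved tenant key; {@code false} on any failure
 */
public static boolean validateIdToken(String idToken) {
    boolean isJWTSignedWithSPKey = OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey();
    try {
        // Parse exactly once; the previous version re-parsed the token for every claim it read.
        SignedJWT signedJWT = SignedJWT.parse(idToken);
        java.util.List<String> audience = signedJWT.getJWTClaimsSet().getAudience();
        if (audience == null || audience.isEmpty()) {
            // An ID token without 'aud' is malformed; reject it explicitly instead of relying on
            // the IndexOutOfBoundsException the old get(0) produced (which was logged as a bare error).
            if (log.isDebugEnabled()) {
                log.debug("Id token has no 'aud' claim; cannot resolve the signing tenant.");
            }
            return false;
        }
        String tenantDomain;
        if (isJWTSignedWithSPKey) {
            // Signing tenant is the tenant of the application the token was issued to.
            OAuthAppDO oAuthAppDO = OAuth2Util.getAppInformationByClientId(audience.get(0));
            tenantDomain = OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO);
        } else {
            // The tenant domain is not sent with the subject in the id_token by default; for this
            // branch to work, enable "Use tenant domain in local subject identifier" in the SP config.
            tenantDomain = MultitenantUtils.getTenantDomain(signedJWT.getJWTClaimsSet().getSubject());
        }
        if (StringUtils.isEmpty(tenantDomain)) {
            return false;
        }
        int tenantId = IdentityTenantUtil.getTenantId(tenantDomain);
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        RSAPublicKey publicKey;
        if (org.wso2.carbon.base.MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
            publicKey = (RSAPublicKey) keyStoreManager.getDefaultPublicKey();
        } else {
            // Tenant keystores are named after the tenant domain with '.' replaced by '-';
            // the certificate alias is the tenant domain itself.
            String jksName = tenantDomain.trim().replace(".", "-") + ".jks";
            java.security.cert.Certificate certificate =
                    keyStoreManager.getKeyStore(jksName).getCertificate(tenantDomain);
            if (certificate == null) {
                log.error("No certificate with alias '" + tenantDomain + "' found in keystore " + jksName
                        + " while validating id token signature.");
                return false;
            }
            publicKey = (RSAPublicKey) certificate.getPublicKey();
        }
        // RSASSAVerifier accepts RSA-family algorithms only; HMAC tokens fail with a JOSEException
        // and "alg":"none" is rejected by SignedJWT.parse above.
        JWSVerifier verifier = new RSASSAVerifier(publicKey);
        return signedJWT.verify(verifier);
    } catch (JOSEException | ParseException e) {
        // The token itself is deliberately not logged: it carries PII and acts as a credential.
        if (log.isDebugEnabled()) {
            log.debug("Error occurred while validating id token signature.", e);
        }
        return false;
    } catch (Exception e) {
        // Keep the cause; previously only a fixed message was logged, hiding keystore failures
        // (missing alias, non-RSA key, unreadable keystore) from operators.
        log.error("Error occurred while validating id token signature.", e);
        return false;
    }
}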

Example 49 with JWSVerifier

use of com.nimbusds.jose.JWSVerifier in project VulnerableApp by SasanLabs.

the class JWTValidator method jwkKeyHeaderPublicKeyTrustingVulnerableValidator (an intentionally insecure example: the verification key is taken from the token's own jwk header).

/**
 * Intentionally vulnerable verifier: it trusts the public key embedded in the token's own
 * {@code jwk} header. Since the party that forged the token also chose that key, any token
 * carrying a matching {@code jwk} verifies. This is the "jwk header key trusting" weakness the
 * training app demonstrates -- not a pattern to reuse. A safe implementation resolves keys only
 * from a server-side trust store or a pinned, pre-configured JWKS, never from the token itself.
 *
 * <p>Behaviour: tokens whose {@code alg} starts with the HMAC identifier, or that lack an
 * {@code alg} or {@code jwk} header, yield {@code false}. For RSA / RSA-PSS, EC and Octet
 * (Ed25519) algorithms the header key is parsed and used to verify the signature. For any other
 * non-HMAC algorithm the verifier stays {@code null} and verification is still attempted.</p>
 *
 * @param token compact-serialized JWT
 * @return the signature verification result, or {@code false} as described above
 * @throws ServiceApplicationException on decoding, parsing or JOSE errors
 */
@Override
public boolean jwkKeyHeaderPublicKeyTrustingVulnerableValidator(String token) throws ServiceApplicationException {
    try {
        String[] segments = token.split(JWTUtils.JWT_TOKEN_PERIOD_CHARACTER_REGEX, -1);
        byte[] rawHeader = Base64.getUrlDecoder().decode(segments[0].getBytes(StandardCharsets.UTF_8));
        JSONObject headerJson = new JSONObject(JWTUtils.getString(rawHeader));
        if (!headerJson.has(JWTUtils.JWT_ALGORITHM_KEY_HEADER)) {
            return false;
        }
        String algorithm = headerJson.getString(JWTUtils.JWT_ALGORITHM_KEY_HEADER);
        if (algorithm.startsWith(JWTUtils.JWT_HMAC_ALGORITHM_IDENTIFIER)
                || !headerJson.has(JWTUtils.JSON_WEB_KEY_HEADER)) {
            return false;
        }
        // VULNERABLE: key material is taken straight from the untrusted header.
        JWSVerifier headerKeyVerifier = null;
        if (algorithm.startsWith(JWTUtils.JWT_RSA_ALGORITHM_IDENTIFIER)
                || algorithm.startsWith(JWTUtils.JWT_RSA_PSS_ALGORITHM_IDENTIFIER)) {
            RSAKey rsaJwk = RSAKey.parse(headerJson.getJSONObject(JWTUtils.JSON_WEB_KEY_HEADER).toString());
            headerKeyVerifier = new RSASSAVerifier(rsaJwk.toRSAPublicKey());
        } else if (algorithm.startsWith(JWTUtils.JWT_EC_ALGORITHM_IDENTIFIER)) {
            ECKey ecJwk = ECKey.parse(headerJson.getJSONObject(JWTUtils.JSON_WEB_KEY_HEADER).toString());
            headerKeyVerifier = new ECDSAVerifier(ecJwk.toECPublicKey());
        } else if (algorithm.startsWith(JWTUtils.JWT_OCTET_ALGORITHM_IDENTIFIER)) {
            headerKeyVerifier = new Ed25519Verifier(OctetKeyPair.parse(headerJson.getString(JWTUtils.JSON_WEB_KEY_HEADER)));
        }
        return SignedJWT.parse(token).verify(headerKeyVerifier);
    } catch (UnsupportedEncodingException | ParseException | JOSEException ex) {
        throw new ServiceApplicationException("Following exception occurred: ", ex, ExceptionStatusCodeEnum.SYSTEM_ERROR);
    }
}

Example 50 with JWSVerifier

use of com.nimbusds.jose.JWSVerifier in project spid-cie-oidc-java by italia.

the class JWTHelper method verifyJWS.

/**
 * Verify the signature of a JWS against a trusted key set.
 *
 * <p>The key is selected by the {@code kid} header and must exist in {@code jwkSet}; the
 * header algorithm must pass {@link #isValidAlgorithm} before any verifier is built, so a
 * token advertising an unsupported algorithm fails closed. Whether the selected JWK's own
 * {@code kty}/{@code alg}/{@code use} are compatible with the header algorithm is not checked
 * in this method -- presumably {@code getJWSVerifier} (defined elsewhere in this class) does so;
 * confirm before relying on it.</p>
 *
 * @param jws    signed JWT to verify
 * @param jwkSet key set to resolve {@code kid} against
 * @return the outcome of signature verification
 * @throws JWTException.UnknownKid           if no key with the header's {@code kid} is in the set
 * @throws JWTException.UnsupportedAlgorithm if the header algorithm is not allowed
 * @throws JWTException.Verifier             if building the verifier or verifying throws
 */
public boolean verifyJWS(SignedJWT jws, JWKSet jwkSet) throws OIDCException {
    String keyId = jws.getHeader().getKeyID();
    JWK selectedKey = jwkSet.getKeyByKeyId(keyId);
    if (selectedKey == null) {
        throw new JWTException.UnknownKid(keyId, jwkSet.toString());
    }
    JWSAlgorithm headerAlg = jws.getHeader().getAlgorithm();
    if (!isValidAlgorithm(headerAlg)) {
        throw new JWTException.UnsupportedAlgorithm(headerAlg.toString());
    }
    boolean verified;
    try {
        verified = jws.verify(getJWSVerifier(headerAlg, selectedKey));
    } catch (Exception e) {
        throw new JWTException.Verifier(e);
    }
    return verified;
}
