
Example 16 with JWSVerifier

use of com.nimbusds.jose.JWSVerifier in project token-support by navikt.

In the class ClientAssertionTest, method testCreateAssertion.

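/**
 * Builds a {@link ClientAssertion} for private_key_jwt client authentication and checks
 * that the produced client assertion is a well-formed, verifiable JWT: the header names the
 * client's key and RS256, the signature verifies with the client's own RSA key, and the
 * claims follow the client-assertion profile (iss == sub == client_id, aud == token endpoint,
 * exp in the future, nbf before exp).
 *
 * @throws ParseException if the assertion cannot be parsed as a signed JWT
 * @throws JOSEException  if the verifier cannot process the signature
 */
@Test
void testCreateAssertion() throws ParseException, JOSEException {
    ClientAuthenticationProperties clientAuth = ClientAuthenticationProperties.builder().clientJwk("src/test/resources/jwk.json").clientId("client1").clientAuthMethod(ClientAuthenticationMethod.PRIVATE_KEY_JWT).build();
    ClientProperties clientProperties = ClientProperties.builder().grantType(OAuth2GrantType.CLIENT_CREDENTIALS).tokenEndpointUrl(URI.create("http://token")).authentication(clientAuth).build();
    // Taken before the assertion is minted so the exp check below has a safe lower bound.
    Instant now = Instant.now();
    ClientAssertion clientAssertion = new ClientAssertion(clientProperties.getTokenEndpointUrl(), clientProperties.getAuthentication());
    assertThat(clientAssertion).isNotNull();
    assertThat(clientAssertion.assertionType()).isEqualTo("urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
    // Capture the assertion once and run every check against that same string; calling
    // assertion() again could mint a fresh JWT (new timestamps/jti), so the original test's
    // second call did not actually check the token that is parsed below.
    String assertion = clientAssertion.assertion();
    assertThat(assertion).isNotNull();
    SignedJWT signedJWT = SignedJWT.parse(assertion);
    // Header: kid must point at the client's key so the AS can pick the right public key.
    String keyId = clientProperties.getAuthentication().getClientRsaKey().getKeyID();
    assertThat(signedJWT.getHeader().getKeyID()).isEqualTo(keyId);
    assertThat(signedJWT.getHeader().getType()).isEqualTo(JOSEObjectType.JWT);
    assertThat(signedJWT.getHeader().getAlgorithm()).isEqualTo(JWSAlgorithm.RS256);
    // Signature: must verify with the public part of the same RSA key that signed it.
    JWSVerifier verifier = new RSASSAVerifier(clientAuth.getClientRsaKey());
    assertThat(signedJWT.verify(verifier)).isTrue();
    // Claims: iss and sub are both the client_id, aud is the token endpoint (RFC 7523 profile).
    JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
    assertThat(claims.getSubject()).isEqualTo(clientAuth.getClientId());
    assertThat(claims.getIssuer()).isEqualTo(clientAuth.getClientId());
    assertThat(claims.getAudience()).containsExactly(clientProperties.getTokenEndpointUrl().toString());
    assertThat(claims.getExpirationTime()).isAfter(Date.from(now));
    assertThat(claims.getNotBeforeTime()).isBefore(claims.getExpirationTime());
}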
Also used : ClientProperties(no.nav.security.token.support.client.core.ClientProperties) RSASSAVerifier(com.nimbusds.jose.crypto.RSASSAVerifier) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) Instant(java.time.Instant) JWSVerifier(com.nimbusds.jose.JWSVerifier) SignedJWT(com.nimbusds.jwt.SignedJWT) ClientAuthenticationProperties(no.nav.security.token.support.client.core.ClientAuthenticationProperties) Test(org.junit.jupiter.api.Test)

Example 17 with JWSVerifier

use of com.nimbusds.jose.JWSVerifier in project athenz by AthenZ.

In the class ZMSImplTest, method testGetJWSDomainP1363Signature.

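/**
 * Creates a top-level domain, fetches it through {@code getJWSDomain} and checks that the
 * returned JWS signature verifies against the public half of the ZMS server's signing key.
 * The domain is deleted in a {@code finally} block so that a failing assertion does not
 * leave the domain behind for later tests.
 *
 * @throws JsonProcessingException propagated from the ZMS calls; not caught here
 * @throws ParseException          propagated from the ZMS calls; not caught here
 * @throws JOSEException           if the verifier cannot process the signature
 */
@Test
public void testGetJWSDomainP1363Signature() throws JsonProcessingException, ParseException, JOSEException {
    final String domainName = "jws-domain-p1363";
    TopLevelDomain dom1 = zmsTestInitializer.createTopLevelDomainObject(domainName, "Test Domain1", "testOrg", zmsTestInitializer.getAdminUser());
    zmsTestInitializer.getZms().postTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), zmsTestInitializer.getAuditRef(), dom1);
    try {
        // NOTE(review): Boolean.TRUE presumably selects the P1363 signature encoding the test
        // name refers to — confirm against getJWSDomain's signature.
        Response response = zmsTestInitializer.getZms().getJWSDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, Boolean.TRUE, null);
        JWSDomain jwsDomain = (JWSDomain) response.getEntity();
        // Reassemble the detached header / payload / signature parts into a JWS object.
        JWSObject jwsObject = new JWSObject(Base64URL.from(jwsDomain.getProtectedHeader()), Base64URL.from(jwsDomain.getPayload()), Base64URL.from(jwsDomain.getSignature()));
        // Verify with the public key derived from the server's own private signing key.
        JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) Crypto.extractPublicKey(zmsTestInitializer.getZms().privateKey.getKey()));
        assertTrue(jwsObject.verify(verifier));
    } finally {
        // Clean up even when verification fails, so subsequent tests start from a clean state.
        zmsTestInitializer.getZms().deleteTopLevelDomain(zmsTestInitializer.getMockDomRsrcCtx(), domainName, zmsTestInitializer.getAuditRef());
    }
}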
Also used : Response(javax.ws.rs.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) RSASSAVerifier(com.nimbusds.jose.crypto.RSASSAVerifier) JWSVerifier(com.nimbusds.jose.JWSVerifier) JWSObject(com.nimbusds.jose.JWSObject)

Example 18 with JWSVerifier

use of com.nimbusds.jose.JWSVerifier in project identity-inbound-auth-oauth by wso2-extensions.

In the class RequestObjectValidatorUtil, method isSignatureVerified.

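/**
 * Validate the signedJWT signature with given certificate.
 * <p>
 * Only RSA-based JWS algorithms (names starting with {@code RS} or {@code PS}) are accepted,
 * and the certificate must carry an RSA public key; any other combination is treated as an
 * unverified signature. Verification failures are logged at debug level only, and only the
 * JWS header is included in the log, since the request object itself may carry sensitive
 * claims.
 *
 * @param signedJWT       signed JWT
 * @param x509Certificate X509 certificate
 * @return {@code true} if the signature verifies with the certificate's public key,
 *         {@code false} when the certificate is missing, the algorithm or key type is
 *         unsupported, or the signature does not verify
 */
public static boolean isSignatureVerified(SignedJWT signedJWT, Certificate x509Certificate) {
    JWSHeader header = signedJWT.getHeader();
    if (x509Certificate == null) {
        if (log.isDebugEnabled()) {
            log.debug("Unable to locate certificate for JWT " + header.toString());
        }
        return false;
    }
    String alg = header.getAlgorithm().getName();
    if (log.isDebugEnabled()) {
        log.debug("Signature Algorithm found in the JWT Header: " + alg);
    }
    // Reject anything that is not an RSA-based algorithm before touching the key.
    if (!(alg.indexOf(RS) == 0 || alg.indexOf(PS) == 0)) {
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm not supported yet : " + alg);
        }
        return false;
    }
    PublicKey publicKey = x509Certificate.getPublicKey();
    if (!(publicKey instanceof RSAPublicKey)) {
        if (log.isDebugEnabled()) {
            log.debug("Public key is not an RSA public key.");
        }
        return false;
    }
    JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
    try {
        return signedJWT.verify(verifier);
    } catch (JOSEException e) {
        if (log.isDebugEnabled()) {
            // Log the header only: the serialized request object may contain sensitive claims
            // and must not end up in log files.
            log.debug("Unable to verify the signature of the request object with header: " + header.toString(), e);
        }
        return false;
    }
}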
Also used : RSAPublicKey(java.security.interfaces.RSAPublicKey) PublicKey(java.security.PublicKey) RSAPublicKey(java.security.interfaces.RSAPublicKey) RSASSAVerifier(com.nimbusds.jose.crypto.RSASSAVerifier) JWSVerifier(com.nimbusds.jose.JWSVerifier) JOSEException(com.nimbusds.jose.JOSEException) JWSHeader(com.nimbusds.jose.JWSHeader)

Example 19 with JWSVerifier

use of com.nimbusds.jose.JWSVerifier in project identity-inbound-auth-oauth by wso2-extensions.

In the class JWTSignatureValidationUtils, method validateUsingCertificate.

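/**
 * Validate the JWT signature using the certificate registered for the identity provider.
 * <p>
 * The signer certificate is resolved with {@code resolveSignerCertificate} and passed through
 * {@code checkValidity}; only algorithms whose name starts with {@code RS} are accepted and the
 * certificate must carry an RSA public key. Error conditions are routed through the
 * {@code handleClientException} / {@code handleServerException} helpers.
 *
 * @param signedJWT Signed JWT whose signature is to be validated.
 * @param idp       Identity provider to get the certificate.
 * @return boolean value depending on the success of the validation.
 * @throws IdentityOAuth2Exception if no certificate can be resolved, the algorithm is missing
 *                                 or unsupported, or the certificate key is not an RSA key
 *                                 (raised via the handle*Exception helpers)
 * @throws JOSEException if the verifier cannot process the signature
 */
private static boolean validateUsingCertificate(SignedJWT signedJWT, IdentityProvider idp) throws IdentityOAuth2Exception, JOSEException {
    JWSHeader header = signedJWT.getHeader();
    X509Certificate x509Certificate = resolveSignerCertificate(header, idp);
    if (x509Certificate == null) {
        handleClientException("Unable to locate certificate for Identity Provider " + idp.getDisplayName() + "; JWT " + header.toString());
    }
    checkValidity(x509Certificate);
    String alg = header.getAlgorithm().getName();
    JWSVerifier verifier = null;
    if (StringUtils.isEmpty(alg)) {
        handleClientException("Algorithm must not be null.");
    } else {
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm found in the JWT Header: " + alg);
        }
        if (alg.startsWith("RS")) {
            // At this point 'x509Certificate' will never be null.
            PublicKey publicKey = x509Certificate.getPublicKey();
            if (publicKey instanceof RSAPublicKey) {
                verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
            } else {
                handleClientException("Public key is not an RSA public key.");
            }
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Signature Algorithm not supported yet : " + alg);
            }
        }
    }
    // The handle*Exception helpers are expected to throw (not visible here — confirm), but
    // the guard is kept outside the branches so a null verifier can never reach verify()
    // whichever path was taken.
    if (verifier == null) {
        handleServerException("Could not create a signature verifier for algorithm type: " + alg);
    }
    return signedJWT.verify(verifier);
}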
Also used : RSAPublicKey(java.security.interfaces.RSAPublicKey) PublicKey(java.security.PublicKey) RSAPublicKey(java.security.interfaces.RSAPublicKey) RSASSAVerifier(com.nimbusds.jose.crypto.RSASSAVerifier) JWSVerifier(com.nimbusds.jose.JWSVerifier) JWSHeader(com.nimbusds.jose.JWSHeader) X509Certificate(java.security.cert.X509Certificate)

Example 20 with JWSVerifier

use of com.nimbusds.jose.JWSVerifier in project identity-inbound-auth-oauth by wso2-extensions.

In the class OAuth2JWTTokenValidator, method validateSignature.

/**
 * Checks the JWT signature against the certificate resolved for the issuing identity provider.
 * <p>
 * Accepts only algorithms whose name starts with {@code ALGO_PREFIX} or {@code ALGO_PREFIX_PS}
 * and requires the certificate to carry an RSA public key; every other situation is reported
 * as an {@link IdentityOAuth2Exception} rather than a {@code false} result.
 *
 * @param signedJWT the signed JWT to check
 * @param idp       identity provider whose certificate is used as the verification key
 * @return the result of {@code signedJWT.verify(...)}
 * @throws IdentityOAuth2Exception if no certificate is found, the algorithm name is empty or
 *                                 unsupported, or the certificate key is not an RSA key
 * @throws JOSEException if the verifier cannot process the signature
 */
private boolean validateSignature(SignedJWT signedJWT, IdentityProvider idp) throws JOSEException, IdentityOAuth2Exception {
    JWSHeader jwsHeader = signedJWT.getHeader();
    X509Certificate signerCert = resolveSignerCertificate(jwsHeader, idp);
    if (signerCert == null) {
        throw new IdentityOAuth2Exception("Unable to locate certificate for Identity Provider: " + idp.getDisplayName());
    }
    String algorithmName = jwsHeader.getAlgorithm().getName();
    if (StringUtils.isEmpty(algorithmName)) {
        throw new IdentityOAuth2Exception("Algorithm must not be null.");
    }
    if (log.isDebugEnabled()) {
        log.debug("Signature Algorithm found in the Token Header: " + algorithmName);
    }
    // Only RSA-based algorithms are handled; anything else cannot get a verifier.
    boolean rsaBased = algorithmName.indexOf(ALGO_PREFIX) == 0 || algorithmName.indexOf(ALGO_PREFIX_PS) == 0;
    if (!rsaBased) {
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm not supported yet: " + algorithmName);
        }
        throw new IdentityOAuth2Exception("Could not create a signature verifier for algorithm type: " + algorithmName);
    }
    PublicKey signerKey = signerCert.getPublicKey();
    if (!(signerKey instanceof RSAPublicKey)) {
        throw new IdentityOAuth2Exception("Public key is not an RSA public key.");
    }
    JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) signerKey);
    boolean verified = signedJWT.verify(verifier);
    if (log.isDebugEnabled()) {
        log.debug("Signature verified: " + verified);
    }
    return verified;
}
Also used : IdentityOAuth2Exception(org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception) RSAPublicKey(java.security.interfaces.RSAPublicKey) RSAPublicKey(java.security.interfaces.RSAPublicKey) PublicKey(java.security.PublicKey) RSASSAVerifier(com.nimbusds.jose.crypto.RSASSAVerifier) JWSVerifier(com.nimbusds.jose.JWSVerifier) JWSHeader(com.nimbusds.jose.JWSHeader) X509Certificate(java.security.cert.X509Certificate)
