
Example 21 with JWSVerifier

Use of com.nimbusds.jose.JWSVerifier in project conformance-suite by openid-certification.

Class ValidateRequestObjectSignature, method evaluate.

import java.security.Key;
import java.text.ParseException;
import java.util.List;

import com.google.gson.GsonBuilder;
import com.google.gson.JsonObject;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.JWSVerifierFactory;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.proc.SimpleSecurityContext;
import com.nimbusds.jwt.SignedJWT;
import net.openid.conformance.condition.PostEnvironment;
import net.openid.conformance.condition.PreEnvironment;

@Override
@PreEnvironment(required = { "authorization_request_object", "client_public_jwks", "client" })
@PostEnvironment(strings = "request_object_signing_alg")
public Environment evaluate(Environment env) {
    String requestObject = env.getString("authorization_request_object", "value");
    JsonObject clientJwks = env.getObject("client_public_jwks");
    try {
        SignedJWT jwt = SignedJWT.parse(requestObject);
        JWKSet jwkSet = JWKSet.parse(clientJwks.toString());
        JsonObject client = env.getObject("client");
        if (client.has("request_object_signing_alg")) {
            // https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
            // request_object_signing_alg:
            // All Request Objects from this Client MUST be rejected if not signed with this algorithm.
            // The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.
            // The "alg" header comes from the not-yet-verified JWT, so it is pinned to the
            // registered value before any key is selected from it.
            String expectedAlg = OIDFJSON.getString(client.get("request_object_signing_alg"));
            JWSAlgorithm jwsAlgorithm = jwt.getHeader().getAlgorithm();
            if (!jwsAlgorithm.getName().equals(expectedAlg)) {
                throw error("Algorithm in JWT header does not match client request_object_signing_alg.",
                        args("actual", jwsAlgorithm.getName(), "expected", expectedAlg));
            }
        }
        // Select candidate keys from the client's registered JWKS that fit the header "alg".
        SecurityContext context = new SimpleSecurityContext();
        JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(jwkSet);
        JWSKeySelector<SecurityContext> selector = new JWSVerificationKeySelector<>(jwt.getHeader().getAlgorithm(), jwkSource);
        // TODO signature verification should be changed to use kids
        List<? extends Key> keys = selector.selectJWSKeys(jwt.getHeader(), context);
        if (keys == null || keys.isEmpty()) {
            throw error("Could not find any keys that can be used to verify this signature",
                    args("requestObject", requestObject, "clientJwks", clientJwks));
        }
        // Try every candidate key; the first successful verification is accepted.
        for (Key key : keys) {
            JWSVerifierFactory factory = new DefaultJWSVerifierFactory();
            JWSVerifier verifier = factory.createJWSVerifier(jwt.getHeader(), key);
            if (jwt.verify(verifier)) {
                String alg = jwt.getHeader().getAlgorithm().getName();
                env.putString("request_object_signing_alg", alg);
                logSuccess("Request object signature validated using a key in the client's JWKS "
                        + "and using the client's registered request_object_signing_alg",
                        args("request_object_signing_alg", alg, "jwk", key.toString(), "request_object", requestObject));
                return env;
            } else {
                // failed to verify with this key, moving on
                // not a failure yet as it might pass with a different key
                log("Failed to verify signature using key", args("key", key.toString(), "requestObject", requestObject));
            }
        }
        // if we got here, it hasn't been verified by any key
        throw error("Unable to verify request object signature based on client keys",
                args("jwt_header", jwt.getHeader().toString(),
                        "keys", new GsonBuilder().setPrettyPrinting().create().toJson(keys),
                        "clientJwks", clientJwks, "requestObject", requestObject));
    } catch (JOSEException | ParseException e) {
        throw error("error validating request object signature", e);
    }
}

Example 22 with JWSVerifier

Use of com.nimbusds.jose.JWSVerifier in project conformance-suite by openid-certification.

Class AbstractValidateJWKs, method verifyJWTAfterSigned.

import java.security.Key;
import java.util.List;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.JWSVerifierFactory;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.proc.SimpleSecurityContext;
import com.nimbusds.jwt.SignedJWT;

// Sanity check on a configured key pair: a test JWS signed with the private key must verify
// with every matching public key in the set. Unlike the other examples, a single failing key
// is treated as an error here, because it indicates a mismatched private/public exponent.
// JWKUtil is the conformance-suite's own helper class.
private void verifyJWTAfterSigned(JWKSet jwkSet, SignedJWT jwt) throws JOSEException {
    SecurityContext context = new SimpleSecurityContext();
    JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(jwkSet);
    JWSKeySelector<SecurityContext> selector = new JWSVerificationKeySelector<>(jwt.getHeader().getAlgorithm(), jwkSource);
    List<? extends Key> keys = selector.selectJWSKeys(jwt.getHeader(), context);
    for (Key key : keys) {
        JWSVerifierFactory factory = new DefaultJWSVerifierFactory();
        JWSVerifier verifier = factory.createJWSVerifier(jwt.getHeader(), key);
        if (!jwt.verify(verifier)) {
            throw error("Invalid JWKs supplied in configuration. Private and public exponent don't match (test JWS could not be verified)",
                    args("jws", jwt.serialize(), "jwks", JWKUtil.getPrivateJwksAsJsonObject(jwkSet)));
        }
    }
}

Example 23 with JWSVerifier

Use of com.nimbusds.jose.JWSVerifier in project conformance-suite by openid-certification.

Class AbstractVerifyJwsSignature, method verifySignature.

import java.security.Key;
import java.util.List;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.JWSVerifierFactory;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.proc.SimpleSecurityContext;
import com.nimbusds.jwt.SignedJWT;

// Returns true if any key in the JWKS that matches the header "alg" verifies the signature.
protected boolean verifySignature(SignedJWT jwt, JWKSet jwkSet) throws JOSEException {
    SecurityContext context = new SimpleSecurityContext();
    JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(jwkSet);
    JWSKeySelector<SecurityContext> selector = new JWSVerificationKeySelector<>(jwt.getHeader().getAlgorithm(), jwkSource);
    List<? extends Key> keys = selector.selectJWSKeys(jwt.getHeader(), context);
    for (Key key : keys) {
        JWSVerifierFactory factory = new DefaultJWSVerifierFactory();
        JWSVerifier verifier = factory.createJWSVerifier(jwt.getHeader(), key);
        if (jwt.verify(verifier)) {
            return true;
        }
        // failed to verify with this key, moving on
        // not a failure yet as it might pass with a different key
    }
    // if we got here, it hasn't been verified by any key
    return false;
}

Example 24 with JWSVerifier

Use of com.nimbusds.jose.JWSVerifier in project conformance-suite by openid-certification.

Class SignRequestObject_UnitTest, method testEvaluate_valuesPresent.

import static org.assertj.core.api.Assertions.assertThat; // AssertJ, inferred from the assertion style
import static org.mockito.Mockito.atLeastOnce;            // Mockito, inferred from verify(...)
import static org.mockito.Mockito.verify;

import java.security.Key;
import java.text.ParseException;
import java.util.List;

import org.junit.Test;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.JWSVerifierFactory;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.proc.SimpleSecurityContext;
import com.nimbusds.jwt.SignedJWT;

/**
 * Test method for {@link SignRequestObject#evaluate(Environment)}.
 *
 * @throws JOSEException
 * @throws ParseException
 */
@Test
public void testEvaluate_valuesPresent() throws JOSEException, ParseException {
    env.putObject("client_jwks", jwks);
    env.putObject("request_object_claims", requestObjectClaims);
    cond.execute(env);
    verify(env, atLeastOnce()).getObject("request_object_claims");
    String requestObjectString = env.getString("request_object");
    assertThat(requestObjectString).isNotNull();
    // Validate the signed object against the same JWKS the condition signed it with
    boolean validSignature = false;
    SignedJWT jwt = SignedJWT.parse(requestObjectString);
    JWKSet jwkSet = JWKSet.parse(jwks.toString());
    SecurityContext context = new SimpleSecurityContext();
    JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(jwkSet);
    JWSKeySelector<SecurityContext> selector = new JWSVerificationKeySelector<>(jwt.getHeader().getAlgorithm(), jwkSource);
    List<? extends Key> keys = selector.selectJWSKeys(jwt.getHeader(), context);
    for (Key key : keys) {
        JWSVerifierFactory factory = new DefaultJWSVerifierFactory();
        JWSVerifier verifier = factory.createJWSVerifier(jwt.getHeader(), key);
        if (jwt.verify(verifier)) {
            validSignature = true;
            break;
        }
    }
    assertThat(validSignature).isTrue();
}

Example 25 with JWSVerifier

Use of com.nimbusds.jose.JWSVerifier in project Kustvakt by KorAP.

Class OAuth2OpenIdControllerTest, method verifyingIdToken.

import static org.junit.Assert.assertEquals;  // JUnit 4, inferred from the assertion style
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.text.ParseException;
import java.util.Date;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

// Verifies an ID token with the server's own RSA key, looked up by its configured kid,
// then checks the OpenID Connect claims: aud, sub, iss, exp, auth_time and nonce.
private void verifyingIdToken(String id_token, String username, String client_id, String nonce)
        throws ParseException, InvalidKeySpecException, NoSuchAlgorithmException, JOSEException {
    JWKSet keySet = config.getPublicKeySet();
    RSAKey publicKey = (RSAKey) keySet.getKeyByKeyId(config.getRsaKeyId());
    SignedJWT signedJWT = SignedJWT.parse(id_token);
    JWSVerifier verifier = new RSASSAVerifier(publicKey);
    assertTrue(signedJWT.verify(verifier));
    // Claims are only read after the signature has been verified
    JWTClaimsSet claimsSet = signedJWT.getJWTClaimsSet();
    assertEquals(client_id, claimsSet.getAudience().get(0));
    assertEquals(username, claimsSet.getSubject());
    assertEquals(config.getIssuerURI().toString(), claimsSet.getIssuer());
    assertTrue(new Date().before(claimsSet.getExpirationTime()));
    assertNotNull(claimsSet.getClaim(Attributes.AUTHENTICATION_TIME));
    assertEquals(nonce, claimsSet.getClaim("nonce"));
}
