
Example 1 with KeySourceException

Use of com.nimbusds.jose.KeySourceException in project spring-security by spring-projects.

Class JwtDecoderProviderConfigurationUtils, method getJWSAlgorithms:

// Derives the set of JWS algorithms a resource server should accept from the keys
// published in a JWK set. Only public signature keys of type RSA or EC are
// considered; a key without an "alg" member contributes its whole algorithm family.
static <C extends SecurityContext> Set<JWSAlgorithm> getJWSAlgorithms(JWKSource<C> jwkSource) {
    JWKMatcher jwkMatcher = new JWKMatcher.Builder()
            .publicOnly(true)
            .keyUses(KeyUse.SIGNATURE, null)   // "use":"sig" or no "use" member at all
            .keyTypes(KeyType.RSA, KeyType.EC)
            .build();
    Set<JWSAlgorithm> jwsAlgorithms = new HashSet<>();
    try {
        // Second argument is the optional SecurityContext; none is needed here.
        List<? extends JWK> jwks = jwkSource.get(new JWKSelector(jwkMatcher), null);
        for (JWK jwk : jwks) {
            if (jwk.getAlgorithm() != null) {
                // The key names its algorithm explicitly: accept exactly that one.
                JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(jwk.getAlgorithm().getName());
                jwsAlgorithms.add(jwsAlgorithm);
            } else {
                // No "alg": accept every algorithm of the key's family (RS*/PS* or ES*).
                if (jwk.getKeyType() == KeyType.RSA) {
                    jwsAlgorithms.addAll(JWSAlgorithm.Family.RSA);
                } else if (jwk.getKeyType() == KeyType.EC) {
                    jwsAlgorithms.addAll(JWSAlgorithm.Family.EC);
                }
            }
        }
    } catch (KeySourceException ex) {
        // The JWK set could not be retrieved or parsed: fail configuration outright
        // instead of continuing with an empty or partial algorithm list.
        throw new IllegalStateException(ex);
    }
    Assert.notEmpty(jwsAlgorithms, "Failed to find any algorithms from the JWK set");
    return jwsAlgorithms;
}
Also used: JWKSelector (com.nimbusds.jose.jwk.JWKSelector), UriComponentsBuilder (org.springframework.web.util.UriComponentsBuilder), JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm), KeySourceException (com.nimbusds.jose.KeySourceException), JWKMatcher (com.nimbusds.jose.jwk.JWKMatcher), HashSet (java.util.HashSet), JWK (com.nimbusds.jose.jwk.JWK)

Example 2 with KeySourceException

Use of com.nimbusds.jose.KeySourceException in project spring-security by spring-projects.

Class NimbusJwtEncoderTests, method encodeWhenJwkSelectFailedThenThrowJwtEncodingException:

@Test
public void encodeWhenJwkSelectFailedThenThrowJwtEncodingException() throws Exception {
    // A JWKSource whose key lookup always fails with a KeySourceException.
    this.jwkSource = mock(JWKSource.class);
    this.jwtEncoder = new NimbusJwtEncoder(this.jwkSource);
    given(this.jwkSource.get(any(), any())).willThrow(new KeySourceException("key source error"));
    JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256).build();
    JwtClaimsSet jwtClaimsSet = TestJwtClaimsSets.jwtClaimsSet().build();
    // The encoder must wrap the key-source failure in a JwtEncodingException
    // and keep the underlying message for diagnostics.
    assertThatExceptionOfType(JwtEncodingException.class)
            .isThrownBy(() -> this.jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, jwtClaimsSet)))
            .withMessageContaining("Failed to select a JWK signing key -> key source error");
}
Also used: JWKSource (com.nimbusds.jose.jwk.source.JWKSource), KeySourceException (com.nimbusds.jose.KeySourceException), Test (org.junit.jupiter.api.Test)

Example 3 with KeySourceException

Use of com.nimbusds.jose.KeySourceException in project dhis2-core by dhis2.

Class JwtUtils, method selectJwk:

// Selects the signing key for the requested JWS algorithm from the configured JWKSource.
private JWK selectJwk(JoseHeader headers) {
    JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(headers.getJwsAlgorithm().getName());
    JWSHeader jwsHeader = new JWSHeader(jwsAlgorithm);
    // Matcher derived from the header: key type, use and algorithm must fit the JWS algorithm.
    JWKSelector jwkSelector = new JWKSelector(JWKMatcher.forJWSHeader(jwsHeader));
    List<JWK> jwks;
    try {
        jwks = this.jwkSource.get(jwkSelector, null);
    } catch (KeySourceException ex) {
        throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE,
                "Failed to select a JWK signing key -> " + ex.getMessage()), ex);
    }
    // Refuse to guess when more than one key matches.
    if (jwks.size() > 1) {
        throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE,
                "Found multiple JWK signing keys for algorithm '" + jwsAlgorithm.getName() + "'"));
    }
    // Returns null when no key matches; the caller is responsible for rejecting that case.
    return !jwks.isEmpty() ? jwks.get(0) : null;
}
Also used: JWKSelector (com.nimbusds.jose.jwk.JWKSelector), JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm), JWSHeader (com.nimbusds.jose.JWSHeader), KeySourceException (com.nimbusds.jose.KeySourceException), JWK (com.nimbusds.jose.jwk.JWK)

Example 4 with KeySourceException

Use of com.nimbusds.jose.KeySourceException in project midpoint by Evolveum.

Class OidcResourceServerModuleWebSecurityConfiguration, method buildInternal:

private static OidcResourceServerModuleWebSecurityConfiguration buildInternal(OidcAuthenticationModuleType modelType, String prefixOfSequence) {
    OidcResourceServerModuleWebSecurityConfiguration configuration = new OidcResourceServerModuleWebSecurityConfiguration();
    build(configuration, modelType, prefixOfSequence);
    OidcResourceServerAuthenticationModuleType resourceServer = modelType.getResourceServer();
    // Four mutually exclusive sources of verification key material, checked in this
    // order: a locally configured public key, a shared secret, a remote JWK set,
    // and finally OIDC issuer discovery.
    if (resourceServer.getTrustingAsymmetricCertificate() != null || resourceServer.getKeyStoreTrustingAsymmetricKey() != null) {
        NimbusJwtDecoder.PublicKeyJwtDecoderBuilder builder;
        if (resourceServer.getKeyStoreTrustingAsymmetricKey() != null) {
            builder = initializePublicKeyDecoderFromKeyStore(resourceServer.getKeyStoreTrustingAsymmetricKey());
        } else {
            builder = initializePublicKeyDecoderFromCertificate(resourceServer.getTrustingAsymmetricCertificate());
        }
        if (resourceServer.getTrustedAlgorithm() != null) {
            // Pin the decoder to the configured signature algorithm.
            builder.signatureAlgorithm(SignatureAlgorithm.from(resourceServer.getTrustedAlgorithm()));
        }
        configuration.decoder = builder.build();
    } else if (resourceServer.getSingleSymmetricKey() != null) {
        try {
            byte[] key;
            // The secret is stored encrypted; decrypt it once and reuse the clear value.
            String clearValue = protector.decryptString(resourceServer.getSingleSymmetricKey());
            if (Base64.isBase64(clearValue)) {
                // Accept both the standard and the URL-safe Base64 alphabet.
                boolean isBase64Url = clearValue.contains("-") || clearValue.contains("_");
                key = Base64Utility.decode(clearValue, isBase64Url);
            } else {
                // Raw string secret, encoded with the platform default charset.
                key = clearValue.getBytes();
            }
            // HS256 unless an algorithm is configured explicitly.
            String algorithm = MacAlgorithm.HS256.getName();
            if (resourceServer.getTrustedAlgorithm() != null) {
                algorithm = resourceServer.getTrustedAlgorithm();
            }
            NimbusJwtDecoder.SecretKeyJwtDecoderBuilder builder = NimbusJwtDecoder.withSecretKey(new SecretKeySpec(key, algorithm));
            builder.macAlgorithm(MacAlgorithm.from(algorithm));
            configuration.decoder = builder.build();
        } catch (EncryptionException e) {
            throw new OAuth2AuthenticationException(new OAuth2Error("missing_key"), "Unable get single symmetric key", e);
        } catch (Base64Exception e) {
            // Only logged: configuration.decoder stays null when the secret cannot be decoded.
            e.printStackTrace();
        }
    } else if (resourceServer.getJwkSetUri() != null) {
        if (resourceServer.getTrustedAlgorithm() != null) {
            configuration.decoder = NimbusJwtDecoder.withJwkSetUri(resourceServer.getJwkSetUri())
                    .jwsAlgorithm(SignatureAlgorithm.from(resourceServer.getTrustedAlgorithm()))
                    .build();
        } else {
            try {
                // No algorithm pinned: let the keys in the remote JWK set determine
                // which JWS algorithm families are acceptable.
                JWSKeySelector<SecurityContext> jwsKeySelector = JWSAlgorithmFamilyJWSKeySelector.fromJWKSetURL(new URL(resourceServer.getJwkSetUri()));
                DefaultJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
                jwtProcessor.setJWSKeySelector(jwsKeySelector);
                configuration.decoder = new NimbusJwtDecoder(jwtProcessor);
            } catch (KeySourceException | MalformedURLException e) {
                // fromJWKSetURL fetches the JWK set eagerly; a fetch or URL failure is
                // only logged here and leaves configuration.decoder null.
                e.printStackTrace();
            }
        }
    } else if (resourceServer.getIssuerUri() != null) {
        // OIDC discovery: resolves the provider metadata and its JWK set location.
        configuration.decoder = JwtDecoders.fromIssuerLocation(resourceServer.getIssuerUri());
    }
    return configuration;
}
Also used: MalformedURLException (java.net.MalformedURLException), NimbusJwtDecoder (org.springframework.security.oauth2.jwt.NimbusJwtDecoder), URL (java.net.URL), DefaultJWTProcessor (com.nimbusds.jwt.proc.DefaultJWTProcessor), SecretKeySpec (javax.crypto.spec.SecretKeySpec), Base64Exception (org.apache.cxf.common.util.Base64Exception), EncryptionException (com.evolveum.midpoint.prism.crypto.EncryptionException), SecurityContext (com.nimbusds.jose.proc.SecurityContext), KeySourceException (com.nimbusds.jose.KeySourceException)
