use of com.nimbusds.jose.crypto.ECDSAVerifier in project fitpay-android-sdk by fitpay.
the class StringUtils method getDecryptedString.
/**
 * Decrypts a JWE-wrapped string and, when the payload is a signed JWT, verifies the
 * inner signature and returns its {@code data} claim.
 * <p>
 * Flow: parse the JWE; accept it only if it carries no {@code kid} or the {@code kid}
 * names the key registered for {@code type}; decrypt with that type's AES secret; then
 * either return the raw payload or, when the content type is {@code JWT}, verify the
 * inner JWS with an EC public key selected by the {@code iss} claim.
 * <p>
 * Security notes (review): the inner JWT's {@code exp}, {@code nbf} and {@code aud}
 * claims are not checked here; a token whose issuer is not {@code https://fit-pay.com}
 * is verified against the local key pair's own public key rather than the server's;
 * and every failure (parse, decrypt, signature) is logged and collapsed to
 * {@code null}, so callers cannot distinguish a malformed token from a forged one.
 *
 * @param type key type used to select the AES secret and the EC key pair
 * @param encryptedString compact-serialised JWE
 * @return the decrypted payload, the verified {@code data} claim, or {@code null} on any failure
 */
public static String getDecryptedString(@KeysManager.KeyType int type, String encryptedString) {
    KeysManager keys = KeysManager.getInstance();
    try {
        JWEObject jwe = JWEObject.parse(encryptedString);
        String kid = jwe.getHeader().getKeyID();
        // A kid naming a key other than ours cannot be decrypted here; give up quietly.
        if (kid != null && !kid.equals(keys.getKeyId(type))) {
            return null;
        }
        jwe.decrypt(new AESDecrypter(keys.getSecretKey(type)));
        if (!"JWT".equals(jwe.getHeader().getContentType())) {
            return jwe.getPayload().toString();
        }
        SignedJWT signed = jwe.getPayload().toSignedJWT();
        ECCKeyPair pair = keys.getPairForType(type);
        // Server-issued tokens are checked against the server key; anything else
        // against this key pair's own public key (issuer is read unverified here).
        boolean issuedByServer = "https://fit-pay.com".equals(signed.getJWTClaimsSet().getIssuer());
        String verifyingKeyHex = issuedByServer ? pair.getServerPublicKey() : pair.getPublicKey();
        ECPublicKey verifyingKey = (ECPublicKey) keys.getPublicKey("EC", Hex.hexStringToBytes(verifyingKeyHex));
        if (!signed.verify(new ECDSAVerifier(verifyingKey))) {
            throw new IllegalArgumentException("jwt did not pass signature validation");
        }
        return signed.getJWTClaimsSet().getStringClaim("data");
    } catch (Exception e) {
        // Deliberate best-effort: any failure is logged and reported as null.
        FPLog.e(e);
    }
    return null;
}
use of com.nimbusds.jose.crypto.ECDSAVerifier in project Payara by payara.
the class JwtTokenParser method verifyAndParseSignedJWT.
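/**
 * Verifies the previously parsed {@code signedJWT} against {@code publicKey} and turns
 * its claims into a {@link JsonWebTokenImpl}.
 * <p>
 * Order of checks: the {@code alg} header must be RS256 or ES256 (MP-JWT 1.0 6.1 1),
 * the supplied key must belong to that algorithm's family, and the signature must
 * verify (MP-JWT 1.0 6.1 2) before the payload is parsed at all. Only then are the
 * required claims, caller principal, issuer and expiry checked (MP-JWT 1.0 4.1).
 * Parsing claims only after the signature is known good keeps unverified input away
 * from the claim handlers.
 *
 * @param issuer value the {@code iss} claim must match
 * @param publicKey RSA or EC public key expected to have signed the token
 * @return the verified token with its raw claims (plus the raw token string)
 * @throws JWTProcessingException if the algorithm is unsupported, the key type does not
 *         match the algorithm, the signature is invalid, or a claim check fails
 * @throws IllegalStateException if no JWT has been parsed yet
 */
private JsonWebTokenImpl verifyAndParseSignedJWT(String issuer, PublicKey publicKey) throws JWTProcessingException {
    if (signedJWT == null) {
        throw new IllegalStateException("No parsed SignedJWT.");
    }
    JWSAlgorithm signAlgorithmName = signedJWT.getHeader().getAlgorithm();
    // 1.0 4.1 alg + MP-JWT 1.0 6.1 1
    if (!signAlgorithmName.equals(RS256) && !signAlgorithmName.equals(ES256)) {
        throw new JWTProcessingException("Only RS256 or ES256 algorithms supported for JWT signing, used " + signAlgorithmName);
    }
    // MP-JWT 1.0 6.1 2 - signature first, so nothing below operates on unverified claims
    verifySignature(signAlgorithmName, publicKey);
    try (JsonReader reader = Json.createReader(new StringReader(signedJWT.getPayload().toString()))) {
        Map<String, JsonValue> rawClaims = new HashMap<>(reader.readObject());
        // Vendor - Process namespaced claims
        rawClaims = handleNamespacedClaims(rawClaims);
        // MP-JWT 1.0 4.1 Minimum MP-JWT Required Claims
        if (!checkRequiredClaimsPresent(rawClaims)) {
            throw new JWTProcessingException("Not all required claims present");
        }
        // MP-JWT 1.0 4.1 upn - has fallbacks
        String callerPrincipalName = getCallerPrincipalName(rawClaims);
        if (callerPrincipalName == null) {
            throw new JWTProcessingException("One of upn, preferred_username or sub is required to be non null");
        }
        // MP-JWT 1.0 6.1 2
        if (!checkIssuer(rawClaims, issuer)) {
            throw new JWTProcessingException("Bad issuer");
        }
        if (!checkNotExpired(rawClaims)) {
            throw new JWTProcessingException("JWT token expired");
        }
        rawClaims.put(raw_token.name(), createObjectBuilder().add("token", rawToken).build().get("token"));
        return new JsonWebTokenImpl(callerPrincipalName, rawClaims);
    }
}

/**
 * Checks the JWS signature of {@code signedJWT} with a verifier matching {@code alg}.
 * <p>
 * The key's runtime type is checked explicitly: an {@code alg} that does not match the
 * configured key (for example an ES256 header presented to an RSA-configured deployment)
 * must be rejected as a {@link JWTProcessingException}, not escape as an unchecked
 * {@link ClassCastException} from the cast.
 *
 * @param alg RS256 or ES256, already validated by the caller
 * @param publicKey key to verify with; must be an RSA key for RS256, an EC key for ES256
 * @throws JWTProcessingException if the key type does not match, the signature is
 *         invalid, or the JOSE library fails during verification
 */
private void verifySignature(JWSAlgorithm alg, PublicKey publicKey) throws JWTProcessingException {
    try {
        boolean valid;
        if (alg.equals(RS256)) {
            if (!(publicKey instanceof RSAPublicKey)) {
                throw new JWTProcessingException("RS256 requires an RSA public key");
            }
            valid = signedJWT.verify(new RSASSAVerifier((RSAPublicKey) publicKey));
        } else {
            if (!(publicKey instanceof ECPublicKey)) {
                throw new JWTProcessingException("ES256 requires an EC public key");
            }
            valid = signedJWT.verify(new ECDSAVerifier((ECPublicKey) publicKey));
        }
        if (!valid) {
            throw new JWTProcessingException("Signature of the JWT token is invalid");
        }
    } catch (JOSEException ex) {
        throw new JWTProcessingException("Exception during JWT signature validation", ex);
    }
}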
use of com.nimbusds.jose.crypto.ECDSAVerifier in project java-docs-samples by GoogleCloudPlatform.
the class VerifyIapRequestHeader method verifyJwt.
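/**
 * Validates a Cloud IAP JWT: header shape, claims, then the ES256 signature.
 * <p>
 * Claim checks (audience, issuer, iat/exp window, subject, email) throw via Guava
 * preconditions on failure; only the signature step reports failure by returning
 * {@code false}. Absent claims are rejected explicitly with {@code checkNotNull} rather
 * than surfacing as a {@link NullPointerException} from the subsequent comparison.
 *
 * @param jwtToken compact-serialised JWS to validate
 * @param expectedAudience audience value the {@code aud} claim must contain
 * @return {@code true} if every claim check passes and the signature verifies
 * @throws Exception on parse errors, failed claim checks, or key lookup failures
 */
private boolean verifyJwt(String jwtToken, String expectedAudience) throws Exception {
    // parse signed token into header / claims
    SignedJWT signedJwt = SignedJWT.parse(jwtToken);
    JWSHeader jwsHeader = signedJwt.getHeader();
    // header must have algorithm("alg") and "kid"; IAP signs with ES256, so pin it here
    // and refuse "none"/HMAC/other algs before any key lookup happens
    Preconditions.checkNotNull(jwsHeader.getAlgorithm());
    Preconditions.checkNotNull(jwsHeader.getKeyID());
    Preconditions.checkArgument("ES256".equals(jwsHeader.getAlgorithm().getName()), "unexpected alg");
    JWTClaimsSet claims = signedJwt.getJWTClaimsSet();
    // claims must have audience, issuer (missing claims are rejected, not NPE'd on)
    Preconditions.checkNotNull(claims.getAudience());
    Preconditions.checkArgument(claims.getAudience().contains(expectedAudience));
    Preconditions.checkNotNull(claims.getIssuer());
    Preconditions.checkArgument(claims.getIssuer().equals(IAP_ISSUER_URL));
    // claim must have issued at time in the past and expiration time in the future;
    // both must be present (no clock skew allowance is applied)
    Date currentTime = Date.from(Instant.now(clock));
    Preconditions.checkNotNull(claims.getIssueTime());
    Preconditions.checkArgument(claims.getIssueTime().before(currentTime));
    Preconditions.checkNotNull(claims.getExpirationTime());
    Preconditions.checkArgument(claims.getExpirationTime().after(currentTime));
    // must have subject, email
    Preconditions.checkNotNull(claims.getSubject());
    Preconditions.checkNotNull(claims.getClaim("email"));
    // verify using public key : lookup with key id, algorithm name provided
    ECPublicKey publicKey = getKey(jwsHeader.getKeyID(), jwsHeader.getAlgorithm().getName());
    Preconditions.checkNotNull(publicKey);
    JWSVerifier jwsVerifier = new ECDSAVerifier(publicKey);
    return signedJwt.verify(jwsVerifier);
}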
use of com.nimbusds.jose.crypto.ECDSAVerifier in project oxAuth by GluuFederation.
the class JwtCrossCheckTest method validate.
/**
 * Cross-checks one signed JWT with three independent verifiers: Nimbus, the oxAuth
 * crypto provider, and an oxAuth signer built from the same public key. The test
 * passes only if all three accept the signature.
 *
 * @param jwtAsString compact JWS to verify
 * @param cryptoProvider provider whose key store holds the key aliased by {@code kid}
 * @param kid key store alias of the verification key
 * @param signatureAlgorithm algorithm whose family (EC or RSA) selects the key loader
 * @throws Exception on key store or parsing errors; an assertion fails if any verifier rejects the token
 */
private static void validate(String jwtAsString, OxAuthCryptoProvider cryptoProvider, String kid, SignatureAlgorithm signatureAlgorithm) throws Exception {
    final SignedJWT nimbusJwt = SignedJWT.parse(jwtAsString);
    final Jwt oxJwt = Jwt.parse(jwtAsString);
    JWSVerifier nimbusVerifier = null;
    AbstractJwsSigner oxauthVerifier = null;
    switch (signatureAlgorithm.getFamily()) {
        case EC: {
            ECKey ecKey = ECKey.load(cryptoProvider.getKeyStore(), kid, cryptoProvider.getKeyStoreSecret().toCharArray());
            ECPublicKey ecPublic = ecKey.toECPublicKey();
            nimbusVerifier = new ECDSAVerifier(ecKey);
            // NOTE: this branch takes the algorithm from the token header, whereas the
            // RSA branch uses the signatureAlgorithm parameter.
            oxauthVerifier = new ECDSASigner(oxJwt.getHeader().getSignatureAlgorithm(),
                    new ECDSAPublicKey(oxJwt.getHeader().getSignatureAlgorithm(),
                            ecPublic.getW().getAffineX(), ecPublic.getW().getAffineY()));
            break;
        }
        case RSA: {
            RSAKey rsaKey = RSAKey.load(cryptoProvider.getKeyStore(), kid, cryptoProvider.getKeyStoreSecret().toCharArray());
            java.security.interfaces.RSAPublicKey rsaPublic = rsaKey.toRSAPublicKey();
            nimbusVerifier = new RSASSAVerifier(rsaKey);
            oxauthVerifier = new RSASigner(signatureAlgorithm,
                    new RSAPublicKey(rsaPublic.getModulus(), rsaPublic.getPublicExponent()));
            break;
        }
    }
    // Any other family leaves both verifiers null and fails here.
    assertNotNull(nimbusVerifier);
    assertNotNull(oxauthVerifier);
    // Nimbus
    assertTrue(nimbusJwt.verify(nimbusVerifier));
    // oxauth cryptoProvider
    boolean providerAccepted = cryptoProvider.verifySignature(oxJwt.getSigningInput(), oxJwt.getEncodedSignature(), kid, null, null, oxJwt.getHeader().getSignatureAlgorithm());
    assertTrue(providerAccepted);
    // oxauth verifier
    assertTrue(oxauthVerifier.validate(oxJwt));
}