
Example 1 with JWKSelector

Use of com.nimbusds.jose.jwk.JWKSelector in the spring-security project by spring-projects, class JwtDecoderProviderConfigurationUtils, method getJWSAlgorithms.

// Imports used: com.nimbusds.jose.JWSAlgorithm, com.nimbusds.jose.KeySourceException,
// com.nimbusds.jose.jwk.JWK, com.nimbusds.jose.jwk.JWKMatcher, com.nimbusds.jose.jwk.JWKSelector,
// com.nimbusds.jose.jwk.KeyType, com.nimbusds.jose.jwk.KeyUse, com.nimbusds.jose.jwk.source.JWKSource,
// com.nimbusds.jose.proc.SecurityContext, java.util.HashSet, java.util.List, java.util.Set,
// org.springframework.util.Assert
static <C extends SecurityContext> Set<JWSAlgorithm> getJWSAlgorithms(JWKSource<C> jwkSource) {
    // Only public RSA/EC keys whose "use" is "sig" (or not set at all) are candidates for verification.
    JWKMatcher jwkMatcher = new JWKMatcher.Builder()
            .publicOnly(true)
            .keyUses(KeyUse.SIGNATURE, null)
            .keyTypes(KeyType.RSA, KeyType.EC)
            .build();
    Set<JWSAlgorithm> jwsAlgorithms = new HashSet<>();
    try {
        List<? extends JWK> jwks = jwkSource.get(new JWKSelector(jwkMatcher), null);
        for (JWK jwk : jwks) {
            if (jwk.getAlgorithm() != null) {
                // The key declares an "alg": only that algorithm is enabled for it.
                JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(jwk.getAlgorithm().getName());
                jwsAlgorithms.add(jwsAlgorithm);
            } else {
                // No "alg" on the key: enable the whole signature family for its key type.
                if (jwk.getKeyType() == KeyType.RSA) {
                    jwsAlgorithms.addAll(JWSAlgorithm.Family.RSA);
                } else if (jwk.getKeyType() == KeyType.EC) {
                    jwsAlgorithms.addAll(JWSAlgorithm.Family.EC);
                }
            }
        }
    } catch (KeySourceException ex) {
        throw new IllegalStateException(ex);
    }
    // A JWK set that yields no usable algorithm is a configuration error, not a silent no-op.
    Assert.notEmpty(jwsAlgorithms, "Failed to find any algorithms from the JWK set");
    return jwsAlgorithms;
}

Example 2 with JWKSelector

Use of com.nimbusds.jose.jwk.JWKSelector in the spring-security project by spring-projects, class NimbusJwtEncoder, method selectJwk.

// Imports used: com.nimbusds.jose.jwk.JWK, com.nimbusds.jose.jwk.JWKSelector, java.util.List
private JWK selectJwk(JwsHeader headers) {
    List<JWK> jwks;
    try {
        // The matcher is built from the JWS header by createJwkMatcher (not shown here).
        JWKSelector jwkSelector = new JWKSelector(createJwkMatcher(headers));
        jwks = this.jwkSource.get(jwkSelector, null);
    } catch (Exception ex) {
        throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE,
                "Failed to select a JWK signing key -> " + ex.getMessage()), ex);
    }
    // An ambiguous match is an error: the encoder never silently picks one of several keys.
    if (jwks.size() > 1) {
        throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE,
                "Found multiple JWK signing keys for algorithm '" + headers.getAlgorithm().getName() + "'"));
    }
    // No match is also an error rather than a null result.
    if (jwks.isEmpty()) {
        throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE,
                "Failed to select a JWK signing key"));
    }
    return jwks.get(0);
}

Example 3 with JWKSelector

Use of com.nimbusds.jose.jwk.JWKSelector in the spring-security project by spring-projects, class NimbusJwtEncoderTests, method encodeWhenKeysRotatedThenNewKeyUsed.

// Imports used: com.nimbusds.jose.jwk.JWK, com.nimbusds.jose.jwk.JWKSelector, com.nimbusds.jose.jwk.RSAKey,
// com.nimbusds.jose.proc.SecurityContext, java.util.List, org.junit.jupiter.api.Test
@Test
public void encodeWhenKeysRotatedThenNewKeyUsed() throws Exception {
    TestJWKSource jwkSource = new TestJWKSource();
    // Wrap the test source in a spy so the JWK list handed to the encoder can be captured.
    JWKSource<SecurityContext> jwkSourceDelegate = spy(new JWKSource<SecurityContext>() {

        @Override
        public List<JWK> get(JWKSelector jwkSelector, SecurityContext context) {
            return jwkSource.get(jwkSelector, context);
        }
    });
    NimbusJwtEncoder jwtEncoder = new NimbusJwtEncoder(jwkSourceDelegate);
    JwkListResultCaptor jwkListResultCaptor = new JwkListResultCaptor();
    willAnswer(jwkListResultCaptor).given(jwkSourceDelegate).get(any(), any());
    JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256).build();
    JwtClaimsSet jwtClaimsSet = TestJwtClaimsSets.jwtClaimsSet().build();
    // First token: signed with whichever key the source currently selects, and verified with its public half.
    Jwt encodedJws = jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, jwtClaimsSet));
    JWK jwk1 = jwkListResultCaptor.getResult().get(0);
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withPublicKey(((RSAKey) jwk1).toRSAPublicKey()).build();
    jwtDecoder.decode(encodedJws.getTokenValue());
    // Simulate key rotation
    jwkSource.rotate();
    // Second token: the encoder must pick up the rotated key on the next encode call, not a cached one.
    encodedJws = jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, jwtClaimsSet));
    JWK jwk2 = jwkListResultCaptor.getResult().get(0);
    jwtDecoder = NimbusJwtDecoder.withPublicKey(((RSAKey) jwk2).toRSAPublicKey()).build();
    jwtDecoder.decode(encodedJws.getTokenValue());
    assertThat(jwk1.getKeyID()).isNotEqualTo(jwk2.getKeyID());
}

Example 4 with JWKSelector

Use of com.nimbusds.jose.jwk.JWKSelector in the dhis2-core project by dhis2, class JwtUtils, method jwkSource.

// Imports used: com.nimbusds.jose.jwk.JWKSelector, com.nimbusds.jose.jwk.JWKSet, com.nimbusds.jose.jwk.RSAKey,
// com.nimbusds.jose.jwk.source.JWKSource, com.nimbusds.jose.proc.SecurityContext
public JWKSource<SecurityContext> jwkSource() {
    // A fresh RSA key pair is generated each time this method runs; the returned source
    // then serves only that single key.
    RSAKey rsaKey = Jwks.generateRsa();
    JWKSet jwkSet = new JWKSet(rsaKey);
    // JWKSource is a functional interface: apply the selector's matcher to the in-memory set.
    return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
}

Example 5 with JWKSelector

Use of com.nimbusds.jose.jwk.JWKSelector in the dhis2-core project by dhis2, class JwtUtils, method selectJwk.

// Imports used: com.nimbusds.jose.JWSAlgorithm, com.nimbusds.jose.JWSHeader, com.nimbusds.jose.KeySourceException,
// com.nimbusds.jose.jwk.JWK, com.nimbusds.jose.jwk.JWKMatcher, com.nimbusds.jose.jwk.JWKSelector, java.util.List
private JWK selectJwk(JoseHeader headers) {
    JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(headers.getJwsAlgorithm().getName());
    JWSHeader jwsHeader = new JWSHeader(jwsAlgorithm);
    // Let Nimbus derive the matcher from the header (algorithm and, where present, key identifiers).
    JWKSelector jwkSelector = new JWKSelector(JWKMatcher.forJWSHeader(jwsHeader));
    List<JWK> jwks;
    try {
        jwks = this.jwkSource.get(jwkSelector, null);
    } catch (KeySourceException ex) {
        throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE,
                "Failed to select a JWK signing key -> " + ex.getMessage()), ex);
    }
    // More than one candidate key is rejected as ambiguous.
    if (jwks.size() > 1) {
        throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE,
                "Found multiple JWK signing keys for algorithm '" + jwsAlgorithm.getName() + "'"));
    }
    // No candidate key yields null here; the caller is responsible for treating that as a failure.
    return !jwks.isEmpty() ? jwks.get(0) : null;
}
