Use of com.nimbusds.jose.jwk.RSAKey in project carbon-apimgt by wso2: class JWTValidatorImpl, method validateSignature.
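/**
 * Verifies the signature of {@code signedJWT} against the key selected from the token header
 * and the issuer configuration.
 *
 * <p>Key selection, in order: when the header carries a {@code kid} and the issuer has JWKS
 * enabled with a URL, the key is looked up in the cached {@code jwkSet} (refreshed once on a
 * miss); otherwise the issuer's configured certificate; otherwise the {@code kid} is handed to
 * {@code JWTUtil.verifyTokenSignature} as a certificate alias. Without a {@code kid} the gateway
 * public certificate alias is used.
 *
 * <p>This method fails closed: any error while fetching, parsing or using a key yields
 * {@code false} so the caller rejects the token. It must never report a valid signature because
 * verification could not be performed.
 *
 * @param signedJWT the parsed JWT whose signature is to be checked
 * @return {@code true} only when the signature verifies against the selected key
 * @throws APIManagementException declared for callers; not raised by this implementation
 */
protected boolean validateSignature(SignedJWT signedJWT) throws APIManagementException {
    String certificateAlias = APIConstants.GATEWAY_PUBLIC_CERTIFICATE_ALIAS;
    try {
        String keyID = signedJWT.getHeader().getKeyID();
        if (StringUtils.isNotEmpty(keyID)) {
            if (tokenIssuer.getJwksConfigurationDTO().isEnabled()
                    && StringUtils.isNotEmpty(tokenIssuer.getJwksConfigurationDTO().getUrl())) {
                // Serve from the cached JWKS; an unknown kid triggers one refresh so key rotation
                // at the issuer is picked up without restarting the gateway.
                // NOTE(review): jwkSet is a field assigned without synchronization — confirm the
                // caller's threading model before relying on the cache being consistent.
                if (jwkSet == null) {
                    jwkSet = retrieveJWKSet();
                }
                if (jwkSet.getKeyByKeyId(keyID) == null) {
                    jwkSet = retrieveJWKSet();
                }
                if (jwkSet.getKeyByKeyId(keyID) instanceof RSAKey) {
                    RSAKey keyByKeyId = (RSAKey) jwkSet.getKeyByKeyId(keyID);
                    RSAPublicKey rsaPublicKey = keyByKeyId.toRSAPublicKey();
                    if (rsaPublicKey != null) {
                        return JWTUtil.verifyTokenSignature(signedJWT, rsaPublicKey);
                    }
                    // A null public key falls through to the gateway certificate alias below
                    // (existing behaviour, kept as-is).
                } else {
                    // Still no key for this kid after a refresh, or a non-RSA JWK.
                    if (log.isDebugEnabled()) {
                        log.debug("Key Algorithm not supported");
                    }
                    // return false to produce 401 unauthenticated response
                    return false;
                }
            } else if (tokenIssuer.getCertificate() != null) {
                log.debug("Retrieve certificate from Token issuer and validating");
                // Guard the cast: a non-RSA issuer certificate should be a 401, not an unchecked
                // ClassCastException escaping to the caller.
                if (!(tokenIssuer.getCertificate().getPublicKey() instanceof RSAPublicKey)) {
                    if (log.isDebugEnabled()) {
                        log.debug("Key Algorithm not supported");
                    }
                    return false;
                }
                RSAPublicKey rsaPublicKey = (RSAPublicKey) tokenIssuer.getCertificate().getPublicKey();
                return JWTUtil.verifyTokenSignature(signedJWT, rsaPublicKey);
            } else {
                // No JWKS and no certificate configured: treat the kid as a certificate alias.
                return JWTUtil.verifyTokenSignature(signedJWT, keyID);
            }
        }
        return JWTUtil.verifyTokenSignature(signedJWT, certificateAlias);
    } catch (ParseException | JOSEException | IOException e) {
        log.error("Error while parsing JWT", e);
    }
    // Fail closed: reaching here means a key could not be obtained or used, so the signature was
    // never verified. Returning true here would accept a token with an unverified signature.
    return false;
}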
Use of com.nimbusds.jose.jwk.RSAKey in project SEPA by arces-wot: class AuthorizationManager, method getJWK.
/**
 * Loads the RSA key pair stored under {@code keyAlias} from the managed keystore as a JWK.
 *
 * @param keyAlias the keystore alias of the entry to load
 * @param keyPwd   the password protecting that entry; converted to a {@code char[]} for the
 *                 keystore API (the {@code String} copy stays in memory until collected)
 * @return the RSA JWK built from the keystore entry
 * @throws KeyStoreException propagated from the keystore lookup
 * @throws JOSEException     if the entry cannot be turned into an RSA JWK
 * @see RSAKey
 */
public RSAKey getJWK(String keyAlias, String keyPwd) throws KeyStoreException, JOSEException {
    KeyStore store = sManager.getKeyStore();
    return RSAKey.load(store, keyAlias, keyPwd.toCharArray());
}
Use of com.nimbusds.jose.jwk.RSAKey in project SEPA by arces-wot: class AuthorizationManager, method init.
/**
 * Initialises the token signing and verification machinery from a single RSA keystore entry.
 *
 * <p>Sets the {@code signer}, {@code verifier}, {@code jwkPublicKey} and {@code jwtProcessor}
 * fields. The processor's key selector is pinned to RS256, so tokens presenting any other
 * {@code alg} are rejected by the selector rather than matched against this key.
 *
 * @param keyStore the keystore holding the RSA entry
 * @param keyAlias the alias of the entry
 * @param keyPwd   the password protecting the entry
 * @return always {@code true}; failures surface as exceptions
 * @throws KeyStoreException propagated from the keystore lookup
 * @throws JOSEException     if the entry cannot be loaded as an RSA JWK or its keys extracted
 */
private boolean init(KeyStore keyStore, String keyAlias, String keyPwd) throws KeyStoreException, JOSEException {
    RSAKey jwk = RSAKey.load(keyStore, keyAlias, keyPwd.toCharArray());

    // Extract both halves of the pair before touching any field so a failure leaves the
    // object untouched.
    RSAPrivateKey signingKey = jwk.toRSAPrivateKey();
    RSAPublicKey verificationKey = jwk.toRSAPublicKey();
    signer = new RSASSASigner(signingKey);
    verifier = new RSASSAVerifier(verificationKey);

    // Only the public half is serialised; it is what clients receive at registration.
    jwkPublicKey = new JsonParser().parse(jwk.toPublicJWK().toJSONString());

    // Processor that parses incoming tokens, checks the signature against this key and
    // enforces the validity window ("iat", "nbf", "exp").
    jwtProcessor = new DefaultJWTProcessor<SEPASecurityContext>();
    JWKSource<SEPASecurityContext> keySource =
            new ImmutableJWKSet<SEPASecurityContext>(new JWKSet(jwk));
    JWSKeySelector<SEPASecurityContext> keySelector =
            new JWSVerificationKeySelector<SEPASecurityContext>(JWSAlgorithm.RS256, keySource);
    jwtProcessor.setJWSKeySelector(keySelector);
    return true;
}
Use of com.nimbusds.jose.jwk.RSAKey in project ORCID-Source by ORCID: class OpenIDConnectTest, method checkJWT.
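/**
 * Parses an ID token, asserts the claims the test expects, and verifies its signature against
 * the key published at {@code baseUri + "/oauth/jwks"} under the token's {@code kid}.
 *
 * @param id the compact-serialised JWT
 * @return the parsed JWT, after its signature has been verified
 * @throws ParseException       if the token or the JWKS document cannot be parsed
 * @throws JOSEException        if the verifier cannot be built or run
 * @throws InvalidHashException declared by the signature; not raised directly here
 */
private SignedJWT checkJWT(String id) throws ParseException, JOSEException, InvalidHashException {
    SignedJWT signedJWT = SignedJWT.parse(id);
    Assert.assertEquals("https://orcid.org", signedJWT.getJWTClaimsSet().getIssuer());
    Assert.assertEquals("https://orcid.org/9999-0000-0000-0004", signedJWT.getJWTClaimsSet().getSubject());
    Assert.assertEquals("9999-0000-0000-0004", signedJWT.getJWTClaimsSet().getClaim("id_path"));
    Assert.assertEquals("APP-9999999999999901", signedJWT.getJWTClaimsSet().getAudience().get(0));
    Assert.assertEquals("yesMate", signedJWT.getJWTClaimsSet().getClaim("nonce"));
    Assert.assertEquals("User One Credit name", signedJWT.getJWTClaimsSet().getClaim("name"));
    Assert.assertEquals("One", signedJWT.getJWTClaimsSet().getClaim("family_name"));
    Assert.assertEquals("User", signedJWT.getJWTClaimsSet().getClaim("given_name"));

    // get JWKS — the Jersey client holds connection resources, so release it once the
    // document has been read.
    Client client = Client.create();
    String jwkString;
    try {
        WebResource webResource = client.resource(baseUri + "/oauth/jwks");
        ClientResponse jwksResponse = webResource.accept(MediaType.APPLICATION_JSON).get(ClientResponse.class);
        Assert.assertEquals(200, jwksResponse.getStatus());
        jwkString = jwksResponse.getEntity(String.class);
    } finally {
        client.destroy();
    }

    // check sig — fail with a clear message if the kid is not published rather than an NPE
    // inside the verifier constructor.
    String keyId = signedJWT.getHeader().getKeyID();
    RSAKey jwk = (RSAKey) JWKSet.parse(jwkString).getKeyByKeyId(keyId);
    Assert.assertNotNull("JWKS does not contain an RSA key for kid " + keyId, jwk);
    JWSVerifier verifier = new RSASSAVerifier(jwk);
    Assert.assertTrue(signedJWT.verify(verifier));
    return signedJWT;
}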
Use of com.nimbusds.jose.jwk.RSAKey in project ORCID-Source by ORCID: class OpenIDConnectKeyServiceTest, method testKeyGenAndSigning.
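/**
 * Signs a minimal claims set with the service's configured key and checks that the signature
 * verifies against the public JWK the service publishes under the same {@code kid}.
 *
 * <p>The previously declared {@code HashMap} was never read, so it has been dropped; the claims
 * set is built directly.
 *
 * @throws JOSEException            if signing or verification fails
 * @throws NoSuchAlgorithmException declared by the service API
 * @throws IOException              declared by the service API
 * @throws ParseException           declared by the service API
 * @throws URISyntaxException       declared by the service API
 */
@Test
public void testKeyGenAndSigning() throws JOSEException, NoSuchAlgorithmException, IOException, ParseException, URISyntaxException {
    OpenIDConnectKeyService.OpenIDConnectKeyServiceConfig config = new OpenIDConnectKeyServiceConfig();
    config.keyName = "IntTestKey1";
    config.jsonKey = testKey;
    OpenIDConnectKeyService service = new OpenIDConnectKeyService(config);

    JWTClaimsSet claims = new JWTClaimsSet.Builder().issuer("me").build();
    SignedJWT signed = service.sign(claims);

    // The published JWK set must contain the key the token was signed with.
    String keyId = signed.getHeader().getKeyID();
    RSAKey publicKey = (RSAKey) service.getPublicJWK().getKeyByKeyId(keyId);
    Assert.assertNotNull("published JWK set has no key for kid " + keyId, publicKey);
    JWSVerifier verifier = new RSASSAVerifier(publicKey);
    Assert.assertTrue(signed.verify(verifier));
}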