
Example 1 with ECKeyGenerator

Use of com.nimbusds.jose.jwk.gen.ECKeyGenerator in project gravitee-access-management by gravitee-io.

The class JWEEllipticCurveTest, method encryptIdToken.

@Test
public void encryptIdToken() {
    try {
        // prepare encryption private & public key: the generated Nimbus ECKey holds the
        // private scalar, while the Gravitee ECKey model below carries only the public point (x, y)
        com.nimbusds.jose.jwk.ECKey jwk = new ECKeyGenerator(this.crv).generate();
        ECKey key = new ECKey();
        key.setKid("ecEnc");
        key.setUse("enc");
        key.setCrv(jwk.getCurve().getName());
        key.setX(jwk.getX().toString());
        key.setY(jwk.getY().toString());
        // client registered with the key-management alg and content-encryption enc under test
        Client client = new Client();
        client.setIdTokenEncryptedResponseAlg(alg);
        client.setIdTokenEncryptedResponseEnc(enc);
        // the JWK service is mocked so that any key lookup for this client yields the public key above
        when(jwkService.getKeys(client)).thenReturn(Maybe.just(new JWKSet()));
        when(jwkService.filter(any(), any())).thenReturn(Maybe.just(key));
        TestObserver testObserver = jweService.encryptIdToken("JWT", client).test();
        testObserver.assertNoErrors();
        testObserver.assertComplete();
        // round trip: the emitted compact JWE must decrypt with the private key and yield the original payload
        testObserver.assertValue(jweString -> {
            JWEObject jwe = JWEObject.parse((String) jweString);
            jwe.decrypt(new ECDHDecrypter(jwk));
            return "JWT".equals(jwe.getPayload().toString());
        });
    } catch (JOSEException e) {
        fail(e.getMessage());
    }
}
Also used : ECDHDecrypter(com.nimbusds.jose.crypto.ECDHDecrypter) JWEObject(com.nimbusds.jose.JWEObject) JWKSet(io.gravitee.am.model.oidc.JWKSet) ECKeyGenerator(com.nimbusds.jose.jwk.gen.ECKeyGenerator) ECKey(io.gravitee.am.model.jose.ECKey) Client(io.gravitee.am.model.oidc.Client) JOSEException(com.nimbusds.jose.JOSEException) TestObserver(io.reactivex.observers.TestObserver) Test(org.junit.Test)

Example 2 with ECKeyGenerator

Use of com.nimbusds.jose.jwk.gen.ECKeyGenerator in project gravitee-access-management by gravitee-io.

The class JWEEllipticCurveTest, method encryptUserinfo.

@Test
public void encryptUserinfo() {
    try {
        // prepare encryption private & public key: same split as in encryptIdToken, the
        // Nimbus key keeps the private scalar and only the public point is handed to the service
        com.nimbusds.jose.jwk.ECKey jwk = new ECKeyGenerator(this.crv).generate();
        ECKey key = new ECKey();
        key.setKid("ecEnc");
        key.setUse("enc");
        key.setCrv(jwk.getCurve().getName());
        key.setX(jwk.getX().toString());
        key.setY(jwk.getY().toString());
        // the userinfo response uses its own alg/enc client settings, distinct from the ID token ones
        Client client = new Client();
        client.setUserinfoEncryptedResponseAlg(alg);
        client.setUserinfoEncryptedResponseEnc(enc);
        when(jwkService.getKeys(client)).thenReturn(Maybe.just(new JWKSet()));
        when(jwkService.filter(any(), any())).thenReturn(Maybe.just(key));
        TestObserver testObserver = jweService.encryptUserinfo("JWT", client).test();
        testObserver.assertNoErrors();
        testObserver.assertComplete();
        // round trip: decrypt with the private key and check the payload survived unchanged
        testObserver.assertValue(jweString -> {
            JWEObject jwe = JWEObject.parse((String) jweString);
            jwe.decrypt(new ECDHDecrypter(jwk));
            return "JWT".equals(jwe.getPayload().toString());
        });
    } catch (JOSEException e) {
        fail(e.getMessage());
    }
}
Also used : ECDHDecrypter(com.nimbusds.jose.crypto.ECDHDecrypter) JWEObject(com.nimbusds.jose.JWEObject) JWKSet(io.gravitee.am.model.oidc.JWKSet) ECKeyGenerator(com.nimbusds.jose.jwk.gen.ECKeyGenerator) ECKey(io.gravitee.am.model.jose.ECKey) Client(io.gravitee.am.model.oidc.Client) JOSEException(com.nimbusds.jose.JOSEException) TestObserver(io.reactivex.observers.TestObserver) Test(org.junit.Test)

Example 3 with ECKeyGenerator

Use of com.nimbusds.jose.jwk.gen.ECKeyGenerator in project di-authentication-api by alphagov.

The class TokenHandlerTest, method shouldReturn200ForSuccessfulTokenRequest.

@ParameterizedTest
@MethodSource("validVectorValues")
public void shouldReturn200ForSuccessfulTokenRequest(String vectorValue) throws JOSEException {
    // RSA key pair plays the client's private_key_jwt credential; a fresh P-256 key signs the ID token
    KeyPair keyPair = generateRsaKeyPair();
    UserProfile userProfile = generateUserProfile();
    SignedJWT signedJWT = generateIDToken(CLIENT_ID, PUBLIC_SUBJECT, "issuer-url", new ECKeyGenerator(Curve.P_256).algorithm(JWSAlgorithm.ES256).generate());
    OIDCTokenResponse tokenResponse = new OIDCTokenResponse(new OIDCTokens(signedJWT, accessToken, refreshToken));
    PrivateKeyJWT privateKeyJWT = generatePrivateKeyJWT(keyPair.getPrivate());
    ClientRegistry clientRegistry = generateClientRegistry(keyPair);
    // parameter and client-assertion validation are stubbed to succeed (Optional.empty() means no error)
    when(tokenService.validateTokenRequestParams(anyString())).thenReturn(Optional.empty());
    when(clientService.getClient(eq(CLIENT_ID))).thenReturn(Optional.of(clientRegistry));
    when(tokenService.validatePrivateKeyJWT(anyString(), eq(clientRegistry.getPublicKey()), eq(BASE_URI), eq(CLIENT_ID))).thenReturn(Optional.empty());
    // the authorization code resolves to the session that started the flow
    String authCode = new AuthorizationCode().toString();
    when(authorisationCodeService.getExchangeDataForCode(authCode)).thenReturn(Optional.of(new AuthCodeExchangeData().setEmail(TEST_EMAIL).setClientSessionId(CLIENT_SESSION_ID)));
    AuthenticationRequest authenticationRequest = generateAuthRequest(JsonArrayHelper.jsonArrayOf(vectorValue));
    VectorOfTrust vtr = VectorOfTrust.parseFromAuthRequestAttribute(authenticationRequest.getCustomParameter("vtr"));
    when(clientSessionService.getClientSession(CLIENT_SESSION_ID)).thenReturn(new ClientSession(authenticationRequest.toParameters(), LocalDateTime.now(), vtr));
    when(dynamoService.getUserProfileByEmail(eq(TEST_EMAIL))).thenReturn(userProfile);
    when(tokenService.generateTokenResponse(CLIENT_ID, INTERNAL_SUBJECT, SCOPES, Map.of("nonce", NONCE), PUBLIC_SUBJECT, vtr.retrieveVectorOfTrustForToken(), userProfile.getClientConsent(), clientRegistry.isConsentRequired(), null)).thenReturn(tokenResponse);
    APIGatewayProxyResponseEvent result = generateApiGatewayRequest(privateKeyJWT, authCode);
    // a successful exchange returns 200 with both the refresh and access token in the body
    assertThat(result, hasStatus(200));
    assertTrue(result.getBody().contains(refreshToken.getValue()));
    assertTrue(result.getBody().contains(accessToken.getValue()));
}
Also used : AuthorizationCode(com.nimbusds.oauth2.sdk.AuthorizationCode) KeyPair(java.security.KeyPair) UserProfile(uk.gov.di.authentication.shared.entity.UserProfile) OIDCTokenResponse(com.nimbusds.openid.connect.sdk.OIDCTokenResponse) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) ECKeyGenerator(com.nimbusds.jose.jwk.gen.ECKeyGenerator) VectorOfTrust(uk.gov.di.authentication.shared.entity.VectorOfTrust) SignedJWT(com.nimbusds.jwt.SignedJWT) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) APIGatewayProxyResponseEvent(com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent) AuthCodeExchangeData(uk.gov.di.authentication.shared.entity.AuthCodeExchangeData) OIDCTokens(com.nimbusds.openid.connect.sdk.token.OIDCTokens) ClientSession(uk.gov.di.authentication.shared.entity.ClientSession) ClientRegistry(uk.gov.di.authentication.shared.entity.ClientRegistry) AuthenticationRequest(com.nimbusds.openid.connect.sdk.AuthenticationRequest) ParameterizedTest(org.junit.jupiter.params.ParameterizedTest) MethodSource(org.junit.jupiter.params.provider.MethodSource)

Example 4 with ECKeyGenerator

Use of com.nimbusds.jose.jwk.gen.ECKeyGenerator in project di-authentication-api by alphagov.

The class AccessTokenServiceTest, method createSignedAccessTokenWithIdentityClaims.

private AccessToken createSignedAccessTokenWithIdentityClaims(OIDCClaimsRequest identityClaims) {
    try {
        // short-lived token: expiry three minutes from now, expressed in UTC
        LocalDateTime localDateTime = LocalDateTime.now().plusMinutes(3);
        Date expiryDate = Date.from(localDateTime.atZone(ZoneId.of("UTC")).toInstant());
        // per-test P-256 signing key with a fixed kid so the token header can be matched to it
        ECKey ecSigningKey = new ECKeyGenerator(Curve.P_256).keyID(KEY_ID).algorithm(JWSAlgorithm.ES256).generate();
        ECDSASigner signer = new ECDSASigner(ecSigningKey);
        SignedJWT signedJWT = TokenGeneratorHelper.generateSignedToken(CLIENT_ID, BASE_URL, SCOPES, signer, SUBJECT, ecSigningKey.getKeyID(), expiryDate, identityClaims);
        return new BearerAccessToken(signedJWT.serialize());
    } catch (JOSEException e) {
        throw new RuntimeException(e);
    }
}
Also used : LocalDateTime(java.time.LocalDateTime) ECDSASigner(com.nimbusds.jose.crypto.ECDSASigner) ECKeyGenerator(com.nimbusds.jose.jwk.gen.ECKeyGenerator) ECKey(com.nimbusds.jose.jwk.ECKey) SignedJWT(com.nimbusds.jwt.SignedJWT) BearerAccessToken(com.nimbusds.oauth2.sdk.token.BearerAccessToken) JOSEException(com.nimbusds.jose.JOSEException) Date(java.util.Date)

Example 5 with ECKeyGenerator

Use of com.nimbusds.jose.jwk.gen.ECKeyGenerator in project di-authentication-api by alphagov.

The class UserInfoServiceTest, method createSignedAccessToken.

private AccessToken createSignedAccessToken() throws JOSEException {
    // same signing setup as the AccessTokenServiceTest helper, without expiry or identity claims
    ECKey ecSigningKey = new ECKeyGenerator(Curve.P_256).keyID(KEY_ID).algorithm(JWSAlgorithm.ES256).generate();
    ECDSASigner signer = new ECDSASigner(ecSigningKey);
    SignedJWT signedJWT = TokenGeneratorHelper.generateSignedToken(CLIENT_ID, BASE_URL, SCOPES, signer, SUBJECT, ecSigningKey.getKeyID());
    return new BearerAccessToken(signedJWT.serialize());
}
Also used : ECDSASigner(com.nimbusds.jose.crypto.ECDSASigner) ECKeyGenerator(com.nimbusds.jose.jwk.gen.ECKeyGenerator) ECKey(com.nimbusds.jose.jwk.ECKey) SignedJWT(com.nimbusds.jwt.SignedJWT) BearerAccessToken(com.nimbusds.oauth2.sdk.token.BearerAccessToken)

Aggregations (class, with the number of indexed usages)

ECKeyGenerator (com.nimbusds.jose.jwk.gen.ECKeyGenerator) 28
ECDSASigner (com.nimbusds.jose.crypto.ECDSASigner) 18
SignedJWT (com.nimbusds.jwt.SignedJWT) 17
ECKey (com.nimbusds.jose.jwk.ECKey) 13
SignRequest (com.amazonaws.services.kms.model.SignRequest) 6
SignResult (com.amazonaws.services.kms.model.SignResult) 6
Test (org.junit.jupiter.api.Test) 6
APIGatewayProxyResponseEvent (com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent) 5
JOSEException (com.nimbusds.jose.JOSEException) 5
JWSHeader (com.nimbusds.jose.JWSHeader) 5
BearerAccessToken (com.nimbusds.oauth2.sdk.token.BearerAccessToken) 5
JWEObject (com.nimbusds.jose.JWEObject) 4
JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet) 4
JWSSigner (com.nimbusds.jose.JWSSigner) 3
RSAKeyGenerator (com.nimbusds.jose.jwk.gen.RSAKeyGenerator) 3
AuthorizationCode (com.nimbusds.oauth2.sdk.AuthorizationCode) 3
PrivateKeyJWT (com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) 3
OIDCTokenResponse (com.nimbusds.openid.connect.sdk.OIDCTokenResponse) 3
OIDCTokens (com.nimbusds.openid.connect.sdk.token.OIDCTokens) 3
KeyPair (java.security.KeyPair) 3