use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.
the class AccessTokenTest method testAccessTokenWithMismatchX509Cert.
/**
 * Checks that a signed access token is refused when it is validated together with
 * an X.509 certificate that fails the token's certificate confirmation.
 *
 * <p>The token is signed under key id {@code eckey1} and a public key is registered
 * with the resolver under the same id, so the rejection asserted here is identified
 * by its message rather than by a signature failure. A certificate-bound token that
 * validated against an unrelated certificate would make the binding useless as a
 * defence against replay of a captured token.
 *
 * @throws IOException if the certificate fixture cannot be read
 */
@Test
public void testAccessTokenWithMismatchX509Cert() throws IOException {
    // Token contents (including any certificate confirmation) come from
    // createAccessToken, which is defined elsewhere in this class.
    AccessToken token = createAccessToken(System.currentTimeMillis() / 1000);

    // Sign the token with the EC test key.
    String signedJws = token.getSignedToken(
            Crypto.loadPrivateKey(ecPrivateKey), "eckey1", SignatureAlgorithm.ES256);
    assertNotNull(signedJws);

    // Resolver that knows only the public key registered under the signing key id.
    JwtsSigningKeyResolver keyResolver = new JwtsSigningKeyResolver(null, null);
    keyResolver.addPublicKey("eckey1", Crypto.loadPublicKey(ecPublicKey));

    // Present a certificate that is presumably not the one the token is bound to
    // (the bound certificate is chosen inside createAccessToken - confirm there).
    // The file is decoded with the JVM default charset, as in the rest of the class.
    byte[] pemBytes = Files.readAllBytes(Paths.get("src/test/resources/rsa_public_x509.cert"));
    X509Certificate presentedCert = Crypto.loadX509Certificate(new String(pemBytes));

    CryptoException rejection = null;
    try {
        new AccessToken(signedJws, keyResolver, presentedCert);
    } catch (CryptoException ex) {
        rejection = ex;
    }
    if (rejection == null) {
        // Validation succeeded with a mismatched certificate: the binding was not enforced.
        fail();
    }
    assertTrue(rejection.getMessage().contains("X.509 Certificate Confirmation failure"));
}
use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.
the class AccessTokenTest method testAccessTokenSignedTokenConfigFileNoKeys.
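/**
 * Checks that token validation fails when the resolver is built from the Athenz
 * configuration file at {@code confPath} and no public key has been added for the
 * key id the token was signed with ({@code eckey99}).
 *
 * <p>The configuration path is passed to the resolver through the
 * {@link JwtsSigningKeyResolver#ZTS_PROP_ATHENZ_CONF} system property. Because that
 * property is JVM-wide, it is restored in a {@code finally} block so that a failing
 * assertion or a throwing resolver constructor cannot leave it pointing at this
 * test's file for the tests that run afterwards.
 *
 * @param confPath path of the configuration file the resolver should read
 */
void testAccessTokenSignedTokenConfigFileNoKeys(final String confPath) {
    long now = System.currentTimeMillis() / 1000;
    AccessToken accessToken = createAccessToken(now);

    // Sign with a key id that is never registered with the resolver below.
    PrivateKey privateKey = Crypto.loadPrivateKey(ecPrivateKey);
    String accessJws = accessToken.getSignedToken(privateKey, "eckey99", SignatureAlgorithm.ES256);
    assertNotNull(accessJws);

    final String oldConf = System.setProperty(JwtsSigningKeyResolver.ZTS_PROP_ATHENZ_CONF, confPath);
    try {
        JwtsSigningKeyResolver resolver = new JwtsSigningKeyResolver(null, null);
        try {
            new AccessToken(accessJws, resolver);
            // Reaching this line means a token signed by an unknown key was accepted.
            fail();
        } catch (Exception ignored) {
            // Expected: the token must not validate without a matching public key.
            // NOTE(review): any Exception satisfies this test, so it does not show
            // that the failure is a key-lookup/signature failure - consider asserting
            // the concrete exception type once it is confirmed.
        }
    } finally {
        // resetConfProperty is defined elsewhere in this class; presumably it puts
        // the previous value back (or clears the property when there was none).
        resetConfProperty(oldConf);
    }
}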
use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.
the class AccessTokenTest method testConfirmX509CertMismatchProxyPrincipal.
/**
 * Checks that a token listing {@code spiffe://athenz/sports/service1} as its only
 * confirmed proxy principal SPIFFE URI is refused when validated together with the
 * {@code x509_altnames_singleuri.cert} fixture.
 *
 * <p>Per the test name, the certificate is expected not to match the listed proxy
 * principal; the certificate's contents are not visible here.
 *
 * @throws IOException if the certificate fixture cannot be read
 */
@Test
public void testConfirmX509CertMismatchProxyPrincipal() throws IOException {
    AccessToken token = createAccessToken(System.currentTimeMillis() / 1000);
    token.setConfirmProxyPrincipalSpiffeUris(
            Collections.singletonList("spiffe://athenz/sports/service1"));

    // Sign the token with the EC test key.
    String signedJws = token.getSignedToken(
            Crypto.loadPrivateKey(ecPrivateKey), "eckey1", SignatureAlgorithm.ES256);
    assertNotNull(signedJws);

    // Resolver that knows the public key registered under the signing key id.
    JwtsSigningKeyResolver keyResolver = new JwtsSigningKeyResolver(null, null);
    keyResolver.addPublicKey("eckey1", Crypto.loadPublicKey(ecPublicKey));

    byte[] pemBytes = Files.readAllBytes(
            Paths.get("src/test/resources/x509_altnames_singleuri.cert"));
    X509Certificate presentedCert = Crypto.loadX509Certificate(new String(pemBytes));

    CryptoException rejection = null;
    try {
        new AccessToken(signedJws, keyResolver, presentedCert);
    } catch (CryptoException ex) {
        rejection = ex;
    }
    if (rejection == null) {
        // The token validated although the proxy principal should not match.
        fail();
    }
    // NOTE(review): this substring is broad - it also matches an
    // "X.509 Certificate Confirmation failure" message, so the assertion alone does
    // not show which confirmation step rejected the token.
    assertTrue(rejection.getMessage().contains("Confirmation failure"));
}
use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.
the class AccessTokenTest method testConfirmX509CertInvalidEmptyProxyPrincipal.
/**
 * Checks that a token whose confirmed proxy principal SPIFFE URI list is empty is
 * refused when validated together with the {@code x509_altnames_singleuri.cert}
 * fixture.
 *
 * <p>The expectation is that an empty list is not treated as "any proxy allowed":
 * validation must end in a {@link CryptoException}.
 *
 * @throws IOException if the certificate fixture cannot be read
 */
@Test
public void testConfirmX509CertInvalidEmptyProxyPrincipal() throws IOException {
    AccessToken token = createAccessToken(System.currentTimeMillis() / 1000);
    token.setConfirmProxyPrincipalSpiffeUris(Collections.emptyList());

    // Sign the token with the EC test key.
    String signedJws = token.getSignedToken(
            Crypto.loadPrivateKey(ecPrivateKey), "eckey1", SignatureAlgorithm.ES256);
    assertNotNull(signedJws);

    // Resolver that knows the public key registered under the signing key id.
    JwtsSigningKeyResolver keyResolver = new JwtsSigningKeyResolver(null, null);
    keyResolver.addPublicKey("eckey1", Crypto.loadPublicKey(ecPublicKey));

    byte[] pemBytes = Files.readAllBytes(
            Paths.get("src/test/resources/x509_altnames_singleuri.cert"));
    X509Certificate presentedCert = Crypto.loadX509Certificate(new String(pemBytes));

    CryptoException rejection = null;
    try {
        new AccessToken(signedJws, keyResolver, presentedCert);
    } catch (CryptoException ex) {
        rejection = ex;
    }
    if (rejection == null) {
        // An empty proxy principal list must not let the token through.
        fail();
    }
    // NOTE(review): this substring is broad - it also matches an
    // "X.509 Certificate Confirmation failure" message, so the assertion alone does
    // not show which confirmation step rejected the token.
    assertTrue(rejection.getMessage().contains("Confirmation failure"));
}
use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.
the class AccessTokenTest method testConfirmX509CertInvalidProxyPrincipalDetails.
/**
 * Checks that a token is refused when its {@code proxy-principals#spiffe}
 * confirmation entry is written directly as a single string, and the token is then
 * validated together with the {@code x509_altnames_singleuri.cert} fixture.
 *
 * <p>Unlike the sibling tests, the entry is set through {@code setConfirmEntry}
 * rather than {@code setConfirmProxyPrincipalSpiffeUris}; presumably the validator
 * expects a list there and must fail closed on a malformed value - confirm against
 * {@code AccessToken}.
 *
 * @throws IOException if the certificate fixture cannot be read
 */
@Test
public void testConfirmX509CertInvalidProxyPrincipalDetails() throws IOException {
    AccessToken token = createAccessToken(System.currentTimeMillis() / 1000);
    token.setConfirmEntry("proxy-principals#spiffe", "spiffe://athenz/sports/service1");

    // Sign the token with the EC test key.
    String signedJws = token.getSignedToken(
            Crypto.loadPrivateKey(ecPrivateKey), "eckey1", SignatureAlgorithm.ES256);
    assertNotNull(signedJws);

    // Resolver that knows the public key registered under the signing key id.
    JwtsSigningKeyResolver keyResolver = new JwtsSigningKeyResolver(null, null);
    keyResolver.addPublicKey("eckey1", Crypto.loadPublicKey(ecPublicKey));

    byte[] pemBytes = Files.readAllBytes(
            Paths.get("src/test/resources/x509_altnames_singleuri.cert"));
    X509Certificate presentedCert = Crypto.loadX509Certificate(new String(pemBytes));

    CryptoException rejection = null;
    try {
        new AccessToken(signedJws, keyResolver, presentedCert);
    } catch (CryptoException ex) {
        rejection = ex;
    }
    if (rejection == null) {
        // A malformed proxy principal entry must not let the token through.
        fail();
    }
    // NOTE(review): this substring is broad - it also matches an
    // "X.509 Certificate Confirmation failure" message, so the assertion alone does
    // not show which confirmation step rejected the token.
    assertTrue(rejection.getMessage().contains("Confirmation failure"));
}