
Example 1 with JWTProcessingException

Use of fish.payara.microprofile.jwtauth.eesecurity.JWTProcessingException in project Payara by payara.

From class JwtTokenParser, method verifyAndParseSignedJWT.

private JsonWebTokenImpl verifyAndParseSignedJWT(String issuer, PublicKey publicKey) throws JWTProcessingException {
    if (signedJWT == null) {
        throw new IllegalStateException("No parsed SignedJWT.");
    }
    JWSAlgorithm signAlgorithmName = signedJWT.getHeader().getAlgorithm();
    // MP-JWT 1.0 4.1 alg + MP-JWT 1.0 6.1 1: only an allow-listed signing algorithm is accepted
    if (!signAlgorithmName.equals(RS256) && !signAlgorithmName.equals(ES256)) {
        throw new JWTProcessingException("Only RS256 or ES256 algorithms supported for JWT signing, used " + signAlgorithmName);
    }
    try (JsonReader reader = Json.createReader(new StringReader(signedJWT.getPayload().toString()))) {
        Map<String, JsonValue> rawClaims = new HashMap<>(reader.readObject());
        // Vendor - Process namespaced claims
        rawClaims = handleNamespacedClaims(rawClaims);
        // MP-JWT 1.0 4.1 Minimum MP-JWT Required Claims
        if (!checkRequiredClaimsPresent(rawClaims)) {
            throw new JWTProcessingException("Not all required claims present");
        }
        // MP-JWT 1.0 4.1 upn - has fallbacks
        String callerPrincipalName = getCallerPrincipalName(rawClaims);
        if (callerPrincipalName == null) {
            throw new JWTProcessingException("One of upn, preferred_username or sub is required to be non null");
        }
        // MP-JWT 1.0 6.1 2
        if (!checkIssuer(rawClaims, issuer)) {
            throw new JWTProcessingException("Bad issuer");
        }
        if (!checkNotExpired(rawClaims)) {
            throw new JWTProcessingException("JWT token expired");
        }
        // MP-JWT 1.0 6.1 2
        try {
            if (signAlgorithmName.equals(RS256)) {
                if (!signedJWT.verify(new RSASSAVerifier((RSAPublicKey) publicKey))) {
                    throw new JWTProcessingException("Signature of the JWT token is invalid");
                }
            } else {
                if (!signedJWT.verify(new ECDSAVerifier((ECPublicKey) publicKey))) {
                    throw new JWTProcessingException("Signature of the JWT token is invalid");
                }
            }
        } catch (JOSEException ex) {
            throw new JWTProcessingException("Exception during JWT signature validation", ex);
        }
        rawClaims.put(raw_token.name(), createObjectBuilder().add("token", rawToken).build().get("token"));
        return new JsonWebTokenImpl(callerPrincipalName, rawClaims);
    }
}
Also used:
  java.util.HashMap
  com.nimbusds.jose.crypto.RSASSAVerifier
  javax.json.JsonValue
  javax.json.JsonString
  com.nimbusds.jose.JWSAlgorithm
  com.nimbusds.jose.crypto.ECDSAVerifier
  fish.payara.microprofile.jwtauth.eesecurity.JWTProcessingException
  java.io.StringReader
  javax.json.JsonReader
  com.nimbusds.jose.JOSEException

Example 2 with JWTProcessingException

Use of fish.payara.microprofile.jwtauth.eesecurity.JWTProcessingException in project Payara by payara.

From class JwtTokenParser, method parse.

public JsonWebTokenImpl parse(String bearerToken, boolean encryptionRequired, JwtPublicKeyStore publicKeyStore, String acceptedIssuer, JwtPrivateKeyStore privateKeyStore) throws JWTProcessingException {
    JsonWebTokenImpl jsonWebToken;
    try {
        rawToken = bearerToken;
        String keyId;
        // not interested in parts above 5
        int parts = rawToken.split("\\.", 5).length;
        if (parts == 3) {
            // signed JWT has 3 parts
            signedJWT = SignedJWT.parse(rawToken);
            if (!checkIsSignedJWT(signedJWT)) {
                throw new JWTProcessingException("Not signed JWT, typ must be 'JWT'");
            }
            keyId = signedJWT.getHeader().getKeyID();
        } else {
            // encrypted JWT has 5 parts
            encryptedJWT = EncryptedJWT.parse(rawToken);
            if (!checkIsEncryptedJWT(encryptedJWT)) {
                throw new JWTProcessingException("Not encrypted JWT, cty must be 'JWT'");
            }
            keyId = encryptedJWT.getHeader().getKeyID();
        }
        PublicKey publicKey = publicKeyStore.getPublicKey(keyId);
        // first, parse the payload of the encrypting envelope, save signedJWT
        if (encryptedJWT == null) {
            if (encryptionRequired) {
                // see JWT Auth 1.2, Requirements for accepting signed and encrypted tokens
                throw new JWTProcessingException("JWT expected to be encrypted, mp.jwt.decrypt.key.location was defined!");
            }
            jsonWebToken = verifyAndParseSignedJWT(acceptedIssuer, publicKey);
        } else {
            jsonWebToken = verifyAndParseEncryptedJWT(acceptedIssuer, publicKey, privateKeyStore.getPrivateKey(keyId));
        }
    } catch (JWTProcessingException | ParseException ex) {
        throw new JWTProcessingException(ex);
    }
    return jsonWebToken;
}
Also used:
  fish.payara.microprofile.jwtauth.eesecurity.JWTProcessingException
  java.security.interfaces.RSAPublicKey
  java.security.PublicKey
  java.security.interfaces.ECPublicKey
  javax.json.JsonString
  java.text.ParseException

Example 3 with JWTProcessingException

Use of fish.payara.microprofile.jwtauth.eesecurity.JWTProcessingException in project Payara by payara.

From class JwtTokenParser, method verifyAndParseEncryptedJWT.

private JsonWebTokenImpl verifyAndParseEncryptedJWT(String issuer, PublicKey publicKey, PrivateKey privateKey) throws JWTProcessingException {
    if (encryptedJWT == null) {
        throw new IllegalStateException("EncryptedJWT not parsed");
    }
    String algName = encryptedJWT.getHeader().getAlgorithm().getName();
    if (!RSA_OAEP.getName().equals(algName)) {
        throw new JWTProcessingException("Only RSA-OAEP algorithm is supported for JWT encryption, used " + algName);
    }
    try {
        encryptedJWT.decrypt(new RSADecrypter(privateKey));
    } catch (JOSEException ex) {
        throw new JWTProcessingException("Exception during decrypting JWT token", ex);
    }
    signedJWT = encryptedJWT.getPayload().toSignedJWT();
    if (signedJWT == null) {
        throw new JWTProcessingException("Unable to parse signed JWT.");
    }
    return verifyAndParseSignedJWT(issuer, publicKey);
}
Also used:
  fish.payara.microprofile.jwtauth.eesecurity.JWTProcessingException
  javax.json.JsonString
  com.nimbusds.jose.JOSEException
  com.nimbusds.jose.crypto.RSADecrypter

Aggregations

Class (fully qualified name) and number of examples above that use it:
  JWTProcessingException (fish.payara.microprofile.jwtauth.eesecurity.JWTProcessingException): 3
  JsonString (javax.json.JsonString): 3
  JOSEException (com.nimbusds.jose.JOSEException): 2
  JWSAlgorithm (com.nimbusds.jose.JWSAlgorithm): 1
  ECDSAVerifier (com.nimbusds.jose.crypto.ECDSAVerifier): 1
  RSADecrypter (com.nimbusds.jose.crypto.RSADecrypter): 1
  RSASSAVerifier (com.nimbusds.jose.crypto.RSASSAVerifier): 1
  StringReader (java.io.StringReader): 1
  PublicKey (java.security.PublicKey): 1
  ECPublicKey (java.security.interfaces.ECPublicKey): 1
  RSAPublicKey (java.security.interfaces.RSAPublicKey): 1
  ParseException (java.text.ParseException): 1
  HashMap (java.util.HashMap): 1
  JsonReader (javax.json.JsonReader): 1
  JsonValue (javax.json.JsonValue): 1