
Example 1 with PublicKey

use of io.jans.as.model.crypto.PublicKey in project jans by JanssenProject.

Class JwkClient, method getECDSAPublicKey.

/**
 * Fetches the JWK Set at {@code jwkSetUrl} and returns the key with id {@code keyId}
 * as an EC public key.
 *
 * @param jwkSetUrl URL of the JWK Set document to download
 * @param keyId     the {@code kid} of the key to select from the set
 * @param engine    HTTP engine to perform the request with; may be {@code null}, in
 *                  which case no executor is set on the client
 * @return the EC public key, or {@code null} when the request does not return HTTP 200
 *         or the selected key is absent or not an EC key
 */
public static ECDSAPublicKey getECDSAPublicKey(String jwkSetUrl, String keyId, ClientHttpEngine engine) {
    JwkClient client = new JwkClient(jwkSetUrl);
    if (engine != null) {
        client.setExecutor(engine);
    }
    JwkResponse response = client.exec();
    if (response == null || response.getStatus() != 200) {
        return null;
    }
    // getPublicKey returns the generic model type; only an EC key is handed back.
    PublicKey candidate = response.getPublicKey(keyId);
    return candidate instanceof ECDSAPublicKey ? (ECDSAPublicKey) candidate : null;
}

Example 2 with PublicKey

use of io.jans.as.model.crypto.PublicKey in project jans by JanssenProject.

Class JwkResponse, method getPublicKey.

/**
 * Builds the public key model for the JWK in this response with the given {@code kid}.
 *
 * @param keyId the {@code kid} to look up in this response
 * @return an {@link RSAPublicKey} for an RSA key, an {@link ECDSAPublicKey} for an EC
 *         key, or {@code null} when the key is absent or its type is neither
 * @deprecated marked deprecated upstream; the intended replacement is not visible here
 */
@Deprecated
public PublicKey getPublicKey(String keyId) {
    JSONWebKey jwk = getKeyValue(keyId);
    if (jwk == null) {
        return null;
    }
    switch (jwk.getKty()) {
        case RSA:
            return new RSAPublicKey(jwk.getN(), jwk.getE());
        case EC:
            // NOTE(review): assumes the EC entry carries an "alg" member; getAlg() is
            // dereferenced without a null check — confirm against the JWK producer.
            return new ECDSAPublicKey(SignatureAlgorithm.fromString(jwk.getAlg().getParamName()), jwk.getX(), jwk.getY());
        default:
            return null;
    }
}

Example 3 with PublicKey

use of io.jans.as.model.crypto.PublicKey in project jans by JanssenProject.

Class JwkClient, method getRSAPublicKey.

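/**
 * Fetches the JWK Set at {@code jwkSetUri} and returns the key with id {@code keyId}
 * as an RSA public key.
 *
 * @param jwkSetUri URI of the JWK Set document to download
 * @param keyId     the {@code kid} of the key to select from the set
 * @param engine    HTTP engine to perform the request with; may be {@code null}, in
 *                  which case no executor is set on the client (as in getECDSAPublicKey)
 * @return the RSA public key, or {@code null} when the request does not return HTTP 200
 *         or the selected key is absent or not an RSA key
 */
public static RSAPublicKey getRSAPublicKey(String jwkSetUri, String keyId, ClientHttpEngine engine) {
    JwkClient jwkClient = new JwkClient(jwkSetUri);
    // Guard a null engine the same way getECDSAPublicKey does; previously it was
    // passed straight to setExecutor.
    if (engine != null) {
        jwkClient.setExecutor(engine);
    }
    JwkResponse jwkResponse = jwkClient.exec();
    if (jwkResponse == null || jwkResponse.getStatus() != 200) {
        return null;
    }
    // getPublicKey returns the generic model type; only an RSA key is handed back.
    PublicKey pk = jwkResponse.getPublicKey(keyId);
    return pk instanceof RSAPublicKey ? (RSAPublicKey) pk : null;
}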

Example 4 with PublicKey

use of io.jans.as.model.crypto.PublicKey in project jans by JanssenProject.

Class JwtUtil, method validateSignature.

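/**
 * Verifies the signature of {@code jwt} against the matching key in {@code jsonWebKeySet}.
 *
 * <p>The key is selected from the token's {@code kid} header and its signature algorithm
 * via {@link #getPublicKey}. Only the RSA and EC algorithm families are supported.
 *
 * @param jwt           the parsed token whose signature is to be checked
 * @param jsonWebKeySet the issuer's key set in which the signing key is looked up
 * @return {@code true} only when a supported signer could be built and it accepts the
 *         signature; {@code false} for a missing key, an unsupported algorithm, a key
 *         type that does not match the algorithm family, an invalid signature, or any
 *         exception raised during validation
 */
public boolean validateSignature(Jwt jwt, JSONWebKeySet jsonWebKeySet) {
    // NOTE(review): this trace line emits the whole token via Jwt#toString, i.e. a
    // bearer credential while it is still valid; keep it at trace level only.
    log.trace("\n\n JwtUtil::validateSignature() - jwt = " + jwt + " , jsonWebKeySet =" + jsonWebKeySet + "\n");
    try {
        final String kid = jwt.getHeader().getClaimAsString(JwtHeaderName.KEY_ID);
        final String algorithm = jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM);
        final SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getSignatureAlgorithm();
        log.trace("\n\n JwtUtil::validateSignature() - kid = " + kid + " , algorithm =" + algorithm + " signatureAlgorithm = " + signatureAlgorithm + "\n");
        // Explicit check instead of letting getFamily() below NPE into the catch block
        // (nullability of getSignatureAlgorithm() is not visible here — TODO confirm).
        if (signatureAlgorithm == null) {
            log.error("ID Token signature algorithm is missing or unsupported.");
            return false;
        }
        PublicKey publicKey = getPublicKey(kid, jsonWebKeySet, signatureAlgorithm);
        log.trace("\n\n JwtUtil::validateSignature() - publicKey = " + publicKey + "\n");
        if (publicKey == null) {
            // Message used to say "RSA public key"; the lookup is not RSA-specific.
            log.error("Failed to get public key.");
            return false;
        }
        // Validate: the key type must match the algorithm family. Previously the key was
        // cast unconditionally, so a mismatch surfaced as a ClassCastException in the
        // generic catch below rather than as an explicit refusal.
        AbstractJwsSigner signer = createSigner(signatureAlgorithm, algorithm, publicKey);
        if (signer == null) {
            log.error("ID Token signer is not found!");
            return false;
        }
        if (signer.validate(jwt)) {
            log.debug("ID Token is successfully validated.");
            return true;
        }
        log.error("ID Token signature invalid.");
        return false;
    } catch (Exception e) {
        log.error("Failed to validate id_token. Message: " + e.getMessage(), e);
        return false;
    }
}

/**
 * Builds the JWS signer for the algorithm family of {@code signatureAlgorithm}.
 *
 * @param signatureAlgorithm the parsed header algorithm, used to pick the family
 * @param algorithm          the raw {@code alg} header value, parsed again for the signer
 *                           exactly as the original code did
 * @param publicKey          the key selected for the token
 * @return an {@link RSASigner} or {@link ECDSASigner}, or {@code null} when the family is
 *         neither RSA nor EC or {@code publicKey} is not of the type that family needs
 */
private static AbstractJwsSigner createSigner(SignatureAlgorithm signatureAlgorithm, String algorithm, PublicKey publicKey) {
    AlgorithmFamily family = signatureAlgorithm.getFamily();
    if (AlgorithmFamily.RSA.equals(family) && publicKey instanceof RSAPublicKey) {
        return new RSASigner(SignatureAlgorithm.fromString(algorithm), (RSAPublicKey) publicKey);
    }
    if (AlgorithmFamily.EC.equals(family) && publicKey instanceof ECDSAPublicKey) {
        return new ECDSASigner(SignatureAlgorithm.fromString(algorithm), (ECDSAPublicKey) publicKey);
    }
    return null;
}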

Example 5 with PublicKey

use of io.jans.as.model.crypto.PublicKey in project jans by JanssenProject.

Class PublicOpKeyService, method getPublicKey.

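/**
 * Resolves the OP public key to verify signatures with, from the local cache or by
 * fetching the OP's JWK Set.
 *
 * <p>When {@code keyId} is given, that key is looked up directly. Otherwise the set is
 * filtered by the family of {@code signatureAlgorithm} (and by {@code use} when it is
 * non-null) and exactly one key must remain. A resolved key is cached under
 * {@code (jwkSetUrl, kid)} when a kid is known.
 *
 * @param jwkSetUrl          the OP's {@code jwks_uri}
 * @param keyId              the {@code kid} to select; may be {@code null} or empty
 * @param signatureAlgorithm algorithm whose key family selects a key when {@code keyId}
 *                           is absent
 * @param use                required {@code use} value, or {@code null} to accept any
 * @return the matching public key, never {@code null}
 * @throws RuntimeException when the JWK Set cannot be fetched, when no key matches, or
 *                          when several keys match and no {@code kid} was supplied
 */
public PublicKey getPublicKey(String jwkSetUrl, String keyId, SignatureAlgorithm signatureAlgorithm, Use use) {
    // Get keys from cache if present
    Optional<PublicKey> cachedKey = getCachedKey(jwkSetUrl, keyId);
    if (cachedKey.isPresent()) {
        LOG.debug("Taken public key from cache. jwks_url: {}, kid : {} ", jwkSetUrl, keyId);
        return cachedKey.get();
    }
    // Request jwks from OP
    JwkClient jwkClient = opClientFactory.createJwkClient(jwkSetUrl);
    jwkClient.setExecutor(new ApacheHttpClient43Engine(httpService.getHttpClient()));
    JwkResponse jwkResponse = jwkClient.exec();
    if (jwkResponse == null || jwkResponse.getStatus() != 200) {
        // One message for both log and exception; it was previously built twice.
        String message = "Failed to fetch public key from OP. Obtained Response : "
                + (jwkResponse == null ? null : jwkResponse.getStatus());
        LOG.error(message);
        throw new RuntimeException(message);
    }
    boolean kidGiven = !Strings.isNullOrEmpty(keyId);
    PublicKey publicKey = kidGiven
            ? jwkResponse.getPublicKey(keyId)
            : selectSingleKey(jwkResponse.getJwks(), signatureAlgorithm, use);
    if (publicKey == null) {
        LOG.error("Failed to fetch public key from OP.");
        throw new RuntimeException("Failed to fetch public key from OP.");
    }
    // Cache under the requested kid, or under the key's own kid when none was requested.
    String cacheKid = kidGiven ? keyId : publicKey.getKeyId();
    if (!Strings.isNullOrEmpty(cacheKid)) {
        cache.put(new Pair<>(jwkSetUrl, cacheKid), publicKey);
    }
    return publicKey;
}

/**
 * Returns the single key of {@code jsonWebKeySet} whose type matches the family of
 * {@code signatureAlgorithm} and, when {@code use} is non-null, whose {@code use} equals it.
 *
 * @return the matching key, or {@code null} when no key matches
 * @throws RuntimeException when more than one key matches, since a choice cannot be made
 *                          without a {@code kid}
 */
private PublicKey selectSingleKey(JSONWebKeySet jsonWebKeySet, SignatureAlgorithm signatureAlgorithm, Use use) {
    List<PublicKey> matches = Lists.newArrayList();
    for (JSONWebKey key : jsonWebKeySet.getKeys()) {
        if (key.getKty() == null) {
            continue;
        }
        boolean familyMatches = signatureAlgorithm.getFamily().toString().equals(key.getKty().toString());
        boolean useMatches = use == null || use == key.getUse();
        if (familyMatches && useMatches) {
            matches.add(getPublicKey(key));
        }
    }
    if (matches.size() > 1) {
        String message = "Multiple matching keys found in issuer's jwks_uri for algorithm : "
                + signatureAlgorithm.getName() + ". `kid` must be provided in this case.";
        LOG.error(message);
        throw new RuntimeException(message);
    }
    return matches.isEmpty() ? null : matches.get(0);
}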
