
Example 1 with BlockEncryptionAlgorithm

use of io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm in project jans by JanssenProject.

Class JwrService, method encryptJwe.

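/**
 * Encrypts {@code jwe} for {@code client} using the {@code alg}/{@code enc} already present in its header.
 * <p>
 * When nested JWTs are enabled the claims are first signed and the resulting JWT becomes the JWE
 * payload, so the recipient can verify origin as well as decrypt. Key management follows the
 * header's {@code alg}: the RSA algorithms wrap the content key with the client's public key
 * fetched from its {@code jwks_uri}; the AES key-wrap algorithms use the client secret as the
 * wrapping key.
 *
 * @param jwe    the JWE to encrypt; for RSA algorithms its header receives the selected {@code kid}
 * @param client the recipient client (source of {@code jwks_uri} or of the client secret)
 * @return the encrypted JWE
 * @throws InvalidJweException      when no usable public key is found for an RSA algorithm
 * @throws IllegalArgumentException when the header's {@code alg} is unknown or not supported here
 * @throws Exception                propagated from signing, key retrieval or encryption
 */
private Jwe encryptJwe(Jwe jwe, Client client) throws Exception {
    if (appConfiguration.getUseNestedJwtDuringEncryption()) {
        // Nested JWT: sign the claims first, then encrypt the signed JWT as the payload.
        JwtSigner jwtSigner = JwtSigner.newJwtSigner(appConfiguration, webKeysConfiguration, client);
        Jwt jwt = jwtSigner.newJwt();
        jwt.setClaims(jwe.getClaims());
        jwe.setSignedJWTPayload(signJwt(jwt, client));
    }

    final KeyEncryptionAlgorithm keyEncryptionAlgorithm = KeyEncryptionAlgorithm.fromName(jwe.getHeader().getClaimAsString(ALGORITHM));
    final BlockEncryptionAlgorithm encryptionMethod = jwe.getHeader().getEncryptionMethod();

    if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
        // NOTE(review): RSA1_5 (RSAES-PKCS1-v1_5 key wrap) is kept for interoperability; RFC 8725
        // advises against it because of padding-oracle risk, so RSA_OAEP is the preferable choice.
        JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
        String keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys), Algorithm.fromString(keyEncryptionAlgorithm.getName()), Use.ENCRYPTION);
        PublicKey publicKey = cryptoProvider.getPublicKey(keyId, jsonWebKeys, null);
        // Fail before touching the header so a rejected JWE is not left with a dangling kid.
        if (publicKey == null) {
            throw new InvalidJweException("The public key is not valid");
        }
        jwe.getHeader().setKeyId(keyId);
        JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, encryptionMethod, publicKey);
        return jweEncrypter.encrypt(jwe);
    }

    if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A128KW || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW) {
        // The (decrypted) client secret is used directly as the key-wrapping key.
        byte[] sharedSymmetricKey = clientService.decryptSecret(client.getClientSecret()).getBytes(StandardCharsets.UTF_8);
        JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, encryptionMethod, sharedSymmetricKey);
        return jweEncrypter.encrypt(jwe);
    }

    // Also reached for an unrecognised "alg": fromName() yields null, which matches neither branch above.
    throw new IllegalArgumentException("Unsupported encryption algorithm: " + keyEncryptionAlgorithm);
}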
Also used : ServerCryptoProvider(io.jans.as.server.service.ServerCryptoProvider) Jwt(io.jans.as.model.jwt.Jwt) PublicKey(java.security.PublicKey) BlockEncryptionAlgorithm(io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm) JSONObject(org.json.JSONObject) KeyEncryptionAlgorithm(io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm) JweEncrypterImpl(io.jans.as.model.jwe.JweEncrypterImpl) JweEncrypter(io.jans.as.model.jwe.JweEncrypter) InvalidJweException(io.jans.as.model.exception.InvalidJweException)

Example 2 with BlockEncryptionAlgorithm

use of io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm in project jans by JanssenProject.

Class RegisterSiteOperation, method createRegisterClientRequest.

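/**
 * Builds the dynamic client registration request for a new RP from the caller-supplied parameters.
 * <p>
 * Every algorithm name ({@code *_alg} / {@code *_enc}) and {@code subject_type} is parsed, and the
 * request is rejected with an {@link HttpException} when a value is not recognised, so a typo never
 * silently degrades to "no algorithm". Other optional fields are copied only when present.
 *
 * @param params registration parameters received from the client-api caller
 * @param rpId   identifier of the RP being registered; used for the default client name and, when
 *               not blank, attached as the {@code rp_id} custom attribute
 * @return the populated registration request
 * @throws HttpException when an algorithm or subject type is invalid, or when an unsigned ID token
 *                       ({@code none}) is requested but {@code accept_id_token_without_signature} is off
 */
private RegisterRequest createRegisterClientRequest(RegisterSiteParams params, String rpId) {
    String clientName = "jans_client_api client for rp: " + rpId;
    if (!Strings.isNullOrEmpty(params.getClientName())) {
        clientName = params.getClientName();
    }
    // NOTE(review): redirect URIs are passed through as supplied; any URL validation is assumed to
    // happen before this method is reached — confirm against the caller.
    final RegisterRequest request = new RegisterRequest(ApplicationType.WEB, clientName, params.getRedirectUris());
    request.setResponseTypesStrings(params.getResponseTypes());
    request.setJwksUri(params.getClientJwksUri());
    request.setClaimsRedirectUris(params.getClaimsRedirectUri() != null ? params.getClaimsRedirectUri() : new ArrayList<String>());
    request.setPostLogoutRedirectUris(params.getPostLogoutRedirectUris() != null ? params.getPostLogoutRedirectUris() : Lists.newArrayList());
    request.setContacts(params.getContacts());
    request.setScope(params.getScope());
    request.setDefaultAcrValues(params.getAcrValues());

    if (StringUtils.isNotBlank(params.getClientTokenEndpointAuthSigningAlg())) {
        request.setTokenEndpointAuthSigningAlg(requireSignatureAlgorithm(params.getClientTokenEndpointAuthSigningAlg(), "client_token_endpoint_auth_signing_alg"));
    }
    if (StringUtils.isNotBlank(rpId)) {
        request.addCustomAttribute("rp_id", rpId);
    }

    // A missing grant_types list yields an empty list instead of an NPE.
    List<GrantType> grantTypes = Lists.newArrayList();
    if (params.getGrantTypes() != null) {
        for (String grantType : params.getGrantTypes()) {
            grantTypes.add(GrantType.fromString(grantType));
        }
    }
    request.setGrantTypes(grantTypes);

    if (StringUtils.isNotBlank(params.getClientFrontchannelLogoutUri())) {
        request.setFrontChannelLogoutUri(params.getClientFrontchannelLogoutUri());
    }
    if (StringUtils.isNotBlank(params.getClientTokenEndpointAuthMethod())) {
        // Unlike the algorithms, an unknown auth method is ignored rather than rejected (existing behaviour).
        final AuthenticationMethod authenticationMethod = AuthenticationMethod.fromString(params.getClientTokenEndpointAuthMethod());
        if (authenticationMethod != null) {
            request.setTokenEndpointAuthMethod(authenticationMethod);
        }
    }
    if (params.getClientRequestUris() != null && !params.getClientRequestUris().isEmpty()) {
        request.setRequestUris(params.getClientRequestUris());
    }
    if (!Strings.isNullOrEmpty(params.getClientSectorIdentifierUri())) {
        request.setSectorIdentifierUri(params.getClientSectorIdentifierUri());
    }
    request.setAccessTokenAsJwt(params.getAccessTokenAsJwt());
    // Validated like every other algorithm instead of silently storing null for a bad value.
    if (!Strings.isNullOrEmpty(params.getAccessTokenSigningAlg())) {
        request.setAccessTokenSigningAlg(requireSignatureAlgorithm(params.getAccessTokenSigningAlg(), "access_token_signing_alg"));
    }
    request.setRptAsJwt(params.getRptAsJwt());

    if (!Strings.isNullOrEmpty(params.getLogoUri())) {
        request.setLogoUri(params.getLogoUri());
    }
    if (!Strings.isNullOrEmpty(params.getClientUri())) {
        request.setClientUri(params.getClientUri());
    }
    if (!Strings.isNullOrEmpty(params.getPolicyUri())) {
        request.setPolicyUri(params.getPolicyUri());
    }
    if (params.getFrontChannelLogoutSessionRequired() != null) {
        request.setFrontChannelLogoutSessionRequired(params.getFrontChannelLogoutSessionRequired());
    }
    if (!Strings.isNullOrEmpty(params.getTosUri())) {
        request.setTosUri(params.getTosUri());
    }
    if (!Strings.isNullOrEmpty(params.getJwks())) {
        request.setJwks(params.getJwks());
    }
    if (!Strings.isNullOrEmpty(params.getIdTokenBindingCnf())) {
        request.setIdTokenTokenBindingCnf(params.getIdTokenBindingCnf());
    }
    if (!Strings.isNullOrEmpty(params.getTlsClientAuthSubjectDn())) {
        request.setTlsClientAuthSubjectDn(params.getTlsClientAuthSubjectDn());
    }
    if (!Strings.isNullOrEmpty(params.getSubjectType())) {
        SubjectType subjectType = SubjectType.fromString(params.getSubjectType());
        if (subjectType == null) {
            LOG.error("Received invalid values in `subject_type` property. Value: " + params.getSubjectType());
            throw new HttpException(ErrorResponseCode.INVALID_SUBJECT_TYPE);
        }
        request.setSubjectType(subjectType);
    }
    if (params.getRunIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims() != null) {
        request.setRunIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims(params.getRunIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims());
    }

    if (!Strings.isNullOrEmpty(params.getIdTokenSignedResponseAlg())) {
        SignatureAlgorithm idTokenSigningAlg = requireSignatureAlgorithm(params.getIdTokenSignedResponseAlg(), "id_token_signed_response_alg");
        // "none" leaves the ID token unauthenticated; honour it only when explicitly enabled in configuration.
        if (idTokenSigningAlg == SignatureAlgorithm.NONE && !getConfigurationService().getConfiguration().getAcceptIdTokenWithoutSignature()) {
            LOG.error("`ID_TOKEN` without signature is not allowed. To allow `ID_TOKEN` without signature set `accept_id_token_without_signature` field to 'true' in client-api-server.yml.");
            throw new HttpException(ErrorResponseCode.ID_TOKEN_WITHOUT_SIGNATURE_NOT_ALLOWED);
        }
        request.setIdTokenSignedResponseAlg(idTokenSigningAlg);
    }
    if (!Strings.isNullOrEmpty(params.getIdTokenEncryptedResponseAlg())) {
        request.setIdTokenEncryptedResponseAlg(requireKeyEncryptionAlgorithm(params.getIdTokenEncryptedResponseAlg(), "id_token_encrypted_response_alg"));
    }
    if (!Strings.isNullOrEmpty(params.getIdTokenEncryptedResponseEnc())) {
        request.setIdTokenEncryptedResponseEnc(requireBlockEncryptionAlgorithm(params.getIdTokenEncryptedResponseEnc(), "id_token_encrypted_response_enc"));
    }
    if (!Strings.isNullOrEmpty(params.getUserInfoSignedResponseAlg())) {
        request.setUserInfoSignedResponseAlg(requireSignatureAlgorithm(params.getUserInfoSignedResponseAlg(), "user_info_signed_response_alg"));
    }
    if (!Strings.isNullOrEmpty(params.getUserInfoEncryptedResponseAlg())) {
        request.setUserInfoEncryptedResponseAlg(requireKeyEncryptionAlgorithm(params.getUserInfoEncryptedResponseAlg(), "user_info_encrypted_response_alg"));
    }
    if (!Strings.isNullOrEmpty(params.getUserInfoEncryptedResponseEnc())) {
        request.setUserInfoEncryptedResponseEnc(requireBlockEncryptionAlgorithm(params.getUserInfoEncryptedResponseEnc(), "user_info_encrypted_response_enc"));
    }
    if (!Strings.isNullOrEmpty(params.getRequestObjectSigningAlg())) {
        request.setRequestObjectSigningAlg(requireSignatureAlgorithm(params.getRequestObjectSigningAlg(), "request_object_signing_alg"));
    }
    if (!Strings.isNullOrEmpty(params.getRequestObjectEncryptionAlg())) {
        request.setRequestObjectEncryptionAlg(requireKeyEncryptionAlgorithm(params.getRequestObjectEncryptionAlg(), "request_object_encryption_alg"));
    }
    if (!Strings.isNullOrEmpty(params.getRequestObjectEncryptionEnc())) {
        request.setRequestObjectEncryptionEnc(requireBlockEncryptionAlgorithm(params.getRequestObjectEncryptionEnc(), "request_object_encryption_enc"));
    }

    if (params.getDefaultMaxAge() != null && NumberUtils.isNumber(params.getDefaultMaxAge().toString())) {
        request.setDefaultMaxAge(params.getDefaultMaxAge());
    }
    if (params.getRequireAuthTime() != null) {
        request.setRequireAuthTime(params.getRequireAuthTime());
    }
    if (!Strings.isNullOrEmpty(params.getInitiateLoginUri())) {
        request.setInitiateLoginUri(params.getInitiateLoginUri());
    }
    if (params.getAuthorizedOrigins() != null && !params.getAuthorizedOrigins().isEmpty()) {
        request.setAuthorizedOrigins(params.getAuthorizedOrigins());
    }
    if (params.getAccessTokenLifetime() != null && NumberUtils.isNumber(params.getAccessTokenLifetime().toString())) {
        request.setAccessTokenLifetime(params.getAccessTokenLifetime());
    }
    if (!Strings.isNullOrEmpty(params.getSoftwareId())) {
        request.setSoftwareId(params.getSoftwareId());
    }
    if (!Strings.isNullOrEmpty(params.getSoftwareVersion())) {
        request.setSoftwareVersion(params.getSoftwareVersion());
    }
    if (!Strings.isNullOrEmpty(params.getSoftwareStatement())) {
        request.setSoftwareStatement(params.getSoftwareStatement());
    }
    if (params.getAllowSpontaneousScopes() != null) {
        request.setAllowSpontaneousScopes(params.getAllowSpontaneousScopes());
    }
    if (CollectionUtils.isNotEmpty(params.getSpontaneousScopes())) {
        request.setSpontaneousScopes(params.getSpontaneousScopes());
    }
    if (params.getCustomAttributes() != null && !params.getCustomAttributes().isEmpty()) {
        // Strips the legacy trusted-client attribute; note this also removes it from the caller's map (existing behaviour).
        params.getCustomAttributes().entrySet().removeIf(entry -> entry.getKey().contains("oxAuthTrustedClient"));
        params.getCustomAttributes().forEach((key, value) -> request.addCustomAttribute(key, value));
    }
    return request;
}

/** Parses a JWS algorithm name for {@code property}, failing the request when it is not recognised. */
private SignatureAlgorithm requireSignatureAlgorithm(String value, String property) {
    SignatureAlgorithm algorithm = SignatureAlgorithm.fromString(value);
    if (algorithm == null) {
        LOG.error("Received invalid algorithm in `" + property + "` property. Value: " + value);
        throw new HttpException(ErrorResponseCode.INVALID_SIGNATURE_ALGORITHM);
    }
    return algorithm;
}

/** Parses a JWE key-management ({@code alg}) name for {@code property}, failing the request when it is not recognised. */
private KeyEncryptionAlgorithm requireKeyEncryptionAlgorithm(String value, String property) {
    KeyEncryptionAlgorithm algorithm = KeyEncryptionAlgorithm.fromName(value);
    if (algorithm == null) {
        LOG.error("Received invalid algorithm in `" + property + "` property. Value: " + value);
        throw new HttpException(ErrorResponseCode.INVALID_KEY_ENCRYPTION_ALGORITHM);
    }
    return algorithm;
}

/** Parses a JWE content-encryption ({@code enc}) name for {@code property}, failing the request when it is not recognised. */
private BlockEncryptionAlgorithm requireBlockEncryptionAlgorithm(String value, String property) {
    BlockEncryptionAlgorithm algorithm = BlockEncryptionAlgorithm.fromName(value);
    if (algorithm == null) {
        LOG.error("Received invalid algorithm in `" + property + "` property. Value: " + value);
        throw new HttpException(ErrorResponseCode.INVALID_BLOCK_ENCRYPTION_ALGORITHM);
    }
    return algorithm;
}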
Also used : RegisterRequest(io.jans.as.client.RegisterRequest) SubjectType(io.jans.as.model.common.SubjectType) KeyEncryptionAlgorithm(io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm) ArrayList(java.util.ArrayList) SignatureAlgorithm(io.jans.as.model.crypto.signature.SignatureAlgorithm) HttpException(io.jans.ca.server.HttpException) GrantType(io.jans.as.model.common.GrantType) AuthenticationMethod(io.jans.as.model.common.AuthenticationMethod) BlockEncryptionAlgorithm(io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm)

Example 3 with BlockEncryptionAlgorithm

use of io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm in project jans by JanssenProject.

Class UpdateSiteOperation, method createRegisterClientRequest.

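/**
 * Builds the registration-update request for an existing RP, starting from the stored {@code rp}
 * and overlaying only those fields that {@code params} actually supplies.
 * <p>
 * Redirect URIs are de-duplicated (insertion order kept) and must all be valid URLs; algorithm
 * names ({@code *_alg} / {@code *_enc}) and {@code subject_type} are rejected with an
 * {@link HttpException} when unknown, so a typo never silently degrades to "no algorithm".
 *
 * @param rp     the currently registered RP whose stored values seed the request
 * @param params update parameters; {@code null}/empty values leave the stored value untouched
 * @return a PUT registration request reflecting the merged values
 * @throws HttpException on an invalid redirect URI, algorithm or subject type, or when an unsigned
 *                       ID token ({@code none}) is requested but {@code accept_id_token_without_signature} is off
 */
private RegisterRequest createRegisterClientRequest(Rp rp, UpdateSiteParams params) {
    final RegisterRequest request = RegisterRequestMapper.createRegisterRequest(rp);
    // force update
    request.setHttpMethod(HttpMethod.PUT);

    if (params.getResponseTypes() != null && !params.getResponseTypes().isEmpty()) {
        request.setResponseTypesStrings(params.getResponseTypes());
    }
    if (params.getRptAsJwt() != null) {
        request.setRptAsJwt(params.getRptAsJwt());
    }
    if (params.getGrantType() != null && !params.getGrantType().isEmpty()) {
        request.setGrantTypes(params.getGrantType().stream().map(item -> GrantType.fromString(item)).collect(Collectors.toList()));
    }
    if (params.getRedirectUris() != null && !params.getRedirectUris().isEmpty()) {
        // Reject the whole update if any redirect URI is malformed; a partial list would silently alter the registration.
        if (!params.getRedirectUris().stream().allMatch(uri -> Utils.isValidUrl(uri))) {
            throw new HttpException(ErrorResponseCode.INVALID_REDIRECT_URI);
        }
        Set<String> redirectUris = Sets.newLinkedHashSet(params.getRedirectUris());
        request.setRedirectUris(Lists.newArrayList(redirectUris));
    }
    if (params.getAcrValues() != null && !params.getAcrValues().isEmpty()) {
        request.setDefaultAcrValues(params.getAcrValues());
    }
    if (params.getClaimsRedirectUri() != null && !params.getClaimsRedirectUri().isEmpty()) {
        request.setClaimsRedirectUris(params.getClaimsRedirectUri());
    }
    if (params.getAccessTokenAsJwt() != null) {
        request.setAccessTokenAsJwt(params.getAccessTokenAsJwt());
    }
    if (params.getAccessTokenSigningAlg() != null) {
        request.setAccessTokenSigningAlg(requireSignatureAlgorithm(params.getAccessTokenSigningAlg(), "access_token_signing_alg"));
    }
    if (!Strings.isNullOrEmpty(params.getClientJwksUri())) {
        request.setJwksUri(params.getClientJwksUri());
    }
    if (params.getPostLogoutRedirectUris() != null && !params.getPostLogoutRedirectUris().isEmpty()) {
        request.setPostLogoutRedirectUris(Lists.newArrayList(params.getPostLogoutRedirectUris()));
    }
    if (params.getContacts() != null) {
        request.setContacts(params.getContacts());
    }
    if (params.getScope() != null) {
        request.setScope(params.getScope());
    }
    if (!Strings.isNullOrEmpty(params.getClientSectorIdentifierUri())) {
        request.setSectorIdentifierUri(params.getClientSectorIdentifierUri());
    }
    if (!Strings.isNullOrEmpty(params.getClientFrontchannelLogoutUri())) {
        request.setFrontChannelLogoutUri(params.getClientFrontchannelLogoutUri());
    }
    if (params.getClientRequestUris() != null && !params.getClientRequestUris().isEmpty()) {
        request.setRequestUris(params.getClientRequestUris());
    }
    if (params.getClientTokenEndpointAuthSigningAlg() != null) {
        // The validated value is used directly instead of parsing the string a second time.
        request.setTokenEndpointAuthSigningAlg(requireSignatureAlgorithm(params.getClientTokenEndpointAuthSigningAlg(), "client_token_endpoint_auth_signing_alg"));
    }
    if (!Strings.isNullOrEmpty(params.getClientName())) {
        request.setClientName(params.getClientName());
    }
    if (!Strings.isNullOrEmpty(params.getLogoUri())) {
        request.setLogoUri(params.getLogoUri());
    }
    if (!Strings.isNullOrEmpty(params.getClientUri())) {
        request.setClientUri(params.getClientUri());
    }
    if (!Strings.isNullOrEmpty(params.getPolicyUri())) {
        request.setPolicyUri(params.getPolicyUri());
    }
    if (params.getFrontChannelLogoutSessionRequired() != null) {
        request.setFrontChannelLogoutSessionRequired(params.getFrontChannelLogoutSessionRequired());
    }
    if (!Strings.isNullOrEmpty(params.getTosUri())) {
        request.setTosUri(params.getTosUri());
    }
    if (!Strings.isNullOrEmpty(params.getJwks())) {
        request.setJwks(params.getJwks());
    }
    if (!Strings.isNullOrEmpty(params.getIdTokenBindingCnf())) {
        request.setIdTokenTokenBindingCnf(params.getIdTokenBindingCnf());
    }
    if (!Strings.isNullOrEmpty(params.getTlsClientAuthSubjectDn())) {
        request.setTlsClientAuthSubjectDn(params.getTlsClientAuthSubjectDn());
    }
    if (!Strings.isNullOrEmpty(params.getSubjectType())) {
        SubjectType subjectType = SubjectType.fromString(params.getSubjectType());
        if (subjectType == null) {
            LOG.error("Received invalid values in `subject_type` property. Value: " + params.getSubjectType());
            throw new HttpException(ErrorResponseCode.INVALID_SUBJECT_TYPE);
        }
        request.setSubjectType(subjectType);
    }
    if (params.getRunIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims() != null) {
        request.setRunIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims(params.getRunIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims());
    }

    if (!Strings.isNullOrEmpty(params.getIdTokenSignedResponseAlg())) {
        SignatureAlgorithm idTokenSigningAlg = requireSignatureAlgorithm(params.getIdTokenSignedResponseAlg(), "id_token_signed_response_alg");
        // "none" leaves the ID token unauthenticated; honour it only when explicitly enabled in configuration.
        if (idTokenSigningAlg == SignatureAlgorithm.NONE && !getConfigurationService().getConfiguration().getAcceptIdTokenWithoutSignature()) {
            LOG.error("`ID_TOKEN` without signature is not allowed. To allow `ID_TOKEN` without signature set `accept_id_token_without_signature` field to 'true' in client-api-server.yml.");
            throw new HttpException(ErrorResponseCode.ID_TOKEN_WITHOUT_SIGNATURE_NOT_ALLOWED);
        }
        request.setIdTokenSignedResponseAlg(idTokenSigningAlg);
    }
    if (!Strings.isNullOrEmpty(params.getIdTokenEncryptedResponseAlg())) {
        request.setIdTokenEncryptedResponseAlg(requireKeyEncryptionAlgorithm(params.getIdTokenEncryptedResponseAlg(), "id_token_encrypted_response_alg"));
    }
    if (!Strings.isNullOrEmpty(params.getIdTokenEncryptedResponseEnc())) {
        request.setIdTokenEncryptedResponseEnc(requireBlockEncryptionAlgorithm(params.getIdTokenEncryptedResponseEnc(), "id_token_encrypted_response_enc"));
    }
    if (!Strings.isNullOrEmpty(params.getUserInfoSignedResponseAlg())) {
        request.setUserInfoSignedResponseAlg(requireSignatureAlgorithm(params.getUserInfoSignedResponseAlg(), "user_info_signed_response_alg"));
    }
    if (!Strings.isNullOrEmpty(params.getUserInfoEncryptedResponseAlg())) {
        request.setUserInfoEncryptedResponseAlg(requireKeyEncryptionAlgorithm(params.getUserInfoEncryptedResponseAlg(), "user_info_encrypted_response_alg"));
    }
    if (!Strings.isNullOrEmpty(params.getUserInfoEncryptedResponseEnc())) {
        request.setUserInfoEncryptedResponseEnc(requireBlockEncryptionAlgorithm(params.getUserInfoEncryptedResponseEnc(), "user_info_encrypted_response_enc"));
    }
    if (!Strings.isNullOrEmpty(params.getRequestObjectSigningAlg())) {
        request.setRequestObjectSigningAlg(requireSignatureAlgorithm(params.getRequestObjectSigningAlg(), "request_object_signing_alg"));
    }
    if (!Strings.isNullOrEmpty(params.getRequestObjectEncryptionAlg())) {
        request.setRequestObjectEncryptionAlg(requireKeyEncryptionAlgorithm(params.getRequestObjectEncryptionAlg(), "request_object_encryption_alg"));
    }
    if (!Strings.isNullOrEmpty(params.getRequestObjectEncryptionEnc())) {
        request.setRequestObjectEncryptionEnc(requireBlockEncryptionAlgorithm(params.getRequestObjectEncryptionEnc(), "request_object_encryption_enc"));
    }

    if (params.getDefaultMaxAge() != null && NumberUtils.isNumber(params.getDefaultMaxAge().toString())) {
        request.setDefaultMaxAge(params.getDefaultMaxAge());
    }
    if (params.getRequireAuthTime() != null) {
        request.setRequireAuthTime(params.getRequireAuthTime());
    }
    if (!Strings.isNullOrEmpty(params.getInitiateLoginUri())) {
        request.setInitiateLoginUri(params.getInitiateLoginUri());
    }
    if (params.getAuthorizedOrigins() != null && !params.getAuthorizedOrigins().isEmpty()) {
        request.setAuthorizedOrigins(params.getAuthorizedOrigins());
    }
    if (params.getAccessTokenLifetime() != null && NumberUtils.isNumber(params.getAccessTokenLifetime().toString())) {
        request.setAccessTokenLifetime(params.getAccessTokenLifetime());
    }
    if (!Strings.isNullOrEmpty(params.getSoftwareId())) {
        request.setSoftwareId(params.getSoftwareId());
    }
    if (!Strings.isNullOrEmpty(params.getSoftwareVersion())) {
        request.setSoftwareVersion(params.getSoftwareVersion());
    }
    if (!Strings.isNullOrEmpty(params.getSoftwareStatement())) {
        request.setSoftwareStatement(params.getSoftwareStatement());
    }
    if (params.getAllowSpontaneousScopes() != null) {
        request.setAllowSpontaneousScopes(params.getAllowSpontaneousScopes());
    }
    if (CollectionUtils.isNotEmpty(params.getSpontaneousScopes())) {
        request.setSpontaneousScopes(params.getSpontaneousScopes());
    }
    if (params.getCustomAttributes() != null && !params.getCustomAttributes().isEmpty()) {
        // Strips the legacy trusted-client attribute; note this also removes it from the caller's map (existing behaviour).
        params.getCustomAttributes().entrySet().removeIf(entry -> entry.getKey().contains("oxAuthTrustedClient"));
        params.getCustomAttributes().forEach((key, value) -> request.addCustomAttribute(key, value));
    }
    if (StringUtils.isNotBlank(rp.getRpId())) {
        request.addCustomAttribute("rp_id", rp.getRpId());
    }
    return request;
}

/** Parses a JWS algorithm name for {@code property}, failing the request when it is not recognised. */
private SignatureAlgorithm requireSignatureAlgorithm(String value, String property) {
    SignatureAlgorithm algorithm = SignatureAlgorithm.fromString(value);
    if (algorithm == null) {
        LOG.error("Received invalid algorithm in `" + property + "` property. Value: " + value);
        throw new HttpException(ErrorResponseCode.INVALID_SIGNATURE_ALGORITHM);
    }
    return algorithm;
}

/** Parses a JWE key-management ({@code alg}) name for {@code property}, failing the request when it is not recognised. */
private KeyEncryptionAlgorithm requireKeyEncryptionAlgorithm(String value, String property) {
    KeyEncryptionAlgorithm algorithm = KeyEncryptionAlgorithm.fromName(value);
    if (algorithm == null) {
        LOG.error("Received invalid algorithm in `" + property + "` property. Value: " + value);
        throw new HttpException(ErrorResponseCode.INVALID_KEY_ENCRYPTION_ALGORITHM);
    }
    return algorithm;
}

/** Parses a JWE content-encryption ({@code enc}) name for {@code property}, failing the request when it is not recognised. */
private BlockEncryptionAlgorithm requireBlockEncryptionAlgorithm(String value, String property) {
    BlockEncryptionAlgorithm algorithm = BlockEncryptionAlgorithm.fromName(value);
    if (algorithm == null) {
        LOG.error("Received invalid algorithm in `" + property + "` property. Value: " + value);
        throw new HttpException(ErrorResponseCode.INVALID_BLOCK_ENCRYPTION_ALGORITHM);
    }
    return algorithm;
}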
Also used : StringUtils(org.apache.commons.lang.StringUtils) UpdateSiteParams(io.jans.ca.common.params.UpdateSiteParams) SubjectType(io.jans.as.model.common.SubjectType) UpdateSiteResponse(io.jans.ca.common.response.UpdateSiteResponse) Utils(io.jans.ca.server.Utils) LoggerFactory(org.slf4j.LoggerFactory) RegisterRequestMapper(io.jans.ca.server.mapper.RegisterRequestMapper) BlockEncryptionAlgorithm(io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm) HttpMethod(javax.ws.rs.HttpMethod) NumberUtils(org.apache.commons.lang.math.NumberUtils) HttpException(io.jans.ca.server.HttpException) Strings(com.google.common.base.Strings) ErrorResponseCode(io.jans.ca.common.ErrorResponseCode) IOpResponse(io.jans.ca.common.response.IOpResponse) Lists(com.google.common.collect.Lists) CollectionUtils(org.apache.commons.collections.CollectionUtils) RegisterClient(io.jans.as.client.RegisterClient) Command(io.jans.ca.common.Command) Logger(org.slf4j.Logger) Set(java.util.Set) SignatureAlgorithm(io.jans.as.model.crypto.signature.SignatureAlgorithm) RegisterRequest(io.jans.as.client.RegisterRequest) Collectors(java.util.stream.Collectors) Sets(com.google.common.collect.Sets) Injector(com.google.inject.Injector) RegisterResponse(io.jans.as.client.RegisterResponse) List(java.util.List) GrantType(io.jans.as.model.common.GrantType) KeyEncryptionAlgorithm(io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm) Rp(io.jans.ca.server.service.Rp) RegisterRequest(io.jans.as.client.RegisterRequest) SubjectType(io.jans.as.model.common.SubjectType) KeyEncryptionAlgorithm(io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm) HttpException(io.jans.ca.server.HttpException) SignatureAlgorithm(io.jans.as.model.crypto.signature.SignatureAlgorithm) BlockEncryptionAlgorithm(io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm)

Example 4 with BlockEncryptionAlgorithm

use of io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm in project jans by JanssenProject.

Class UserInfoRestWebServiceImpl, method requestUserInfo.

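/**
 * Serves a UserInfo request for the supplied access token.
 *
 * <p>Flow: the bearer token is taken from the {@code Authorization} header when one is
 * present, the USERINFO component is checked to be enabled, the token is resolved to an
 * authorization grant and validated, the grant type and scopes are checked, and the user
 * entry is reloaded. The response body is then rendered as a JWE, a JWT or plain JSON
 * depending on the client's userinfo encrypted/signed response algorithm settings.
 * An audit message is always sent, whatever the outcome.
 *
 * @param accessToken     access token passed as a request parameter; overridden by the
 *                        bearer token from {@code authorization} when that header carries one
 * @param authorization   raw {@code Authorization} header value (may be {@code null})
 * @param request         incoming servlet request, used only for the caller's IP in the audit log
 * @param securityContext JAX-RS security context, used only for the "is secure" flag in the debug log
 * @return 200 with the user info; 400 for an invalid token parameter; 401 for an unknown or
 *         invalid token; 403 for a client_credentials grant or missing openid/profile scope;
 *         500 on any unexpected exception
 */
private Response requestUserInfo(String accessToken, String authorization, HttpServletRequest request, SecurityContext securityContext) {
    if (tokenService.isBearerAuthToken(authorization)) {
        accessToken = tokenService.getBearerToken(authorization);
    }
    // The access token is a bearer credential: log only whether one was supplied, never its value.
    log.debug("Attempting to request User Info, Access token present = {}, Is Secure = {}", accessToken != null, securityContext.isSecure());
    errorResponseFactory.validateComponentEnabled(ComponentType.USERINFO);
    Response.ResponseBuilder builder = Response.ok();
    OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.USER_INFO);
    try {
        if (!UserInfoParamsValidator.validateParams(accessToken)) {
            return response(400, UserInfoErrorResponseType.INVALID_REQUEST, "access token is not valid.");
        }
        AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
        if (authorizationGrant == null) {
            // Token value deliberately not logged (credential).
            log.trace("Failed to find authorization grant by access_token");
            return response(401, UserInfoErrorResponseType.INVALID_TOKEN);
        }
        // Audit the attempt before validation so a rejected token is still recorded against the grant.
        oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, false);
        final AbstractToken accessTokenObject = authorizationGrant.getAccessToken(accessToken);
        if (accessTokenObject == null || !accessTokenObject.isValid()) {
            // Inside this branch the token is either absent from the grant or reported invalid.
            log.trace("Invalid access token object, isNull: {}", accessTokenObject == null);
            return response(401, UserInfoErrorResponseType.INVALID_TOKEN);
        }
        if (authorizationGrant.getAuthorizationGrantType() == AuthorizationGrantType.CLIENT_CREDENTIALS) {
            return response(403, UserInfoErrorResponseType.INSUFFICIENT_SCOPE, "Grant object has client_credentials grant_type which is not valid.");
        }
        // Backward-compatibility mode accepts either openid or profile; strict mode requires openid.
        if (appConfiguration.getOpenidScopeBackwardCompatibility() && !authorizationGrant.getScopes().contains(DefaultScope.OPEN_ID.toString()) && !authorizationGrant.getScopes().contains(DefaultScope.PROFILE.toString())) {
            return response(403, UserInfoErrorResponseType.INSUFFICIENT_SCOPE, "Both openid and profile scopes are not present.");
        }
        if (!appConfiguration.getOpenidScopeBackwardCompatibility() && !authorizationGrant.getScopes().contains(DefaultScope.OPEN_ID.toString())) {
            return response(403, UserInfoErrorResponseType.INSUFFICIENT_SCOPE, "Missed openid scope.");
        }
        oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
        // User info is per-subject data: forbid shared caching and storage of the response.
        builder.cacheControl(ServerUtil.cacheControlWithNoStoreTransformAndPrivate());
        builder.header(Constants.PRAGMA, Constants.NO_CACHE);
        User currentUser = authorizationGrant.getUser();
        try {
            // Prefer a fresh copy of the user entry; fall back to the one cached on the grant.
            currentUser = userService.getUserByDn(authorizationGrant.getUserDn());
        } catch (EntryPersistenceException ex) {
            // Best-effort reload: keep the grant's user, but preserve the cause in the log.
            log.warn("Failed to reload user entry: '{}'", authorizationGrant.getUserDn(), ex);
        }
        // Response format follows the client's registered userinfo response algorithms:
        // encrypted (JWE) takes precedence over signed (JWT), else plain JSON.
        if (authorizationGrant.getClient() != null && authorizationGrant.getClient().getUserInfoEncryptedResponseAlg() != null && authorizationGrant.getClient().getUserInfoEncryptedResponseEnc() != null) {
            KeyEncryptionAlgorithm keyEncryptionAlgorithm = KeyEncryptionAlgorithm.fromName(authorizationGrant.getClient().getUserInfoEncryptedResponseAlg());
            BlockEncryptionAlgorithm blockEncryptionAlgorithm = BlockEncryptionAlgorithm.fromName(authorizationGrant.getClient().getUserInfoEncryptedResponseEnc());
            builder.type("application/jwt");
            builder.entity(getJweResponse(keyEncryptionAlgorithm, blockEncryptionAlgorithm, currentUser, authorizationGrant, authorizationGrant.getScopes()));
        } else if (authorizationGrant.getClient() != null && authorizationGrant.getClient().getUserInfoSignedResponseAlg() != null) {
            SignatureAlgorithm algorithm = SignatureAlgorithm.fromString(authorizationGrant.getClient().getUserInfoSignedResponseAlg());
            builder.type("application/jwt");
            builder.entity(getJwtResponse(algorithm, currentUser, authorizationGrant, authorizationGrant.getScopes()));
        } else {
            builder.type((MediaType.APPLICATION_JSON + ";charset=UTF-8"));
            builder.entity(getJSonResponse(currentUser, authorizationGrant, authorizationGrant.getScopes()));
        }
        return builder.build();
    } catch (Exception e) {
        log.error(e.getMessage(), e);
        // Unexpected failure: respond 500 without leaking internals to the caller.
        return Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode()).build();
    } finally {
        // Audit every attempt, successful or not.
        applicationAuditLogger.sendMessage(oAuth2AuditLog);
    }
}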

Example 5 with BlockEncryptionAlgorithm

use of io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm in project jans by JanssenProject.

The class JwrService, method createJwr.

/**
 * Creates the JSON web response container that will carry the client's ID token.
 *
 * <p>When the client registers both an ID-token key-encryption algorithm and a
 * block-encryption method, an empty {@link Jwe} is returned whose header already carries
 * the JWT type, the key-encryption algorithm and the encryption method. Otherwise a
 * signed {@code Jwt} produced by a {@code JwtSigner} for this client is returned.
 *
 * @param client the registered client whose ID-token encryption settings are consulted
 * @return a {@link Jwe} or a {@code Jwt} as described above, or {@code null} if any
 *         exception is raised while building it (the exception is logged)
 */
public io.jans.as.model.token.JsonWebResponse createJwr(Client client) {
    try {
        final KeyEncryptionAlgorithm alg = KeyEncryptionAlgorithm.fromName(client.getIdTokenEncryptedResponseAlg());
        final BlockEncryptionAlgorithm enc = BlockEncryptionAlgorithm.fromName(client.getIdTokenEncryptedResponseEnc());
        final boolean encryptIdToken = alg != null && enc != null;
        if (!encryptIdToken) {
            // No complete encryption configuration: fall back to a signed JWT.
            final JwtSigner signer = JwtSigner.newJwtSigner(appConfiguration, webKeysConfiguration, client);
            return signer.newJwt();
        }
        final Jwe jwe = new Jwe();
        // Populate only the header; claims and payload are filled in by the caller.
        jwe.getHeader().setType(JwtType.JWT);
        jwe.getHeader().setAlgorithm(alg);
        jwe.getHeader().setEncryptionMethod(enc);
        return jwe;
    } catch (Exception e) {
        log.error("Failed to create token.", e);
        return null;
    }
}
