
Example 1 with AlgorithmFamily

use of io.jans.as.model.crypto.signature.AlgorithmFamily in project jans by JanssenProject.

the class AuthCryptoProvider method generateKeyEncryption.

/**
 * Generates a key pair for a key-encryption {@link Algorithm} and hands it to
 * {@code getJson} to be packed into the provider's JSON key representation.
 * <p>
 * If {@code algorithm} has no matching {@link KeyEncryptionAlgorithm}, the method does not fail:
 * it substitutes {@code RS256} / {@code RSA1_5}. RSA1_5 is RSAES-PKCS1-v1_5 padding, so callers
 * should pass a recognised algorithm rather than rely on this fallback.
 *
 * @param algorithm      requested key-encryption algorithm
 * @param expirationTime expiration timestamp passed through to {@code getJson}
 * @param keyLength      RSA modulus size in bits; not used for EC keys, whose curve comes from the algorithm
 * @return the generated key as a JSON object
 * @throws IllegalStateException if the algorithm family is neither RSA nor EC
 */
private JSONObject generateKeyEncryption(Algorithm algorithm, Long expirationTime, int keyLength) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, OperatorCreationException, CertificateException, KeyStoreException, IOException {
    KeyEncryptionAlgorithm encryptionAlgorithm = KeyEncryptionAlgorithm.fromName(algorithm.getParamName());
    if (encryptionAlgorithm == null) {
        // Unrecognised name: fall back to the RSA defaults instead of failing.
        algorithm = Algorithm.RS256;
        encryptionAlgorithm = KeyEncryptionAlgorithm.RSA1_5;
    }
    final AlgorithmFamily family = algorithm.getFamily();
    final KeyPairGenerator generator;
    final String certSignatureAlgorithm;
    switch (family) {
        case RSA:
            generator = KeyPairGenerator.getInstance(family.toString(), "BC");
            generator.initialize(keyLength, new SecureRandom());
            certSignatureAlgorithm = "SHA256WITHRSA";
            break;
        case EC: {
            // Curve is dictated by the key-encryption algorithm, not by keyLength.
            final ECGenParameterSpec curveSpec = new ECGenParameterSpec(encryptionAlgorithm.getCurve().getAlias());
            generator = KeyPairGenerator.getInstance(family.toString(), "BC");
            generator.initialize(curveSpec, new SecureRandom());
            certSignatureAlgorithm = "SHA256WITHECDSA";
            break;
        }
        default:
            throw new IllegalStateException("The provided key encryption algorithm parameter is not supported: algorithmFamily = " + family);
    }
    return getJson(algorithm, generator, certSignatureAlgorithm, expirationTime);
}

Example 2 with AlgorithmFamily

use of io.jans.as.model.crypto.signature.AlgorithmFamily in project jans by JanssenProject.

the class AbstractCryptoProvider method processKey.

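/**
 * Converts a single JWK entry into a JCA {@link PublicKey}.
 * <p>
 * The key family is taken from the {@code alg} member when present (and, when
 * {@code requestedAlgorithm} is given, the two must match), otherwise from {@code kty}.
 * RSA, EC and ED families are supported. When the entry carries an {@code exp} member,
 * {@code checkKeyExpiration} is invoked once the key has been built.
 *
 * @param requestedAlgorithm algorithm the caller expects the key to use, or {@code null} to accept any
 * @param alias              key id, used for tracing and expiration reporting
 * @param key                the JWK as a JSON object
 * @return the public key, or {@code null} when {@code alg} is present but differs from {@code requestedAlgorithm}
 * @throws InvalidParameterException      if the entry has neither {@code alg} nor {@code kty}, or carries an
 *                                        {@code alg}, {@code kty} or {@code crv} value that cannot be resolved
 * @throws NoSuchAlgorithmException       from the JCA key factories
 * @throws InvalidKeySpecException        if the decoded key material is not a valid key
 * @throws InvalidParameterSpecException  if the EC curve parameters cannot be initialised
 */
private PublicKey processKey(Algorithm requestedAlgorithm, String alias, JSONObject key) throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidParameterSpecException, InvalidParameterException {
    final AlgorithmFamily algorithmFamily;
    if (key.has(JWKParameter.ALGORITHM)) {
        final String algorithmName = key.optString(JWKParameter.ALGORITHM);
        final Algorithm algorithm = Algorithm.fromString(algorithmName);
        if (requestedAlgorithm != null && !requestedAlgorithm.equals(algorithm)) {
            LOG.trace("kid matched but algorithm does not match. kid algorithm:" + algorithm + ", requestedAlgorithm:" + requestedAlgorithm + ", kid:" + alias);
            return null;
        }
        if (algorithm == null) {
            // An unrecognised 'alg' previously reached algorithm.getFamily() and surfaced as an NPE;
            // the JWK is external input, so reject it as an input error instead.
            throw new InvalidParameterException("Wrong key (JSONObject): unsupported 'alg' value: " + algorithmName);
        }
        algorithmFamily = algorithm.getFamily();
    } else if (key.has(JWKParameter.KEY_TYPE)) {
        algorithmFamily = AlgorithmFamily.fromString(key.getString(JWKParameter.KEY_TYPE));
    } else {
        throw new InvalidParameterException("Wrong key (JSONObject): doesn't contain 'alg' and 'kty' properties");
    }
    if (algorithmFamily == null) {
        // switch on a null enum would throw an NPE; report it as an input error.
        throw new InvalidParameterException("Wrong key (JSONObject): could not determine the algorithm family from 'alg'/'kty'");
    }
    final PublicKey publicKey;
    switch (algorithmFamily) {
        case RSA: {
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            // Signum 1 forces a positive magnitude regardless of the leading bit of the decoded bytes.
            RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec(new BigInteger(1, Base64Util.base64urldecode(key.getString(JWKParameter.MODULUS))), new BigInteger(1, Base64Util.base64urldecode(key.getString(JWKParameter.EXPONENT))));
            publicKey = keyFactory.generatePublic(pubKeySpec);
            break;
        }
        case EC: {
            final String curveName = key.optString(JWKParameter.CURVE);
            EllipticEdvardsCurve curve = EllipticEdvardsCurve.fromString(curveName);
            if (curve == null) {
                throw new InvalidParameterException("Wrong key (JSONObject): unsupported 'crv' value: " + curveName);
            }
            AlgorithmParameters parameters = AlgorithmParameters.getInstance(AlgorithmFamily.EC.toString());
            parameters.init(new ECGenParameterSpec(curve.getAlias()));
            ECParameterSpec ecParameters = parameters.getParameterSpec(ECParameterSpec.class);
            publicKey = KeyFactory.getInstance(AlgorithmFamily.EC.toString()).generatePublic(new ECPublicKeySpec(new ECPoint(new BigInteger(1, Base64Util.base64urldecode(key.getString(JWKParameter.X))), new BigInteger(1, Base64Util.base64urldecode(key.getString(JWKParameter.Y)))), ecParameters));
            break;
        }
        case ED: {
            // NOTE(review): the KeyFactory name is the raw 'alg' string of the JWK; when the family was
            // derived from 'kty' alone this is empty and getInstance fails — confirm the expected JWK shape.
            X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(Base64Util.base64urldecode(key.getString(JWKParameter.X)));
            publicKey = KeyFactory.getInstance(key.optString(JWKParameter.ALGORITHM)).generatePublic(publicKeySpec);
            break;
        }
        default:
            throw new InvalidParameterException(String.format("Wrong AlgorithmFamily value: %s", algorithmFamily));
    }
    if (key.has(JWKParameter.EXPIRATION_TIME)) {
        checkKeyExpiration(alias, key.getLong(JWKParameter.EXPIRATION_TIME));
    }
    return publicKey;
}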

Example 3 with AlgorithmFamily

use of io.jans.as.model.crypto.signature.AlgorithmFamily in project jans by JanssenProject.

the class JwtUtil method getPublicKey.

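/**
 * Looks up the JWK with id {@code keyId} (via {@code getJsonKey}, from the JWKS URI or the inline
 * document) and converts it into the project's {@link io.jans.as.model.crypto.PublicKey} model.
 * <p>
 * When {@code signatureAlgorithm} is {@code null} it is read from the key's {@code alg} member.
 * If the entry carries a certificate chain, its first element is parsed as an X.509 certificate
 * and attached to the key.
 *
 * @param jwksUri            JWKS endpoint URI, passed to {@code getJsonKey}
 * @param jwks               inline JWKS document, passed to {@code getJsonKey}
 * @param signatureAlgorithm expected signature algorithm, or {@code null} to take it from the key
 * @param keyId              id of the key to look up
 * @return the fully populated public key, or {@code null} if the key is not found, its algorithm
 *         cannot be determined, or the entry cannot be parsed (the failure is logged)
 */
public static io.jans.as.model.crypto.PublicKey getPublicKey(String jwksUri, String jwks, SignatureAlgorithm signatureAlgorithm, String keyId) {
    JSONObject jsonKeyValue = getJsonKey(jwksUri, jwks, keyId);
    if (jsonKeyValue == null) {
        return null;
    }
    try {
        String resultKeyId = jsonKeyValue.getString(KEY_ID);
        if (signatureAlgorithm == null) {
            signatureAlgorithm = SignatureAlgorithm.fromString(jsonKeyValue.getString(ALGORITHM));
            if (signatureAlgorithm == null) {
                log.error(String.format("Failed to determine key '%s' signature algorithm", resultKeyId));
                return null;
            }
        }
        JSONObject jsonPublicKey = jsonKeyValue;
        if (jsonKeyValue.has(PUBLIC_KEY)) {
            // Use internal jwks.json format
            jsonPublicKey = jsonKeyValue.getJSONObject(PUBLIC_KEY);
        }
        io.jans.as.model.crypto.PublicKey publicKey = buildPublicKey(signatureAlgorithm, jsonPublicKey);
        if (jsonKeyValue.has(CERTIFICATE_CHAIN)) {
            JSONArray certChain = jsonKeyValue.getJSONArray(CERTIFICATE_CHAIN);
            // Only the first (leaf) certificate of the chain is attached to the key.
            X509Certificate cert = parseCertificate(certChain.getString(0));
            publicKey.setCertificate(new Certificate(signatureAlgorithm, cert));
        }
        publicKey.setKeyId(resultKeyId);
        publicKey.setSignatureAlgorithm(signatureAlgorithm);
        return publicKey;
    } catch (Exception ex) {
        // Fail closed: a key that could not be fully built (for example an unparsable certificate
        // chain) is not returned half-initialised without its key id, algorithm or certificate.
        log.error(ex.getMessage(), ex);
        return null;
    }
}

/**
 * Builds the algorithm-specific key object from the JWK's public-key members.
 *
 * @param signatureAlgorithm algorithm whose family selects the key type
 * @param jsonPublicKey      JSON object holding the public-key members (n/e, x/y or x)
 * @return the key model for the algorithm family
 * @throws InvalidParameterException if the family is not RSA, EC or ED
 */
private static io.jans.as.model.crypto.PublicKey buildPublicKey(SignatureAlgorithm signatureAlgorithm, JSONObject jsonPublicKey) throws InvalidParameterException {
    AlgorithmFamily algorithmFamily = signatureAlgorithm.getFamily();
    if (algorithmFamily == AlgorithmFamily.RSA) {
        String exp = jsonPublicKey.getString(EXPONENT);
        String mod = jsonPublicKey.getString(MODULUS);
        // Signum 1: the decoded bytes are an unsigned magnitude.
        BigInteger publicExponent = new BigInteger(1, Base64Util.base64urldecode(exp));
        BigInteger modulus = new BigInteger(1, Base64Util.base64urldecode(mod));
        return new RSAPublicKey(modulus, publicExponent);
    }
    if (algorithmFamily == AlgorithmFamily.EC) {
        String xx = jsonPublicKey.getString(X);
        String yy = jsonPublicKey.getString(Y);
        BigInteger x = new BigInteger(1, Base64Util.base64urldecode(xx));
        BigInteger y = new BigInteger(1, Base64Util.base64urldecode(yy));
        return new ECDSAPublicKey(signatureAlgorithm, x, y);
    }
    if (algorithmFamily == AlgorithmFamily.ED) {
        String xx = jsonPublicKey.getString(X);
        // NOTE(review): round-tripping the raw key bytes through BigInteger is not length-preserving
        // (leading zero bytes are dropped, a sign byte may be prepended); confirm EDDSAPublicKey tolerates this.
        BigInteger x = new BigInteger(1, Base64Util.base64urldecode(xx));
        return new EDDSAPublicKey(signatureAlgorithm, x.toByteArray());
    }
    throw new InvalidParameterException("Wrong value of the AlgorithmFamily: algorithmFamily = " + algorithmFamily);
}

/**
 * Parses one {@code x5c} entry (base64-encoded DER) into an {@link X509Certificate}.
 * <p>
 * The JDK certificate factory is used instead of BouncyCastle's {@code PEMParser}: current
 * BouncyCastle releases return an {@code X509CertificateHolder} for CERTIFICATE blocks, so the
 * former cast to the deprecated {@code X509CertificateObject} could fail at runtime, and the
 * factory needs no closeable parser.
 *
 * @param base64Der the certificate as base64 DER (PEM framing is added here)
 * @return the parsed certificate
 * @throws java.security.cert.CertificateException if the data is not a valid X.509 certificate
 */
private static X509Certificate parseCertificate(String base64Der) throws java.security.cert.CertificateException {
    final String pem = "-----BEGIN CERTIFICATE-----\n" + base64Der + "\n-----END CERTIFICATE-----";
    java.security.cert.CertificateFactory factory = java.security.cert.CertificateFactory.getInstance("X.509");
    // ByteArrayInputStream holds no native resource, so no close() is required.
    java.io.ByteArrayInputStream in = new java.io.ByteArrayInputStream(pem.getBytes(java.nio.charset.StandardCharsets.US_ASCII));
    return (X509Certificate) factory.generateCertificate(in);
}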

Example 4 with AlgorithmFamily

use of io.jans.as.model.crypto.signature.AlgorithmFamily in project jans by JanssenProject.

the class AuthCryptoProvider method generateKeySignature.

/**
 * Generates a key pair for a signature {@link Algorithm} and hands it to {@code getJson}
 * to be packed into the provider's JSON key representation.
 * <p>
 * If {@code algorithm} has no matching {@link SignatureAlgorithm}, the method does not fail:
 * it substitutes {@code ES384}. Callers should pass a recognised algorithm rather than rely on
 * this fallback.
 *
 * @param algorithm      requested signature algorithm
 * @param expirationTime expiration timestamp passed through to {@code getJson}
 * @param keyLength      RSA modulus size in bits; not used for EC/ED keys, whose curve comes from the algorithm
 * @return the generated key as a JSON object
 * @throws IllegalStateException if the algorithm family is none of RSA, EC or ED
 */
private JSONObject generateKeySignature(Algorithm algorithm, Long expirationTime, int keyLength) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, OperatorCreationException, CertificateException, KeyStoreException, IOException {
    SignatureAlgorithm sigAlg = SignatureAlgorithm.fromString(algorithm.getParamName());
    if (sigAlg == null) {
        // Unrecognised name: fall back to ES384 instead of failing.
        algorithm = Algorithm.ES384;
        sigAlg = SignatureAlgorithm.ES384;
    }
    final AlgorithmFamily family = algorithm.getFamily();
    final KeyPairGenerator generator;
    switch (family) {
        case RSA:
            generator = KeyPairGenerator.getInstance(family.toString(), "BC");
            generator.initialize(keyLength, new SecureRandom());
            break;
        case EC: {
            final ECGenParameterSpec curveSpec = new ECGenParameterSpec(sigAlg.getCurve().getAlias());
            generator = KeyPairGenerator.getInstance(family.toString(), "BC");
            generator.initialize(curveSpec, new SecureRandom());
            break;
        }
        case ED: {
            // EdDSA generators are registered under the algorithm name, not the family name.
            final EdDSAParameterSpec edSpec = new EdDSAParameterSpec(sigAlg.getCurve().getAlias());
            generator = KeyPairGenerator.getInstance(sigAlg.getName(), "BC");
            generator.initialize(edSpec, new SecureRandom());
            break;
        }
        default:
            throw new IllegalStateException("The provided signature algorithm parameter is not supported: algorithmFamily = " + family);
    }
    return getJson(algorithm, generator, sigAlg.getAlgorithm(), expirationTime);
}

Example 5 with AlgorithmFamily

use of io.jans.as.model.crypto.signature.AlgorithmFamily in project jans by JanssenProject.

the class JwtCrossCheckTest method createNimbusJwt.

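/**
 * Test helper: signs a fixed claims set with the Nimbus JOSE library, using the key stored under
 * {@code kid} in the provider's key store, so the token can be cross-checked against the
 * project's own JWT implementation.
 *
 * @param cryptoProvider     provider giving access to the key store and its secret
 * @param kid                alias of the signing key in the key store
 * @param signatureAlgorithm algorithm whose family selects the Nimbus signer
 * @return the serialized compact JWS
 * @throws IllegalArgumentException if the algorithm family is neither RSA nor EC (previously the
 *                                  signer stayed {@code null} and the failure surfaced later as an NPE)
 * @throws Exception               from key-store access or Nimbus signing
 */
private static String createNimbusJwt(AuthCryptoProvider cryptoProvider, String kid, SignatureAlgorithm signatureAlgorithm) throws Exception {
    final AlgorithmFamily family = signatureAlgorithm.getFamily();
    final char[] keyStoreSecret = cryptoProvider.getKeyStoreSecret().toCharArray();
    final JWSSigner signer;
    switch (family) {
        case RSA:
            signer = new RSASSASigner(RSAKey.load(cryptoProvider.getKeyStore(), kid, keyStoreSecret));
            break;
        case EC:
            signer = new com.nimbusds.jose.crypto.ECDSASigner(ECKey.load(cryptoProvider.getKeyStore(), kid, keyStoreSecret));
            break;
        default:
            throw new IllegalArgumentException("Unsupported signature algorithm family for Nimbus cross-check: " + family);
    }
    // Fixed fixture values keep the produced token reproducible between runs.
    JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().subject("1202.d50a4eeb-ab5d-474b-aaaf-e4aa47bc54a5").issuer("1202.d50a4eeb-ab5d-474b-aaaf-e4aa47bc54a5").expirationTime(new Date(1575559276888000L)).issueTime(new Date(1575559276888000L)).audience("https://gomer-vbox/jans-auth/restv1/token").build();
    SignedJWT signedJWT = new SignedJWT(new JWSHeader.Builder(signatureAlgorithm.getJwsAlgorithm()).keyID(kid).build(), claimsSet);
    signedJWT.sign(signer);
    return signedJWT.serialize();
}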
