
Example 11 with SignatureAlgorithm

use of io.jans.as.model.crypto.signature.SignatureAlgorithm in project jans by JanssenProject.

the class KeyGeneratorService method generateKeys.

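/**
 * Builds a JWKS holding one freshly generated key per requested signature
 * algorithm and per requested key-encryption algorithm.
 *
 * All keys share one expiration: now plus {@code expiration_hours}. An
 * algorithm whose name does not map to a known {@link SignatureAlgorithm}
 * (resp. {@link KeyEncryptionAlgorithm}) is skipped with a warning instead of
 * being minted into the key set — the JWKS should only advertise keys the
 * signing/encryption code can actually use. A failure while generating one key
 * is logged and does not abort the others, so the returned set may be partial.
 *
 * @param signatureAlgorithms  algorithms to generate signing keys for
 * @param encryptionAlgorithms algorithms to generate key-encryption keys for
 * @param expiration_hours     lifetime of every generated key, in hours
 * @return the generated key set (possibly with fewer keys than requested)
 */
private JSONWebKeySet generateKeys(List<Algorithm> signatureAlgorithms, List<Algorithm> encryptionAlgorithms, int expiration_hours) {
    LOG.trace("Generating jwks keys...");
    JSONWebKeySet jwks = new JSONWebKeySet();
    // Compute the shared expiration once rather than per key.
    Calendar calendar = new GregorianCalendar();
    calendar.add(Calendar.HOUR, expiration_hours);
    final long expiresAtMillis = calendar.getTimeInMillis();
    for (Algorithm algorithm : signatureAlgorithms) {
        try {
            // The lookup is the validation step: its result is not needed, only
            // whether the name is a recognised signature algorithm.
            if (SignatureAlgorithm.fromString(algorithm.name()) == null) {
                LOG.warn("Skipping unknown signature algorithm: " + algorithm.name());
                continue;
            }
            JSONObject result = this.cryptoProvider.generateKey(algorithm, expiresAtMillis);
            jwks.getKeys().add(JSONWebKey.fromJSONObject(result));
        } catch (Exception ex) {
            // Best effort per key: log and carry on with the remaining algorithms.
            LOG.error(ex.getMessage(), ex);
        }
    }
    for (Algorithm algorithm : encryptionAlgorithms) {
        try {
            if (KeyEncryptionAlgorithm.fromName(algorithm.getParamName()) == null) {
                LOG.warn("Skipping unknown key encryption algorithm: " + algorithm.getParamName());
                continue;
            }
            JSONObject result = this.cryptoProvider.generateKey(algorithm, expiresAtMillis);
            jwks.getKeys().add(JSONWebKey.fromJSONObject(result));
        } catch (Exception ex) {
            LOG.error(ex.getMessage(), ex);
        }
    }
    LOG.trace("jwks generated successfully.");
    return jwks;
}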

Example 12 with SignatureAlgorithm

use of io.jans.as.model.crypto.signature.SignatureAlgorithm in project jans by JanssenProject.

the class AuthorizationGrant method createAccessTokenAsJwt.

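/**
 * Builds and signs the JWT representation of {@code accessToken}.
 *
 * The signing algorithm is the server default, overridden by the client's
 * registered {@code access_token_signing_alg} when that value parses as a
 * {@link SignatureAlgorithm}. The standard claims (scope, client_id, username,
 * token_type, code, exp, iat, sub, x5t#S256, aud) are always set; when the
 * request carried a DPoP proof, {@code nbf} and a {@code cnf.jkt} confirmation
 * claim are added as well. If the client opts in, the introspection script runs
 * first and may inject further claims.
 *
 * @param accessToken the token whose attributes are reflected in the JWT
 * @param context     request context; only {@code getDpop()} is read here
 * @return the signed compact-serialised JWT
 * @throws Exception on any signing or client-secret decryption failure
 */
private String createAccessTokenAsJwt(AccessToken accessToken, ExecutionContext context) throws Exception {
    final User user = getUser();
    final Client client = getClient();
    SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(appConfiguration.getDefaultSignatureAlgorithm());
    // The client-registered algorithm wins when it is a recognised value. Parse it
    // once rather than three times.
    final String clientAlg = client.getAccessTokenSigningAlg();
    if (clientAlg != null) {
        final SignatureAlgorithm clientSignatureAlgorithm = SignatureAlgorithm.fromString(clientAlg);
        if (clientSignatureAlgorithm != null) {
            signatureAlgorithm = clientSignatureAlgorithm;
        }
    }
    // NOTE(review): fromString() is the only filter applied to the client-supplied
    // value here; if it accepts "none", this code relies on client registration
    // having rejected that for access_token_signing_alg — confirm.
    final JwtSigner jwtSigner = new JwtSigner(appConfiguration, webKeysConfiguration, signatureAlgorithm, client.getClientId(), clientService.decryptSecret(client.getClientSecret()));
    final Jwt jwt = jwtSigner.newJwt();
    jwt.getClaims().setClaim("scope", Lists.newArrayList(getScopes()));
    jwt.getClaims().setClaim("client_id", getClientId());
    jwt.getClaims().setClaim("username", user != null ? user.getAttribute("displayName") : null);
    jwt.getClaims().setClaim("token_type", accessToken.getTokenType().getName());
    // guarantee uniqueness : without it we can get race condition
    jwt.getClaims().setClaim("code", accessToken.getCode());
    jwt.getClaims().setExpirationTime(accessToken.getExpirationDate());
    jwt.getClaims().setIssuedAt(accessToken.getCreationDate());
    jwt.getClaims().setSubjectIdentifier(getSub());
    jwt.getClaims().setClaim("x5t#S256", accessToken.getX5ts256());
    // DPoP: bind the token to the proof key thumbprint (RFC 9449 "cnf"/"jkt").
    final String dpop = context.getDpop();
    if (StringUtils.isNotBlank(dpop)) {
        jwt.getClaims().setNotBefore(accessToken.getCreationDate());
        JSONObject cnf = new JSONObject();
        cnf.put("jkt", dpop);
        jwt.getClaims().setClaim("cnf", cnf);
    }
    Audience.setAudience(jwt.getClaims(), getClient());
    if (isTrue(client.getAttributes().getRunIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims())) {
        runIntrospectionScriptAndInjectValuesIntoJwt(jwt, context);
    }
    final String accessTokenCode = jwtSigner.sign().toString();
    // Log the claims only: the signed token is a bearer credential and must not
    // be written to log files, even at trace level.
    if (log.isTraceEnabled()) {
        log.trace("Created access token JWT with claims: {}", jwt.getClaims().toJsonString());
    }
    return accessTokenCode;
}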

Example 13 with SignatureAlgorithm

use of io.jans.as.model.crypto.signature.SignatureAlgorithm in project jans by JanssenProject.

the class EDDSASigner method validateSignature.

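/**
 * Verifies an EdDSA signature over {@code signingInput}.
 *
 * Both the key factory and the verifier are taken from the BC provider so the
 * key object and the signature engine always come from the same provider.
 *
 * @param signingInput the JWS signing input the signature was computed over
 * @param signature    base64url-encoded signature to check
 * @return {@code true} if the signature verifies under the configured public key
 * @throws SignatureException if the signer is misconfigured (no algorithm,
 *         non-Ed family, no public key), an argument is null, or the provider
 *         rejects the key, algorithm or encoded signature
 */
@Override
public boolean validateSignature(String signingInput, String signature) throws SignatureException {
    SignatureAlgorithm signatureAlgorithm = getSignatureAlgorithm();
    if (signatureAlgorithm == null) {
        throw new SignatureException("The signature algorithm is null");
    }
    if (!signatureAlgorithm.getFamily().equals(AlgorithmFamily.ED)) {
        throw new SignatureException(String.format("Wrong value of the signature algorithm: %s", signatureAlgorithm.getFamily().toString()));
    }
    if (eddsaPublicKey == null) {
        throw new SignatureException("The EDDSA public key is null");
    }
    if (signingInput == null) {
        throw new SignatureException("The signing input is null");
    }
    // Fail closed with a SignatureException instead of an NPE from the decoder.
    if (signature == null) {
        throw new SignatureException("The signature is null");
    }
    try {
        X509EncodedKeySpec publicKeySpec = eddsaPublicKey.getPublicKeySpec();
        java.security.KeyFactory keyFactory = java.security.KeyFactory.getInstance(signatureAlgorithm.getName(), "BC");
        java.security.PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
        Signature verifier = Signature.getInstance(signatureAlgorithm.getName(), "BC");
        verifier.initVerify(publicKey);
        // Explicit charset: the signing side must hash exactly these bytes, and the
        // platform default charset is not guaranteed to be UTF-8.
        verifier.update(signingInput.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        return verifier.verify(Base64Util.base64urldecode(signature));
    } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException | InvalidKeyException | IllegalArgumentException e) {
        throw new SignatureException(e);
    }
}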

Example 14 with SignatureAlgorithm

use of io.jans.as.model.crypto.signature.SignatureAlgorithm in project jans by JanssenProject.

the class EDDSASigner method generateSignature.

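/**
 * Produces an EdDSA signature over {@code signingInput}, returned base64url
 * encoded (no padding) as required for a JWS signature part.
 *
 * Both the key factory and the signing engine are taken from the BC provider
 * so the key object and the signature engine always come from the same provider.
 *
 * @param signingInput the JWS signing input to sign
 * @return the base64url-encoded signature
 * @throws SignatureException if the signer is misconfigured (no algorithm,
 *         non-Ed family, no private key), the input is null, or the provider
 *         rejects the key or algorithm
 */
@Override
public String generateSignature(String signingInput) throws SignatureException {
    SignatureAlgorithm signatureAlgorithm = getSignatureAlgorithm();
    if (signatureAlgorithm == null) {
        throw new SignatureException("The signature algorithm is null");
    }
    if (!signatureAlgorithm.getFamily().equals(AlgorithmFamily.ED)) {
        throw new SignatureException(String.format("Wrong value of the signature algorithm: %s", signatureAlgorithm.getFamily().toString()));
    }
    if (eddsaPrivateKey == null) {
        throw new SignatureException("The EDDSA private key is null");
    }
    if (signingInput == null) {
        throw new SignatureException("The signing input is null");
    }
    try {
        PKCS8EncodedKeySpec privateKeySpec = eddsaPrivateKey.getPrivateKeySpec();
        java.security.KeyFactory keyFactory = java.security.KeyFactory.getInstance(signatureAlgorithm.getName(), "BC");
        java.security.PrivateKey privateKey = keyFactory.generatePrivate(privateKeySpec);
        Signature signer = Signature.getInstance(signatureAlgorithm.getName(), "BC");
        signer.initSign(privateKey);
        // Explicit charset: the verifier must hash exactly these bytes, and the
        // platform default charset is not guaranteed to be UTF-8.
        signer.update(signingInput.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        return Base64Util.base64urlencode(signer.sign());
    } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException | InvalidKeyException | IllegalArgumentException e) {
        throw new SignatureException(e);
    }
}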

Example 15 with SignatureAlgorithm

use of io.jans.as.model.crypto.signature.SignatureAlgorithm in project jans by JanssenProject.

the class ECDSASigner method validateSignature.

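/**
 * Verifies an ECDSA signature over {@code signingInput}.
 *
 * The JWS form carries the raw {@code R||S} concatenation, so the signature is
 * transcoded to DER before being handed to the JCA verifier. The public key is
 * rebuilt from the configured (x, y) point on the algorithm's named curve.
 *
 * @param signingInput the JWS signing input the signature was computed over
 * @param signature    base64url-encoded {@code R||S} signature to check
 * @return {@code true} if the signature verifies under the configured public key
 * @throws SignatureException if the signer is misconfigured (no algorithm,
 *         non-EC family, no public key), an argument is null, or decoding,
 *         point construction or the provider fails
 */
@Override
public boolean validateSignature(String signingInput, String signature) throws SignatureException {
    final SignatureAlgorithm signatureAlgorithm = getSignatureAlgorithm();
    if (signatureAlgorithm == null) {
        throw new SignatureException("The signature algorithm is null");
    }
    // Fail closed, like the EdDSA signer: this verifier only handles the EC family.
    if (!AlgorithmFamily.EC.equals(signatureAlgorithm.getFamily())) {
        throw new SignatureException(String.format("Wrong value of the signature algorithm: %s", signatureAlgorithm.getFamily()));
    }
    if (ecdsaPublicKey == null) {
        throw new SignatureException("The ECDSA public key is null");
    }
    if (signingInput == null) {
        throw new SignatureException("The signing input is null");
    }
    // Fail closed with a SignatureException instead of an NPE from the decoder.
    if (signature == null) {
        throw new SignatureException("The signature is null");
    }
    try {
        // JWS carries R||S; the JCA verifier expects a DER-encoded sequence.
        final byte[] derSignature = ECDSA.transcodeSignatureToDER(Base64Util.base64urldecode(signature));
        final byte[] signedBytes = signingInput.getBytes(StandardCharsets.UTF_8);
        final ECParameterSpec curveSpec = ECNamedCurveTable.getParameterSpec(signatureAlgorithm.getCurve().getAlias());
        final ECPoint publicPoint = curveSpec.getCurve().createPoint(ecdsaPublicKey.getX(), ecdsaPublicKey.getY());
        final KeyFactory keyFactory = KeyFactory.getInstance("ECDSA", "BC");
        final PublicKey publicKey = keyFactory.generatePublic(new ECPublicKeySpec(publicPoint, curveSpec));
        final Signature verifier = Signature.getInstance(signatureAlgorithm.getAlgorithm(), "BC");
        verifier.initVerify(publicKey);
        verifier.update(signedBytes);
        return verifier.verify(derSignature);
    } catch (Exception e) {
        // Broad catch kept deliberately: transcoding, point construction and the
        // provider calls each have their own exception types, and every one of
        // them means "cannot verify". The cause is preserved for diagnostics.
        throw new SignatureException(e);
    }
}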
