
Example 21 with JSONWebKey

use of io.jans.as.model.jwk.JSONWebKey in project jans by JanssenProject.

the class DpopTokenRequestHttpTest method testDPoP_RS384.

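/**
 * End-to-end DPoP (RFC 9449) token-request flow with an RS384-signed proof.
 * <p>
 * Registers a client, obtains an authorization code, exchanges it for an access token bound to the
 * proof key, checks the JWK thumbprint through the confirmation-method and introspection helpers,
 * and finally refreshes with a second proof that carries the {@code ath} hash of the access token
 * the refresh token was issued alongside.
 *
 * @param userId              test user to authenticate
 * @param userSecret          that user's password
 * @param redirectUris        redirect URIs registered for the client
 * @param redirectUri         redirect URI used in this authorization request
 * @param sectorIdentifierUri sector identifier registered for the client
 * @param clientJwksUri       JWKS URI registered for the client
 * @param keyId               keystore alias of the RSA key pair (bound to the {@code RS384_keyId} suite parameter)
 * @param dnName              distinguished name handed to {@link AuthCryptoProvider}
 * @param keyStoreFile        keystore holding the proof key pair
 * @param keyStoreSecret      keystore password
 * @throws Exception if any request of the flow fails
 */
@Parameters({ "userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri", "clientJwksUri", "RS384_keyId", "dnName", "keyStoreFile", "keyStoreSecret" })
@Test
public void testDPoP_RS384(final String userId, final String userSecret, final String redirectUris, final String redirectUri, final String sectorIdentifierUri, final String clientJwksUri, final String keyId, final String dnName, final String keyStoreFile, final String keyStoreSecret) throws Exception {
    showTitle("testDPoP_RS384");
    List<ResponseType> responseTypes = Collections.singletonList(ResponseType.CODE);
    // 1. Dynamic Registration
    String clientId = dynamicRegistration(redirectUris, sectorIdentifierUri, clientJwksUri, responseTypes);
    // 2. Request authorization
    String authorizationCode = requestAuthorizationCode(userId, userSecret, redirectUri, responseTypes, clientId);
    AuthCryptoProvider cryptoProvider = new AuthCryptoProvider(keyStoreFile, keyStoreSecret, dnName);
    // Cast to the standard JCA interface, not sun.security.rsa.RSAPublicKeyImpl: the internal class
    // is not exported from java.base on modern JDKs, and the provider is free to hand back another
    // implementation (e.g. a BouncyCastle key), which would make the Impl cast throw.
    // Fully qualified because the project also defines io.jans.as.model.crypto.signature.RSAPublicKey.
    java.security.interfaces.RSAPublicKey publicKey = (java.security.interfaces.RSAPublicKey) cryptoProvider.getPublicKey(keyId);
    // Public members only (kty, n, e): this is what the thumbprint is computed over and what goes
    // into the proof header. Signing is delegated to cryptoProvider by keyId, so no private material
    // is handled here.
    JSONWebKey jsonWebKey = new JSONWebKey();
    jsonWebKey.setKty(KeyType.RSA);
    jsonWebKey.setN(Base64Util.base64urlencodeUnsignedBigInt(publicKey.getModulus()));
    jsonWebKey.setE(Base64Util.base64urlencodeUnsignedBigInt(publicKey.getPublicExponent()));
    String jwkThumbprint = jsonWebKey.getJwkThumbprint();
    // Each proof gets its own jti; the server is expected to reject a replayed one.
    String jti1 = DPoP.generateJti();
    DPoP dpop1 = new DPoP(AsymmetricSignatureAlgorithm.RS384, jsonWebKey, jti1, HttpMethod.POST, tokenEndpoint, keyId, cryptoProvider);
    // 3. Request access token using the authorization code.
    TokenResponse tokenResponse = requestAccessToken(redirectUri, authorizationCode, dpop1);
    String accessToken = tokenResponse.getAccessToken();
    String refreshToken = tokenResponse.getRefreshToken();
    // 4. JWK Thumbprint Confirmation Method
    thumbprintConfirmationMethod(jwkThumbprint, accessToken);
    // 5. JWK Thumbprint Confirmation Method in Token Introspection
    tokenIntrospection(jwkThumbprint, accessToken);
    // 6. Request new access token using the refresh token.
    // The second proof carries ath = base64url(SHA-256(access token)), tying it to the token above.
    String accessTokenHash = Base64Util.base64urlencode(JwtUtil.getMessageDigestSHA256(accessToken));
    String jti2 = DPoP.generateJti();
    DPoP dpop2 = new DPoP(AsymmetricSignatureAlgorithm.RS384, jsonWebKey, jti2, HttpMethod.POST, tokenEndpoint, keyId, cryptoProvider);
    dpop2.setAth(accessTokenHash);
    requestAccessTokenWithRefreshToken(refreshToken, dpop2);
}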
Also used : RSAPublicKeyImpl(sun.security.rsa.RSAPublicKeyImpl) JSONWebKey(io.jans.as.model.jwk.JSONWebKey) TokenResponse(io.jans.as.client.TokenResponse) DPoP(io.jans.as.model.jwt.DPoP) AuthCryptoProvider(io.jans.as.model.crypto.AuthCryptoProvider) ResponseType(io.jans.as.model.common.ResponseType) Parameters(org.testng.annotations.Parameters) Test(org.testng.annotations.Test) BaseTest(io.jans.as.client.BaseTest)

Example 22 with JSONWebKey

use of io.jans.as.model.jwk.JSONWebKey in project jans by JanssenProject.

the class DpopTokenRequestHttpTest method testDPoP_ES512.

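/**
 * End-to-end DPoP (RFC 9449) token-request flow with an ES512-signed proof over P-521.
 * <p>
 * Registers a client, obtains an authorization code, exchanges it for an access token bound to the
 * proof key, checks the JWK thumbprint through the confirmation-method and introspection helpers,
 * and finally refreshes with a second proof that carries the {@code ath} hash of the access token
 * the refresh token was issued alongside.
 *
 * @param userId              test user to authenticate
 * @param userSecret          that user's password
 * @param redirectUris        redirect URIs registered for the client
 * @param redirectUri         redirect URI used in this authorization request
 * @param sectorIdentifierUri sector identifier registered for the client
 * @param clientJwksUri       JWKS URI registered for the client
 * @param keyId               keystore alias of the EC key pair (bound to the {@code ES512_keyId} suite parameter)
 * @param dnName              distinguished name handed to {@link AuthCryptoProvider}
 * @param keyStoreFile        keystore holding the proof key pair
 * @param keyStoreSecret      keystore password
 * @throws Exception if any request of the flow fails
 */
@Parameters({ "userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri", "clientJwksUri", "ES512_keyId", "dnName", "keyStoreFile", "keyStoreSecret" })
@Test
public void testDPoP_ES512(final String userId, final String userSecret, final String redirectUris, final String redirectUri, final String sectorIdentifierUri, final String clientJwksUri, final String keyId, final String dnName, final String keyStoreFile, final String keyStoreSecret) throws Exception {
    showTitle("testDPoP_ES512");
    List<ResponseType> responseTypes = Collections.singletonList(ResponseType.CODE);
    // 1. Dynamic Registration
    String clientId = dynamicRegistration(redirectUris, sectorIdentifierUri, clientJwksUri, responseTypes);
    // 2. Request authorization
    String authorizationCode = requestAuthorizationCode(userId, userSecret, redirectUri, responseTypes, clientId);
    AuthCryptoProvider cryptoProvider = new AuthCryptoProvider(keyStoreFile, keyStoreSecret, dnName);
    // Cast to the standard JCA interface, not sun.security.ec.ECPublicKeyImpl: the internal class
    // is not exported from java.base on modern JDKs, and the provider is free to hand back another
    // implementation (e.g. a BouncyCastle key), which would make the Impl cast throw.
    java.security.interfaces.ECPublicKey publicKey = (java.security.interfaces.ECPublicKey) cryptoProvider.getPublicKey(keyId);
    // Public members only (kty, crv, x, y): this is what the thumbprint is computed over and what
    // goes into the proof header. Signing is delegated to cryptoProvider by keyId.
    JSONWebKey jsonWebKey = new JSONWebKey();
    jsonWebKey.setKty(KeyType.EC);
    // NOTE(review): RFC 7518 §6.2.1.2 requires EC "x"/"y" to be zero-padded to the full coordinate
    // length (66 octets for P-521). Confirm base64urlencodeUnsignedBigInt preserves leading zeros;
    // if it strips them, the thumbprint computed here can differ from the server's for some keys.
    jsonWebKey.setX(Base64Util.base64urlencodeUnsignedBigInt(publicKey.getW().getAffineX()));
    jsonWebKey.setY(Base64Util.base64urlencodeUnsignedBigInt(publicKey.getW().getAffineY()));
    jsonWebKey.setCrv(EllipticEdvardsCurve.P_521);
    String jwkThumbprint = jsonWebKey.getJwkThumbprint();
    // Each proof gets its own jti; the server is expected to reject a replayed one.
    String jti1 = DPoP.generateJti();
    DPoP dpop1 = new DPoP(AsymmetricSignatureAlgorithm.ES512, jsonWebKey, jti1, HttpMethod.POST, tokenEndpoint, keyId, cryptoProvider);
    // 3. Request access token using the authorization code.
    TokenResponse tokenResponse = requestAccessToken(redirectUri, authorizationCode, dpop1);
    String accessToken = tokenResponse.getAccessToken();
    String refreshToken = tokenResponse.getRefreshToken();
    // 4. JWK Thumbprint Confirmation Method
    thumbprintConfirmationMethod(jwkThumbprint, accessToken);
    // 5. JWK Thumbprint Confirmation Method in Token Introspection
    tokenIntrospection(jwkThumbprint, accessToken);
    // 6. Request new access token using the refresh token.
    // The second proof carries ath = base64url(SHA-256(access token)), tying it to the token above.
    String accessTokenHash = Base64Util.base64urlencode(JwtUtil.getMessageDigestSHA256(accessToken));
    String jti2 = DPoP.generateJti();
    DPoP dpop2 = new DPoP(AsymmetricSignatureAlgorithm.ES512, jsonWebKey, jti2, HttpMethod.POST, tokenEndpoint, keyId, cryptoProvider);
    dpop2.setAth(accessTokenHash);
    requestAccessTokenWithRefreshToken(refreshToken, dpop2);
}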
Also used : ECPublicKeyImpl(sun.security.ec.ECPublicKeyImpl) JSONWebKey(io.jans.as.model.jwk.JSONWebKey) TokenResponse(io.jans.as.client.TokenResponse) DPoP(io.jans.as.model.jwt.DPoP) AuthCryptoProvider(io.jans.as.model.crypto.AuthCryptoProvider) ResponseType(io.jans.as.model.common.ResponseType) Parameters(org.testng.annotations.Parameters) Test(org.testng.annotations.Test) BaseTest(io.jans.as.client.BaseTest)

Example 23 with JSONWebKey

use of io.jans.as.model.jwk.JSONWebKey in project jans by JanssenProject.

the class DpopTokenRequestHttpTest method testDPoP_RS256.

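/**
 * End-to-end DPoP (RFC 9449) token-request flow with an RS256-signed proof.
 * <p>
 * Registers a client, obtains an authorization code, exchanges it for an access token bound to the
 * proof key, checks the JWK thumbprint through the confirmation-method and introspection helpers,
 * and finally refreshes with a second proof that carries the {@code ath} hash of the access token
 * the refresh token was issued alongside.
 *
 * @param userId              test user to authenticate
 * @param userSecret          that user's password
 * @param redirectUris        redirect URIs registered for the client
 * @param redirectUri         redirect URI used in this authorization request
 * @param sectorIdentifierUri sector identifier registered for the client
 * @param clientJwksUri       JWKS URI registered for the client
 * @param keyId               keystore alias of the RSA key pair (bound to the {@code RS256_keyId} suite parameter)
 * @param dnName              distinguished name handed to {@link AuthCryptoProvider}
 * @param keyStoreFile        keystore holding the proof key pair
 * @param keyStoreSecret      keystore password
 * @throws Exception if any request of the flow fails
 */
@Parameters({ "userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri", "clientJwksUri", "RS256_keyId", "dnName", "keyStoreFile", "keyStoreSecret" })
@Test
public void testDPoP_RS256(final String userId, final String userSecret, final String redirectUris, final String redirectUri, final String sectorIdentifierUri, final String clientJwksUri, final String keyId, final String dnName, final String keyStoreFile, final String keyStoreSecret) throws Exception {
    showTitle("testDPoP_RS256");
    List<ResponseType> responseTypes = Collections.singletonList(ResponseType.CODE);
    // 1. Dynamic Registration
    String clientId = dynamicRegistration(redirectUris, sectorIdentifierUri, clientJwksUri, responseTypes);
    // 2. Request authorization
    String authorizationCode = requestAuthorizationCode(userId, userSecret, redirectUri, responseTypes, clientId);
    AuthCryptoProvider cryptoProvider = new AuthCryptoProvider(keyStoreFile, keyStoreSecret, dnName);
    // Cast to the standard JCA interface, not sun.security.rsa.RSAPublicKeyImpl: the internal class
    // is not exported from java.base on modern JDKs, and the provider is free to hand back another
    // implementation (e.g. a BouncyCastle key), which would make the Impl cast throw.
    // Fully qualified because the project also defines io.jans.as.model.crypto.signature.RSAPublicKey.
    java.security.interfaces.RSAPublicKey publicKey = (java.security.interfaces.RSAPublicKey) cryptoProvider.getPublicKey(keyId);
    // Public members only (kty, n, e): this is what the thumbprint is computed over and what goes
    // into the proof header. Signing is delegated to cryptoProvider by keyId, so no private material
    // is handled here.
    JSONWebKey jsonWebKey = new JSONWebKey();
    jsonWebKey.setKty(KeyType.RSA);
    jsonWebKey.setN(Base64Util.base64urlencodeUnsignedBigInt(publicKey.getModulus()));
    jsonWebKey.setE(Base64Util.base64urlencodeUnsignedBigInt(publicKey.getPublicExponent()));
    String jwkThumbprint = jsonWebKey.getJwkThumbprint();
    // Each proof gets its own jti; the server is expected to reject a replayed one.
    String jti1 = DPoP.generateJti();
    DPoP dpop1 = new DPoP(AsymmetricSignatureAlgorithm.RS256, jsonWebKey, jti1, HttpMethod.POST, tokenEndpoint, keyId, cryptoProvider);
    // 3. Request access token using the authorization code.
    TokenResponse tokenResponse = requestAccessToken(redirectUri, authorizationCode, dpop1);
    String accessToken = tokenResponse.getAccessToken();
    String refreshToken = tokenResponse.getRefreshToken();
    // 4. JWK Thumbprint Confirmation Method
    thumbprintConfirmationMethod(jwkThumbprint, accessToken);
    // 5. JWK Thumbprint Confirmation Method in Token Introspection
    tokenIntrospection(jwkThumbprint, accessToken);
    // 6. Request new access token using the refresh token.
    // The second proof carries ath = base64url(SHA-256(access token)), tying it to the token above.
    String accessTokenHash = Base64Util.base64urlencode(JwtUtil.getMessageDigestSHA256(accessToken));
    String jti2 = DPoP.generateJti();
    DPoP dpop2 = new DPoP(AsymmetricSignatureAlgorithm.RS256, jsonWebKey, jti2, HttpMethod.POST, tokenEndpoint, keyId, cryptoProvider);
    dpop2.setAth(accessTokenHash);
    requestAccessTokenWithRefreshToken(refreshToken, dpop2);
}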
Also used : RSAPublicKeyImpl(sun.security.rsa.RSAPublicKeyImpl) JSONWebKey(io.jans.as.model.jwk.JSONWebKey) TokenResponse(io.jans.as.client.TokenResponse) DPoP(io.jans.as.model.jwt.DPoP) AuthCryptoProvider(io.jans.as.model.crypto.AuthCryptoProvider) ResponseType(io.jans.as.model.common.ResponseType) Parameters(org.testng.annotations.Parameters) Test(org.testng.annotations.Test) BaseTest(io.jans.as.client.BaseTest)

Example 24 with JSONWebKey

use of io.jans.as.model.jwk.JSONWebKey in project jans by JanssenProject.

the class AuthCryptoProvider method getKeyId.

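/**
 * Chooses the {@code kid} of the keystore key to use for {@code algorithm} (and {@code use}).
 * <p>
 * A JWKS entry is a candidate when its {@code alg} equals {@code algorithm}, its {@code use}
 * equals {@code use} (unless {@code use} is {@code null}) and its {@code kid} resolves to an entry
 * in the backing keystore, so only keys this provider can actually load are eligible. The pick
 * among the candidates is delegated to {@code keySelectionStrategy}.
 *
 * @param jsonWebKeySet the published key set to select from
 * @param algorithm     algorithm the key must be advertised for; {@code null} or any HMAC-family
 *                      algorithm short-circuits to {@code null}
 * @param use           required key use, or {@code null} to accept any use
 * @return the selected {@code kid}, or {@code null} if the strategy selects nothing; when no
 *         candidate is present in the keystore, the {@code kid} of the last entry that matched by
 *         alg/use (or {@code null} if none matched) is returned as a fallback
 * @throws CryptoProviderException if the keystore cannot be queried
 */
@Override
public String getKeyId(JSONWebKeySet jsonWebKeySet, Algorithm algorithm, Use use) throws CryptoProviderException {
    // HMAC-family algorithms are not resolved through the keystore: no kid is chosen for them.
    if (algorithm == null || AlgorithmFamily.HMAC.equals(algorithm.getFamily())) {
        return null;
    }
    try {
        final List<JSONWebKey> keys = jsonWebKeySet.getKeys();
        if (LOG.isTraceEnabled()) {
            // Guarded so the kid list and the keystore alias enumeration are only built when logged.
            LOG.trace("WebKeys:" + keys.stream().map(JSONWebKey::getKid).collect(Collectors.toList()));
            LOG.trace("KeyStoreKeys:" + getKeys());
        }
        String kid = null;
        final List<JSONWebKey> keysByAlgAndUse = new ArrayList<>();
        for (JSONWebKey key : keys) {
            if (algorithm != key.getAlg() || (use != null && use != key.getUse())) {
                continue;
            }
            kid = key.getKid();
            // Only entries the keystore can actually load are eligible for selection.
            final Key keyFromStore = keyStore.getKey(kid, keyStoreSecret.toCharArray());
            if (keyFromStore != null) {
                keysByAlgAndUse.add(key);
            }
        }
        if (keysByAlgAndUse.isEmpty()) {
            // NOTE(review): this hands back a kid the keystore does NOT hold (or null), so a signing
            // attempt with it fails later rather than here. Kept as-is to preserve caller behaviour.
            LOG.trace("kid is not in keystore, algorithm: " + algorithm + ", kid: " + kid + ", keyStorePath:" + keyStoreFile);
            return kid;
        }
        final JSONWebKey selectedKey = keySelectionStrategy.select(keysByAlgAndUse);
        final String selectedKid = selectedKey != null ? selectedKey.getKid() : null;
        LOG.trace("Selected kid: " + selectedKid + ", keySelection Strategy: " + keySelectionStrategy);
        return selectedKid;
    } catch (UnrecoverableKeyException | KeyStoreException | NoSuchAlgorithmException e) {
        // Wrap rather than leak JCA exception types through the provider interface; cause is kept.
        throw new CryptoProviderException(e);
    }
}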
Also used : JSONWebKey(io.jans.as.model.jwk.JSONWebKey) UnrecoverableKeyException(java.security.UnrecoverableKeyException) ArrayList(java.util.ArrayList) KeyStoreException(java.security.KeyStoreException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) RSAPublicKey(java.security.interfaces.RSAPublicKey) JSONWebKey(io.jans.as.model.jwk.JSONWebKey) Key(java.security.Key) PrivateKey(java.security.PrivateKey) SecretKey(javax.crypto.SecretKey) ECPublicKey(java.security.interfaces.ECPublicKey) PublicKey(java.security.PublicKey) EdDSAPublicKey(org.bouncycastle.jcajce.interfaces.EdDSAPublicKey) CryptoProviderException(io.jans.as.model.exception.CryptoProviderException)

Example 25 with JSONWebKey

use of io.jans.as.model.jwk.JSONWebKey in project jans by JanssenProject.

the class ConfigurationFactory method generateWebKeys.

/**
 * Recovery path taken when the persisted JWKS could not be loaded: generates a fresh key set with
 * the configured crypto provider, installs it as {@code jwks} and writes it back to persistence
 * with the configuration revision advanced by one. Any failure is logged and otherwise swallowed
 * so that the caller's configuration loading is not aborted.
 */
private void generateWebKeys() {
    log.info("Failed to load JWKS. Attempting to generate new JWKS...");
    try {
        final AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(getAppConfiguration());
        // Build the new key set, then round-trip it through JSON into the configuration model.
        final JSONObject generated = AbstractCryptoProvider.generateJwks(cryptoProvider, getAppConfiguration());
        final String serializedJwks = generated.toString();
        jwks = ServerUtil.createJsonMapper().readValue(serializedJwks, io.jans.as.model.config.WebKeysConfiguration.class);
        // Attach the new keys to the stored configuration and bump its revision before merging back.
        final Conf configuration = Objects.requireNonNull(loadConfigurationFromPersistence());
        configuration.setWebKeys(jwks);
        configuration.setRevision(configuration.getRevision() + 1);
        final PersistenceEntryManager entryManager = persistenceEntryManagerInstance.get();
        entryManager.merge(configuration);
        log.info("Generated new JWKS successfully.");
        if (log.isTraceEnabled()) {
            // Only kids are traced (and whatever cryptoProvider.getKeys() lists, presumably aliases);
            // no key material is written to the log.
            log.trace("JWKS keys: {}", configuration.getWebKeys().getKeys().stream().map(JSONWebKey::getKid).collect(Collectors.toList()));
            log.trace("KeyStore keys: {}", cryptoProvider.getKeys());
        }
    } catch (Exception ex2) {
        // Best-effort: report with the cause attached and let the caller continue.
        log.error("Failed to re-generate JWKS keys", ex2);
    }
}
Also used : PersistenceEntryManager(io.jans.orm.PersistenceEntryManager) JSONWebKey(io.jans.as.model.jwk.JSONWebKey) JSONObject(org.json.JSONObject) WebKeysConfiguration(io.jans.as.model.config.WebKeysConfiguration) Conf(io.jans.as.model.config.Conf) AbstractCryptoProvider(io.jans.as.model.crypto.AbstractCryptoProvider) ConfigurationException(io.jans.exception.ConfigurationException) BasePersistenceException(io.jans.orm.exception.BasePersistenceException)
