
Example 1 with AbstractJwsSigner

use of io.jans.as.model.jws.AbstractJwsSigner in project jans by JanssenProject.

the class JwtUtil method validateSignature.

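/**
 * Verifies the signature of {@code jwt} against a key taken from {@code jsonWebKeySet}.
 *
 * <p>The key is looked up by the {@code kid} header claim together with the header's signature
 * algorithm. Only the RSA and EC families can be verified here, so a token whose {@code alg} is
 * anything else (including {@code none} and the HMAC family) is rejected. Every failure path
 * returns {@code false}; nothing is thrown to the caller.
 *
 * @param jwt           parsed token whose header supplies {@code kid} and {@code alg}
 * @param jsonWebKeySet key set the public key is resolved from
 * @return {@code true} only when a matching public key was found and the signature verifies
 */
public boolean validateSignature(Jwt jwt, JSONWebKeySet jsonWebKeySet) {
    // NOTE(review): this prints the whole token at trace level; trace must stay off wherever logs are retained.
    log.trace("\n\n JwtUtil::validateSignature() - jwt = " + jwt + " , jsonWebKeySet =" + jsonWebKeySet + "\n");
    try {
        final String kid = jwt.getHeader().getClaimAsString(JwtHeaderName.KEY_ID);
        final String algorithm = jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM);
        final SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getSignatureAlgorithm();
        log.trace("\n\n JwtUtil::validateSignature() - kid = " + kid + " , algorithm =" + algorithm + " signatureAlgorithm = " + signatureAlgorithm + "\n");
        // An absent or unknown alg used to surface only as a NullPointerException in the generic
        // catch below; reject it explicitly so the log states the actual reason.
        if (signatureAlgorithm == null) {
            log.error("ID Token header has no supported signature algorithm, alg = " + algorithm);
            return false;
        }
        PublicKey publicKey = getPublicKey(kid, jsonWebKeySet, signatureAlgorithm);
        log.trace("\n\n JwtUtil::validateSignature() - publicKey = " + publicKey + "\n");
        if (publicKey == null) {
            // The lookup serves EC keys as well, so the message no longer claims RSA.
            log.error("Failed to get public key for kid = " + kid);
            return false;
        }
        // Validate: the signer family comes from the header alg and the resolved key must be of the
        // matching type (a mismatch previously surfaced as a ClassCastException in the catch below).
        final AlgorithmFamily family = signatureAlgorithm.getFamily();
        AbstractJwsSigner signer = null;
        if (AlgorithmFamily.RSA.equals(family) && publicKey instanceof RSAPublicKey) {
            signer = new RSASigner(SignatureAlgorithm.fromString(algorithm), (RSAPublicKey) publicKey);
        } else if (AlgorithmFamily.EC.equals(family) && publicKey instanceof ECDSAPublicKey) {
            signer = new ECDSASigner(SignatureAlgorithm.fromString(algorithm), (ECDSAPublicKey) publicKey);
        }
        if (signer == null) {
            log.error("ID Token signer is not found! family = " + family + ", key type = " + publicKey.getClass().getName());
            return false;
        }
        boolean signature = signer.validate(jwt);
        if (signature) {
            log.debug("ID Token is successfully validated.");
            return true;
        }
        log.error("ID Token signature invalid.");
        return false;
    } catch (Exception e) {
        log.error("Failed to validate id_token. Message: " + e.getMessage(), e);
        return false;
    }
}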

Example 2 with AbstractJwsSigner

use of io.jans.as.model.jws.AbstractJwsSigner in project jans by JanssenProject.

the class JwtCrossCheckTest method validate.

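/**
 * Cross-checks one signed JWT with three independent verifiers: Nimbus, the {@link AuthCryptoProvider}
 * and the project's own {@link AbstractJwsSigner}, all built from the key stored under {@code kid}.
 *
 * @param jwtAsString        compact-serialised JWT under test
 * @param cryptoProvider     provider whose key store holds the signing key pair
 * @param kid                key-store alias / key id of the signing key
 * @param signatureAlgorithm algorithm the token is expected to be signed with
 * @throws Exception parsing, key loading or verification failures; an algorithm family other than
 *                   RSA or EC is reported as an {@link IllegalArgumentException}
 */
private static void validate(String jwtAsString, AuthCryptoProvider cryptoProvider, String kid, SignatureAlgorithm signatureAlgorithm) throws Exception {
    SignedJWT signedJWT = SignedJWT.parse(jwtAsString);
    Jwt jwt = Jwt.parse(jwtAsString);
    // The verifiers below are keyed off the algorithm; pin the header alg to the expected one so the
    // test cannot pass on a token that merely declares a different algorithm than the one under test.
    assertTrue(signatureAlgorithm == jwt.getHeader().getSignatureAlgorithm());
    JWSVerifier nimbusVerifier;
    AbstractJwsSigner oxauthVerifier;
    switch (signatureAlgorithm.getFamily()) {
        case EC:
            final ECKey ecKey = ECKey.load(cryptoProvider.getKeyStore(), kid, cryptoProvider.getKeyStoreSecret().toCharArray());
            final ECPublicKey ecPublicKey = ecKey.toECPublicKey();
            nimbusVerifier = new ECDSAVerifier(ecKey);
            oxauthVerifier = new ECDSASigner(signatureAlgorithm, new ECDSAPublicKey(signatureAlgorithm, ecPublicKey.getW().getAffineX(), ecPublicKey.getW().getAffineY()));
            break;
        case RSA:
            RSAKey rsaKey = RSAKey.load(cryptoProvider.getKeyStore(), kid, cryptoProvider.getKeyStoreSecret().toCharArray());
            final java.security.interfaces.RSAPublicKey rsaPublicKey = rsaKey.toRSAPublicKey();
            nimbusVerifier = new RSASSAVerifier(rsaKey);
            oxauthVerifier = new RSASigner(signatureAlgorithm, new RSAPublicKey(rsaPublicKey.getModulus(), rsaPublicKey.getPublicExponent()));
            break;
        default:
            // Previously fell through to assertNotNull with no hint of which family was unsupported.
            throw new IllegalArgumentException("Unsupported signature algorithm family: " + signatureAlgorithm.getFamily());
    }
    assertNotNull(nimbusVerifier);
    assertNotNull(oxauthVerifier);
    // Nimbus
    assertTrue(signedJWT.verify(nimbusVerifier));
    // oxauth cryptoProvider
    boolean validJwt = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(), kid, null, null, jwt.getHeader().getSignatureAlgorithm());
    assertTrue(validJwt);
    // oxauth verifier
    assertTrue(oxauthVerifier.validate(jwt));
}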

Example 3 with AbstractJwsSigner

use of io.jans.as.model.jws.AbstractJwsSigner in project jans by JanssenProject.

the class Validator method createJwsSigner.

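/**
 * Builds the signer that will verify the {@code id_token} signature, choosing the key material from the
 * token's header {@code alg} (and {@code kid} for the asymmetric families).
 *
 * <p>{@code alg=none} is honoured only when {@code accept_id_token_without_signature} is enabled, and then
 * yields a signer whose {@code validateSignature} accepts everything. RSA and EC keys are fetched from the
 * OP's JWKS; the HMAC family uses the RP's client secret as the shared key.
 *
 * @param idToken           parsed id_token whose header drives the choice
 * @param discoveryResponse OP discovery document supplying the JWKS URI
 * @param keyService        resolves public keys from the JWKS
 * @param opClientFactory   creates the RSA signer
 * @param rp                relying party whose client secret backs HMAC verification
 * @param configuration     server configuration; controls acceptance of unsigned tokens
 * @return a signer able to validate the token
 * @throws HttpException with {@code INVALID_ALGORITHM} for an unrecognised {@code alg},
 *                       {@code ID_TOKEN_WITHOUT_SIGNATURE_NOT_ALLOWED} for a disallowed {@code none}, and
 *                       {@code ALGORITHM_NOT_SUPPORTED} for any other family
 */
public static AbstractJwsSigner createJwsSigner(Jwt idToken, OpenIdConfigurationResponse discoveryResponse, PublicOpKeyService keyService, OpClientFactory opClientFactory, Rp rp, RpServerConfiguration configuration) {
    final String algorithm = idToken.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM);
    final SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(algorithm);
    final String jwkUrl = discoveryResponse.getJwksUri();
    String kid = idToken.getHeader().getClaimAsString(JwtHeaderName.KEY_ID);
    // fromString() yields null for an alg the project does not know; everything below dereferences it.
    if (signatureAlgorithm == null) {
        throw new HttpException(ErrorResponseCode.INVALID_ALGORITHM);
    }
    final AlgorithmFamily family = signatureAlgorithm.getFamily();
    if (Strings.isNullOrEmpty(kid) && (family == AlgorithmFamily.RSA || family == AlgorithmFamily.EC)) {
        LOG.warn("Warning:`kid` is missing in id_token header. oxd will throw error if RP is unable to determine the key to used for `id_token` validation.");
    }
    if (signatureAlgorithm == SignatureAlgorithm.NONE) {
        if (!configuration.getAcceptIdTokenWithoutSignature()) {
            LOG.error("`ID_TOKEN` without signature is not allowed. To allow `ID_TOKEN` without signature set `accept_id_token_without_signature` field to 'true' in client-api-server.yml.");
            throw new HttpException(ErrorResponseCode.ID_TOKEN_WITHOUT_SIGNATURE_NOT_ALLOWED);
        }
        // Unsigned tokens were explicitly allowed by configuration: this signer never signs and always validates.
        return new AbstractJwsSigner(signatureAlgorithm) {

            @Override
            public String generateSignature(String signingInput) throws SignatureException {
                return null;
            }

            @Override
            public boolean validateSignature(String signingInput, String signature) throws SignatureException {
                return true;
            }
        };
    } else if (family == AlgorithmFamily.RSA) {
        final RSAPublicKey publicKey = (RSAPublicKey) keyService.getPublicKey(jwkUrl, kid, signatureAlgorithm, Use.SIGNATURE);
        return opClientFactory.createRSASigner(signatureAlgorithm, publicKey);
    } else if (family == AlgorithmFamily.HMAC) {
        // NOTE(review): the client secret is passed through as-is; an RP without a secret presumably cannot
        // verify an HMAC-signed token — confirm HMACSigner rejects a null/empty key rather than accepting it.
        return new HMACSigner(signatureAlgorithm, rp.getClientSecret());
    } else if (family == AlgorithmFamily.EC) {
        final ECDSAPublicKey publicKey = (ECDSAPublicKey) keyService.getPublicKey(jwkUrl, kid, signatureAlgorithm, Use.SIGNATURE);
        return new ECDSASigner(signatureAlgorithm, publicKey);
    }
    throw new HttpException(ErrorResponseCode.ALGORITHM_NOT_SUPPORTED);
}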
