use of io.jsonwebtoken.security.SignatureException in project killbill by killbill.
the class KillBillAuth0Realm method loadPublicKey.
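/**
 * Fetches the Auth0 JWKS document and returns the public key whose {@code kid} equals {@code keyId}.
 * <p>
 * The JWKS is downloaded from {@code <shiroAuth0Url>/.well-known/jwks.json} on every call; no
 * caching happens here (if any is wanted it has to be done by the caller). Only {@code RSA} and
 * {@code EC} entries are understood; an entry with another {@code kty}, a non-string {@code kty},
 * missing parameters or an unknown curve is skipped and the search continues. The returned key
 * objects expose only their JWK parameters: {@link PublicKey#getEncoded()} is not supported.
 *
 * @param keyId the {@code kid} to look for, as taken from the token header
 * @return the matching public key, never {@code null}
 * @throws SignatureException if the JWKS cannot be fetched or parsed, holds no keys at all,
 *                            or holds no usable key for {@code keyId}
 */
private PublicKey loadPublicKey(final String keyId) {
    final Response response = fetchJwks();
    // NOTE(review): the HTTP status is not checked; a non-2xx body surfaces as a parse error below.
    final Map<String, List<Map<String, Object>>> keysResponse;
    try {
        // Assumes the mapper keeps Jackson's default AUTO_CLOSE_SOURCE so the body stream is closed — verify mapper config.
        keysResponse = mapper.readValue(response.getResponseBodyAsStream(), new TypeReference<Map<String, List<Map<String, Object>>>>() {
        });
    } catch (final IOException e) {
        throw new SignatureException("Unable to read public keys from Auth0", e);
    }
    final List<Map<String, Object>> jwks = keysResponse.get("keys");
    if (jwks == null || jwks.isEmpty()) {
        throw new SignatureException("Auth0 returned no key");
    }
    for (final Map<String, Object> jwk : jwks) {
        final Object kid = jwk.get("kid");
        final Object kty = jwk.get("kty");
        // Skip entries for other key ids and malformed entries whose "kty" is absent or not a string
        // (an unconditional cast would let a ClassCastException escape instead of a SignatureException).
        if (kid == null || !kid.equals(keyId) || !(kty instanceof String)) {
            continue;
        }
        final PublicKey candidate;
        if ("RSA".equals(kty)) {
            candidate = rsaPublicKeyFrom(jwk);
        } else if ("EC".equals(kty)) {
            candidate = ecPublicKeyFrom(jwk);
        } else {
            // Unsupported key type: keep looking, another entry may carry the same kid.
            candidate = null;
        }
        if (candidate != null) {
            return candidate;
        }
    }
    throw new SignatureException("Could not find Auth0 public key " + keyId);
}

/**
 * Downloads the JWKS document from Auth0 with a bounded wait.
 *
 * @return the raw HTTP response
 * @throws SignatureException on timeout, interruption or any other failure while fetching
 */
private Response fetchJwks() {
    final BoundRequestBuilder builder = httpClient.prepareGet(securityConfig.getShiroAuth0Url() + "/.well-known/jwks.json");
    try {
        final ListenableFuture<Response> futureStatus = builder.execute(new AsyncCompletionHandler<Response>() {
            @Override
            public Response onCompleted(final Response response) throws Exception {
                return response;
            }
        });
        // Bounded wait so a slow or unreachable Auth0 cannot stall authentication indefinitely.
        return futureStatus.get(DEFAULT_TIMEOUT_SECS, TimeUnit.SECONDS);
    } catch (final TimeoutException toe) {
        throw new SignatureException("Timeout while connecting to Auth0 to fetch public keys", toe);
    } catch (final InterruptedException ie) {
        // Restore the interrupt flag before converting to the caller's exception type.
        Thread.currentThread().interrupt();
        throw new SignatureException("Interrupted while connecting to Auth0 to fetch public keys", ie);
    } catch (final Exception e) {
        throw new SignatureException("Error while connecting to Auth0 to fetch public keys", e);
    }
}

/**
 * Builds an RSA public key from a JWK entry.
 *
 * @param jwk the JWK entry (expects "n" and "e")
 * @return the key, or {@code null} if the modulus or exponent is missing/unparseable
 */
private PublicKey rsaPublicKeyFrom(final Map<String, Object> jwk) {
    final BigInteger modulus = getBigInteger(jwk.get("n"));
    final BigInteger exponent = getBigInteger(jwk.get("e"));
    if (modulus == null || exponent == null) {
        return null;
    }
    return new RSAPublicKey() {
        @Override
        public BigInteger getPublicExponent() {
            return exponent;
        }

        @Override
        public String getAlgorithm() {
            return "RSA";
        }

        @Override
        public String getFormat() {
            return "JWK";
        }

        @Override
        public byte[] getEncoded() {
            // The key is only described by its JWK parameters; there is no DER encoding to hand out.
            throw new UnsupportedOperationException();
        }

        @Override
        public BigInteger getModulus() {
            return modulus;
        }
    };
}

/**
 * Builds an EC public key from a JWK entry.
 *
 * @param jwk the JWK entry (expects "crv", "x" and "y")
 * @return the key, or {@code null} if a coordinate is missing/unparseable or the curve is unknown
 */
private PublicKey ecPublicKeyFrom(final Map<String, Object> jwk) {
    final Object curveName = jwk.get("crv");
    final BigInteger x = getBigInteger(jwk.get("x"));
    final BigInteger y = getBigInteger(jwk.get("y"));
    if (!(curveName instanceof String) || x == null || y == null) {
        return null;
    }
    final ECParameterSpec curve = EcCurve.tryGet((String) curveName);
    if (curve == null) {
        return null;
    }
    final ECPoint w = new ECPoint(x, y);
    return new ECPublicKey() {
        @Override
        public ECPoint getW() {
            return w;
        }

        @Override
        public String getAlgorithm() {
            return "EC";
        }

        @Override
        public String getFormat() {
            return "JWK";
        }

        @Override
        public byte[] getEncoded() {
            // The key is only described by its JWK parameters; there is no DER encoding to hand out.
            throw new UnsupportedOperationException();
        }

        @Override
        public ECParameterSpec getParams() {
            return curve;
        }
    };
}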
use of io.jsonwebtoken.security.SignatureException in project jjwt by jwtk.
the class EllipticCurveSignatureValidator method isValid.
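/**
 * Verifies an ECDSA signature over {@code data} with the configured public key.
 * <p>
 * Signatures are expected in the JOSE format (fixed-length R||S concatenation). For backwards
 * compatibility with tokens produced by earlier jjwt versions, a signature whose length does not
 * match the JOSE length for {@code alg} and whose first byte is the DER SEQUENCE tag (0x30) is
 * passed through as ASN.1 DER unchanged; this fallback may be removed in a future version.
 * Because of the fallback a single signature has two accepted byte encodings — harmless for
 * verification, but the raw signature bytes must not be relied on as a unique identifier.
 *
 * @param data      the signed bytes
 * @param signature the signature bytes, JOSE or (legacy) DER encoded
 * @return {@code true} if the signature is valid for {@code data}
 * @throws SignatureException if the signature is missing or empty, cannot be transcoded,
 *                            or the underlying verification fails with an error
 */
@Override
public boolean isValid(byte[] data, byte[] signature) {
    // Reject an absent signature up front with a clear message instead of an NPE/AIOOBE wrapped below.
    if (signature == null || signature.length == 0) {
        throw new SignatureException("Unable to verify Elliptic Curve signature: signature is missing or empty.");
    }
    Signature sig = createSignatureInstance();
    PublicKey publicKey = (PublicKey) key;
    try {
        int expectedSize = getSignatureByteArrayLength(alg);
        // Legacy DER fallback: wrong JOSE length plus a leading SEQUENCE tag is taken as already-DER.
        boolean looksLikeDer = signature.length != expectedSize && signature[0] == 0x30;
        byte[] derSignature = looksLikeDer ? signature : EllipticCurveProvider.transcodeSignatureToDER(signature);
        return doVerify(sig, publicKey, data, derSignature);
    } catch (Exception e) {
        String msg = "Unable to verify Elliptic Curve signature using configured ECPublicKey. " + e.getMessage();
        throw new SignatureException(msg, e);
    }
}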
use of io.jsonwebtoken.security.SignatureException in project sonarqube by SonarSource.
the class JwtSerializer method decode.
/**
 * Parses and verifies a signed JWT and returns its claims.
 * <p>
 * The token must be signed with the configured secret key and must carry an id, subject,
 * expiration and issued-at claim. An unsupported, expired or badly signed token yields an
 * empty result; any other failure (including a missing mandatory claim) is raised as an
 * {@code AuthenticationException} carrying the subject when it could be read.
 *
 * @param token the compact JWS string
 * @return the verified claims, or empty if the token is rejected
 * @throws AuthenticationException on any other decoding error
 */
Optional<Claims> decode(String token) {
    checkIsStarted();
    Claims parsed = null;
    try {
        parsed = Jwts.parserBuilder()
                .setSigningKey(secretKey)
                .build()
                .parseClaimsJws(token)
                .getBody();
        requireMandatoryClaims(parsed);
        return Optional.of(parsed);
    } catch (UnsupportedJwtException | ExpiredJwtException | SignatureException rejected) {
        return Optional.empty();
    } catch (Exception failure) {
        // The subject is only available when parsing itself succeeded.
        String login = parsed == null ? null : parsed.getSubject();
        throw AuthenticationException.newBuilder()
                .setSource(Source.jwt())
                .setLogin(login)
                .setMessage(failure.getMessage())
                .build();
    }
}

/**
 * Fails with a NullPointerException naming the first mandatory claim that is absent.
 *
 * @param claims the parsed claims to check
 */
private static void requireMandatoryClaims(Claims claims) {
    requireNonNull(claims.getId(), "Token id hasn't been found");
    requireNonNull(claims.getSubject(), "Token subject hasn't been found");
    requireNonNull(claims.getExpiration(), "Token expiration date hasn't been found");
    requireNonNull(claims.getIssuedAt(), "Token creation date hasn't been found");
}
use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.
the class ZTSImplTest method testPostAccessTokenRequestProxyUserMismatchRolesIntersection.
/**
 * A proxy principal requesting a token on behalf of another user only gets the roles both of
 * them hold: proxy-user1 is a writer and a reader, joe is a writer only, so the token is scoped
 * to the writers role alone. The issued token is parsed back with the ZTS public key and its
 * subject, proxy, audience, issuer and scp claims are checked.
 */
@Test
public void testPostAccessTokenRequestProxyUserMismatchRolesIntersection() {
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl zts = new ZTSImpl(cloudStore, store);
    // set back to our zts rsa private key
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");

    List<RoleMember> writerMembers = new ArrayList<>();
    for (String memberName : new String[]{"user_domain.proxy-user1", "user_domain.joe"}) {
        writerMembers.add(new RoleMember().setMemberName(memberName));
    }
    List<RoleMember> readerMembers = new ArrayList<>();
    for (String memberName : new String[]{"user_domain.proxy-user2", "user_domain.jane", "user_domain.proxy-user1"}) {
        readerMembers.add(new RoleMember().setMemberName(memberName));
    }
    SignedDomain domain = createSignedDomain("coretech-proxy3", "weather-proxy3", "storage", writerMembers, readerMembers, true);
    store.processSignedDomain(domain, false);

    Principal proxyPrincipal = SimplePrincipal.create("user_domain", "proxy-user1", "v=U1;d=user_domain;n=proxy-user1;s=sig", 0, null);
    ResourceContext ctx = createResourceContext(proxyPrincipal);
    AccessTokenResponse tokenResponse = zts.postAccessTokenRequest(ctx, "grant_type=client_credentials&scope=coretech-proxy3:domain&proxy_for_principal=user_domain.joe");
    assertNotNull(tokenResponse);
    assertEquals("coretech-proxy3:role.writers", tokenResponse.getScope());
    String token = tokenResponse.getAccess_token();
    assertNotNull(token);

    Jws<Claims> parsed;
    try {
        parsed = Jwts.parserBuilder()
                .setSigningKey(Crypto.extractPublicKey(zts.privateKey.getKey()))
                .build()
                .parseClaimsJws(token);
    } catch (SignatureException e) {
        throw new ResourceException(ResourceException.UNAUTHORIZED);
    }
    assertNotNull(parsed);
    Claims body = parsed.getBody();
    assertEquals("user_domain.joe", body.getSubject());
    assertEquals("user_domain.proxy-user1", body.get("proxy"));
    assertEquals("coretech-proxy3", body.getAudience());
    assertEquals(zts.ztsOAuthIssuer, body.getIssuer());
    List<String> scp = (List<String>) body.get("scp");
    assertNotNull(scp);
    assertEquals(1, scp.size());
    assertEquals("writers", scp.get(0));
}
use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.
the class ZTSImplTest method testPostAccessTokenRequest.
/**
 * Issues access tokens for two principals and parses each back with the ZTS public key.
 * The first request (URL-encoded domain scope) must yield a writers-only token with a token id,
 * subject, audience, issuer, scope and scp claim. The second request asks for
 * {@code expires_in=100}, must yield a readers+writers token and an expiration exactly
 * 100 seconds after issuance.
 *
 * @throws UnsupportedEncodingException never in practice; declared by URLEncoder
 */
@Test
public void testPostAccessTokenRequest() throws UnsupportedEncodingException {
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl zts = new ZTSImpl(cloudStore, store);
    // set back to our zts rsa private key
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");

    SignedDomain domain = createSignedDomain("coretech", "weather", "storage", true);
    store.processSignedDomain(domain, false);

    // First principal: scope passed URL-encoded.
    Principal firstPrincipal = SimplePrincipal.create("user_domain", "user", "v=U1;d=user_domain;n=user;s=signature", 0, null);
    ResourceContext firstCtx = createResourceContext(firstPrincipal);
    final String encodedScope = URLEncoder.encode("coretech:domain", "UTF-8");
    AccessTokenResponse tokenResponse = zts.postAccessTokenRequest(firstCtx, "grant_type=client_credentials&scope=" + encodedScope);
    assertNotNull(tokenResponse);
    assertEquals("coretech:role.writers", tokenResponse.getScope());
    String token = tokenResponse.getAccess_token();
    assertNotNull(token);

    Jws<Claims> parsed;
    try {
        parsed = Jwts.parserBuilder()
                .setSigningKey(Crypto.extractPublicKey(zts.privateKey.getKey()))
                .build()
                .parseClaimsJws(token);
    } catch (SignatureException e) {
        throw new ResourceException(ResourceException.UNAUTHORIZED);
    }
    assertNotNull(parsed);
    Claims firstBody = parsed.getBody();
    assertNotNull(firstBody.getId());
    assertEquals("user_domain.user", firstBody.getSubject());
    assertEquals("coretech", firstBody.getAudience());
    assertEquals("writers", firstBody.get("scope"));
    assertEquals(zts.ztsOAuthIssuer, firstBody.getIssuer());
    List<String> scp = (List<String>) firstBody.get("scp");
    assertNotNull(scp);
    assertEquals(1, scp.size());
    assertEquals("writers", scp.get(0));

    // Second principal: explicit expires_in, both roles expected.
    Principal secondPrincipal = SimplePrincipal.create("user_domain", "user1", "v=U1;d=user_domain;n=user1;s=signature", 0, null);
    ResourceContext secondCtx = createResourceContext(secondPrincipal);
    tokenResponse = zts.postAccessTokenRequest(secondCtx, "grant_type=client_credentials&scope=coretech:domain&expires_in=100");
    assertNotNull(tokenResponse);
    assertEquals("coretech:role.readers coretech:role.writers", tokenResponse.getScope());
    token = tokenResponse.getAccess_token();
    assertNotNull(token);
    assertEquals(Integer.valueOf(100), tokenResponse.getExpires_in());

    try {
        parsed = Jwts.parserBuilder()
                .setSigningKey(Crypto.extractPublicKey(zts.privateKey.getKey()))
                .build()
                .parseClaimsJws(token);
    } catch (SignatureException e) {
        throw new ResourceException(ResourceException.UNAUTHORIZED);
    }
    assertNotNull(parsed);
    Claims secondBody = parsed.getBody();
    assertEquals("user_domain.user1", secondBody.getSubject());
    assertEquals("coretech", secondBody.getAudience());
    // exp - iat must be exactly the requested lifetime, in milliseconds.
    assertEquals(100 * 1000, secondBody.getExpiration().getTime() - secondBody.getIssuedAt().getTime());
    assertEquals("readers writers", secondBody.get("scope"));
}