Examples with SignatureException io.jsonwebtoken.security.SignatureException used on opensource projects

Example 1 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project killbill by killbill.

the class KillBillAuth0Realm method loadPublicKey.

private PublicKey loadPublicKey(final String keyId) {
    final BoundRequestBuilder builder = httpClient.prepareGet(securityConfig.getShiroAuth0Url() + "/.well-known/jwks.json");
    final Response response;
    try {
        final ListenableFuture<Response> futureStatus = builder.execute(new AsyncCompletionHandler<Response>() {

            @Override
            public Response onCompleted(final Response response) throws Exception {
                return response;
            }
        });
        response = futureStatus.get(DEFAULT_TIMEOUT_SECS, TimeUnit.SECONDS);
    } catch (final TimeoutException toe) {
        throw new SignatureException("Timeout while connecting to Auth0 to fetch public keys", toe);
    } catch (final Exception e) {
        throw new SignatureException("Error while connecting to Auth0 to fetch public keys", e);
    }
    final Map<String, List<Map<String, Object>>> keysResponse;
    try {
        keysResponse = mapper.readValue(response.getResponseBodyAsStream(), new TypeReference<Map<String, List<Map<String, Object>>>>() {
        });
    } catch (final IOException e) {
        throw new SignatureException("Unable to read public keys from Auth0", e);
    }
    if (keysResponse.get("keys") == null || keysResponse.get("keys").isEmpty()) {
        throw new SignatureException("Auth0 returned no key");
    }
    final List<Map<String, Object>> newKeys = keysResponse.get("keys");
    for (final Map<String, Object> newKey : newKeys) {
        if (newKey.get("kid") == null || !newKey.get("kid").equals(keyId) || newKey.get("kty") == null) {
            continue;
        }
        final String kty = (String) newKey.get("kty");
        switch(kty) {
            case "RSA":
                final BigInteger modulus = getBigInteger(newKey.get("n"));
                final BigInteger exponent = getBigInteger(newKey.get("e"));
                if (modulus == null || exponent == null) {
                    continue;
                }
                return new RSAPublicKey() {

                    @Override
                    public BigInteger getPublicExponent() {
                        return exponent;
                    }

                    @Override
                    public String getAlgorithm() {
                        return "RSA";
                    }

                    @Override
                    public String getFormat() {
                        return "JWK";
                    }

                    @Override
                    public byte[] getEncoded() {
                        throw new UnsupportedOperationException();
                    }

                    @Override
                    public BigInteger getModulus() {
                        return modulus;
                    }
                };
            case "EC":
                final String curveName = (String) newKey.get("crv");
                final BigInteger x = getBigInteger(newKey.get("x"));
                final BigInteger y = getBigInteger(newKey.get("y"));
                if (curveName == null || x == null || y == null) {
                    continue;
                }
                final ECParameterSpec curve = EcCurve.tryGet(curveName);
                if (curve == null) {
                    continue;
                }
                final ECPoint w = new ECPoint(x, y);
                return new ECPublicKey() {

                    @Override
                    public ECPoint getW() {
                        return w;
                    }

                    @Override
                    public String getAlgorithm() {
                        return "EC";
                    }

                    @Override
                    public String getFormat() {
                        return "JWK";
                    }

                    @Override
                    public byte[] getEncoded() {
                        throw new UnsupportedOperationException();
                    }

                    @Override
                    public ECParameterSpec getParams() {
                        return curve;
                    }
                };
            default:
        }
    }
    throw new SignatureException("Could not find Auth0 public key " + keyId);
}

Example 2 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project jjwt by jwtk.

the class EllipticCurveSignatureValidator method isValid.

@Override
public boolean isValid(byte[] data, byte[] signature) {
    Signature sig = createSignatureInstance();
    PublicKey publicKey = (PublicKey) key;
    try {
        int expectedSize = getSignatureByteArrayLength(alg);
        /**
         * If the expected size is not valid for JOSE, fall back to ASN.1 DER signature.
         * This fallback is for backwards compatibility ONLY (to support tokens generated by previous versions of jjwt)
         * and backwards compatibility will possibly be removed in a future version of this library.
         *
         * *
         */
        byte[] derSignature = expectedSize != signature.length && signature[0] == 0x30 ? signature : EllipticCurveProvider.transcodeSignatureToDER(signature);
        return doVerify(sig, publicKey, data, derSignature);
    } catch (Exception e) {
        String msg = "Unable to verify Elliptic Curve signature using configured ECPublicKey. " + e.getMessage();
        throw new SignatureException(msg, e);
    }
}

Example 3 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project sonarqube by SonarSource.

the class JwtSerializer method decode.

Optional<Claims> decode(String token) {
    checkIsStarted();
    Claims claims = null;
    try {
        claims = Jwts.parserBuilder().setSigningKey(secretKey).build().parseClaimsJws(token).getBody();
        requireNonNull(claims.getId(), "Token id hasn't been found");
        requireNonNull(claims.getSubject(), "Token subject hasn't been found");
        requireNonNull(claims.getExpiration(), "Token expiration date hasn't been found");
        requireNonNull(claims.getIssuedAt(), "Token creation date hasn't been found");
        return Optional.of(claims);
    } catch (UnsupportedJwtException | ExpiredJwtException | SignatureException e) {
        return Optional.empty();
    } catch (Exception e) {
        throw AuthenticationException.newBuilder().setSource(Source.jwt()).setLogin(claims == null ? null : claims.getSubject()).setMessage(e.getMessage()).build();
    }
}

Example 4 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.

the class ZTSImplTest method testPostAccessTokenRequestProxyUserMismatchRolesIntersection.

@Test
public void testPostAccessTokenRequestProxyUserMismatchRolesIntersection() {
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl ztsImpl = new ZTSImpl(cloudStore, store);
    // set back to our zts rsa private key
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");
    List<RoleMember> writers = new ArrayList<>();
    writers.add(new RoleMember().setMemberName("user_domain.proxy-user1"));
    writers.add(new RoleMember().setMemberName("user_domain.joe"));
    List<RoleMember> readers = new ArrayList<>();
    readers.add(new RoleMember().setMemberName("user_domain.proxy-user2"));
    readers.add(new RoleMember().setMemberName("user_domain.jane"));
    readers.add(new RoleMember().setMemberName("user_domain.proxy-user1"));
    SignedDomain signedDomain = createSignedDomain("coretech-proxy3", "weather-proxy3", "storage", writers, readers, true);
    store.processSignedDomain(signedDomain, false);
    Principal principal = SimplePrincipal.create("user_domain", "proxy-user1", "v=U1;d=user_domain;n=proxy-user1;s=sig", 0, null);
    ResourceContext context = createResourceContext(principal);
    AccessTokenResponse resp = ztsImpl.postAccessTokenRequest(context, "grant_type=client_credentials&scope=coretech-proxy3:domain&proxy_for_principal=user_domain.joe");
    assertNotNull(resp);
    assertEquals("coretech-proxy3:role.writers", resp.getScope());
    String accessTokenStr = resp.getAccess_token();
    assertNotNull(accessTokenStr);
    Jws<Claims> claims;
    try {
        claims = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey())).build().parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        throw new ResourceException(ResourceException.UNAUTHORIZED);
    }
    assertNotNull(claims);
    assertEquals("user_domain.joe", claims.getBody().getSubject());
    assertEquals("user_domain.proxy-user1", claims.getBody().get("proxy"));
    assertEquals("coretech-proxy3", claims.getBody().getAudience());
    assertEquals(ztsImpl.ztsOAuthIssuer, claims.getBody().getIssuer());
    List<String> scopes = (List<String>) claims.getBody().get("scp");
    assertNotNull(scopes);
    assertEquals(1, scopes.size());
    assertEquals("writers", scopes.get(0));
}

Example 5 with SignatureException

use of io.jsonwebtoken.security.SignatureException in project athenz by yahoo.

the class ZTSImplTest method testPostAccessTokenRequest.

@Test
public void testPostAccessTokenRequest() throws UnsupportedEncodingException {
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    ZTSImpl ztsImpl = new ZTSImpl(cloudStore, store);
    // set back to our zts rsa private key
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");
    SignedDomain signedDomain = createSignedDomain("coretech", "weather", "storage", true);
    store.processSignedDomain(signedDomain, false);
    Principal principal = SimplePrincipal.create("user_domain", "user", "v=U1;d=user_domain;n=user;s=signature", 0, null);
    ResourceContext context = createResourceContext(principal);
    final String scope = URLEncoder.encode("coretech:domain", "UTF-8");
    AccessTokenResponse resp = ztsImpl.postAccessTokenRequest(context, "grant_type=client_credentials&scope=" + scope);
    assertNotNull(resp);
    assertEquals("coretech:role.writers", resp.getScope());
    String accessTokenStr = resp.getAccess_token();
    assertNotNull(accessTokenStr);
    Jws<Claims> claims;
    try {
        claims = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey())).build().parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        throw new ResourceException(ResourceException.UNAUTHORIZED);
    }
    assertNotNull(claims);
    assertNotNull(claims.getBody().getId());
    assertEquals("user_domain.user", claims.getBody().getSubject());
    assertEquals("coretech", claims.getBody().getAudience());
    assertEquals("writers", claims.getBody().get("scope"));
    assertEquals(ztsImpl.ztsOAuthIssuer, claims.getBody().getIssuer());
    List<String> scopes = (List<String>) claims.getBody().get("scp");
    assertNotNull(scopes);
    assertEquals(1, scopes.size());
    assertEquals("writers", scopes.get(0));
    Principal principal1 = SimplePrincipal.create("user_domain", "user1", "v=U1;d=user_domain;n=user1;s=signature", 0, null);
    ResourceContext context1 = createResourceContext(principal1);
    resp = ztsImpl.postAccessTokenRequest(context1, "grant_type=client_credentials&scope=coretech:domain&expires_in=100");
    assertNotNull(resp);
    assertEquals("coretech:role.readers coretech:role.writers", resp.getScope());
    accessTokenStr = resp.getAccess_token();
    assertNotNull(accessTokenStr);
    assertEquals(Integer.valueOf(100), resp.getExpires_in());
    try {
        claims = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(ztsImpl.privateKey.getKey())).build().parseClaimsJws(accessTokenStr);
    } catch (SignatureException e) {
        throw new ResourceException(ResourceException.UNAUTHORIZED);
    }
    assertNotNull(claims);
    assertEquals("user_domain.user1", claims.getBody().getSubject());
    assertEquals("coretech", claims.getBody().getAudience());
    assertEquals(100 * 1000, claims.getBody().getExpiration().getTime() - claims.getBody().getIssuedAt().getTime());
    assertEquals("readers writers", claims.getBody().get("scope"));
}