
Example 1 with SignatureException

Use of io.jsonwebtoken.security.SignatureException in the killbill project (by killbill).

From class KillBillAuth0Realm, method loadPublicKey. This method resolves a JWKS verification key by key id; every failure is surfaced as a SignatureException so the caller rejects the token.

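/**
 * Resolves the verification key with the given JWK {@code kid} from the
 * issuer's JWKS document ({@code <auth0 url>/.well-known/jwks.json}).
 *
 * <p>The trust placed in the returned key is exactly the trust placed in
 * {@code securityConfig.getShiroAuth0Url()}: it should be an https URL for
 * the real Auth0 tenant. Nothing in this method verifies that.
 *
 * @param keyId the {@code kid} named in the JWT header
 * @return a usable RSA or EC public key for that id
 * @throws SignatureException on timeout, transport error, non-2xx reply,
 *         unparseable body, empty key set, or when no usable key has that id;
 *         the caller treats all of these as "token cannot be verified"
 */
private PublicKey loadPublicKey(final String keyId) {
    final BoundRequestBuilder builder = httpClient.prepareGet(securityConfig.getShiroAuth0Url() + "/.well-known/jwks.json");
    final Response response;
    try {
        final ListenableFuture<Response> futureStatus = builder.execute(new AsyncCompletionHandler<Response>() {

            @Override
            public Response onCompleted(final Response response) throws Exception {
                return response;
            }
        });
        response = futureStatus.get(DEFAULT_TIMEOUT_SECS, TimeUnit.SECONDS);
    } catch (final TimeoutException toe) {
        throw new SignatureException("Timeout while connecting to Auth0 to fetch public keys", toe);
    } catch (final InterruptedException ie) {
        // Preserve the interrupt for whoever owns this thread; the token is still rejected.
        Thread.currentThread().interrupt();
        throw new SignatureException("Error while connecting to Auth0 to fetch public keys", ie);
    } catch (final Exception e) {
        throw new SignatureException("Error while connecting to Auth0 to fetch public keys", e);
    }
    // An error page or redirect body is not a key set: say so explicitly
    // instead of reporting it as a JSON parse failure further down.
    final int status = response.getStatusCode();
    if (status < 200 || status >= 300) {
        throw new SignatureException("Auth0 returned HTTP " + status + " while fetching public keys");
    }
    final Map<String, List<Map<String, Object>>> keysResponse;
    try {
        keysResponse = mapper.readValue(response.getResponseBodyAsStream(), new TypeReference<Map<String, List<Map<String, Object>>>>() {
        });
    } catch (final IOException e) {
        throw new SignatureException("Unable to read public keys from Auth0", e);
    }
    final List<Map<String, Object>> jwks = keysResponse.get("keys");
    if (jwks == null || jwks.isEmpty()) {
        throw new SignatureException("Auth0 returned no key");
    }
    // First key carrying the requested kid that can actually be materialised
    // wins; a matching kid with unusable parameters is skipped, not fatal.
    for (final Map<String, Object> jwk : jwks) {
        if (!isUsableSigningJwk(jwk, keyId)) {
            continue;
        }
        final PublicKey key = jwkToPublicKey(jwk);
        if (key != null) {
            return key;
        }
    }
    throw new SignatureException("Could not find Auth0 public key " + keyId);
}

/**
 * True when {@code jwk} carries the requested {@code kid}, names a key type,
 * and is not restricted to encryption. RFC 7517 §4.2 says a key whose
 * {@code use} is not {@code "sig"} must not be used to verify signatures,
 * so such a key is not a candidate even if the kid matches; an absent
 * {@code use} is accepted.
 */
private static boolean isUsableSigningJwk(final Map<String, Object> jwk, final String keyId) {
    if (jwk.get("kid") == null || !jwk.get("kid").equals(keyId) || jwk.get("kty") == null) {
        return false;
    }
    final Object use = jwk.get("use");
    return use == null || "sig".equals(use);
}

/**
 * Materialises an RSA or EC JWK as a {@link PublicKey}.
 *
 * @return the key, or {@code null} when {@code kty} is unsupported or the
 *         required parameters are missing or unusable
 */
private PublicKey jwkToPublicKey(final Map<String, Object> jwk) {
    final String kty = (String) jwk.get("kty");
    switch (kty) {
        case "RSA":
            return jwkToRsaKey(jwk);
        case "EC":
            return jwkToEcKey(jwk);
        default:
            return null;
    }
}

/** RSA JWK ({@code n}, {@code e}) to key; {@code null} if either parameter is missing. */
private RSAPublicKey jwkToRsaKey(final Map<String, Object> jwk) {
    final BigInteger modulus = getBigInteger(jwk.get("n"));
    final BigInteger exponent = getBigInteger(jwk.get("e"));
    if (modulus == null || exponent == null) {
        return null;
    }
    // NOTE(review): this is a bare parameter holder, not a KeyFactory-produced
    // key: getEncoded() is unsupported and no key validation happens here.
    // Whether the verifying provider copes with that is not visible from this
    // method -- confirm against the JWT verifier that consumes the key.
    return new RSAPublicKey() {

        @Override
        public BigInteger getPublicExponent() {
            return exponent;
        }

        @Override
        public String getAlgorithm() {
            return "RSA";
        }

        @Override
        public String getFormat() {
            return "JWK";
        }

        @Override
        public byte[] getEncoded() {
            throw new UnsupportedOperationException();
        }

        @Override
        public BigInteger getModulus() {
            return modulus;
        }
    };
}

/**
 * EC JWK ({@code crv}, {@code x}, {@code y}) to key; {@code null} if a
 * parameter is missing or the curve name is not one {@code EcCurve} knows.
 */
private ECPublicKey jwkToEcKey(final Map<String, Object> jwk) {
    final String curveName = (String) jwk.get("crv");
    final BigInteger x = getBigInteger(jwk.get("x"));
    final BigInteger y = getBigInteger(jwk.get("y"));
    if (curveName == null || x == null || y == null) {
        return null;
    }
    final ECParameterSpec curve = EcCurve.tryGet(curveName);
    if (curve == null) {
        return null;
    }
    // NOTE(review): the point is not checked to lie on the curve here; that is
    // left to whatever provider verifies with this key -- confirm it does.
    final ECPoint w = new ECPoint(x, y);
    return new ECPublicKey() {

        @Override
        public ECPoint getW() {
            return w;
        }

        @Override
        public String getAlgorithm() {
            return "EC";
        }

        @Override
        public String getFormat() {
            return "JWK";
        }

        @Override
        public byte[] getEncoded() {
            throw new UnsupportedOperationException();
        }

        @Override
        public ECParameterSpec getParams() {
            return curve;
        }
    };
}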

Example 2 with SignatureException

Use of io.jsonwebtoken.security.SignatureException in the jjwt project (by jwtk).

From class EllipticCurveSignatureValidator, method isValid. Note that the validator accepts both the JOSE raw (r||s) signature encoding and, for backwards compatibility, ASN.1 DER.

/**
 * Verifies an ECDSA signature over {@code data} with the configured public key.
 *
 * <p>Two encodings are accepted for the same signature: the JOSE raw
 * {@code r || s} concatenation (transcoded to DER before verification) and,
 * for tokens produced by older jjwt versions, a signature that is already
 * DER (does not have the JOSE length and starts with the SEQUENCE tag 0x30).
 * The original comment marks this fallback as backwards compatibility only
 * and subject to removal.
 *
 * @throws SignatureException wrapping any failure, including the index access
 *         on a zero-length {@code signature}, which is caught by the catch-all
 */
@Override
public boolean isValid(byte[] data, byte[] signature) {
    Signature verifier = createSignatureInstance();
    PublicKey verificationKey = (PublicKey) key;
    try {
        int joseLength = getSignatureByteArrayLength(alg);
        byte[] derEncoded;
        boolean alreadyDer = signature.length != joseLength && signature[0] == 0x30;
        if (alreadyDer) {
            // Legacy path: trust the caller's DER as-is.
            derEncoded = signature;
        } else {
            derEncoded = EllipticCurveProvider.transcodeSignatureToDER(signature);
        }
        return doVerify(verifier, verificationKey, data, derEncoded);
    } catch (Exception e) {
        throw new SignatureException("Unable to verify Elliptic Curve signature using configured ECPublicKey. " + e.getMessage(), e);
    }
}

Example 3 with SignatureException

Use of io.jsonwebtoken.security.SignatureException in the sonarqube project (by SonarSource).

From class JwtSerializer, method decode. Signature, expiry and unsupported-token failures are reported as an empty result; any other problem becomes an AuthenticationException.

/**
 * Parses and verifies a signed JWT with the configured secret key.
 *
 * <p>Outcomes:
 * <ul>
 *   <li>valid signature and all four mandatory claims present: the claims;</li>
 *   <li>bad signature, expired, or unsupported token shape (jjwt raises
 *       UnsupportedJwtException for tokens parseClaimsJws cannot handle,
 *       such as unsigned ones): {@code Optional.empty()}, no exception;</li>
 *   <li>anything else (malformed token, a missing mandatory claim, ...):
 *       an {@link AuthenticationException} carrying the message and, when
 *       the claims were already parsed, their subject as login.</li>
 * </ul>
 *
 * @param token the compact JWS string
 * @throws AuthenticationException for failures other than the three above
 */
Optional<Claims> decode(String token) {
    checkIsStarted();
    Claims parsed = null;
    try {
        parsed = Jwts.parserBuilder()
                .setSigningKey(secretKey)
                .build()
                .parseClaimsJws(token)
                .getBody();
        // Each of these is mandatory; a missing one throws NPE, which the
        // catch-all below turns into an AuthenticationException.
        requireNonNull(parsed.getId(), "Token id hasn't been found");
        requireNonNull(parsed.getSubject(), "Token subject hasn't been found");
        requireNonNull(parsed.getExpiration(), "Token expiration date hasn't been found");
        requireNonNull(parsed.getIssuedAt(), "Token creation date hasn't been found");
        return Optional.of(parsed);
    } catch (UnsupportedJwtException | ExpiredJwtException | SignatureException e) {
        // Treated as "no valid session", not as an error condition.
        return Optional.empty();
    } catch (Exception e) {
        String login = parsed != null ? parsed.getSubject() : null;
        throw AuthenticationException.newBuilder()
                .setSource(Source.jwt())
                .setLogin(login)
                .setMessage(e.getMessage())
                .build();
    }
}

Example 4 with SignatureException

Use of io.jsonwebtoken.security.SignatureException in the athenz project (by yahoo).

From class ZTSImplTest, method testPostAccessTokenRequestProxyUserMismatchRolesIntersection. The test verifies the issued access token with the public half of the ZTS signing key before asserting its claims.

/**
 * A proxied access-token request (proxy-user1 acting for joe) where the two
 * principals' role memberships differ: proxy-user1 is in readers and writers,
 * joe only in writers. The issued token is expected to carry just the
 * writers role, with joe as subject and proxy-user1 recorded as proxy.
 */
@Test
public void testPostAccessTokenRequestProxyUserMismatchRolesIntersection() {
    // Build ZTS while the private-key property points at the access-token
    // signing key, then restore the regular RSA key for everything after.
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    final CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    final ZTSImpl zts = new ZTSImpl(cloudStore, store);
    // set back to our zts rsa private key
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");

    final List<RoleMember> readers = new ArrayList<>();
    readers.add(new RoleMember().setMemberName("user_domain.proxy-user2"));
    readers.add(new RoleMember().setMemberName("user_domain.jane"));
    readers.add(new RoleMember().setMemberName("user_domain.proxy-user1"));
    final List<RoleMember> writers = new ArrayList<>();
    writers.add(new RoleMember().setMemberName("user_domain.proxy-user1"));
    writers.add(new RoleMember().setMemberName("user_domain.joe"));
    final SignedDomain domain = createSignedDomain("coretech-proxy3", "weather-proxy3", "storage", writers, readers, true);
    store.processSignedDomain(domain, false);

    final Principal proxyPrincipal = SimplePrincipal.create("user_domain", "proxy-user1", "v=U1;d=user_domain;n=proxy-user1;s=sig", 0, null);
    final ResourceContext ctx = createResourceContext(proxyPrincipal);
    final AccessTokenResponse resp = zts.postAccessTokenRequest(ctx, "grant_type=client_credentials&scope=coretech-proxy3:domain&proxy_for_principal=user_domain.joe");
    assertNotNull(resp);
    assertEquals("coretech-proxy3:role.writers", resp.getScope());
    final String token = resp.getAccess_token();
    assertNotNull(token);

    // Verify with the public half of the key ZTS signed with. A signature
    // failure is rethrown as UNAUTHORIZED, which still fails the test.
    final Jws<Claims> jws;
    try {
        jws = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(zts.privateKey.getKey())).build().parseClaimsJws(token);
    } catch (SignatureException e) {
        throw new ResourceException(ResourceException.UNAUTHORIZED);
    }
    assertNotNull(jws);
    final Claims body = jws.getBody();
    assertEquals("user_domain.joe", body.getSubject());
    assertEquals("user_domain.proxy-user1", body.get("proxy"));
    assertEquals("coretech-proxy3", body.getAudience());
    assertEquals(zts.ztsOAuthIssuer, body.getIssuer());
    final List<String> scopes = (List<String>) body.get("scp");
    assertNotNull(scopes);
    assertEquals(1, scopes.size());
    assertEquals("writers", scopes.get(0));
}

Example 5 with SignatureException

Use of io.jsonwebtoken.security.SignatureException in the athenz project (by yahoo).

From class ZTSImplTest, method testPostAccessTokenRequest. Two tokens are issued for different principals and each is verified with the public half of the ZTS signing key before its claims are asserted.

/**
 * Issues client-credentials access tokens for two principals of the
 * "coretech" domain and checks subject, audience, issuer, scope/scp claims
 * and, for the second request, that {@code expires_in=100} is honoured in
 * both the response and the token's iat/exp distance.
 *
 * @throws UnsupportedEncodingException from URLEncoder (never for "UTF-8")
 */
@Test
public void testPostAccessTokenRequest() throws UnsupportedEncodingException {
    // Build ZTS while the private-key property points at the access-token
    // signing key, then restore the regular RSA key for everything after.
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_at_private.pem");
    final CloudStore cloudStore = new CloudStore();
    cloudStore.setHttpClient(null);
    final ZTSImpl zts = new ZTSImpl(cloudStore, store);
    // set back to our zts rsa private key
    System.setProperty(FilePrivateKeyStore.ATHENZ_PROP_PRIVATE_KEY, "src/test/resources/unit_test_zts_private.pem");
    store.processSignedDomain(createSignedDomain("coretech", "weather", "storage", true), false);

    // First principal: only the writers role is expected.
    final Principal user = SimplePrincipal.create("user_domain", "user", "v=U1;d=user_domain;n=user;s=signature", 0, null);
    final String encodedScope = URLEncoder.encode("coretech:domain", "UTF-8");
    AccessTokenResponse resp = zts.postAccessTokenRequest(createResourceContext(user), "grant_type=client_credentials&scope=" + encodedScope);
    assertNotNull(resp);
    assertEquals("coretech:role.writers", resp.getScope());
    String token = resp.getAccess_token();
    assertNotNull(token);

    // Verify with the public half of the key ZTS signed with. A signature
    // failure is rethrown as UNAUTHORIZED, which still fails the test.
    Jws<Claims> jws;
    try {
        jws = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(zts.privateKey.getKey())).build().parseClaimsJws(token);
    } catch (SignatureException e) {
        throw new ResourceException(ResourceException.UNAUTHORIZED);
    }
    assertNotNull(jws);
    Claims body = jws.getBody();
    assertNotNull(body.getId());
    assertEquals("user_domain.user", body.getSubject());
    assertEquals("coretech", body.getAudience());
    assertEquals("writers", body.get("scope"));
    assertEquals(zts.ztsOAuthIssuer, body.getIssuer());
    final List<String> scopes = (List<String>) body.get("scp");
    assertNotNull(scopes);
    assertEquals(1, scopes.size());
    assertEquals("writers", scopes.get(0));

    // Second principal: both roles, with an explicit 100 s lifetime.
    final Principal user1 = SimplePrincipal.create("user_domain", "user1", "v=U1;d=user_domain;n=user1;s=signature", 0, null);
    resp = zts.postAccessTokenRequest(createResourceContext(user1), "grant_type=client_credentials&scope=coretech:domain&expires_in=100");
    assertNotNull(resp);
    assertEquals("coretech:role.readers coretech:role.writers", resp.getScope());
    token = resp.getAccess_token();
    assertNotNull(token);
    assertEquals(Integer.valueOf(100), resp.getExpires_in());
    try {
        jws = Jwts.parserBuilder().setSigningKey(Crypto.extractPublicKey(zts.privateKey.getKey())).build().parseClaimsJws(token);
    } catch (SignatureException e) {
        throw new ResourceException(ResourceException.UNAUTHORIZED);
    }
    assertNotNull(jws);
    body = jws.getBody();
    assertEquals("user_domain.user1", body.getSubject());
    assertEquals("coretech", body.getAudience());
    // exp - iat must equal the requested lifetime, in milliseconds.
    assertEquals(100 * 1000, body.getExpiration().getTime() - body.getIssuedAt().getTime());
    assertEquals("readers writers", body.get("scope"));
}
