
Example 11 with PreEnvironment

use of net.openid.conformance.condition.PreEnvironment in project conformance-suite by openid-certification.

The class EncryptUserInfoResponse, method evaluate.

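/**
 * Encrypts the userinfo response for the client and stores the resulting JWE in
 * encrypted_user_info_endpoint_response.
 *
 * Also requires either signed_user_info_endpoint_response or user_info_endpoint_response
 * in the environment; the signed form is used when present, otherwise the plain JSON
 * object is serialised and encrypted.
 *
 * @param env environment holding the client configuration and the userinfo response
 * @return the same environment with encrypted_user_info_endpoint_response set
 */
@Override
@PreEnvironment(required = "client")
@PostEnvironment(strings = "encrypted_user_info_endpoint_response")
public Environment evaluate(Environment env) {
    String userinfoResponse = env.getString("signed_user_info_endpoint_response");
    if (userinfoResponse == null) {
        JsonObject unsignedUserinfo = env.getObject("user_info_endpoint_response");
        if (unsignedUserinfo == null) {
            // Neither form of the response is present: fail with a message naming the missing
            // keys rather than an anonymous NPE from toString() below.
            throw new NullPointerException("Neither signed_user_info_endpoint_response nor user_info_endpoint_response is present in the environment");
        }
        userinfoResponse = unsignedUserinfo.toString();
    }
    String alg = env.getString("client", "userinfo_encrypted_response_alg");
    String enc = env.getString("client", "userinfo_encrypted_response_enc");
    // presumably consumed by encrypt() when alg selects a secret-derived (symmetric) key — confirm against encrypt()
    String clientSecret = env.getString("client", "client_secret");
    // client jwks may be null; encrypt() presumably handles that case itself
    JsonElement clientJwksElement = env.getElementFromObject("client", "jwks");
    JsonObject clientJwks = null;
    if (clientJwksElement != null) {
        clientJwks = clientJwksElement.getAsJsonObject();
    }
    // The trailing two arguments name the client metadata fields, presumably so messages from encrypt() can refer to them
    String encryptedResponse = encrypt("client", userinfoResponse, clientSecret, clientJwks, alg, enc, "userinfo_encrypted_response_alg", "userinfo_encrypted_response_enc");
    logSuccess("Encrypted userinfo response", args("userinfo", encryptedResponse, "userinfo_encrypted_response_alg", alg, "userinfo_encrypted_response_enc", enc));
    env.putString("encrypted_user_info_endpoint_response", encryptedResponse);
    return env;
}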
Also used : JsonElement(com.google.gson.JsonElement) JsonObject(com.google.gson.JsonObject) PostEnvironment(net.openid.conformance.condition.PostEnvironment) PreEnvironment(net.openid.conformance.condition.PreEnvironment)

Example 12 with PreEnvironment

use of net.openid.conformance.condition.PreEnvironment in project conformance-suite by openid-certification.

The class FAPIBrazilSetGrantTypesSupportedInServerConfiguration, method evaluate.

/**
 * Overwrites grant_types_supported in the "server" configuration object with the fixed
 * list of grant types this FAPI Brazil test configuration advertises.
 *
 * @param env environment containing the "server" configuration object
 * @return the same environment, with "server" updated in place
 */
@Override
@PreEnvironment(required = { "server" })
@PostEnvironment(required = { "server" })
public Environment evaluate(Environment env) {
    final String[] supportedGrantTypes = {
        "authorization_code",
        "implicit",
        "client_credentials",
        "refresh_token"
    };
    JsonArray grantTypesSupported = new JsonArray();
    for (String grantType : supportedGrantTypes) {
        grantTypesSupported.add(grantType);
    }
    // add() replaces any existing grant_types_supported member
    JsonObject serverConfig = env.getObject("server");
    serverConfig.add("grant_types_supported", grantTypesSupported);
    log("Successfully set grant_types_supported", args("server", serverConfig));
    return env;
}
Also used : JsonArray(com.google.gson.JsonArray) JsonObject(com.google.gson.JsonObject) PostEnvironment(net.openid.conformance.condition.PostEnvironment) PreEnvironment(net.openid.conformance.condition.PreEnvironment)

Example 13 with PreEnvironment

use of net.openid.conformance.condition.PreEnvironment in project conformance-suite by openid-certification.

The class FAPIEnsureClientJwksContainsAnEncryptionKey, method evaluate.

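/**
 * Checks that the client JWKS contains an asymmetric key usable with the
 * id_token_encrypted_response_alg the client registered, and that the selected key is
 * not an RSA1_5 key. Fails the condition (via {@code error}) when the JWKS or the alg is
 * missing, the JWKS does not parse, no suitable key exists, or the key uses RSA1_5.
 *
 * @param env environment holding the client configuration and the client JWKS under JWKS_KEY
 * @return the unchanged environment when a suitable key is found
 */
@SuppressWarnings("deprecation")
@Override
@PreEnvironment(required = { JWKS_KEY, "client" })
public Environment evaluate(Environment env) {
    JsonObject jwks = env.getObject(JWKS_KEY);
    if (jwks == null) {
        throw error("Couldn't find " + JWKS_KEY + " in environment");
    }
    String alg = env.getString("client", "id_token_encrypted_response_alg");
    if (alg == null) {
        throw error("id_token_encrypted_response_alg is not set");
    }
    JWEAlgorithm jweAlgorithm = JWEAlgorithm.parse(alg);
    JWKSet jwkset;
    try {
        jwkset = JWKSet.parse(jwks.toString());
    } catch (ParseException e) {
        throw error("Failure parsing " + JWKS_KEY, e);
    }
    JWK key = JWEUtil.selectAsymmetricKeyForEncryption(jwkset, jweAlgorithm);
    if (key == null) {
        throw error("Failed to find an encryption key in client jwks", args("id_token_encrypted_response_alg", alg, "client_jwks", jwks));
    }
    // "kid" and "alg" are both optional JWK members: report "not set" instead of
    // dereferencing a null Algorithm in the log/error arguments.
    String kid = key.getKeyID() != null ? key.getKeyID() : "not set";
    String keyAlg = key.getAlgorithm() != null ? key.getAlgorithm().toString() : "not set";
    // RSA1_5 (RSA PKCS#1 v1.5 key transport) is rejected because its padding is vulnerable
    // to padding-oracle attacks and FAPI profiles forbid it.
    if (JWEAlgorithm.RSA1_5.equals(key.getAlgorithm())) {
        throw error("RSA1_5 algorithm is not allowed", args("kid", kid, "algorithm", keyAlg));
    }
    logSuccess("Found an encryption key in client jwks", args("kid", kid, "algorithm", keyAlg));
    return env;
}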
Also used : JWEAlgorithm(com.nimbusds.jose.JWEAlgorithm) JWKSet(com.nimbusds.jose.jwk.JWKSet) JsonObject(com.google.gson.JsonObject) ParseException(java.text.ParseException) JWK(com.nimbusds.jose.jwk.JWK) PreEnvironment(net.openid.conformance.condition.PreEnvironment)

Example 14 with PreEnvironment

use of net.openid.conformance.condition.PreEnvironment in project conformance-suite by openid-certification.

The class FAPIValidateRequestObjectExp, method evaluate.

/**
 * Validates the 'exp' claim of the request object: it must be present, must not already
 * have passed (allowing timeSkewMillis of clock skew), and must not lie more than
 * sixtyMinutesMillis in the future.
 *
 * @param env environment holding authorization_request_object
 * @return the unchanged environment when exp is acceptable
 */
@Override
@PreEnvironment(required = "authorization_request_object")
public Environment evaluate(Environment env) {
    Instant now = Instant.now();
    Long exp = env.getLong("authorization_request_object", "claims.exp");
    if (exp == null) {
        throw error("Missing exp, request object does not contain an 'exp' claim");
    }
    // exp is seconds since the epoch; Date wants milliseconds
    Date expAsDate = new Date(exp * 1000L);
    Instant earliestAcceptable = now.minusMillis(timeSkewMillis);
    Instant expiry = Instant.ofEpochSecond(exp);
    if (earliestAcceptable.isAfter(expiry)) {
        throw error("Token expired", args("exp", expAsDate, "now", now));
    }
    Instant latestAcceptable = now.plusMillis(sixtyMinutesMillis);
    if (latestAcceptable.isBefore(expiry)) {
        throw error("Request object expires unreasonably far in the future", args("exp", expAsDate, "now", now));
    }
    logSuccess("Request object contains a valid exp claim, expiry time", args("exp", expAsDate));
    return env;
}
Also used : Instant(java.time.Instant) Date(java.util.Date) PreEnvironment(net.openid.conformance.condition.PreEnvironment)

Example 15 with PreEnvironment

use of net.openid.conformance.condition.PreEnvironment in project conformance-suite by openid-certification.

The class ExtractClientCertificateFromTokenEndpointRequestHeaders, method evaluate.

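/**
 * Extracts the client's mutual-TLS certificate from the x-ssl-cert header of the token
 * endpoint request, parses it, and records the raw value, the normalised PEM, the subject
 * DN and the subject alternative names in the "client_certificate" environment object.
 *
 * NOTE(review): this trusts that x-ssl-cert is populated only by the TLS-terminating
 * reverse proxy (see the RequestHeader comment below) and that any copy of the header
 * arriving from the network is discarded by that proxy — confirm in the proxy configuration.
 *
 * @param env environment holding token_endpoint_request (with its headers)
 * @return the same environment with "client_certificate" set
 */
@Override
@PreEnvironment(required = "token_endpoint_request")
@PostEnvironment(required = "client_certificate")
public Environment evaluate(Environment env) {
    // Remove any certificate from a previous connection
    env.removeObject("client_certificate");
    String certStr = env.getString("token_endpoint_request", "headers.x-ssl-cert");
    if (certStr == null) {
        throw error("Client certificate not found; likely the non-mtls version of the endpoint was called");
    }
    if (certStr.equals("(null)")) {
        // "RequestHeader set X-Ssl-Cert "%{SSL_CLIENT_CERT}s"
        throw error("Client certificate not found; the client did not supply a MTLS certification to the endpoint. In some cases this may be because the client is, incorrectly, configured to supply a TLS certificate only if the server explicitly requires a certificate at the TLS level.");
    }
    try {
        // pre-process the cert string for the PEM parser: the header value presumably has the PEM
        // line breaks folded into spaces, so restore a newline at every whitespace run except the
        // one inside "BEGIN CERTIFICATE-----" / "END CERTIFICATE-----"
        String certPem = certStr.replaceAll("\\s+(?!CERTIFICATE-----)", "\n");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // PEM is ASCII; name the charset explicitly rather than depending on the platform default
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
            new ByteArrayInputStream(certPem.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
        JsonObject certInfo = new JsonObject();
        certInfo.addProperty("cert", certStr);
        certInfo.addProperty("pem", certPem);
        JsonObject subjectInfo = new JsonObject();
        X500Principal subject = cert.getSubjectX500Principal();
        subjectInfo.addProperty("dn", subject.getName());
        certInfo.add("subject", subjectInfo);
        addSubjectAlternativeNames(cert, certInfo);
        env.putObject("client_certificate", certInfo);
        logSuccess("Extracted client certificate", args("client_certificate", certInfo));
        return env;
    } catch (CertificateException e) {
        throw error("Error parsing certificate", e, args("cert", certStr));
    }
}

/**
 * Sorts the certificate's subject alternative names into the sanDnsNames, sanUris, sanIPs
 * and sanEmails arrays on certInfo (each is always added, possibly empty); SAN entries of
 * any other type are ignored.
 *
 * @param cert the parsed client certificate
 * @param certInfo the object the four SAN arrays are added to
 * @throws CertificateException if the subjectAltName extension cannot be decoded
 */
private static void addSubjectAlternativeNames(X509Certificate cert, JsonObject certInfo) throws CertificateException {
    JsonArray sanDnsNames = new JsonArray();
    JsonArray sanUris = new JsonArray();
    JsonArray sanIPs = new JsonArray();
    JsonArray sanEmails = new JsonArray();
    // null when the certificate carries no subjectAltName extension
    Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
    if (altNames != null) {
        for (List<?> altName : altNames) {
            // each entry is a [type, value] pair; anything shorter cannot be classified
            if (altName.size() < 2) {
                continue;
            }
            String sanValue = String.valueOf(altName.get(1));
            switch ((Integer) altName.get(0)) {
                case GeneralName.dNSName:
                    sanDnsNames.add(sanValue);
                    break;
                case GeneralName.iPAddress:
                    sanIPs.add(sanValue);
                    break;
                case GeneralName.uniformResourceIdentifier:
                    sanUris.add(sanValue);
                    break;
                case GeneralName.rfc822Name:
                    sanEmails.add(sanValue);
                    break;
            }
        }
    }
    certInfo.add("sanDnsNames", sanDnsNames);
    certInfo.add("sanUris", sanUris);
    certInfo.add("sanIPs", sanIPs);
    certInfo.add("sanEmails", sanEmails);
}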
Also used : JsonArray(com.google.gson.JsonArray) ByteArrayInputStream(java.io.ByteArrayInputStream) JsonObject(com.google.gson.JsonObject) X500Principal(javax.security.auth.x500.X500Principal) List(java.util.List) CertificateException(java.security.cert.CertificateException) CertificateFactory(java.security.cert.CertificateFactory) X509Certificate(java.security.cert.X509Certificate) PostEnvironment(net.openid.conformance.condition.PostEnvironment) PreEnvironment(net.openid.conformance.condition.PreEnvironment)
