Examples with JweDecryptionProvider org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider used on opensource projects

Example 1 with JweDecryptionProvider

use of org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider in project cxf by apache.

the class JwtRequestCodeFilter method process.

@Override
public MultivaluedMap<String, String> process(MultivaluedMap<String, String> params, UserSubject endUser, Client client) {
    String requestToken = params.getFirst(REQUEST_PARAM);
    if (requestToken == null) {
        String requestUri = params.getFirst(REQUEST_URI_PARAM);
        if (isRequestUriValid(client, requestUri)) {
            requestToken = WebClient.create(requestUri).get(String.class);
        }
    }
    if (requestToken != null) {
        JweDecryptionProvider theDecryptor = super.getInitializedDecryptionProvider(client.getClientSecret());
        JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(client);
        JwtToken jwt = getJwtToken(requestToken, theDecryptor, theSigVerifier);
        JwtClaims claims = jwt.getClaims();
        // Check issuer
        String iss = issuer != null ? issuer : client.getClientId();
        if (!iss.equals(claims.getIssuer())) {
            throw new SecurityException();
        }
        // Check client_id - if present it must match the client_id specified in the request
        if (claims.getClaim(OAuthConstants.CLIENT_ID) != null && !claims.getStringProperty(OAuthConstants.CLIENT_ID).equals(client.getClientId())) {
            throw new SecurityException();
        }
        // Check response_type - if present it must match the response_type specified in the request
        String tokenResponseType = (String) claims.getClaim(OAuthConstants.RESPONSE_TYPE);
        if (tokenResponseType != null && !tokenResponseType.equals(params.getFirst(OAuthConstants.RESPONSE_TYPE))) {
            throw new SecurityException();
        }
        MultivaluedMap<String, String> newParams = new MetadataMap<String, String>(params);
        Map<String, Object> claimsMap = claims.asMap();
        for (Map.Entry<String, Object> entry : claimsMap.entrySet()) {
            String key = entry.getKey();
            Object value = entry.getValue();
            if (value instanceof Map) {
                Map<String, Object> map = CastUtils.cast((Map<?, ?>) value);
                value = jsonHandler.toJson(map);
            } else if (value instanceof List) {
                List<Object> list = CastUtils.cast((List<?>) value);
                value = jsonHandler.toJson(list);
            }
            newParams.putSingle(key, value.toString());
        }
        return newParams;
    }
    return params;
}

Example 2 with JweDecryptionProvider

use of org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider in project cxf by apache.

the class JoseSessionTokenProvider method decryptStateString.

private String decryptStateString(String sessionToken) {
    JweDecryptionProvider jwe = getInitializedDecryptionProvider();
    String stateString = jwe.decrypt(sessionToken).getContentText();
    JwsSignatureVerifier jws = getInitializedSigVerifier();
    if (jws != null) {
        stateString = JwsUtils.verify(jws, stateString).getDecodedJwsPayload();
    }
    return stateString;
}

Example 3 with JweDecryptionProvider

use of org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider in project cxf by apache.

the class JoseConsumer method getData.

public String getData(String data) {
    super.checkProcessRequirements();
    if (isJweRequired()) {
        JweCompactConsumer jweConsumer = new JweCompactConsumer(data);
        JweDecryptionProvider theDecryptor = getInitializedDecryptionProvider(jweConsumer.getJweHeaders());
        if (theDecryptor == null) {
            throw new JwtException("Unable to decrypt JWT");
        }
        if (!isJwsRequired()) {
            return jweConsumer.getDecryptedContentText(theDecryptor);
        }
        JweDecryptionOutput decOutput = theDecryptor.decrypt(data);
        data = decOutput.getContentText();
    }
    JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(data);
    if (isJwsRequired()) {
        JwsSignatureVerifier theSigVerifier = getInitializedSignatureVerifier(jwsConsumer.getJwsHeaders());
        if (theSigVerifier == null) {
            throw new JwtException("Unable to validate JWT");
        }
        if (!jwsConsumer.verifySignatureWith(theSigVerifier)) {
            throw new JwtException("Invalid Signature");
        }
    }
    return jwsConsumer.getDecodedJwsPayload();
}

Example 4 with JweDecryptionProvider

use of org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider in project cxf by apache.

the class JWTTokenProviderTest method testCreateUnsignedEncryptedCBCJWT.

@org.junit.Test
public void testCreateUnsignedEncryptedCBCJWT() throws Exception {
    try {
        Security.addProvider(new BouncyCastleProvider());
        TokenProvider jwtTokenProvider = new JWTTokenProvider();
        ((JWTTokenProvider) jwtTokenProvider).setSignToken(false);
        TokenProviderParameters providerParameters = createProviderParameters();
        providerParameters.setEncryptToken(true);
        providerParameters.getEncryptionProperties().setEncryptionAlgorithm(ContentAlgorithm.A128CBC_HS256.name());
        assertTrue(jwtTokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
        TokenProviderResponse providerResponse = jwtTokenProvider.createToken(providerParameters);
        assertTrue(providerResponse != null);
        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
        String token = (String) providerResponse.getToken();
        assertNotNull(token);
        assertTrue(token.split("\\.").length == 5);
        if (unrestrictedPoliciesInstalled) {
            // Validate the token
            JweJwtCompactConsumer jwtConsumer = new JweJwtCompactConsumer(token);
            Properties decProperties = new Properties();
            Crypto decryptionCrypto = CryptoFactory.getInstance(getDecryptionProperties());
            KeyStore keystore = ((Merlin) decryptionCrypto).getKeyStore();
            decProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
            decProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "myservicekey");
            decProperties.put(JoseConstants.RSSEC_KEY_PSWD, "skpass");
            decProperties.put(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM, ContentAlgorithm.A128CBC_HS256.name());
            JweDecryptionProvider decProvider = JweUtils.loadDecryptionProvider(decProperties, jwtConsumer.getHeaders());
            JweDecryptionOutput decOutput = decProvider.decrypt(token);
            String decToken = decOutput.getContentText();
            JwsJwtCompactConsumer jwtJwsConsumer = new JwsJwtCompactConsumer(decToken);
            JwtToken jwt = jwtJwsConsumer.getJwtToken();
            Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
            Assert.assertEquals(providerResponse.getTokenId(), jwt.getClaim(JwtConstants.CLAIM_JWT_ID));
            Assert.assertEquals(providerResponse.getCreated().getEpochSecond(), jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
            Assert.assertEquals(providerResponse.getExpires().getEpochSecond(), jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
        }
    } finally {
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
    }
}

Example 5 with JweDecryptionProvider

use of org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider in project cxf by apache.

the class AbstractJweDecryptingFilter method decrypt.

protected JweDecryptionOutput decrypt(InputStream is) throws IOException {
    JweCompactConsumer jwe = new JweCompactConsumer(new String(IOUtils.readBytesFromStream(is), StandardCharsets.UTF_8));
    JweDecryptionProvider theDecryptor = getInitializedDecryptionProvider(jwe.getJweHeaders());
    JweDecryptionOutput out = new JweDecryptionOutput(jwe.getJweHeaders(), jwe.getDecryptedContent(theDecryptor));
    JoseUtils.traceHeaders(out.getHeaders());
    validateHeaders(out.getHeaders());
    return out;
}