Example 1 with JweJwtCompactConsumer

Use of org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer in project cxf by apache.

The class JoseJwtConsumer, method getJwtToken.

public JwtToken getJwtToken(String wrappedJwtToken, JweDecryptionProvider theDecryptor, JwsSignatureVerifier theSigVerifier) {
    super.checkProcessRequirements();
    JweHeaders jweHeaders = new JweHeaders();
    if (isJweRequired()) {
        JweJwtCompactConsumer jwtConsumer = new JweJwtCompactConsumer(wrappedJwtToken);
        if (theDecryptor == null) {
            theDecryptor = getInitializedDecryptionProvider(jwtConsumer.getHeaders());
        }
        if (theDecryptor == null) {
            throw new JwtException("Unable to decrypt JWT");
        }
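        if (!isJwsRequired()) {
            // Encrypted-only token: return straight after decryption. This path
            // does not reach the signature check or validateToken(jwt) below.
            return jwtConsumer.decryptWith(theDecryptor);
        }
        // Nested token: decrypt the outer JWE and treat its plaintext as a compact JWS
        JweDecryptionOutput decOutput = theDecryptor.decrypt(wrappedJwtToken);
        wrappedJwtToken = decOutput.getContentText();
        jweHeaders = decOutput.getHeaders();
    }
    // Parse headers and claims only; the signature is verified further down
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(wrappedJwtToken);
    JwtToken jwt = jwtConsumer.getJwtToken();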
    // Store the encryption headers as well
    jwt = new JwtToken(jwt.getJwsHeaders(), jweHeaders, jwt.getClaims());
    if (isJwsRequired()) {
        if (theSigVerifier == null) {
            theSigVerifier = getInitializedSignatureVerifier(jwt);
        }
        if (theSigVerifier == null) {
            throw new JwtException("Unable to validate JWT");
        }
        if (!jwtConsumer.verifySignatureWith(theSigVerifier)) {
            throw new JwtException("Invalid Signature");
        }
    }
    validateToken(jwt);
    return jwt;
}
Also used: JweDecryptionOutput (org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput), JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer), JweJwtCompactConsumer (org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer), JweHeaders (org.apache.cxf.rs.security.jose.jwe.JweHeaders)

Example 2 with JweJwtCompactConsumer

Use of org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer in project cxf by apache.

The class JWTTokenProviderTest, method testCreateUnsignedEncryptedCBCJWT.

@org.junit.Test
public void testCreateUnsignedEncryptedCBCJWT() throws Exception {
    try {
        Security.addProvider(new BouncyCastleProvider());
        TokenProvider jwtTokenProvider = new JWTTokenProvider();
        ((JWTTokenProvider) jwtTokenProvider).setSignToken(false);
        TokenProviderParameters providerParameters = createProviderParameters();
        providerParameters.setEncryptToken(true);
        providerParameters.getEncryptionProperties().setEncryptionAlgorithm(ContentAlgorithm.A128CBC_HS256.name());
        assertTrue(jwtTokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
        TokenProviderResponse providerResponse = jwtTokenProvider.createToken(providerParameters);
        assertNotNull(providerResponse);
        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
        String token = (String) providerResponse.getToken();
        assertNotNull(token);
        assertTrue(token.split("\\.").length == 5);
        if (unrestrictedPoliciesInstalled) {
            // Validate the token
            JweJwtCompactConsumer jwtConsumer = new JweJwtCompactConsumer(token);
            Properties decProperties = new Properties();
            Crypto decryptionCrypto = CryptoFactory.getInstance(getDecryptionProperties());
            KeyStore keystore = ((Merlin) decryptionCrypto).getKeyStore();
            decProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
            decProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "myservicekey");
            decProperties.put(JoseConstants.RSSEC_KEY_PSWD, "skpass");
            decProperties.put(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM, ContentAlgorithm.A128CBC_HS256.name());
            JweDecryptionProvider decProvider = JweUtils.loadDecryptionProvider(decProperties, jwtConsumer.getHeaders());
            JweDecryptionOutput decOutput = decProvider.decrypt(token);
            String decToken = decOutput.getContentText();
            JwsJwtCompactConsumer jwtJwsConsumer = new JwsJwtCompactConsumer(decToken);
            JwtToken jwt = jwtJwsConsumer.getJwtToken();
            Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
            Assert.assertEquals(providerResponse.getTokenId(), jwt.getClaim(JwtConstants.CLAIM_JWT_ID));
            Assert.assertEquals(providerResponse.getCreated().getEpochSecond(), jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
            Assert.assertEquals(providerResponse.getExpires().getEpochSecond(), jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
        }
    } finally {
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
    }
}
Also used: StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties), EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties), SignatureProperties (org.apache.cxf.sts.SignatureProperties), Properties (java.util.Properties), KeyStore (java.security.KeyStore), JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken), JWTTokenProvider (org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider), Crypto (org.apache.wss4j.common.crypto.Crypto), JweDecryptionOutput (org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput), JweDecryptionProvider (org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider), JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer), JweJwtCompactConsumer (org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer), Merlin (org.apache.wss4j.common.crypto.Merlin), BouncyCastleProvider (org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 3 with JweJwtCompactConsumer

Use of org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer in project testcases by coheigea.

The class UserInfoTest, method testEncryptedUserInfo.

@org.junit.Test
public void testEncryptedUserInfo() throws Exception {
    URL busFile = UserInfoTest.class.getResource("cxf-client.xml");
    String address = "https://localhost:" + PORT + "/services/";
    WebClient client = WebClient.create(address, setupProviders(), "alice", "security", busFile.toString());
    // Save the Cookie for the second request...
    WebClient.getConfig(client).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    // Get Authorization Code
    String code = getAuthorizationCode(client, "openid");
    assertNotNull(code);
    // Now get the access token
    client = WebClient.create(address, setupProviders(), "consumer-id", "this-is-a-secret", busFile.toString());
    // Save the Cookie for the second request...
    WebClient.getConfig(client).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    ClientAccessToken accessToken = getAccessTokenWithAuthorizationCode(client, code);
    assertNotNull(accessToken.getTokenKey());
    assertTrue(accessToken.getApprovedScope().contains("openid"));
    // Now invoke on the UserInfo service with the access token
    String userInfoAddress = "https://localhost:" + USERINFO_PORT + "/services/encrypted/userinfo";
    WebClient userInfoClient = WebClient.create(userInfoAddress, busFile.toString());
    userInfoClient.accept("application/jwt");
    userInfoClient.header("Authorization", "Bearer " + accessToken.getTokenKey());
    Response serviceResponse = userInfoClient.get();
    assertEquals(200, serviceResponse.getStatus());
    String token = serviceResponse.readEntity(String.class);
    assertNotNull(token);
    KeyStore keystore = KeyStore.getInstance("JKS");
    keystore.load(Loader.getResource("clientstore.jks").openStream(), "cspass".toCharArray());
    JweJwtCompactConsumer jwtConsumer = new JweJwtCompactConsumer(token);
    PrivateKey privateKey = (PrivateKey) keystore.getKey("myclientkey", "ckpass".toCharArray());
    JwtToken jwt = jwtConsumer.decryptWith(privateKey);
    assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
    assertEquals("consumer-id", jwt.getClaim(JwtConstants.CLAIM_AUDIENCE));
}
Also used: Response (javax.ws.rs.core.Response), JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken), PrivateKey (java.security.PrivateKey), ClientAccessToken (org.apache.cxf.rs.security.oauth2.common.ClientAccessToken), JweJwtCompactConsumer (org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer), WebClient (org.apache.cxf.jaxrs.client.WebClient), KeyStore (java.security.KeyStore), URL (java.net.URL)

Example 4 with JweJwtCompactConsumer

Use of org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer in project cxf by apache.

The class JWTTokenProviderTest, method testCreateSignedEncryptedJWT.

@org.junit.Test
public void testCreateSignedEncryptedJWT() throws Exception {
    TokenProvider jwtTokenProvider = new JWTTokenProvider();
    TokenProviderParameters providerParameters = createProviderParameters();
    providerParameters.setEncryptToken(true);
    assertTrue(jwtTokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
    TokenProviderResponse providerResponse = jwtTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
    String token = (String) providerResponse.getToken();
    assertNotNull(token);
    assertTrue(token.split("\\.").length == 5);
    if (unrestrictedPoliciesInstalled) {
        // Validate the token
        JweJwtCompactConsumer jwtConsumer = new JweJwtCompactConsumer(token);
        Properties decProperties = new Properties();
        Crypto decryptionCrypto = CryptoFactory.getInstance(getDecryptionProperties());
        KeyStore keystore = ((Merlin) decryptionCrypto).getKeyStore();
        decProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
        decProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "myservicekey");
        decProperties.put(JoseConstants.RSSEC_KEY_PSWD, "skpass");
        JweDecryptionProvider decProvider = JweUtils.loadDecryptionProvider(decProperties, jwtConsumer.getHeaders());
        JweDecryptionOutput decOutput = decProvider.decrypt(token);
        String decToken = decOutput.getContentText();
        JwsJwtCompactConsumer jwtJwsConsumer = new JwsJwtCompactConsumer(decToken);
        JwtToken jwt = jwtJwsConsumer.getJwtToken();
        Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
        Assert.assertEquals(providerResponse.getTokenId(), jwt.getClaim(JwtConstants.CLAIM_JWT_ID));
        Assert.assertEquals(providerResponse.getCreated().getEpochSecond(), jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
        Assert.assertEquals(providerResponse.getExpires().getEpochSecond(), jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
    }
}
Also used: StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties), EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties), SignatureProperties (org.apache.cxf.sts.SignatureProperties), Properties (java.util.Properties), KeyStore (java.security.KeyStore), JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken), JWTTokenProvider (org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider), Crypto (org.apache.wss4j.common.crypto.Crypto), JweDecryptionOutput (org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput), JweDecryptionProvider (org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider), JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer), JweJwtCompactConsumer (org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer), Merlin (org.apache.wss4j.common.crypto.Merlin)

Example 5 with JweJwtCompactConsumer

Use of org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer in project cxf by apache.

The class JWTTokenProviderTest, method testCreateUnsignedEncryptedJWT.

@org.junit.Test
public void testCreateUnsignedEncryptedJWT() throws Exception {
    TokenProvider jwtTokenProvider = new JWTTokenProvider();
    ((JWTTokenProvider) jwtTokenProvider).setSignToken(false);
    TokenProviderParameters providerParameters = createProviderParameters();
    providerParameters.setEncryptToken(true);
    assertTrue(jwtTokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
    TokenProviderResponse providerResponse = jwtTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
    String token = (String) providerResponse.getToken();
    assertNotNull(token);
    assertTrue(token.split("\\.").length == 5);
    if (unrestrictedPoliciesInstalled) {
        // Validate the token
        JweJwtCompactConsumer jwtConsumer = new JweJwtCompactConsumer(token);
        Properties decProperties = new Properties();
        Crypto decryptionCrypto = CryptoFactory.getInstance(getDecryptionProperties());
        KeyStore keystore = ((Merlin) decryptionCrypto).getKeyStore();
        decProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
        decProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "myservicekey");
        decProperties.put(JoseConstants.RSSEC_KEY_PSWD, "skpass");
        JweDecryptionProvider decProvider = JweUtils.loadDecryptionProvider(decProperties, jwtConsumer.getHeaders());
        JweDecryptionOutput decOutput = decProvider.decrypt(token);
        String decToken = decOutput.getContentText();
        JwsJwtCompactConsumer jwtJwsConsumer = new JwsJwtCompactConsumer(decToken);
        JwtToken jwt = jwtJwsConsumer.getJwtToken();
        Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
        Assert.assertEquals(providerResponse.getTokenId(), jwt.getClaim(JwtConstants.CLAIM_JWT_ID));
        Assert.assertEquals(providerResponse.getCreated().getEpochSecond(), jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
        Assert.assertEquals(providerResponse.getExpires().getEpochSecond(), jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
    }
}
Also used: StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties), EncryptionProperties (org.apache.cxf.sts.service.EncryptionProperties), SignatureProperties (org.apache.cxf.sts.SignatureProperties), Properties (java.util.Properties), KeyStore (java.security.KeyStore), JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken), JWTTokenProvider (org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider), Crypto (org.apache.wss4j.common.crypto.Crypto), JweDecryptionOutput (org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput), JweDecryptionProvider (org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider), JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer), JweJwtCompactConsumer (org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer), Merlin (org.apache.wss4j.common.crypto.Merlin)
