Use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in the Apache CXF project.
Class JwsCompactReaderWriterTest, method testReadJwsWithJwkSignedByMac.
@Test
public void testReadJwsWithJwkSignedByMac() throws Exception {
    // Parse the compact JWS and check its HS256 MAC before trusting any header or claim in it.
    JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(ENCODED_TOKEN_WITH_JSON_KEY_SIGNED_BY_MAC);
    HmacJwsSignatureVerifier macVerifier = new HmacJwsSignatureVerifier(ENCODED_MAC_KEY, SignatureAlgorithm.HS256);
    assertTrue(consumer.verifySignatureWith(macVerifier));

    JwtToken verified = consumer.getJwtToken();
    JwsHeaders protectedHeaders = new JwsHeaders(verified.getJwsHeaders());
    assertEquals(JoseType.JWT, protectedHeaders.getType());
    assertEquals(SignatureAlgorithm.HS256, protectedHeaders.getSignatureAlgorithm());

    // The token embeds its key as a "jwk" header: an octet (symmetric) key declaring
    // exactly the sign/verify operations, in that order.
    JsonWebKey embeddedKey = protectedHeaders.getJsonWebKey();
    assertEquals(KeyType.OCTET, embeddedKey.getKeyType());
    List<KeyOperation> declaredOps = embeddedKey.getKeyOperation();
    KeyOperation[] expectedOps = {KeyOperation.SIGN, KeyOperation.VERIFY};
    assertEquals(expectedOps.length, declaredOps.size());
    for (int i = 0; i < expectedOps.length; i++) {
        assertEquals(expectedOps[i], declaredOps.get(i));
    }

    validateSpecClaim(verified.getClaims());
}
Use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in the Apache CXF project.
Class JwsJsonConsumerTest, method testVerifySingleEntryInDualSignedDocument.
@Test
public void testVerifySingleEntryInDualSignedDocument() throws Exception {
    // A JWS JSON document carrying two signatures; the public JWK set covers both signers.
    JwsJsonConsumer dualSigned = new JwsJsonConsumer(DUAL_SIGNED_DOCUMENT);
    JsonWebKeys publicKeys = readKeySet("jwkPublicJsonConsumerSet.txt");
    List<JwsJsonSignatureEntry> entries = dualSigned.getSignatureEntries();
    assertEquals(2, entries.size());

    // Resolve the first signer's key by the "kid" its signature entry advertises.
    JwsJsonSignatureEntry firstEntry = entries.get(0);
    String firstKid = firstEntry.getKeyId();
    assertEquals(KID_OF_THE_FIRST_SIGNER, firstKid);
    JsonWebKey firstSignerKey = publicKeys.getKey(firstKid);
    assertNotNull(firstSignerKey);

    JwsSignatureVerifier firstVerifier = JwsUtils.getSignatureVerifier(firstSignerKey);
    assertTrue(dualSigned.verifySignatureWith(firstVerifier));

    // verifyAndGetNonValidated returns the entries the supplied verifiers could NOT validate.
    // With only the first signer's verifier, exactly the second signer's entry must remain:
    // a consumer that needs both signatures still has to check that remaining entry itself.
    List<JwsJsonSignatureEntry> notValidated =
        dualSigned.verifyAndGetNonValidated(Collections.singletonList(firstVerifier));
    assertEquals(1, notValidated.size());
    assertEquals(KID_OF_THE_SECOND_SIGNER, notValidated.get(0).getKeyId());
}
Use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in the Apache CXF project.
Class JwsUtilsTest, method testLoadVerificationKey.
@Test
public void testLoadVerificationKey() throws Exception {
    // Keystore-backed configuration: the JKS file, its password and the alias to publish.
    Properties config = new Properties();
    config.setProperty(JoseConstants.RSSEC_KEY_STORE_FILE, "org/apache/cxf/rs/security/jose/jws/alice.jks");
    config.setProperty(JoseConstants.RSSEC_KEY_STORE_PSWD, "password");
    config.setProperty(JoseConstants.RSSEC_KEY_STORE_ALIAS, "alice");

    JsonWebKeys published = JwsUtils.loadPublicVerificationKeys(createMessage(), config);
    assertEquals(1, published.asMap().size());
    List<JsonWebKey> rsaKeys = published.getRsaKeys();
    assertEquals(1, rsaKeys.size());

    JsonWebKey alice = rsaKeys.get(0);
    assertEquals(KeyType.RSA, alice.getKeyType());
    assertEquals("alice", alice.getKeyId());
    // The public parameters (e, n) must be present ...
    assertNotNull(alice.getKeyProperty(JsonWebKey.RSA_PUBLIC_EXP));
    assertNotNull(alice.getKeyProperty(JsonWebKey.RSA_MODULUS));
    // ... and the private exponent must NOT leak into a key set intended for publication.
    assertNull(alice.getKeyProperty(JsonWebKey.RSA_PRIVATE_EXP));
    assertNull(alice.getX509Chain());
}
Use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in the Apache CXF project.
Class OidcClaimsValidator, method getInitializedSignatureVerifier.
@Override
// Resolves the verifier for this token's JWS signature. Two key sources:
//  1. self-issued tokens: the public key travels inside the token as the "sub_jwk" claim and is
//     accepted only if its JWK thumbprint equals the "sub" claim;
//  2. otherwise the key is looked up by the JWS "kid" header in keyMap, with a fetch of the
//     provider's JWK set (jwkSetClient) on a cache miss.
// If neither yields a key, the superclass header-driven verifier is used; a null verifier is an error.
protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) {
JsonWebKey key = null;
// NOTE(review): the registered JWT issuer claim is "iss" (RFC 7519); this compares a claim
// literally named "issuer". Confirm which name the self-issued tokens carry before relying on
// this branch being reachable.
if (supportSelfIssuedProvider && SELF_ISSUED_ISSUER.equals(jwt.getClaim("issuer"))) {
// "sub_jwk" is attacker-controlled input (it arrives in the token being validated). The only
// binding applied is thumbprint(sub_jwk) == "sub"; the token is then trusted exactly as far
// as that subject identifier is.
String publicKeyJson = (String) jwt.getClaim("sub_jwk");
if (publicKeyJson != null) {
JsonWebKey publicKey = JwkUtils.readJwkKey(publicKeyJson);
String thumbprint = JwkUtils.getThumbprint(publicKey);
// NOTE(review): nothing here rejects a symmetric ("oct") key in sub_jwk; presumably
// JwsUtils.getSignatureVerifier would then build an HMAC verifier from the token's own
// secret. OIDC Core §7 requires sub_jwk to be a public key — consider enforcing that.
if (thumbprint.equals(jwt.getClaim("sub"))) {
key = publicKey;
}
}
if (key == null) {
throw new SecurityException("Self-issued JWK key is invalid or not available");
}
} else {
String keyId = jwt.getJwsHeaders().getKeyId();
key = keyId != null ? keyMap.get(keyId) : null;
// NOTE(review): every token with an unknown "kid" triggers a remote JWK-set fetch. Unsigned
// garbage with a random kid can therefore drive unbounded calls to the provider; a minimum
// refresh interval / negative cache would bound that.
if (key == null && jwkSetClient != null) {
// NOTE(review): a null response from jwkSetClient would NPE below — confirm the client
// contract, or guard explicitly.
JsonWebKeys keys = jwkSetClient.get(JsonWebKeys.class);
if (keyId != null) {
key = keys.getKey(keyId);
} else if (keys.getKeys().size() == 1) {
// Token carries no "kid": accept the provider's sole key. Key "use"/"alg" vs the header
// "alg" is not checked here — presumably JwsUtils.getSignatureVerifier does that.
key = keys.getKeys().get(0);
}
// jwkSetClient returns the most up-to-date keys
// NOTE(review): clear()+putAll() is not atomic; if keyMap is shared across request
// threads (can't tell from here), a concurrent lookup may briefly see an empty map.
keyMap.clear();
keyMap.putAll(keys.getKeyIdMap());
}
}
JwsSignatureVerifier theJwsVerifier = null;
if (key != null) {
theJwsVerifier = JwsUtils.getSignatureVerifier(key);
} else {
// No key resolved: fall back to whatever the superclass derives from the JWS headers alone.
theJwsVerifier = super.getInitializedSignatureVerifier(jwt.getJwsHeaders());
}
if (theJwsVerifier == null) {
throw new SecurityException("JWS Verifier is not available");
}
return theJwsVerifier;
}
Use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in the Apache CXF project.
Class JweUtils, method loadDecryptionProvider.
/**
 * Builds the JWE decryption provider for the current message.
 * <p>
 * Key selection, in order of precedence:
 * <ol>
 *   <li>an inbound {@code x5c} header: the sender-supplied chain is validated against the
 *       configured trust material and its leaf selects the private key;</li>
 *   <li>an inbound {@code x5t} (SHA-1) or {@code x5t#S256} header: the certificate is looked up
 *       in the local store; an unknown thumbprint yields a provider with no key unwrapper;</li>
 *   <li>a configured JWK store ({@code RSSEC_KEY_STORE_TYPE == jwk}), either as a direct
 *       content-encryption key ({@code dir}) or as a key-unwrapping key;</li>
 *   <li>a PBES2 password from the configured password provider;</li>
 *   <li>otherwise the private key from the configured keystore.</li>
 * </ol>
 * In the certificate-hint cases the content algorithm is taken from the inbound {@code enc}
 * header; everywhere else it comes from configuration (default A128GCM).
 *
 * @param props     JOSE configuration properties
 * @param inHeaders inbound JWE headers, may be null
 * @return the assembled decryption provider
 * @throws JweException when a JWK store is configured but no key can be loaded, or a PBES2
 *                      algorithm is configured without a password
 */
public static JweDecryptionProvider loadDecryptionProvider(Properties props, JweHeaders inHeaders) {
    Message m = PhaseInterceptorChain.getCurrentMessage();
    // Configured defaults; the certificate-hint branches override contentAlgo from the headers.
    ContentAlgorithm contentAlgo = getContentEncryptionAlgorithm(m, props, null, ContentAlgorithm.A128GCM);
    KeyAlgorithm keyAlgo = getKeyEncryptionAlgorithm(m, props, null, null);
    KeyDecryptionProvider keyUnwrapper = null;
    SecretKey directContentKey = null;

    if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN) != null) {
        // "x5c" is untrusted input that chooses which private key gets loaded, so the chain
        // must pass validateCertificateChain before its leaf is used.
        // NOTE(review): an empty (non-null) chain would throw IndexOutOfBoundsException at get(0).
        List<X509Certificate> chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
        KeyManagementUtils.validateCertificateChain(props, chain);
        X509Certificate leaf = chain == null ? null : chain.get(0);
        contentAlgo = inHeaders.getContentEncryptionAlgorithm();
        keyUnwrapper = unwrapperForCertificate(m, props, leaf, keyAlgo);
    } else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
        // "x5t" is defined as a SHA-1 thumbprint; the lookup is against the local store only.
        X509Certificate found = KeyManagementUtils.getCertificateFromThumbprint(
            inHeaders.getX509Thumbprint(), MessageDigestUtils.ALGO_SHA_1, m, props);
        if (found != null) {
            contentAlgo = inHeaders.getContentEncryptionAlgorithm();
            keyUnwrapper = unwrapperForCertificate(m, props, found, keyAlgo);
        }
    } else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT_SHA256) != null) {
        X509Certificate found = KeyManagementUtils.getCertificateFromThumbprint(
            inHeaders.getX509ThumbprintSHA256(), MessageDigestUtils.ALGO_SHA_256, m, props);
        if (found != null) {
            contentAlgo = inHeaders.getContentEncryptionAlgorithm();
            keyUnwrapper = unwrapperForCertificate(m, props, found, keyAlgo);
        }
    } else if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
        JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.DECRYPT);
        if (jwk == null) {
            LOG.warning("Extracting the JsonWebKey failed");
            throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE);
        }
        if (KeyAlgorithm.DIRECT == keyAlgo) {
            // "dir": the JWK itself is the content-encryption key; there is no unwrapping step.
            contentAlgo = getContentEncryptionAlgorithm(
                m, props, ContentAlgorithm.getAlgorithm(jwk.getAlgorithm()), ContentAlgorithm.A128GCM);
            directContentKey = getContentDecryptionSecretKey(jwk, contentAlgo.getJwaName());
        } else {
            KeyAlgorithm jwkKeyAlgo = getKeyEncryptionAlgorithm(
                m, props, KeyAlgorithm.getAlgorithm(jwk.getAlgorithm()), getDefaultKeyAlgorithm(jwk));
            keyUnwrapper = getKeyDecryptionProvider(jwk, jwkKeyAlgo);
        }
    } else if (keyAlgo != null && AlgorithmUtils.PBES_HS_SET.contains(keyAlgo.getJwaName())) {
        PrivateKeyPasswordProvider passwordProvider =
            KeyManagementUtils.loadPasswordProvider(m, props, KeyOperation.DECRYPT);
        char[] password = passwordProvider == null ? null : passwordProvider.getPassword(props);
        if (password == null) {
            throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE);
        }
        // NOTE(review): copying the password into an immutable String means it cannot be zeroed
        // and stays on the heap until GC; worth checking whether the wrapper offers a char[] form.
        keyUnwrapper = new PbesHmacAesWrapKeyDecryptionAlgorithm(new String(password));
    } else {
        PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, KeyOperation.DECRYPT);
        KeyAlgorithm effectiveKeyAlgo = keyAlgo == null ? getDefaultPrivateKeyAlgorithm(privateKey) : keyAlgo;
        keyUnwrapper = getPrivateKeyDecryptionProvider(privateKey, effectiveKeyAlgo);
    }
    return createJweDecryptionProvider(keyUnwrapper, directContentKey, contentAlgo);
}

/**
 * Loads the private key paired with {@code cert} (for the DECRYPT operation) and wraps it in a
 * key-unwrapping provider. When no key algorithm is configured, the default for the loaded
 * private key's type is used.
 *
 * @param m                 current message (may be null, passed through to the key loader)
 * @param props             JOSE configuration properties
 * @param cert              certificate selecting the private key; may be null
 * @param configuredKeyAlgo configured key-management algorithm, or null to derive a default
 * @return the key-unwrapping provider for the selected private key
 */
private static KeyDecryptionProvider unwrapperForCertificate(Message m, Properties props,
                                                             X509Certificate cert,
                                                             KeyAlgorithm configuredKeyAlgo) {
    PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, cert, KeyOperation.DECRYPT);
    KeyAlgorithm keyAlgo = configuredKeyAlgo == null ? getDefaultPrivateKeyAlgorithm(privateKey) : configuredKeyAlgo;
    return getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
}