
Example 11 with JsonWebKey

use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in project cxf by apache.

the class JwsJoseCookBookTest method testProtectingSpecificHeaderFieldsSignature.

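/**
 * Cookbook vector: signs {@code PAYLOAD} with a protected header that carries only the
 * algorithm and an unprotected header that carries only the key id, then checks both the
 * general and the flattened JWS JSON serialization against the expected documents and
 * verifies each of them with the same HMAC key.
 *
 * @throws Exception if the key set cannot be read or signing fails
 */
@Test
public void testProtectingSpecificHeaderFieldsSignature() throws Exception {
    JwsJsonProducer jsonProducer = new JwsJsonProducer(PAYLOAD);
    // JUnit's assertEquals takes (expected, actual); keeping that order makes a
    // failure message report the cookbook vector as the expected value.
    assertEquals(PAYLOAD, jsonProducer.getPlainPayload());
    assertEquals(ENCODED_PAYLOAD, jsonProducer.getUnsignedEncodedPayload());
    // Only the algorithm is integrity-protected; the key id travels unprotected.
    JwsHeaders protectedHeader = new JwsHeaders();
    protectedHeader.setSignatureAlgorithm(SignatureAlgorithm.HS256);
    JwsHeaders unprotectedHeader = new JwsHeaders();
    unprotectedHeader.setKeyId(HMAC_KID_VALUE);
    JsonWebKeys jwks = readKeySet("cookbookSecretSet.txt");
    List<JsonWebKey> keys = jwks.getKeys();
    JsonWebKey key = keys.get(0);
    // General serialization
    jsonProducer.signWith(JwsUtils.getSignatureProvider(key, SignatureAlgorithm.HS256), protectedHeader, unprotectedHeader);
    assertEquals(PROTECTING_SPECIFIC_HEADER_FIELDS_JSON_GENERAL_SERIALIZATION, jsonProducer.getJwsJsonSignedDocument());
    JwsJsonConsumer jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
    assertTrue(jsonConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));
    // Flattened serialization (second constructor argument)
    jsonProducer = new JwsJsonProducer(PAYLOAD, true);
    jsonProducer.signWith(JwsUtils.getSignatureProvider(key, SignatureAlgorithm.HS256), protectedHeader, unprotectedHeader);
    assertEquals(PROTECTING_SPECIFIC_HEADER_FIELDS_JSON_FLATTENED_SERIALIZATION, jsonProducer.getJwsJsonSignedDocument());
    jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
    assertTrue(jsonConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));
}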

Example 12 with JsonWebKey

use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in project cxf by apache.

the class JweCompactReaderWriterTest method testRejectInvalidCurve.

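/**
 * Checks that ECDH-ES key agreement rejects an ephemeral public key ({@code epk}) that is
 * not a valid P-256 point ("invalid curve" vectors with low-order points): decryption must
 * fail with a {@link JweException} rather than complete a key agreement with the bogus key.
 *
 * @throws Exception if the receiver key cannot be parsed
 */
@Test
public void testRejectInvalidCurve() throws Exception {
    // Test vectors are provided by Antonio Sanso, test follows a pattern based
    // on a similar contribution from Antonio to jose4j.
    String receiverJwkJson = "\n{\"kty\":\"EC\",\n" + " \"crv\":\"P-256\",\n" + " \"x\":\"weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ\",\n" + " \"y\":\"e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck\",\n" + " \"d\":\"VEmDZpDXXK8p8N0Cndsxs924q6nS1RXFASRl6BfUqdw\"\n" + "}";
    JsonWebKey receiverJwk = JwkUtils.readJwkKey(receiverJwkJson);
    ECPrivateKey privateKey = JwkUtils.toECPrivateKey(receiverJwk);
    // ========================= attacking point #1 with order 113 ======================
    // The malicious JWE contains a public key with order 113
    String maliciousJWE1 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRU" + "MiLCJ4IjoiZ1Rsa" + "TY1ZVRRN3otQmgxNDdmZjhLM203azJVaURpRzJMcFlrV0FhRkpDYyIsInkiOiJjTEFuakthNGJ6akQ3REpWUHdhOUVQclJ6TUc3" + "ck9OZ3NpVUQta" + "2YzMEZzIiwiY3J2IjoiUC0yNTYifX0.qGAdxtEnrV_3zbIxU2ZKrMWcejNltjA_dtefBFnRh9A2z9cNIqYRWg.pEA5kX304PMCOm" + "FSKX_cEg.a9f" + "wUrx2JXi1OnWEMOmZhXd94-bEGCH9xxRwqcGuG2AMo-AwHoljdsH5C_kcTqlXS5p51OB1tvgQcMwB5rpTxg.72CHiYFecyDvuUa4" + "3KKT6w";
    assertDecryptionRejected(privateKey, maliciousJWE1);
    // ========================= attacking point #2 with order 2447 ======================
    // The malicious JWE contains a public key with order 2447
    String maliciousJWE2 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRU" + "MiLCJ4IjoiWE9YR1" + "E5XzZRQ3ZCZzN1OHZDSS1VZEJ2SUNBRWNOTkJyZnFkN3RHN29RNCIsInkiOiJoUW9XTm90bk56S2x3aUNuZUprTElxRG5UTnc3SXNkQ" + "kM1M1ZVcVZ" + "qVkpjIiwiY3J2IjoiUC0yNTYifX0.UGb3hX3ePAvtFB9TCdWsNkFTv9QWxSr3MpYNiSBdW630uRXRBT3sxw.6VpU84oMob16DxOR98Y" + "TRw.y1Uslv" + "tkoWdl9HpugfP0rSAkTw1xhm_LbK1iRXzGdpYqNwIG5VU33UBpKAtKFBoA1Kk_sYtfnHYAvn-aes4FTg.UZPN8h7FcvA5MIOq-Pkj8A";
    assertDecryptionRejected(privateKey, maliciousJWE2);
}

/**
 * Tries to decrypt {@code jwe} with a fresh ECDH-ES+A128KW / A128CBC-HS256 decryption
 * provider for {@code privateKey} and fails the test unless a {@link JweException} is raised.
 * A new provider is created per attempt so the two vectors do not share provider state.
 *
 * @param privateKey the receiver's P-256 private key
 * @param jwe the compact JWE expected to be rejected
 * @throws Exception if the decryption provider cannot be created
 */
private static void assertDecryptionRejected(ECPrivateKey privateKey, String jwe) throws Exception {
    JweDecryptionProvider jweIn = JweUtils.createJweDecryptionProvider(privateKey, KeyAlgorithm.ECDH_ES_A128KW, ContentAlgorithm.A128CBC_HS256);
    try {
        jweIn.decrypt(jwe);
        fail("Decryption should have failed due to invalid curve");
    } catch (JweException expected) {
        // expected: the off-curve ephemeral key must be rejected
    }
}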

Example 13 with JsonWebKey

use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in project cxf by apache.

the class JoseHeaders method getJsonWebKey.

/**
 * Returns the header named {@code headerName} as a {@link JsonWebKey}.
 * <p>
 * A value that is already a {@code JsonWebKey} is returned as-is; a {@code Map} (the parsed
 * JSON object form of the key) is wrapped in a new {@code JsonWebKey}. Any other value type
 * fails the {@code Map} cast with a {@link ClassCastException}.
 *
 * @param headerName the header name to look up
 * @return the key, or {@code null} when the header is absent
 */
public JsonWebKey getJsonWebKey(String headerName) {
    Object raw = getHeader(headerName);
    if (raw == null) {
        return null;
    }
    if (raw instanceof JsonWebKey) {
        return (JsonWebKey) raw;
    }
    // Otherwise the header is expected to hold the key's JSON object as a Map
    Map<String, Object> keyProps = CastUtils.cast((Map<?, ?>) raw);
    return new JsonWebKey(keyProps);
}

Example 14 with JsonWebKey

use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in project cxf by apache.

the class AbstractJweJsonWriterProvider method getInitializedEncryptionProviders.

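/**
 * Builds one {@link JweEncryptionProvider} per recipient, all sharing a single
 * {@link ContentEncryptionProvider} so that the content encryption key is generated once
 * and then wrapped separately for each recipient with that recipient's own
 * {@link KeyEncryptionProvider}.
 * <p>
 * All recipients must be configured with the same content encryption algorithm, and the
 * {@code DIRECT} key algorithm is only accepted when there is exactly one recipient. When
 * every recipient uses the same key encryption algorithm it is promoted into the shared
 * protected headers and dropped from the per-recipient unprotected headers.
 *
 * @param propLocs locations of the per-recipient JWE property files
 * @param sharedProtectedHeaders protected headers shared by all recipients; updated with the
 *        content algorithm and, when common to all recipients, the key algorithm
 * @param perRecipientUnprotectedHeaders one unprotected header set per recipient, indexed in
 *        parallel with {@code propLocs} (must be at least as long)
 * @return the providers, one per recipient; for {@code DIRECT} the list is empty when no
 *         encryption key can be loaded from the properties
 * @throws JweException if the content algorithms differ, none is configured, or
 *         {@code DIRECT} is used with more than one recipient
 */
protected List<JweEncryptionProvider> getInitializedEncryptionProviders(List<String> propLocs, JweHeaders sharedProtectedHeaders, List<JweHeaders> perRecipientUnprotectedHeaders) {
    // NOTE(review): encProviders is read here but never assigned in this method;
    // presumably populated elsewhere (e.g. by injection) — confirm.
    if (encProviders != null) {
        return encProviders;
    }
    // The task is to have a single ContentEncryptionProvider instance,
    // configured to generate CEK only once, paired with all the loaded
    // KeyEncryptionProviders to have JweEncryptionProviders initialized
    Message m = JAXRSUtils.getCurrentMessage();
    // Load all the properties
    List<Properties> propsList = new ArrayList<Properties>(propLocs.size());
    for (String propLoc : propLocs) {
        propsList.add(JweUtils.loadJweProperties(m, propLoc));
    }
    ContentAlgorithm ctAlgo = null;
    // This set is to find out how many key encryption algorithms are used
    // If only one then save it in the shared protected headers as opposed to
    // per-recipient specific not protected ones
    Set<KeyAlgorithm> keyAlgos = new HashSet<KeyAlgorithm>();
    List<KeyEncryptionProvider> keyProviders = new ArrayList<KeyEncryptionProvider>(propsList.size());
    for (int i = 0; i < propsList.size(); i++) {
        Properties props = propsList.get(i);
        ContentAlgorithm currentCtAlgo = JweUtils.getContentEncryptionAlgorithm(m, props, ContentAlgorithm.A128GCM);
        if (ctAlgo == null) {
            ctAlgo = currentCtAlgo;
        } else if (currentCtAlgo != null && !ctAlgo.equals(currentCtAlgo)) {
            // ctAlgo must be the same for all the recipients
            throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
        }
        JweHeaders perRecipientUnprotectedHeader = perRecipientUnprotectedHeaders.get(i);
        KeyEncryptionProvider keyEncryptionProvider = JweUtils.loadKeyEncryptionProvider(props, m, perRecipientUnprotectedHeader);
        // DIRECT means the recipient key is the CEK itself, which cannot be shared
        // across several recipients
        if (keyEncryptionProvider.getAlgorithm() == KeyAlgorithm.DIRECT && propsList.size() > 1) {
            throw new JweException(JweException.Error.INVALID_JSON_JWE);
        }
        keyProviders.add(keyEncryptionProvider);
        keyAlgos.add(perRecipientUnprotectedHeader.getKeyEncryptionAlgorithm());
    }
    if (ctAlgo == null) {
        throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
    }
    sharedProtectedHeaders.setContentEncryptionAlgorithm(ctAlgo);
    List<JweEncryptionProvider> theEncProviders = new ArrayList<JweEncryptionProvider>(keyProviders.size());
    if (keyProviders.size() == 1 && keyProviders.get(0).getAlgorithm() == KeyAlgorithm.DIRECT) {
        JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, propsList.get(0), KeyOperation.ENCRYPT);
        if (jwk != null) {
            ContentEncryptionProvider ctProvider = JweUtils.getContentEncryptionProvider(jwk, ctAlgo);
            theEncProviders.add(new JweEncryption(keyProviders.get(0), ctProvider));
        }
    } else {
        ContentEncryptionProvider ctProvider = JweUtils.getContentEncryptionProvider(ctAlgo, true);
        // Each recipient wraps the shared CEK with its own key encryption provider
        // (the original code reused the first provider for every recipient)
        for (KeyEncryptionProvider keyProvider : keyProviders) {
            theEncProviders.add(new JweEncryption(keyProvider, ctProvider));
        }
    }
    if (keyAlgos.size() == 1) {
        sharedProtectedHeaders.setKeyEncryptionAlgorithm(keyAlgos.iterator().next());
        for (JweHeaders unprotectedHeader : perRecipientUnprotectedHeaders) {
            unprotectedHeader.removeProperty(JoseConstants.JWE_HEADER_KEY_ENC_ALGORITHM);
        }
    }
    return theEncProviders;
}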

Example 15 with JsonWebKey

use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in project cxf by apache.

the class BookStore method getRecipientText.

/**
 * Decrypts the recipient entry identified by {@code recipientKid} from a JWE JSON document
 * and returns its plaintext.
 * <p>
 * The recipient's key is looked up by kid in the JWK set referenced by the properties at
 * {@code recipientPropLoc}; the content algorithm comes from the same properties.
 *
 * @param consumer the parsed JWE JSON document
 * @param recipientPropLoc location of the recipient's JWE properties
 * @param recipientKid key id selecting both the JWK and the recipient entry
 * @return the decrypted content as text
 */
private String getRecipientText(JweJsonConsumer consumer, String recipientPropLoc, String recipientKid) {
    Message currentMessage = JAXRSUtils.getCurrentMessage();
    Properties props = JweUtils.loadJweProperties(currentMessage, recipientPropLoc);
    ContentAlgorithm contentAlgo = JweUtils.getContentEncryptionAlgorithm(props);
    // Key lookup by kid; a missing kid yields null here and fails when the provider is built
    JsonWebKey recipientJwk = JwkUtils.loadJwkSet(currentMessage, props, null).getKey(recipientKid);
    JweDecryptionProvider decryptor = JweUtils.createJweDecryptionProvider(recipientJwk, contentAlgo);
    // Select the recipient entry whose unprotected header carries this kid
    JweDecryptionOutput output = consumer.decryptWith(decryptor, Collections.singletonMap("kid", recipientKid));
    return output.getContentText();
}
