Use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in project cxf by apache.
The class JweUtils, method loadKeyEncryptionProvider.
/**
 * Builds the {@link KeyEncryptionProvider} that protects the content encryption key of an
 * outgoing JWE and records the selected key-management algorithm in {@code headers}.
 * <p>
 * Resolution order, driven by {@code props} and the message context:
 * <ul>
 *   <li>{@code KeyAlgorithm.DIRECT}: a {@link DirectKeyEncryptionAlgorithm}.</li>
 *   <li>A PBES2 algorithm (member of {@code AlgorithmUtils.PBES_HS_SET}): a password-based key
 *       wrapper whose password comes from the configured {@link PrivateKeyPasswordProvider}.
 *       This path returns early and does not set the key-encryption header.</li>
 *   <li>Otherwise either a key from a JWK store ({@code RSSEC_KEY_STORE_TYPE} equal to
 *       {@code JoseConstants.HEADER_JSON_WEB_KEY}) or a public key loaded through
 *       {@link KeyManagementUtils}; the optional certificate chain, certificate digest, public key
 *       (JWK store only) and key id headers are added on request.</li>
 * </ul>
 *
 * @param props   JOSE configuration (key store type and alias, header inclusion flags)
 * @param m       current message, consulted for contextual overrides of the same settings
 * @param headers outgoing JWE headers, decorated in place
 * @return a non-null key encryption provider
 * @throws JweException {@code KEY_ENCRYPTION_FAILURE} when a PBES2 algorithm is selected but no
 *         password is available; {@code INVALID_KEY_ALGORITHM} when no provider could be built
 */
public static KeyEncryptionProvider loadKeyEncryptionProvider(Properties props, Message m, JweHeaders headers) {
    KeyAlgorithm keyAlgo = getKeyEncryptionAlgorithm(m, props, null, null);

    if (KeyAlgorithm.DIRECT == keyAlgo) {
        KeyEncryptionProvider direct = new DirectKeyEncryptionAlgorithm();
        headers.setKeyEncryptionAlgorithm(direct.getAlgorithm());
        return direct;
    }

    if (keyAlgo != null && AlgorithmUtils.PBES_HS_SET.contains(keyAlgo.getJwaName())) {
        PrivateKeyPasswordProvider passwordProvider =
            KeyManagementUtils.loadPasswordProvider(m, props, KeyOperation.ENCRYPT);
        char[] password = passwordProvider == null ? null : passwordProvider.getPassword(props);
        if (password == null) {
            throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
        }
        int iterationCount =
            MessageUtils.getContextualInteger(m, JoseConstants.RSSEC_ENCRYPTION_PBES2_COUNT, 4096);
        // NOTE(review): the constructor invoked here takes a String, so the password is copied
        // into an immutable object that cannot be zeroed once the provider is built.
        // Unlike the other paths, the key-encryption header is not set here.
        return new PbesHmacAesWrapKeyEncryptionAlgorithm(new String(password), iterationCount, keyAlgo, false);
    }

    // Header inclusion flags are resolved once, before any key material is loaded.
    boolean includeCert =
        JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_CERT);
    boolean includeCertSha1 =
        JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_CERT_SHA1);
    boolean includeCertSha256 =
        JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_CERT_SHA256);
    boolean includeKeyId =
        JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_KEY_ID);

    KeyEncryptionProvider provider;
    if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
        JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.ENCRYPT);
        if (jwk == null) {
            // No key, no provider: same outcome as the final null check below.
            throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
        }
        // The key's own "alg" and its key-type default refine the configured algorithm.
        keyAlgo = getKeyEncryptionAlgorithm(m, props,
            KeyAlgorithm.getAlgorithm(jwk.getAlgorithm()), getDefaultKeyAlgorithm(jwk));
        provider = getKeyEncryptionProvider(jwk, keyAlgo);
        // Only the JWK store path honours the "include public key" flag.
        boolean includePublicKey =
            JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_PUBLIC_KEY);
        if (includeCert) {
            JwkUtils.includeCertChain(jwk, headers, keyAlgo.getJwaName());
        }
        if (includeCertSha1) {
            KeyManagementUtils.setSha1DigestHeader(headers, m, props);
        } else if (includeCertSha256) {
            KeyManagementUtils.setSha256DigestHeader(headers, m, props);
        }
        if (includePublicKey) {
            JwkUtils.includePublicKey(jwk, headers, keyAlgo.getJwaName());
        }
        if (includeKeyId && jwk.getKeyId() != null) {
            headers.setKeyId(jwk.getKeyId());
        }
    } else {
        provider = getPublicKeyEncryptionProvider(KeyManagementUtils.loadPublicKey(m, props), props, keyAlgo);
        if (includeCert) {
            headers.setX509Chain(KeyManagementUtils.loadAndEncodeX509CertificateOrChain(m, props));
        }
        if (includeCertSha1) {
            KeyManagementUtils.setSha1DigestHeader(headers, m, props);
        } else if (includeCertSha256) {
            KeyManagementUtils.setSha256DigestHeader(headers, m, props);
        }
        // The key store alias doubles as the "kid" when a certificate store is used.
        if (includeKeyId && props.containsKey(JoseConstants.RSSEC_KEY_STORE_ALIAS)) {
            headers.setKeyId(props.getProperty(JoseConstants.RSSEC_KEY_STORE_ALIAS));
        }
    }

    if (provider == null) {
        throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
    }
    headers.setKeyEncryptionAlgorithm(provider.getAlgorithm());
    return provider;
}
Use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in project cxf by apache.
The class JweUtils, method loadEncryptionProvider.
/**
 * Assembles the complete {@link JweEncryptionProvider} (key management plus content encryption)
 * for an outgoing JWE.
 * <p>
 * The key encryption provider is resolved first, which also populates {@code headers}. The content
 * algorithm defaults to {@code A128GCM}; with direct key agreement ({@code KeyAlgorithm.DIRECT})
 * the symmetric JWK from the configured store may override it and supplies the content
 * encryption provider. The content algorithm is recorded on the message
 * ({@code RSSEC_ENCRYPTION_CONTENT_ALGORITHM}) before that override is applied, so the recorded
 * value may differ from the one finally used on the direct path.
 *
 * @param props   JOSE configuration
 * @param m       current message, may be {@code null}
 * @param headers outgoing JWE headers, decorated in place
 * @return the encryption provider to use for this message
 */
public static JweEncryptionProvider loadEncryptionProvider(Properties props, Message m, JweHeaders headers) {
    final KeyEncryptionProvider keyProvider = loadKeyEncryptionProvider(props, m, headers);

    ContentAlgorithm contentAlgo = getContentEncryptionAlgorithm(m, props, null, ContentAlgorithm.A128GCM);
    if (m != null) {
        m.put(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM, contentAlgo.getJwaName());
    }

    ContentEncryptionProvider contentProvider = null;
    if (KeyAlgorithm.DIRECT == keyProvider.getAlgorithm()) {
        JsonWebKey directKey = JwkUtils.loadJsonWebKey(m, props, KeyOperation.ENCRYPT);
        if (directKey != null) {
            ContentAlgorithm fromKey = null;
            if (directKey.getAlgorithm() != null) {
                fromKey = ContentAlgorithm.getAlgorithm(directKey.getAlgorithm());
            }
            contentAlgo = getContentEncryptionAlgorithm(m, props, fromKey, contentAlgo);
            contentProvider = getContentEncryptionProvider(directKey, contentAlgo);
        }
    }

    String zipAlgorithm = props.getProperty(JoseConstants.RSSEC_ENCRYPTION_ZIP_ALGORITHM);
    return createJweEncryptionProvider(keyProvider, contentProvider, contentAlgo, zipAlgorithm, headers);
}
Use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in project cxf by apache.
The class JwsUtils, method loadSignatureVerifier.
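/**
 * Resolves the {@link JwsSignatureVerifier} for an incoming JWS.
 * <p>
 * Key material carried in the protected headers is consulted first, each path gated separately:
 * <ul>
 *   <li>{@code jwk}: honoured only when {@code RSSEC_ACCEPT_PUBLIC_KEY} is enabled on the message
 *       and, if a {@code kid} is present, it matches the embedded key's id.</li>
 *   <li>{@code x5c}: the chain is validated via {@link KeyManagementUtils#validateCertificateChain}
 *       before its first certificate is used.</li>
 *   <li>{@code x5t} / {@code x5t#S256}: the certificate is looked up by thumbprint in the local
 *       store; an unknown thumbprint falls through to the configured key below.</li>
 * </ul>
 * Otherwise the verifier is built from the configured JWK store (selected by the incoming
 * {@code kid} when present) or from the configured X.509 certificate. A {@link
 * NoneJwsSignatureVerifier} is returned only when the configured algorithm is {@code none} and
 * the incoming {@code alg} header says so as well.
 * <p>
 * On the header-supplied key paths the signature algorithm is also taken from the incoming
 * headers ({@code inHeaders.getSignatureAlgorithm()}); see the TODO below about cross-checking
 * it against the configured algorithm.
 *
 * @param m         current message, may be {@code null}
 * @param props     JOSE configuration (key store type and alias, trust settings)
 * @param inHeaders protected headers of the JWS being verified, may be {@code null}
 * @return a non-null verifier
 * @throws JwsException {@code INVALID_KEY} when an embedded JWK is rejected; {@code NO_VERIFIER}
 *         when no verifier could be built
 */
public static JwsSignatureVerifier loadSignatureVerifier(Message m, Properties props, JwsHeaders inHeaders) {
    JwsSignatureVerifier theVerifier = null;
    String inHeaderKid = null;
    if (inHeaders != null) {
        inHeaderKid = inHeaders.getKeyId();
        // TODO: optionally validate inHeaders.getAlgorithm against a property in props
        if (inHeaders.getHeader(JoseConstants.HEADER_JSON_WEB_KEY) != null) {
            JsonWebKey publicJwk = inHeaders.getJsonWebKey();
            // An embedded public key is supplied by the sender: require explicit opt-in and,
            // when a kid is present, consistency with the embedded key before trusting it.
            boolean kidMismatch = inHeaderKid != null && !inHeaderKid.equals(publicJwk.getKeyId());
            if (kidMismatch
                || !MessageUtils.getContextualBoolean(m, JoseConstants.RSSEC_ACCEPT_PUBLIC_KEY, false)) {
                throw new JwsException(JwsException.Error.INVALID_KEY);
            }
            return getSignatureVerifier(publicJwk, inHeaders.getSignatureAlgorithm());
        } else if (inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN) != null) {
            List<X509Certificate> chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
            // The chain must validate against the configured trust settings before use.
            KeyManagementUtils.validateCertificateChain(props, chain);
            return getPublicKeySignatureVerifier(chain.get(0), inHeaders.getSignatureAlgorithm());
        } else if (inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
            X509Certificate foundCert = KeyManagementUtils.getCertificateFromThumbprint(
                inHeaders.getX509Thumbprint(), MessageDigestUtils.ALGO_SHA_1, m, props);
            if (foundCert != null) {
                return getPublicKeySignatureVerifier(foundCert, inHeaders.getSignatureAlgorithm());
            }
        } else if (inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT_SHA256) != null) {
            X509Certificate foundCert = KeyManagementUtils.getCertificateFromThumbprint(
                inHeaders.getX509ThumbprintSHA256(), MessageDigestUtils.ALGO_SHA_256, m, props);
            if (foundCert != null) {
                return getPublicKeySignatureVerifier(foundCert, inHeaders.getSignatureAlgorithm());
            }
        }
    }

    if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
        JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.VERIFY, inHeaderKid);
        if (jwk != null) {
            SignatureAlgorithm signatureAlgo = getSignatureAlgorithm(m, props,
                SignatureAlgorithm.getAlgorithm(jwk.getAlgorithm()), getDefaultKeyAlgorithm(jwk));
            theVerifier = getSignatureVerifier(jwk, signatureAlgo);
        }
    } else {
        SignatureAlgorithm signatureAlgo = getSignatureAlgorithm(m, props, null, null);
        // The unsigned "none" verifier needs both sides to agree; without incoming headers there
        // is nothing to agree with, so fall through to the certificate-based verifier instead of
        // dereferencing a null inHeaders.
        if (signatureAlgo == SignatureAlgorithm.NONE
            && inHeaders != null
            && SignatureAlgorithm.NONE.getJwaName().equals(inHeaders.getAlgorithm())) {
            theVerifier = new NoneJwsSignatureVerifier();
        } else {
            X509Certificate[] certs = KeyManagementUtils.loadX509CertificateOrChain(m, props);
            if (certs != null && certs.length > 0) {
                theVerifier = getPublicKeySignatureVerifier(certs[0], signatureAlgo);
            }
        }
    }

    if (theVerifier == null) {
        LOG.warning("Verifier is not available");
        throw new JwsException(JwsException.Error.NO_VERIFIER);
    }
    return theVerifier;
}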
Use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in project cxf by apache.
The class JwkJoseCookBookTest, method validatePrivateSet.
/**
 * Checks a cookbook private key set: exactly two keys, an EC key first and an RSA key second,
 * each with the expected number of JWK members, then delegates to the per-key validators.
 *
 * @param jwks the parsed private key set
 * @throws Exception propagated from the per-key validators
 */
private void validatePrivateSet(JsonWebKeys jwks) throws Exception {
    final int expectedEcMembers = 7;
    final int expectedRsaMembers = 11;

    List<JsonWebKey> keys = jwks.getKeys();
    assertEquals(2, keys.size());

    JsonWebKey first = keys.get(0);
    assertEquals(expectedEcMembers, first.asMap().size());
    validatePrivateEcKey(first);

    JsonWebKey second = keys.get(1);
    assertEquals(expectedRsaMembers, second.asMap().size());
    validatePrivateRsaKey(second);
}
Use of org.apache.cxf.rs.security.jose.jwk.JsonWebKey in project cxf by apache.
The class JwkJoseCookBookTest, method testPublicSetAsList.
/**
 * Reads the cookbook public key set and checks it as a list: two keys, an EC key first and an
 * RSA key second, each with the expected number of public JWK members, then delegates to the
 * per-key validators.
 *
 * @throws Exception propagated from reading the set or from the per-key validators
 */
@Test
public void testPublicSetAsList() throws Exception {
    final int expectedEcMembers = 6;
    final int expectedRsaMembers = 5;

    List<JsonWebKey> keys = readKeySet("cookbookPublicSet.txt").getKeys();
    assertEquals(2, keys.size());

    JsonWebKey first = keys.get(0);
    assertEquals(expectedEcMembers, first.asMap().size());
    validatePublicEcKey(first);

    JsonWebKey second = keys.get(1);
    assertEquals(expectedRsaMembers, second.asMap().size());
    validatePublicRsaKey(second);
}