Example 16 with JwsHeaders
use of org.apache.cxf.rs.security.jose.jws.JwsHeaders in project cxf by apache.
the class JwsJoseCookBookTest method testProtectingSpecificHeaderFieldsSignature.
@Test
public void testProtectingSpecificHeaderFieldsSignature() throws Exception {
JwsJsonProducer jsonProducer = new JwsJsonProducer(PAYLOAD);
assertEquals(jsonProducer.getPlainPayload(), PAYLOAD);
assertEquals(jsonProducer.getUnsignedEncodedPayload(), ENCODED_PAYLOAD);
JwsHeaders protectedHeader = new JwsHeaders();
protectedHeader.setSignatureAlgorithm(SignatureAlgorithm.HS256);
JwsHeaders unprotectedHeader = new JwsHeaders();
unprotectedHeader.setKeyId(HMAC_KID_VALUE);
JsonWebKeys jwks = readKeySet("cookbookSecretSet.txt");
List<JsonWebKey> keys = jwks.getKeys();
JsonWebKey key = keys.get(0);
jsonProducer.signWith(JwsUtils.getSignatureProvider(key, SignatureAlgorithm.HS256), protectedHeader, unprotectedHeader);
assertEquals(jsonProducer.getJwsJsonSignedDocument(), PROTECTING_SPECIFIC_HEADER_FIELDS_JSON_GENERAL_SERIALIZATION);
JwsJsonConsumer jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
assertTrue(jsonConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));
jsonProducer = new JwsJsonProducer(PAYLOAD, true);
jsonProducer.signWith(JwsUtils.getSignatureProvider(key, SignatureAlgorithm.HS256), protectedHeader, unprotectedHeader);
assertEquals(jsonProducer.getJwsJsonSignedDocument(), PROTECTING_SPECIFIC_HEADER_FIELDS_JSON_FLATTENED_SERIALIZATION);
jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
assertTrue(jsonConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));
}
Also used :
JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders)
JsonWebKeys(org.apache.cxf.rs.security.jose.jwk.JsonWebKeys)
JsonWebKey(org.apache.cxf.rs.security.jose.jwk.JsonWebKey)
JwsJsonProducer(org.apache.cxf.rs.security.jose.jws.JwsJsonProducer)
JwsJsonConsumer(org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer)
Test(org.junit.Test)
Example 17 with JwsHeaders
use of org.apache.cxf.rs.security.jose.jws.JwsHeaders in project cxf by apache.
the class JwsJoseCookBookTest method testRSAv15Signature.
@Test
public void testRSAv15Signature() throws Exception {
JwsCompactProducer compactProducer = new JwsCompactProducer(PAYLOAD);
compactProducer.getJwsHeaders().setSignatureAlgorithm(SignatureAlgorithm.RS256);
compactProducer.getJwsHeaders().setKeyId(RSA_KID_VALUE);
JsonMapObjectReaderWriter reader = new JsonMapObjectReaderWriter();
assertEquals(reader.toJson(compactProducer.getJwsHeaders().asMap()), RSA_V1_5_SIGNATURE_PROTECTED_HEADER_JSON);
assertEquals(compactProducer.getUnsignedEncodedJws(), RSA_V1_5_SIGNATURE_PROTECTED_HEADER + "." + ENCODED_PAYLOAD);
JsonWebKeys jwks = readKeySet("cookbookPrivateSet.txt");
List<JsonWebKey> keys = jwks.getKeys();
JsonWebKey rsaKey = keys.get(1);
compactProducer.signWith(rsaKey);
assertEquals(compactProducer.getSignedEncodedJws(), RSA_V1_5_SIGNATURE_PROTECTED_HEADER + "." + ENCODED_PAYLOAD + "." + RSA_V1_5_SIGNATURE_VALUE);
JwsCompactConsumer compactConsumer = new JwsCompactConsumer(compactProducer.getSignedEncodedJws());
JsonWebKeys publicJwks = readKeySet("cookbookPublicSet.txt");
List<JsonWebKey> publicKeys = publicJwks.getKeys();
JsonWebKey rsaPublicKey = publicKeys.get(1);
assertTrue(compactConsumer.verifySignatureWith(rsaPublicKey, SignatureAlgorithm.RS256));
JwsJsonProducer jsonProducer = new JwsJsonProducer(PAYLOAD);
assertEquals(jsonProducer.getPlainPayload(), PAYLOAD);
assertEquals(jsonProducer.getUnsignedEncodedPayload(), ENCODED_PAYLOAD);
JwsHeaders protectedHeader = new JwsHeaders();
protectedHeader.setSignatureAlgorithm(SignatureAlgorithm.RS256);
protectedHeader.setKeyId(RSA_KID_VALUE);
jsonProducer.signWith(JwsUtils.getSignatureProvider(rsaKey, SignatureAlgorithm.RS256), protectedHeader);
assertEquals(jsonProducer.getJwsJsonSignedDocument(), RSA_V1_5_JSON_GENERAL_SERIALIZATION);
JwsJsonConsumer jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
assertTrue(jsonConsumer.verifySignatureWith(rsaPublicKey, SignatureAlgorithm.RS256));
jsonProducer = new JwsJsonProducer(PAYLOAD, true);
jsonProducer.signWith(JwsUtils.getSignatureProvider(rsaKey, SignatureAlgorithm.RS256), protectedHeader);
assertEquals(jsonProducer.getJwsJsonSignedDocument(), RSA_V1_5_JSON_FLATTENED_SERIALIZATION);
jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
assertTrue(jsonConsumer.verifySignatureWith(rsaPublicKey, SignatureAlgorithm.RS256));
}
Also used :
JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders)
JwsCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer)
JwsCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsCompactProducer)
JsonWebKeys(org.apache.cxf.rs.security.jose.jwk.JsonWebKeys)
JsonMapObjectReaderWriter(org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter)
JsonWebKey(org.apache.cxf.rs.security.jose.jwk.JsonWebKey)
JwsJsonProducer(org.apache.cxf.rs.security.jose.jws.JwsJsonProducer)
JwsJsonConsumer(org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer)
Test(org.junit.Test)
Example 18 with JwsHeaders
use of org.apache.cxf.rs.security.jose.jws.JwsHeaders in project cxf by apache.
the class JwsJwksJwtAccessTokenValidatorTest method testGetInitializedSignatureVerifier.
@Test
public void testGetInitializedSignatureVerifier() {
final JsonWebKey jwk = new JsonWebKey();
jwk.setKeyId("anyKid");
jwk.setPublicKeyUse(PublicKeyUse.ENCRYPT);
final JsonWebKey jwk1 = new JsonWebKey();
jwk1.setKeyId("kid1");
final JsonWebKey jwk2 = new JsonWebKey();
jwk2.setKeyId("kid2");
jwk2.setPublicKeyUse(PublicKeyUse.SIGN);
final JsonWebKey jwk3 = new JsonWebKey();
jwk3.setKeyId("kid3");
jwk3.setPublicKeyUse(PublicKeyUse.SIGN);
final JwsJwksJwtAccessTokenValidator validator = new JwsJwksJwtAccessTokenValidator() {
int invokeCnt;
@Override
JsonWebKeys getJsonWebKeys() {
++invokeCnt;
if (invokeCnt == 1) {
return new JsonWebKeys(Arrays.asList(jwk, jwk1, jwk2));
} else if (invokeCnt == 2) {
return new JsonWebKeys(Arrays.asList(jwk, jwk1, jwk3));
}
throw new IllegalStateException();
}
};
validator.setJwksURL("https://any.url");
validator.getInitializedSignatureVerifier(new JwsHeaders(jwk2.getKeyId()));
assertEquals(new HashSet<>(Arrays.asList(jwk1.getKeyId(), jwk2.getKeyId())), validator.jsonWebKeys.keySet());
// rotate keys
validator.getInitializedSignatureVerifier(new JwsHeaders(jwk3.getKeyId()));
assertEquals(new HashSet<>(Arrays.asList(jwk1.getKeyId(), jwk3.getKeyId())), validator.jsonWebKeys.keySet());
}
Also used :
JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders)
JsonWebKeys(org.apache.cxf.rs.security.jose.jwk.JsonWebKeys)
JsonWebKey(org.apache.cxf.rs.security.jose.jwk.JsonWebKey)
Test(org.junit.Test)
Example 19 with JwsHeaders
use of org.apache.cxf.rs.security.jose.jws.JwsHeaders in project cxf by apache.
the class JwtBearerGrantHandler method createAccessToken.
@Override
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params) throws OAuthServiceException {
String assertion = params.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM);
if (assertion == null) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
try {
JwsJwtCompactConsumer jwsReader = getJwsReader(assertion);
JwtToken jwtToken = jwsReader.getJwtToken();
validateSignature(new JwsHeaders(jwtToken.getJwsHeaders()), jwsReader.getUnsignedEncodedSequence(), jwsReader.getDecodedSignature());
validateClaims(client, jwtToken.getClaims());
UserSubject grantSubject = new UserSubject(jwtToken.getClaims().getSubject());
return doCreateAccessToken(client, grantSubject, Constants.JWT_BEARER_GRANT, OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)));
} catch (OAuthServiceException ex) {
throw ex;
} catch (Exception ex) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
}
}
Also used :
JwtToken(org.apache.cxf.rs.security.jose.jwt.JwtToken)
JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders)
UserSubject(org.apache.cxf.rs.security.oauth2.common.UserSubject)
OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException)
JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)
OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException)
Example 20 with JwsHeaders
use of org.apache.cxf.rs.security.jose.jws.JwsHeaders in project cxf by apache.
the class JwsWriterInterceptor method aroundWriteTo.
@Override
public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
if (ctx.getEntity() == null) {
ctx.proceed();
return;
}
JwsHeaders headers = new JwsHeaders();
JwsSignatureProvider sigProvider = getInitializedSigProvider(headers);
setContentTypeIfNeeded(headers, ctx);
if (!encodePayload) {
headers.setPayloadEncodingStatus(false);
}
protectHttpHeadersIfNeeded(ctx, headers);
OutputStream actualOs = ctx.getOutputStream();
if (useJwsOutputStream) {
JwsSignature jwsSignature = sigProvider.createJwsSignature(headers);
JoseUtils.traceHeaders(headers);
JwsOutputStream jwsStream = new JwsOutputStream(actualOs, jwsSignature, true);
byte[] headerBytes = StringUtils.toBytesUTF8(writer.toJson(headers));
Base64UrlUtility.encodeAndStream(headerBytes, 0, headerBytes.length, jwsStream);
jwsStream.write(new byte[] { '.' });
Base64UrlOutputStream base64Stream = null;
if (encodePayload) {
base64Stream = new Base64UrlOutputStream(jwsStream);
ctx.setOutputStream(base64Stream);
} else {
ctx.setOutputStream(jwsStream);
}
ctx.proceed();
setJoseMediaType(ctx);
if (base64Stream != null) {
base64Stream.flush();
}
jwsStream.flush();
} else {
CachedOutputStream cos = new CachedOutputStream();
ctx.setOutputStream(cos);
ctx.proceed();
JwsCompactProducer p = new JwsCompactProducer(headers, new String(cos.getBytes(), StandardCharsets.UTF_8));
setJoseMediaType(ctx);
writeJws(p, sigProvider, actualOs);
}
}
Also used :
JwsOutputStream(org.apache.cxf.rs.security.jose.jws.JwsOutputStream)
JwsHeaders(org.apache.cxf.rs.security.jose.jws.JwsHeaders)
JwsSignature(org.apache.cxf.rs.security.jose.jws.JwsSignature)
Base64UrlOutputStream(org.apache.cxf.common.util.Base64UrlOutputStream)
JwsOutputStream(org.apache.cxf.rs.security.jose.jws.JwsOutputStream)
OutputStream(java.io.OutputStream)
CachedOutputStream(org.apache.cxf.io.CachedOutputStream)
JwsCompactProducer(org.apache.cxf.rs.security.jose.jws.JwsCompactProducer)
Base64UrlOutputStream(org.apache.cxf.common.util.Base64UrlOutputStream)
JwsSignatureProvider(org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider)
CachedOutputStream(org.apache.cxf.io.CachedOutputStream)
Aggregations
JwsHeaders (org.apache.cxf.rs.security.jose.jws.JwsHeaders)42
JwsJwtCompactProducer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer)25
JwtClaims (org.apache.cxf.rs.security.jose.jwt.JwtClaims)22
JwsSignatureProvider (org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider)20
JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken)20
Date (java.util.Date)16
Calendar (java.util.Calendar)11
JsonWebKey (org.apache.cxf.rs.security.jose.jwk.JsonWebKey)10
JsonWebKeys (org.apache.cxf.rs.security.jose.jwk.JsonWebKeys)10
HmacJwsSignatureProvider (org.apache.cxf.rs.security.jose.jws.HmacJwsSignatureProvider)10
NoneJwsSignatureProvider (org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider)10
SyncopeClient (org.apache.syncope.client.lib.SyncopeClient)10
Test (org.junit.jupiter.api.Test)10
JwsJsonProducer (org.apache.cxf.rs.security.jose.jws.JwsJsonProducer)9
Test (org.junit.Test)9
AccessControlException (java.security.AccessControlException)8
WebClient (org.apache.cxf.jaxrs.client.WebClient)8
JwsJsonConsumer (org.apache.cxf.rs.security.jose.jws.JwsJsonConsumer)8
Properties (java.util.Properties)7
Response (javax.ws.rs.core.Response)7
