Example 16 with PemReader

Use of org.bouncycastle.util.io.pem.PemReader in project dcos-commons by mesosphere.

The class SchedulerConfig, method getDcosAuthTokenProvider.

/**
 * Returns a token provider which may be used to retrieve DC/OS JWT auth tokens, or throws an exception if the local
 * environment doesn't provide the needed information (e.g. on a DC/OS Open cluster)
 */
public TokenProvider getDcosAuthTokenProvider() throws IOException {
    JSONObject serviceAccountObject = new JSONObject(envStore.getRequired(SIDECHANNEL_AUTH_ENV_NAME));
    // The service account's private key arrives as a PEM-armored PKCS#8 blob. PemReader strips the BEGIN/END
    // lines and base64 so the DER content can be handed to the JCE KeyFactory.
    PemReader pemReader = new PemReader(new StringReader(serviceAccountObject.getString("private_key")));
    try {
        PemObject pemObject = pemReader.readPemObject();
        if (pemObject == null) {
            throw new IllegalArgumentException("private_key does not contain a PEM-encoded key");
        }
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        // The cast to RSAPrivateCrtKey assumes the key carries its CRT parameters (the usual PKCS#8 form), which is
        // what exposes the public exponent. The public key is derived from (n, e); the private exponent d must
        // never be placed in an RSAPublicKeySpec.
        RSAPrivateCrtKey privateKey = (RSAPrivateCrtKey) keyFactory.generatePrivate(
                new PKCS8EncodedKeySpec(pemObject.getContent()));
        RSAPublicKey publicKey = (RSAPublicKey) keyFactory.generatePublic(
                new RSAPublicKeySpec(privateKey.getModulus(), privateKey.getPublicExponent()));
        ServiceAccountIAMTokenClient serviceAccountIAMTokenProvider = new ServiceAccountIAMTokenClient(
                new DcosHttpExecutor(new DcosHttpClientBuilder()
                        .setDefaultConnectionTimeout(DEFAULT_AUTH_TOKEN_REFRESH_TIMEOUT_S)
                        .setRedirectStrategy(new LaxRedirectStrategy())),
                serviceAccountObject.getString("uid"),
                Algorithm.RSA256(publicKey, privateKey));
        Duration authTokenRefreshThreshold = Duration.ofSeconds(
                envStore.getOptionalInt(AUTH_TOKEN_REFRESH_THRESHOLD_S_ENV, DEFAULT_AUTH_TOKEN_REFRESH_THRESHOLD_S));
        return new CachedTokenProvider(serviceAccountIAMTokenProvider, authTokenRefreshThreshold);
    } catch (InvalidKeySpecException e) {
        throw new IllegalArgumentException(e);
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException(e);
    } finally {
        pemReader.close();
    }
}
Also used : DcosHttpClientBuilder(com.mesosphere.sdk.dcos.DcosHttpClientBuilder) CachedTokenProvider(com.mesosphere.sdk.dcos.auth.CachedTokenProvider) Duration(java.time.Duration) RSAPublicKeySpec(java.security.spec.RSAPublicKeySpec) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) PemReader(org.bouncycastle.util.io.pem.PemReader) PemObject(org.bouncycastle.util.io.pem.PemObject) DcosHttpExecutor(com.mesosphere.sdk.dcos.DcosHttpExecutor) JSONObject(org.json.JSONObject) RSAPublicKey(java.security.interfaces.RSAPublicKey) PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec) StringReader(java.io.StringReader) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) RSAPrivateCrtKey(java.security.interfaces.RSAPrivateCrtKey) KeyFactory(java.security.KeyFactory) LaxRedirectStrategy(org.apache.http.impl.client.LaxRedirectStrategy) ServiceAccountIAMTokenClient(com.mesosphere.sdk.dcos.clients.ServiceAccountIAMTokenClient)

Example 17 with PemReader

Use of org.bouncycastle.util.io.pem.PemReader in project cas by apereo.

The class PublicKeyFactoryBean, method readPemPublicKey.

/**
 * Read pem public key.
 *
 * @return the public key
 * @throws Exception the exception
 */
protected PublicKey readPemPublicKey() throws Exception {
    try (val reader = new PemReader(new InputStreamReader(this.resource.getInputStream(), StandardCharsets.UTF_8))) {
        val pemObject = reader.readPemObject();
        if (pemObject != null) {
            val content = pemObject.getContent();
            val pubSpec = new X509EncodedKeySpec(content);
            val factory = KeyFactory.getInstance(this.algorithm);
            return factory.generatePublic(pubSpec);
        }
    }
    return null;
}
Also used : lombok.val(lombok.val) PemReader(org.bouncycastle.util.io.pem.PemReader) InputStreamReader(java.io.InputStreamReader) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec)

Example 18 with PemReader

Use of org.bouncycastle.util.io.pem.PemReader in project athenz by yahoo.

The class DefaultOAuthJwtAccessTokenTest, method initialize.

@BeforeMethod
public void initialize() throws Exception {
    PublicKey pub = null;
    try (PemReader reader = new PemReader(new FileReader(this.getClass().getClassLoader().getResource("jwt_public.key").getFile()))) {
        pub = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(reader.readPemObject().getContent()));
    }
    this.parser = Jwts.parserBuilder().setSigningKey(pub).setAllowedClockSkewSeconds(60).build();
}
Also used : PemReader(org.bouncycastle.util.io.pem.PemReader) PublicKey(java.security.PublicKey) FileReader(java.io.FileReader) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) BeforeMethod(org.testng.annotations.BeforeMethod)

Example 19 with PemReader

Use of org.bouncycastle.util.io.pem.PemReader in project athenz by yahoo.

The class KeyStoreJwkKeyResolverTest, method testResolveSigningKey.

@Test
public void testResolveSigningKey() throws Exception {
    // mocks
    KeyStore keyStoreMock = Mockito.spy(baseKeyStore);
    SigningKeyResolver jwksResolverMock = Mockito.spy(basejwksResolver);
    // instance
    KeyStoreJwkKeyResolver resolver = new KeyStoreJwkKeyResolver(null, "file:///", null);
    Field keyStoreField = resolver.getClass().getDeclaredField("keyStore");
    keyStoreField.setAccessible(true);
    Field providerField = resolver.getClass().getDeclaredField("jwksResolver");
    providerField.setAccessible(true);
    providerField.set(resolver, jwksResolverMock);
    // args
    DefaultJwsHeader jwsHeader = new DefaultJwsHeader();
    DefaultClaims claims = new DefaultClaims();
    // 1. null key store, find in JWKS
    PublicKey pk11 = Mockito.spy(basePublicKey);
    Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk11);
    jwsHeader.setKeyId("11");
    claims.setIssuer(null);
    assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk11);
    // set key store mock
    keyStoreField.set(resolver, keyStoreMock);
    // 2. invalid issuer, find in JWKS
    PublicKey pk21 = Mockito.spy(basePublicKey);
    Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk21);
    jwsHeader.setKeyId("21");
    claims.setIssuer(null);
    assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk21);
    PublicKey pk22 = Mockito.spy(basePublicKey);
    Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk22);
    jwsHeader.setKeyId("22");
    claims.setIssuer("");
    assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk22);
    PublicKey pk23 = Mockito.spy(basePublicKey);
    Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk23);
    jwsHeader.setKeyId("23");
    claims.setIssuer("domain23-----service23");
    assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk23);
    // 2. invalid domain, find in JWKS
    PublicKey pk24 = Mockito.spy(basePublicKey);
    Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk24);
    jwsHeader.setKeyId("24");
    claims.setIssuer("domain24.service24");
    assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk24);
    // 3. found in key store, skip JWKS
    PublicKey pk31 = null;
    try (PemReader reader = new PemReader(new FileReader(this.classLoader.getResource("jwt_public.key").getFile()))) {
        pk31 = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(reader.readPemObject().getContent()));
    }
    Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk31);
    Mockito.when(keyStoreMock.getPublicKey("sys.auth", "service31", "31")).thenReturn("-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy3c3TEePZZPaxqNU2xV4\nortsXrw1EXTNQj2QUgL8UOPaQS0lbHJtD1cbcCFnzfXRXTOGqh8l+XWTRIOlt4yU\n+mEhgR0/JKILTPwmS0fj3D1PT6IjZShuNyd4USVdcjfCRBRb9ExIptJyeTTUu0Uu\njWNEcGOWAkUZcsonmiEz7bIMVkGy5uYnWGbsKP51Zf/PFMb96RcHeE0ZUitIB4YK\n1bgHLyAEBJIka5mRC/jWq/mlq3jiP5RaVWbzQiJbrjuYWd1Vps/xnrABx6/4Ft/M\n0AnSQN0SYjc/nWT1yGPpCwtWmWUU5NNHd+w6TdgOjdu00wownwblovtEYED+rncb\n913qfBM98kNHyj357BSzlvhiwEH5Ayo9DTnx1j9HuJGZXzymVypuQXLu/tkHMEt+\nc4kytKJNi6MLiauy9xtXGLXgOvZUM8V0Z27Z6CTfCzWZ0nwnEWDdH+NJyusL6pJg\nEGUBh6E9fdJInV7YOCF+P9/19imPHrZ0blTXK1TDfKS/pCLOXO/OmmH+p+UxQ77O\npeP5wlt5Jem0ErSisl/Qxhh1OtJcLwFdA7uC7rOTMrSEGLO++5+CatsXj7BEK2l+\n3As8fJEkoWXd1+4KOUMfV/fnT/z6U8+bcsYn0nvWPl8XuMbwNWjqHYgqhl1RLA7M\n17HCydWCF50HI2XojtGgRN0CAwEAAQ==\n-----END PUBLIC KEY-----\n");
    jwsHeader.setKeyId("31");
    claims.setIssuer("sys.auth.service31");
    assertEquals(resolver.resolveSigningKey(jwsHeader, claims), pk31);
    // 3. NOT found in key store, find in JWKS
    PublicKey pk32 = Mockito.spy(basePublicKey);
    Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk32);
    Mockito.when(keyStoreMock.getPublicKey("sys.auth", "service32", "32")).thenReturn(null);
    jwsHeader.setKeyId("32");
    claims.setIssuer("sys.auth.service32");
    assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk32);
    // 3. found in key store but public key invalid, find in JWKS
    PublicKey pk33 = Mockito.spy(basePublicKey);
    Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk33);
    Mockito.when(keyStoreMock.getPublicKey("sys.auth", "service33", "33")).thenReturn("");
    jwsHeader.setKeyId("33");
    claims.setIssuer("sys.auth.service33");
    assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk33);
    PublicKey pk34 = Mockito.spy(basePublicKey);
    Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(pk34);
    Mockito.when(keyStoreMock.getPublicKey("sys.auth", "service34", "34")).thenReturn("-----BEGIN PUBLIC KEY-----\ninvalid\n-----END PUBLIC KEY-----\n");
    jwsHeader.setKeyId("34");
    claims.setIssuer("sys.auth.service34");
    assertSame(resolver.resolveSigningKey(jwsHeader, claims), pk34);
    // 4. both NOT found
    jwsHeader.setKeyId("41");
    claims.setIssuer("sys.auth.service41");
    Mockito.when(jwksResolverMock.resolveSigningKey(jwsHeader, claims)).thenReturn(null);
    Mockito.when(keyStoreMock.getPublicKey("sys.auth", "service41", "41")).thenReturn(null);
    assertNull(resolver.resolveSigningKey(jwsHeader, claims));
    // 5. skip, empty key ID
    jwsHeader.setKeyId(null);
    claims.setIssuer(null);
    assertNull(resolver.resolveSigningKey(jwsHeader, claims));
    jwsHeader.setKeyId("");
    claims.setIssuer(null);
    assertNull(resolver.resolveSigningKey(jwsHeader, claims));
}
Also used : Field(java.lang.reflect.Field) PemReader(org.bouncycastle.util.io.pem.PemReader) SigningKeyResolver(io.jsonwebtoken.SigningKeyResolver) DefaultJwsHeader(io.jsonwebtoken.impl.DefaultJwsHeader) PublicKey(java.security.PublicKey) FileReader(java.io.FileReader) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) DefaultClaims(io.jsonwebtoken.impl.DefaultClaims) KeyStore(com.yahoo.athenz.auth.KeyStore) Test(org.testng.annotations.Test)

Example 20 with PemReader

Use of org.bouncycastle.util.io.pem.PemReader in project gocd by gocd.

The class EncryptionHelper, method getRSAPublicKeyFrom.

private static PublicKey getRSAPublicKeyFrom(String content) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
    // try-with-resources closes the reader once the key has been read
    try (PemReader reader = new PemReader(new StringReader(content))) {
        PemObject pemObject = reader.readPemObject();
        if (pemObject == null) {
            throw new InvalidKeySpecException("content does not contain a PEM object");
        }
        EncodedKeySpec spec = new X509EncodedKeySpec(pemObject.getContent()); // SubjectPublicKeyInfo DER
        return KeyFactory.getInstance("RSA").generatePublic(spec);
    }
}
Also used : PemReader(org.bouncycastle.util.io.pem.PemReader) PemObject(org.bouncycastle.util.io.pem.PemObject) StringReader(java.io.StringReader) X509EncodedKeySpec(java.security.spec.X509EncodedKeySpec) EncodedKeySpec(java.security.spec.EncodedKeySpec) PKCS8EncodedKeySpec(java.security.spec.PKCS8EncodedKeySpec)

Aggregations

PemReader (org.bouncycastle.util.io.pem.PemReader) 31
StringReader (java.io.StringReader) 20
PemObject (org.bouncycastle.util.io.pem.PemObject) 20
IOException (java.io.IOException) 13
ByteArrayInputStream (java.io.ByteArrayInputStream) 10
X509Certificate (java.security.cert.X509Certificate) 10
PKCS8EncodedKeySpec (java.security.spec.PKCS8EncodedKeySpec) 9
KeyFactory (java.security.KeyFactory) 6
CertificateException (java.security.cert.CertificateException) 6
CertificateFactory (java.security.cert.CertificateFactory) 6
FileReader (java.io.FileReader) 5
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException) 5
Certificate (java.security.cert.Certificate) 5
X509EncodedKeySpec (java.security.spec.X509EncodedKeySpec) 5
ArrayList (java.util.ArrayList) 5
InputStreamReader (java.io.InputStreamReader) 4
PrivateKey (java.security.PrivateKey) 4
InvalidKeySpecException (java.security.spec.InvalidKeySpecException) 4
PublicKey (java.security.PublicKey) 3
BouncyCastleProvider (org.bouncycastle.jce.provider.BouncyCastleProvider) 3