use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.
the class AuthIdHelper method verifyAuthId.
/**
 * Verifies the HMAC signature of an authentication id JWT against the realm's signing key.
 *
 * <p>Only the signature is checked here; nothing on this path inspects expiry or other claims,
 * so callers must not treat a successful return as proof that the token is still current
 * (NOTE(review): confirm where claim validation happens).
 *
 * @param realmDN The DN for the realm being authenticated against.
 * @param authId The authentication id JWT.
 * @throws RestAuthException with {@code BAD_REQUEST} if the JWT cannot be parsed or its
 *         signature does not verify. The parse failure message is forwarded to the caller.
 */
public void verifyAuthId(String realmDN, String authId) throws RestAuthException {
    final SecretKey hmacKey = getSigningKey(realmDN);
    final boolean signatureValid;
    try {
        final SigningHandler handler = signingManager.newHmacSigningHandler(hmacKey.getEncoded());
        final SignedJwt jwt = jwtBuilderFactory.reconstruct(authId, SignedJwt.class);
        signatureValid = jwt.verify(handler);
    } catch (JwtRuntimeException e) {
        // Malformed or undecodable token: surface as a client error, keeping the cause.
        throw new RestAuthException(ResourceException.BAD_REQUEST, "Failed to parse JWT, " + e.getLocalizedMessage(), e);
    }
    if (!signatureValid) {
        throw new RestAuthException(ResourceException.BAD_REQUEST, "AuthId JWT Signature not valid");
    }
}
use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.
the class AuthIdHelperTest method shouldVerifyAuthIdAndFail.
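/**
 * verifyAuthId must reject a token whose signature does not verify.
 *
 * <p>The signing handler is created inside verifyAuthId, so the verify stub has to accept any
 * SigningHandler; stubbing against a locally created mock handler would never match, and the
 * rejected outcome would then only come from the mock's default {@code false} return.
 */
@Test
public void shouldVerifyAuthIdAndFail() throws SignatureException, SSOException, SMSException {
    //Given
    SignedJwt signedJwt = mock(SignedJwt.class);
    given(jwtBuilderFactory.reconstruct("AUTH_ID", SignedJwt.class)).willReturn(signedJwt);
    given(signedJwt.verify(Matchers.<SigningHandler>anyObject())).willReturn(false);
    mockGetSigningKey("REALM_DN", false);
    //When
    boolean exceptionCaught = false;
    try {
        authIdHelper.verifyAuthId("REALM_DN", "AUTH_ID");
        fail();
    } catch (RestAuthException e) {
        exceptionCaught = true;
    }
    //Then
    verify(jwtBuilderFactory).reconstruct("AUTH_ID", SignedJwt.class);
    verify(signedJwt).verify(Matchers.<SigningHandler>anyObject());
    assertTrue(exceptionCaught);
}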
use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.
the class OpenIdConnectToken method sign.
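/**
 * Signs the OpenId Connect token.
 *
 * <p>The signing handler is chosen from the configured {@code algorithm}: RSA algorithm types
 * are signed with the key pair's private key; every other algorithm type falls through to the
 * HMAC handler keyed with {@code clientSecret}.
 *
 * @return A SignedJwt
 * @throws SignatureException If the configured algorithm is null or is not a known
 *         {@link JwsAlgorithm}.
 */
public SignedJwt sign() throws SignatureException {
    // JwsAlgorithm is an enum, so valueOf never returns null: it throws NullPointerException
    // for a null name and IllegalArgumentException for an unknown one. Map both to the
    // declared SignatureException instead of relying on a null check that can never fire.
    if (algorithm == null) {
        logger.error("Unable to find jws algorithm for: " + algorithm);
        throw new SignatureException("Unable to find jws algorithm for: " + algorithm);
    }
    final JwsAlgorithm jwsAlgorithm;
    try {
        jwsAlgorithm = JwsAlgorithm.valueOf(algorithm);
    } catch (IllegalArgumentException e) {
        logger.error("Unable to find jws algorithm for: " + algorithm);
        throw new SignatureException("Unable to find jws algorithm for: " + algorithm, e);
    }
    final SigningHandler signingHandler;
    if (JwsAlgorithmType.RSA.equals(jwsAlgorithm.getAlgorithmType())) {
        signingHandler = new SigningManager().newRsaSigningHandler(keyPair.getPrivate());
    } else {
        // NOTE(review): every non-RSA algorithm type lands here and is signed with the client
        // secret; confirm configuration restricts algorithm to HMAC or RSA values only.
        signingHandler = new SigningManager().newHmacSigningHandler(clientSecret);
    }
    JwsHeaderBuilder builder = jwtBuilderFactory.jws(signingHandler).headers().alg(jwsAlgorithm);
    JwtClaimsSet claimsSet = jwtBuilderFactory.claims().claims(asMap()).build();
    if (kid != null) {
        builder.kid(kid);
    }
    return builder.done().claims(claimsSet).asJwt();
}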
use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.
the class JwtSnapshotTokenHandlerFactory method configureJwtTokenHandler.
/**
 * Builds a {@link JwtTokenHandler} from the supplied configuration: an HMAC signing handler
 * keyed with the config's shared key, and a key pair from the provider passed alongside the
 * JWE algorithm and encryption method.
 *
 * <p>NOTE(review): the HMAC key strength is entirely determined by the configured shared key;
 * confirm it meets the size required by the configured JWS algorithm.
 *
 * @param config The JWT token handler configuration.
 * @return A JwtTokenHandler wired with the configured signing, encryption and lifetime settings.
 */
private SnapshotTokenHandler configureJwtTokenHandler(JwtTokenHandlerConfig config) {
    final SigningHandler hmacHandler = new SigningManager().newHmacSigningHandler(config.getSharedKey());
    final KeyPair tokenKeyPair = provider.getKeyPair(config.getKeyPairAlgorithm(), config.getKeyPairSize());
    return new JwtTokenHandler(
            config.getJweAlgorithm(),
            config.getEncryptionMethod(),
            tokenKeyPair,
            config.getJwsAlgorithm(),
            hmacHandler,
            config.getTokenLifeTimeInSeconds());
}
use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.
the class IdTokenClaimGathererTest method mockIdToken.
/**
 * Stubs the mocked id token so that its header reports HS256 and its signature verification
 * yields {@code isValid} for the handler the mocked signing manager hands out.
 *
 * @param isValid The value the stubbed {@code idToken.verify(...)} call returns.
 */
private void mockIdToken(boolean isValid) {
    final SigningHandler hmacHandler = mock(SigningHandler.class);
    given(signingManager.newHmacSigningHandler(any(byte[].class))).willReturn(hmacHandler);
    given(idToken.verify(hmacHandler)).willReturn(isValid);
    given(jwsHeader.getAlgorithm()).willReturn(JwsAlgorithm.HS256);
    given(idToken.getHeader()).willReturn(jwsHeader);
}