Use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.
The class AuthIdHelper, method verifyAuthId.
/**
 * Checks that an authentication id JWT carries a valid HMAC signature for the given realm.
 *
 * <p>The realm's signing key is looked up, wrapped in an HMAC signing handler and used to
 * verify the signature of the reconstructed JWT. A token that cannot be parsed, or whose
 * signature does not match, is rejected as a bad request.
 *
 * @param realmDN The DN for the realm being authenticated against.
 * @param authId The authentication id JWT in its serialised string form.
 * @throws RestAuthException with {@code BAD_REQUEST} if the JWT cannot be reconstructed or
 *         its signature does not verify against the realm's key.
 */
public void verifyAuthId(String realmDN, String authId) throws RestAuthException {
    final SecretKey realmKey = getSigningKey(realmDN);
    try {
        // The handler is built per call from the realm secret; only that key is accepted.
        final SigningHandler hmacHandler = signingManager.newHmacSigningHandler(realmKey.getEncoded());
        // NOTE(review): the token's alg header is not inspected here; rejecting non-HMAC
        // algorithms relies on the handler's own checks — confirm in SigningHandler.verify.
        final SignedJwt signedJwt = jwtBuilderFactory.reconstruct(authId, SignedJwt.class);
        final boolean signatureValid = signedJwt.verify(hmacHandler);
        if (signatureValid) {
            return;
        }
        throw new RestAuthException(ResourceException.BAD_REQUEST, "AuthId JWT Signature not valid");
    } catch (JwtRuntimeException e) {
        // Malformed or undecodable tokens surface as a bad request carrying the parser's message.
        throw new RestAuthException(ResourceException.BAD_REQUEST, "Failed to parse JWT, " + e.getLocalizedMessage(), e);
    }
}
Use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.
The class OpenIdConnectTokenGenerationImpl, method asymmetricSign.
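/**
 * Signs the OpenID Connect token claims with the RSA private key of the supplied key pair.
 *
 * @param openIdConnectToken the token whose claims are placed in the JWT
 * @param jwsAlgorithm the JWS algorithm to sign with; must be of type RSA
 * @param keyPair the signing key pair; its public key must be an {@link RSAPublicKey}
 * @param publicKeyReferenceType how the public key is referenced in the JWS header
 * @return the signed JWT
 * @throws TokenCreationException with {@code BAD_REQUEST} if the algorithm is not an RSA
 *         algorithm or the key pair's public key is absent or not an RSA key
 */
private SignedJwt asymmetricSign(STSOpenIdConnectToken openIdConnectToken, JwsAlgorithm jwsAlgorithm, KeyPair keyPair, OpenIdConnectTokenPublicKeyReferenceType publicKeyReferenceType) throws TokenCreationException {
    if (!JwsAlgorithmType.RSA.equals(jwsAlgorithm.getAlgorithmType())) {
        // The message names this method (it previously pointed at symmetricSign).
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Exception in OpenIdConnectTokenGenerationImpl#asymmetricSign: algorithm type not RSA but " + jwsAlgorithm.getAlgorithmType());
    }
    final SigningHandler signingHandler = new SigningManager().newRsaSigningHandler(keyPair.getPrivate());
    JwsHeaderBuilder jwsHeaderBuilder = jwtBuilderFactory.jws(signingHandler).headers().alg(jwsAlgorithm);
    JwtClaimsSet claimsSet = jwtBuilderFactory.claims().claims(openIdConnectToken.asMap()).build();
    // An instanceof check replaces catching ClassCastException: a null public key never
    // fails a cast, so the null branch of this message was otherwise unreachable and a
    // null key would have been passed on to handleKeyIdentification.
    if (!(keyPair.getPublic() instanceof RSAPublicKey)) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Could not sign jwt with algorithm " + jwsAlgorithm + " because the PublicKey not of type RSAPublicKey but rather " + (keyPair.getPublic() != null ? keyPair.getPublic().getClass().getCanonicalName() : null));
    }
    final RSAPublicKey rsaPublicKey = (RSAPublicKey) keyPair.getPublic();
    handleKeyIdentification(jwsHeaderBuilder, publicKeyReferenceType, rsaPublicKey, jwsAlgorithm);
    return jwsHeaderBuilder.done().claims(claimsSet).asJwt();
}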
Use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.
The class OpenIdConnectTokenGenerationImpl, method symmetricSign.
/**
 * Signs the OpenID Connect token claims with an HMAC keyed by the client secret.
 *
 * @param openIdConnectToken the token whose claims are placed in the JWT
 * @param jwsAlgorithm the JWS algorithm to sign with; must be of type HMAC
 * @param clientSecret the raw bytes used as the HMAC key
 * @return the signed JWT
 * @throws TokenCreationException with {@code BAD_REQUEST} if the algorithm is not an HMAC algorithm
 */
private SignedJwt symmetricSign(STSOpenIdConnectToken openIdConnectToken, JwsAlgorithm jwsAlgorithm, byte[] clientSecret) throws TokenCreationException {
    final JwsAlgorithmType algorithmType = jwsAlgorithm.getAlgorithmType();
    if (JwsAlgorithmType.HMAC.equals(algorithmType)) {
        // NOTE(review): no minimum length is enforced on clientSecret here; an HMAC over a
        // short or empty secret is weak — confirm the caller validates it.
        final SigningHandler hmacHandler = new SigningManager().newHmacSigningHandler(clientSecret);
        final JwtClaimsSet tokenClaims = jwtBuilderFactory.claims().claims(openIdConnectToken.asMap()).build();
        final JwsHeaderBuilder headerBuilder = jwtBuilderFactory.jws(hmacHandler).headers().alg(jwsAlgorithm);
        return headerBuilder.done().claims(tokenClaims).asJwt();
    }
    throw new TokenCreationException(ResourceException.BAD_REQUEST, "Exception in OpenIdConnectTokenGenerationImpl#symmetricSign: algorithm type not HMAC but " + algorithmType);
}
Use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.
The class PolicyRequestTest, method getJwtSubject.
/**
 * Builds a signed JWT whose only claim is the given subject.
 *
 * <p>The header is empty and signing is a no-op, so the test needs no key material.
 *
 * @param subjectName value for the {@code sub} claim
 * @return the unsigned-in-practice JWT carrying the subject
 */
private Jwt getJwtSubject(final String subjectName) {
    final JwtClaimsSet subjectClaims = new JwtClaimsSet();
    subjectClaims.setSubject(subjectName);
    final JwsHeader emptyHeader = new JwsHeader(Collections.<String, Object>emptyMap());
    return new SignedJwt(emptyHeader, subjectClaims, new NOPSigningHandler());
}
Use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.
The class OAuth2JwtTest, method expirationTimeSetInPastJWTShouldBeInvalid.
/** A JWT whose {@code exp} claim already lies in the past must not validate. */
@Test
public void expirationTimeSetInPastJWTShouldBeInvalid() {
    final SigningHandler nopHandler = new NOPSigningHandler();
    final JwtClaimsSet expiredClaims = getJwtClaimsSet(VALID_NOT_BEFORE_TIME, INVALID_EXPIRATION_TIME);
    final JwsHeader emptyHeader = new JwsHeader(Collections.<String, Object>emptyMap());
    final OAuth2Jwt expiredJwt = getOAuth2Jwt(emptyHeader, expiredClaims, nopHandler);
    // Signature is a no-op here, so only the time-based claims decide validity.
    final boolean valid = expiredJwt.isValid(nopHandler);
    assertTrue(!valid);
}