Example 11 with SigningHandler

use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.

the class AuthIdHelper method verifyAuthId.

/**
 * Verifies the signature of the JWT, to ensure the JWT is valid.
 *
 * @param realmDN The DN for the realm being authenticated against.
 * @param authId The authentication id JWT.
 */
public void verifyAuthId(String realmDN, String authId) throws RestAuthException {
    // The HMAC key is looked up per realm, so an authId issued for one realm
    // does not verify against another realm's key.
    SecretKey key = getSigningKey(realmDN);
    try {
        final SigningHandler signingHandler = signingManager.newHmacSigningHandler(key.getEncoded());
        // Only the signature is checked here; claim validation is done elsewhere.
        boolean verified = jwtBuilderFactory.reconstruct(authId, SignedJwt.class).verify(signingHandler);
        if (!verified) {
            throw new RestAuthException(ResourceException.BAD_REQUEST, "AuthId JWT Signature not valid");
        }
    } catch (JwtRuntimeException e) {
        // Malformed or unparseable JWT: reject with a client error rather than a 500.
        throw new RestAuthException(ResourceException.BAD_REQUEST, "Failed to parse JWT, " + e.getLocalizedMessage(), e);
    }
}
Also used : RestAuthException(org.forgerock.openam.core.rest.authn.exceptions.RestAuthException) SecretKey(javax.crypto.SecretKey) JwtRuntimeException(org.forgerock.json.jose.exceptions.JwtRuntimeException) SignedJwt(org.forgerock.json.jose.jws.SignedJwt) SigningHandler(org.forgerock.json.jose.jws.handlers.SigningHandler)

Example 12 with SigningHandler

use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.

the class OpenIdConnectTokenGenerationImpl method asymmetricSign.

private SignedJwt asymmetricSign(STSOpenIdConnectToken openIdConnectToken, JwsAlgorithm jwsAlgorithm, KeyPair keyPair, OpenIdConnectTokenPublicKeyReferenceType publicKeyReferenceType) throws TokenCreationException {
    // Refuse to sign with a private key if the requested alg is not an RSA algorithm.
    if (!JwsAlgorithmType.RSA.equals(jwsAlgorithm.getAlgorithmType())) {
        // Message corrected to name this method (the original said "symmetricSign").
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Exception in " + "OpenIdConnectTokenGenerationImpl#asymmetricSign: algorithm type not RSA but " + jwsAlgorithm.getAlgorithmType());
    }
    final SigningHandler signingHandler = new SigningManager().newRsaSigningHandler(keyPair.getPrivate());
    JwsHeaderBuilder jwsHeaderBuilder = jwtBuilderFactory.jws(signingHandler).headers().alg(jwsAlgorithm);
    JwtClaimsSet claimsSet = jwtBuilderFactory.claims().claims(openIdConnectToken.asMap()).build();
    RSAPublicKey rsaPublicKey;
    try {
        rsaPublicKey = (RSAPublicKey) keyPair.getPublic();
    } catch (ClassCastException e) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Could not sign jwt with algorithm " + jwsAlgorithm + " because the PublicKey not of type RSAPublicKey but rather " + (keyPair.getPublic() != null ? keyPair.getPublic().getClass().getCanonicalName() : null));
    }
    // Adds the kid / public-key reference to the header so the relying party can locate the verification key.
    handleKeyIdentification(jwsHeaderBuilder, publicKeyReferenceType, rsaPublicKey, jwsAlgorithm);
    return jwsHeaderBuilder.done().claims(claimsSet).asJwt();
}
Also used : JwtClaimsSet(org.forgerock.json.jose.jwt.JwtClaimsSet) RSAPublicKey(java.security.interfaces.RSAPublicKey) JwsHeaderBuilder(org.forgerock.json.jose.builders.JwsHeaderBuilder) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) SigningHandler(org.forgerock.json.jose.jws.handlers.SigningHandler) SigningManager(org.forgerock.json.jose.jws.SigningManager)

Example 13 with SigningHandler

use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.

the class OpenIdConnectTokenGenerationImpl method symmetricSign.

private SignedJwt symmetricSign(STSOpenIdConnectToken openIdConnectToken, JwsAlgorithm jwsAlgorithm, byte[] clientSecret) throws TokenCreationException {
    // Refuse to use the client secret with anything other than an HMAC algorithm.
    if (!JwsAlgorithmType.HMAC.equals(jwsAlgorithm.getAlgorithmType())) {
        throw new TokenCreationException(ResourceException.BAD_REQUEST, "Exception in " + "OpenIdConnectTokenGenerationImpl#symmetricSign: algorithm type not HMAC but " + jwsAlgorithm.getAlgorithmType());
    }
    // The client secret is the shared HMAC key; the relying party must hold the same secret to verify.
    final SigningHandler signingHandler = new SigningManager().newHmacSigningHandler(clientSecret);
    JwsHeaderBuilder builder = jwtBuilderFactory.jws(signingHandler).headers().alg(jwsAlgorithm);
    JwtClaimsSet claimsSet = jwtBuilderFactory.claims().claims(openIdConnectToken.asMap()).build();
    return builder.done().claims(claimsSet).asJwt();
}
Also used : JwtClaimsSet(org.forgerock.json.jose.jwt.JwtClaimsSet) JwsHeaderBuilder(org.forgerock.json.jose.builders.JwsHeaderBuilder) TokenCreationException(org.forgerock.openam.sts.TokenCreationException) SigningHandler(org.forgerock.json.jose.jws.handlers.SigningHandler) SigningManager(org.forgerock.json.jose.jws.SigningManager)

Example 14 with SigningHandler

use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.

the class PolicyRequestTest method getJwtSubject.

private Jwt getJwtSubject(final String subjectName) {
    JwsHeader header = new JwsHeader(Collections.<String, Object>emptyMap());
    JwtClaimsSet claims = new JwtClaimsSet();
    claims.setSubject(subjectName);
    // NOPSigningHandler produces no real signature; it is a test fixture only.
    SigningHandler handler = new NOPSigningHandler();
    return new SignedJwt(header, claims, handler);
}
Also used : JwtClaimsSet(org.forgerock.json.jose.jwt.JwtClaimsSet) JwsHeader(org.forgerock.json.jose.jws.JwsHeader) NOPSigningHandler(org.forgerock.json.jose.jws.handlers.NOPSigningHandler) SignedJwt(org.forgerock.json.jose.jws.SignedJwt) SigningHandler(org.forgerock.json.jose.jws.handlers.SigningHandler)

Example 15 with SigningHandler

use of org.forgerock.json.jose.jws.handlers.SigningHandler in project OpenAM by OpenRock.

the class OAuth2JwtTest method expirationTimeSetInPastJWTShouldBeInvalid.

@Test
public void expirationTimeSetInPastJWTShouldBeInvalid() {
    JwsHeader header = new JwsHeader(Collections.<String, Object>emptyMap());
    // Valid nbf but an exp already in the past: the token must be rejected on time alone.
    JwtClaimsSet claims = getJwtClaimsSet(VALID_NOT_BEFORE_TIME, INVALID_EXPIRATION_TIME);
    // NOPSigningHandler: no real signature, so only the time-based checks are exercised.
    SigningHandler handler = new NOPSigningHandler();
    OAuth2Jwt oAuth2Jwt = getOAuth2Jwt(header, claims, handler);
    assertFalse(oAuth2Jwt.isValid(handler));
}
Also used : JwtClaimsSet(org.forgerock.json.jose.jwt.JwtClaimsSet) JwsHeader(org.forgerock.json.jose.jws.JwsHeader) NOPSigningHandler(org.forgerock.json.jose.jws.handlers.NOPSigningHandler) SigningHandler(org.forgerock.json.jose.jws.handlers.SigningHandler) Test(org.testng.annotations.Test)
