Example 6 with AbstractCryptoProvider

Use of org.gluu.oxauth.model.crypto.AbstractCryptoProvider in project oxAuth by GluuFederation.

The class CrossEncryptionTest, method nestedJWTProducedByGluu.

@Test
public void nestedJWTProducedByGluu() throws Exception {
    AppConfiguration appConfiguration = new AppConfiguration();
    // Build a one-key JWKS holding the sender's signing key
    List<JSONWebKey> keyArrayList = new ArrayList<JSONWebKey>();
    keyArrayList.add(getSenderWebKey());
    JSONWebKeySet keySet = new JSONWebKeySet();
    keySet.setKeys(keyArrayList);
    // Minimal AbstractCryptoProvider for this test: only sign() is implemented, using the
    // sender's RSA private key from senderJwkJson via Bouncy Castle; everything else is a stub.
    final JwtSigner jwtSigner = new JwtSigner(appConfiguration, keySet, SignatureAlgorithm.RS256, "audience", null, new AbstractCryptoProvider() {

        @Override
        public JSONObject generateKey(Algorithm algorithm, Long expirationTime, Use use) throws Exception {
            return null;
        }

        @Override
        public JSONObject generateKey(Algorithm algorithm, Long expirationTime, Use use, int keyLength) throws Exception {
            return null;
        }

        @Override
        public boolean containsKey(String keyId) {
            return false;
        }

        @Override
        public String sign(String signingInput, String keyId, String sharedSecret, SignatureAlgorithm signatureAlgorithm) throws Exception {
            RSAPrivateKey privateKey = ((RSAKey) JWK.parse(senderJwkJson)).toRSAPrivateKey();
            Signature signature = Signature.getInstance(signatureAlgorithm.getAlgorithm(), "BC");
            signature.initSign(privateKey);
            // Sign the UTF-8 bytes explicitly instead of relying on the platform default charset
            signature.update(signingInput.getBytes("UTF-8"));
            return Base64Util.base64urlencode(signature.sign());
        }

        @Override
        public boolean verifySignature(String signingInput, String encodedSignature, String keyId, JSONObject jwks, String sharedSecret, SignatureAlgorithm signatureAlgorithm) throws Exception {
            return false;
        }

        @Override
        public boolean deleteKey(String keyId) throws Exception {
            return false;
        }

        @Override
        public PrivateKey getPrivateKey(String keyId) throws Exception {
            throw new UnsupportedOperationException("Method not implemented.");
        }
    });
    // Inner JWS: an RS256-signed JWT carrying the claims
    Jwt jwt = jwtSigner.newJwt();
    jwt.getClaims().setSubjectIdentifier("testing");
    jwt.getClaims().setIssuer("https:devgluu.saminet.local");
    jwt = jwtSigner.sign();
    // Outer JWE: the signed JWT becomes the payload, encrypted to the recipient's public key
    // (RSA-OAEP key management, A128GCM content encryption)
    RSAKey recipientPublicJWK = (RSAKey) (JWK.parse(recipientJwkJson));
    BlockEncryptionAlgorithm blockEncryptionAlgorithm = BlockEncryptionAlgorithm.A128GCM;
    KeyEncryptionAlgorithm keyEncryptionAlgorithm = KeyEncryptionAlgorithm.RSA_OAEP;
    Jwe jwe = new Jwe();
    jwe.getHeader().setType(JwtType.JWT);
    jwe.getHeader().setAlgorithm(keyEncryptionAlgorithm);
    jwe.getHeader().setEncryptionMethod(blockEncryptionAlgorithm);
    jwe.getHeader().setKeyId("1");
    jwe.setSignedJWTPayload(jwt);
    JweEncrypterImpl encrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, recipientPublicJWK.toPublicKey());
    String jweString = encrypter.encrypt(jwe).toString();
    // Cross-check: both the Gluu and the Nimbus implementation must decrypt the JWE
    // and verify the inner signature
    decryptAndValidateSignatureWithGluu(jweString);
    decryptAndValidateSignatureWithNimbus(jweString);
}
Also used: RSAKey(com.nimbusds.jose.jwk.RSAKey) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) PrivateKey(java.security.PrivateKey) JSONWebKeySet(org.gluu.oxauth.model.jwk.JSONWebKeySet) ArrayList(java.util.ArrayList) SignatureAlgorithm(org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm) BlockEncryptionAlgorithm(org.gluu.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm) KeyEncryptionAlgorithm(org.gluu.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm) JwtSigner(org.gluu.oxauth.model.token.JwtSigner) AppConfiguration(org.gluu.oxauth.model.configuration.AppConfiguration) Jwe(org.gluu.oxauth.model.jwe.Jwe) JweEncrypterImpl(org.gluu.oxauth.model.jwe.JweEncrypterImpl) AbstractCryptoProvider(org.gluu.oxauth.model.crypto.AbstractCryptoProvider) Use(org.gluu.oxauth.model.jwk.Use) Algorithm(org.gluu.oxauth.model.jwk.Algorithm) JSONWebKey(org.gluu.oxauth.model.jwk.JSONWebKey) Jwt(org.gluu.oxauth.model.jwt.Jwt) JSONObject(org.json.JSONObject) JSONException(org.json.JSONException) ParseException(java.text.ParseException) IOException(java.io.IOException) InvalidJwtException(org.gluu.oxauth.model.exception.InvalidJwtException) InvalidJweException(org.gluu.oxauth.model.exception.InvalidJweException) Signature(java.security.Signature) Test(org.testng.annotations.Test)

Example 7 with AbstractCryptoProvider

Use of org.gluu.oxauth.model.crypto.AbstractCryptoProvider in project oxAuth by GluuFederation.

The class CryptoProviderProviderFactory, method getCryptoProvider.

@Produces
@ApplicationScoped
public AbstractCryptoProvider getCryptoProvider() throws Exception {
    log.debug("Started to create crypto provider");
    // The configured web-key storage decides which provider implementation is built;
    // fail fast so the server never runs without a working crypto provider.
    WebKeyStorage webKeyStorage = appConfiguration.getWebKeysStorage();
    if (webKeyStorage == null) {
        throw new RuntimeException("Failed to initialize cryptoProvider, cryptoProviderType is not specified!");
    }
    AbstractCryptoProvider cryptoProvider = org.gluu.oxauth.model.crypto.CryptoProviderFactory.getCryptoProvider(appConfiguration);
    if (cryptoProvider == null) {
        throw new RuntimeException("Failed to initialize cryptoProvider, cryptoProviderType is unsupported: " + webKeyStorage);
    }
    // CDI producer: a single application-scoped instance is shared by every injection point
    return cryptoProvider;
}
Also used: WebKeyStorage(org.gluu.oxauth.model.common.WebKeyStorage) AbstractCryptoProvider(org.gluu.oxauth.model.crypto.AbstractCryptoProvider) Produces(javax.enterprise.inject.Produces) ApplicationScoped(javax.enterprise.context.ApplicationScoped)

Example 8 with AbstractCryptoProvider

Use of org.gluu.oxauth.model.crypto.AbstractCryptoProvider in project oxAuth by GluuFederation.

The class IndividualClaimsRequestsTest, method requestClaimsIndividuallyRequestObjectSigningAlgNoneUserInfoSignedResponseJson.

@Parameters({ "userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri" })
@Test
public void requestClaimsIndividuallyRequestObjectSigningAlgNoneUserInfoSignedResponseJson(final String userId, final String userSecret, final String redirectUris, final String redirectUri, final String sectorIdentifierUri) throws Exception {
    showTitle("requestClaimsIndividuallyRequestObjectSigningAlgNoneUserInfoSignedResponseJson");
    List<ResponseType> responseTypes = Arrays.asList(ResponseType.TOKEN, ResponseType.ID_TOKEN);
    // 1. Register client
    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app", StringUtils.spaceSeparatedToList(redirectUris));
    registerRequest.setResponseTypes(responseTypes);
    registerRequest.setSectorIdentifierUri(sectorIdentifierUri);
    registerRequest.setRequestObjectSigningAlg(SignatureAlgorithm.NONE);
    registerRequest.setIdTokenSignedResponseAlg(SignatureAlgorithm.NONE);
    registerRequest.setClaims(Arrays.asList(JwtClaimName.NAME, JwtClaimName.NICKNAME, JwtClaimName.GIVEN_NAME, JwtClaimName.FAMILY_NAME, JwtClaimName.PICTURE, JwtClaimName.ZONEINFO, JwtClaimName.LOCALE, JwtClaimName.ADDRESS_STREET_ADDRESS, JwtClaimName.ADDRESS_LOCALITY, JwtClaimName.ADDRESS_REGION, JwtClaimName.ADDRESS_POSTAL_CODE, JwtClaimName.ADDRESS_COUNTRY));
    RegisterClient registerClient = newRegisterClient(registerRequest);
    RegisterResponse registerResponse = registerClient.exec();
    showClient(registerClient);
    assertEquals(registerResponse.getStatus(), 200, "Unexpected response code: " + registerResponse.getEntity());
    assertNotNull(registerResponse.getClientId());
    assertNotNull(registerResponse.getClientSecret());
    assertNotNull(registerResponse.getRegistrationAccessToken());
    assertNotNull(registerResponse.getClientIdIssuedAt());
    assertNotNull(registerResponse.getClientSecretExpiresAt());
    String clientId = registerResponse.getClientId();
    String clientSecret = registerResponse.getClientSecret();
    // 2. Request authorization
    // The request object and the id_token are deliberately unsigned (alg=none) in this test,
    // so the crypto provider used here must be one that explicitly allows "none"; a provider
    // with the default settings is expected to reject it.
    AbstractCryptoProvider cryptoProvider = createCryptoProviderWithAllowedNone();
    List<String> scopes = Arrays.asList("openid", "clientinfo");
    // Fresh nonce and state per request (replay and CSRF protection for the authorization response)
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();
    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);
    // Build the request object as a JWT; with SignatureAlgorithm.NONE no signature is produced
    JwtAuthorizationRequest jwtAuthorizationRequest = new JwtAuthorizationRequest(authorizationRequest, SignatureAlgorithm.NONE, clientSecret, cryptoProvider);
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.NAME, ClaimValue.createNull()));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.NICKNAME, ClaimValue.createEssential(false)));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.GIVEN_NAME, ClaimValue.createEssential(false)));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.FAMILY_NAME, ClaimValue.createEssential(false)));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.EMAIL, ClaimValue.createNull()));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.EMAIL_VERIFIED, ClaimValue.createNull()));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.PICTURE, ClaimValue.createEssential(false)));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.ZONEINFO, ClaimValue.createNull()));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.LOCALE, ClaimValue.createNull()));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.ADDRESS_STREET_ADDRESS, ClaimValue.createNull()));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.ADDRESS_LOCALITY, ClaimValue.createNull()));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.ADDRESS_REGION, ClaimValue.createNull()));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.ADDRESS_POSTAL_CODE, ClaimValue.createNull()));
    jwtAuthorizationRequest.addUserInfoClaim(new Claim(JwtClaimName.ADDRESS_COUNTRY, ClaimValue.createNull()));
    jwtAuthorizationRequest.addIdTokenClaim(new Claim(JwtClaimName.AUTHENTICATION_TIME, ClaimValue.createNull()));
    jwtAuthorizationRequest.addIdTokenClaim(new Claim(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, ClaimValue.createValueList(new String[] { ACR_VALUE })));
    jwtAuthorizationRequest.addIdTokenClaim(new Claim(JwtClaimName.NAME, ClaimValue.createEssential(true)));
    jwtAuthorizationRequest.addIdTokenClaim(new Claim(JwtClaimName.NICKNAME, ClaimValue.createEssential(false)));
    jwtAuthorizationRequest.addIdTokenClaim(new Claim(JwtClaimName.GIVEN_NAME, ClaimValue.createEssential(false)));
    jwtAuthorizationRequest.addIdTokenClaim(new Claim(JwtClaimName.FAMILY_NAME, ClaimValue.createEssential(false)));
    jwtAuthorizationRequest.addIdTokenClaim(new Claim(JwtClaimName.EMAIL, ClaimValue.createNull()));
    jwtAuthorizationRequest.addIdTokenClaim(new Claim(JwtClaimName.EMAIL_VERIFIED, ClaimValue.createNull()));
    jwtAuthorizationRequest.getIdTokenMember().setMaxAge(86400);
    String authJwt = jwtAuthorizationRequest.getEncodedJwt();
    authorizationRequest.setRequest(authJwt);
    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(authorizationEndpoint, authorizationRequest, userId, userSecret);
    assertNotNull(authorizationResponse.getLocation(), "The location is null");
    assertNotNull(authorizationResponse.getAccessToken(), "The accessToken is null");
    assertNotNull(authorizationResponse.getTokenType(), "The tokenType is null");
    assertNotNull(authorizationResponse.getIdToken(), "The idToken is null");
    assertNotNull(authorizationResponse.getState(), "The state is null");
    String idToken = authorizationResponse.getIdToken();
    String accessToken = authorizationResponse.getAccessToken();
    // 3. Validate id_token
    Jwt jwt = Jwt.parse(idToken);
    assertNotNull(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
    assertNotNull(jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.AUDIENCE));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.EXPIRATION_TIME));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.ISSUED_AT));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.ACCESS_TOKEN_HASH));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.AUTHENTICATION_TIME));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.NAME));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.NICKNAME));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.GIVEN_NAME));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.FAMILY_NAME));
    assertNull(jwt.getClaims().getClaimAsString(JwtClaimName.EMAIL));
    assertNull(jwt.getClaims().getClaimAsString(JwtClaimName.EMAIL_VERIFIED));
    // With alg=none there is no cryptographic signature to check: PlainTextSignature.validate()
    // only accepts the token in its unsigned form
    PlainTextSignature signer = new PlainTextSignature();
    assertTrue(signer.validate(jwt));
    // 4. Request user info
    UserInfoClient userInfoClient = new UserInfoClient(userInfoEndpoint);
    UserInfoResponse userInfoResponse = userInfoClient.execUserInfo(accessToken);
    showClient(userInfoClient);
    assertEquals(userInfoResponse.getStatus(), 200, "Unexpected response code: " + userInfoResponse.getStatus());
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.SUBJECT_IDENTIFIER));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.NAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.NICKNAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.GIVEN_NAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.FAMILY_NAME));
    assertNull(userInfoResponse.getClaim(JwtClaimName.EMAIL));
    assertNull(userInfoResponse.getClaim(JwtClaimName.EMAIL_VERIFIED));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.PICTURE));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.ZONEINFO));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.LOCALE));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.ADDRESS_STREET_ADDRESS));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.ADDRESS_LOCALITY));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.ADDRESS_REGION));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.ADDRESS_COUNTRY));
}
Also used: RegisterRequest(org.gluu.oxauth.client.RegisterRequest) RegisterResponse(org.gluu.oxauth.client.RegisterResponse) RegisterClient(org.gluu.oxauth.client.RegisterClient) AuthorizationRequest(org.gluu.oxauth.client.AuthorizationRequest) AuthorizationResponse(org.gluu.oxauth.client.AuthorizationResponse) JwtAuthorizationRequest(org.gluu.oxauth.client.model.authorize.JwtAuthorizationRequest) Claim(org.gluu.oxauth.client.model.authorize.Claim) UserInfoClient(org.gluu.oxauth.client.UserInfoClient) UserInfoResponse(org.gluu.oxauth.client.UserInfoResponse) Jwt(org.gluu.oxauth.model.jwt.Jwt) PlainTextSignature(org.gluu.oxauth.model.jws.PlainTextSignature) ResponseType(org.gluu.oxauth.model.common.ResponseType) AbstractCryptoProvider(org.gluu.oxauth.model.crypto.AbstractCryptoProvider) Parameters(org.testng.annotations.Parameters) BaseTest(org.gluu.oxauth.BaseTest) Test(org.testng.annotations.Test)

Example 9 with AbstractCryptoProvider

Use of org.gluu.oxauth.model.crypto.AbstractCryptoProvider in project oxAuth by GluuFederation.

The class SubjectIdentifierGenerator, method generatePairwiseSubjectIdentifier.

// Pairwise subject identifier (OpenID Connect "pairwise" subject type): the same user gets a
// different, non-reversible "sub" per sector identifier. It is derived as an HMAC-SHA256 over
// sectorIdentifier + localAccountId + salt, keyed with the server-side secret `key`.
public static String generatePairwiseSubjectIdentifier(String sectorIdentifier, String localAccountId, String key, String salt, AppConfiguration configuration) throws Exception {
    AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(configuration);
    String signingInput = sectorIdentifier + localAccountId + salt;
    // keyId is null: HS256 uses the shared secret passed in `key`, not a keystore entry
    return cryptoProvider.sign(signingInput, null, key, SignatureAlgorithm.HS256);
}
Also used: AbstractCryptoProvider(org.gluu.oxauth.model.crypto.AbstractCryptoProvider)

Example 10 with AbstractCryptoProvider

Use of org.gluu.oxauth.model.crypto.AbstractCryptoProvider in project oxAuth by GluuFederation.

The class ConfigurationFactory, method generateWebKeys.

private void generateWebKeys() {
    // Reached only after loading the persisted JWKS failed
    log.info("Failed to load JWKS. Attempting to generate new JWKS...");
    String newWebKeys = null;
    try {
        final AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(getAppConfiguration());
        // Generate new JWKS: the provider creates the key pairs and returns the public JWKS as JSON
        JSONObject jsonObject = AbstractCryptoProvider.generateJwks(cryptoProvider, getAppConfiguration());
        newWebKeys = jsonObject.toString();
        // Attempt to load new JWKS
        jwks = ServerUtil.createJsonMapper().readValue(newWebKeys, WebKeysConfiguration.class);
        // Store new JWKS in LDAP, bumping the configuration revision so the change is detected
        Conf conf = loadConfigurationFromLdap();
        conf.setWebKeys(jwks);
        long nextRevision = conf.getRevision() + 1;
        conf.setRevision(nextRevision);
        final PersistenceEntryManager ldapManager = persistenceEntryManagerInstance.get();
        ldapManager.merge(conf);
        log.info("Generated new JWKS successfully.");
        // Trace logging lists key identifiers only, never key material
        log.trace("JWKS keys: " + conf.getWebKeys().getKeys().stream().map(JSONWebKey::getKid).collect(Collectors.toList()));
        log.trace("KeyStore keys: " + cryptoProvider.getKeys());
    } catch (Exception ex2) {
        // Generation failure is logged and swallowed; the server keeps running without fresh keys
        log.error("Failed to re-generate JWKS keys", ex2);
    }
}
Also used: PersistenceEntryManager(org.gluu.persist.PersistenceEntryManager) JSONObject(org.json.JSONObject) AbstractCryptoProvider(org.gluu.oxauth.model.crypto.AbstractCryptoProvider) BasePersistenceException(org.gluu.persist.exception.BasePersistenceException) ConfigurationException(org.gluu.exception.ConfigurationException)
