Search in sources :

Example 26 with RSAPublicKey

use of org.gluu.oxauth.model.crypto.signature.RSAPublicKey in project oxAuth by GluuFederation.

the class DeviceAuthzFlowHttpTest method verifyIdToken.

private void verifyIdToken(String idToken) throws InvalidJwtException, UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
    Jwt jwt = Jwt.parse(idToken);
    assertNotNull(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
    assertNotNull(jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.AUDIENCE));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.EXPIRATION_TIME));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.ISSUED_AT));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.OX_OPENID_CONNECT_VERSION));
    RSAPublicKey publicKey = JwkClient.getRSAPublicKey(jwksUri, jwt.getHeader().getClaimAsString(JwtHeaderName.KEY_ID), clientEngine(true));
    RSASigner rsaSigner = new RSASigner(SignatureAlgorithm.RS256, publicKey);
    assertTrue(rsaSigner.validate(jwt));
}
Also used : RSAPublicKey(org.gluu.oxauth.model.crypto.signature.RSAPublicKey) Jwt(org.gluu.oxauth.model.jwt.Jwt) RSASigner(org.gluu.oxauth.model.jws.RSASigner)

Example 27 with RSAPublicKey

use of org.gluu.oxauth.model.crypto.signature.RSAPublicKey in project oxAuth by GluuFederation.

the class ValidateIdTokenHashesTest method validateIdTokenHashes.

@Parameters({ "userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri" })
@Test
public void validateIdTokenHashes(final String userId, final String userSecret, final String redirectUris, final String redirectUri, final String sectorIdentifierUri) throws Exception {
    showTitle("authorizationCodeFlow");
    List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE, ResponseType.TOKEN, ResponseType.ID_TOKEN);
    List<String> scopes = Arrays.asList("openid", "profile", "address", "email", "phone", "user_name");
    // 1. Register client
    RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app", StringUtils.spaceSeparatedToList(redirectUris));
    registerRequest.setResponseTypes(responseTypes);
    registerRequest.setScope(scopes);
    registerRequest.setSubjectType(SubjectType.PAIRWISE);
    registerRequest.setSectorIdentifierUri(sectorIdentifierUri);
    RegisterClient registerClient = new RegisterClient(registrationEndpoint);
    registerClient.setRequest(registerRequest);
    RegisterResponse registerResponse = registerClient.exec();
    showClient(registerClient);
    assertEquals(registerResponse.getStatus(), 200, "Unexpected response code: " + registerResponse.getEntity());
    assertNotNull(registerResponse.getClientId());
    assertNotNull(registerResponse.getClientSecret());
    assertNotNull(registerResponse.getRegistrationAccessToken());
    assertNotNull(registerResponse.getClientIdIssuedAt());
    assertNotNull(registerResponse.getClientSecretExpiresAt());
    String clientId = registerResponse.getClientId();
    String clientSecret = registerResponse.getClientSecret();
    // 2. Request authorization and receive the authorization code.
    String nonce = UUID.randomUUID().toString();
    String stateParam = UUID.randomUUID().toString();
    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(stateParam);
    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(authorizationEndpoint, authorizationRequest, userId, userSecret);
    assertNotNull(authorizationResponse.getLocation(), "The location is null");
    assertNotNull(authorizationResponse.getCode(), "The authorization code is null");
    assertNotNull(authorizationResponse.getScope(), "The scope is null");
    assertNotNull(authorizationResponse.getState(), "The state is null");
    assertEquals(authorizationResponse.getState(), stateParam);
    String scope = authorizationResponse.getScope();
    String authorizationCode = authorizationResponse.getCode();
    String accessToken = authorizationResponse.getAccessToken();
    String idToken = authorizationResponse.getIdToken();
    String state = authorizationResponse.getState();
    // 3. Validate id_token
    Jwt jwt = Jwt.parse(idToken);
    Asserter.assertIdToken(jwt);
    RSAPublicKey publicKey = JwkClient.getRSAPublicKey(jwksUri, jwt.getHeader().getClaimAsString(JwtHeaderName.KEY_ID));
    RSASigner rsaSigner = new RSASigner(SignatureAlgorithm.RS256, publicKey);
    assertTrue(rsaSigner.validate(jwt));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.CODE_HASH));
    assertTrue(rsaSigner.validateAuthorizationCode(authorizationCode, jwt));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.ACCESS_TOKEN_HASH));
    assertTrue(rsaSigner.validateAccessToken(accessToken, jwt));
    assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.STATE_HASH));
    assertTrue(rsaSigner.validateState(state, jwt));
    // 4. Request access token using the authorization code.
    TokenRequest tokenRequest = new TokenRequest(GrantType.AUTHORIZATION_CODE);
    tokenRequest.setCode(authorizationCode);
    tokenRequest.setRedirectUri(redirectUri);
    tokenRequest.setAuthUsername(clientId);
    tokenRequest.setAuthPassword(clientSecret);
    tokenRequest.setAuthenticationMethod(AuthenticationMethod.CLIENT_SECRET_BASIC);
    TokenClient tokenClient1 = new TokenClient(tokenEndpoint);
    tokenClient1.setRequest(tokenRequest);
    TokenResponse tokenResponse1 = tokenClient1.exec();
    showClient(tokenClient1);
    assertEquals(tokenResponse1.getStatus(), 200, "Unexpected response code: " + tokenResponse1.getStatus());
    assertNotNull(tokenResponse1.getEntity(), "The entity is null");
    assertNotNull(tokenResponse1.getAccessToken(), "The access token is null");
    assertNotNull(tokenResponse1.getExpiresIn(), "The expires in value is null");
    assertNotNull(tokenResponse1.getTokenType(), "The token type is null");
    assertNotNull(tokenResponse1.getRefreshToken(), "The refresh token is null");
    String refreshToken = tokenResponse1.getRefreshToken();
    String idToken2 = tokenResponse1.getIdToken();
    String accessToken2 = tokenResponse1.getAccessToken();
    // 5. Validate id_token
    Jwt jwt2 = Jwt.parse(idToken2);
    Asserter.assertIdToken(jwt2);
    RSAPublicKey publicKey2 = JwkClient.getRSAPublicKey(jwksUri, jwt2.getHeader().getClaimAsString(JwtHeaderName.KEY_ID));
    RSASigner rsaSigner2 = new RSASigner(SignatureAlgorithm.RS256, publicKey2);
    assertTrue(rsaSigner2.validate(jwt2));
    assertNotNull(jwt2.getClaims().getClaimAsString(JwtClaimName.ACCESS_TOKEN_HASH));
    assertTrue(rsaSigner2.validateAccessToken(accessToken2, jwt2));
    assertNull(jwt2.getClaims().getClaimAsString(JwtClaimName.STATE_HASH));
    // 6. Request new access token using the refresh token.
    TokenClient tokenClient2 = new TokenClient(tokenEndpoint);
    TokenResponse tokenResponse2 = tokenClient2.execRefreshToken(scope, refreshToken, clientId, clientSecret);
    showClient(tokenClient2);
    assertEquals(tokenResponse2.getStatus(), 200, "Unexpected response code: " + tokenResponse2.getStatus());
    assertNotNull(tokenResponse2.getEntity(), "The entity is null");
    assertNotNull(tokenResponse2.getAccessToken(), "The access token is null");
    assertNotNull(tokenResponse2.getTokenType(), "The token type is null");
    assertNotNull(tokenResponse2.getRefreshToken(), "The refresh token is null");
    assertNotNull(tokenResponse2.getScope(), "The scope is null");
    String accessToken3 = tokenResponse2.getAccessToken();
    // 7. Request user info
    UserInfoClient userInfoClient = new UserInfoClient(userInfoEndpoint);
    UserInfoResponse userInfoResponse = userInfoClient.execUserInfo(accessToken3);
    showClient(userInfoClient);
    assertEquals(userInfoResponse.getStatus(), 200, "Unexpected response code: " + userInfoResponse.getStatus());
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.SUBJECT_IDENTIFIER));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.NAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.BIRTHDATE));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.FAMILY_NAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.GENDER));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.GIVEN_NAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.MIDDLE_NAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.NICKNAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.PICTURE));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.PREFERRED_USERNAME));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.PROFILE));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.WEBSITE));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.EMAIL));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.EMAIL_VERIFIED));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.PHONE_NUMBER));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.PHONE_NUMBER_VERIFIED));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.ADDRESS));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.LOCALE));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.ZONEINFO));
    assertNotNull(userInfoResponse.getClaim(JwtClaimName.USER_NAME));
    assertNull(userInfoResponse.getClaim("org_name"));
    assertNull(userInfoResponse.getClaim("work_phone"));
}
Also used : RegisterRequest(org.gluu.oxauth.client.RegisterRequest) AuthorizationRequest(org.gluu.oxauth.client.AuthorizationRequest) Jwt(org.gluu.oxauth.model.jwt.Jwt) UserInfoClient(org.gluu.oxauth.client.UserInfoClient) ResponseType(org.gluu.oxauth.model.common.ResponseType) AuthorizationResponse(org.gluu.oxauth.client.AuthorizationResponse) RegisterResponse(org.gluu.oxauth.client.RegisterResponse) RSAPublicKey(org.gluu.oxauth.model.crypto.signature.RSAPublicKey) TokenResponse(org.gluu.oxauth.client.TokenResponse) RegisterClient(org.gluu.oxauth.client.RegisterClient) RSASigner(org.gluu.oxauth.model.jws.RSASigner) TokenRequest(org.gluu.oxauth.client.TokenRequest) UserInfoResponse(org.gluu.oxauth.client.UserInfoResponse) TokenClient(org.gluu.oxauth.client.TokenClient) Parameters(org.testng.annotations.Parameters) BaseTest(org.gluu.oxauth.BaseTest) Test(org.testng.annotations.Test)

Example 28 with RSAPublicKey

use of org.gluu.oxauth.model.crypto.signature.RSAPublicKey in project oxAuth by GluuFederation.

the class Certificate method getPublicKey.

public PublicKey getPublicKey() {
    PublicKey publicKey = null;
    if (x509Certificate != null && x509Certificate.getPublicKey() instanceof BCRSAPublicKey) {
        BCRSAPublicKey jcersaPublicKey = (BCRSAPublicKey) x509Certificate.getPublicKey();
        publicKey = new RSAPublicKey(jcersaPublicKey.getModulus(), jcersaPublicKey.getPublicExponent());
    } else if (x509Certificate != null && x509Certificate.getPublicKey() instanceof BCECPublicKey) {
        BCECPublicKey jceecPublicKey = (BCECPublicKey) x509Certificate.getPublicKey();
        publicKey = new ECDSAPublicKey(signatureAlgorithm, jceecPublicKey.getQ().getXCoord().toBigInteger(), jceecPublicKey.getQ().getYCoord().toBigInteger());
    }
    return publicKey;
}
Also used : RSAPublicKey(org.gluu.oxauth.model.crypto.signature.RSAPublicKey) BCRSAPublicKey(org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPublicKey) BCECPublicKey(org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey) RSAPublicKey(org.gluu.oxauth.model.crypto.signature.RSAPublicKey) BCRSAPublicKey(org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPublicKey) BCECPublicKey(org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey) ECDSAPublicKey(org.gluu.oxauth.model.crypto.signature.ECDSAPublicKey) BCRSAPublicKey(org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPublicKey) ECDSAPublicKey(org.gluu.oxauth.model.crypto.signature.ECDSAPublicKey)

Example 29 with RSAPublicKey

use of org.gluu.oxauth.model.crypto.signature.RSAPublicKey in project oxAuth by GluuFederation.

the class SignatureTest method generateRS512Keys.

@Test
public void generateRS512Keys() throws Exception {
    showTitle("TEST: generateRS512Keys");
    KeyFactory<RSAPrivateKey, RSAPublicKey> keyFactory = new RSAKeyFactory(SignatureAlgorithm.RS512, "CN=Test CA Certificate");
    Key<RSAPrivateKey, RSAPublicKey> key = keyFactory.getKey();
    RSAPrivateKey privateKey = key.getPrivateKey();
    RSAPublicKey publicKey = key.getPublicKey();
    Certificate certificate = key.getCertificate();
    System.out.println(key);
    String signingInput = "Hello World!";
    RSASigner rsaSigner1 = new RSASigner(SignatureAlgorithm.RS512, privateKey);
    String signature = rsaSigner1.generateSignature(signingInput);
    RSASigner rsaSigner2 = new RSASigner(SignatureAlgorithm.RS512, publicKey);
    assertTrue(rsaSigner2.validateSignature(signingInput, signature));
    RSASigner rsaSigner3 = new RSASigner(SignatureAlgorithm.RS512, certificate);
    assertTrue(rsaSigner3.validateSignature(signingInput, signature));
}
Also used : RSAKeyFactory(org.gluu.oxauth.model.crypto.signature.RSAKeyFactory) RSAPublicKey(org.gluu.oxauth.model.crypto.signature.RSAPublicKey) RSASigner(org.gluu.oxauth.model.jws.RSASigner) RSAPrivateKey(org.gluu.oxauth.model.crypto.signature.RSAPrivateKey) Certificate(org.gluu.oxauth.model.crypto.Certificate) BaseTest(org.gluu.oxauth.BaseTest) Test(org.testng.annotations.Test)

Example 30 with RSAPublicKey

use of org.gluu.oxauth.model.crypto.signature.RSAPublicKey in project oxAuth by GluuFederation.

the class SignatureTest method generateRS256Keys.

@Test
public void generateRS256Keys() throws Exception {
    showTitle("TEST: generateRS256Keys");
    KeyFactory<RSAPrivateKey, RSAPublicKey> keyFactory = new RSAKeyFactory(SignatureAlgorithm.RS256, "CN=Test CA Certificate");
    Key<RSAPrivateKey, RSAPublicKey> key = keyFactory.getKey();
    RSAPrivateKey privateKey = key.getPrivateKey();
    RSAPublicKey publicKey = key.getPublicKey();
    Certificate certificate = key.getCertificate();
    System.out.println(key);
    String signingInput = "Hello World!";
    RSASigner rsaSigner1 = new RSASigner(SignatureAlgorithm.RS256, privateKey);
    String signature = rsaSigner1.generateSignature(signingInput);
    RSASigner rsaSigner2 = new RSASigner(SignatureAlgorithm.RS256, publicKey);
    assertTrue(rsaSigner2.validateSignature(signingInput, signature));
    RSASigner rsaSigner3 = new RSASigner(SignatureAlgorithm.RS256, certificate);
    assertTrue(rsaSigner3.validateSignature(signingInput, signature));
}
Also used : RSAKeyFactory(org.gluu.oxauth.model.crypto.signature.RSAKeyFactory) RSAPublicKey(org.gluu.oxauth.model.crypto.signature.RSAPublicKey) RSASigner(org.gluu.oxauth.model.jws.RSASigner) RSAPrivateKey(org.gluu.oxauth.model.crypto.signature.RSAPrivateKey) Certificate(org.gluu.oxauth.model.crypto.Certificate) BaseTest(org.gluu.oxauth.BaseTest) Test(org.testng.annotations.Test)

Aggregations

RSAPublicKey (org.gluu.oxauth.model.crypto.signature.RSAPublicKey)107 RSASigner (org.gluu.oxauth.model.jws.RSASigner)101 Jwt (org.gluu.oxauth.model.jwt.Jwt)97 BaseTest (org.gluu.oxauth.BaseTest)93 Test (org.testng.annotations.Test)93 AuthorizationResponse (org.gluu.oxauth.client.AuthorizationResponse)92 RegisterResponse (org.gluu.oxauth.client.RegisterResponse)90 ResponseType (org.gluu.oxauth.model.common.ResponseType)90 Parameters (org.testng.annotations.Parameters)89 AuthorizationRequest (org.gluu.oxauth.client.AuthorizationRequest)86 RegisterClient (org.gluu.oxauth.client.RegisterClient)83 RegisterRequest (org.gluu.oxauth.client.RegisterRequest)83 AuthorizeClient (org.gluu.oxauth.client.AuthorizeClient)53 UserInfoClient (org.gluu.oxauth.client.UserInfoClient)49 UserInfoResponse (org.gluu.oxauth.client.UserInfoResponse)49 JwtAuthorizationRequest (org.gluu.oxauth.client.model.authorize.JwtAuthorizationRequest)40 OxAuthCryptoProvider (org.gluu.oxauth.model.crypto.OxAuthCryptoProvider)25 TokenClient (org.gluu.oxauth.client.TokenClient)24 TokenResponse (org.gluu.oxauth.client.TokenResponse)24 Claim (org.gluu.oxauth.client.model.authorize.Claim)24