Example 1 with InvalidJweException

Use of org.gluu.oxauth.model.exception.InvalidJweException in project oxAuth by GluuFederation.

From the class JweEncrypterImpl, method encrypt:

@Override
public Jwe encrypt(Jwe jwe) throws InvalidJweException {
    try {
        JWEEncrypter encrypter = createJweEncrypter();
        // A signed JWT nested inside the JWE is marked with cty=JWT (RFC 7519, section 5.2)
        if (jwe.getSignedJWTPayload() != null) {
            jwe.getHeader().setContentType(JwtType.JWT);
        }
        JWEObject jweObject = new JWEObject(JWEHeader.parse(jwe.getHeader().toJsonObject().toString()), createPayload(jwe));
        jweObject.encrypt(encrypter);
        String encryptedJwe = jweObject.serialize();
        // JWE compact serialization is header.encryptedKey.iv.ciphertext.authTag (RFC 7516, section 7.1)
        String[] jweParts = encryptedJwe.split("\\.");
        if (jweParts.length != 5) {
            // Message corrected from "Invalid JWS format." (this is a JWE); wrapped as InvalidJweException below
            throw new InvalidJwtException("Invalid JWE format.");
        }
        String encodedHeader = jweParts[0];
        String encodedEncryptedKey = jweParts[1];
        String encodedInitializationVector = jweParts[2];
        String encodedCipherText = jweParts[3];
        String encodedIntegrityValue = jweParts[4];
        jwe.setEncodedHeader(encodedHeader);
        jwe.setEncodedEncryptedKey(encodedEncryptedKey);
        jwe.setEncodedInitializationVector(encodedInitializationVector);
        jwe.setEncodedCiphertext(encodedCipherText);
        jwe.setEncodedIntegrityValue(encodedIntegrityValue);
        // Re-read the header from the serialized form so the Jwe reflects what was actually emitted
        jwe.setHeader(new JwtHeader(encodedHeader));
        return jwe;
    } catch (Exception e) {
        // Every failure (parse, crypto, format) surfaces as a single InvalidJweException
        throw new InvalidJweException(e);
    }
}
Imports used by this method:
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.text.ParseException;
import org.gluu.oxauth.model.exception.InvalidJweException;
import org.gluu.oxauth.model.exception.InvalidJwtException;
import org.gluu.oxauth.model.jwt.JwtHeader;

Example 2 with InvalidJweException

Use of org.gluu.oxauth.model.exception.InvalidJweException in project oxAuth by GluuFederation.

From the class JwrService, method encryptJwe:

private Jwe encryptJwe(Jwe jwe, Client client) throws Exception {
    // Optional nested JWT: sign the claims first, then encrypt the signed token as the JWE payload
    if (appConfiguration.getUseNestedJwtDuringEncryption()) {
        JwtSigner jwtSigner = JwtSigner.newJwtSigner(appConfiguration, webKeysConfiguration, client);
        Jwt jwt = jwtSigner.newJwt();
        jwt.setClaims(jwe.getClaims());
        jwe.setSignedJWTPayload(signJwt(jwt, client));
    }
    KeyEncryptionAlgorithm keyEncryptionAlgorithm = KeyEncryptionAlgorithm.fromName(jwe.getHeader().getClaimAsString(ALGORITHM));
    final BlockEncryptionAlgorithm encryptionMethod = jwe.getHeader().getEncryptionMethod();
    if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
        // Asymmetric case: the content key is wrapped with the client's public key, looked up by
        // use=enc and alg in the client's JWK Set fetched from its registered jwks_uri
        JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(client.getJwksUri());
        String keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys), Algorithm.fromString(keyEncryptionAlgorithm.getName()), Use.ENCRYPTION);
        PublicKey publicKey = cryptoProvider.getPublicKey(keyId, jsonWebKeys, null);
        jwe.getHeader().setKeyId(keyId);
        if (publicKey == null) {
            throw new InvalidJweException("The public key is not valid");
        }
        JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, encryptionMethod, publicKey);
        return jweEncrypter.encrypt(jwe);
    }
    if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A128KW || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW) {
        // Symmetric case: the client secret (stored encrypted at rest) is the key-wrapping key material,
        // so the wrapping key is only as strong as the secret itself
        byte[] sharedSymmetricKey = clientService.decryptSecret(client.getClientSecret()).getBytes(StandardCharsets.UTF_8);
        JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, encryptionMethod, sharedSymmetricKey);
        return jweEncrypter.encrypt(jwe);
    }
    // Anything else is refused rather than silently returned unencrypted
    throw new IllegalArgumentException("Unsupported encryption algorithm: " + keyEncryptionAlgorithm);
}
Imports used by this method:
import java.security.PublicKey;
import org.gluu.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm;
import org.gluu.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm;
import org.gluu.oxauth.model.exception.InvalidJweException;
import org.gluu.oxauth.model.jwe.JweEncrypter;
import org.gluu.oxauth.model.jwe.JweEncrypterImpl;
import org.gluu.oxauth.model.jwt.Jwt;
import org.gluu.oxauth.service.ServerCryptoProvider;
import org.json.JSONObject;

Example 3 with InvalidJweException

Use of org.gluu.oxauth.model.exception.InvalidJweException in project oxAuth by GluuFederation.

From the class JweDecrypterImpl, method decrypt:

@Override
public Jwe decrypt(String encryptedJwe) throws InvalidJweException {
    try {
        // JWE compact serialization is header.encryptedKey.iv.ciphertext.authTag (RFC 7516, section 7.1)
        String[] jweParts = encryptedJwe.split("\\.");
        if (jweParts.length != 5) {
            // Message corrected from "Invalid JWS format." (this is a JWE); wrapped as InvalidJweException below
            throw new InvalidJwtException("Invalid JWE format.");
        }
        String encodedHeader = jweParts[0];
        String encodedEncryptedKey = jweParts[1];
        String encodedInitializationVector = jweParts[2];
        String encodedCipherText = jweParts[3];
        String encodedIntegrityValue = jweParts[4];
        Jwe jwe = new Jwe();
        jwe.setEncodedHeader(encodedHeader);
        jwe.setEncodedEncryptedKey(encodedEncryptedKey);
        jwe.setEncodedInitializationVector(encodedInitializationVector);
        jwe.setEncodedCiphertext(encodedCipherText);
        jwe.setEncodedIntegrityValue(encodedIntegrityValue);
        jwe.setHeader(new JwtHeader(encodedHeader));
        EncryptedJWT encryptedJwt = EncryptedJWT.parse(encryptedJwe);
        // "alg" and "enc" are read from the (unauthenticated) header, so the explicit allow-list below
        // is what stops a token from steering the decrypter to an unexpected algorithm or key type
        setKeyEncryptionAlgorithm(KeyEncryptionAlgorithm.fromName(jwe.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM)));
        setBlockEncryptionAlgorithm(BlockEncryptionAlgorithm.fromName(jwe.getHeader().getClaimAsString(JwtHeaderName.ENCRYPTION_METHOD)));
        final KeyEncryptionAlgorithm keyEncryptionAlgorithm = getKeyEncryptionAlgorithm();
        Key encryptionKey = null;
        if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5 || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP) {
            // Asymmetric key wrapping: the server's RSA private key unwraps the content encryption key
            encryptionKey = privateKey;
        } else if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A128KW || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW) {
            if (sharedSymmetricKey == null) {
                throw new InvalidJweException("The shared symmetric key is null");
            }
            // AES Key Wrap needs exactly 16 (A128KW) or 32 (A256KW) key bytes
            int keyLength = 16;
            if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW) {
                keyLength = 32;
            }
            if (sharedSymmetricKey.length != keyLength) {
                // Derive the wrapping key by hashing the client secret and truncating; its strength is
                // bounded by the secret's entropy, not by the nominal AES key size
                MessageDigest sha = MessageDigest.getInstance("SHA-256");
                sharedSymmetricKey = sha.digest(sharedSymmetricKey);
                sharedSymmetricKey = Arrays.copyOf(sharedSymmetricKey, keyLength);
            }
            encryptionKey = new SecretKeySpec(sharedSymmetricKey, 0, sharedSymmetricKey.length, "AES");
        } else {
            throw new InvalidJweException("The key encryption algorithm is not supported");
        }
        JWEDecrypter decrypter = DECRYPTER_FACTORY.createJWEDecrypter(encryptedJwt.getHeader(), encryptionKey);
        decrypter.getJCAContext().setProvider(SecurityProviderUtility.getInstance());
        // Decryption also verifies the authentication tag; a tampered token fails here
        encryptedJwt.decrypt(decrypter);
        // Nested JWT (cty=JWT): the plaintext is itself a signed JWT; otherwise it is a plain claims set
        final SignedJWT signedJWT = encryptedJwt.getPayload().toSignedJWT();
        if (signedJWT != null) {
            final Jwt jwt = Jwt.parse(signedJWT.serialize());
            jwe.setSignedJWTPayload(jwt);
            jwe.setClaims(jwt != null ? jwt.getClaims() : null);
        } else {
            final String base64encodedPayload = encryptedJwt.getPayload().toString();
            jwe.setClaims(new JwtClaims(base64encodedPayload));
        }
        return jwe;
    } catch (Exception e) {
        throw new InvalidJweException(e);
    }
}
Imports used by this method:
import com.nimbusds.jose.JWEDecrypter;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.SignedJWT;
import java.security.Key;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.util.Arrays;
import javax.crypto.spec.SecretKeySpec;
import org.gluu.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm;
import org.gluu.oxauth.model.crypto.signature.RSAPrivateKey;
import org.gluu.oxauth.model.exception.InvalidJweException;
import org.gluu.oxauth.model.exception.InvalidJwtException;
import org.gluu.oxauth.model.jwt.Jwt;
import org.gluu.oxauth.model.jwt.JwtClaims;
import org.gluu.oxauth.model.jwt.JwtHeader;

Example 4 with InvalidJweException

Use of org.gluu.oxauth.model.exception.InvalidJweException in project oxAuth by GluuFederation.

From the class UserInfoRestWebServiceImpl, method getJweResponse:

public String getJweResponse(KeyEncryptionAlgorithm keyEncryptionAlgorithm, BlockEncryptionAlgorithm blockEncryptionAlgorithm, User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws Exception {
    // Positional "{}" placeholders (assuming an slf4j logger); the original "{0}"/"{1}" form logs the braces literally
    log.trace("Building JWE response with scopes {} for user {} and user custom attributes {}", scopes, user.getUserId(), user.getCustomAttributes());
    Jwe jwe = new Jwe();
    // Header
    jwe.getHeader().setType(JwtType.JWT);
    jwe.getHeader().setAlgorithm(keyEncryptionAlgorithm);
    jwe.getHeader().setEncryptionMethod(blockEncryptionAlgorithm);
    // Claims
    jwe.setClaims(createJwtClaims(user, authorizationGrant, scopes));
    // Encryption
    if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
        // Wrap with the client's public encryption key from its registered jwks_uri
        JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(authorizationGrant.getClient().getJwksUri());
        String keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys), Algorithm.fromString(keyEncryptionAlgorithm.getName()), Use.ENCRYPTION);
        PublicKey publicKey = cryptoProvider.getPublicKey(keyId, jsonWebKeys, null);
        if (publicKey != null) {
            JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, publicKey);
            jwe = jweEncrypter.encrypt(jwe);
        } else {
            throw new InvalidJweException("The public key is not valid");
        }
    } else if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A128KW || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW) {
        try {
            // Wrap with a key derived from the client secret (getBytes(String) is why the checked exception is caught)
            byte[] sharedSymmetricKey = clientService.decryptSecret(authorizationGrant.getClient().getClientSecret()).getBytes(Util.UTF8_STRING_ENCODING);
            JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, sharedSymmetricKey);
            jwe = jweEncrypter.encrypt(jwe);
        } catch (Exception e) {
            throw new InvalidJweException(e);
        }
    } else {
        // Added guard: without it an unsupported alg falls through and the claims are returned unencrypted
        throw new InvalidJweException("Unsupported key encryption algorithm: " + keyEncryptionAlgorithm);
    }
    return jwe.toString();
}
Imports used by this method:
import java.security.PublicKey;
import org.gluu.oxauth.model.exception.InvalidJweException;
import org.gluu.oxauth.model.jwe.Jwe;
import org.gluu.oxauth.model.jwe.JweEncrypter;
import org.gluu.oxauth.model.jwe.JweEncrypterImpl;
import org.gluu.persist.exception.EntryPersistenceException;
import org.json.JSONObject;
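The four snippets above share two checks: a JWE in compact serialization must split into exactly five parts, and the alg/enc named in its header must be on an explicit allow-list before any key is selected. The following Python is an added example, not oxAuth's code, that reproduces that parsing and policy together with the key-length rule JweDecrypterImpl applies to the client secret for A128KW and A256KW. The allow-lists, the InvalidJwe class, the helper names and the sample tokens are this example's own constructions; the "enc" list is an assumption, and the parts after the header in the sample tokens are placeholders, not decryptable ciphertext.

```python
import base64
import hashlib
import json

# Allow-lists mirroring the algorithms the oxAuth snippets accept; the "enc" list is
# this example's assumption, not taken from the page.
ALLOWED_ALG = {"RSA1_5", "RSA-OAEP", "A128KW", "A256KW"}
ALLOWED_ENC = {"A128CBC-HS256", "A256CBC-HS512", "A128GCM", "A256GCM"}
# Key-wrapping key length in bytes, as in JweDecrypterImpl (16 for A128KW, 32 for A256KW)
KEK_LENGTH = {"A128KW": 16, "A256KW": 32}


class InvalidJwe(ValueError):
    """Stand-in for InvalidJweException: every malformed or disallowed token ends here."""


def b64url_decode(text):
    """base64url without padding (RFC 7515, appendix C); padding is restored before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_compact_jwe(token):
    """Compact serialization is exactly five dot-separated parts (RFC 7516, section 7.1)."""
    parts = token.split(".")
    if len(parts) != 5:
        raise InvalidJwe("Invalid JWE format: expected 5 parts, got %d" % len(parts))
    return dict(zip(("header", "encrypted_key", "iv", "ciphertext", "tag"), parts))


def parse_header(encoded_header):
    """Decode the protected header and enforce the alg/enc policy before any key is touched."""
    try:
        header = json.loads(b64url_decode(encoded_header))
    except ValueError as exc:  # binascii.Error, JSONDecodeError, UnicodeDecodeError all subclass ValueError
        raise InvalidJwe("Header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise InvalidJwe("Header must be a JSON object")
    alg, enc = header.get("alg"), header.get("enc")
    if not isinstance(alg, str) or alg not in ALLOWED_ALG:
        raise InvalidJwe("The key encryption algorithm is not supported: %r" % (alg,))
    if not isinstance(enc, str) or enc not in ALLOWED_ENC:
        raise InvalidJwe("The content encryption algorithm is not supported: %r" % (enc,))
    return header


def derive_kw_key(shared_secret, alg):
    """Same rule as JweDecrypterImpl: use the secret as-is when it already has the right
    length, otherwise SHA-256 it and truncate. Strength is bounded by the secret's entropy."""
    length = KEK_LENGTH[alg]
    if len(shared_secret) == length:
        return shared_secret
    return hashlib.sha256(shared_secret).digest()[:length]


def inspect_jwe(token, shared_secret=None):
    """Validate structure and header policy; return what a decrypter would act on."""
    parts = split_compact_jwe(token)
    header = parse_header(parts["header"])
    info = {"alg": header["alg"], "enc": header["enc"],
            "kid": header.get("kid"), "nested_jwt": header.get("cty") == "JWT"}
    if header["alg"] in KEK_LENGTH:
        if shared_secret is None:
            raise InvalidJwe("The shared symmetric key is null")
        info["kek_length"] = len(derive_kw_key(shared_secret, header["alg"]))
    return info


def is_rejected(token, shared_secret=None):
    """True when inspect_jwe refuses the token."""
    try:
        inspect_jwe(token, shared_secret)
    except InvalidJwe:
        return True
    return False


def make_sample_token(alg, enc, kid=None, cty=None):
    """Constructed sample: a real protected header over placeholder, non-decryptable parts."""
    header = {"alg": alg, "enc": enc}
    if kid:
        header["kid"] = kid
    if cty:
        header["cty"] = cty
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    return ".".join([encoded_header] + [b64url_encode(p) for p in (b"kek", b"iv", b"ct", b"tag")])


if __name__ == "__main__":
    print(inspect_jwe(make_sample_token("A256KW", "A128GCM"), b"client-secret"))
    print(is_rejected(make_sample_token("dir", "A128GCM")))
```

The header is parsed and checked before any key material is consulted, and the allow-list is what keeps a token from selecting an algorithm the server never intended. RSA1_5 (RSAES-PKCS1-v1_5) is widely discouraged in favour of RSA-OAEP; a deployment that does not need it can simply drop it from ALLOWED_ALG.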

Aggregations (classes appearing across the four examples, with the number of examples using each):

InvalidJweException (org.gluu.oxauth.model.exception.InvalidJweException): 4
PublicKey (java.security.PublicKey): 2
KeyEncryptionAlgorithm (org.gluu.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm): 2
InvalidJwtException (org.gluu.oxauth.model.exception.InvalidJwtException): 2
JweEncrypter (org.gluu.oxauth.model.jwe.JweEncrypter): 2
JweEncrypterImpl (org.gluu.oxauth.model.jwe.JweEncrypterImpl): 2
Jwt (org.gluu.oxauth.model.jwt.Jwt): 2
JwtHeader (org.gluu.oxauth.model.jwt.JwtHeader): 2
JSONObject (org.json.JSONObject): 2
JWEDecrypter (com.nimbusds.jose.JWEDecrypter): 1
EncryptedJWT (com.nimbusds.jwt.EncryptedJWT): 1
SignedJWT (com.nimbusds.jwt.SignedJWT): 1
UnsupportedEncodingException (java.io.UnsupportedEncodingException): 1
Key (java.security.Key): 1
MessageDigest (java.security.MessageDigest): 1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException): 1
PrivateKey (java.security.PrivateKey): 1
ParseException (java.text.ParseException): 1
SecretKeySpec (javax.crypto.spec.SecretKeySpec): 1
BlockEncryptionAlgorithm (org.gluu.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm): 1