
Example 1 with JSONWebKey

Use of org.gluu.oxauth.model.jwk.JSONWebKey in the project oxAuth by GluuFederation.

From the class JwkRestWebServiceHttpTest, method requestClientJwks.

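/**
 * Fetches the client's JWK Set from {@code clientJwksUri} and checks that every
 * published key carries the identifiers ({@code kid}, {@code use}, {@code alg})
 * that a relying party needs to pick and apply a key; their absence is treated
 * as a broken JWKS.
 *
 * @param clientJwksUri the client's jwks_uri, injected from the TestNG suite parameters
 * @throws Exception propagated from the HTTP client
 */
@Parameters({ "clientJwksUri" })
@Test
public void requestClientJwks(final String clientJwksUri) throws Exception {
    // Title now names this test; the original reused the title of requestJwks().
    showTitle("requestClientJwks");
    JwkClient jwkClient = new JwkClient(clientJwksUri);
    JwkResponse response = jwkClient.exec();
    showClient(jwkClient);
    assertEquals(response.getStatus(), 200, "Unexpected response code: " + response.getEntity());
    assertNotNull(response.getEntity(), "Unexpected result: entity is null");
    assertNotNull(response.getJwks(), "Unexpected result: jwks is null");
    assertNotNull(response.getJwks().getKeys(), "Unexpected result: keys is null");
    assertTrue(response.getJwks().getKeys().size() > 0, "Unexpected result: keys is empty");
    // Loop variable renamed: the original called it "JSONWebKey", shadowing the type name.
    for (JSONWebKey key : response.getJwks().getKeys()) {
        assertNotNull(key.getKid(), "Unexpected result: kid is null");
        assertNotNull(key.getUse(), "Unexpected result: use is null");
        assertNotNull(key.getAlg(), "Unexpected result: alg is null");
    }
}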
Also used : JSONWebKey(org.gluu.oxauth.model.jwk.JSONWebKey) JwkResponse(org.gluu.oxauth.client.JwkResponse) JwkClient(org.gluu.oxauth.client.JwkClient) Parameters(org.testng.annotations.Parameters) BaseTest(org.gluu.oxauth.BaseTest) Test(org.testng.annotations.Test)

Example 2 with JSONWebKey

Use of org.gluu.oxauth.model.jwk.JSONWebKey in the project oxAuth by GluuFederation.

From the class JwkResponse, method getKeys.

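/**
 * Returns the keys of this response's JWK Set whose {@code alg} equals {@code algorithm}.
 *
 * Only the RSA and EC algorithm families are considered; for any other family the
 * result is empty. The result is a fresh, sorted list, so callers may modify it
 * without affecting the underlying set. A key published without an {@code alg}
 * member is skipped rather than causing a {@link NullPointerException}.
 *
 * @param algorithm the algorithm to filter by; must not be null
 * @return a sorted list of matching keys, never null
 * @throws NullPointerException if {@code algorithm} is null
 */
public List<JSONWebKey> getKeys(Algorithm algorithm) {
    List<JSONWebKey> matching = new ArrayList<JSONWebKey>();
    final AlgorithmFamily family = algorithm.getFamily();
    // Both families were filtered by an identical loop in the original; one loop suffices.
    if (AlgorithmFamily.RSA.equals(family) || AlgorithmFamily.EC.equals(family)) {
        for (JSONWebKey jsonWebKey : jwks.getKeys()) {
            // Compare from the non-null side: remote JWKS documents may omit "alg".
            if (algorithm.equals(jsonWebKey.getAlg())) {
                matching.add(jsonWebKey);
            }
        }
    }
    Collections.sort(matching);
    return matching;
}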
Also used : JSONWebKey(org.gluu.oxauth.model.jwk.JSONWebKey) ArrayList(java.util.ArrayList)

Example 3 with JSONWebKey

Use of org.gluu.oxauth.model.jwk.JSONWebKey in the project oxAuth by GluuFederation.

From the class CrossEncryptionTest, method nestedJWTProducedByGluu.

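/**
 * Produces a nested JWT the way oxAuth does: an RS256-signed JWT wrapped in a
 * JWE (RSA-OAEP key wrapping, A128GCM content encryption), then checks that
 * both the Gluu and the Nimbus stacks can decrypt it and validate the inner
 * signature.
 *
 * The crypto provider handed to {@link JwtSigner} is a stub: only {@code sign}
 * does real work, using the sender's private RSA key parsed from
 * {@code senderJwkJson}; every other operation returns a dummy value or throws.
 *
 * @throws Exception on any key-parsing, signing or encryption failure
 */
@Test
public void nestedJWTProducedByGluu() throws Exception {
    AppConfiguration appConfiguration = new AppConfiguration();
    List<JSONWebKey> keyArrayList = new ArrayList<JSONWebKey>();
    keyArrayList.add(getSenderWebKey());
    JSONWebKeySet keySet = new JSONWebKeySet();
    keySet.setKeys(keyArrayList);
    final JwtSigner jwtSigner = new JwtSigner(appConfiguration, keySet, SignatureAlgorithm.RS256, "audience", null, new AbstractCryptoProvider() {

        @Override
        public JSONObject generateKey(Algorithm algorithm, Long expirationTime, Use use) throws Exception {
            // Not needed by this test: the signing key is supplied via senderJwkJson.
            return null;
        }

        @Override
        public JSONObject generateKey(Algorithm algorithm, Long expirationTime, Use use, int keyLength) throws Exception {
            return null;
        }

        @Override
        public boolean containsKey(String keyId) {
            return false;
        }

        /** Signs with the sender's RSA private key; keyId and sharedSecret are ignored. */
        @Override
        public String sign(String signingInput, String keyId, String sharedSecret, SignatureAlgorithm signatureAlgorithm) throws Exception {
            RSAPrivateKey privateKey = ((RSAKey) JWK.parse(senderJwkJson)).toRSAPrivateKey();
            Signature signature = Signature.getInstance(signatureAlgorithm.getAlgorithm(), "BC");
            signature.initSign(privateKey);
            // Pin the charset: the no-arg String.getBytes() uses the platform default,
            // which would make the signed bytes depend on the JVM's locale settings.
            signature.update(signingInput.getBytes(java.nio.charset.StandardCharsets.UTF_8));
            return Base64Util.base64urlencode(signature.sign());
        }

        @Override
        public boolean verifySignature(String signingInput, String encodedSignature, String keyId, JSONObject jwks, String sharedSecret, SignatureAlgorithm signatureAlgorithm) throws Exception {
            // Verification is exercised separately by the decryptAndValidate* helpers.
            return false;
        }

        @Override
        public boolean deleteKey(String keyId) throws Exception {
            return false;
        }

        @Override
        public PrivateKey getPrivateKey(String keyId) throws Exception {
            throw new UnsupportedOperationException("Method not implemented.");
        }
    });
    Jwt jwt = jwtSigner.newJwt();
    jwt.getClaims().setSubjectIdentifier("testing");
    jwt.getClaims().setIssuer("https:devgluu.saminet.local");
    jwt = jwtSigner.sign();
    // Encrypt the signed JWT for the recipient's RSA public key.
    RSAKey recipientPublicJWK = (RSAKey) (JWK.parse(recipientJwkJson));
    BlockEncryptionAlgorithm blockEncryptionAlgorithm = BlockEncryptionAlgorithm.A128GCM;
    KeyEncryptionAlgorithm keyEncryptionAlgorithm = KeyEncryptionAlgorithm.RSA_OAEP;
    Jwe jwe = new Jwe();
    jwe.getHeader().setType(JwtType.JWT);
    jwe.getHeader().setAlgorithm(keyEncryptionAlgorithm);
    jwe.getHeader().setEncryptionMethod(blockEncryptionAlgorithm);
    jwe.getHeader().setKeyId("1");
    jwe.setSignedJWTPayload(jwt);
    JweEncrypterImpl encrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, recipientPublicJWK.toPublicKey());
    String jweString = encrypter.encrypt(jwe).toString();
    // Cross-check: both implementations must accept the same compact serialization.
    decryptAndValidateSignatureWithGluu(jweString);
    decryptAndValidateSignatureWithNimbus(jweString);
}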
Also used : RSAKey(com.nimbusds.jose.jwk.RSAKey) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) PrivateKey(java.security.PrivateKey) JSONWebKeySet(org.gluu.oxauth.model.jwk.JSONWebKeySet) ArrayList(java.util.ArrayList) SignatureAlgorithm(org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm) BlockEncryptionAlgorithm(org.gluu.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm) JwtSigner(org.gluu.oxauth.model.token.JwtSigner) AppConfiguration(org.gluu.oxauth.model.configuration.AppConfiguration) Jwe(org.gluu.oxauth.model.jwe.Jwe) AbstractCryptoProvider(org.gluu.oxauth.model.crypto.AbstractCryptoProvider) Use(org.gluu.oxauth.model.jwk.Use) Jwt(org.gluu.oxauth.model.jwt.Jwt) SignatureAlgorithm(org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm) KeyEncryptionAlgorithm(org.gluu.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm) Algorithm(org.gluu.oxauth.model.jwk.Algorithm) BlockEncryptionAlgorithm(org.gluu.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm) JSONException(org.json.JSONException) ParseException(java.text.ParseException) InvalidJwtException(org.gluu.oxauth.model.exception.InvalidJwtException) IOException(java.io.IOException) InvalidJweException(org.gluu.oxauth.model.exception.InvalidJweException) JSONWebKey(org.gluu.oxauth.model.jwk.JSONWebKey) JSONObject(org.json.JSONObject) Signature(java.security.Signature) KeyEncryptionAlgorithm(org.gluu.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm) JweEncrypterImpl(org.gluu.oxauth.model.jwe.JweEncrypterImpl) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) Test(org.testng.annotations.Test)

Example 4 with JSONWebKey

Use of org.gluu.oxauth.model.jwk.JSONWebKey in the project oxAuth by GluuFederation.

From the class JwkRestWebServiceHttpTest, method requestJwks.

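/**
 * Fetches the server's JWK Set from {@code jwksUri} and checks that every
 * published key carries the identifiers ({@code kid}, {@code use}, {@code alg})
 * that a relying party needs to pick and apply a key; their absence is treated
 * as a broken JWKS.
 *
 * @throws Exception propagated from the HTTP client
 */
@Test
public void requestJwks() throws Exception {
    showTitle("requestJwks");
    JwkClient jwkClient = new JwkClient(jwksUri);
    JwkResponse response = jwkClient.exec();
    showClient(jwkClient);
    assertEquals(response.getStatus(), 200, "Unexpected response code: " + response.getEntity());
    assertNotNull(response.getEntity(), "Unexpected result: entity is null");
    assertNotNull(response.getJwks(), "Unexpected result: jwks is null");
    assertNotNull(response.getJwks().getKeys(), "Unexpected result: keys is null");
    assertTrue(response.getJwks().getKeys().size() > 0, "Unexpected result: keys is empty");
    // Loop variable renamed: the original called it "JSONWebKey", shadowing the type name.
    for (JSONWebKey key : response.getJwks().getKeys()) {
        assertNotNull(key.getKid(), "Unexpected result: kid is null");
        assertNotNull(key.getUse(), "Unexpected result: use is null");
        assertNotNull(key.getAlg(), "Unexpected result: alg is null");
    }
}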
Also used : JSONWebKey(org.gluu.oxauth.model.jwk.JSONWebKey) JwkResponse(org.gluu.oxauth.client.JwkResponse) JwkClient(org.gluu.oxauth.client.JwkClient) BaseTest(org.gluu.oxauth.BaseTest) Test(org.testng.annotations.Test)

Example 5 with JSONWebKey

Use of org.gluu.oxauth.model.jwk.JSONWebKey in the project oxAuth by GluuFederation.

From the class MTLSService, method processMTLS.

/**
 * Authenticates {@code client} with the mutual-TLS methods ({@code tls_client_auth} and
 * {@code self_signed_tls_client_auth}) using the certificate forwarded in the
 * {@code X-ClientCert} request header.
 *
 * On success the request is passed down {@code filterChain} and {@code true} is returned.
 * {@code false} means "not authenticated by this method" (header missing, certificate
 * unparsable, subject DN not registered, or no JWKS key matching the certificate's public
 * key) and leaves the decision to the caller. A certificate whose CN differs from the
 * client_id is rejected outright with 401 {@code invalid_client}.
 *
 * NOTE(review): this relies on {@code X-ClientCert} being set by the TLS-terminating
 * front end (the in-line comment says PKI validation happens in apache/httpd) and never
 * being accepted from the caller — confirm that any client-supplied value of this header
 * is stripped before it reaches this code.
 *
 * @param httpRequest  request carrying the {@code X-ClientCert} header
 * @param httpResponse response handed to the filter chain on success
 * @param filterChain  chain to continue when authentication succeeds
 * @param client       the client being authenticated
 * @return {@code true} if the client was authenticated and the chain invoked, {@code false} otherwise
 * @throws WebApplicationException 401 when the certificate CN does not match the client_id
 * @throws Exception propagated from certificate parsing, key lookup or the filter chain
 */
public boolean processMTLS(HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain filterChain, Client client) throws Exception {
    log.debug("Trying to authenticate client {} via {} ...", client.getClientId(), client.getAuthenticationMethod());
    // PEM certificate as forwarded in the header, not read from this request's TLS session.
    final String clientCertAsPem = httpRequest.getHeader("X-ClientCert");
    if (StringUtils.isBlank(clientCertAsPem)) {
        log.debug("Client certificate is missed in `X-ClientCert` header, client_id: {}.", client.getClientId());
        return false;
    }
    X509Certificate cert = CertUtils.x509CertificateFromPem(clientCertAsPem);
    if (cert == null) {
        log.debug("Failed to parse client certificate, client_id: {}.", client.getClientId());
        return false;
    }
    // The CN must equal the client_id for both mTLS methods; a mismatch is a hard 401,
    // not a fall-through. NOTE(review): if getCN() can return null this line throws
    // NullPointerException instead of rejecting with 401 — confirm CertUtils' contract.
    final String cn = CertUtils.getCN(cert);
    if (!cn.equals(client.getClientId())) {
        log.error("Client certificate CN does not match clientId. Reject call, CN: " + cn + ", clientId: " + client.getClientId());
        throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).entity(errorResponseFactory.getErrorAsJson(TokenErrorResponseType.INVALID_CLIENT, httpRequest.getParameter("state"), "")).build());
    }
    if (client.getAuthenticationMethod() == AuthenticationMethod.TLS_CLIENT_AUTH) {
        final String subjectDn = client.getAttributes().getTlsClientAuthSubjectDn();
        if (StringUtils.isBlank(subjectDn)) {
            log.debug("SubjectDN is not set for client {} which is required to authenticate it via `tls_client_auth`.", client.getClientId());
            return false;
        }
        // we check only `subjectDn`, the PKI certificate validation is performed by apache/httpd
        // getSubjectDN() is deprecated in recent JDKs in favour of getSubjectX500Principal();
        // the string forms differ, so re-check equalsRdn before switching.
        if (CertUtils.equalsRdn(subjectDn, cert.getSubjectDN().getName())) {
            log.debug("Client {} authenticated via `tls_client_auth`.", client.getClientId());
            authenticatedSuccessfully(client, httpRequest);
            filterChain.doFilter(httpRequest, httpResponse);
            return true;
        }
        // DN mismatch: fall through; the next branch does not apply to this method, so the
        // result is false.
    }
    if (client.getAuthenticationMethod() == AuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH) {
        // disable it
        // Match on the DER-encoded public key: the client's registered JWKS (inline `jwks`,
        // else fetched from `jwks_uri`) must contain the key in the presented certificate.
        final PublicKey publicKey = cert.getPublicKey();
        final byte[] encodedKey = publicKey.getEncoded();
        // NOTE(review): jwks_uri is fetched during the request — confirm JwtUtil.getJSONWebKeys
        // applies timeouts and that the URI was validated at client registration.
        JSONObject jsonWebKeys = Strings.isNullOrEmpty(client.getJwks()) ? JwtUtil.getJSONWebKeys(client.getJwksUri()) : new JSONObject(client.getJwks());
        if (jsonWebKeys == null) {
            log.debug("Unable to load json web keys for client: {}, jwks_uri: {}, jks: {}", client.getClientId(), client.getJwksUri(), client.getJwks());
            return false;
        }
        final JSONWebKeySet keySet = JSONWebKeySet.fromJSONObject(jsonWebKeys);
        for (JSONWebKey key : keySet.getKeys()) {
            // NOTE(review): if getPublicKey(...) returns null for a kid it cannot resolve,
            // this throws NullPointerException rather than skipping the key — confirm.
            if (ArrayUtils.isEquals(encodedKey, cryptoProvider.getPublicKey(key.getKid(), jsonWebKeys, null).getEncoded())) {
                log.debug("Client {} authenticated via `self_signed_tls_client_auth`, matched kid: {}.", client.getClientId(), key.getKid());
                authenticatedSuccessfully(client, httpRequest);
                filterChain.doFilter(httpRequest, httpResponse);
                return true;
            }
        }
    }
    return false;
}
Also used : JSONWebKey(org.gluu.oxauth.model.jwk.JSONWebKey) WebApplicationException(javax.ws.rs.WebApplicationException) JSONObject(org.json.JSONObject) JSONWebKeySet(org.gluu.oxauth.model.jwk.JSONWebKeySet) PublicKey(java.security.PublicKey) X509Certificate(java.security.cert.X509Certificate)

Aggregations

JSONWebKey (org.gluu.oxauth.model.jwk.JSONWebKey)6 Test (org.testng.annotations.Test)3 ArrayList (java.util.ArrayList)2 BaseTest (org.gluu.oxauth.BaseTest)2 JwkClient (org.gluu.oxauth.client.JwkClient)2 JwkResponse (org.gluu.oxauth.client.JwkResponse)2 JSONWebKeySet (org.gluu.oxauth.model.jwk.JSONWebKeySet)2 JSONObject (org.json.JSONObject)2 RSAKey (com.nimbusds.jose.jwk.RSAKey)1 IOException (java.io.IOException)1 PrivateKey (java.security.PrivateKey)1 PublicKey (java.security.PublicKey)1 Signature (java.security.Signature)1 X509Certificate (java.security.cert.X509Certificate)1 RSAPrivateKey (java.security.interfaces.RSAPrivateKey)1 ParseException (java.text.ParseException)1 WebApplicationException (javax.ws.rs.WebApplicationException)1 AppConfiguration (org.gluu.oxauth.model.configuration.AppConfiguration)1 AbstractCryptoProvider (org.gluu.oxauth.model.crypto.AbstractCryptoProvider)1 PublicKey (org.gluu.oxauth.model.crypto.PublicKey)1