
Example 1 with JSONWebKeySet

use of org.gluu.oxauth.model.jwk.JSONWebKeySet in project oxAuth by GluuFederation.

From class CrossEncryptionTest, test method nestedJWTProducedByGluu (signs a JWT, then wraps it in a JWE and checks both the Gluu and Nimbus stacks can unwrap it).

/**
 * Builds a nested JWT the way oxAuth does: the inner token is signed with the sender's RSA key
 * (RS256), and the resulting JWS becomes the payload of a JWE (RSA-OAEP key wrap, A128GCM content
 * encryption) addressed to the recipient's public key. The compact JWE is then handed to the two
 * {@code decryptAndValidateSignatureWith*} helpers, which are presumably expected to decrypt it and
 * verify the inner signature with the Gluu and Nimbus implementations respectively.
 *
 * <p>The {@link AbstractCryptoProvider} used here is a sign-only stub: every method other than
 * {@code sign} is a no-op, and {@code verifySignature} always answers {@code false}. Signature
 * verification of the produced token is therefore not exercised through this stub at all.
 */
@Test
public void nestedJWTProducedByGluu() throws Exception {
    // The signer only needs the sender's key; a one-element key set is enough.
    final List<JSONWebKey> senderKeys = new ArrayList<JSONWebKey>();
    senderKeys.add(getSenderWebKey());
    final JSONWebKeySet senderKeySet = new JSONWebKeySet();
    senderKeySet.setKeys(senderKeys);

    // Sign-only provider: the private key is read straight from the senderJwkJson fixture.
    final AbstractCryptoProvider signOnlyProvider = new AbstractCryptoProvider() {

        @Override
        public JSONObject generateKey(Algorithm algorithm, Long expirationTime, Use use) throws Exception {
            return null;
        }

        @Override
        public JSONObject generateKey(Algorithm algorithm, Long expirationTime, Use use, int keyLength) throws Exception {
            return null;
        }

        @Override
        public boolean containsKey(String keyId) {
            return false;
        }

        @Override
        public String sign(String signingInput, String keyId, String sharedSecret, SignatureAlgorithm signatureAlgorithm) throws Exception {
            final RSAPrivateKey senderPrivateKey = ((RSAKey) JWK.parse(senderJwkJson)).toRSAPrivateKey();
            // Requires the BouncyCastle provider to be registered under the name "BC".
            final Signature rsaSignature = Signature.getInstance(signatureAlgorithm.getAlgorithm(), "BC");
            rsaSignature.initSign(senderPrivateKey);
            // Platform default charset, kept as-is: the JWS signing input is base64url text (ASCII),
            // so the choice of charset does not change the signed bytes here.
            rsaSignature.update(signingInput.getBytes());
            return Base64Util.base64urlencode(rsaSignature.sign());
        }

        @Override
        public boolean verifySignature(String signingInput, String encodedSignature, String keyId, JSONObject jwks, String sharedSecret, SignatureAlgorithm signatureAlgorithm) throws Exception {
            // Never verifies; see the class-level note on this stub.
            return false;
        }

        @Override
        public boolean deleteKey(String keyId) throws Exception {
            return false;
        }

        @Override
        public PrivateKey getPrivateKey(String keyId) throws Exception {
            throw new UnsupportedOperationException("Method not implemented.");
        }
    };
    final JwtSigner jwtSigner = new JwtSigner(new AppConfiguration(), senderKeySet, SignatureAlgorithm.RS256, "audience", null, signOnlyProvider);

    // Inner JWS. The issuer value is kept verbatim from the original fixture (it is not a well-formed URL).
    Jwt signedJwt = jwtSigner.newJwt();
    signedJwt.getClaims().setSubjectIdentifier("testing");
    signedJwt.getClaims().setIssuer("https:devgluu.saminet.local");
    signedJwt = jwtSigner.sign();

    // Outer JWE carrying the signed JWT as its payload. The kid "1" is assumed to be the
    // recipient key's identifier in recipientJwkJson — confirm against the fixture.
    final KeyEncryptionAlgorithm keyWrapAlgorithm = KeyEncryptionAlgorithm.RSA_OAEP;
    final BlockEncryptionAlgorithm contentAlgorithm = BlockEncryptionAlgorithm.A128GCM;
    final Jwe jwe = new Jwe();
    jwe.getHeader().setType(JwtType.JWT);
    jwe.getHeader().setAlgorithm(keyWrapAlgorithm);
    jwe.getHeader().setEncryptionMethod(contentAlgorithm);
    jwe.getHeader().setKeyId("1");
    jwe.setSignedJWTPayload(signedJwt);

    final RSAKey recipientPublicJWK = (RSAKey) JWK.parse(recipientJwkJson);
    final JweEncrypterImpl encrypter = new JweEncrypterImpl(keyWrapAlgorithm, contentAlgorithm, recipientPublicJWK.toPublicKey());
    final String compactJwe = encrypter.encrypt(jwe).toString();

    decryptAndValidateSignatureWithGluu(compactJwe);
    decryptAndValidateSignatureWithNimbus(compactJwe);
}

Example 2 with JSONWebKeySet

use of org.gluu.oxauth.model.jwk.JSONWebKeySet in project oxAuth by GluuFederation.

From class MTLSService, method processMTLS (OAuth 2.0 mutual-TLS client authentication: tls_client_auth and self_signed_tls_client_auth, RFC 8705).

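/**
 * Authenticates {@code client} with the X.509 certificate forwarded in the {@code X-ClientCert}
 * header, for the {@code tls_client_auth} and {@code self_signed_tls_client_auth} methods.
 *
 * <p>Trust boundary: this method performs no chain/PKI validation of the certificate itself — per the
 * comment in the {@code tls_client_auth} branch that is left to the TLS terminator (apache/httpd) in
 * front of oxAuth, which then forwards the PEM in {@code X-ClientCert}. The header is therefore a
 * trusted input. The deployment must guarantee that only the proxy can set it and that any
 * client-supplied copy of the header is stripped; if oxAuth is reachable directly, a caller could
 * present an arbitrary certificate here.
 *
 * <p>Checks performed, in order:
 * <ol>
 *   <li>Header present and parseable as a certificate, else {@code false}.</li>
 *   <li>Certificate CN equals the client_id (an oxAuth check on top of RFC 8705's DN matching);
 *       a mismatch — or a certificate without a CN — is rejected with 401 {@code invalid_client}.</li>
 *   <li>{@code tls_client_auth}: the certificate subject DN must match the registered
 *       {@code tls_client_auth_subject_dn}.</li>
 *   <li>{@code self_signed_tls_client_auth}: the certificate's public key must equal one of the keys
 *       in the client's registered JWKS (inline {@code jwks}, else fetched from {@code jwks_uri}).</li>
 * </ol>
 *
 * @param httpRequest  incoming request; {@code X-ClientCert} and the {@code state} parameter are read
 * @param httpResponse response handed down the filter chain on success
 * @param filterChain  continued only when the client has been authenticated
 * @param client       the client resolved for this request
 * @return {@code true} when the client was authenticated and the filter chain was continued;
 *         {@code false} when no positive decision could be made (the caller decides what happens next)
 * @throws WebApplicationException 401 {@code invalid_client} when the certificate CN does not match
 *                                 the client_id
 * @throws Exception               propagated from key resolution, the JWKS fetch or the filter chain
 */
public boolean processMTLS(HttpServletRequest httpRequest, HttpServletResponse httpResponse, FilterChain filterChain, Client client) throws Exception {
    log.debug("Trying to authenticate client {} via {} ...", client.getClientId(), client.getAuthenticationMethod());
    final String clientCertAsPem = httpRequest.getHeader("X-ClientCert");
    if (StringUtils.isBlank(clientCertAsPem)) {
        log.debug("Client certificate is missed in `X-ClientCert` header, client_id: {}.", client.getClientId());
        return false;
    }
    X509Certificate cert = CertUtils.x509CertificateFromPem(clientCertAsPem);
    if (cert == null) {
        log.debug("Failed to parse client certificate, client_id: {}.", client.getClientId());
        return false;
    }
    // CN must equal the client_id. A certificate with no CN attribute (getCN presumably returns null
    // then — confirm) is rejected explicitly instead of surfacing as a NullPointerException.
    final String cn = CertUtils.getCN(cert);
    if (cn == null || !cn.equals(client.getClientId())) {
        log.error("Client certificate CN does not match clientId. Reject call, CN: {}, clientId: {}", cn, client.getClientId());
        throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).entity(errorResponseFactory.getErrorAsJson(TokenErrorResponseType.INVALID_CLIENT, httpRequest.getParameter("state"), "")).build());
    }
    if (client.getAuthenticationMethod() == AuthenticationMethod.TLS_CLIENT_AUTH) {
        final String subjectDn = client.getAttributes().getTlsClientAuthSubjectDn();
        if (StringUtils.isBlank(subjectDn)) {
            log.debug("SubjectDN is not set for client {} which is required to authenticate it via `tls_client_auth`.", client.getClientId());
            return false;
        }
        // we check only `subjectDn`, the PKI certificate validation is performed by apache/httpd
        if (CertUtils.equalsRdn(subjectDn, cert.getSubjectDN().getName())) {
            log.debug("Client {} authenticated via `tls_client_auth`.", client.getClientId());
            authenticatedSuccessfully(client, httpRequest);
            filterChain.doFilter(httpRequest, httpResponse);
            return true;
        }
        // Fall through to `return false` with a trace, so a DN mismatch is distinguishable from a missing header.
        log.debug("Client certificate subject DN does not match registered tls_client_auth_subject_dn, client_id: {}.", client.getClientId());
    }
    if (client.getAuthenticationMethod() == AuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH) {
        // The certificate is accepted iff its SubjectPublicKeyInfo equals one of the client's registered keys.
        // This matches on the public key only, not on an x5c certificate entry — NOTE(review): confirm this
        // is the intended reading of RFC 8705 §2.2 for this deployment.
        final PublicKey publicKey = cert.getPublicKey();
        final byte[] encodedKey = publicKey.getEncoded();
        // jwks_uri is a client-registered URL fetched server-side; assumed to be validated at registration.
        JSONObject jsonWebKeys = Strings.isNullOrEmpty(client.getJwks()) ? JwtUtil.getJSONWebKeys(client.getJwksUri()) : new JSONObject(client.getJwks());
        if (jsonWebKeys == null) {
            log.debug("Unable to load json web keys for client: {}, jwks_uri: {}, jks: {}", client.getClientId(), client.getJwksUri(), client.getJwks());
            return false;
        }
        final JSONWebKeySet keySet = JSONWebKeySet.fromJSONObject(jsonWebKeys);
        for (JSONWebKey key : keySet.getKeys()) {
            final PublicKey registeredKey = cryptoProvider.getPublicKey(key.getKid(), jsonWebKeys, null);
            if (registeredKey == null) {
                // Key could not be materialised (unknown kid / unsupported type); it cannot match, try the next one.
                continue;
            }
            // Public keys are not secret, so a non-constant-time comparison is acceptable here.
            if (ArrayUtils.isEquals(encodedKey, registeredKey.getEncoded())) {
                log.debug("Client {} authenticated via `self_signed_tls_client_auth`, matched kid: {}.", client.getClientId(), key.getKid());
                authenticatedSuccessfully(client, httpRequest);
                filterChain.doFilter(httpRequest, httpResponse);
                return true;
            }
        }
    }
    return false;
}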

Example 3 with JSONWebKeySet

use of org.gluu.oxauth.model.jwk.JSONWebKeySet in project oxAuth by GluuFederation.

From class ConfSerialization, test method webKeysJsonDeserializer (loads the sample oxauth-web-keys.json fixture and checks it yields at least one key).

/**
 * Deserializes the {@code oxauth-web-keys.json} fixture under {@code CONFIG_FOLDER} into a
 * {@link JSONWebKeySet} and checks that the result is non-null and holds at least one key.
 *
 * @throws IOException if the fixture cannot be read
 */
@Test
public void webKeysJsonDeserializer() throws IOException {
    final File fixture = new File(CONFIG_FOLDER + "oxauth-web-keys.json");
    final JSONWebKeySet keySet = loadJson(fixture, JSONWebKeySet.class);
    final boolean hasKeys = keySet != null && keySet.getKeys() != null && !keySet.getKeys().isEmpty();
    Assert.assertTrue(hasKeys);
}

Example 4 with JSONWebKeySet

use of org.gluu.oxauth.model.jwk.JSONWebKeySet in project oxAuth by GluuFederation.

From class JwkClient, method exec (fetches a JWKS document over HTTP and parses it into a JSONWebKeySet).

/**
 * Issues the GET request for the JSON Web Key Set and fills in the response returned by
 * {@code getResponse()}.
 *
 * <p>The HTTP status, headers and raw body are always recorded. The body is parsed into a
 * {@link JSONWebKeySet} only when it is non-blank and its JSON has a {@code JSON_WEB_KEY_SET}
 * member. Note that parsing happens regardless of the HTTP status code, so callers should check
 * {@code getResponse().getStatus()} before trusting the keys. Any failure — transport error or
 * malformed JSON — is printed to stderr and the partially filled response is returned as-is.
 *
 * @return the populated response (possibly without keys if the call or the parse failed)
 */
public JwkResponse exec() {
    if (getRequest() == null) {
        setRequest(new JwkRequest());
    }
    // Prepare request parameters
    initClientRequest();
    final Builder invocation = webTarget.request();
    applyCookies(invocation);
    if (getRequest().hasCredentials()) {
        // Basic credentials are only as confidential as the transport: webTarget is assumed to be https.
        final String basicCredentials = getRequest().getEncodedCredentials();
        invocation.header("Authorization", "Basic " + basicCredentials);
    }
    invocation.accept(mediaType);
    // Call REST Service and handle response
    try {
        clientResponse = invocation.buildGet().invoke();
        final int httpStatus = clientResponse.getStatus();
        setResponse(new JwkResponse(httpStatus));
        getResponse().setHeaders(clientResponse.getMetadata());
        final String body = clientResponse.readEntity(String.class);
        getResponse().setEntity(body);
        if (!StringUtils.isBlank(body)) {
            final JSONObject json = new JSONObject(body);
            if (json.has(JSON_WEB_KEY_SET)) {
                getResponse().setJwks(JSONWebKeySet.fromJSONObject(json));
            }
        }
    } catch (Exception e) {
        // TODO(review): the error is swallowed — the caller only sees a response without keys and
        // no diagnostic beyond stderr. Consider surfacing it through the class logger.
        e.printStackTrace();
    } finally {
        closeConnection();
    }
    return getResponse();
}
