Example 1 with AlgorithmConstraints

Use of org.jose4j.jwa.AlgorithmConstraints in project wildfly-swarm by wildfly-swarm.

The class DefaultJWTCallerPrincipalFactory, method parse.

@Override
public JWTCallerPrincipal parse(final String token, final JWTAuthContextInfo authContextInfo) throws ParseException {
    JWTCallerPrincipal principal = null;
    try {
        JwtConsumerBuilder builder = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setRequireSubject()
                .setSkipDefaultAudienceValidation()
                .setExpectedIssuer(authContextInfo.getIssuedBy())
                .setVerificationKey(authContextInfo.getSignerKey())
                // Whitelist RS256 only: a token whose header names any other "alg" (including "none")
                // is rejected before its signature is checked
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.WHITELIST,
                        AlgorithmIdentifiers.RSA_USING_SHA256));
        if (authContextInfo.getExpGracePeriodSecs() > 0) {
            builder.setAllowedClockSkewInSeconds(authContextInfo.getExpGracePeriodSecs());
        } else {
            // No grace period configured: the evaluation time is pinned to the epoch instead of the
            // wall clock, so "exp" is effectively not compared against the current time
            builder.setEvaluationTime(NumericDate.fromSeconds(0));
        }
        JwtConsumer jwtConsumer = builder.build();
        // process() verifies the signature with the configured key and runs the claim validators
        JwtContext jwtContext = jwtConsumer.process(token);
        String type = jwtContext.getJoseObjects().get(0).getHeader("typ");
        // Validate the JWT and process it to the Claims
        jwtConsumer.processContext(jwtContext);
        JwtClaims claimsSet = jwtContext.getJwtClaims();
        // The principal name comes from upn, preferred_username or sub, in that order
        String principalName = claimsSet.getClaimValue("upn", String.class);
        if (principalName == null) {
            principalName = claimsSet.getClaimValue("preferred_username", String.class);
            if (principalName == null) {
                principalName = claimsSet.getSubject();
            }
        }
        // Keep the original compact serialization available as a claim
        claimsSet.setClaim(Claims.raw_token.name(), token);
        principal = new DefaultJWTCallerPrincipal(token, type, claimsSet, principalName);
    } catch (InvalidJwtException e) {
        throw new ParseException("Failed to verify token", e);
    } catch (MalformedClaimException e) {
        throw new ParseException("Failed to verify token claims", e);
    }
    return principal;
}
Also used: InvalidJwtException (org.jose4j.jwt.consumer.InvalidJwtException), MalformedClaimException (org.jose4j.jwt.MalformedClaimException), JwtClaims (org.jose4j.jwt.JwtClaims), JwtConsumerBuilder (org.jose4j.jwt.consumer.JwtConsumerBuilder), JwtConsumer (org.jose4j.jwt.consumer.JwtConsumer), JwtContext (org.jose4j.jwt.consumer.JwtContext), AlgorithmConstraints (org.jose4j.jwa.AlgorithmConstraints), AlgorithmIdentifiers (org.jose4j.jws.AlgorithmIdentifiers), NumericDate (org.jose4j.jwt.NumericDate)

Example 2 with AlgorithmConstraints

Use of org.jose4j.jwa.AlgorithmConstraints in project open-ecard by ecsec.

The class ChipGateway, method getPin.

@Nullable
private char[] getPin(@Nullable String encryptedPin) throws RemotePinException {
    if (ChipGatewayProperties.isRemotePinAllowed() && encryptedPin != null) {
        if (pinKey != null) {
            try {
                // decrypt PIN
                JsonWebEncryption jwe = new JsonWebEncryption();
                // specify algorithmic constraints: only direct use of the shared key ("dir") is accepted
                // as key management algorithm, so no key-wrapping variant can be substituted by the sender
                AlgorithmConstraints algConstraints = new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.WHITELIST,
                        KeyManagementAlgorithmIdentifiers.DIRECT);
                jwe.setAlgorithmConstraints(algConstraints);
                // content encryption is limited to the authenticated AES-CBC-HMAC and AES-GCM variants
                AlgorithmConstraints encConstraints = new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.WHITELIST,
                        ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256,
                        ContentEncryptionAlgorithmIdentifiers.AES_192_CBC_HMAC_SHA_384,
                        ContentEncryptionAlgorithmIdentifiers.AES_256_CBC_HMAC_SHA_512,
                        ContentEncryptionAlgorithmIdentifiers.AES_128_GCM,
                        ContentEncryptionAlgorithmIdentifiers.AES_192_GCM,
                        ContentEncryptionAlgorithmIdentifiers.AES_256_GCM);
                jwe.setContentEncryptionAlgorithmConstraints(encConstraints);
                // perform decryption
                jwe.setCompactSerialization(encryptedPin);
                jwe.setKey(pinKey.getKey());
                byte[] pinBytes = jwe.getPlaintextBytes();
                // check if PIN is a sane value
                char[] pin;
                if (pinBytes == null || pinBytes.length == 0) {
                    String msg = "No or empty PIN received from ChipGateway server, despite a key being present.";
                    LOG.warn(msg);
                    pin = null;
                } else {
                    CharBuffer charBuf = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(pinBytes));
                    pin = new char[charBuf.remaining()];
                    charBuf.get(pin);
                    // scrub the intermediate copies of the plaintext PIN; the caller owns the returned array
                    if (charBuf.hasArray()) {
                        Arrays.fill(charBuf.array(), ' ');
                    }
                    Arrays.fill(pinBytes, (byte) 0);
                }
                return pin;
            } catch (JoseException ex) {
                throw new RemotePinException("Error decrypting PIN.", ex);
            }
        } else {
            // PIN sent but no key provided, raise error for the server
            throw new RemotePinException("Encrypted PIN received, but no key for decryption is available.");
        }
    } else {
        // no PIN sent, let the user supply the PIN
        return null;
    }
}
Also used: RemotePinException (org.openecard.addons.cg.ex.RemotePinException), JoseException (org.jose4j.lang.JoseException), CharBuffer (java.nio.CharBuffer), JsonWebEncryption (org.jose4j.jwe.JsonWebEncryption), AlgorithmConstraints (org.jose4j.jwa.AlgorithmConstraints), Nullable (javax.annotation.Nullable), KeyManagementAlgorithmIdentifiers (org.jose4j.jwe.KeyManagementAlgorithmIdentifiers), ContentEncryptionAlgorithmIdentifiers (org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers), ByteBuffer (java.nio.ByteBuffer), StandardCharsets (java.nio.charset.StandardCharsets), Arrays (java.util.Arrays)