use of org.keycloak.jose.jwe.enc.JWEEncryptionProvider in project keycloak by keycloak.
the class JWETest method testKeyEncryption_ContentEncryptionAesGcm.
private void testKeyEncryption_ContentEncryptionAesGcm(String jweAlgorithmName, String jweEncryptionName) throws Exception {
// generate key pair for KEK
KeyPair keyPair = KeyUtils.generateRsaKeyPair(2048);
JWEAlgorithmProvider jweAlgorithmProvider = new RsaKeyEncryptionJWEAlgorithmProvider(getJcaAlgorithmName(jweAlgorithmName));
JWEEncryptionProvider jweEncryptionProvider = new AesGcmJWEEncryptionProvider(jweEncryptionName);
JWEHeader jweHeader = new JWEHeader(jweAlgorithmName, jweEncryptionName, null);
JWE jwe = new JWE().header(jweHeader).content(PAYLOAD.getBytes(StandardCharsets.UTF_8));
jwe.getKeyStorage().setEncryptionKey(keyPair.getPublic());
String encodedContent = jwe.encodeJwe(jweAlgorithmProvider, jweEncryptionProvider);
System.out.println("Encoded content: " + encodedContent);
System.out.println("Encoded content length: " + encodedContent.length());
jwe = new JWE();
jwe.getKeyStorage().setDecryptionKey(keyPair.getPrivate());
jwe.verifyAndDecodeJwe(encodedContent, jweAlgorithmProvider, jweEncryptionProvider);
String decodedContent = new String(jwe.getContent(), StandardCharsets.UTF_8);
System.out.println("Decoded content: " + decodedContent);
System.out.println("Decoded content length: " + decodedContent.length());
Assert.assertEquals(PAYLOAD, decodedContent);
}
use of org.keycloak.jose.jwe.enc.JWEEncryptionProvider in project keycloak by keycloak.
the class DefaultTokenManager method getEncryptedToken.
private String getEncryptedToken(TokenCategory category, String encodedToken) {
String encryptedToken = null;
String algAlgorithm = cekManagementAlgorithm(category);
String encAlgorithm = encryptAlgorithm(category);
CekManagementProvider cekManagementProvider = session.getProvider(CekManagementProvider.class, algAlgorithm);
JWEAlgorithmProvider jweAlgorithmProvider = cekManagementProvider.jweAlgorithmProvider();
ContentEncryptionProvider contentEncryptionProvider = session.getProvider(ContentEncryptionProvider.class, encAlgorithm);
JWEEncryptionProvider jweEncryptionProvider = contentEncryptionProvider.jweEncryptionProvider();
ClientModel client = session.getContext().getClient();
KeyWrapper keyWrapper = PublicKeyStorageManager.getClientPublicKeyWrapper(session, client, JWK.Use.ENCRYPTION, algAlgorithm);
if (keyWrapper == null) {
throw new RuntimeException("can not get encryption KEK");
}
Key encryptionKek = keyWrapper.getPublicKey();
String encryptionKekId = keyWrapper.getKid();
try {
encryptedToken = TokenUtil.jweKeyEncryptionEncode(encryptionKek, encodedToken.getBytes("UTF-8"), algAlgorithm, encAlgorithm, encryptionKekId, jweAlgorithmProvider, jweEncryptionProvider);
} catch (JWEException | UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
return encryptedToken;
}
use of org.keycloak.jose.jwe.enc.JWEEncryptionProvider in project keycloak by keycloak.
the class AuthorizationTokenEncryptionTest method testAuthorizationTokenSignatureAndEncryption.
private void testAuthorizationTokenSignatureAndEncryption(String sigAlgorithm, String algAlgorithm, String encAlgorithm) {
ClientResource clientResource;
ClientRepresentation clientRep;
try {
// generate and register encryption key onto client
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.generateKeys(algAlgorithm);
clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
clientRep = clientResource.toRepresentation();
// set authorization response signature algorithm and encryption algorithms
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setAuthorizationSignedResponseAlg(sigAlgorithm);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setAuthorizationEncryptedResponseAlg(algAlgorithm);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setAuthorizationEncryptedResponseEnc(encAlgorithm);
// use and set jwks_url
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(true);
String jwksUrl = TestApplicationResourceUrls.clientJwksUri();
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(jwksUrl);
clientResource.update(clientRep);
// get authorization response
oauth.responseMode("jwt");
oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
// parse JWE and JOSE Header
String jweStr = response.getResponse();
String[] parts = jweStr.split("\\.");
Assert.assertEquals(parts.length, 5);
// get decryption key
// not publickey , use privateKey
Map<String, String> keyPair = oidcClientEndpointsResource.getKeysAsPem();
PrivateKey decryptionKEK = PemUtils.decodePrivateKey(keyPair.get("privateKey"));
// verify and decrypt JWE
JWEAlgorithmProvider algorithmProvider = getJweAlgorithmProvider(algAlgorithm);
JWEEncryptionProvider encryptionProvider = getJweEncryptionProvider(encAlgorithm);
byte[] decodedString = TokenUtil.jweKeyEncryptionVerifyAndDecode(decryptionKEK, jweStr, algorithmProvider, encryptionProvider);
String authorizationTokenString = new String(decodedString, "UTF-8");
// a nested JWT (signed and encrypted JWT) needs to set "JWT" to its JOSE Header's "cty" field
JWEHeader jweHeader = (JWEHeader) getHeader(parts[0]);
Assert.assertEquals("JWT", jweHeader.getContentType());
// verify JWS
AuthorizationResponseToken authorizationToken = oauth.verifyAuthorizationResponseToken(authorizationTokenString);
Assert.assertEquals("test-app", authorizationToken.getAudience()[0]);
Assert.assertEquals("OpenIdConnect.AuthenticationProperties=2302984sdlk", authorizationToken.getOtherClaims().get("state"));
Assert.assertNotNull(authorizationToken.getOtherClaims().get("code"));
} catch (JWEException | UnsupportedEncodingException e) {
Assert.fail();
} finally {
clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
clientRep = clientResource.toRepresentation();
// revert id token signature algorithm and encryption algorithms
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setAuthorizationSignedResponseAlg(Algorithm.RS256);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setAuthorizationEncryptedResponseAlg(null);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setAuthorizationEncryptedResponseEnc(null);
// revert jwks_url settings
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(false);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(null);
clientResource.update(clientRep);
}
}
use of org.keycloak.jose.jwe.enc.JWEEncryptionProvider in project keycloak by keycloak.
the class IdTokenEncryptionTest method testIdTokenSignatureAndEncryption.
private void testIdTokenSignatureAndEncryption(String sigAlgorithm, String algAlgorithm, String encAlgorithm) {
ClientResource clientResource = null;
ClientRepresentation clientRep = null;
try {
// generate and register encryption key onto client
TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
oidcClientEndpointsResource.generateKeys(algAlgorithm);
clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
clientRep = clientResource.toRepresentation();
// set id token signature algorithm and encryption algorithms
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenSignedResponseAlg(sigAlgorithm);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenEncryptedResponseAlg(algAlgorithm);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenEncryptedResponseEnc(encAlgorithm);
// use and set jwks_url
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(true);
String jwksUrl = TestApplicationResourceUrls.clientJwksUri();
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(jwksUrl);
clientResource.update(clientRep);
// get id token
OAuthClient.AuthorizationEndpointResponse response = oauth.doLogin("test-user@localhost", "password");
String code = response.getCode();
OAuthClient.AccessTokenResponse tokenResponse = oauth.doAccessTokenRequest(code, "password");
// parse JWE and JOSE Header
String jweStr = tokenResponse.getIdToken();
String[] parts = jweStr.split("\\.");
Assert.assertEquals(parts.length, 5);
// get decryption key
// not publickey , use privateKey
Map<String, String> keyPair = oidcClientEndpointsResource.getKeysAsPem();
PrivateKey decryptionKEK = PemUtils.decodePrivateKey(keyPair.get("privateKey"));
// a nested JWT (signed and encrypted JWT) needs to set "JWT" to its JOSE Header's "cty" field
JWEHeader jweHeader = (JWEHeader) getHeader(parts[0]);
Assert.assertEquals("JWT", jweHeader.getContentType());
// verify and decrypt JWE
JWEAlgorithmProvider algorithmProvider = getJweAlgorithmProvider(algAlgorithm);
JWEEncryptionProvider encryptionProvider = getJweEncryptionProvider(encAlgorithm);
byte[] decodedString = TokenUtil.jweKeyEncryptionVerifyAndDecode(decryptionKEK, jweStr, algorithmProvider, encryptionProvider);
String idTokenString = new String(decodedString, "UTF-8");
// verify JWS
IDToken idToken = oauth.verifyIDToken(idTokenString);
Assert.assertEquals("test-user@localhost", idToken.getPreferredUsername());
Assert.assertEquals("test-app", idToken.getIssuedFor());
} catch (JWEException | UnsupportedEncodingException e) {
Assert.fail();
} finally {
clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
clientRep = clientResource.toRepresentation();
// revert id token signature algorithm and encryption algorithms
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenSignedResponseAlg(Algorithm.RS256);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenEncryptedResponseAlg(null);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setIdTokenEncryptedResponseEnc(null);
// revert jwks_url settings
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setUseJwksUrl(false);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setJwksUrl(null);
clientResource.update(clientRep);
}
}
use of org.keycloak.jose.jwe.enc.JWEEncryptionProvider in project keycloak by keycloak.
the class JWETest method testKeyEncryption_ContentEncryptionAesHmacSha.
private void testKeyEncryption_ContentEncryptionAesHmacSha(String jweAlgorithmName, String jweEncryptionName) throws Exception {
// generate key pair for KEK
KeyPair keyPair = KeyUtils.generateRsaKeyPair(2048);
// generate CEK
final SecretKey aesKey = new SecretKeySpec(AES_128_KEY, "AES");
final SecretKey hmacKey = new SecretKeySpec(HMAC_SHA256_KEY, "HMACSHA2");
JWEAlgorithmProvider jweAlgorithmProvider = new RsaKeyEncryptionJWEAlgorithmProvider(getJcaAlgorithmName(jweAlgorithmName));
JWEEncryptionProvider jweEncryptionProvider = new AesCbcHmacShaJWEEncryptionProvider(jweEncryptionName);
JWEHeader jweHeader = new JWEHeader(jweAlgorithmName, jweEncryptionName, null);
JWE jwe = new JWE().header(jweHeader).content(PAYLOAD.getBytes(StandardCharsets.UTF_8));
jwe.getKeyStorage().setEncryptionKey(keyPair.getPublic());
jwe.getKeyStorage().setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION).setCEKKey(hmacKey, JWEKeyStorage.KeyUse.SIGNATURE);
String encodedContent = jwe.encodeJwe(jweAlgorithmProvider, jweEncryptionProvider);
System.out.println("Encoded content: " + encodedContent);
System.out.println("Encoded content length: " + encodedContent.length());
jwe = new JWE();
jwe.getKeyStorage().setDecryptionKey(keyPair.getPrivate());
jwe.getKeyStorage().setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION).setCEKKey(hmacKey, JWEKeyStorage.KeyUse.SIGNATURE);
jwe.verifyAndDecodeJwe(encodedContent, jweAlgorithmProvider, jweEncryptionProvider);
String decodedContent = new String(jwe.getContent(), StandardCharsets.UTF_8);
System.out.println("Decoded content: " + decodedContent);
System.out.println("Decoded content length: " + decodedContent.length());
Assert.assertEquals(PAYLOAD, decodedContent);
}
Aggregations