
Example 11 with ServiceApplicationException

Use of org.sasanlabs.service.exception.ServiceApplicationException in the project VulnerableApp by SasanLabs.

From the class LibBasedJWTGenerator, method getBase64EncodedHMACSignedToken:

/**
 * Signs the token with the provided secret key using the provided algorithm. This method only
 * handles signing with the HS* (HMAC + SHA-*) family of algorithms.
 *
 * <p>Note: This method uses a custom Java implementation of the HS* algorithms and does not use
 * a library such as Nimbus JOSE+JWT or JJWT. Those libraries validate key sizes and reject weak
 * keys, so signing a token with a weak key (needed to reproduce vulnerabilities in web
 * applications that rely on old or custom implementations) is not possible with them; this
 * custom implementation was therefore added for the HS* algorithms.
 *
 * @param token the token bytes to sign
 * @param secretKey the raw HMAC secret key bytes (deliberately not checked for minimum length)
 * @param algorithm the JWT algorithm name, e.g. HS256
 * @return the base64url-encoded (unpadded) HMAC signature of the token
 * @throws ServiceApplicationException if the algorithm is not a supported HMAC algorithm or signing fails
 * @throws UnsupportedEncodingException if the token bytes cannot be converted to a string for the error message
 */
private String getBase64EncodedHMACSignedToken(byte[] token, byte[] secretKey, String algorithm) throws ServiceApplicationException, UnsupportedEncodingException {
    try {
        if (JWTUtils.JWT_HMAC_ALGO_TO_JAVA_ALGORITHM_MAPPING.containsKey(algorithm)) {
            // Map the JWT algorithm name (HS256/HS384/HS512) to the JCA Mac algorithm name.
            Mac hmacSHA = Mac.getInstance(JWTUtils.JWT_HMAC_ALGO_TO_JAVA_ALGORITHM_MAPPING.get(algorithm));
            // SecretKeySpec accepts a key of any length, which is what allows weak keys here.
            SecretKeySpec hmacSecretKey = new SecretKeySpec(secretKey, hmacSHA.getAlgorithm());
            hmacSHA.init(hmacSecretKey);
            byte[] tokenSignature = hmacSHA.doFinal(token);
            String base64EncodedSignature = JWTUtils.getBase64UrlSafeWithoutPaddingEncodedString(tokenSignature);
            return base64EncodedSignature;
        } else {
            throw new ServiceApplicationException(ExceptionStatusCodeEnum.SYSTEM_ERROR, algorithm + " is not a supported HMAC algorithm.");
        }
    } catch (InvalidKeyException | NoSuchAlgorithmException | IOException e) {
        throw new ServiceApplicationException("Exception occurred while Signing token: " + JWTUtils.getString(token), e, ExceptionStatusCodeEnum.SYSTEM_ERROR);
    }
}
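The method above intentionally omits the key-size validation that JOSE libraries perform, because VulnerableApp needs to mint tokens with weak keys. The following is an added example (not VulnerableApp code) showing the hardened counterpart: the same javax.crypto.Mac signing path, but with the RFC 7518 minimum key length enforced (the key must be at least as long as the hash output: 32, 48 or 64 bytes for HS256, HS384 and HS512) and a constant-time signature comparison on verification. The class name HmacJwtSigner, the JWT_TO_JCA and MIN_KEY_BYTES maps, and the sample key and claims are all assumptions made for this example; the maps play the role of JWTUtils.JWT_HMAC_ALGO_TO_JAVA_ALGORITHM_MAPPING on the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example, not part of VulnerableApp: HS* signing with the key-size check the page's method omits. */
public final class HmacJwtSigner {

    // Assumed mapping from JWT algorithm names to JCA Mac names (stands in for the page's JWTUtils map).
    private static final Map<String, String> JWT_TO_JCA = Map.of(
            "HS256", "HmacSHA256",
            "HS384", "HmacSHA384",
            "HS512", "HmacSHA512");

    // Minimum key length per RFC 7518 section 3.2: at least the hash output size in bytes.
    private static final Map<String, Integer> MIN_KEY_BYTES = Map.of(
            "HS256", 32, "HS384", 48, "HS512", 64);

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    /** Returns the base64url (unpadded) HMAC over signingInput, rejecting unsupported algorithms and short keys. */
    public static String sign(byte[] signingInput, byte[] secretKey, String algorithm)
            throws GeneralSecurityException {
        String jcaName = JWT_TO_JCA.get(algorithm);
        if (jcaName == null) {
            throw new GeneralSecurityException(algorithm + " is not a supported HMAC algorithm.");
        }
        int minBytes = MIN_KEY_BYTES.get(algorithm);
        if (secretKey.length < minBytes) {
            // This is the validation JOSE libraries perform and the page's method deliberately leaves out.
            throw new GeneralSecurityException(algorithm + " requires a key of at least " + minBytes
                    + " bytes; got " + secretKey.length);
        }
        Mac mac = Mac.getInstance(jcaName);
        mac.init(new SecretKeySpec(secretKey, jcaName));
        return B64.encodeToString(mac.doFinal(signingInput));
    }

    /**
     * Verifies a compact JWS (header.payload.signature). The algorithm is supplied by the caller,
     * not read from the header, so an attacker-controlled "alg" field cannot change the check.
     */
    public static boolean verify(String compactJws, byte[] secretKey, String algorithm)
            throws GeneralSecurityException {
        String[] parts = compactJws.split("\\.", -1);
        if (parts.length != 3) {
            return false;
        }
        byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        byte[] expected = sign(signingInput, secretKey, algorithm).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = parts[2].getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual compares in constant time, closing the timing side channel of String.equals.
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a 32-byte HS256 key and a minimal header/payload pair.
        byte[] key = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString("{\"sub\":\"example\"}".getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        String jws = signingInput + "." + sign(signingInput.getBytes(StandardCharsets.US_ASCII), key, "HS256");
        System.out.println("valid token verifies:   " + verify(jws, key, "HS256"));

        // Flip the last signature character to a value it is guaranteed not to already hold.
        char last = jws.charAt(jws.length() - 1);
        String tampered = jws.substring(0, jws.length() - 1) + (last == 'A' ? 'B' : 'A');
        System.out.println("tampered token verifies: " + verify(tampered, key, "HS256"));

        try {
            sign(signingInput.getBytes(StandardCharsets.US_ASCII), "short".getBytes(StandardCharsets.US_ASCII), "HS256");
        } catch (GeneralSecurityException e) {
            System.out.println("weak key rejected: " + e.getMessage());
        }
    }
}
```

Two design choices matter here. First, verify() takes the expected algorithm from the caller rather than trusting the token's own header, so a token whose header claims a different algorithm is simply checked against the configured one. Second, the comparison uses MessageDigest.isEqual rather than String.equals, so the time taken does not leak how many leading bytes of a forged signature were correct.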
Also used:
    ServiceApplicationException (org.sasanlabs.service.exception.ServiceApplicationException)
    SecretKeySpec (javax.crypto.spec.SecretKeySpec)
    NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)
    IOException (java.io.IOException)
    InvalidKeyException (java.security.InvalidKeyException)
    Mac (javax.crypto.Mac)

Aggregations (number of examples on this page that use each type):

    ServiceApplicationException (org.sasanlabs.service.exception.ServiceApplicationException): 11
    UnsupportedEncodingException (java.io.UnsupportedEncodingException): 6
    JOSEException (com.nimbusds.jose.JOSEException): 3
    IOException (java.io.IOException): 3
    NoSuchAlgorithmException (java.security.NoSuchAlgorithmException): 3
    ParseException (java.text.ParseException): 3
    JSONObject (org.json.JSONObject): 3
    JWSVerifier (com.nimbusds.jose.JWSVerifier): 2
    RSASSAVerifier (com.nimbusds.jose.crypto.RSASSAVerifier): 2
    SignedJWT (com.nimbusds.jwt.SignedJWT): 2
    KeyFactory (java.security.KeyFactory): 2
    RSAPublicKey (java.security.interfaces.RSAPublicKey): 2
    InvalidKeySpecException (java.security.spec.InvalidKeySpecException): 2
    ECDSAVerifier (com.nimbusds.jose.crypto.ECDSAVerifier): 1
    Ed25519Verifier (com.nimbusds.jose.crypto.Ed25519Verifier): 1
    RSASSASigner (com.nimbusds.jose.crypto.RSASSASigner): 1
    ECKey (com.nimbusds.jose.jwk.ECKey): 1
    RSAKey (com.nimbusds.jose.jwk.RSAKey): 1
    InvalidKeyException (java.security.InvalidKeyException): 1
    RSAPrivateKey (java.security.interfaces.RSAPrivateKey): 1