// gh-1010
@Test
public void getVerifierWhenModulusMostSignificantBitIs1ThenVerifierStillVerifyContentSignature() throws Exception {
    // Load the JWK set from the test resource and resolve the verifier for the key under test.
    String jwkSetUrl = JwkDefinitionSourceTest.class.getResource("jwk-set.json").toString();
    JwkDefinitionSource jwkDefinitionSource = new JwkDefinitionSource(jwkSetUrl);
    SignatureVerifier verifier = jwkDefinitionSource.getVerifier("_Ci3-VfV_N0YAG22NQOgOUpFBDDcDe_rJxpu5JK702o");

    // Split the compact JWS into its signing input (header.payload) and its signature part.
    String token = this.readToken("token.jwt");
    int firstPeriodIndex = token.indexOf('.');
    int secondPeriodIndex = token.indexOf('.', firstPeriodIndex + 1);
    byte[] content = token.substring(0, secondPeriodIndex).getBytes(Charsets.UTF_8);
    byte[] signature = Codecs.b64UrlDecode(token.substring(secondPeriodIndex + 1));

    // verify() throws on a mismatch, so completing the call is the assertion of this test.
    verifier.verify(content, signature);
}
/**
 * Returns the {@link SignatureVerifier} for the JWK identified by the given Key ID ("kid").
 *
 * @param keyId the Key ID ("kid") from the JOSE Header
 * @return the matching {@link SignatureVerifier}, or {@code null} if no JWK with that ID is known
 */
SignatureVerifier getVerifier(String keyId) {
    // getDefinitionLoadIfNecessary presumably refreshes the JWK set for an unknown kid (see its
    // definition); a null result means the key is absent even after that.
    if (this.getDefinitionLoadIfNecessary(keyId) == null) {
        return null;
    }
    return this.jwkDefinitions.get(keyId).getSignatureVerifier();
}
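/**
 * Initialises the {@code verifier} from {@code verifierKey} unless one was injected explicitly.
 * <p>
 * The key is first treated as an RSA public key; if that fails it is assumed to be a MAC secret
 * and a {@link MacSigner} is used instead. When the configured {@code signer} is an
 * {@link RsaSigner}, a sign/verify round trip checks that the two keys form a pair. A mismatch
 * is only logged here, so it surfaces later as failed signature verification of tokens issued
 * by this converter.
 *
 * @throws IllegalStateException (via {@link Assert#state}) if a MAC verifier key was supplied
 *         that is not the same instance as the signing key
 */
public void afterPropertiesSet() throws Exception {
    if (verifier != null) {
        // A verifier was injected directly; assume the signer was set independently if needed.
        return;
    }
    // Local name deliberately differs from the field so the two are not confused below.
    // Start from a MAC verifier and upgrade to RSA if the key parses as an RSA public key.
    SignatureVerifier signatureVerifier = new MacSigner(verifierKey);
    try {
        signatureVerifier = new RsaVerifier(verifierKey);
    } catch (Exception e) {
        // Expected when verifierKey is a shared MAC secret; keep the cause at debug level only.
        logger.warn("Unable to create an RSA verifier from verifierKey (ignoreable if using MAC)");
        logger.debug("RSA verifier creation failed", e);
    }
    // Check the signing and verification keys match
    if (signer instanceof RsaSigner) {
        // Charset named explicitly so the sample bytes do not depend on the platform default.
        byte[] test = "test".getBytes("UTF-8");
        try {
            signatureVerifier.verify(test, signer.sign(test));
            logger.info("Signing and verification RSA keys match");
        } catch (InvalidSignatureException e) {
            // Not fatal at startup: tokens signed here would fail verification later.
            logger.error("Signing and verification RSA keys do not match");
        }
    } else if (signatureVerifier instanceof MacSigner) {
        // Avoid a race condition where setters are called in the wrong order. Use of
        // == is intentional: reference equality of the two key values is what is required.
        Assert.state(this.signingKey == this.verifierKey, "For MAC signing you do not need to specify the verifier key separately, and if you do it must match the signing key");
    }
    this.verifier = signatureVerifier;
}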
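/**
 * Decodes and validates the supplied JWT followed by signature verification
 * before returning the Claims from the JWT Payload.
 * <p>
 * Validation order: the {@code kid} header must be present and resolve to a JWK from the
 * configured source; the {@code alg} header must be present and equal the algorithm bound to
 * that JWK (the token does not get to choose the algorithm); only then is the signature
 * verified with that JWK's verifier. An {@code exp} claim parsed as an {@code Integer} is
 * widened to a {@code Long}. Expiry itself is not checked in this method.
 *
 * @param token the JSON Web Token
 * @return a <code>Map</code> of the JWT Claims
 * @throws InvalidTokenException if a required header is missing, the JWK is unknown, the
 *         algorithm does not match the JWK, or no verifier is available for the key
 * @throws JwkException if the JWT is invalid or if the JWS could not be verified
 */
@Override
protected Map<String, Object> decode(String token) {
    Map<String, String> headers = this.jwtHeaderConverter.convert(token);

    // Validate "kid" header
    String keyIdHeader = headers.get(KEY_ID);
    if (keyIdHeader == null) {
        throw new InvalidTokenException("Invalid JWT/JWS: " + KEY_ID + " is a required JOSE Header");
    }
    JwkDefinition jwkDefinition = this.jwkDefinitionSource.getDefinitionLoadIfNecessary(keyIdHeader);
    if (jwkDefinition == null) {
        throw new InvalidTokenException("Invalid JOSE Header " + KEY_ID + " (" + keyIdHeader + ")");
    }

    // Validate "alg" header: it must match the algorithm associated with the JWK.
    String algorithmHeader = headers.get(ALGORITHM);
    if (algorithmHeader == null) {
        throw new InvalidTokenException("Invalid JWT/JWS: " + ALGORITHM + " is a required JOSE Header");
    }
    if (!algorithmHeader.equals(jwkDefinition.getAlgorithm().headerParamValue())) {
        throw new InvalidTokenException("Invalid JOSE Header " + ALGORITHM + " (" + algorithmHeader + ")" + " does not match algorithm associated to JWK with " + KEY_ID + " (" + keyIdHeader + ")");
    }

    // Verify signature. getVerifier() returns null when the key cannot be resolved;
    // reject the token explicitly instead of failing with a NullPointerException.
    SignatureVerifier verifier = this.jwkDefinitionSource.getVerifier(keyIdHeader);
    if (verifier == null) {
        throw new InvalidTokenException("Invalid JOSE Header " + KEY_ID + " (" + keyIdHeader + "): no verifier available for JWK");
    }
    Jwt jwt = JwtHelper.decode(token);
    jwt.verifySignature(verifier);

    Map<String, Object> claims = this.jsonParser.parseMap(jwt.getClaims());
    // Normalise an "exp" parsed as Integer to Long so downstream code sees a single type.
    Object expiry = claims.get(EXP);
    if (expiry instanceof Integer) {
        claims.put(EXP, Long.valueOf(((Integer) expiry).longValue()));
    }
    return claims;
}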