Example 6 with AbstractCryptoProvider
use of org.xdi.oxauth.model.crypto.AbstractCryptoProvider in project oxAuth by GluuFederation.
the class ClientAssertion method load.
private boolean load(AppConfiguration appConfiguration, String clientId, ClientAssertionType clientAssertionType, String encodedAssertion) throws Exception {
boolean result;
if (clientAssertionType == ClientAssertionType.JWT_BEARER) {
if (StringUtils.isNotBlank(encodedAssertion)) {
jwt = Jwt.parse(encodedAssertion);
// TODO: Store jti this value to check for duplicates
// Validate clientId
String issuer = jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER);
String subject = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
List<String> audience = jwt.getClaims().getClaimAsStringList(JwtClaimName.AUDIENCE);
Date expirationTime = jwt.getClaims().getClaimAsDate(JwtClaimName.EXPIRATION_TIME);
//SignatureAlgorithm algorithm = SignatureAlgorithm.fromName(jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM));
if ((clientId == null && StringUtils.isNotBlank(issuer) && StringUtils.isNotBlank(subject) && issuer.equals(subject)) || (StringUtils.isNotBlank(clientId) && StringUtils.isNotBlank(issuer) && StringUtils.isNotBlank(subject) && clientId.equals(issuer) && issuer.equals(subject))) {
// Validate audience
String tokenUrl = appConfiguration.getTokenEndpoint();
if (audience != null && audience.contains(tokenUrl)) {
// Validate expiration
if (expirationTime.after(new Date())) {
ClientService clientService = CdiUtil.bean(ClientService.class);
Client client = clientService.getClient(subject);
// Validate client
if (client != null) {
JwtType jwtType = JwtType.fromString(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
AuthenticationMethod authenticationMethod = client.getAuthenticationMethod();
SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getAlgorithm();
if (jwtType == null && signatureAlgorithm != null) {
jwtType = signatureAlgorithm.getJwtType();
}
if (jwtType != null && signatureAlgorithm != null && signatureAlgorithm.getFamily() != null && ((authenticationMethod == AuthenticationMethod.CLIENT_SECRET_JWT && signatureAlgorithm.getFamily().equals("HMAC")) || (authenticationMethod == AuthenticationMethod.PRIVATE_KEY_JWT && (signatureAlgorithm.getFamily().equals("RSA") || signatureAlgorithm.getFamily().equals("EC"))))) {
clientSecret = clientService.decryptSecret(client.getClientSecret());
// Validate the crypto segment
String keyId = jwt.getHeader().getKeyId();
JSONObject jwks = Strings.isNullOrEmpty(client.getJwks()) ? JwtUtil.getJSONWebKeys(client.getJwksUri()) : new JSONObject(client.getJwks());
String sharedSecret = clientService.decryptSecret(client.getClientSecret());
AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(appConfiguration);
boolean validSignature = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(), keyId, jwks, sharedSecret, signatureAlgorithm);
if (validSignature) {
result = true;
} else {
throw new InvalidJwtException("Invalid cryptographic segment");
}
} else {
throw new InvalidJwtException("Invalid authentication method");
}
} else {
throw new InvalidJwtException("Invalid client");
}
} else {
throw new InvalidJwtException("JWT has expired");
}
} else {
throw new InvalidJwtException("Invalid audience: " + audience + ", tokenUrl: " + tokenUrl);
}
} else {
throw new InvalidJwtException("Invalid clientId");
}
} else {
throw new InvalidJwtException("The Client Assertion is null or empty");
}
} else {
throw new InvalidJwtException("Invalid Client Assertion Type");
}
return result;
}
Also used :
InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException)
JSONObject(org.codehaus.jettison.json.JSONObject)
ClientService(org.xdi.oxauth.service.ClientService)
JwtType(org.xdi.oxauth.model.jwt.JwtType)
SignatureAlgorithm(org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm)
AbstractCryptoProvider(org.xdi.oxauth.model.crypto.AbstractCryptoProvider)
AuthenticationMethod(org.xdi.oxauth.model.common.AuthenticationMethod)
Client(org.xdi.oxauth.model.registration.Client)
Date(java.util.Date)
Example 7 with AbstractCryptoProvider
use of org.xdi.oxauth.model.crypto.AbstractCryptoProvider in project oxAuth by GluuFederation.
the class UserInfoRestWebServiceImpl method getJweResponse.
public String getJweResponse(KeyEncryptionAlgorithm keyEncryptionAlgorithm, BlockEncryptionAlgorithm blockEncryptionAlgorithm, User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws Exception {
Jwe jwe = new Jwe();
// Header
jwe.getHeader().setType(JwtType.JWT);
jwe.getHeader().setAlgorithm(keyEncryptionAlgorithm);
jwe.getHeader().setEncryptionMethod(blockEncryptionAlgorithm);
// Claims
List<Scope> dynamicScopes = new ArrayList<Scope>();
for (String scopeName : scopes) {
Scope scope = scopeService.getScopeByDisplayName(scopeName);
if (org.xdi.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType()) {
dynamicScopes.add(scope);
continue;
}
if (scope.getOxAuthClaims() != null) {
for (String claimDn : scope.getOxAuthClaims()) {
GluuAttribute gluuAttribute = attributeService.getAttributeByDn(claimDn);
String claimName = gluuAttribute.getOxAuthClaimName();
String ldapName = gluuAttribute.getName();
String attributeValue = null;
if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(ldapName)) {
if (ldapName.equals("uid")) {
attributeValue = user.getUserId();
} else {
attributeValue = user.getAttribute(gluuAttribute.getName());
}
jwe.getClaims().setClaim(claimName, attributeValue);
}
}
}
}
if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
// ClaimValueType.OPTIONAL.equals(claim.getClaimValue().getClaimValueType());
boolean optional = true;
GluuAttribute gluuAttribute = attributeService.getByClaimName(claim.getName());
if (gluuAttribute != null) {
String ldapClaimName = gluuAttribute.getName();
Object attribute = user.getAttribute(ldapClaimName, optional);
if (attribute != null) {
if (attribute instanceof JSONArray) {
JSONArray jsonArray = (JSONArray) attribute;
List<String> values = new ArrayList<String>();
for (int i = 0; i < jsonArray.length(); i++) {
String value = jsonArray.optString(i);
if (value != null) {
values.add(value);
}
}
jwe.getClaims().setClaim(claim.getName(), values);
} else {
String value = (String) attribute;
jwe.getClaims().setClaim(claim.getName(), value);
}
}
}
}
}
// Check for Subject Identifier Type
if (authorizationGrant.getClient().getSubjectType() != null && SubjectType.fromString(authorizationGrant.getClient().getSubjectType()).equals(SubjectType.PAIRWISE)) {
String sectorIdentifierUri = null;
if (StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())) {
sectorIdentifierUri = authorizationGrant.getClient().getSectorIdentifierUri();
} else {
sectorIdentifierUri = authorizationGrant.getClient().getRedirectUris()[0];
}
String userInum = authorizationGrant.getUser().getAttribute("inum");
PairwiseIdentifier pairwiseIdentifier = pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri);
if (pairwiseIdentifier == null) {
pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
pairwiseIdentifier.setId(UUID.randomUUID().toString());
pairwiseIdentifier.setDn(pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
}
jwe.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
} else {
String openidSubAttribute = appConfiguration.getOpenidSubAttribute();
jwe.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute(openidSubAttribute));
}
if ((dynamicScopes.size() > 0) && externalDynamicScopeService.isEnabled()) {
final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jwe, unmodifiableAuthorizationGrant);
externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
}
// Encryption
if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(authorizationGrant.getClient().getJwksUri());
AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(appConfiguration);
String keyId = cryptoProvider.getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys), SignatureAlgorithm.RS256);
PublicKey publicKey = cryptoProvider.getPublicKey(keyId, jsonWebKeys);
if (publicKey != null) {
JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, publicKey);
jwe = jweEncrypter.encrypt(jwe);
} else {
throw new InvalidJweException("The public key is not valid");
}
} else if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A128KW || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW) {
try {
byte[] sharedSymmetricKey = clientService.decryptSecret(authorizationGrant.getClient().getClientSecret()).getBytes(Util.UTF8_STRING_ENCODING);
JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, sharedSymmetricKey);
jwe = jweEncrypter.encrypt(jwe);
} catch (UnsupportedEncodingException e) {
throw new InvalidJweException(e);
} catch (StringEncrypter.EncryptionException e) {
throw new InvalidJweException(e);
} catch (Exception e) {
throw new InvalidJweException(e);
}
}
return jwe.toString();
}
Also used :
PublicKey(java.security.PublicKey)
JSONArray(org.codehaus.jettison.json.JSONArray)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
DynamicScopeExternalContext(org.xdi.oxauth.service.external.context.DynamicScopeExternalContext)
InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException)
SignatureException(java.security.SignatureException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
InvalidClaimException(org.xdi.oxauth.model.exception.InvalidClaimException)
EntryPersistenceException(org.gluu.site.ldap.persistence.exception.EntryPersistenceException)
InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)
GluuAttribute(org.xdi.model.GluuAttribute)
PairwiseIdentifier(org.xdi.oxauth.model.ldap.PairwiseIdentifier)
JSONObject(org.codehaus.jettison.json.JSONObject)
Jwe(org.xdi.oxauth.model.jwe.Jwe)
JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject)
JSONObject(org.codehaus.jettison.json.JSONObject)
AbstractCryptoProvider(org.xdi.oxauth.model.crypto.AbstractCryptoProvider)
JweEncrypterImpl(org.xdi.oxauth.model.jwe.JweEncrypterImpl)
Claim(org.xdi.oxauth.model.authorize.Claim)
JweEncrypter(org.xdi.oxauth.model.jwe.JweEncrypter)
InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)
Aggregations
AbstractCryptoProvider (org.xdi.oxauth.model.crypto.AbstractCryptoProvider)7
JSONObject (org.codehaus.jettison.json.JSONObject)6
JSONArray (org.codehaus.jettison.json.JSONArray)4
GluuAttribute (org.xdi.model.GluuAttribute)3
Claim (org.xdi.oxauth.model.authorize.Claim)3
JwtSubClaimObject (org.xdi.oxauth.model.jwt.JwtSubClaimObject)3
PairwiseIdentifier (org.xdi.oxauth.model.ldap.PairwiseIdentifier)3
DynamicScopeExternalContext (org.xdi.oxauth.service.external.context.DynamicScopeExternalContext)3
UnsupportedEncodingException (java.io.UnsupportedEncodingException)2
PublicKey (java.security.PublicKey)2
InvalidJweException (org.xdi.oxauth.model.exception.InvalidJweException)2
InvalidJwtException (org.xdi.oxauth.model.exception.InvalidJwtException)2
Jwe (org.xdi.oxauth.model.jwe.Jwe)2
JweEncrypter (org.xdi.oxauth.model.jwe.JweEncrypter)2
JweEncrypterImpl (org.xdi.oxauth.model.jwe.JweEncrypterImpl)2
ClientService (org.xdi.oxauth.service.ClientService)2
SignatureException (java.security.SignatureException)1
Date (java.util.Date)1
GregorianCalendar (java.util.GregorianCalendar)1
EntryPersistenceException (org.gluu.site.ldap.persistence.exception.EntryPersistenceException)1
