
Example 1 with JweEncrypterImpl

use of org.xdi.oxauth.model.jwe.JweEncrypterImpl in project oxAuth by GluuFederation.

the class JwtAuthorizationRequest method getEncodedJwt.

/**
 * Serializes the header and payload of this object as a compact, dot-separated token.
 *
 * <p>When both a key-encryption and a block-encryption algorithm are configured, the result
 * has five segments (header, encrypted key, IV, ciphertext, integrity value). Otherwise the
 * result has three segments (header, payload, signature) produced through the crypto provider.
 *
 * <p>NOTE(review): the encrypted form is built from the bare claims; no signature is applied
 * before encryption in this method, so the token's origin is only as strong as the key
 * management behind the chosen encryption key — confirm that is intended.
 *
 * @param jwks recipient key set; when it and the crypto provider are both non-null the
 *             encryption key is looked up in it by {@code keyId}, otherwise the shared key is used
 * @return the encoded token
 * @throws Exception if the signed form is requested without a crypto provider, or if any
 *                   encoding, key or cipher step fails
 */
public String getEncodedJwt(JSONObject jwks) throws Exception {
    final boolean encryptionConfigured = keyEncryptionAlgorithm != null && blockEncryptionAlgorithm != null;

    if (!encryptionConfigured) {
        // Signed form: header.payload.signature
        if (cryptoProvider == null) {
            throw new Exception("The Crypto Provider cannot be null.");
        }
        JSONObject headerJson = headerToJSONObject();
        JSONObject payloadJson = payloadToJSONObject();
        String headerText = headerJson.toString();
        String payloadText = payloadJson.toString();
        String headerSegment = Base64Util.base64urlencode(headerText.getBytes(Util.UTF8_STRING_ENCODING));
        String payloadSegment = Base64Util.base64urlencode(payloadText.getBytes(Util.UTF8_STRING_ENCODING));
        String signatureSegment = cryptoProvider.sign(headerSegment + "." + payloadSegment, keyId, sharedKey, signatureAlgorithm);
        return headerSegment + "." + payloadSegment + "." + signatureSegment;
    }

    // Encrypted form: pick the key-encryption key first.
    final JweEncrypterImpl encrypter;
    if (cryptoProvider == null || jwks == null) {
        // NOTE(review): sharedKey is dereferenced without a null check, and its raw UTF-8
        // bytes are used as the key; no length check or derivation step is visible here.
        encrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, sharedKey.getBytes(Util.UTF8_STRING_ENCODING));
    } else {
        // NOTE(review): the looked-up key is passed on unchecked; verify how JweEncrypterImpl
        // behaves when the lookup yields null.
        PublicKey recipientKey = cryptoProvider.getPublicKey(keyId, jwks);
        encrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, recipientKey);
    }

    String headerSegment = Base64Util.base64urlencode(headerToJSONObject().toString().getBytes(Util.UTF8_STRING_ENCODING));
    String claimsSegment = Base64Util.base64urlencode(payloadToJSONObject().toString().getBytes(Util.UTF8_STRING_ENCODING));

    // Fresh content master key and IV for every token, both drawn from SecureRandom.
    SecureRandom rng = new SecureRandom();
    byte[] cmk = new byte[blockEncryptionAlgorithm.getCmkLength() / 8];
    rng.nextBytes(cmk);
    String encryptedKeySegment = encrypter.generateEncryptedKey(cmk);

    byte[] iv = new byte[blockEncryptionAlgorithm.getInitVectorLength() / 8];
    rng.nextBytes(iv);
    String ivSegment = Base64Util.base64urlencode(iv);

    // The first three segments double as the additional authenticated data, so the
    // integrity value covers the header, the encrypted key and the IV as well.
    String authenticatedPrefix = headerSegment + "." + encryptedKeySegment + "." + ivSegment;

    // The plaintext handed to the encrypter is the base64url text of the claims, not the
    // raw JSON bytes; the receiving side has to expect the same.
    Pair<String, String> sealed = encrypter.generateCipherTextAndIntegrityValue(cmk, iv, authenticatedPrefix.getBytes(Util.UTF8_STRING_ENCODING), claimsSegment.getBytes(Util.UTF8_STRING_ENCODING));

    return authenticatedPrefix + "." + sealed.getFirst() + "." + sealed.getSecond();
}
Also used : JSONObject(org.codehaus.jettison.json.JSONObject) PublicKey(java.security.PublicKey) SecureRandom(java.security.SecureRandom) JweEncrypterImpl(org.xdi.oxauth.model.jwe.JweEncrypterImpl) InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException) JSONException(org.codehaus.jettison.json.JSONException) UnsupportedEncodingException(java.io.UnsupportedEncodingException)

Example 2 with JweEncrypterImpl

use of org.xdi.oxauth.model.jwe.JweEncrypterImpl in project oxAuth by GluuFederation.

the class EncryptionTest method cryptoTest5.

/**
 * Round trip for the algorithm pair labelled A256KW / A256GCM: wraps a random content
 * master key, encrypts a fixed sentence, then unwraps and decrypts and compares.
 *
 * <p>NOTE(review): the shared symmetric key below is 16 bytes long although the algorithm
 * label is A256KW; confirm whether JweEncrypterImpl validates the key length, because a
 * 128-bit key under an A256KW header does not give the strength the header advertises.
 */
@Test
public void cryptoTest5() throws Exception {
    showTitle("Test: alg = A256KW, enc = A256GCM");

    // Base64url of {"alg":"A256KW","enc":"A256GCM"}
    final String headerSegment = "eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMjU2R0NNIn0";
    final String message = "The true sign of intelligence is not knowledge but imagination.";

    // The content master key is random, so only the round trip (not the ciphertext) is asserted.
    byte[] contentKey = new byte[BlockEncryptionAlgorithm.A256GCM.getCmkLength() / 8];
    SecureRandom rng = new SecureRandom();
    rng.nextBytes(contentKey);

    byte[] wrappingKey = Base64Util.unsignedToBytes(new int[] { 25, 172, 32, 130, 225, 114, 26, 181, 138, 106, 254, 192, 95, 133, 74, 82 });

    // --- encrypt ---
    JweEncrypterImpl jweEncrypter = new JweEncrypterImpl(KeyEncryptionAlgorithm.A256KW, BlockEncryptionAlgorithm.A256GCM, wrappingKey);
    String wrappedKeySegment = jweEncrypter.generateEncryptedKey(contentKey);

    // Fixed IV keeps the test repeatable; outside a test a GCM IV must never repeat under one key.
    byte[] iv = Base64Util.unsignedToBytes(new int[] { 253, 220, 80, 25, 166, 152, 178, 168, 97, 99, 67, 89 });
    String ivSegment = Base64Util.base64urlencode(iv);
    assertEquals(ivSegment, "_dxQGaaYsqhhY0NZ");

    // Header, wrapped key and IV are authenticated but not encrypted.
    String aad = headerSegment + "." + wrappedKeySegment + "." + ivSegment;
    Pair<String, String> sealed = jweEncrypter.generateCipherTextAndIntegrityValue(contentKey, iv, aad.getBytes(Util.UTF8_STRING_ENCODING), message.getBytes(Util.UTF8_STRING_ENCODING));
    String cipherTextSegment = sealed.getFirst();
    String tagSegment = sealed.getSecond();

    System.out.println("JWE: " + aad + "." + cipherTextSegment + "." + tagSegment);

    // --- decrypt ---
    JweDecrypterImpl jweDecrypter = new JweDecrypterImpl(wrappingKey);
    jweDecrypter.setKeyEncryptionAlgorithm(KeyEncryptionAlgorithm.A256KW);
    jweDecrypter.setBlockEncryptionAlgorithm(BlockEncryptionAlgorithm.A256GCM);

    byte[] unwrappedKey = jweDecrypter.decryptEncryptionKey(wrappedKeySegment);
    assertEquals(unwrappedKey, contentKey);

    String recovered = jweDecrypter.decryptCipherText(cipherTextSegment, unwrappedKey, iv, Base64Util.base64urldecode(tagSegment), aad.getBytes(Util.UTF8_STRING_ENCODING));
    assertEquals(recovered, message);
}
Also used : JweDecrypterImpl(org.xdi.oxauth.model.jwe.JweDecrypterImpl) SecureRandom(java.security.SecureRandom) JweEncrypterImpl(org.xdi.oxauth.model.jwe.JweEncrypterImpl) Test(org.testng.annotations.Test) BaseTest(org.xdi.oxauth.BaseTest)

Example 3 with JweEncrypterImpl

use of org.xdi.oxauth.model.jwe.JweEncrypterImpl in project oxAuth by GluuFederation.

the class EncryptionTest method cryptoTest4.

/**
 * Known-answer and round-trip test for A128KW / A128GCM.
 *
 * <p>The wrapping key, content master key and IV are all fixed, which makes every
 * intermediate value deterministic and lets the test pin the expected wrapped key,
 * ciphertext and authentication tag before decrypting again. Such fixed key and IV pairs
 * belong in test vectors only.
 */
@Test
public void cryptoTest4() throws Exception {
    showTitle("Test: alg = A128KW, enc = A128GCM");

    // Base64url of {"alg":"A128KW","enc":"A128GCM"}
    final String headerSegment = "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIn0";
    final String message = "The true sign of intelligence is not knowledge but imagination.";

    byte[] contentKey = Base64Util.unsignedToBytes(new int[] { 64, 154, 239, 170, 64, 40, 195, 99, 19, 84, 192, 142, 192, 238, 207, 217 });
    byte[] wrappingKey = Base64Util.unsignedToBytes(new int[] { 25, 172, 32, 130, 225, 114, 26, 181, 138, 106, 254, 192, 95, 133, 74, 82 });

    // --- encrypt ---
    JweEncrypterImpl jweEncrypter = new JweEncrypterImpl(KeyEncryptionAlgorithm.A128KW, BlockEncryptionAlgorithm.A128GCM, wrappingKey);
    String wrappedKeySegment = jweEncrypter.generateEncryptedKey(contentKey);
    assertEquals(wrappedKeySegment, "pP_7AUDIQcgixVGPK9PwJr-htXV3RCxQ");

    byte[] iv = Base64Util.unsignedToBytes(new int[] { 253, 220, 80, 25, 166, 152, 178, 168, 97, 99, 67, 89 });
    String ivSegment = Base64Util.base64urlencode(iv);
    assertEquals(ivSegment, "_dxQGaaYsqhhY0NZ");

    // Header, wrapped key and IV are authenticated but not encrypted.
    String aad = headerSegment + "." + wrappedKeySegment + "." + ivSegment;
    Pair<String, String> sealed = jweEncrypter.generateCipherTextAndIntegrityValue(contentKey, iv, aad.getBytes(Util.UTF8_STRING_ENCODING), message.getBytes(Util.UTF8_STRING_ENCODING));
    String cipherTextSegment = sealed.getFirst();
    String tagSegment = sealed.getSecond();
    assertEquals(cipherTextSegment, "4wxZhLkQ-F2RVzWCX3M-aIpgbUd806VnymMVwQTiVOX-apDxJ1aUhKBoWOjkbVUHVlCGaqYYXMfSvJm72kXj");
    assertEquals(tagSegment, "miNQayWUUQZnBDzOq6VxQw");

    System.out.println("JWE: " + aad + "." + cipherTextSegment + "." + tagSegment);

    // --- decrypt ---
    JweDecrypterImpl jweDecrypter = new JweDecrypterImpl(wrappingKey);
    jweDecrypter.setKeyEncryptionAlgorithm(KeyEncryptionAlgorithm.A128KW);
    jweDecrypter.setBlockEncryptionAlgorithm(BlockEncryptionAlgorithm.A128GCM);

    byte[] unwrappedKey = jweDecrypter.decryptEncryptionKey(wrappedKeySegment);
    assertEquals(unwrappedKey, contentKey);

    String recovered = jweDecrypter.decryptCipherText(cipherTextSegment, unwrappedKey, iv, Base64Util.base64urldecode(tagSegment), aad.getBytes(Util.UTF8_STRING_ENCODING));
    assertEquals(recovered, message);
}
Also used : JweDecrypterImpl(org.xdi.oxauth.model.jwe.JweDecrypterImpl) JweEncrypterImpl(org.xdi.oxauth.model.jwe.JweEncrypterImpl) Test(org.testng.annotations.Test) BaseTest(org.xdi.oxauth.BaseTest)

Example 4 with JweEncrypterImpl

use of org.xdi.oxauth.model.jwe.JweEncrypterImpl in project oxAuth by GluuFederation.

the class IdTokenFactory method generateEncryptedIdToken.

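/**
 * Builds the ID token for a grant as a {@link Jwe} and encrypts it with the algorithms
 * registered for the client.
 *
 * <p>The header carries the client's registered key-encryption and block-encryption
 * algorithms. The claims are filled from the configuration (issuer, lifetime), the grant
 * (audience, ACR, authentication time, user attributes), the optional nonce, code and access
 * token, the requested scopes and any claims named in the grant's request object. The subject
 * is either a pairwise identifier (created on first use) or the configured user attribute.
 *
 * <p>Encryption: for RSA_OAEP and RSA1_5 the recipient key is taken from the key set obtained
 * for the client's {@code jwksUri}; for A128KW and A256KW the key is the UTF-8 bytes of the
 * decrypted client secret.
 *
 * @param authorizationGrant   grant the token is issued for; supplies client, user and request object
 * @param nonce                copied into the nonce claim when not blank
 * @param authorizationCode    when non-null, its hash is added as the CODE_HASH claim
 * @param accessToken          when non-null, its hash is added as the ACCESS_TOKEN_HASH claim
 * @param scopes               scope display names to resolve when {@code includeIdTokenClaims} is set
 * @param includeIdTokenClaims whether claims attached to the scopes are added to the token
 * @return the {@link Jwe} returned by the encrypter. NOTE(review): when the client's
 *         key-encryption algorithm is none of the four handled below, the token built here is
 *         returned without passing through an encrypter; consider failing closed instead.
 * @throws InvalidJweException if no public key is found for the client, or if symmetric
 *                             encryption fails for any reason
 * @throws Exception           if any other step (lookups, key retrieval, RSA encryption) fails
 */
public Jwe generateEncryptedIdToken(IAuthorizationGrant authorizationGrant, String nonce, AuthorizationCode authorizationCode, AccessToken accessToken, Set<String> scopes, boolean includeIdTokenClaims) throws Exception {
    Jwe jwe = new Jwe();
    // Header
    KeyEncryptionAlgorithm keyEncryptionAlgorithm = KeyEncryptionAlgorithm.fromName(authorizationGrant.getClient().getIdTokenEncryptedResponseAlg());
    BlockEncryptionAlgorithm blockEncryptionAlgorithm = BlockEncryptionAlgorithm.fromName(authorizationGrant.getClient().getIdTokenEncryptedResponseEnc());
    jwe.getHeader().setType(JwtType.JWT);
    jwe.getHeader().setAlgorithm(keyEncryptionAlgorithm);
    jwe.getHeader().setEncryptionMethod(blockEncryptionAlgorithm);
    // Claims
    jwe.getClaims().setIssuer(appConfiguration.getIssuer());
    jwe.getClaims().setAudience(authorizationGrant.getClient().getClientId());
    int lifeTime = appConfiguration.getIdTokenLifetime();
    // Issued-at is "now"; expiration is the same instant plus the configured lifetime in seconds.
    Calendar calendar = Calendar.getInstance();
    Date issuedAt = calendar.getTime();
    calendar.add(Calendar.SECOND, lifeTime);
    Date expiration = calendar.getTime();
    jwe.getClaims().setExpirationTime(expiration);
    jwe.getClaims().setIssuedAt(issuedAt);
    if (authorizationGrant.getAcrValues() != null) {
        jwe.getClaims().setClaim(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, authorizationGrant.getAcrValues());
        setAmrClaim(jwe, authorizationGrant.getAcrValues());
    }
    if (StringUtils.isNotBlank(nonce)) {
        jwe.getClaims().setClaim(JwtClaimName.NONCE, nonce);
    }
    if (authorizationGrant.getAuthenticationTime() != null) {
        jwe.getClaims().setClaim(JwtClaimName.AUTHENTICATION_TIME, authorizationGrant.getAuthenticationTime());
    }
    if (authorizationCode != null) {
        String codeHash = authorizationCode.getHash(null);
        jwe.getClaims().setClaim(JwtClaimName.CODE_HASH, codeHash);
    }
    if (accessToken != null) {
        String accessTokenHash = accessToken.getHash(null);
        jwe.getClaims().setClaim(JwtClaimName.ACCESS_TOKEN_HASH, accessTokenHash);
    }
    jwe.getClaims().setClaim(JwtClaimName.OX_OPENID_CONNECT_VERSION, appConfiguration.getOxOpenIdConnectVersion());
    List<org.xdi.oxauth.model.common.Scope> dynamicScopes = Lists.newArrayList();
    if (includeIdTokenClaims) {
        for (String scopeName : scopes) {
            org.xdi.oxauth.model.common.Scope scope = scopeService.getScopeByDisplayName(scopeName);
            if (scope == null) {
                // The lookup can come back empty; test for that before the first
                // dereference instead of after it.
                continue;
            }
            if (org.xdi.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType()) {
                // Dynamic scopes are collected and handed to the external scripts further down.
                dynamicScopes.add(scope);
                continue;
            }
            if (scope.getOxAuthClaims() == null) {
                continue;
            }
            for (String claimDn : scope.getOxAuthClaims()) {
                GluuAttribute gluuAttribute = attributeService.getAttributeByDn(claimDn);
                if (gluuAttribute == null) {
                    // Same tolerance as the request-object loop below: a claim reference
                    // that resolves to no attribute is skipped rather than dereferenced.
                    continue;
                }
                String claimName = gluuAttribute.getOxAuthClaimName();
                String ldapName = gluuAttribute.getName();
                String attributeValue;
                if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(ldapName)) {
                    if (ldapName.equals("uid")) {
                        attributeValue = authorizationGrant.getUser().getUserId();
                    } else {
                        attributeValue = authorizationGrant.getUser().getAttribute(gluuAttribute.getName());
                    }
                    jwe.getClaims().setClaim(claimName, attributeValue);
                }
            }
        }
    }
    if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getIdTokenMember() != null) {
        for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getIdTokenMember().getClaims()) {
            // Every requested claim is treated as optional; the per-claim lookup
            // (ClaimValueType.OPTIONAL.equals(claim.getClaimValue().getClaimValueType())) is disabled.
            boolean optional = true;
            GluuAttribute gluuAttribute = attributeService.getByClaimName(claim.getName());
            if (gluuAttribute != null) {
                String ldapClaimName = gluuAttribute.getName();
                Object attribute = authorizationGrant.getUser().getAttribute(ldapClaimName, optional);
                if (attribute != null) {
                    if (attribute instanceof JSONArray) {
                        // Multi-valued attribute: copy each element out as a string.
                        JSONArray jsonArray = (JSONArray) attribute;
                        List<String> values = new ArrayList<String>();
                        for (int i = 0; i < jsonArray.length(); i++) {
                            String value = jsonArray.optString(i);
                            if (value != null) {
                                values.add(value);
                            }
                        }
                        jwe.getClaims().setClaim(claim.getName(), values);
                    } else {
                        String value = (String) attribute;
                        jwe.getClaims().setClaim(claim.getName(), value);
                    }
                }
            }
        }
    }
    // Check for Subject Identifier Type
    if (authorizationGrant.getClient().getSubjectType() != null && SubjectType.fromString(authorizationGrant.getClient().getSubjectType()).equals(SubjectType.PAIRWISE)) {
        String sectorIdentifierUri;
        if (StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())) {
            sectorIdentifierUri = authorizationGrant.getClient().getSectorIdentifierUri();
        } else {
            // NOTE(review): assumes the client has at least one redirect URI registered.
            sectorIdentifierUri = authorizationGrant.getClient().getRedirectUris()[0];
        }
        String userInum = authorizationGrant.getUser().getAttribute("inum");
        PairwiseIdentifier pairwiseIdentifier = pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri);
        if (pairwiseIdentifier == null) {
            // First token for this user and sector: mint a random identifier and persist it.
            pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
            pairwiseIdentifier.setId(UUID.randomUUID().toString());
            pairwiseIdentifier.setDn(pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
            pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
        }
        jwe.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
    } else {
        String openidSubAttribute = appConfiguration.getOpenidSubAttribute();
        if (openidSubAttribute.equals("uid")) {
            jwe.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getUserId());
        } else {
            jwe.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute(openidSubAttribute));
        }
    }
    if ((dynamicScopes.size() > 0) && externalDynamicScopeService.isEnabled()) {
        // External scripts receive the token under construction and a read-only view of the grant.
        final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
        DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jwe, unmodifiableAuthorizationGrant);
        externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
    }
    // Encryption
    if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
        // NOTE(review): RSA1_5 (PKCS#1 v1.5 key transport) is accepted alongside RSA-OAEP;
        // RFC 8725 advises against it, so consider restricting it by policy.
        // NOTE(review): jwksUri is client-registered data; how JwtUtil.getJSONWebKeys
        // retrieves and validates it is not visible from this method.
        JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(authorizationGrant.getClient().getJwksUri());
        AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(appConfiguration);
        // NOTE(review): the recipient key is selected through a signature-algorithm lookup
        // (RS256); confirm this cannot pick a key the client published for signing only.
        String keyId = cryptoProvider.getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys), SignatureAlgorithm.RS256);
        PublicKey publicKey = cryptoProvider.getPublicKey(keyId, jsonWebKeys);
        if (publicKey != null) {
            JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, publicKey);
            jwe = jweEncrypter.encrypt(jwe);
        } else {
            throw new InvalidJweException("The public key is not valid");
        }
    } else if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A128KW || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW) {
        try {
            // NOTE(review): the key is the raw UTF-8 bytes of the client secret, with no length
            // check or derivation step here. OpenID Connect Core (section 10.2) derives the
            // symmetric key from a truncated hash of the secret; confirm JweEncrypterImpl
            // accounts for that.
            byte[] sharedSymmetricKey = clientService.decryptSecret(authorizationGrant.getClient().getClientSecret()).getBytes(Util.UTF8_STRING_ENCODING);
            JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, sharedSymmetricKey);
            jwe = jweEncrypter.encrypt(jwe);
        } catch (Exception e) {
            // Every failure on this path is reported as an InvalidJweException with its cause kept.
            throw new InvalidJweException(e);
        }
    }
    // NOTE(review): no else branch. An unrecognised or missing key-encryption algorithm
    // reaches this point with the token never handed to an encrypter.
    return jwe;
}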
Also used : BlockEncryptionAlgorithm(org.xdi.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm) PairwiseIdentifier(org.xdi.oxauth.model.ldap.PairwiseIdentifier) org.xdi.oxauth.model.common(org.xdi.oxauth.model.common) Jwe(org.xdi.oxauth.model.jwe.Jwe) AbstractCryptoProvider(org.xdi.oxauth.model.crypto.AbstractCryptoProvider) JweEncrypter(org.xdi.oxauth.model.jwe.JweEncrypter) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException) PublicKey(java.security.PublicKey) JSONArray(org.codehaus.jettison.json.JSONArray) UnsupportedEncodingException(java.io.UnsupportedEncodingException) DynamicScopeExternalContext(org.xdi.oxauth.service.external.context.DynamicScopeExternalContext) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) GluuAttribute(org.xdi.model.GluuAttribute) JSONObject(org.codehaus.jettison.json.JSONObject) KeyEncryptionAlgorithm(org.xdi.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm) JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject) JSONObject(org.codehaus.jettison.json.JSONObject) JweEncrypterImpl(org.xdi.oxauth.model.jwe.JweEncrypterImpl) Claim(org.xdi.oxauth.model.authorize.Claim)

Example 5 with JweEncrypterImpl

use of org.xdi.oxauth.model.jwe.JweEncrypterImpl in project oxAuth by GluuFederation.

the class JwtState method getEncodedJwt.

/**
 * Produces the compact, dot-separated encoding of this object's header and payload.
 *
 * <p>With both a key-encryption and a block-encryption algorithm set, the output is the
 * five-segment encrypted form; otherwise it is the three-segment signed form, which requires
 * a crypto provider.
 *
 * @param jwks key set used to look up the recipient public key by {@code keyId}; when it or
 *             the crypto provider is null the shared key is used for key encryption instead
 * @return the encoded token
 * @throws Exception if signing is requested without a crypto provider, or if any encoding,
 *                   key or cipher operation fails
 */
public String getEncodedJwt(JSONObject jwks) throws Exception {
    if (keyEncryptionAlgorithm != null && blockEncryptionAlgorithm != null) {
        // ----- encrypted form -----
        final boolean usePublicKey = cryptoProvider != null && jwks != null;
        final JweEncrypterImpl keyWrapper;
        if (usePublicKey) {
            // NOTE(review): a null result from the key lookup is passed on as is; verify
            // that JweEncrypterImpl rejects it.
            PublicKey recipientPublicKey = cryptoProvider.getPublicKey(keyId, jwks);
            keyWrapper = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, recipientPublicKey);
        } else {
            // NOTE(review): sharedKey is not null-checked, and its UTF-8 bytes are used
            // directly as key material.
            keyWrapper = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, sharedKey.getBytes(Util.UTF8_STRING_ENCODING));
        }

        String part1Header = Base64Util.base64urlencode(headerToJSONObject().toString().getBytes(Util.UTF8_STRING_ENCODING));
        String encodedPayloadText = Base64Util.base64urlencode(payloadToJSONObject().toString().getBytes(Util.UTF8_STRING_ENCODING));

        // One SecureRandom supplies both the per-token content master key and the IV.
        byte[] masterKey = new byte[blockEncryptionAlgorithm.getCmkLength() / 8];
        SecureRandom secureRandom = new SecureRandom();
        secureRandom.nextBytes(masterKey);
        String part2EncryptedKey = keyWrapper.generateEncryptedKey(masterKey);

        byte[] ivBytes = new byte[blockEncryptionAlgorithm.getInitVectorLength() / 8];
        secureRandom.nextBytes(ivBytes);
        String part3Iv = Base64Util.base64urlencode(ivBytes);

        // Segments one to three are bound to the ciphertext as additional authenticated data.
        String aad = part1Header + "." + part2EncryptedKey + "." + part3Iv;

        // What gets encrypted is the base64url text of the payload rather than its raw JSON.
        Pair<String, String> cipherAndTag = keyWrapper.generateCipherTextAndIntegrityValue(masterKey, ivBytes, aad.getBytes(Util.UTF8_STRING_ENCODING), encodedPayloadText.getBytes(Util.UTF8_STRING_ENCODING));
        String part4CipherText = cipherAndTag.getFirst();
        String part5IntegrityValue = cipherAndTag.getSecond();

        return aad + "." + part4CipherText + "." + part5IntegrityValue;
    }

    // ----- signed form -----
    if (cryptoProvider == null) {
        throw new Exception("The Crypto Provider cannot be null.");
    }
    JSONObject headerObject = headerToJSONObject();
    JSONObject payloadObject = payloadToJSONObject();
    String headerJson = headerObject.toString();
    String payloadJson = payloadObject.toString();
    String headerPart = Base64Util.base64urlencode(headerJson.getBytes(Util.UTF8_STRING_ENCODING));
    String payloadPart = Base64Util.base64urlencode(payloadJson.getBytes(Util.UTF8_STRING_ENCODING));
    String toBeSigned = headerPart + "." + payloadPart;
    String signaturePart = cryptoProvider.sign(toBeSigned, keyId, sharedKey, signatureAlgorithm);
    return toBeSigned + "." + signaturePart;
}
Also used : JSONObject(org.codehaus.jettison.json.JSONObject) PublicKey(java.security.PublicKey) SecureRandom(java.security.SecureRandom) JweEncrypterImpl(org.xdi.oxauth.model.jwe.JweEncrypterImpl) JSONException(org.codehaus.jettison.json.JSONException) InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException) UnsupportedEncodingException(java.io.UnsupportedEncodingException)

Aggregations

JweEncrypterImpl (org.xdi.oxauth.model.jwe.JweEncrypterImpl)9 PublicKey (java.security.PublicKey)7 Test (org.testng.annotations.Test)5 BaseTest (org.xdi.oxauth.BaseTest)5 JweDecrypterImpl (org.xdi.oxauth.model.jwe.JweDecrypterImpl)5 UnsupportedEncodingException (java.io.UnsupportedEncodingException)4 SecureRandom (java.security.SecureRandom)4 JSONObject (org.codehaus.jettison.json.JSONObject)4 BigInteger (java.math.BigInteger)3 RSAPrivateKey (org.xdi.oxauth.model.crypto.signature.RSAPrivateKey)3 InvalidJwtException (org.xdi.oxauth.model.exception.InvalidJwtException)3 RSAPublicKeyImpl (sun.security.rsa.RSAPublicKeyImpl)3 JSONArray (org.codehaus.jettison.json.JSONArray)2 JSONException (org.codehaus.jettison.json.JSONException)2 GluuAttribute (org.xdi.model.GluuAttribute)2 Claim (org.xdi.oxauth.model.authorize.Claim)2 AbstractCryptoProvider (org.xdi.oxauth.model.crypto.AbstractCryptoProvider)2 InvalidJweException (org.xdi.oxauth.model.exception.InvalidJweException)2 Jwe (org.xdi.oxauth.model.jwe.Jwe)2 JweEncrypter (org.xdi.oxauth.model.jwe.JweEncrypter)2