Example 1 with JarValidationException

Use of uk.gov.di.ipv.cri.passport.library.exceptions.JarValidationException in project di-ipv-cri-uk-passport-back by alphagov.

From the class JarValidator, method validateMaxAllowedJarTtl:

private void validateMaxAllowedJarTtl(JWTClaimsSet claimsSet) throws JarValidationException {
    // Maximum lifetime (in seconds) a client request JWT may claim, taken from configuration
    String maxAllowedTtl = configurationService.getMaxClientAuthTokenTtl();
    // Latest acceptable expiry: now + configured TTL.
    // Note: LocalDateTime.now() uses the JVM's default time zone, while expirationTime
    // below is derived in UTC; on a host whose default zone is not UTC the two values
    // differ by the zone offset, so the comparison is skewed by that amount.
    LocalDateTime maximumExpirationTime = LocalDateTime.now().plusSeconds(Long.parseLong(maxAllowedTtl));
    LocalDateTime expirationTime = LocalDateTime.ofInstant(claimsSet.getExpirationTime().toInstant(), ZoneOffset.UTC);
    // Reject JWTs whose exp claim lies beyond the allowed window (an over-long exp
    // would extend the replay window of the request object)
    if (expirationTime.isAfter(maximumExpirationTime)) {
        LOGGER.error("Client JWT expiry date is too far in the future");
        throw new JarValidationException(OAuth2Error.INVALID_GRANT.setDescription("The client JWT expiry date has surpassed the maximum allowed ttl value"));
    }
}
Also used: LocalDateTime(java.time.LocalDateTime) JarValidationException(uk.gov.di.ipv.cri.passport.library.exceptions.JarValidationException)

Example 2 with JarValidationException

Use of uk.gov.di.ipv.cri.passport.library.exceptions.JarValidationException in project di-ipv-cri-uk-passport-back by alphagov.

From the class JarValidator, method validateSignature:

private void validateSignature(SignedJWT signedJWT, String clientId) throws JarValidationException {
    try {
        // JWS requires the ECDSA signature in concatenated R||S form; if the client
        // supplied a DER-encoded signature, transcode it before verifying
        SignedJWT concatSignatureJwt;
        if (JwtHelper.signatureIsDerFormat(signedJWT)) {
            concatSignatureJwt = JwtHelper.transcodeSignature(signedJWT);
        } else {
            concatSignatureJwt = signedJWT;
        }
        // Verify against the public JWK registered for this client, not a key named in the token
        boolean valid = concatSignatureJwt.verify(new ECDSAVerifier(configurationService.getClientSigningPublicJwk(clientId)));
        if (!valid) {
            LOGGER.error("JWT signature validation failed");
            throw new JarValidationException(OAuth2Error.INVALID_REQUEST_OBJECT.setDescription("JWT signature validation failed"));
        }
    } catch (JOSEException | ParseException e) {
        // A malformed key or token is treated the same as a bad signature: reject the request object
        LOGGER.error("Failed to parse JWT when attempting signature validation");
        throw new JarValidationException(OAuth2Error.INVALID_REQUEST_OBJECT.setDescription("Failed to parse JWT when attempting signature validation"));
    }
}
Also used: ECDSAVerifier(com.nimbusds.jose.crypto.ECDSAVerifier) SignedJWT(com.nimbusds.jwt.SignedJWT) ParseException(java.text.ParseException) JOSEException(com.nimbusds.jose.JOSEException) JarValidationException(uk.gov.di.ipv.cri.passport.library.exceptions.JarValidationException)

Example 3 with JarValidationException

Use of uk.gov.di.ipv.cri.passport.library.exceptions.JarValidationException in project di-ipv-cri-uk-passport-back by alphagov.

From the class JarValidatorTest, method shouldFailValidationChecksOnInvalidPublicJwk:

@Test
void shouldFailValidationChecksOnInvalidPublicJwk() throws NoSuchAlgorithmException, InvalidKeySpecException, JOSEException, ParseException {
    // Simulate the client's registered public JWK failing to parse
    when(configurationService.getClientSigningPublicJwk(anyString())).thenThrow(new ParseException("test-error", 0));
    SignedJWT signedJWT = generateJWT(getValidClaimsSetValues());
    try {
        jarValidator.validateRequestJwt(signedJWT, clientIdClaim);
        fail();
    } catch (JarValidationException e) {
        // Expect the request object to be rejected with invalid_request_object
        ErrorObject errorObject = e.getErrorObject();
        assertEquals(OAuth2Error.INVALID_REQUEST_OBJECT.getHTTPStatusCode(), errorObject.getHTTPStatusCode());
        assertEquals(OAuth2Error.INVALID_REQUEST_OBJECT.getCode(), errorObject.getCode());
        assertEquals("Failed to parse JWT when attempting signature validation", errorObject.getDescription());
    }
}
Also used: ErrorObject(com.nimbusds.oauth2.sdk.ErrorObject) ParseException(java.text.ParseException) SignedJWT(com.nimbusds.jwt.SignedJWT) JarValidationException(uk.gov.di.ipv.cri.passport.library.exceptions.JarValidationException) Test(org.junit.jupiter.api.Test)

Example 4 with JarValidationException

Use of uk.gov.di.ipv.cri.passport.library.exceptions.JarValidationException in project di-ipv-cri-uk-passport-back by alphagov.

From the class JarValidatorTest, method shouldThrowExceptionIfDecrptionFails:

@Test
void shouldThrowExceptionIfDecrptionFails() throws ParseException {
    // Compact JWE (RSA-OAEP-256 / A128CBC-HS256) that cannot be decrypted with the test key
    String jweObjectString = "eyJ0eXAiOiJKV0UiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.ZpVOfw61XyBBgsR4CRNRMn2oj_S65pMJO-iaEHpR6QrPcIuD4ysZexolo28vsZyZNR-kfVdw_5CjQanwMS-yw3U3nSUvXUrTs3uco-FSXulIeDYTRbBtQuDyvBMVoos6DyIfC6eBj30GMe5g6DF5KJ1Q0eXQdF0kyM9olg76uYAUqZ5rW52rC_SOHb5_tMj7UbO2IViIStdzLgVfgnJr7Ms4bvG0C8-mk4Otd7m2Km2-DNyGaNuFQSKclAGu7Zgg-qDyhH4V1Z6WUHt79TuG4TxseUr-6oaFFVD23JYSBy7Aypt0321ycq13qcN-PBiOWtumeW5-_CQuHLaPuOc4-w.RO9IB2KcS2hD3dWlKXSreQ.93Ntu3e0vNSYv4hoMwZ3Aw.YRvWo4bwsP_l7dL_29imGg";
    try {
        jarValidator.decryptJWE(JWEObject.parse(jweObjectString));
        fail("Should throw a SharedAttributesValidationException");
    } catch (JarValidationException e) {
        // Decryption failure surfaces as invalid_request_object
        assertEquals(OAuth2Error.INVALID_REQUEST_OBJECT.getCode(), e.getErrorObject().getCode());
    }
}
Also used: ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) JarValidationException(uk.gov.di.ipv.cri.passport.library.exceptions.JarValidationException) Test(org.junit.jupiter.api.Test)

Example 5 with JarValidationException

Use of uk.gov.di.ipv.cri.passport.library.exceptions.JarValidationException in project di-ipv-cri-uk-passport-back by alphagov.

From the class JarValidatorTest, method shouldFailValidationChecksOnMissingRequiredClaim:

@Test
void shouldFailValidationChecksOnMissingRequiredClaim() throws NoSuchAlgorithmException, InvalidKeySpecException, JOSEException, ParseException {
    // Configure a valid client key, audience and issuer so that only the claim set is at fault
    when(configurationService.getClientSigningPublicJwk(anyString())).thenReturn(ECKey.parse(EC_PUBLIC_JWK_1));
    when(configurationService.getAudienceForClients()).thenReturn(audienceClaim);
    when(configurationService.getClientIssuer(anyString())).thenReturn(issuerClaim);
    ECDSASigner signer = new ECDSASigner(getPrivateKey());
    // Correctly signed ES256 JWT that carries only the aud claim
    JWTClaimsSet claimsSet = new JWTClaimsSet.Builder().claim(JWTClaimNames.AUDIENCE, audienceClaim).build();
    SignedJWT signedJWT = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.ES256).type(JOSEObjectType.JWT).build(), claimsSet);
    signedJWT.sign(signer);
    try {
        jarValidator.validateRequestJwt(signedJWT, clientIdClaim);
        fail();
    } catch (JarValidationException e) {
        // A valid signature is not enough: every required claim must be present
        ErrorObject errorObject = e.getErrorObject();
        assertEquals(OAuth2Error.INVALID_GRANT.getHTTPStatusCode(), errorObject.getHTTPStatusCode());
        assertEquals(OAuth2Error.INVALID_GRANT.getCode(), errorObject.getCode());
        assertEquals("JWT missing required claims: [exp, iat, iss, nbf, response_type, sub]", errorObject.getDescription());
    }
}
Also used: ECDSASigner(com.nimbusds.jose.crypto.ECDSASigner) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) ErrorObject(com.nimbusds.oauth2.sdk.ErrorObject) SignedJWT(com.nimbusds.jwt.SignedJWT) JWSHeader(com.nimbusds.jose.JWSHeader) JarValidationException(uk.gov.di.ipv.cri.passport.library.exceptions.JarValidationException) Test(org.junit.jupiter.api.Test)
