/**
 * Returns the private half of the wrapped key.
 * <p>
 * The wrapped {@code key} is cast to {@link PublicJsonWebKey}; a ClassCastException
 * results if it is any other kind of JWK.
 *
 * @return the private key of the wrapped {@link PublicJsonWebKey}
 */
@Override
public Key getPrivateKey() {
    PublicJsonWebKey asymmetricJwk = (PublicJsonWebKey) key;
    return asymmetricJwk.getPrivateKey();
}
}
/**
 * Verifies that, when a certificate chain is present, the first certificate carries
 * the same public key as the bare key members of this JWK.
 *
 * @throws IllegalArgumentException if a leaf certificate exists and its public key is
 *         not equal to {@code getPublicKey()}
 */
void checkForBareKeyCertMismatch() {
    X509Certificate leaf = getLeafCertificate();
    if (leaf == null) {
        return; // no certificate chain to cross-check against the bare key
    }
    boolean keysAgree = leaf.getPublicKey().equals(getPublicKey());
    if (!keysAgree) {
        throw new IllegalArgumentException("The key in the first certificate MUST match the bare public key "
                + "represented by other members of the JWK. Public key = " + getPublicKey()
                + " cert = " + leaf);
    }
}
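/**
 * Sets the certificate chain, rejecting a chain whose first certificate does not carry
 * this JWK's bare public key.
 * <p>
 * {@code checkForBareKeyCertMismatch()} inspects the chain held in the field, so the new
 * value is assigned before the check runs; checking first only validated whatever chain
 * had been set previously and let a mismatching new chain through. If the check fails the
 * previous chain is restored before the exception propagates.
 *
 * @param certificateChain the certificate chain to associate with this key, first
 *        certificate being the one compared against the bare key
 * @throws IllegalArgumentException if the first certificate's public key differs from the
 *         bare public key
 */
public void setCertificateChain(List<X509Certificate> certificateChain) {
    List<X509Certificate> previousChain = this.certificateChain;
    this.certificateChain = certificateChain;
    try {
        checkForBareKeyCertMismatch();
    } catch (IllegalArgumentException mismatch) {
        // Leave the JWK exactly as it was before the rejected update.
        this.certificateChain = previousChain;
        throw mismatch;
    }
}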
/**
 * Adds the type-specific public members, the X.509 members (certificate chain, both
 * thumbprints and the URL, each only when set) and, when requested, the private members
 * to {@code params}.
 *
 * @param params the JWK member map being populated
 * @param outputLevel private members are written when this is
 *        {@code OutputControlLevel.INCLUDE_PRIVATE} or when
 *        {@code writeOutPrivateKeyToJson} is set
 */
protected void fillTypeSpecificParams(Map<String,Object> params, OutputControlLevel outputLevel) {
    fillPublicTypeSpecificParams(params);

    if (certificateChain != null) {
        params.put(X509_CERTIFICATE_CHAIN_PARAMETER, base64DerChain());
    }

    putIfNotNull(X509_THUMBPRINT_PARAMETER, x5t, params);
    putIfNotNull(X509_SHA256_THUMBPRINT_PARAMETER, x5tS256, params);
    putIfNotNull(X509_URL_PARAMETER, x5u, params);

    boolean includePrivate = writeOutPrivateKeyToJson || outputLevel == OutputControlLevel.INCLUDE_PRIVATE;
    if (includePrivate) {
        fillPrivateTypeSpecificParams(params);
    }
}

/** Encodes each certificate of the chain, in order, as base64 DER via {@link X509Util#toBase64}. */
private List<String> base64DerChain() {
    X509Util encoder = new X509Util();
    List<String> encoded = new ArrayList<String>(certificateChain.size());
    for (X509Certificate certificate : certificateChain) {
        encoded.add(encoder.toBase64(certificate));
    }
    return encoded;
}
/**
 * Configures a JWS for signing an id token on behalf of the given service: installs the
 * JWK's private key, forbids the {@code none} algorithm, copies the key id (when the JWK
 * has a non-blank one) into the {@code kid} header and sets the service's signing
 * algorithm in the {@code alg} header.
 *
 * @param svc the registered service the id token is issued for
 * @param jws the signature object to configure; mutated in place
 * @param jsonWebKey the signing key
 * @return the same {@code jws} instance, configured
 */
protected JsonWebSignature configureJsonWebSignatureForIdTokenSigning(final OAuthRegisteredService svc, final JsonWebSignature jws, final PublicJsonWebKey jsonWebKey) {
    LOGGER.debug("Service [{}] is set to sign id tokens", svc);
    jws.setKey(jsonWebKey.getPrivateKey());
    // An unsigned ("none") id token must never be produced here.
    jws.setAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE);

    final String keyId = jsonWebKey.getKeyId();
    if (StringUtils.isNotBlank(keyId)) {
        jws.setKeyIdHeaderValue(keyId);
    }
    LOGGER.debug("Signing id token with key id header value [{}]", jws.getKeyIdHeaderValue());

    final String algorithm = getJsonWebKeySigningAlgorithm(svc);
    jws.setAlgorithmHeaderValue(algorithm);
    LOGGER.debug("Signing id token with algorithm [{}]", jws.getAlgorithmHeaderValue());
    return jws;
}
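/**
 * Verifies an id token's JWS signature against the signing key's public key and checks
 * its issuer and client id claims.
 * <p>
 * Only the issuer (case-insensitively) and the presence of the client id claim are
 * checked here; this method does not itself check expiration or audience. Checked
 * exceptions from verification and parsing propagate unchanged via
 * {@code @SneakyThrows}.
 *
 * @param token the compact-serialized id token
 * @return the parsed claims
 * @throws IllegalArgumentException if the signing key has no public key, the issuer claim
 *         is blank or differs from this service's issuer, or the client id claim is blank
 */
@Override
@SneakyThrows
public JwtClaims validate(final String token) {
    val jsonWebKey = getSigningKey();
    if (jsonWebKey.getPublicKey() == null) {
        throw new IllegalArgumentException("JSON web key used to validate the id token signature has no associated public key");
    }
    // The signature is verified before any claim is read; the returned bytes are the verified payload.
    val jwt = EncodingUtils.verifyJwsSignature(jsonWebKey.getPublicKey(), token);
    val result = new String(jwt, StandardCharsets.UTF_8);
    val claims = JwtClaims.parse(result);
    LOGGER.debug("Validated claims as [{}]", claims);

    if (StringUtils.isBlank(claims.getIssuer())) {
        throw new IllegalArgumentException("Claims do not container an issuer");
    }
    // Reject a token whose issuer is not ours. The previous condition lacked the negation
    // and threw exactly when the issuer matched.
    if (!claims.getIssuer().equalsIgnoreCase(this.issuer)) {
        throw new IllegalArgumentException("Issuer assigned to claims does not match " + this.issuer);
    }
    if (StringUtils.isBlank(claims.getStringClaimValue(OAuth20Constants.CLIENT_ID))) {
        throw new IllegalArgumentException("Claims do not contain a client id claim");
    }
    return claims;
}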
/**
 * Returns the authorization string.
 * <p>
 * The default is {@code token + '.' + base64url(jwkThumbprint)}, where the thumbprint is
 * the SHA-256 JWK thumbprint of the login's public key. Subclasses may override this
 * method if a different algorithm is used.
 *
 * @return the key authorization for this challenge
 * @throws AcmeProtocolException if the JWK thumbprint cannot be computed
 */
public String getAuthorization() {
    try {
        PublicKey accountKey = getLogin().getKeyPair().getPublic();
        PublicJsonWebKey accountJwk = PublicJsonWebKey.Factory.newPublicJwk(accountKey);
        String token = getToken();
        return token + '.' + base64UrlEncode(accountJwk.calculateThumbprint("SHA-256"));
    } catch (JoseException ex) {
        throw new AcmeProtocolException("Cannot compute key thumbprint", ex);
    }
}
/**
 * Returns the authorization string.
 * <p>
 * The default is {@code token + '.' + base64url(jwkThumbprint)}, where the thumbprint is
 * the SHA-256 JWK thumbprint of the login's public key. Subclasses may override this
 * method if a different algorithm is used.
 *
 * @return the key authorization for this challenge
 * @throws AcmeProtocolException if the JWK thumbprint cannot be computed
 */
public String getAuthorization() {
    try {
        PublicKey accountKey = getLogin().getKeyPair().getPublic();
        PublicJsonWebKey accountJwk = PublicJsonWebKey.Factory.newPublicJwk(accountKey);
        String token = getToken();
        return token + '.' + base64UrlEncode(accountJwk.calculateThumbprint("SHA-256"));
    } catch (JoseException ex) {
        throw new AcmeProtocolException("Cannot compute key thumbprint", ex);
    }
}
return publicJsonWebKey.getPrivateKey();
/**
 * Sender-side ECDH-ES key management: publishes the ephemeral JWK in the
 * {@code EPHEMERAL_PUBLIC_KEY} header, agrees a shared secret between the ephemeral
 * private key and the recipient's public key, and runs it through the KDF.
 *
 * @param managementKey the recipient's key; cast to {@link PublicKey}
 * @param cekDesc describes the content encryption key to derive
 * @param headers the JWE headers; the ephemeral public key header is set here and the
 *        headers are also fed to the KDF
 * @param ephemeralJwk the freshly generated ephemeral key pair
 * @param providerContext provider selection for the agreement and KDF
 * @return the derived key, with a null second component (presumably no encrypted key is
 *         emitted for direct key agreement — confirm against ContentEncryptionKeys)
 * @throws JoseException on agreement or derivation failure
 */
ContentEncryptionKeys manageForEncrypt(Key managementKey, ContentEncryptionKeyDescriptor cekDesc, Headers headers, PublicJsonWebKey ephemeralJwk, ProviderContext providerContext) throws JoseException {
    headers.setJwkHeaderValue(HeaderParameterNames.EPHEMERAL_PUBLIC_KEY, ephemeralJwk);
    PublicKey recipientPublicKey = (PublicKey) managementKey;
    byte[] sharedSecret = generateEcdhSecret(ephemeralJwk.getPrivateKey(), recipientPublicKey, providerContext);
    byte[] contentEncryptionKey = kdf(cekDesc, headers, sharedSecret, providerContext);
    return new ContentEncryptionKeys(contentEncryptionKey, null);
}
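/**
 * Decrypts {@code jwe} with jose4j using the recipient JWK in {@code recipientJwkJson},
 * restricting the accepted algorithms to {@code RSA_OAEP} / {@code AES_128_GCM}, and
 * reports whether the base64url-decoded plaintext equals {@code PAYLOAD}.
 * <p>
 * Any failure is printed and reported as {@code false}; this is a test helper, so the
 * broad catch is deliberate.
 *
 * @param jwe the compact-serialized JWE to decrypt
 * @return {@code true} only when decryption succeeds and the plaintext matches {@code PAYLOAD}
 */
public boolean testDecryptWithJose4J(String jwe) {
    try {
        PublicJsonWebKey jwk = PublicJsonWebKey.Factory.newPublicJwk(recipientJwkJson);
        JsonWebEncryption receiverJwe = new JsonWebEncryption();
        AlgorithmConstraints algConstraints = new AlgorithmConstraints(ConstraintType.WHITELIST, KeyManagementAlgorithmIdentifiers.RSA_OAEP);
        receiverJwe.setAlgorithmConstraints(algConstraints);
        AlgorithmConstraints encConstraints = new AlgorithmConstraints(ConstraintType.WHITELIST, ContentEncryptionAlgorithmIdentifiers.AES_128_GCM);
        receiverJwe.setContentEncryptionAlgorithmConstraints(encConstraints);
        receiverJwe.setKey(jwk.getPrivateKey());
        receiverJwe.setCompactSerialization(jwe);
        // Decode with an explicit charset: new String(byte[]) used the platform default,
        // so the comparison against PAYLOAD depended on the JVM's locale settings.
        final String decryptedPayload = new String(
                Base64Util.base64urldecode(receiverJwe.getPlaintextString()),
                java.nio.charset.StandardCharsets.UTF_8);
        System.out.println("Jose4j decrypt succeed: " + decryptedPayload);
        return decryptedPayload.equals(PAYLOAD);
    } catch (Exception e) {
        System.out.println("Jose4j decrypt failed: " + e.getMessage());
        e.printStackTrace();
        return false;
    }
}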