/**
 * Selects the JWKs from {@code keys} that are candidates for decrypting {@code jwe}.
 *
 * <p>All header-to-key matching (kid, x5t / x5t#S256, kty, plus use and key_ops for
 * decryption) is delegated to
 * {@link SelectorSupport#filterForInboundEncrypted(JsonWebEncryption)}; the resulting
 * filter is applied once to the supplied keys. No further narrowing is attempted here,
 * so the result may be empty or may hold several keys.
 *
 * @param jwe  the inbound JWE whose headers drive the selection
 * @param keys the candidate keys to choose from
 * @return the matching keys, in the order they were supplied
 * @throws JoseException if the filter cannot be derived from the JWE headers
 */
public List<JsonWebKey> selectList(JsonWebEncryption jwe, Collection<JsonWebKey> keys) throws JoseException
{
    SimpleJwkFilter inboundFilter = SelectorSupport.filterForInboundEncrypted(jwe);
    List<JsonWebKey> candidates = inboundFilter.filter(keys);
    return candidates;
}
}
/**
 * Builds the key filter used when looking for a key to verify an inbound JWS.
 *
 * <p>Starts from the common inbound criteria (kid, x5t / x5t#S256, kty taken from the
 * JWS headers) and adds the signature-specific ones: the key's {@code use} must be
 * {@code sig} and its {@code key_ops} must satisfy {@code VERIFY_OPS}. Both are set with
 * {@code OMITTED_OKAY}, which — going by the flag name — means a key that omits the
 * attribute is still accepted.
 *
 * @param jws the inbound JWS whose headers supply the criteria
 * @return a filter matching keys that may verify {@code jws}
 * @throws JoseException propagated from the common inbound filter construction
 */
public static SimpleJwkFilter filterForInboundSigned(JsonWebSignature jws) throws JoseException
{
    SimpleJwkFilter signedFilter = commonFilterForInbound(jws);
    // Signature-specific narrowing on top of the shared header-derived criteria.
    signedFilter.setUse(Use.SIGNATURE, SimpleJwkFilter.OMITTED_OKAY);
    signedFilter.setKeyOperations(VERIFY_OPS, SimpleJwkFilter.OMITTED_OKAY);
    return signedFilter;
}
/**
 * Builds the part of the inbound key filter that is shared by JWS and JWE selection.
 *
 * <p>The criteria come from the protected headers of {@code jwx}:
 * <ul>
 *   <li>{@code kid}, when present, is set with {@code VALUE_REQUIRED} — judging by the flag
 *       name, a key without a matching kid is then excluded;</li>
 *   <li>{@code x5t} and {@code x5t#S256}, when present, are set with {@code OMITTED_OKAY},
 *       and the filter is allowed to derive thumbprints from a key's {@code x5c} chain
 *       when the thumbprint members themselves are absent;</li>
 *   <li>{@code kty} is always required and is taken from the key type of the header's
 *       algorithm (looked up without the algorithm-constraint check).</li>
 * </ul>
 *
 * @param jwx the inbound JWS or JWE
 * @return a filter carrying the header-derived criteria
 * @throws JoseException if the algorithm named in the header cannot be resolved
 */
private static SimpleJwkFilter commonFilterForInbound(JsonWebStructure jwx) throws JoseException
{
    SimpleJwkFilter inbound = new SimpleJwkFilter();

    String headerKid = jwx.getKeyIdHeaderValue();
    if (headerKid != null)
    {
        inbound.setKid(headerKid, SimpleJwkFilter.VALUE_REQUIRED);
    }

    String sha1Thumb = jwx.getX509CertSha1ThumbprintHeaderValue();
    String sha256Thumb = jwx.getX509CertSha256ThumbprintHeaderValue();
    // Let keys that carry only x5c (no x5t / x5t#S256 members) still be matched on thumbprint.
    inbound.setAllowFallbackDeriveFromX5cForX5Thumbs(true);
    if (sha1Thumb != null)
    {
        inbound.setX5t(sha1Thumb, SimpleJwkFilter.OMITTED_OKAY);
    }
    if (sha256Thumb != null)
    {
        inbound.setX5tS256(sha256Thumb, SimpleJwkFilter.OMITTED_OKAY);
    }

    // The algorithm is resolved without the constraint check: the key type is needed for
    // selection before (and regardless of) whether the algorithm is ultimately permitted.
    String expectedKeyType = jwx.getAlgorithmNoConstraintCheck().getKeyType();
    inbound.setKty(expectedKeyType);

    return inbound;
}
/**
 * Returns the subset of {@code jsonWebKeys} that satisfies every criterion set on this filter.
 *
 * <p>A key must match on kid, kty, use, alg, x5t, x5t#S256 and crv (each via
 * {@code isMatch}, which decides how an unset criterion or an absent key attribute is
 * treated), and — when key operations were configured — its {@code key_ops} must satisfy
 * them. Thumbprints are obtained through {@code getThumbs}, honouring the x5c fallback
 * setting.
 *
 * @param jsonWebKeys the keys to examine
 * @return the matching keys in their original iteration order; empty when none match
 */
public List<JsonWebKey> filter(Collection<JsonWebKey> jsonWebKeys)
{
    List<JsonWebKey> accepted = new LinkedList<>();
    for (JsonWebKey candidate : jsonWebKeys)
    {
        if (matchesAllCriteria(candidate))
        {
            accepted.add(candidate);
        }
    }
    return accepted;
}

/**
 * Evaluates every criterion against one key.
 *
 * <p>All criteria are evaluated unconditionally (the combination uses the
 * non-short-circuit {@code &}), so each attribute lookup on the key happens regardless of
 * earlier mismatches.
 *
 * @param candidate the key to test
 * @return {@code true} only if every criterion is satisfied
 */
private boolean matchesAllCriteria(JsonWebKey candidate)
{
    boolean kidOk = isMatch(kid, candidate.getKeyId());
    boolean ktyOk = isMatch(kty, candidate.getKeyType());
    boolean useOk = isMatch(use, candidate.getUse());
    boolean algOk = isMatch(alg, candidate.getAlgorithm());

    // [0] is the SHA-1 thumbprint, [1] the SHA-256 one, possibly derived from x5c.
    String[] thumbprints = getThumbs(candidate, allowThumbsFallbackDeriveFromX5c);
    boolean x5tOk = isMatch(x5t, thumbprints[0]);
    boolean x5tS256Ok = isMatch(x5tS256, thumbprints[1]);

    boolean crvOk = isMatch(crv, getCrv(candidate));
    // No key_ops criterion configured means any key_ops value is acceptable.
    boolean opsOk = keyOps == null || keyOps.meetsCriteria(candidate.getKeyOps());

    return kidOk & ktyOk & useOk & algOk & x5tOk & x5tS256Ok & crvOk & opsOk;
}
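/**
 * Selects the JWKs from {@code keys} that are candidates for verifying {@code jws}.
 *
 * <p>Selection proceeds in stages, each applied only while more than one key remains:
 * <ol>
 *   <li>the header-derived filter from
 *       {@link SelectorSupport#filterForInboundSigned(JsonWebSignature)} (kid, x5t /
 *       x5t#S256, kty, use, key_ops);</li>
 *   <li>the header's {@code alg} value against the keys' {@code alg} member
 *       ({@code OMITTED_OKAY});</li>
 *   <li>for EC keys with an ECDSA algorithm, the curve name against the keys' {@code crv}
 *       ({@code OMITTED_OKAY}).</li>
 * </ol>
 * Because stages 2 and 3 run only to break a tie, a single key matching stage 1 is
 * returned as-is even if its own {@code alg} or {@code crv} member disagrees with the
 * header. Whether the returned key actually verifies the signature is for the caller to
 * establish.
 *
 * <p>Robustness: the algorithm is cast to {@link EcdsaUsingShaAlgorithm} only after an
 * {@code instanceof} check, so a differently-typed algorithm registered under the EC key
 * type no longer raises a {@link ClassCastException}; in that case stage 3 is skipped.
 *
 * @param jws  the inbound JWS whose headers drive the selection
 * @param keys the candidate keys to choose from
 * @return the matching keys in their original order; possibly empty, possibly more than one
 * @throws JoseException if the filter cannot be derived from the JWS headers
 */
public List<JsonWebKey> selectList(JsonWebSignature jws, Collection<JsonWebKey> keys) throws JoseException
{
    SimpleJwkFilter filter = SelectorSupport.filterForInboundSigned(jws);
    List<JsonWebKey> filtered = filter.filter(keys);

    // Tie-break on the "alg" header only when the header-derived criteria were not decisive.
    if (hasMoreThanOne(filtered))
    {
        filter.setAlg(jws.getAlgorithmHeaderValue(), SimpleJwkFilter.OMITTED_OKAY);
        filtered = filter.filter(filtered);
    }

    // Second tie-break for EC keys: the curve implied by the ECDSA algorithm.
    if (hasMoreThanOne(filtered) && EllipticCurveJsonWebKey.KEY_TYPE.equals(jws.getKeyType()))
    {
        JsonWebSignatureAlgorithm algorithm = jws.getAlgorithmNoConstraintCheck();
        // Guarded cast: an EC key type does not by itself guarantee an ECDSA algorithm
        // implementation (custom registrations), and a ClassCastException here would be
        // an opaque failure rather than a selection result.
        if (algorithm instanceof EcdsaUsingShaAlgorithm)
        {
            EcdsaUsingShaAlgorithm ecdsaAlgorithm = (EcdsaUsingShaAlgorithm) algorithm;
            filter.setCrv(ecdsaAlgorithm.getCurveName(), SimpleJwkFilter.OMITTED_OKAY);
            filtered = filter.filter(filtered);
        }
    }

    // TODO: if more than one key still matches, further narrowing could be attempted;
    // it is unclear whether realistic key sets ever reach this point.
    return filtered;
}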
/**
 * Builds the key filter used when looking for a key to decrypt an inbound JWE.
 *
 * <p>Starts from the common inbound criteria (kid, x5t / x5t#S256, kty taken from the
 * JWE headers) and adds the encryption-specific ones: the key's {@code use} must be
 * {@code enc} and its {@code key_ops} must satisfy {@code DECRYPT_OPS}. Both are set with
 * {@code OMITTED_OKAY}, which — going by the flag name — means a key that omits the
 * attribute is still accepted.
 *
 * @param jwe the inbound JWE whose headers supply the criteria
 * @return a filter matching keys that may decrypt {@code jwe}
 * @throws JoseException propagated from the common inbound filter construction
 */
public static SimpleJwkFilter filterForInboundEncrypted(JsonWebEncryption jwe) throws JoseException
{
    SimpleJwkFilter encryptedFilter = commonFilterForInbound(jwe);
    // Decryption-specific narrowing on top of the shared header-derived criteria.
    encryptedFilter.setUse(Use.ENCRYPTION, SimpleJwkFilter.OMITTED_OKAY);
    encryptedFilter.setKeyOperations(DECRYPT_OPS, SimpleJwkFilter.OMITTED_OKAY);
    return encryptedFilter;
}