// "alg" as declared in the JWS header of the signed JWT; the header is read before
// the signature is checked, so this value is untrusted until verification succeeds.
final JWSAlgorithm alg = signedJwt.getHeader().getAlgorithm();
// "alg" as declared in the JWS header; taken from the (not yet verified) token.
final JWSAlgorithm alg = jws.getHeader().getAlgorithm();
// "alg" and "kid" are both mandatory: the public-key lookup is driven by them.
Preconditions.checkNotNull(jwsHeader.getAlgorithm());
Preconditions.checkNotNull(jwsHeader.getKeyID());
final String keyId = jwsHeader.getKeyID();
final String algName = jwsHeader.getAlgorithm().getName();
// NOTE(review): both values come from the unverified header; getKey is assumed to treat
// them as opaque lookup keys (e.g. a key-set entry), not as paths or commands — confirm.
ECPublicKey publicKey = getKey(keyId, algName);
String receivedSigAlg = jwtToken.getHeader().getAlgorithm().getName();
/**
 * Ensures the specified JWS signer supports the algorithm of this JWS
 * object.
 *
 * @param signer The JWS signer to check. Must not be {@code null}.
 *
 * @throws JOSEException If the JWS algorithm is not supported.
 */
private void ensureJWSSignerSupport(final JWSSigner signer) throws JOSEException {
    // Happy path first: the header's "alg" is among the signer's supported set.
    if (signer.supportedJWSAlgorithms().contains(getHeader().getAlgorithm())) {
        return;
    }
    final String message = "The \"" + getHeader().getAlgorithm()
        + "\" algorithm is not allowed or supported by the JWS signer: Supported algorithms: "
        + signer.supportedJWSAlgorithms();
    throw new JOSEException(message);
}
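/**
 * Rejects a JWS object whose header lacks a usable {@code alg} or has no {@code kid}.
 *
 * @param jwsObject The parsed JWS object. Must not be {@code null}.
 *
 * @throws MissingRequiredHeaderException If {@code alg} is absent or is {@code none},
 *         or if {@code kid} is absent.
 */
private void validateRequiredHeaders(JWSObject jwsObject) throws MissingRequiredHeaderException {
    // Algorithm.NONE is a distinct Algorithm instance; an algorithm parsed from a token
    // header is never the same object, so the former identity comparison (==) could not
    // match. Algorithm.equals() compares by name, so "none" is now actually rejected.
    if (jwsObject.getHeader().getAlgorithm() == null
        || Algorithm.NONE.equals(jwsObject.getHeader().getAlgorithm())) {
        throw new MissingRequiredHeaderException(Header.ALGORITHM);
    }
    // "kid" is required so that key selection is explicit rather than "try every key".
    if (jwsObject.getHeader().getKeyID() == null) {
        throw new MissingRequiredHeaderException(Header.KEY_ID);
    }
}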
/**
 * Signs the specified input with an HMAC.
 *
 * @param header       The JWS header; its {@code alg} selects the HMAC variant.
 * @param signingInput The input to sign.
 *
 * @return The Base64URL-encoded HMAC.
 *
 * @throws JOSEException If the secret is shorter than the algorithm's minimum
 *                       ({@link KeyLengthException}) or the HMAC cannot be computed.
 */
@Override
public Base64URL sign(final JWSHeader header, final byte[] signingInput) throws JOSEException {
    final JWSAlgorithm alg = header.getAlgorithm();
    final byte[] secret = getSecret();
    // The minimum secret length is expressed in bits; compare against the byte length.
    final int minRequiredLength = getMinRequiredSecretLength(alg);
    if (secret.length < ByteUtils.byteLength(minRequiredLength)) {
        throw new KeyLengthException("The secret length for " + alg + " must be at least " + minRequiredLength + " bits");
    }
    final String jcaAlg = getJCAAlgorithmName(alg);
    final byte[] hmac = HMAC.compute(jcaAlg, secret, signingInput, getJCAContext().getProvider());
    return Base64URL.encode(hmac);
}
}
/**
 * Creates a JWK matcher for the expected JWS algorithm and the
 * specified JWS header.
 *
 * @param jwsHeader The JWS header. Must not be {@code null}.
 *
 * @return The JWK matcher, {@code null} if none could be created.
 */
protected JWKMatcher createJWKMatcher(final JWSHeader jwsHeader) {
    // Only a header carrying the expected "alg" yields a matcher; any other
    // algorithm (including a valid but different one) gets no key candidates.
    final boolean algIsExpected = getExpectedJWSAlgorithm().equals(jwsHeader.getAlgorithm());
    return algIsExpected ? JWKMatcher.forJWSHeader(jwsHeader) : null;
}
/**
 * Selects the candidate verification keys for the specified JWS header.
 *
 * @param jwsHeader The JWS header. Must not be {@code null}.
 * @param context   Optional context, may be {@code null}.
 *
 * @return The candidate keys (public or secret keys only), empty if the
 *         header's {@code alg} is not the expected one or nothing matched.
 *
 * @throws KeySourceException If the JWK source cannot be queried.
 */
@Override
public List<Key> selectJWSKeys(final JWSHeader jwsHeader, final C context) throws KeySourceException {
    // Unexpected JWS alg -> no candidates at all.
    if (!jwsAlg.equals(jwsHeader.getAlgorithm())) {
        return Collections.emptyList();
    }
    final JWKMatcher matcher = createJWKMatcher(jwsHeader);
    if (matcher == null) {
        return Collections.emptyList();
    }
    final List<JWK> matchedJwks = getJWKSource().get(new JWKSelector(matcher), context);
    final List<Key> candidates = new LinkedList<>();
    for (final Key candidate : KeyConverter.toJavaKeys(matchedJwks)) {
        // Verification never needs an asymmetric private key; those are dropped.
        final boolean usableForVerify = candidate instanceof PublicKey || candidate instanceof SecretKey;
        if (usableForVerify) {
            candidates.add(candidate);
        }
    }
    return candidates;
}
}
/**
 * Signs the specified input with Ed25519.
 *
 * @param header       The JWS header; its {@code alg} must be {@code EdDSA}.
 * @param signingInput The input to sign.
 *
 * @return The Base64URL-encoded signature.
 *
 * @throws JOSEException If {@code alg} is not {@code EdDSA} or signing fails.
 */
@Override
public Base64URL sign(final JWSHeader header, final byte[] signingInput) throws JOSEException {
    // Only EdDSA is acceptable for this signer.
    if (!JWSAlgorithm.EdDSA.equals(header.getAlgorithm())) {
        throw new JOSEException("Ed25519Signer requires alg=EdDSA in JWSHeader");
    }
    try {
        final byte[] jwsSignature = tinkSigner.sign(signingInput);
        return Base64URL.encode(jwsSignature);
    } catch (GeneralSecurityException e) {
        throw new JOSEException(e.getMessage(), e);
    }
}
}
/**
 * Signs the specified input with the configured RSA private key.
 *
 * @param header       The JWS header; its {@code alg} selects the RSASSA variant.
 * @param signingInput The input to sign.
 *
 * @return The Base64URL-encoded signature.
 *
 * @throws JOSEException If the algorithm is unsupported, the key is invalid or
 *                       signing fails.
 */
@Override
public Base64URL sign(final JWSHeader header, final byte[] signingInput) throws JOSEException {
    final JWSAlgorithm alg = header.getAlgorithm();
    final Signature rsaSigner = RSASSA.getSignerAndVerifier(alg, getJCAContext().getProvider());
    final byte[] rawSignature;
    try {
        rsaSigner.initSign(privateKey);
        rsaSigner.update(signingInput);
        rawSignature = rsaSigner.sign();
    } catch (InvalidKeyException e) {
        throw new JOSEException("Invalid private RSA key: " + e.getMessage(), e);
    } catch (SignatureException e) {
        throw new JOSEException("RSA signature exception: " + e.getMessage(), e);
    }
    return Base64URL.encode(rawSignature);
}
}
/**
 * Verifies an RSASSA signature over the specified content.
 *
 * @param header        The JWS header; its {@code alg} selects the RSASSA variant.
 * @param signedContent The signed content.
 * @param signature     The signature to check.
 *
 * @return {@code true} if the signature is valid, {@code false} if it is not or
 *         the header carries critical parameters this verifier does not handle.
 *
 * @throws JOSEException If the algorithm is unsupported or the public key is invalid.
 */
@Override
public boolean verify(final JWSHeader header, final byte[] signedContent, final Base64URL signature) throws JOSEException {
    // Unhandled "crit" parameters mean the header cannot be accepted.
    if (!critPolicy.headerPasses(header)) {
        return false;
    }
    final Signature rsaVerifier = RSASSA.getSignerAndVerifier(header.getAlgorithm(), getJCAContext().getProvider());
    try {
        rsaVerifier.initVerify(publicKey);
    } catch (InvalidKeyException e) {
        throw new JOSEException("Invalid public RSA key: " + e.getMessage(), e);
    }
    // A malformed signature is a plain verification failure, not an error.
    boolean valid;
    try {
        rsaVerifier.update(signedContent);
        valid = rsaVerifier.verify(signature.decode());
    } catch (SignatureException e) {
        valid = false;
    }
    return valid;
}
}
/**
 * Signs the specified input with ECDSA and returns the JWS (R||S concatenated)
 * form of the signature.
 *
 * @param header       The JWS header; its {@code alg} selects the curve/hash.
 * @param signingInput The input to sign.
 *
 * @return The Base64URL-encoded R||S signature.
 *
 * @throws JOSEException If the algorithm is unsupported, the key is invalid or
 *                       signing fails.
 */
@Override
public Base64URL sign(final JWSHeader header, final byte[] signingInput) throws JOSEException {
    final JWSAlgorithm alg = header.getAlgorithm();
    if (!supportedJWSAlgorithms().contains(alg)) {
        throw new JOSEException(AlgorithmSupportMessage.unsupportedJWSAlgorithm(alg, supportedJWSAlgorithms()));
    }
    // JCA produces a DER-encoded SEQUENCE of two INTEGERs (R, S).
    final byte[] derSignature = produceDerSignature(alg, signingInput);
    // JWS requires the fixed-length R||S concatenation instead.
    final int rsByteArrayLength = ECDSA.getSignatureByteArrayLength(alg);
    final byte[] jwsSignature = ECDSA.transcodeSignatureToConcat(derSignature, rsByteArrayLength);
    return Base64URL.encode(jwsSignature);
}

// Runs the JCA signing operation for the given algorithm; wraps JCA failures in JOSEException.
private byte[] produceDerSignature(final JWSAlgorithm alg, final byte[] signingInput) throws JOSEException {
    try {
        final Signature dsa = ECDSA.getSignerAndVerifier(alg, getJCAContext().getProvider());
        dsa.initSign(privateKey, getJCAContext().getSecureRandom());
        dsa.update(signingInput);
        return dsa.sign();
    } catch (InvalidKeyException | SignatureException e) {
        throw new JOSEException(e.getMessage(), e);
    }
}
}
/**
 * Verifies an Ed25519 signature over the specified content.
 *
 * @param header        The JWS header; its {@code alg} must be {@code EdDSA}.
 * @param signedContent The signed content.
 * @param signature     The signature to check.
 *
 * @return {@code true} if the signature is valid, {@code false} if it is not or
 *         the header carries critical parameters this verifier does not handle.
 *
 * @throws JOSEException If {@code alg} is not {@code EdDSA}.
 */
@Override
public boolean verify(final JWSHeader header, final byte[] signedContent, final Base64URL signature) throws JOSEException {
    // Only EdDSA is acceptable for this verifier.
    if (!JWSAlgorithm.EdDSA.equals(header.getAlgorithm())) {
        throw new JOSEException("Ed25519Verifier requires alg=EdDSA in JWSHeader");
    }
    // Unhandled "crit" parameters mean the header cannot be accepted.
    if (!critPolicy.headerPasses(header)) {
        return false;
    }
    boolean valid;
    try {
        tinkVerifier.verify(signature.decode(), signedContent);
        valid = true;
    } catch (GeneralSecurityException e) {
        // Any verification error is reported as an invalid signature.
        valid = false;
    }
    return valid;
}
}
/**
 * Validates the given ID token and wraps it, together with its claims, in a
 * {@link UserPrincipal}.
 *
 * @param idToken The serialized ID token.
 *
 * @return The principal built from the validated token.
 *
 * @throws ParseException   If the token cannot be parsed.
 * @throws JOSEException    If signature processing fails.
 * @throws BadJOSEException If the token is rejected by the validator.
 */
public UserPrincipal buildUserPrincipal(String idToken) throws ParseException, JOSEException, BadJOSEException {
    final JWSObject jwsObject = JWSObject.parse(idToken);
    // NOTE(review): "alg" is taken from the token header before any signature check, so
    // it is attacker-controlled at this point; getAadJwtTokenValidator is assumed to pin
    // the verification keys and the accepted algorithm accordingly — confirm there.
    final JWSAlgorithm tokenAlg = jwsObject.getHeader().getAlgorithm();
    final ConfigurableJWTProcessor<SecurityContext> validator = getAadJwtTokenValidator(tokenAlg);
    final JWTClaimsSet claims = validator.process(idToken, null);
    validator.getJWTClaimsSetVerifier().verify(claims, null);
    return new UserPrincipal(jwsObject, claims);
}
/**
 * Validates the given ID token and wraps it, together with its claims, in a
 * {@link UserPrincipal}.
 *
 * @param idToken The serialized ID token.
 *
 * @return The principal built from the validated token.
 *
 * @throws ParseException   If the token cannot be parsed.
 * @throws JOSEException    If signature processing fails.
 * @throws BadJOSEException If the token is rejected by the validator.
 */
public UserPrincipal buildUserPrincipal(String idToken) throws ParseException, JOSEException, BadJOSEException {
    final JWSObject jwsObject = JWSObject.parse(idToken);
    // NOTE(review): "alg" is taken from the token header before any signature check, so
    // it is attacker-controlled at this point; getAadJwtTokenValidator is assumed to pin
    // the verification keys and the accepted algorithm accordingly — confirm there.
    final JWSAlgorithm tokenAlg = jwsObject.getHeader().getAlgorithm();
    final ConfigurableJWTProcessor<SecurityContext> validator = getAadJwtTokenValidator(tokenAlg);
    final JWTClaimsSet claims = validator.process(idToken, null);
    validator.getJWTClaimsSetVerifier().verify(claims, null);
    return new UserPrincipal(jwsObject, claims);
}
/**
 * Verifies an HMAC over the specified content.
 *
 * @param header        The JWS header; its {@code alg} selects the HMAC variant.
 * @param signedContent The signed content.
 * @param signature     The HMAC to check.
 *
 * @return {@code true} if the HMAC matches, {@code false} if it does not or the
 *         header carries critical parameters this verifier does not handle.
 *
 * @throws JOSEException If the HMAC cannot be computed.
 */
@Override
public boolean verify(final JWSHeader header, final byte[] signedContent, final Base64URL signature) throws JOSEException {
    // Unhandled "crit" parameters mean the header cannot be accepted.
    if (!critPolicy.headerPasses(header)) {
        return false;
    }
    final String jcaAlg = getJCAAlgorithmName(header.getAlgorithm());
    final byte[] expectedHMAC = HMAC.compute(jcaAlg, getSecret(), signedContent, getJCAContext().getProvider());
    final byte[] receivedHMAC = signature.decode();
    // Compared via ConstantTimeUtils so the comparison does not short-circuit on
    // the first differing byte.
    return ConstantTimeUtils.areEqual(expectedHMAC, receivedHMAC);
}
}
/**
 * Parses a compact JWS into an unverified view of its header algorithm, issuer,
 * subject and raw payload. No signature check is performed here.
 *
 * @param jwt The serialized JWS.
 *
 * @return The unverified JWT view.
 *
 * @throws JwtParseException If the JWS or its claims cannot be parsed.
 */
public SimpleUnverifiedJwt parse(String jwt) throws JwtParseException {
    final JWSObject jwsObject = parseJWSObject(jwt);
    final JWTClaimsSet claims;
    try {
        claims = JWTClaimsSet.parse(jwsObject.getPayload().toJSONObject());
    } catch (ParseException e) {
        throw new JwtParseException(e);
    }
    final String algName = jwsObject.getHeader().getAlgorithm().getName();
    final String rawPayload = jwsObject.getPayload().toString();
    return new SimpleUnverifiedJwt(algName, claims.getIssuer(), claims.getSubject(), rawPayload);
}
/**
 * Creates a new JWS header builder with the parameters from
 * the specified header.
 *
 * @param jwsHeader The JWS header to use. Must not be
 *                  {@code null}.
 */
public Builder(final JWSHeader jwsHeader) {
    // "alg" is the only mandatory parameter; everything else is copied as-is.
    this(jwsHeader.getAlgorithm());
    // Key references
    jku = jwsHeader.getJWKURL();
    jwk = jwsHeader.getJWK();
    kid = jwsHeader.getKeyID();
    // X.509 certificate references
    x5u = jwsHeader.getX509CertURL();
    x5t = jwsHeader.getX509CertThumbprint();
    x5t256 = jwsHeader.getX509CertSHA256Thumbprint();
    x5c = jwsHeader.getX509CertChain();
    // Type, content type and critical parameters
    typ = jwsHeader.getType();
    cty = jwsHeader.getContentType();
    crit = jwsHeader.getCriticalParams();
    // Any non-registered parameters
    customParams = jwsHeader.getCustomParams();
}
/**
 * Deep copy constructor.
 *
 * @param jwsHeader The JWS header to copy. Must not be {@code null}.
 */
public JWSHeader(final JWSHeader jwsHeader) {
    // Delegates to the full constructor, positionally, in its declared parameter order.
    this(jwsHeader.getAlgorithm(),                 // alg
         jwsHeader.getType(),                      // typ
         jwsHeader.getContentType(),               // cty
         jwsHeader.getCriticalParams(),            // crit
         jwsHeader.getJWKURL(),                    // jku
         jwsHeader.getJWK(),                       // jwk
         jwsHeader.getX509CertURL(),               // x5u
         jwsHeader.getX509CertThumbprint(),        // x5t
         jwsHeader.getX509CertSHA256Thumbprint(),  // x5t#S256
         jwsHeader.getX509CertChain(),             // x5c
         jwsHeader.getKeyID(),                     // kid
         jwsHeader.getCustomParams(),              // non-registered params
         jwsHeader.getParsedBase64URL());          // original encoding, if parsed
}