/**
 * Creates a new unsecured (plain) JSON Web Token (JWT) with a default
 * {@link com.nimbusds.jose.PlainHeader} and the specified claims
 * set.
 *
 * <p>"Unsecured" means the token carries neither a signature nor a MAC:
 * a recipient cannot verify who produced the claims, so this form is only
 * appropriate where integrity is guaranteed by the transport.
 *
 * @param claimsSet The JWT claims set. Must not be {@code null}.
 * @throws NullPointerException If {@code claimsSet} is {@code null}; it is
 *         dereferenced here via {@code toJSONObject()}.
 */
public PlainJWT(final JWTClaimsSet claimsSet) {
    // The claims travel as the JSON payload of the plain JOSE object.
    super(new Payload(claimsSet.toJSONObject()));
}
/**
 * Creates a new unsecured (plain) JSON Web Token (JWT) with the
 * specified header and claims set.
 *
 * <p>"Unsecured" means the token carries neither a signature nor a MAC;
 * the header is trusted as given and nothing about the claims can be
 * verified by a recipient.
 *
 * @param header    The unsecured header. Must not be {@code null}.
 * @param claimsSet The JWT claims set. Must not be {@code null}.
 * @throws NullPointerException If {@code claimsSet} is {@code null}; it is
 *         dereferenced here via {@code toJSONObject()}.
 */
public PlainJWT(final PlainHeader header, final JWTClaimsSet claimsSet) {
    // The claims travel as the JSON payload of the plain JOSE object.
    super(header, new Payload(claimsSet.toJSONObject()));
}
/**
 * Creates a new to-be-encrypted JSON Web Token (JWT) with the specified
 * header and claims set. The initial state will be
 * {@link com.nimbusds.jose.JWEObject.State#UNENCRYPTED unencrypted}.
 *
 * <p>The claims are serialised to JSON at construction time; they are only
 * protected once the caller encrypts this object.
 *
 * @param header    The JWE header. Must not be {@code null}.
 * @param claimsSet The JWT claims set. Must not be {@code null}.
 * @throws NullPointerException If {@code claimsSet} is {@code null}; it is
 *         dereferenced here via {@code toJSONObject()}.
 */
public EncryptedJWT(final JWEHeader header, final JWTClaimsSet claimsSet) {
    // The claims JSON becomes the (still plaintext) JWE payload.
    super(header, new Payload(claimsSet.toJSONObject()));
}
/**
 * Creates a new to-be-signed JSON Web Token (JWT) with the specified
 * header and claims set. The initial state will be
 * {@link com.nimbusds.jose.JWSObject.State#UNSIGNED unsigned}.
 *
 * <p>The claims are serialised to JSON at construction time; the object
 * carries no signature until the caller signs it.
 *
 * @param header    The JWS header. Must not be {@code null}.
 * @param claimsSet The JWT claims set. Must not be {@code null}.
 * @throws NullPointerException If {@code claimsSet} is {@code null}; it is
 *         dereferenced here via {@code toJSONObject()}.
 */
public SignedJWT(final JWSHeader header, final JWTClaimsSet claimsSet) {
    // The claims JSON becomes the JWS payload that will later be signed.
    super(header, new Payload(claimsSet.toJSONObject()));
}
/**
 * Encrypts {@code plain} as a compact-serialised JWE using direct symmetric
 * encryption ({@code alg=dir}, {@code enc=A128GCM}).
 *
 * @param plain the plaintext to protect
 * @param key   raw key bytes handed to {@link DirectEncrypter}; the encrypter
 *              validates the length against A128GCM, so the caller must supply
 *              a key of the matching size (confirm at the call site)
 * @return the JWE compact serialisation
 * @throws IllegalStateException wrapping any {@link JOSEException} raised while
 *         building the encrypter or encrypting the payload
 */
private String encrypt(String plain, byte[] key) {
    final JWEHeader jweHeader = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A128GCM).build();
    final JWEObject envelope = new JWEObject(jweHeader, new Payload(plain));
    try {
        // Key-length validation happens in the encrypter constructor, inside
        // the same try so it is reported like any other JOSE failure.
        final DirectEncrypter encrypter = new DirectEncrypter(key);
        envelope.encrypt(encrypter);
    } catch (JOSEException e) {
        throw new IllegalStateException(e);
    }
    return envelope.serialize();
}
/**
 * Builds an HS256 JWS whose payload is the given user and signs it with the
 * class-level shared secret.
 *
 * @param user the user object wrapped as the JWS payload
 * @return the signed JWS object (not yet serialised)
 * @throws JOSEException if the MAC signer cannot be created or signing fails
 */
public static JWSObject newJWSObject(JWTUser user) throws JOSEException {
    // NOTE(review): the MAC key is the constant JWT.SHARED_SECRET. Confirm it
    // is loaded from configuration rather than embedded in source, and that
    // it meets MACSigner's minimum key length for HS256 (the signer rejects
    // short secrets with a JOSEException subclass).
    final JWSSigner macSigner = new MACSigner(JWT.SHARED_SECRET);
    final JWSHeader hs256Header = new JWSHeader(JWSAlgorithm.HS256);
    final JWSObject signed = new JWSObject(hs256Header, new Payload(user));
    signed.sign(macSigner);
    return signed;
}
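/**
 * Builds a JWS payload holding a JWT claims set.
 *
 * @param aud              value of the {@code aud} claim
 * @param subject          value of the {@code sub} claim
 * @param expirationMillis token lifetime in milliseconds from now; must not be
 *                         {@code null}
 * @param claimMap         additional claims copied into the set verbatim;
 *                         {@code null} is treated as an empty map
 * @return a {@link Payload} wrapping the JSON form of the claims
 * @throws NullPointerException if {@code expirationMillis} is {@code null}
 */
protected Payload createPayload(String aud, String subject, Long expirationMillis, Map<String, Object> claimMap) {
    java.util.Objects.requireNonNull(expirationMillis, "expirationMillis");
    // Sample the clock once so "exp" and the LEMON_IAT claim agree exactly.
    final long now = System.currentTimeMillis();
    final JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder()
            .expirationTime(new Date(now + expirationMillis))
            .audience(aud)
            .subject(subject)
            .claim(LEMON_IAT, now);
    if (claimMap != null) {
        // Applied after the registered claims: an entry keyed "exp", "aud" or
        // "sub" replaces the value set above (the builder routes registered
        // names through claim() as well - confirm for the library version in
        // use). Callers must not pass untrusted maps unfiltered.
        claimMap.forEach(builder::claim);
    }
    return new Payload(builder.build().toJSONObject());
}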
/**
 * Generates a fresh random "main secret" for the user, stores it on the user
 * model as a JWE ({@code alg=dir}, {@code enc=A128GCM}) under
 * {@code secretAttrName}, and returns the plaintext to the caller.
 *
 * @param userModel                      user whose attribute receives the encrypted secret
 * @param secretAttrName                 name of the attribute written on the user model
 * @param secretEncryptionPasswordPBKDF2 raw key bytes for the direct encrypter; the
 *                                       encrypter validates the length against A128GCM,
 *                                       so confirm the caller derives a key of that size
 * @return the plaintext secret that was generated
 * @throws IllegalStateException wrapping any {@link JOSEException} from encryption
 */
private String generateUserMainSecret(UserModel userModel, String secretAttrName, byte[] secretEncryptionPasswordPBKDF2) {
    // NOTE(review): depending on the commons-lang3 version, the static
    // RandomStringUtils methods may be backed by a non-cryptographic
    // java.util.Random. This value is a secret, so confirm the generator in
    // use is SecureRandom-backed.
    final String plainSecret = RandomStringUtils.randomGraph(16);
    final JWEHeader jweHeader = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A128GCM).build();
    final JWEObject envelope = new JWEObject(jweHeader, new Payload(plainSecret));
    try {
        envelope.encrypt(new DirectEncrypter(secretEncryptionPasswordPBKDF2));
    } catch (JOSEException e) {
        throw new IllegalStateException(e);
    }
    // Persisted as a single-valued attribute holding the compact JWE.
    final String encryptedSecret = envelope.serialize();
    userModel.setAttribute(secretAttrName, Arrays.asList(encryptedSecret));
    return plainSecret;
}
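/**
 * Encrypts {@code data} into a JWE compact serialisation protected by a key
 * derived from {@code password}.
 *
 * @param data     plaintext bytes to protect
 * @param password secret from which {@code getSecretKey} derives the AES key
 *                 (the derivation is not visible here - confirm it is a proper
 *                 password-based KDF)
 * @return the serialised JWE wrapped in {@link EncryptedData}, or empty if key
 *         derivation or encryption failed (the failure is logged)
 */
@Override
public Optional<EncryptedData> encryptData(byte[] data, String password) {
    try {
        final Payload payload = new Payload(data);
        final SecretKey key = getSecretKey(password);
        final JWEObject jweObject = new JWEObject(new JWEHeader(ALGORITHM, METHOD), payload);
        jweObject.encrypt(new AESEncrypter(key.getEncoded()));
        // The compact serialisation is ASCII; name the charset so the stored
        // bytes do not depend on the platform default.
        final byte[] serialized = jweObject.serialize().getBytes(java.nio.charset.StandardCharsets.UTF_8);
        return Optional.of(new EncryptedData(serialized));
    } catch (GeneralSecurityException | JOSEException e) {
        // Pass the throwable as the dedicated trailing argument: bound to a
        // "{}" placeholder it is rendered as text and the stack trace is lost.
        log.error("Error encrypting data", e);
        return Optional.empty();
    }
}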
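/**
 * Encrypts {@code data} into a JWE compact serialisation protected by a key
 * derived from {@code password}.
 *
 * @param data     plaintext bytes to protect
 * @param password secret from which {@code getSecretKey} derives the AES key
 *                 (the derivation is not visible here - confirm it is a proper
 *                 password-based KDF)
 * @return the serialised JWE wrapped in {@link EncryptedData}, or empty if key
 *         derivation or encryption failed (the failure is logged)
 */
@Override
public Optional<EncryptedData> encryptData(byte[] data, String password) {
    try {
        final Payload payload = new Payload(data);
        final SecretKey key = getSecretKey(password);
        final JWEObject jweObject = new JWEObject(new JWEHeader(ALGORITHM, METHOD), payload);
        jweObject.encrypt(new AESEncrypter(key.getEncoded()));
        // The compact serialisation is ASCII; name the charset so the stored
        // bytes do not depend on the platform default.
        final byte[] serialized = jweObject.serialize().getBytes(java.nio.charset.StandardCharsets.UTF_8);
        return Optional.of(new EncryptedData(serialized));
    } catch (GeneralSecurityException | JOSEException e) {
        // Pass the throwable as the dedicated trailing argument: bound to a
        // "{}" placeholder it is rendered as text and the stack trace is lost.
        log.error("Error encrypting data", e);
        return Optional.empty();
    }
}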
/**
 * Wraps {@code payload} in a JWS carrying the configured algorithm and a
 * {@code typ} of {@code JWT}, and signs it with the configured signer.
 *
 * @param payload the serialised content to sign
 * @return the signed JWS object
 * @throws JwtSigningException wrapping any {@link JOSEException} from signing
 */
JWSObject generateJwsObject(String payload) {
    final JWSHeader.Builder headerBuilder = new JWSHeader.Builder(algorithm);
    headerBuilder.type(new JOSEObjectType(JWT));
    final JWSObject jws = new JWSObject(headerBuilder.build(), new Payload(payload));
    try {
        jws.sign(signer);
    } catch (JOSEException e) {
        throw new JwtSigningException(e);
    }
    return jws;
}
}
/**
 * Wraps {@code payload} in a JWS carrying the configured algorithm and a
 * {@code typ} of {@code JWT}, and signs it with the configured signer.
 *
 * @param payload the serialised content to sign
 * @return the signed JWS object
 * @throws JwtSigningException wrapping any {@link JOSEException} from signing
 */
@VisibleForTesting
JWSObject generateJwsObject(String payload) {
    final JWSHeader.Builder headerBuilder = new JWSHeader.Builder(algorithm);
    headerBuilder.type(new JOSEObjectType(JWT));
    final JWSObject jws = new JWSObject(headerBuilder.build(), new Payload(payload));
    try {
        jws.sign(signer);
    } catch (JOSEException e) {
        throw new JwtSigningException(e);
    }
    return jws;
}
}
/**
 * Encrypts {@code plainText} with the configured JWE header and encrypter and
 * returns the compact serialisation.
 *
 * @param plainText the text to protect
 * @return the JWE compact serialisation
 * @throws EncryptionException wrapping any {@link JOSEException} from encryption
 */
public String encrypt(String plainText) {
    final JWEObject envelope = new JWEObject(header, new Payload(plainText));
    try {
        envelope.encrypt(jweEncrypter);
    } catch (JOSEException e) {
        throw new EncryptionException(e);
    }
    return envelope.serialize();
}
}
/**
 * Produces a nested JWT: the claims are signed with an HMAC under
 * {@code HEADER}, then the signed JWT becomes the payload of a
 * direct-encryption JWE under {@code JWE_HEADER}, which is compact-serialised.
 *
 * @param claimsSet the claims to sign and encrypt
 * @param key       raw key bytes used for BOTH the {@link MACSigner} and the
 *                  {@link DirectEncrypter}
 * @return the JWE compact serialisation
 * @throws IllegalStateException wrapping any {@link JOSEException}
 */
public static String serialize(JWTClaimsSet claimsSet, byte[] key) {
    // NOTE(review): one key serves two primitives (HMAC and AES content
    // encryption). Reusing a key across algorithms is discouraged; any change
    // here needs the matching change on whatever parses this format.
    try {
        final JWSSigner macSigner = new MACSigner(key);
        final SignedJWT inner = new SignedJWT(HEADER, claimsSet);
        inner.sign(macSigner);
        final JWEObject outer = new JWEObject(JWE_HEADER, new Payload(inner));
        outer.encrypt(new DirectEncrypter(key));
        return outer.serialize();
    } catch (JOSEException e) {
        throw new IllegalStateException(e);
    }
}
/**
 * Signs the claims with the internal key and, unless the token is internal-only
 * or both keys coincide, wraps the inner token in an outer JWT signed with the
 * external key.
 *
 * @param internalOnly   whether the token is only ever used internally
 * @param claimsSet      the claims to sign
 * @param internalKey    key for the inner signature
 * @param externalKey    key for the outer signature; may be {@code null}
 * @param isRefreshToken forwarded to {@code signJWT}
 * @return the inner token when no wrapping is needed, otherwise the wrapped token
 */
public String sign(final boolean internalOnly, final JWTClaimsSet claimsSet, final ActivableAndExpirable internalKey, final ActivableAndExpirable externalKey, final boolean isRefreshToken) {
    final ProfileOAuth2 oauthProfile = this.profile.getProfile();
    final Payload innerPayload = new Payload(claimsSet.toJSONObject());
    final String innerToken = super.signJWT(innerPayload, oauthProfile.getInternalKeyAlgorithm(), internalKey, isRefreshToken, Jwt.CTY.DEFAULT.getValue());
    // No need to wrap if both keys are equal - the case for internal clients
    // that set both to the internal key. The JWT algorithm rejects the token
    // if it is used to get in, as the internal key is not among the
    // permitted keys.
    final boolean wrapNotNeeded = internalOnly || externalKey == null || internalKey.equals(externalKey);
    if (wrapNotNeeded) {
        LOGGER.fine(Oauth2Codes.PLAIN_INNER_TOKEN_2, "Return plain inner token with JTI {0}, internal-key={1}, external-key={2}", claimsSet.getJWTID(), internalKey, externalKey);
        return innerToken;
    }
    final Payload wrappedPayload = new Payload(Base64URL.encode(innerToken));
    return super.signJWT(wrappedPayload, oauthProfile.getExternalKeyAlgorithm(), externalKey, isRefreshToken, Jwt.CTY.WRAPPED.getValue());
}
}
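/**
 * Issues an HS256-signed JWT for {@code userId} with issuer, issue/not-before
 * time, expiry and a random JWT ID.
 *
 * @param userId subject of the token; its {@code toString()} becomes {@code sub}
 * @return the JWS compact serialisation, or {@code null} if signing failed
 *         (kept for callers that test for {@code null})
 * @throws NullPointerException if {@code userId} is {@code null}
 */
default String createToken(Object userId) {
    java.util.Objects.requireNonNull(userId, "userId");
    // One clock sample so iat, nbf and exp are mutually consistent.
    final Date now = new Date();
    final JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .issuer(getIssuer())
            .subject(userId.toString())
            .issueTime(now)
            .notBeforeTime(now)
            .expirationTime(new Date(now.getTime() + getExpirationDate()))
            .jwtID(UUID.randomUUID().toString())
            .build();
    final JWSObject jws = new JWSObject(new JWSHeader(JWSAlgorithm.HS256), new Payload(claims.toJSONObject()));
    try {
        // MACSigner rejects secrets below its HS256 minimum with a
        // JOSEException subclass; that case also ends up here.
        jws.sign(new MACSigner(getSharedKey()));
    } catch (JOSEException ex) {
        // Original contract: a signing failure yields null rather than an
        // exception. No logger is available on this interface to record it.
        return null;
    }
    return jws.serialize();
}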
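/**
 * Serialises an identity reference as a nested JWT: an HS256-signed JWT with
 * {@code sub}/{@code iss} taken from the reference, wrapped in a direct
 * A256GCM JWE, then Base64-encoded as a whole.
 *
 * @param reference the identity to encode
 * @return Base64 of the JWE compact serialisation
 * @throws Exception any {@link JOSEException} from signing or encryption
 */
public String serialize(IdentityReference reference) throws Exception {
    final byte[] keyBytes = secretKey.getEncoded();
    // NOTE(review): the same raw key is both the HS256 MAC key and the direct
    // A256GCM content-encryption key. Reusing one key across two primitives
    // is discouraged; the reader of this format must use the same key for
    // both, so a change here needs a matching change on the verifier.
    final JWSSigner signer = new MACSigner(keyBytes);
    final JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
            .subject(reference.getReference())
            .issuer(reference.getSource())
            .build();
    final SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claimsSet);
    signedJWT.sign(signer);
    final JWEHeader jweHeader = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
            .contentType("JWT") // required to signal nested JWT
            .build();
    final JWEObject jweObject = new JWEObject(jweHeader, new Payload(signedJWT));
    jweObject.encrypt(new DirectEncrypter(keyBytes));
    // The compact serialisation is ASCII; use an explicit charset instead of
    // the platform default and let the encoder produce the String directly.
    final byte[] compact = jweObject.serialize().getBytes(java.nio.charset.StandardCharsets.US_ASCII);
    return Base64.getEncoder().encodeToString(compact);
}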
/**
 * Encrypts {@code rawSecret} for the given JWK using the encrypter and header
 * selected for that key, and returns the JWE compact serialisation.
 *
 * @param jwk       the recipient key
 * @param rawSecret the secret to protect
 * @return the JWE compact serialisation
 * @throws SecretEncryptionException wrapping any {@link JOSEException} from
 *         header construction or encryption
 */
public String encrypt(JWK jwk, String rawSecret) throws SecretEncryptionException {
    final JWEEncrypter encrypter = JWEEncryptedSelector.getEncrypter(jwk, null, null);
    final Payload payload = new Payload(rawSecret);
    // JWE encrypt secret; getHeader stays inside the try as in the original.
    final JWEObject envelope;
    try {
        envelope = new JWEObject(getHeader(jwk), payload);
        envelope.encrypt(encrypter);
    } catch (JOSEException e) {
        throw new SecretEncryptionException(e);
    }
    return envelope.serialize();
}
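/**
 * Signs the claims with the internal key and, unless the client is
 * internal-only or both keys coincide, embeds the inner token in the
 * {@code tag-internal} claim and signs the whole set again with the external key.
 *
 * @param internalOnlyClient whether the client only uses internal tokens
 * @param claimsSet          the claims to sign; its {@code tag-internal} claim
 *                           is mutated when an outer token is produced
 * @param internalKey        key for the inner signature
 * @param externalKey        key for the outer signature; may be {@code null}
 * @param isRefreshToken     forwarded to {@code signJWT}
 * @return the inner token when no outer token is needed, otherwise the outer token
 * @throws NullPointerException if an outer token is needed and the claims set
 *         has no {@code tag-internal} claim
 */
public String sign(final boolean internalOnlyClient, final JWTClaimsSet claimsSet, final ActivableAndExpirable internalKey, final ActivableAndExpirable externalKey, final boolean isRefreshToken) {
    final ProfileMetaData.ProfileOAuth2 profile = this.profile.getProfile();
    final String inner = super.signJWT(new Payload(claimsSet.toJSONObject()), profile.getInternalKeyAlgorithm(), internalKey, isRefreshToken, Jwt.CTY.DEFAULT.getValue());
    // No need to wrap if both keys are equal - the case for internal clients
    // that set both to the internal key. The JWT algorithm rejects the token
    // if it is used to get in, as the internal key is not among the
    // permitted keys.
    if (internalOnlyClient || externalKey == null || internalKey.equals(externalKey)) {
        LOGGER.fine(Oauth2Codes.PLAIN_INNER_TOKEN_1, "Return plain inner token with JTI {0}, internal-private-key={1}, external-private-key={2}", claimsSet.getJWTID(), internalKey, externalKey);
        return inner;
    }
    // Add the inner token as a claim in the tag-internal section. This
    // mutates the nested object obtained from the caller's claims set and
    // relies on the second toJSONObject() seeing that mutation (getClaim
    // returning the live nested object) - confirm for the claims-set
    // implementation in use. A missing section previously surfaced as a bare
    // NPE; fail with a message that names the cause instead.
    final JSONObject tagInternal = java.util.Objects.requireNonNull(
            (JSONObject) claimsSet.getClaim("tag-internal"),
            "claims set has no \"tag-internal\" section to embed the inner token");
    tagInternal.put("inner-jwt", inner);
    return super.signJWT(new Payload(claimsSet.toJSONObject()), profile.getExternalKeyAlgorithm(), externalKey, isRefreshToken, Jwt.CTY.EMBEDDED.getValue());
}
}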
/**
 * Builds a JWS from the given JWT's header algorithm, key id and claims, and
 * signs it with the supplied private key.
 *
 * @param jwt        source of the algorithm, key id and claims
 * @param privateKey signing key handed to {@code getSigner}
 * @return the signed JWS object
 * @throws UnsupportedAlgorithmException from {@code getSigner} for unsupported algorithms
 * @throws SigningException if the JOSE signing step fails (the cause is logged)
 */
@VisibleForTesting
JWSObject getSignedJwsObject(Jwt jwt, PrivateKey privateKey) throws UnsupportedAlgorithmException {
    final SigningAlgorithm signingAlgorithm = jwt.getHeader().getAlgorithm();
    // The original notes this "fails if algorithm is None": presumably the
    // header builder rejecting the unsecured "none" algorithm - confirm the
    // enum constant's name() maps onto the value the builder checks.
    final JWSHeader jwsHeader = new JWSHeader.Builder(JWSAlgorithm.parse(signingAlgorithm.name()))
            .keyID(jwt.getHeader().getKeyId())
            .build();
    final JWSObject jwsObject = new JWSObject(jwsHeader, new Payload(toJsonPayload(jwt.getClaims())));
    try {
        jwsObject.sign(getSigner(signingAlgorithm, privateKey));
    } catch (JOSEException e) {
        // NOTE(review): the cause is logged but not attached to the thrown
        // exception; if SigningException has a cause-taking constructor,
        // chaining e would keep the stack trace for callers.
        logger.error("Unexpected error when signing JWT token", e);
        throw new SigningException();
    }
    return jwsObject;
}