io.jsonwebtoken.security.SignatureException Java Examples

@Override
public boolean isValid(byte[] data, byte[] signature) {
    Signature sig = createSignatureInstance();
    PublicKey publicKey = (PublicKey) key;
    try {
        int expectedSize = getSignatureByteArrayLength(alg);
        /**
         *
         * If the expected size is not valid for JOSE, fall back to ASN.1 DER signature.
         * This fallback is for backwards compatibility ONLY (to support tokens generated by previous versions of jjwt)
         * and backwards compatibility will possibly be removed in a future version of this library.
         *
         * **/
        byte[] derSignature = expectedSize != signature.length && signature[0] == 0x30 ? signature : EllipticCurveProvider.transcodeSignatureToDER(signature);
        return doVerify(sig, publicKey, data, derSignature);
    } catch (Exception e) {
        String msg = "Unable to verify Elliptic Curve signature using configured ECPublicKey. " + e.getMessage();
        throw new SignatureException(msg, e);
    }
}
 

@Override
public boolean isValid(byte[] data, byte[] signature) {
    if (key instanceof PublicKey) {
        Signature sig = createSignatureInstance();
        PublicKey publicKey = (PublicKey) key;
        try {
            return doVerify(sig, publicKey, data, signature);
        } catch (Exception e) {
            String msg = "Unable to verify RSA signature using configured PublicKey. " + e.getMessage();
            throw new SignatureException(msg, e);
        }
    } else {
        Assert.notNull(this.SIGNER, "RSA Signer instance cannot be null.  This is a bug.  Please report it.");
        byte[] computed = this.SIGNER.sign(data);
        return MessageDigest.isEqual(computed, signature);
    }
}
 

/**
 * 从token中获取claim
 *
 * @param token token
 * @return claim
 */
public Claims getClaimsFromToken(String token) {
    try {
        return Jwts.parser()
                .setSigningKey(this.reactiveLightSecurityProperties.getJwt().getSecret().getBytes())
                .parseClaimsJws(token)
                .getBody();

    } catch (ExpiredJwtException | UnsupportedJwtException | MalformedJwtException | SignatureException | IllegalArgumentException e) {
        log.error("token解析错误", e);
        throw new LightSecurityException(HttpStatus.UNAUTHORIZED, "Token invalided.", e);
    }
}
 

protected Signature createSignatureInstance() {
    try {
        return getSignatureInstance();
    } catch (NoSuchAlgorithmException e) {
        String msg = "Unavailable " + alg.getFamilyName() + " Signature algorithm '" + alg.getJcaName() + "'.";
        if (!alg.isJdkStandard() && !isBouncyCastleAvailable()) {
            msg += " This is not a standard JDK algorithm. Try including BouncyCastle in the runtime classpath.";
        }
        throw new SignatureException(msg, e);
    }
}
 

protected byte[] doSign(byte[] data) throws InvalidKeyException, java.security.SignatureException, JwtException {
    PrivateKey privateKey = (PrivateKey)key;
    Signature sig = createSignatureInstance();
    sig.initSign(privateKey);
    sig.update(data);
    return transcodeSignatureToConcat(sig.sign(), getSignatureByteArrayLength(alg));
}
 

protected byte[] doSign(byte[] data) throws InvalidKeyException, java.security.SignatureException {
    PrivateKey privateKey = (PrivateKey)key;
    Signature sig = createSignatureInstance();
    sig.initSign(privateKey);
    sig.update(data);
    return sig.sign();
}
 

protected void setParameter(Signature sig, PSSParameterSpec spec) {
    try {
        doSetParameter(sig, spec);
    } catch (InvalidAlgorithmParameterException e) {
        String msg = "Unsupported RSASSA-PSS parameter '" + spec + "': " + e.getMessage();
        throw new SignatureException(msg, e);
    }
}
 

/**
 * 从token中获取claim
 *
 * @param token token
 * @return claim
 */
public Claims getClaimsFromToken(String token) {
    try {
        return Jwts.parser()
                .setSigningKey(this.lightSecurityProperties.getJwt().getSecret().getBytes())
                .parseClaimsJws(token)
                .getBody();

    } catch (ExpiredJwtException | UnsupportedJwtException | MalformedJwtException | SignatureException | IllegalArgumentException e) {
        log.error("token解析错误", e);
        throw new LightSecurityException("Token invalided.", e);
    }
}
 

private SignatureAlgorithm getPublicKeyAlgType(ServiceConfiguration conf) throws IllegalArgumentException {
    if (conf.getProperty(CONF_TOKEN_PUBLIC_ALG) != null
            && StringUtils.isNotBlank((String) conf.getProperty(CONF_TOKEN_PUBLIC_ALG))) {
        String alg = (String) conf.getProperty(CONF_TOKEN_PUBLIC_ALG);
        try {
            return SignatureAlgorithm.forName(alg);
        } catch (SignatureException ex) {
            throw new IllegalArgumentException("invalid algorithm provided " + alg, ex);
        }
    } else {
        return SignatureAlgorithm.RS256;
    }
}
 

@Override
public Jwt parse(String jwt) throws ExpiredJwtException, MalformedJwtException, SignatureException, IllegalArgumentException {
    return this.jwtParser.parse(jwt);
}
 

@Override
public <T> T parse(String jwt, JwtHandler<T> handler) throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException {
    return this.jwtParser.parse(jwt, handler);
}
 

@Override
public Jwt<Header, String> parsePlaintextJwt(String plaintextJwt) throws UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException {
    return this.jwtParser.parsePlaintextJwt(plaintextJwt);
}
 

@Override
public Jwt<Header, Claims> parseClaimsJwt(String claimsJwt) throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException {
    return this.jwtParser.parseClaimsJwt(claimsJwt);
}
 

@Override
public Jws<String> parsePlaintextJws(String plaintextJws) throws UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException {
    return this.jwtParser.parsePlaintextJws(plaintextJws);
}
 

@Override
public Jws<Claims> parseClaimsJws(String claimsJws) throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException {
    return this.jwtParser.parseClaimsJws(claimsJws);
}
 

protected boolean doVerify(Signature sig, PublicKey publicKey, byte[] data, byte[] signature)
    throws InvalidKeyException, java.security.SignatureException {
    sig.initVerify(publicKey);
    sig.update(data);
    return sig.verify(signature);
}
 

protected boolean doVerify(Signature sig, PublicKey publicKey, byte[] data, byte[] signature)
    throws InvalidKeyException, java.security.SignatureException {
    sig.initVerify(publicKey);
    sig.update(data);
    return sig.verify(signature);
}
 

/**
 * Parses the specified compact serialized JWT string based on the builder's current configuration state and
 * returns
 * the resulting unsigned plaintext JWT instance.
 * <p>
 * <p>This is a convenience method that is usable if you are confident that the compact string argument reflects an
 * unsigned Claims JWT. An unsigned Claims JWT has a {@link Claims} body and it is not cryptographically
 * signed.</p>
 * <p>
 * <p><b>If the compact string presented does not reflect an unsigned Claims JWT, an
 * {@link UnsupportedJwtException} will be thrown.</b></p>
 *
 * @param claimsJwt a compact serialized unsigned Claims JWT string.
 * @return the {@link Jwt Jwt} instance that reflects the specified compact JWT string.
 * @throws UnsupportedJwtException  if the {@code claimsJwt} argument does not represent an unsigned Claims JWT
 * @throws MalformedJwtException    if the {@code claimsJwt} string is not a valid JWT
 * @throws SignatureException       if the {@code claimsJwt} string is actually a JWS and signature validation
 *                                  fails
 * @throws ExpiredJwtException      if the specified JWT is a Claims JWT and the Claims has an expiration time
 *                                  before the time this method is invoked.
 * @throws IllegalArgumentException if the {@code claimsJwt} string is {@code null} or empty or only whitespace
 * @see #parsePlaintextJwt(String)
 * @see #parsePlaintextJws(String)
 * @see #parseClaimsJws(String)
 * @see #parse(String, JwtHandler)
 * @see #parse(String)
 * @since 0.2
 */
Jwt<Header, Claims> parseClaimsJwt(String claimsJwt)
    throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
 

/**
 * Parses the specified compact serialized JWT string based on the builder's current configuration state and
 * returns the resulting JWT or JWS instance.
 * <p>
 * <p>This method returns a JWT or JWS based on the parsed string.  Because it may be cumbersome to determine if it
 * is a JWT or JWS, or if the body/payload is a Claims or String with {@code instanceof} checks, the
 * {@link #parse(String, JwtHandler) parse(String,JwtHandler)} method allows for a type-safe callback approach that
 * may help reduce code or instanceof checks.</p>
 *
 * @param jwt the compact serialized JWT to parse
 * @return the specified compact serialized JWT string based on the builder's current configuration state.
 * @throws MalformedJwtException    if the specified JWT was incorrectly constructed (and therefore invalid).
 *                                  Invalid
 *                                  JWTs should not be trusted and should be discarded.
 * @throws SignatureException       if a JWS signature was discovered, but could not be verified.  JWTs that fail
 *                                  signature validation should not be trusted and should be discarded.
 * @throws ExpiredJwtException      if the specified JWT is a Claims JWT and the Claims has an expiration time
 *                                  before the time this method is invoked.
 * @throws IllegalArgumentException if the specified string is {@code null} or empty or only whitespace.
 * @see #parse(String, JwtHandler)
 * @see #parsePlaintextJwt(String)
 * @see #parseClaimsJwt(String)
 * @see #parsePlaintextJws(String)
 * @see #parseClaimsJws(String)
 */
Jwt parse(String jwt) throws ExpiredJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
 

/**
 * Parses the specified compact serialized JWT string based on the builder's current configuration state and
 * invokes the specified {@code handler} with the resulting JWT or JWS instance.
 * <p>
 * <p>If you are confident of the format of the JWT before parsing, you can create an anonymous subclass using the
 * {@link io.jsonwebtoken.JwtHandlerAdapter JwtHandlerAdapter} and override only the methods you know are relevant
 * for your use case(s), for example:</p>
 * <p>
 * <pre>
 * String compactJwt = request.getParameter("jwt"); //we are confident this is a signed JWS
 *
 * String subject = Jwts.parser().setSigningKey(key).parse(compactJwt, new JwtHandlerAdapter&lt;String&gt;() {
 *     &#64;Override
 *     public String onClaimsJws(Jws&lt;Claims&gt; jws) {
 *         return jws.getBody().getSubject();
 *     }
 * });
 * </pre>
 * <p>
 * <p>If you know the JWT string can be only one type of JWT, then it is even easier to invoke one of the
 * following convenience methods instead of this one:</p>
 * <p>
 * <ul>
 * <li>{@link #parsePlaintextJwt(String)}</li>
 * <li>{@link #parseClaimsJwt(String)}</li>
 * <li>{@link #parsePlaintextJws(String)}</li>
 * <li>{@link #parseClaimsJws(String)}</li>
 * </ul>
 *
 * @param jwt the compact serialized JWT to parse
 * @return the result returned by the {@code JwtHandler}
 * @throws MalformedJwtException    if the specified JWT was incorrectly constructed (and therefore invalid).
 *                                  Invalid JWTs should not be trusted and should be discarded.
 * @throws SignatureException       if a JWS signature was discovered, but could not be verified.  JWTs that fail
 *                                  signature validation should not be trusted and should be discarded.
 * @throws ExpiredJwtException      if the specified JWT is a Claims JWT and the Claims has an expiration time
 *                                  before the time this method is invoked.
 * @throws IllegalArgumentException if the specified string is {@code null} or empty or only whitespace, or if the
 *                                  {@code handler} is {@code null}.
 * @see #parsePlaintextJwt(String)
 * @see #parseClaimsJwt(String)
 * @see #parsePlaintextJws(String)
 * @see #parseClaimsJws(String)
 * @see #parse(String)
 * @since 0.2
 */
<T> T parse(String jwt, JwtHandler<T> handler)
    throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
 

/**
 * Parses the specified compact serialized JWT string based on the builder's current configuration state and
 * returns
 * the resulting unsigned plaintext JWT instance.
 * <p>
 * <p>This is a convenience method that is usable if you are confident that the compact string argument reflects an
 * unsigned plaintext JWT. An unsigned plaintext JWT has a String (non-JSON) body payload and it is not
 * cryptographically signed.</p>
 * <p>
 * <p><b>If the compact string presented does not reflect an unsigned plaintext JWT with non-JSON string body,
 * an {@link UnsupportedJwtException} will be thrown.</b></p>
 *
 * @param plaintextJwt a compact serialized unsigned plaintext JWT string.
 * @return the {@link Jwt Jwt} instance that reflects the specified compact JWT string.
 * @throws UnsupportedJwtException  if the {@code plaintextJwt} argument does not represent an unsigned plaintext
 *                                  JWT
 * @throws MalformedJwtException    if the {@code plaintextJwt} string is not a valid JWT
 * @throws SignatureException       if the {@code plaintextJwt} string is actually a JWS and signature validation
 *                                  fails
 * @throws IllegalArgumentException if the {@code plaintextJwt} string is {@code null} or empty or only whitespace
 * @see #parseClaimsJwt(String)
 * @see #parsePlaintextJws(String)
 * @see #parseClaimsJws(String)
 * @see #parse(String, JwtHandler)
 * @see #parse(String)
 * @since 0.2
 */
Jwt<Header, String> parsePlaintextJwt(String plaintextJwt)
    throws UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
 

/**
 * Parses the specified compact serialized JWS string based on the builder's current configuration state and
 * returns
 * the resulting plaintext JWS instance.
 * <p>
 * <p>This is a convenience method that is usable if you are confident that the compact string argument reflects a
 * plaintext JWS. A plaintext JWS is a JWT with a String (non-JSON) body (payload) that has been
 * cryptographically signed.</p>
 * <p>
 * <p><b>If the compact string presented does not reflect a plaintext JWS, an {@link UnsupportedJwtException}
 * will be thrown.</b></p>
 *
 * @param plaintextJws a compact serialized JWS string.
 * @return the {@link Jws Jws} instance that reflects the specified compact JWS string.
 * @throws UnsupportedJwtException  if the {@code plaintextJws} argument does not represent an plaintext JWS
 * @throws MalformedJwtException    if the {@code plaintextJws} string is not a valid JWS
 * @throws SignatureException       if the {@code plaintextJws} JWS signature validation fails
 * @throws IllegalArgumentException if the {@code plaintextJws} string is {@code null} or empty or only whitespace
 * @see #parsePlaintextJwt(String)
 * @see #parseClaimsJwt(String)
 * @see #parseClaimsJws(String)
 * @see #parse(String, JwtHandler)
 * @see #parse(String)
 * @since 0.2
 */
Jws<String> parsePlaintextJws(String plaintextJws)
    throws UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
 

/**
 * Parses the specified compact serialized JWS string based on the builder's current configuration state and
 * returns
 * the resulting Claims JWS instance.
 * <p>
 * <p>This is a convenience method that is usable if you are confident that the compact string argument reflects a
 * Claims JWS. A Claims JWS is a JWT with a {@link Claims} body that has been cryptographically signed.</p>
 * <p>
 * <p><b>If the compact string presented does not reflect a Claims JWS, an {@link UnsupportedJwtException} will be
 * thrown.</b></p>
 *
 * @param claimsJws a compact serialized Claims JWS string.
 * @return the {@link Jws Jws} instance that reflects the specified compact Claims JWS string.
 * @throws UnsupportedJwtException  if the {@code claimsJws} argument does not represent an Claims JWS
 * @throws MalformedJwtException    if the {@code claimsJws} string is not a valid JWS
 * @throws SignatureException       if the {@code claimsJws} JWS signature validation fails
 * @throws ExpiredJwtException      if the specified JWT is a Claims JWT and the Claims has an expiration time
 *                                  before the time this method is invoked.
 * @throws IllegalArgumentException if the {@code claimsJws} string is {@code null} or empty or only whitespace
 * @see #parsePlaintextJwt(String)
 * @see #parseClaimsJwt(String)
 * @see #parsePlaintextJws(String)
 * @see #parse(String, JwtHandler)
 * @see #parse(String)
 * @since 0.2
 */
Jws<Claims> parseClaimsJws(String claimsJws)
    throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
 

byte[] sign(byte[] data) throws SignatureException;