Java Code Examples for org.apache.cxf.rs.security.jose.jwk.JsonWebKeys#getKey()
The following examples show how to use
org.apache.cxf.rs.security.jose.jwk.JsonWebKeys#getKey() .
Example 1
Source File: ApacheCXFConsumer.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Verifies a compact-serialized JWS against a key set and checks its payload.
 *
 * <p>The key is selected through the {@code kid} header and the verifier is built
 * with the algorithm named in the same header. Every step is asserted, so a missing
 * header, an unknown key, a bad signature or an unexpected payload fails the caller.
 *
 * @param signedData the compact JWS to verify
 * @param plainText the payload the JWS is expected to carry
 * @param keys the key set searched for the key named by the {@code kid} header
 */
protected void consumeCompactJWS(String signedData, String plainText, JsonWebKeys keys) {
    final JwsCompactConsumer compactConsumer = new JwsCompactConsumer(signedData);

    // Step 1: the kid is read from a header that has not been verified yet. It is
    // used only as a lookup hint into the caller-supplied key set (needed when the
    // key is not known in advance).
    final String keyId = compactConsumer.getJwsHeaders().getKeyId();
    Assert.assertNotNull("Data does not contain kid header.", keyId);

    // Step 2: only keys present in the supplied set can be selected.
    final JsonWebKey verificationKey = keys.getKey(keyId);
    Assert.assertNotNull("Data signed with unknown key", verificationKey);

    // Step 3: the algorithm is also taken from the unverified header.
    // NOTE(review): outside of a demo, compare it with an allow-list or with the
    // algorithm the selected key is meant for. Whether getSignatureVerifier rejects
    // an algorithm that does not fit the key type is not visible here - confirm.
    final SignatureAlgorithm headerAlgorithm =
        compactConsumer.getJwsHeaders().getSignatureAlgorithm();
    Assert.assertNotNull("Signed data does not define algorithm used", headerAlgorithm);

    final JwsSignatureVerifier verifier =
        JwsUtils.getSignatureVerifier(verificationKey, headerAlgorithm);
    final boolean signatureValid = compactConsumer.verifySignatureWith(verifier);
    Assert.assertTrue("Signature validation failed", signatureValid);

    // The payload is compared only after the signature check has passed.
    final String payload = compactConsumer.getDecodedJwsPayload();
    Assert.assertEquals(plainText, payload);
}
Example 2
Source File: ApacheCXFConsumer.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Decrypts a compact-serialized JWE with a key from the given set and checks the result.
 *
 * @param encryptedData the compact JWE to decrypt
 * @param plainText the content the JWE is expected to decrypt to
 * @param keys the key set searched for the key named by the {@code kid} header
 */
protected void consumeCompactJWE(String encryptedData, String plainText, JsonWebKeys keys) {
    final JweCompactConsumer compactConsumer = new JweCompactConsumer(encryptedData);

    // Step 1: read the kid from the header to find the key (needed only when the key
    // is not known in advance). At this point nothing in the header has been
    // authenticated, so the kid is just a lookup hint into the supplied key set.
    final String keyId = compactConsumer.getJweHeaders().getKeyId();
    Assert.assertNotNull("Data does not contain kid header.", keyId);

    // Step 2: only keys present in the supplied set can be selected.
    final JsonWebKey decryptionKey = keys.getKey(keyId);
    Assert.assertNotNull("Data encrypted with unknown key", decryptionKey);

    // Step 3: both algorithms are taken from the same header.
    // NOTE(review): getJweDecryptionProvider is defined outside this excerpt; a
    // production caller would normally restrict the accepted key-encryption and
    // content-encryption algorithms instead of following the message - confirm.
    final JweDecryptionProvider provider = getJweDecryptionProvider(
        decryptionKey,
        compactConsumer.getJweHeaders().getKeyEncryptionAlgorithm(),
        compactConsumer.getJweHeaders().getContentEncryptionAlgorithm());
    final String recovered = provider.decrypt(encryptedData).getContentText();

    // Validate the recovered plain text.
    Assert.assertEquals(plainText, recovered);
}
Example 3
Source File: JwsJsonConsumerTest.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Verifies both signatures of a JWS JSON document that carries two signature
 * entries, resolving each verification key from a public JWK set by the entry's kid.
 */
@Test
public void testVerifyDualSignedDocument() throws Exception {
    JwsJsonConsumer jsonConsumer = new JwsJsonConsumer(DUAL_SIGNED_DOCUMENT);
    JsonWebKeys publicKeys = readKeySet("jwkPublicJsonConsumerSet.txt");

    List<JwsJsonSignatureEntry> entries = jsonConsumer.getSignatureEntries();
    assertEquals(2, entries.size());

    // First signer: the kid is pinned to the expected value before the key lookup,
    // so the entry cannot silently select a different key from the set.
    JwsJsonSignatureEntry firstEntry = entries.get(0);
    String firstKid = firstEntry.getKeyId();
    assertEquals(KID_OF_THE_FIRST_SIGNER, firstKid);
    JsonWebKey rsaKey = publicKeys.getKey(firstKid);
    assertNotNull(rsaKey);
    assertTrue(firstEntry.verifySignatureWith(rsaKey));

    // Second signer: same pattern with the second entry and its own key.
    JwsJsonSignatureEntry secondEntry = entries.get(1);
    String secondKid = secondEntry.getKeyId();
    assertEquals(KID_OF_THE_SECOND_SIGNER, secondKid);
    JsonWebKey ecKey = publicKeys.getKey(secondKid);
    assertNotNull(ecKey);
    assertTrue(secondEntry.verifySignatureWith(ecKey));
}
Example 4
Source File: JwsJsonConsumerTest.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Verifies only the first signature of a dual-signed JWS JSON document and checks
 * that the second entry is reported as not validated.
 */
@Test
public void testVerifySingleEntryInDualSignedDocument() throws Exception {
    JwsJsonConsumer jsonConsumer = new JwsJsonConsumer(DUAL_SIGNED_DOCUMENT);
    JsonWebKeys publicKeys = readKeySet("jwkPublicJsonConsumerSet.txt");

    List<JwsJsonSignatureEntry> entries = jsonConsumer.getSignatureEntries();
    assertEquals(2, entries.size());

    // Resolve the first signer's key; the kid is pinned before it is used for lookup.
    String firstKid = entries.get(0).getKeyId();
    assertEquals(KID_OF_THE_FIRST_SIGNER, firstKid);
    JsonWebKey rsaKey = publicKeys.getKey(firstKid);
    assertNotNull(rsaKey);

    // With a single verifier the document-level check passes here even though a
    // second signature exists. A caller that requires every signer has to inspect
    // the non-validated entries as well, which is what the assertions below do.
    JwsSignatureVerifier rsaVerifier = JwsUtils.getSignatureVerifier(rsaKey);
    assertTrue(jsonConsumer.verifySignatureWith(rsaVerifier));

    List<JwsJsonSignatureEntry> notValidated =
        jsonConsumer.verifyAndGetNonValidated(Collections.singletonList(rsaVerifier));
    assertEquals(1, notValidated.size());
    assertEquals(KID_OF_THE_SECOND_SIGNER, notValidated.get(0).getKeyId());
}
Example 5
Source File: DefaultJoseImpl.java From thorntail with Apache License 2.0 | 5 votes |
/**
 * Looks up a key by id in the JWK set inlined in the configuration.
 *
 * <p>The set is parsed again on every call.
 *
 * @param kid the key id to look up
 * @return the matching key, never {@code null}
 * @throws JoseException if the set holds no key with that id; the message does not
 *         echo the requested kid
 */
private JsonWebKey loadJsonWebKey(String kid) {
    final JsonWebKey resolved =
        JwkUtils.readJwkSet(config.inlinedKeystoreJwkSet()).getKey(kid);
    if (resolved != null) {
        return resolved;
    }
    // Fail closed: a missing key is an error, not a reason to skip the JOSE operation.
    throw new JoseException("JWK key is not available");
}
Example 6
Source File: OidcClaimsValidator.java From cxf with Apache License 2.0 | 4 votes |
/**
 * Selects the key for verifying the given token and returns a verifier built on it.
 *
 * <p>Two paths exist. For a self-issued token (when that support is enabled) the key
 * is taken from the token's own {@code sub_jwk} claim and accepted only if its
 * thumbprint equals the {@code sub} claim. Otherwise the key is looked up by the
 * {@code kid} header in the local key map and, on a miss, in a freshly fetched JWK
 * set. If no key is found, the superclass verifier is used.
 *
 * @param jwt the token whose signature is to be verified
 * @return a signature verifier, never {@code null}
 * @throws SecurityException if a self-issued key is missing or does not match, or if
 *         no verifier can be obtained
 */
@Override
protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) {
    JsonWebKey verificationKey = null;

    // NOTE(review): the claim is read under the name "issuer"; the registered JWT
    // issuer claim is "iss" - confirm that this is the intended claim name.
    final boolean selfIssued =
        supportSelfIssuedProvider && SELF_ISSUED_ISSUER.equals(jwt.getClaim("issuer"));

    if (selfIssued) {
        // The key is supplied by the token itself, so it is bound to the subject:
        // it is used only when its thumbprint equals the "sub" claim.
        String embeddedJwk = (String)jwt.getClaim("sub_jwk");
        if (embeddedJwk != null) {
            JsonWebKey candidate = JwkUtils.readJwkKey(embeddedJwk);
            if (JwkUtils.getThumbprint(candidate).equals(jwt.getClaim("sub"))) {
                verificationKey = candidate;
            }
        }
        // Fail closed: no fallback to another key source on this path.
        if (verificationKey == null) {
            throw new SecurityException("Self-issued JWK key is invalid or not available");
        }
    } else {
        // The kid comes from the unverified header and is used only as a lookup key.
        String kid = jwt.getJwsHeaders().getKeyId();
        if (kid != null) {
            verificationKey = keyMap.get(kid);
        }
        if (verificationKey == null && jwkSetClient != null) {
            // Every token with a kid missing from the local map triggers a fetch.
            // NOTE(review): no rate limit is visible in this block - confirm whether
            // one exists elsewhere, since the kid is chosen by the token's sender.
            JsonWebKeys fetched = jwkSetClient.get(JsonWebKeys.class);
            if (kid != null) {
                verificationKey = fetched.getKey(kid);
            } else if (fetched.getKeys().size() == 1) {
                // Without a kid, a key is chosen only if the set is unambiguous.
                verificationKey = fetched.getKeys().get(0);
            }
            // jwkSetClient returns the most up-to-date keys, so the local map is
            // replaced wholesale; keys no longer published are dropped with it.
            keyMap.clear();
            keyMap.putAll(fetched.getKeyIdMap());
        }
    }

    // The algorithm handed to the verifier is the one named in the token header.
    final JwsSignatureVerifier verifier = verificationKey != null
        ? JwsUtils.getSignatureVerifier(verificationKey,
                                        jwt.getJwsHeaders().getSignatureAlgorithm())
        : super.getInitializedSignatureVerifier(jwt.getJwsHeaders());
    if (verifier == null) {
        throw new SecurityException("JWS Verifier is not available");
    }
    return verifier;
}
Example 7
Source File: TrustedIdpOIDCProtocolHandler.java From cxf-fediz with Apache License 2.0 | 4 votes |
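/**
 * Verifies the signature of an IdToken issued by a trusted IdP.
 *
 * <p>The signature algorithm comes from the IdP configuration (default
 * {@code RS256}), never from the token header. If a JWKS URI is configured and the
 * token names a key id, the key is fetched from that URI. Otherwise, or when the key
 * set holds no such key, the certificate configured for the IdP is used.
 *
 * @param trustedIdp the IdP configuration supplying algorithm, JWKS URI and certificate
 * @param jwtConsumer the consumer holding the token to verify
 * @return {@code true} if the signature verifies; {@code false} if it does not or if
 *         no key or certificate is available
 */
private boolean validateSignature(TrustedIdp trustedIdp, JwsJwtCompactConsumer jwtConsumer)
    throws CertificateException, WSSecurityException, ProcessingException, IOException {

    // Validate the Signature. The algorithm is pinned by configuration so that the
    // token cannot choose how it is verified.
    String sigAlgo = getProperty(trustedIdp, SIGNATURE_ALGORITHM);
    if (sigAlgo == null || sigAlgo.isEmpty()) {
        sigAlgo = "RS256";
    }

    JwtToken jwt = jwtConsumer.getJwtToken();
    String jwksUri = getProperty(trustedIdp, JWKS_URI);
    JsonWebKey verifyingKey = null;

    if (jwksUri != null && jwt.getJwsHeaders() != null
        && jwt.getJwsHeaders().containsHeader(JoseConstants.HEADER_KEY_ID)) {
        // The kid is read from the not-yet-verified header; it only selects a key
        // from the set published at the configured URI.
        String kid = (String)jwt.getJwsHeaders().getHeader(JoseConstants.HEADER_KEY_ID);
        LOG.debug("Attemping to retrieve key id {} from uri {}", kid, jwksUri);

        List<Object> jsonKeyProviders = new ArrayList<>();
        jsonKeyProviders.add(new JsonWebKeysProvider());

        WebClient client = WebClient.create(jwksUri, jsonKeyProviders, "cxf-tls.xml");
        try {
            client.accept("application/json");

            ClientConfiguration config = WebClient.getConfig(client);
            if (LOG.isDebugEnabled()) {
                config.getOutInterceptors().add(new LoggingOutInterceptor());
                config.getInInterceptors().add(new LoggingInInterceptor());
            }

            Response response = client.get();
            try {
                JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class);
                if (jsonWebKeys != null) {
                    verifyingKey = jsonWebKeys.getKey(kid);
                }
            } finally {
                // Release the response even when reading the entity fails.
                response.close();
            }
        } finally {
            // A client is created per validation; close it so that repeated
            // validations do not accumulate client resources.
            client.close();
        }
    }

    if (verifyingKey != null) {
        return jwtConsumer.verifySignatureWith(verifyingKey,
                                               SignatureAlgorithm.getAlgorithm(sigAlgo));
    }

    // No JWKS key was found: fall back to the certificate configured for the IdP.
    X509Certificate validatingCert = CertsUtils.parseX509Certificate(trustedIdp.getCertificate());
    if (validatingCert != null) {
        return jwtConsumer.verifySignatureWith(validatingCert,
                                               SignatureAlgorithm.getAlgorithm(sigAlgo));
    }

    // Fail closed when nothing is available to verify with.
    LOG.warn("No key supplied to verify the signature of the IdToken");
    return false;
}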