org.apache.cxf.rs.security.jose.jwk.JsonWebKeys Java Examples

@org.junit.Test
public void testGetJWKRSAPublicKey() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");

    String address = "https://localhost:" + JCACHE_SERVER.getPort() + "/services2/";
    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                        "alice", "security", busFile.toString());
    client.accept("application/json");

    client.path("keys/");
    Response response = client.get();
    JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class);

    assertEquals(1, jsonWebKeys.getKeys().size());

    JsonWebKey jsonWebKey = jsonWebKeys.getKeys().get(0);
    assertEquals(KeyType.RSA, jsonWebKey.getKeyType());
    assertEquals("2011-04-29", jsonWebKey.getKeyId());
    assertNotNull(jsonWebKey.getProperty("n"));
    assertNotNull(jsonWebKey.getProperty("e"));
    // Check we don't send the private key back
    checkPrivateKeyParametersNotPresent(jsonWebKeys);
}
 

@Test
public void testVerifyDualSignedDocument() throws Exception {
    JwsJsonConsumer consumer = new JwsJsonConsumer(DUAL_SIGNED_DOCUMENT);
    JsonWebKeys jwks = readKeySet("jwkPublicJsonConsumerSet.txt");

    List<JwsJsonSignatureEntry> sigEntries = consumer.getSignatureEntries();
    assertEquals(2, sigEntries.size());
    // 1st signature
    String firstKid = sigEntries.get(0).getKeyId();
    assertEquals(KID_OF_THE_FIRST_SIGNER, firstKid);
    JsonWebKey rsaKey = jwks.getKey(firstKid);
    assertNotNull(rsaKey);
    assertTrue(sigEntries.get(0).verifySignatureWith(rsaKey));
    // 2nd signature
    String secondKid = sigEntries.get(1).getKeyId();
    assertEquals(KID_OF_THE_SECOND_SIGNER, secondKid);
    JsonWebKey ecKey = jwks.getKey(secondKid);
    assertNotNull(ecKey);
    assertTrue(sigEntries.get(1).verifySignatureWith(ecKey));
}
 

@Test
public void testVerifySingleEntryInDualSignedDocument() throws Exception {
    JwsJsonConsumer consumer = new JwsJsonConsumer(DUAL_SIGNED_DOCUMENT);
    JsonWebKeys jwks = readKeySet("jwkPublicJsonConsumerSet.txt");

    List<JwsJsonSignatureEntry> sigEntries = consumer.getSignatureEntries();
    assertEquals(2, sigEntries.size());
    // 1st signature
    String firstKid = sigEntries.get(0).getKeyId();
    assertEquals(KID_OF_THE_FIRST_SIGNER, firstKid);
    JsonWebKey rsaKey = jwks.getKey(firstKid);
    assertNotNull(rsaKey);
    JwsSignatureVerifier jws = JwsUtils.getSignatureVerifier(rsaKey);
    assertTrue(consumer.verifySignatureWith(jws));
    List<JwsJsonSignatureEntry> remainingEntries =
        consumer.verifyAndGetNonValidated(Collections.singletonList(jws));
    assertEquals(1, remainingEntries.size());
    assertEquals(KID_OF_THE_SECOND_SIGNER, remainingEntries.get(0).getKeyId());

}
 

@Test
public void testLoadVerificationKeyWithCert() throws Exception {
    Properties p = new Properties();
    p.put(JoseConstants.RSSEC_KEY_STORE_FILE,
        "org/apache/cxf/rs/security/jose/jws/alice.jks");
    p.put(JoseConstants.RSSEC_KEY_STORE_PSWD, "password");
    p.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "alice");
    p.put(JoseConstants.RSSEC_SIGNATURE_INCLUDE_CERT, true);
    JsonWebKeys keySet = JwsUtils.loadPublicVerificationKeys(createMessage(), p, true);
    assertEquals(1, keySet.asMap().size());
    List<JsonWebKey> keys = keySet.getRsaKeys();
    assertEquals(1, keys.size());
    JsonWebKey key = keys.get(0);
    assertEquals(KeyType.RSA, key.getKeyType());
    assertEquals("alice", key.getKeyId());
    assertNotNull(key.getKeyProperty(JsonWebKey.RSA_PUBLIC_EXP));
    assertNotNull(key.getKeyProperty(JsonWebKey.RSA_MODULUS));
    assertNull(key.getKeyProperty(JsonWebKey.RSA_PRIVATE_EXP));
    List<String> chain = key.getX509Chain();
    assertNotNull(chain);
    assertEquals(2, chain.size());
}
 

@Test
public void testLoadVerificationKey() throws Exception {
    Properties p = new Properties();
    p.put(JoseConstants.RSSEC_KEY_STORE_FILE,
        "org/apache/cxf/rs/security/jose/jws/alice.jks");
    p.put(JoseConstants.RSSEC_KEY_STORE_PSWD, "password");
    p.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "alice");
    JsonWebKeys keySet = JwsUtils.loadPublicVerificationKeys(createMessage(), p, true);
    assertEquals(1, keySet.asMap().size());
    List<JsonWebKey> keys = keySet.getRsaKeys();
    assertEquals(1, keys.size());
    JsonWebKey key = keys.get(0);
    assertEquals(KeyType.RSA, key.getKeyType());
    assertEquals("alice", key.getKeyId());
    assertNotNull(key.getKeyProperty(JsonWebKey.RSA_PUBLIC_EXP));
    assertNotNull(key.getKeyProperty(JsonWebKey.RSA_MODULUS));
    assertNull(key.getKeyProperty(JsonWebKey.RSA_PRIVATE_EXP));
    assertNull(key.getX509Chain());
}
 

protected void consumeJsonJWE(String encryptedData, String plainText, JsonWebKeys keys) {

        // Decrypt

        // 1. Read data
        JweJsonConsumer jweConsumer = new JweJsonConsumer(encryptedData);
        jweConsumer.getRecipients().forEach(encryptionBlock -> {
            String kid = Crypto.findKeyId(jweConsumer, encryptionBlock);
            Assert.assertNotNull("Data does not contain kid header.", kid);

            // 2. Get Key
            JsonWebKey key = keys.getKey(kid);
            Assert.assertNotNull("Data encrypted with unknown key", key);

            // 3. Decrypt
            KeyAlgorithm keyAlgo = Crypto.findKeyAlgorithm(jweConsumer, encryptionBlock);
            ContentAlgorithm contentAlgo = Crypto.findContentAlgorithm(jweConsumer, encryptionBlock);
            Assert.assertNotNull("Encrypted data does not define algorithm used", contentAlgo);
            JweDecryptionProvider decryptor = getJweDecryptionProvider(key, keyAlgo, contentAlgo);
            JweDecryptionOutput output = jweConsumer.decryptWith(decryptor, encryptionBlock);

            // Validate plain text
            String payload = output.getContentText();
            Assert.assertEquals(plainText, payload);
        });
    }
 

@org.junit.Test
public void testGetJWKMultipleKeys() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");

    String address = "https://localhost:" + JCACHE_SERVER.getPort() + "/services6/";
    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                        "alice", "security", busFile.toString());
    client.accept("application/json");

    client.path("keys/");
    Response response = client.get();
    JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class);

    assertEquals(2, jsonWebKeys.getKeys().size());

    // Check we don't send the private key back
    checkPrivateKeyParametersNotPresent(jsonWebKeys);
}
 

@org.junit.Test
public void testGetJWKHMACExplicitlyAllowed() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");

    String address = "https://localhost:" + JCACHE_SERVER.getPort() + "/services5/";
    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                        "alice", "security", busFile.toString());
    client.accept("application/json");

    client.path("keys/");
    Response response = client.get();
    JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class);

    // Here we explicitly allow sending back secret keys
    assertEquals(1, jsonWebKeys.getKeys().size());
}
 

@org.junit.Test
public void testGetJWKHMAC() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");

    String address = "https://localhost:" + JCACHE_SERVER.getPort() + "/services4/";
    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                        "alice", "security", busFile.toString());
    client.accept("application/json");

    client.path("keys/");
    Response response = client.get();
    JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class);

    // We don't allow sending secret keys back from the key service by default
    assertNull(jsonWebKeys.getKeys());
}
 

@org.junit.Test
public void testGetJWKECPublicKey() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");

    String address = "https://localhost:" + JCACHE_SERVER.getPort() + "/services3/";
    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                        "alice", "security", busFile.toString());
    client.accept("application/json");

    client.path("keys/");
    Response response = client.get();
    JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class);

    assertEquals(1, jsonWebKeys.getKeys().size());

    JsonWebKey jsonWebKey = jsonWebKeys.getKeys().get(0);
    assertEquals(KeyType.EC, jsonWebKey.getKeyType());
    assertEquals("ECKey", jsonWebKey.getKeyId());
    assertNotNull(jsonWebKey.getProperty("x"));
    assertNotNull(jsonWebKey.getProperty("y"));
    // Check we don't send the private key back
    checkPrivateKeyParametersNotPresent(jsonWebKeys);
}
 

@org.junit.Test
public void testGetRSAPublicKey() throws Exception {
    URL busFile = OIDCFlowTest.class.getResource("client.xml");

    String address = "https://localhost:" + JCACHE_SERVER.getPort() + "/services/";
    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                        "alice", "security", busFile.toString());
    client.accept("application/json");

    client.path("keys/");
    Response response = client.get();
    JsonWebKeys jsonWebKeys = response.readEntity(JsonWebKeys.class);

    assertEquals(1, jsonWebKeys.getKeys().size());

    JsonWebKey jsonWebKey = jsonWebKeys.getKeys().get(0);
    assertEquals(KeyType.RSA, jsonWebKey.getKeyType());
    assertEquals("alice", jsonWebKey.getKeyId());
    assertNotNull(jsonWebKey.getProperty("n"));
    assertNotNull(jsonWebKey.getProperty("e"));
    // Check we don't send the private key back
    checkPrivateKeyParametersNotPresent(jsonWebKeys);
}
 

protected void consumeCompactJWE(String encryptedData, String plainText, JsonWebKeys keys) {

        // Decrypt

        // 1. Read data to get key id (only need to do this if you don't know the key)
        JweCompactConsumer jweConsumer = new JweCompactConsumer(encryptedData);
        String kid = jweConsumer.getJweHeaders().getKeyId();

        Assert.assertNotNull("Data does not contain kid header.", kid);

        // 2. Get key
        JsonWebKey key = keys.getKey(kid);
        Assert.assertNotNull("Data encrypted with unknown key", key);

        // 3. decrypt
        JweDecryptionProvider decryptor = getJweDecryptionProvider(key,
            jweConsumer.getJweHeaders().getKeyEncryptionAlgorithm(),
            jweConsumer.getJweHeaders().getContentEncryptionAlgorithm());
        String decryptedText = decryptor.decrypt(encryptedData).getContentText();

        // Validate plain text
        Assert.assertEquals(plainText, decryptedText);
    }
 

protected void consumeJsonJWS(String signedData, String plainText, JsonWebKeys keys) {

        // Validate signature

        // 1. Read data
        JwsJsonConsumer jwsConsumer = new JwsJsonConsumer(signedData);
        jwsConsumer.getSignatureEntries().forEach(signature -> {
            String kid = signature.getKeyId();
            Assert.assertNotNull("Signature does not contain kid.", kid);

            // 2. Get Key
            JsonWebKey key = keys.getKey(kid);
            Assert.assertNotNull("Data signed with unknown key", key);

            // 3. Verify
            SignatureAlgorithm signAlgo = signature.getUnionHeader().getSignatureAlgorithm();
            Assert.assertNotNull("Signed data does not define algorithm used", signAlgo);
            JwsSignatureVerifier signatureVerifier = JwsUtils.getSignatureVerifier(key, signAlgo);
            Assert.assertTrue("Signature validation failed", jwsConsumer.verifySignatureWith(signatureVerifier));

            // Validate plain text
            Assert.assertEquals(plainText, signature.getDecodedJwsPayload());
        });
    }
 

protected void consumeCompactJWS(String signedData, String plainText, JsonWebKeys keys) {

        // Validate Signature

        // 1. Read data to get key id (only need to do this if you don't know the key)
        JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(signedData);
        String kid = jwsConsumer.getJwsHeaders().getKeyId();

        Assert.assertNotNull("Data does not contain kid header.", kid);

        // 2. Get key
        JsonWebKey key = keys.getKey(kid);
        Assert.assertNotNull("Data signed with unknown key", key);

        // 3. Verify
        SignatureAlgorithm signAlgo = jwsConsumer.getJwsHeaders().getSignatureAlgorithm();
        Assert.assertNotNull("Signed data does not define algorithm used", signAlgo);
        JwsSignatureVerifier signatureVerifier = JwsUtils.getSignatureVerifier(key, signAlgo);
        Assert.assertTrue("Signature validation failed", jwsConsumer.verifySignatureWith(signatureVerifier));

        // Validate plain text
        Assert.assertEquals(plainText, jwsConsumer.getDecodedJwsPayload());
    }
 

public static JsonWebKeys loadPublicVerificationKeys(Message m, Properties props, boolean stripPrivateParameters) {
    String storeType = props.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE);
    if ("jwk".equals(storeType)) {
        List<JsonWebKey> jsonWebKeys = JwkUtils.loadJsonWebKeys(m, props, KeyOperation.SIGN, null);
        if (jsonWebKeys == null || jsonWebKeys.isEmpty()) {
            throw new JoseException("Error loading keys");
        }
        return new JsonWebKeys(stripPrivateParameters ? JwkUtils.stripPrivateParameters(jsonWebKeys) : jsonWebKeys);
    }
    X509Certificate[] certs = null;
    if (PropertyUtils.isTrue(props.get(JoseConstants.RSSEC_SIGNATURE_INCLUDE_CERT))) {
        certs = KeyManagementUtils.loadX509CertificateOrChain(m, props);
    }
    PublicKey key = certs != null && certs.length > 0
        ? certs[0].getPublicKey() : KeyManagementUtils.loadPublicKey(m, props);
    JsonWebKey jwk = JwkUtils.fromPublicKey(key, props, JoseConstants.RSSEC_SIGNATURE_ALGORITHM);
    jwk.setPublicKeyUse(PublicKeyUse.SIGN);
    if (certs != null) {
        jwk.setX509Chain(KeyManagementUtils.encodeX509CertificateChain(certs));
    }
    return new JsonWebKeys(jwk);
}
 

public void produceJWS(String keyType, String signatureAlgorithm, Serialization serialization, String plainText,
    String jwksJson) {
    JsonWebKeys keys = JwkUtils.readJwkSet(jwksJson);
    JsonWebKey key = getRequestedKeyType(keyType, keys).orElseThrow(IllegalArgumentException::new);

    // Sign
    JwsHeaders jwsHeaders = new JwsHeaders();
    jwsHeaders.setKeyId(key.getKeyId());
    jwsHeaders.setAlgorithm(signatureAlgorithm);
    switch (serialization) {
    case COMPACT:
        produceCompactJWS(plainText, key, jwsHeaders);
        break;
    case FLATTENED:
        produceJsonJWS(plainText, key, jwsHeaders, true);
        break;
    case JSON:
        produceJsonJWS(plainText, key, jwsHeaders, false);
        break;
    default:
        throw new IllegalArgumentException("Serialization not supported: " + serialization);
    }

}
 

public void produceJWE(String keyType, String keyEncryptionAlgorithm, String contentEncryptionAlgorithm,
    Serialization serialization, String plainText, String jwksJson) {
    JsonWebKeys keys = JwkUtils.readJwkSet(jwksJson);
    JsonWebKey key = getRequestedKeyType(keyType, keys).orElseThrow(IllegalArgumentException::new);

    // Encrypt
    switch (serialization) {
    case COMPACT:
        JweHeaders headers = new JweHeaders();
        headers.setKeyId(key.getKeyId());
        headers.setKeyEncryptionAlgorithm(KeyAlgorithm.getAlgorithm(keyEncryptionAlgorithm));
        headers.setContentEncryptionAlgorithm(ContentAlgorithm.getAlgorithm(contentEncryptionAlgorithm));
        produceCompactJWE(plainText, key, headers);
        break;
    case FLATTENED:
        produceJsonJWE(keyEncryptionAlgorithm, contentEncryptionAlgorithm, plainText, key, true);
        break;
    case JSON:
        produceJsonJWE(keyEncryptionAlgorithm, contentEncryptionAlgorithm, plainText, key, false);
        break;
    default: 
        throw new IllegalArgumentException("Serialization not supported: " + serialization);
    }

}
 

private void validatePrivateSet(JsonWebKeys jwks) throws Exception {
    List<JsonWebKey> keys = jwks.getKeys();
    assertEquals(2, keys.size());
    JsonWebKey ecKey = keys.get(0);
    assertEquals(7, ecKey.asMap().size());
    validatePrivateEcKey(ecKey);
    JsonWebKey rsaKey = keys.get(1);
    assertEquals(11, rsaKey.asMap().size());
    validatePrivateRsaKey(rsaKey);
}
 

public void consumeJWE(String encryptedData, String plainText, String jwks) {
    JsonWebKeys keys = JwkUtils.readJwkSet(jwks);
    if (encryptedData.startsWith("{")) {
        consumeJsonJWE(encryptedData, plainText, keys);
    } else {
        consumeCompactJWE(encryptedData, plainText, keys);
    }
}
 

public void consumeJWS(String signedData, String plainText, String jwks) {
    JsonWebKeys keys = JwkUtils.readJwkSet(jwks);
    if (signedData.startsWith("{")) {
        consumeJsonJWS(signedData, plainText, keys);
    } else {
        consumeCompactJWS(signedData, plainText, keys);
    }
}
 

@Test
public void testPublicSetAsList() throws Exception {
    JsonWebKeys jwks = readKeySet("cookbookPublicSet.txt");
    List<JsonWebKey> keys = jwks.getKeys();
    assertEquals(2, keys.size());
    JsonWebKey ecKey = keys.get(0);
    assertEquals(6, ecKey.asMap().size());
    validatePublicEcKey(ecKey);
    JsonWebKey rsaKey = keys.get(1);
    assertEquals(5, rsaKey.asMap().size());
    validatePublicRsaKey(rsaKey);
}
 

@Test
public void testPublicSetAsMap() throws Exception {
    JsonWebKeys jwks = readKeySet("cookbookPublicSet.txt");
    Map<KeyType, List<JsonWebKey>> keysMap = jwks.getKeyTypeMap();
    assertEquals(2, keysMap.size());
    List<JsonWebKey> rsaKeys = keysMap.get(KeyType.RSA);
    assertEquals(1, rsaKeys.size());
    assertEquals(5, rsaKeys.get(0).asMap().size());
    validatePublicRsaKey(rsaKeys.get(0));
    List<JsonWebKey> ecKeys = keysMap.get(KeyType.EC);
    assertEquals(1, ecKeys.size());
    assertEquals(6, ecKeys.get(0).asMap().size());
    validatePublicEcKey(ecKeys.get(0));
}
 

public JsonWebKeys get() throws AuthenticatorUnavailableException {
	String uri = getJwksUri();

	try (CloseableHttpClient httpClient = createHttpClient(null)) {

		HttpGet httpGet = new HttpGet(uri);

		RequestConfig requestConfig = RequestConfig.custom().setConnectionRequestTimeout(getRequestTimeoutMs())
				.setConnectTimeout(getRequestTimeoutMs()).setSocketTimeout(getRequestTimeoutMs()).build();

		httpGet.setConfig(requestConfig);

		try (CloseableHttpResponse response = httpClient.execute(httpGet)) {
			StatusLine statusLine = response.getStatusLine();

			if (statusLine.getStatusCode() < 200 || statusLine.getStatusCode() >= 300) {
				throw new AuthenticatorUnavailableException("Error while getting " + uri + ": " + statusLine);
			}

			HttpEntity httpEntity = response.getEntity();

			if (httpEntity == null) {
				throw new AuthenticatorUnavailableException(
						"Error while getting " + uri + ": Empty response entity");
			}

			JsonWebKeys keySet = JwkUtils.readJwkSet(httpEntity.getContent());

			return keySet;
		}
	} catch (IOException e) {
		throw new AuthenticatorUnavailableException("Error while getting " + uri + ": " + e, e);
	}

}
 

@Test
public void testSecretSetAsList() throws Exception {
    JsonWebKeys jwks = readKeySet("cookbookSecretSet.txt");
    List<JsonWebKey> keys = jwks.getKeys();
    assertEquals(2, keys.size());
    JsonWebKey signKey = keys.get(0);
    assertEquals(5, signKey.asMap().size());
    validateSecretSignKey(signKey);
    JsonWebKey encKey = keys.get(1);
    assertEquals(5, encKey.asMap().size());
    validateSecretEncKey(encKey);
}
 

@Test
public void testRSAv15Signature() throws Exception {
    JwsCompactProducer compactProducer = new JwsCompactProducer(PAYLOAD);
    compactProducer.getJwsHeaders().setSignatureAlgorithm(SignatureAlgorithm.RS256);
    compactProducer.getJwsHeaders().setKeyId(RSA_KID_VALUE);
    JsonMapObjectReaderWriter reader = new JsonMapObjectReaderWriter();
    assertEquals(reader.toJson(compactProducer.getJwsHeaders().asMap()), RSA_V1_5_SIGNATURE_PROTECTED_HEADER_JSON);
    assertEquals(compactProducer.getUnsignedEncodedJws(),
            RSA_V1_5_SIGNATURE_PROTECTED_HEADER + "." + ENCODED_PAYLOAD);
    JsonWebKeys jwks = readKeySet("cookbookPrivateSet.txt");
    List<JsonWebKey> keys = jwks.getKeys();
    JsonWebKey rsaKey = keys.get(1);
    compactProducer.signWith(rsaKey);
    assertEquals(compactProducer.getSignedEncodedJws(),
            RSA_V1_5_SIGNATURE_PROTECTED_HEADER + "." + ENCODED_PAYLOAD + "." + RSA_V1_5_SIGNATURE_VALUE);
    JwsCompactConsumer compactConsumer = new JwsCompactConsumer(compactProducer.getSignedEncodedJws());
    JsonWebKeys publicJwks = readKeySet("cookbookPublicSet.txt");
    List<JsonWebKey> publicKeys = publicJwks.getKeys();
    JsonWebKey rsaPublicKey = publicKeys.get(1);
    assertTrue(compactConsumer.verifySignatureWith(rsaPublicKey,
                                                   SignatureAlgorithm.RS256));

    JwsJsonProducer jsonProducer = new JwsJsonProducer(PAYLOAD);
    assertEquals(jsonProducer.getPlainPayload(), PAYLOAD);
    assertEquals(jsonProducer.getUnsignedEncodedPayload(), ENCODED_PAYLOAD);
    JwsHeaders protectedHeader = new JwsHeaders();
    protectedHeader.setSignatureAlgorithm(SignatureAlgorithm.RS256);
    protectedHeader.setKeyId(RSA_KID_VALUE);
    jsonProducer.signWith(JwsUtils.getSignatureProvider(rsaKey,
                                                        SignatureAlgorithm.RS256), protectedHeader);
    assertEquals(jsonProducer.getJwsJsonSignedDocument(), RSA_V1_5_JSON_GENERAL_SERIALIZATION);
    JwsJsonConsumer jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
    assertTrue(jsonConsumer.verifySignatureWith(rsaPublicKey, SignatureAlgorithm.RS256));

    jsonProducer = new JwsJsonProducer(PAYLOAD, true);
    jsonProducer.signWith(JwsUtils.getSignatureProvider(rsaKey, SignatureAlgorithm.RS256), protectedHeader);
    assertEquals(jsonProducer.getJwsJsonSignedDocument(), RSA_V1_5_JSON_FLATTENED_SERIALIZATION);
    jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
    assertTrue(jsonConsumer.verifySignatureWith(rsaPublicKey, SignatureAlgorithm.RS256));
}
 

@Test
public void testECDSASignature() throws Exception {

    try {
        Cipher.getInstance(AlgorithmUtils.ES_SHA_512_JAVA);
    } catch (Throwable t) {
        Security.addProvider(new BouncyCastleProvider());
    }
    try {
        JwsCompactProducer compactProducer = new JwsCompactProducer(PAYLOAD);
        compactProducer.getJwsHeaders().setSignatureAlgorithm(SignatureAlgorithm.ES512);
        compactProducer.getJwsHeaders().setKeyId(ECDSA_KID_VALUE);
        JsonMapObjectReaderWriter reader = new JsonMapObjectReaderWriter();
        assertEquals(reader.toJson(compactProducer.getJwsHeaders().asMap()),
                     ECDSA_SIGNATURE_PROTECTED_HEADER_JSON);
        assertEquals(compactProducer.getUnsignedEncodedJws(),
                ECSDA_SIGNATURE_PROTECTED_HEADER + "." + ENCODED_PAYLOAD);
        JsonWebKeys jwks = readKeySet("cookbookPrivateSet.txt");
        List<JsonWebKey> keys = jwks.getKeys();
        JsonWebKey ecKey = keys.get(0);
        compactProducer.signWith(new EcDsaJwsSignatureProvider(JwkUtils.toECPrivateKey(ecKey),
                                                               SignatureAlgorithm.ES512));
        assertEquals(compactProducer.getUnsignedEncodedJws(),
                     ECSDA_SIGNATURE_PROTECTED_HEADER + "." + ENCODED_PAYLOAD);
        assertEquals(132, Base64UrlUtility.decode(compactProducer.getEncodedSignature()).length);

        JwsCompactConsumer compactConsumer = new JwsCompactConsumer(compactProducer.getSignedEncodedJws());
        JsonWebKeys publicJwks = readKeySet("cookbookPublicSet.txt");
        List<JsonWebKey> publicKeys = publicJwks.getKeys();
        JsonWebKey ecPublicKey = publicKeys.get(0);
        assertTrue(compactConsumer.verifySignatureWith(ecPublicKey, SignatureAlgorithm.ES512));
    } finally {
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
    }
}
 

@Test
public void testHMACSignature() throws Exception {
    JwsCompactProducer compactProducer = new JwsCompactProducer(PAYLOAD);
    compactProducer.getJwsHeaders().setSignatureAlgorithm(SignatureAlgorithm.HS256);
    compactProducer.getJwsHeaders().setKeyId(HMAC_KID_VALUE);
    JsonMapObjectReaderWriter reader = new JsonMapObjectReaderWriter();
    assertEquals(reader.toJson(compactProducer.getJwsHeaders().asMap()), HMAC_SIGNATURE_PROTECTED_HEADER_JSON);
    assertEquals(compactProducer.getUnsignedEncodedJws(),
            HMAC_SIGNATURE_PROTECTED_HEADER + "." + ENCODED_PAYLOAD);
    JsonWebKeys jwks = readKeySet("cookbookSecretSet.txt");
    List<JsonWebKey> keys = jwks.getKeys();
    JsonWebKey key = keys.get(0);
    compactProducer.signWith(key);
    assertEquals(compactProducer.getSignedEncodedJws(),
            HMAC_SIGNATURE_PROTECTED_HEADER + "." + ENCODED_PAYLOAD + "." + HMAC_SIGNATURE_VALUE);
    JwsCompactConsumer compactConsumer = new JwsCompactConsumer(compactProducer.getSignedEncodedJws());
    assertTrue(compactConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));

    JwsJsonProducer jsonProducer = new JwsJsonProducer(PAYLOAD);
    assertEquals(jsonProducer.getPlainPayload(), PAYLOAD);
    assertEquals(jsonProducer.getUnsignedEncodedPayload(), ENCODED_PAYLOAD);
    JwsHeaders protectedHeader = new JwsHeaders();
    protectedHeader.setSignatureAlgorithm(SignatureAlgorithm.HS256);
    protectedHeader.setKeyId(HMAC_KID_VALUE);
    jsonProducer.signWith(JwsUtils.getSignatureProvider(key, SignatureAlgorithm.HS256), protectedHeader);
    assertEquals(jsonProducer.getJwsJsonSignedDocument(), HMAC_JSON_GENERAL_SERIALIZATION);
    JwsJsonConsumer jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
    assertTrue(jsonConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));

    jsonProducer = new JwsJsonProducer(PAYLOAD, true);
    jsonProducer.signWith(JwsUtils.getSignatureProvider(key, SignatureAlgorithm.HS256), protectedHeader);
    assertEquals(jsonProducer.getJwsJsonSignedDocument(), HMAC_JSON_FLATTENED_SERIALIZATION);
    jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
    assertTrue(jsonConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));
}
 

@SuppressWarnings("deprecation")
@Test
public void testDetachedHMACSignature() throws Exception {
    JwsCompactProducer compactProducer = new JwsCompactProducer(PAYLOAD, true);
    compactProducer.getJwsHeaders().setSignatureAlgorithm(SignatureAlgorithm.HS256);
    compactProducer.getJwsHeaders().setKeyId(HMAC_KID_VALUE);
    JsonMapObjectReaderWriter reader = new JsonMapObjectReaderWriter();
    assertEquals(reader.toJson(compactProducer.getJwsHeaders().asMap()), HMAC_SIGNATURE_PROTECTED_HEADER_JSON);
    assertEquals(compactProducer.getUnsignedEncodedJws(),
            HMAC_SIGNATURE_PROTECTED_HEADER + ".");
    JsonWebKeys jwks = readKeySet("cookbookSecretSet.txt");
    List<JsonWebKey> keys = jwks.getKeys();
    JsonWebKey key = keys.get(0);
    compactProducer.signWith(key);
    assertEquals(compactProducer.getSignedEncodedJws(), DETACHED_HMAC_JWS);
    JwsCompactConsumer compactConsumer =
            new JwsCompactConsumer(compactProducer.getSignedEncodedJws(), ENCODED_PAYLOAD);
    assertTrue(compactConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));

    JwsJsonProducer jsonProducer = new JwsJsonProducer(PAYLOAD);
    assertEquals(jsonProducer.getPlainPayload(), PAYLOAD);
    assertEquals(jsonProducer.getUnsignedEncodedPayload(), ENCODED_PAYLOAD);
    JwsHeaders protectedHeader = new JwsHeaders();
    protectedHeader.setSignatureAlgorithm(SignatureAlgorithm.HS256);
    protectedHeader.setKeyId(HMAC_KID_VALUE);
    jsonProducer.signWith(JwsUtils.getSignatureProvider(key, SignatureAlgorithm.HS256), protectedHeader);
    assertEquals(jsonProducer.getJwsJsonSignedDocument(true), HMAC_DETACHED_JSON_GENERAL_SERIALIZATION);
    JwsJsonConsumer jsonConsumer =
            new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument(true), ENCODED_PAYLOAD);
    assertTrue(jsonConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));

    jsonProducer = new JwsJsonProducer(PAYLOAD, true);
    jsonProducer.signWith(JwsUtils.getSignatureProvider(key, SignatureAlgorithm.HS256), protectedHeader);
    assertEquals(jsonProducer.getJwsJsonSignedDocument(true), HMAC_DETACHED_JSON_FLATTENED_SERIALIZATION);
    jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument(true), ENCODED_PAYLOAD);
    assertTrue(jsonConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));
}
 

@Test
public void testDetachedHMACSignature2() throws Exception {
    JsonWebKeys jwks = readKeySet("cookbookSecretSet.txt");
    List<JsonWebKey> keys = jwks.getKeys();
    JsonWebKey key = keys.get(0);
    
    JwsJsonProducer jsonProducer = new JwsJsonProducer(PAYLOAD, false, true);
    assertEquals(jsonProducer.getPlainPayload(), PAYLOAD);
    assertEquals(jsonProducer.getUnsignedEncodedPayload(), ENCODED_PAYLOAD);
    JwsHeaders protectedHeader = new JwsHeaders();
    protectedHeader.setSignatureAlgorithm(SignatureAlgorithm.HS256);
    protectedHeader.setKeyId(HMAC_KID_VALUE);
    
    String jwsJsonCompleteSequence = 
        jsonProducer.signWith(JwsUtils.getSignatureProvider(key, SignatureAlgorithm.HS256), protectedHeader);
    assertEquals(jwsJsonCompleteSequence, HMAC_DETACHED_JSON_GENERAL_SERIALIZATION);
    JwsJsonConsumer jsonConsumer =
            new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument(), ENCODED_PAYLOAD);
    assertTrue(jsonConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));

    jsonProducer = new JwsJsonProducer(PAYLOAD, true, true);
    String jwsJsonFlattenedSequence = 
        jsonProducer.signWith(JwsUtils.getSignatureProvider(key, SignatureAlgorithm.HS256), protectedHeader);
    assertEquals(jwsJsonFlattenedSequence, HMAC_DETACHED_JSON_FLATTENED_SERIALIZATION);
    jsonConsumer = new JwsJsonConsumer(jwsJsonFlattenedSequence, ENCODED_PAYLOAD);
    assertTrue(jsonConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));
}
 

@Test
public void testProtectingSpecificHeaderFieldsSignature() throws Exception {
    JwsJsonProducer jsonProducer = new JwsJsonProducer(PAYLOAD);
    assertEquals(jsonProducer.getPlainPayload(), PAYLOAD);
    assertEquals(jsonProducer.getUnsignedEncodedPayload(), ENCODED_PAYLOAD);
    JwsHeaders protectedHeader = new JwsHeaders();
    protectedHeader.setSignatureAlgorithm(SignatureAlgorithm.HS256);
    JwsHeaders unprotectedHeader = new JwsHeaders();
    unprotectedHeader.setKeyId(HMAC_KID_VALUE);
    JsonWebKeys jwks = readKeySet("cookbookSecretSet.txt");
    List<JsonWebKey> keys = jwks.getKeys();
    JsonWebKey key = keys.get(0);
    jsonProducer.signWith(JwsUtils.getSignatureProvider(key, SignatureAlgorithm.HS256),
            protectedHeader, unprotectedHeader);
    assertEquals(jsonProducer.getJwsJsonSignedDocument(),
            PROTECTING_SPECIFIC_HEADER_FIELDS_JSON_GENERAL_SERIALIZATION);
    JwsJsonConsumer jsonConsumer =
            new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
    assertTrue(jsonConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));

    jsonProducer = new JwsJsonProducer(PAYLOAD, true);
    jsonProducer.signWith(JwsUtils.getSignatureProvider(key, SignatureAlgorithm.HS256),
            protectedHeader, unprotectedHeader);
    assertEquals(jsonProducer.getJwsJsonSignedDocument(),
            PROTECTING_SPECIFIC_HEADER_FIELDS_JSON_FLATTENED_SERIALIZATION);
    jsonConsumer = new JwsJsonConsumer(jsonProducer.getJwsJsonSignedDocument());
    assertTrue(jsonConsumer.verifySignatureWith(key, SignatureAlgorithm.HS256));
}