/**
 * Parses a compact JWS and verifies it with an HMAC key obtained from {@code keyService}.
 *
 * <p>The key is looked up by the {@code KEY_ID_CLAIM} value carried in the token's own
 * (not yet verified) claims. That value is only a lookup handle into the key service, never
 * key material, so an attacker-controlled claim can at most select a key this service
 * previously issued; verification then runs against the server-held bytes.
 *
 * @param base64EncodedToken the compact-serialized JWS string
 * @return the verified JWS together with its parsed claims
 * @throws JwtException if the token is malformed, unsupported, expired, has an invalid
 *     signature, or no signing key can be resolved for it; the original failure is kept as
 *     the cause while the message stays deliberately generic
 */
private Jws<Claims> parseTokenFromBase64EncodedString(final String base64EncodedToken) throws JwtException {
    final SigningKeyResolverAdapter keyLookup = new SigningKeyResolverAdapter() {
        @Override
        public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
            final String identity = claims.getSubject();
            // The key id lives in the claims (not the JWS header) in this scheme
            final String keyId = claims.get(KEY_ID_CLAIM, String.class);
            final Key key = keyService.getKey(keyId);
            // Only a key previously issued by this key service (with material present) can verify
            if (key == null || key.getKey() == null) {
                throw new UnsupportedJwtException("Unable to determine signing key for " + identity + " [kid: " + keyId + "]");
            }
            return key.getKey().getBytes(StandardCharsets.UTF_8);
        }
    };

    try {
        return Jwts.parser()
                .setSigningKeyResolver(keyLookup)
                .parseClaimsJws(base64EncodedToken);
    } catch (final MalformedJwtException | UnsupportedJwtException | SignatureException
            | ExpiredJwtException | IllegalArgumentException e) {
        // TODO: Exercise all exceptions to ensure none leak key material to logs
        // The detailed reason travels only in the cause chain, not in the outward message
        throw new JwtException("Unable to validate the access token.", e);
    }
}
/**
 * Signs the given claims as a compact JWS with the shared secret and {@code signatureAlgorithm}.
 *
 * <p>The secret from {@code getSecretKey()} is wrapped in a {@link SecretKeySpec} under the
 * algorithm's JCA name before being handed to the builder.
 * NOTE(review): the {@code alg} header entry is populated with the {@code SignatureAlgorithm}
 * enum itself rather than its name; presumably {@code signWith} rewrites it — verify the
 * emitted header.
 *
 * @param claims the claims to embed in the token
 * @return the compact JWS string
 */
private static String signClaims(Claims claims) {
    // Header
    Map<String, Object> jwsHeader = new HashMap<>();
    jwsHeader.put(Header.TYPE, Header.JWT_TYPE);
    jwsHeader.put(JwsHeader.ALGORITHM, signatureAlgorithm);

    // Signature key, bound to the algorithm that will use it
    Key signingKey = new SecretKeySpec(getSecretKey(), signatureAlgorithm.getJcaName());

    return Jwts.builder()
            .setHeader(jwsHeader)
            .setClaims(claims)
            .signWith(signatureAlgorithm, signingKey)
            .compact();
}
/**
 * Builds a short-lived, RS256-signed client assertion addressed to the token endpoint.
 *
 * <p>The header carries the certificate thumbprint as both {@code x5t} and {@code kid};
 * issuer and subject are the client id; the token carries a fresh {@code jti} and expires
 * 10 seconds after issuance, which bounds the replay window if the assertion leaks.
 *
 * @return the compact JWS string
 */
public String CreateAssertionToken() {
    final long issuedAtMillis = System.currentTimeMillis();
    // no need to have a long-lived token (clock skew should be accounted for on the server-side)
    final long lifetimeMillis = 10000L; // 10 seconds
    final Date issuedAt = new Date(issuedAtMillis);
    final Date expiresAt = new Date(issuedAtMillis + lifetimeMillis);

    return Jwts.builder()
            .setHeaderParam("typ", "JWT")
            .setHeaderParam(JwsHeader.X509_CERT_SHA1_THUMBPRINT, thumbprint)
            .setHeaderParam(JwsHeader.KEY_ID, thumbprint)
            .setIssuer(clientId)
            .setSubject(clientId)
            .setAudience(tokenEndpointUri)
            .setId(UUID.randomUUID().toString())
            .setIssuedAt(issuedAt)
            .setNotBefore(issuedAt)
            .setExpiration(expiresAt)
            .signWith(SignatureAlgorithm.RS256, key)
            .compact();
}
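/**
 * Builds the signed "new registration" request body.
 *
 * <p>The payload is assembled in a plain {@link TreeMap} rather than via double-brace
 * initialization: the anonymous {@code TreeMap} subclass that idiom creates captures the
 * enclosing instance and is what forced the {@code "serial"} warning suppression.
 *
 * @param userKey the account key pair; the public half is published as the {@code jwk}
 *     header, the private half signs the request
 * @param nonce the replay-protection nonce to echo in the header
 * @param agreement the agreement URL, omitted from the payload when {@code null}
 * @param contacts contact URIs, omitted from the payload when {@code null} or empty
 * @return the compact JWS string
 */
protected String getRegistrationRequest(final KeyPair userKey, final String nonce, final String agreement, final String[] contacts) {
    final TreeMap<String, Object> payload = new TreeMap<String, Object>();
    payload.put(RESOURCE_KEY, RESOURCE_NEW_REG);
    if (contacts != null && contacts.length > 0) {
        payload.put(CONTACT_KEY, contacts);
    }
    if (agreement != null) {
        payload.put(AGREEMENT_KEY, agreement);
    }
    return Jwts.builder()
            .setHeaderParam(NONCE_KEY, nonce)
            .setHeaderParam(JwsHeader.JSON_WEB_KEY, JWKUtils.getWebKey(userKey.getPublic()))
            .setClaims(payload)
            .signWith(getJWSSignatureAlgorithm(), userKey.getPrivate())
            .compact();
}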
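/**
 * Parses a compact JWS and returns its verified claims.
 *
 * <p>The verification key is selected by the token's {@code sub} claim. That claim is read
 * before the signature is checked and is therefore untrusted at that point; it is used only
 * as a lookup handle into {@code userToKeyMap}, and the signature is then verified with the
 * server-held key, so a forged subject can only pick a key the forger cannot sign with.
 *
 * @param jwt the compact JWS string
 * @return the verified claims body
 * @throws MissingClaimException if the token carries no (or an empty) subject
 * @throws SignatureException if no key is registered for the subject, or the signature
 *     does not verify
 */
private static Claims getBody(String jwt) {
    return Jwts.parser()
            .setSigningKeyResolver(new SigningKeyResolverAdapter() {
                @Override
                public Key resolveSigningKey(JwsHeader header, Claims claims) {
                    String subject = claims.getSubject();
                    if (subject == null || subject.isEmpty()) {
                        throw new MissingClaimException(header, claims, "Subject is not provided in JWT.");
                    }
                    // Single lookup; an unknown subject is reported as an unverifiable signature
                    Key signingKey = userToKeyMap.get(subject);
                    if (signingKey == null) {
                        throw new SignatureException("Signing key is not registered for the subject.");
                    }
                    return signingKey;
                }
            })
            .parseClaimsJws(jwt)
            .getBody();
}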
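/**
 * Builds an RS512-signed test JWT for the fixed test principal.
 *
 * <p>The {@code exp} claim is a JWT NumericDate, i.e. seconds since the epoch (RFC 7519).
 * Passing raw milliseconds through {@code claim()} bypasses the builder's Date conversion
 * and places expiry roughly a thousand times too far in the future, which silently disables
 * the expiry check; the value is therefore scaled to seconds here.
 *
 * @return the compact JWS string, valid for about 10 seconds
 * @throws GeneralSecurityException if the test private key cannot be parsed
 */
private String generateJwt() throws GeneralSecurityException {
    PrivateKey privateKey = SecurityKeyUtils.parseRSAPrivateKey(TEST_PRIVATE_KEY);
    Map<String, String> userInfo = buildUserInfo();
    // exp must be in seconds, not milliseconds
    long expiresAtSeconds = (System.currentTimeMillis() + 10000L) / 1000L;
    return Jwts.builder()
            .setHeaderParam(JwsHeader.TYPE, JwsHeader.JWT_TYPE)
            .claim(Claims.ISSUER, "Symphony Communication Services LLC.")
            .claim(Claims.SUBJECT, "symphony-user-id")
            .claim(Claims.AUDIENCE, "app-id")
            .claim("user", userInfo)
            .claim(Claims.EXPIRATION, expiresAtSeconds)
            .signWith(SignatureAlgorithm.RS512, privateKey)
            .compact();
}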
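/**
 * Builds an <em>unsigned</em> test JWT with the same claims as the signed variant, for
 * checking that the consumer rejects tokens without a signature.
 *
 * <p>The {@code exp} claim is a JWT NumericDate in seconds since the epoch (RFC 7519);
 * supplying milliseconds through {@code claim()} would push expiry far into the future and
 * defeat the expiry check, so the value is scaled to seconds here.
 *
 * @return the compact, unsigned JWT string
 * @throws GeneralSecurityException declared for symmetry with {@code generateJwt()}; nothing
 *     in this body throws it
 */
private String generateUnsignedJwt() throws GeneralSecurityException {
    Map<String, String> userInfo = buildUserInfo();
    // exp must be in seconds, not milliseconds
    long expiresAtSeconds = (System.currentTimeMillis() + 10000L) / 1000L;
    return Jwts.builder()
            .setHeaderParam(JwsHeader.TYPE, JwsHeader.JWT_TYPE)
            .claim(Claims.ISSUER, "Symphony Communication Services LLC.")
            .claim(Claims.SUBJECT, "symphony-user-id")
            .claim(Claims.AUDIENCE, "app-id")
            .claim("user", userInfo)
            .claim(Claims.EXPIRATION, expiresAtSeconds)
            .compact();
}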
/**
 * Resolves the verification key through {@code delegate}, falling back to
 * {@code fallbackKey} when the delegate returns {@code null}.
 *
 * <p>Every token the delegate cannot place is consequently verified against the fallback
 * key, so that key widens what this resolver accepts and must be protected like the
 * delegate's own keys.
 */
@Override
public Key resolveSigningKey(JwsHeader header, Claims claims) {
    final Key resolved = delegate.resolveSigningKey(header, claims);
    return resolved != null ? resolved : this.fallbackKey;
}
/**
 * Hands out the shared {@code signatureKey} only for tokens whose header names exactly
 * {@code requiredAlgorithm}.
 *
 * <p>Pinning the algorithm before releasing the key keeps a token that merely claims a
 * different {@code alg} from being verified with this key under that algorithm.
 * {@code SignatureAlgorithm.forName} presumably rejects unknown names on its own — verify.
 *
 * @throws UnsupportedJwtException if the header algorithm differs from the required one
 */
@Override
public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
    final SignatureAlgorithm presented = SignatureAlgorithm.forName(header.getAlgorithm());
    final boolean pinned = this.requiredAlgorithm.equals(presented);
    if (!pinned) {
        throw new UnsupportedJwtException("Invalid algorithm");
    }
    return signatureKey;
}
/**
 * Gets the value of the <em>exp</em> claim of a JWT.
 *
 * <p>The token is <strong>not</strong> verified: the claim is captured inside the key
 * resolver, the resolver returns {@code DUMMY_KEY} instead of a real key, and the
 * {@link JwtException} that follows is discarded. Callers must not treat the returned
 * date as trustworthy. Because every parse failure is swallowed alike, a malformed token
 * also surfaces as "no exp claim".
 *
 * @param token The token.
 * @return The expiration.
 * @throws NullPointerException if the token is {@code null}.
 * @throws IllegalArgumentException if the given token contains no <em>exp</em> claim.
 */
public static final Date getExpiration(final String token) {
    if (token == null) {
        throw new NullPointerException("token must not be null");
    }
    final AtomicReference<Date> captured = new AtomicReference<>();
    final SigningKeyResolverAdapter expCapture = new SigningKeyResolverAdapter() {
        @SuppressWarnings("rawtypes")
        @Override
        public Key resolveSigningKey(JwsHeader header, Claims claims) {
            final Date exp = claims.getExpiration();
            if (exp != null) {
                captured.set(exp);
            }
            // Never the real key: verification is expected to fail and be ignored below
            return DUMMY_KEY;
        }
    };
    try {
        Jwts.parser().setSigningKeyResolver(expCapture).parse(token);
    } catch (JwtException ignored) {
        // expected since we do not know the signing key
    }
    final Date expiration = captured.get();
    if (expiration == null) {
        throw new IllegalArgumentException("token contains no exp claim");
    }
    return expiration;
}
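/**
 * Builds the signed "new authorization" request body for a DNS identifier.
 *
 * <p>Both the outer payload and the nested identifier object are built as plain
 * {@link TreeMap}s instead of double-brace initialization, which creates anonymous
 * subclasses that capture the enclosing instance and required the {@code "serial"}
 * suppression.
 *
 * @param userKey the account key pair; the public half is published as the {@code jwk}
 *     header, the private half signs the request
 * @param nextNonce the replay-protection nonce to echo in the header
 * @param domain the DNS name to request authorization for
 * @return the compact JWS string
 */
protected String getAuthorizationRequest(final KeyPair userKey, final String nextNonce, final String domain) {
    final TreeMap<String, Object> identifier = new TreeMap<String, Object>();
    identifier.put(IDENTIFIER_TYPE_KEY, IDENTIFIER_TYPE_DNS);
    identifier.put(IDENTIFIER_VALUE_KEY, domain);

    final TreeMap<String, Object> payload = new TreeMap<String, Object>();
    payload.put(RESOURCE_KEY, RESOURCE_NEW_AUTHZ);
    payload.put(IDENTIFIER_KEY, identifier);

    return Jwts.builder()
            .setHeaderParam(NONCE_KEY, nextNonce)
            .setHeaderParam(JwsHeader.JSON_WEB_KEY, JWKUtils.getWebKey(userKey.getPublic()))
            .setClaims(payload)
            .signWith(getJWSSignatureAlgorithm(), userKey.getPrivate())
            .compact();
}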
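/**
 * Builds the signed "new certificate" request body carrying the DER-encoded CSR.
 *
 * <p>The payload is a plain {@link TreeMap} rather than a double-brace-initialized
 * anonymous subclass (which captured the enclosing instance and needed the
 * {@code "serial"} suppression).
 *
 * @param userKey the account key pair; the public half is published as the {@code jwk}
 *     header, the private half signs the request
 * @param nonce the replay-protection nonce to echo in the header
 * @param csr the certificate signing request, sent Base64URL-encoded
 * @return the compact JWS string
 * @throws IOException if the CSR cannot be DER-encoded
 */
protected String getNewCertificateRequest(final KeyPair userKey, final String nonce, final PKCS10CertificationRequest csr) throws IOException {
    final TreeMap<String, Object> payload = new TreeMap<String, Object>();
    payload.put(RESOURCE_KEY, RESOURCE_NEW_CERT);
    payload.put(CSR_KEY, TextCodec.BASE64URL.encode(csr.getEncoded()));

    return Jwts.builder()
            .setHeaderParam(NONCE_KEY, nonce)
            .setHeaderParam(JwsHeader.JSON_WEB_KEY, JWKUtils.getWebKey(userKey.getPublic()))
            .setClaims(payload)
            .signWith(getJWSSignatureAlgorithm(), userKey.getPrivate())
            .compact();
}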
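/**
 * Builds the signed HTTP-01 challenge response body.
 *
 * <p>The payload is a plain {@link TreeMap} rather than a double-brace-initialized
 * anonymous subclass (which captured the enclosing instance and needed the
 * {@code "serial"} suppression). The key authorization is derived from the account key
 * and the challenge token by {@code getHTTP01ChallengeContent}.
 *
 * @param userKey the account key pair; the public half is published as the {@code jwk}
 *     header, the private half signs the request
 * @param token the challenge token issued by the server
 * @param nonce the replay-protection nonce to echo in the header
 * @return the compact JWS string
 */
protected String getHTTP01ChallengeRequest(final KeyPair userKey, final String token, final String nonce) {
    final TreeMap<String, Object> payload = new TreeMap<String, Object>();
    payload.put(RESOURCE_KEY, RESOURCE_CHALLENGE);
    payload.put(CHALLENGE_TYPE_KEY, CHALLENGE_TYPE_HTTP_01);
    payload.put(CHALLENGE_TLS_KEY, true);
    payload.put(CHALLENGE_KEY_AUTHORIZATION_KEY, getHTTP01ChallengeContent(userKey, token));
    payload.put(CHALLENGE_TOKEN_KEY, token);

    return Jwts.builder()
            .setHeaderParam(NONCE_KEY, nonce)
            .setHeaderParam(JwsHeader.JSON_WEB_KEY, JWKUtils.getWebKey(userKey.getPublic()))
            .setClaims(payload)
            .signWith(getJWSSignatureAlgorithm(), userKey.getPrivate())
            .compact();
}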
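/**
 * Builds the signed "update registration" request body.
 *
 * <p>The payload is a plain {@link TreeMap} rather than a double-brace-initialized
 * anonymous subclass (which captured the enclosing instance and needed the
 * {@code "serial"} suppression). Unlike the initial registration request, the agreement
 * entry is always sent, even when {@code null}.
 *
 * @param userKey the account key pair; the public half is published as the {@code jwk}
 *     header, the private half signs the request
 * @param nonce the replay-protection nonce to echo in the header
 * @param agreement the agreement URL; sent as-is, including {@code null}
 * @param contacts contact URIs, omitted from the payload when {@code null} or empty
 * @return the compact JWS string
 */
protected String getUpdateRegistrationRequest(final KeyPair userKey, final String nonce, final String agreement, final String[] contacts) {
    final TreeMap<String, Object> payload = new TreeMap<String, Object>();
    payload.put(RESOURCE_KEY, RESOURCE_UPDATE_REGISTRATION);
    if (contacts != null && contacts.length > 0) {
        payload.put(CONTACT_KEY, contacts);
    }
    payload.put(AGREEMENT_KEY, agreement);

    return Jwts.builder()
            .setHeaderParam(NONCE_KEY, nonce)
            .setHeaderParam(JwsHeader.JSON_WEB_KEY, JWKUtils.getWebKey(userKey.getPublic()))
            .setClaims(payload)
            .signWith(getJWSSignatureAlgorithm(), userKey.getPrivate())
            .compact();
}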
/**
 * Creates a JWS holder from its three already-parsed parts.
 *
 * <p>This is a plain value holder: it stores what it is given and performs no
 * verification of the signature against the header or body.
 *
 * @param header the JWS header
 * @param body the parsed body (payload) of type {@code B}
 * @param signature the signature string as supplied by the parser
 */
public DefaultJws(JwsHeader header, B body, String signature) {
    this.signature = signature;
    this.body = body;
    this.header = header;
}
/**
 * Returns the JWS header this instance was constructed with.
 *
 * @return the header; no copy is made
 */
@Override
public JwsHeader getHeader() {
    return header;
}
/**
 * Stores the {@code alg} header value.
 *
 * <p>Only the stored value changes; which algorithm a verifier actually honours is
 * decided by the parser, not by this setter.
 *
 * @param alg the algorithm name to record under {@code ALGORITHM}
 * @return this header, for chaining
 */
@Override
public JwsHeader setAlgorithm(String alg) {
    this.setValue(ALGORITHM, alg);
    return this;
}
/**
 * Stores the {@code kid} header value.
 *
 * <p>The key id is an unauthenticated hint until the signature has been verified; it is
 * recorded here verbatim.
 *
 * @param kid the key identifier to record under {@code KEY_ID}
 * @return this header, for chaining
 */
@Override
public JwsHeader setKeyId(String kid) {
    this.setValue(KEY_ID, kid);
    return this;
}