All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.github.vindell.jwt.token.SignedWithEdAndEncryptedWithRsaJWTRepository Maven / Gradle / Ivy

The newest version!
/*
 * Copyright (c) 2018, vindell (https://github.com/vindell).
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy of
 * the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations under
 * the License.
 */
package com.github.vindell.jwt.token;

import java.text.ParseException;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

import com.github.vindell.jwt.JwtPayload;
import com.github.vindell.jwt.exception.IncorrectJwtException;
import com.github.vindell.jwt.exception.InvalidJwtToken;
import com.github.vindell.jwt.exception.JwtException;
import com.github.vindell.jwt.time.JwtTimeProvider;
import com.github.vindell.jwt.utils.NimbusdsUtils;
import com.github.vindell.jwt.verifier.ExtendedEd25519Verifier;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEEncrypter;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.Ed25519Signer;
import com.nimbusds.jose.crypto.Ed25519Verifier;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.jwk.OctetKeyPair;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

/**
 *  JSON Web Token (JWT) with Ed signature and RSA encryption 
 * 

https://www.connect2id.com/products/nimbus-jose-jwt/examples/jwt-with-eddsa

*

https://www.connect2id.com/products/nimbus-jose-jwt/examples/jwt-with-rsa-encryption

*

https://www.connect2id.com/products/nimbus-jose-jwt/examples/signed-and-encrypted-jwt

*/ public class SignedWithEdAndEncryptedWithRsaJWTRepository implements JwtKeyPairRepository { private JwtTimeProvider timeProvider = JwtTimeProvider.DEFAULT_TIME_PROVIDER; /** * Issue JSON Web Token (JWT) * @author :vindell * @param signingKey : Signing key * @param secretKey : Encryption key * @param jwtId : Jwt Id * @param subject : Jwt Subject * @param issuer : Jwt Issuer * @param audience : Jwt Audience * @param roles : The Roles * @param permissions : The Perms * @param algorithm : Supported algorithm: Ed25519 * @param period : Jwt Expiration Cycle * @return JSON Web Token (JWT) * @throws JwtException When Authentication Exception */ @Override public String issueJwt(OctetKeyPair signingKey, RSAKey secretKey, String jwtId, String subject, String issuer, String audience, String roles, String permissions, String algorithm, long period) throws JwtException { Map claims = new HashMap(); claims.put("roles", roles); claims.put("perms", permissions); return this.issueJwt(signingKey, secretKey, jwtId, subject, issuer, audience, claims, algorithm, period); } /** * Issue JSON Web Token (JWT) * @author :vindell * @param signingKey : Signing key * @param secretKey : Encryption key * @param jwtId : Jwt Id * @param subject : Jwt Subject * @param issuer : Jwt Issuer * @param audience : Jwt Audience * @param claims : Jwt Claims * @param algorithm : Supported algorithm: Ed25519 * @param period : Jwt Expiration Cycle * @return JSON Web Token (JWT) * @throws JwtException When Authentication Exception */ @Override public String issueJwt(OctetKeyPair signingKey, RSAKey secretKey, String jwtId, String subject, String issuer, String audience, Map claims, String algorithm, long period) throws JwtException { try { //-------------------- Step 1:Get ClaimsSet -------------------- // Prepare JWT with claims set JWTClaimsSet.Builder builder = NimbusdsUtils.claimsSet(jwtId, subject, issuer, audience, claims, period); // 签发时间 long currentTimeMillis = this.getTimeProvider().now(); Date now = new Date(currentTimeMillis); builder.issueTime(now); // 有效期起始时间 builder.notBeforeTime(now); // Token过期时间 if (period >= 0) { // 有效时间 Date expiration = new Date(currentTimeMillis + period ); builder.expirationTime(expiration); } JWTClaimsSet claimsSet = builder.build(); //-------------------- Step 2:EdDSA Signature -------------------- // Request JWS Header with EdDSA JWSAlgorithm JWSHeader jwsHeader = new JWSHeader.Builder(JWSAlgorithm.EdDSA).keyID(signingKey.getKeyID()).build(); SignedJWT signedJWT = new SignedJWT(jwsHeader, claimsSet); // Create the EdDSA signer JWSSigner signer = new Ed25519Signer(signingKey); // Compute the EC signature signedJWT.sign(signer); //-------------------- Step 3:RSA Encrypt ---------------------- // Request JWT encrypted with RSA-OAEP-256 and 256-bit AES/GCM JWEHeader jweHeader = new JWEHeader(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A256GCM); // Create JWE object with signed JWT as payload JWEObject jweObject = new JWEObject( jweHeader, new Payload(signedJWT)); // Create an encrypter with the specified public RSA key JWEEncrypter encrypter = new RSAEncrypter(secretKey.toPublicJWK()); // Do the actual encryption jweObject.encrypt(encrypter); // Serialise to JWE compact form return jweObject.serialize(); } catch (IllegalStateException e) { throw new IncorrectJwtException(e); } catch (KeyLengthException e) { throw new IncorrectJwtException(e); } catch (JOSEException e) { throw new IncorrectJwtException(e); } } /** * Verify the validity of JWT * @author : vindell * @param signingKey : *

If the jws was signed with a SecretKey, the same SecretKey should be specified on the JwtParser.

*

If the jws was signed with a PrivateKey, that key's corresponding PublicKey (not the PrivateKey) should be specified on the JwtParser.

* @param secretKey : *

If the jws was encrypted with a SecretKey, the same SecretKey should be specified on the JwtParser.

*

If the jws was encrypted with a PrivateKey, that key's corresponding PublicKey (not the PrivateKey) should be specified on the JwtParser.

* @param token : JSON Web Token (JWT) * @param checkExpiry : If Check validity. * @return If Validity * @throws JwtException When Authentication Exception */ @Override public boolean verify(OctetKeyPair signingKey, RSAKey secretKey, String token, boolean checkExpiry) throws JwtException { try { //-------------------- Step 1:RSA Decrypt ---------------------- // Parse the JWE string JWEObject jweObject = JWEObject.parse(token); // Decrypt with private key jweObject.decrypt(new RSADecrypter(secretKey)); // Extract payload SignedJWT signedJWT = jweObject.getPayload().toSignedJWT(); //-------------------- Step 2:EdDSA Verify -------------------- // Create Ed25519 verifier JWSVerifier verifier = checkExpiry ? new ExtendedEd25519Verifier(signingKey.toPublicJWK(), signedJWT.getJWTClaimsSet(), this.getTimeProvider()) : new Ed25519Verifier(signingKey.toPublicJWK()); // Retrieve / verify the JWT claims according to the app requirements return signedJWT.verify(verifier); } catch (IllegalStateException e) { throw new IncorrectJwtException(e); } catch (NumberFormatException e) { throw new IncorrectJwtException(e); } catch (ParseException e) { throw new IncorrectJwtException(e); } catch (JOSEException e) { throw new InvalidJwtToken(e); } } /** * Parser JSON Web Token (JWT) * @author :vindell * @param signingKey : *

If the jws was signed with a SecretKey, the same SecretKey should be specified on the JwtParser.

*

If the jws was signed with a PrivateKey, that key's corresponding PublicKey (not the PrivateKey) should be specified on the JwtParser.

* @param secretKey : *

If the jws was encrypted with a SecretKey, the same SecretKey should be specified on the JwtParser.

*

If the jws was encrypted with a PrivateKey, that key's corresponding PublicKey (not the PrivateKey) should be specified on the JwtParser.

* @param token : JSON Web Token (JWT) * @param checkExpiry : If Check validity. * @return JwtPlayload {@link JwtPayload} * @throws JwtException When Authentication Exception */ @Override public JwtPayload getPlayload(OctetKeyPair signingKey, RSAKey secretKey, String token, boolean checkExpiry) throws JwtException { try { //-------------------- Step 1:RSA Decrypt ---------------------- // Parse the JWE string JWEObject jweObject = JWEObject.parse(token); // Decrypt with private key jweObject.decrypt(new RSADecrypter(secretKey)); // Extract payload SignedJWT signedJWT = jweObject.getPayload().toSignedJWT(); //-------------------- Step 2:EdDSA Verify -------------------- // Create Ed25519 verifier JWSVerifier verifier = checkExpiry ? new ExtendedEd25519Verifier(signingKey.toPublicJWK(), signedJWT.getJWTClaimsSet(), this.getTimeProvider()) : new Ed25519Verifier(signingKey.toPublicJWK()); // Retrieve / verify the JWT claims according to the app requirements if(!signedJWT.verify(verifier)) { throw new JwtException(String.format("Invalid JSON Web Token (JWT) : %s", token)); } //-------------------- Step 3:Gets The Claims --------------- // Retrieve JWT claims return NimbusdsUtils.payload(signedJWT.getJWTClaimsSet()); } catch (IllegalStateException e) { throw new IncorrectJwtException(e); } catch (NumberFormatException e) { throw new IncorrectJwtException(e); } catch (ParseException e) { throw new IncorrectJwtException(e); } catch (JOSEException e) { throw new InvalidJwtToken(e); } } public JwtTimeProvider getTimeProvider() { return timeProvider; } public void setTimeProvider(JwtTimeProvider timeProvider) { this.timeProvider = timeProvider; } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy