org.tomitribe.auth.signatures.Signer Maven / Gradle / Ivy
Show all versions of gravitee-policy-http-signature Show documentation
package org.tomitribe.auth.signatures;
import static java.util.Objects.requireNonNull;
import java.io.IOException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.util.Map;
import javax.crypto.Mac;
/**
* It is an intentional part of the design that the same Signer instance
* can be reused on several HTTP Messages in a multi-threaded fashion
*
*
* The supplied Signature instance will be used as the basis for all
* future signatures created from this Signer.
*
*
* Each call to 'sign' will emit a Signature with the same 'keyId',
* 'algorithm', 'headers' but a newly calculated 'signature'
*
*/
public class Signer {
private final Sign sign;
private final Signature signature;
private final Algorithm algorithm;
private final Provider provider;
public Signer(final Key key, final Signature signature) {
this(key, signature, null);
}
public Signer(final Key key, final Signature signature, final Provider provider) {
requireNonNull(key, "Key cannot be null");
this.signature = requireNonNull(signature, "Signature cannot be null");
this.algorithm = signature.getAlgorithm();
this.provider = provider;
if (java.security.Signature.class.equals(algorithm.getType())) {
this.sign = new Asymmetric(PrivateKey.class.cast(key));
} else if (Mac.class.equals(algorithm.getType())) {
this.sign = new Symmetric(key);
} else {
throw new UnsupportedAlgorithmException(
String.format("Unknown Algorithm type %s %s", algorithm.getPortableName(), algorithm.getType().getName())
);
}
// check that the JVM really knows the algorithm we are going to use
try {
sign.sign("validation".getBytes());
} catch (final RuntimeException e) {
throw (RuntimeException) e;
} catch (final Exception e) {
throw new IllegalStateException("Can't initialise the Signer using the provided algorithm and key", e);
}
}
/**
* Create and return a HTTP signature object configured with 'created' and 'expires' values.
* Useful if you want to recreate a Signature from configuration to validate another one.
*
* @param method The HTTP method.
* @param uri The path and query of the request target of the message.
* The value must already be encoded exactly as it will be sent in the
* request line of the HTTP message. No URL encoding is performed by this method.
* @param headers The HTTP headers.
* @param created the created timestamp
* @param expires the expires timestamp
*
* @return a Signature object containing the signed message.
*/
public Signature sign(final String method, final String uri, final Map headers, Long created, Long expires)
throws IOException {
final String signingString = createSigningString(method, uri, headers, created, expires);
final byte[] binarySignature = sign.sign(signingString.getBytes("UTF-8"));
final byte[] encoded = Base64.encodeBase64(binarySignature);
final String signedAndEncodedString = new String(encoded, "UTF-8");
return new Signature(
signature.getKeyId(),
signature.getSigningAlgorithm(),
signature.getAlgorithm(),
signature.getParameterSpec(),
signedAndEncodedString,
signature.getHeaders(),
null,
created,
expires
);
}
/**
* Create and return a HTTP signature object.
*
* @param method The HTTP method.
* @param uri The path and query of the request target of the message.
* The value must already be encoded exactly as it will be sent in the
* request line of the HTTP message. No URL encoding is performed by this method.
* @param headers The HTTP headers.
*
* @return a Signature object containing the signed message.
*/
public Signature sign(final String method, final String uri, final Map headers) throws IOException {
final long created = System.currentTimeMillis();
Long expires = signature.getSignatureMaxValidityMilliseconds();
if (expires != null) {
expires += created;
}
return sign(method, uri, headers, created, expires);
}
/**
* Create and return the string which is used as input for the cryptographic signature.
*
* @param method The HTTP method.
* @param uri The path and query of the request target of the message.
* The value must already be encoded exactly as it will be sent in the
* request line of the HTTP message. No URL encoding is performed by this method.
* @param headers The HTTP headers.
* @param created The time when the signature is created.
* @param expires The time when the signature expires.
* @return The signing string.
* @throws IOException when an exception occurs while creating the signing string.
*/
public String createSigningString(
final String method,
final String uri,
final Map headers,
final Long created,
final Long expires
) throws IOException {
return Signatures.createSigningString(signature.getHeaders(), method, uri, headers, created, expires);
}
/**
* Create and return the string which is used as input for the cryptographic signature.
*
* @param method The HTTP method.
* @param uri The URI path and query parameters.
* @param headers The HTTP headers.
* @return The signing string.
* @throws IOException when an exception occurs while creating the signing string.
*/
public String createSigningString(final String method, final String uri, final Map headers) throws IOException {
return Signatures.createSigningString(
signature.getHeaders(),
method,
uri,
headers,
signature.getSignatureCreationTimeMilliseconds(),
signature.getSignatureExpirationTimeMilliseconds()
);
}
private interface Sign {
byte[] sign(byte[] signingStringBytes);
}
private class Asymmetric implements Sign {
private final PrivateKey key;
private Asymmetric(final PrivateKey key) {
this.key = key;
}
@Override
public byte[] sign(final byte[] signingStringBytes) {
try {
final java.security.Signature instance = provider == null
? java.security.Signature.getInstance(algorithm.getJvmName())
: java.security.Signature.getInstance(algorithm.getJvmName(), provider);
if (signature.getParameterSpec() != null) {
instance.setParameter(signature.getParameterSpec());
}
instance.initSign(key);
instance.update(signingStringBytes);
return instance.sign();
} catch (final NoSuchAlgorithmException e) {
throw new UnsupportedAlgorithmException(algorithm.getJvmName());
} catch (final Exception e) {
throw new IllegalStateException(e);
}
}
}
private class Symmetric implements Sign {
private final Key key;
private Symmetric(final Key key) {
this.key = key;
}
@Override
public byte[] sign(final byte[] signingStringBytes) {
try {
final Mac mac = provider == null
? Mac.getInstance(algorithm.getJvmName())
: Mac.getInstance(algorithm.getJvmName(), provider);
mac.init(key);
return mac.doFinal(signingStringBytes);
} catch (final NoSuchAlgorithmException e) {
throw new UnsupportedAlgorithmException(algorithm.getJvmName());
} catch (final Exception e) {
throw new IllegalStateException(e);
}
}
}
}