org.jose4j.jwk.JsonWebKey Java Examples

Example #1
Source File: KeyLocationResolver.java    From smallrye-jwt with Apache License 2.0 6 votes vote down vote up
/**
 * Picks a verification key out of a JWK set for a token's {@code kid} and signature algorithm.
 *
 * <p>A JWK is accepted when it declares no {@code alg}, or when its {@code alg} equals
 * {@code algo.getAlgorithm()}. With a non-null {@code kid}, the first JWK whose key id equals it
 * and whose algorithm is accepted is used. Otherwise a set holding exactly one JWK may be used
 * as a fallback.
 *
 * @param kid  key id taken from the token, may be {@code null}
 * @param keys JWK set to search
 * @param algo signature algorithm expected by the caller
 * @return the selected public key, or {@code null} when no JWK qualifies
 */
static PublicKey getKeyFromJsonWebKeys(String kid, List<JsonWebKey> keys, SignatureAlgorithm algo) {
    if (kid != null) {
        for (JsonWebKey candidate : keys) {
            if (!kid.equals(candidate.getKeyId())) {
                continue;
            }
            String declaredAlg = candidate.getAlgorithm();
            // A JWK without 'alg' is not restricted here; the algorithm must then be
            // constrained elsewhere by the caller.
            if (declaredAlg == null || algo.getAlgorithm().equals(declaredAlg)) {
                // The cast throws ClassCastException for a JWK that is not a PublicJsonWebKey.
                return PublicJsonWebKey.class.cast(candidate).getPublicKey();
            }
        }
    }

    // Single-key fallback.
    // NOTE(review): this branch is taken when EITHER the token or the JWK lacks a 'kid';
    // the original comment reads as if both must lack it - confirm which is intended.
    if (keys.size() != 1) {
        return null;
    }
    JsonWebKey onlyJwk = keys.get(0);
    if (kid != null && onlyJwk.getKeyId() != null) {
        return null;
    }
    String onlyAlg = onlyJwk.getAlgorithm();
    if (onlyAlg != null && !algo.getAlgorithm().equals(onlyAlg)) {
        return null;
    }
    return PublicJsonWebKey.class.cast(onlyJwk).getPublicKey();
}
 
Example #2
Source File: JwtConsumerTest.java    From Jose4j with Apache License 2.0 6 votes vote down vote up
/**
 * Processes an encrypted-only JWT (header {"alg":"dir","enc":"A128CBC-HS256"}) with a shared
 * symmetric key, then checks that tokens with an altered ciphertext segment are rejected.
 */
@Test
public void encOnlyWithIntegrityIssues() throws Exception
{
    // Test-only symmetric key; the token below was produced with it.
    final JsonWebKey sharedKey = JsonWebKey.Factory.newJwk("{\"kty\":\"oct\",\"k\":\"30WEMkbhwHPBkg_fIfm_4GuzIz5pPZB7_BSfI3dHbbQ\"}");
    final String goodJwt = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..zWNzKpA-QA0BboVl02nz-A.oSy4V6cQ6EnuIMyazDCqc9jEZMC7k8LwLKkrC12Pf-wpFRyDtQjGdIZ_Ndq9JMAnrCbx0bgFSxjKISbXbcnHiA.QsGX3JhHP1Pwy4zQ8Ha9FQ";

    // setDisableRequireSignature() lets a JWE-only token through: there is no JWS layer, so
    // tamper detection depends on the JWE integrity check and on the shared key staying secret.
    JwtConsumer consumer = new JwtConsumerBuilder()
            .setDecryptionKeyResolver(new JwksDecryptionKeyResolver(Collections.singletonList(sharedKey)))
            .setEvaluationTime(NumericDate.fromSeconds(1420230888))
            .setExpectedAudience("me")
            .setExpectedIssuer("me")
            .setRequireExpirationTime()
            .setDisableRequireSignature()
            .build();

    JwtClaims claims = consumer.processToClaims(goodJwt);
    Assert.assertThat("value", equalTo(claims.getStringClaimValue("name")));

    // Same header, IV and tag, but the ciphertext segment is replaced (it looks like
    // base64url-encoded plaintext claims): processing has to fail.
    final String swappedCiphertextJwt = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..zWNzKpA-QA0BboVl02nz-A.eyJpc3MiOiJtZSIsImF1ZCI6Im1lIiwiZXhwIjoxNDIwMjMxNjA2LCJuYW1lIjoidmFsdWUifQ.QsGX3JhHP1Pwy4zQ8Ha9FQ";
    SimpleJwtConsumerTestHelp.expectProcessingFailure(swappedCiphertextJwt, consumer);

    // Same again with a different ciphertext segment under the unchanged tag.
    final String otherCiphertextJwt = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..zWNzKpA-QA0BboVl02nz-A.u1D7JCpDFeRl69G1L-h3IRrmcOXiWLnhr23ugO2kkDqKVNcO1YQ4Xvl9Sag4aYOnkqUbqe6Wdz8KK3d9q178tA.QsGX3JhHP1Pwy4zQ8Ha9FQ";
    SimpleJwtConsumerTestHelp.expectProcessingFailure(otherCiphertextJwt, consumer);
}
 
Example #3
Source File: JwtConsumerTest.java    From Jose4j with Apache License 2.0 6 votes vote down vote up
/**
 * Expects {@code InvalidJwtSignatureException} when a JWS is processed with an HMAC key
 * that does not match its signature.
 */
@Test (expected = InvalidJwtSignatureException.class)
public void jwtBadSig() throws Exception
{
    // Test-only symmetric key used as the verification key.
    final String jwk = "{\"kty\":\"oct\",\"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}";
    final JsonWebKey verificationJwk = JsonWebKey.Factory.newJwk(jwk);

    // Compact JWS: header, payload and signature segments.
    final String jwt = "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9." +
            "eyJpc3MiOiJqb2UiLAogImV4cCI6MTkwMDgxOTM4MCwKICJodHRwOi8vZXhhbXBsZS5jb20vaXNfcm9vdCI6dHJ1ZX0." +
            "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";

    // Evaluation time is pinned so the outcome does not depend on the wall clock.
    JwtConsumerBuilder builder = new JwtConsumerBuilder()
            .setVerificationKey(verificationJwk.getKey())
            .setEvaluationTime(NumericDate.fromSeconds(1900000380))
            .setExpectedIssuer("joe")
            .setRequireExpirationTime();
    JwtConsumer consumer = builder.build();

    consumer.process(jwt);
}
 
Example #4
Source File: AbstractJWKSTest.java    From microprofile-jwt-auth with Apache License 2.0 6 votes vote down vote up
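/**
 * Loads the signer-keypair.jwk resource that was generated using https://mkjwk.org
 * and returns the private key.
 *
 * <p>As a debugging aid the public exponent and modulus are printed to standard output in
 * base64url form; only public parameters are printed, never the private key.
 * NOTE(review): per the line above the key pair came from an online generator, so it should be
 * treated as test-only material.
 *
 * @return the private key from the key pair
 * @throws Exception if the resource cannot be read or parsed as an RSA JWK
 */
static PrivateKey loadPrivateKey() throws Exception {
    String jwk = TokenUtils.readResource("/signer-keypair.jwk");
    RsaJsonWebKey rsaJsonWebKey = (RsaJsonWebKey) JsonWebKey.Factory.newJwk(jwk);
    RSAPublicKey pk = rsaJsonWebKey.getRsaPublicKey();

    // encodeToString avoids new String(byte[]), which depends on the platform default charset.
    Base64.Encoder urlEncoder = Base64.getUrlEncoder().withoutPadding();
    String e = urlEncoder.encodeToString(pk.getPublicExponent().toByteArray());

    // BigInteger.toByteArray() is two's complement, so a positive modulus whose top bit is set
    // carries a leading zero byte; drop it before encoding.
    byte[] nbytes = pk.getModulus().toByteArray();
    if (nbytes.length > 1 && nbytes[0] == 0) {
        byte[] tmp = new byte[nbytes.length - 1];
        System.arraycopy(nbytes, 1, tmp, 0, tmp.length);
        nbytes = tmp;
    }
    String n = urlEncoder.encodeToString(nbytes);
    System.out.printf("e: %s\n", e);
    System.out.printf("n: %s\n", n);

    // Second rendering of the modulus through the library helper, printed for comparison.
    n = BigEndianBigInteger.toBase64Url(pk.getModulus());
    System.out.printf("n: %s\n", n);
    return rsaJsonWebKey.getRsaPrivateKey();
}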
 
Example #5
Source File: ZipTest.java    From Jose4j with Apache License 2.0 6 votes vote down vote up
/**
 * Checks that decrypting a JWE whose header carries an unsupported {@code zip} value
 * ({"zip":"bad",...}) fails with {@code InvalidAlgorithmException} mentioning the header name.
 */
public void testJwBadZipValueConsume() throws JoseException
{
    // Test-only symmetric key.
    JsonWebKey symmetricJwk = JsonWebKey.Factory.newJwk("{\"kty\":\"oct\",\"k\":\"q1qm8z2sLFt_CPqwpLuGm-fX6ZKQKnukPHpoJOeykCw\"}");

    String compactJwe = "eyJ6aXAiOiJiYWQiLCJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.." +
            "ZZZ0nR5f80ikJtaPot4RpQ." +
            "BlDAYKzn9oLH1fhZcR60ZKye7UHslg7s0h7s1ecNZ5A1Df1pq2pBWUwdRKjJRxJAEFbDFoXTFYjV-cLCCE2Uxw." +
            "zasDvsZ3U4YkTDgIUchjiA";

    JsonWebEncryption jwe = new JsonWebEncryption();
    jwe.setKey(symmetricJwk.getKey());
    jwe.setCompactSerialization(compactJwe);

    try
    {
        String decrypted = jwe.getPlaintextString();
        fail("Should fail with invalid zip header value but gave: " + decrypted);
    }
    catch (InvalidAlgorithmException expected)
    {
        // Only the presence of the header name in the message is checked.
        String message = expected.getMessage();
        assertTrue(message.contains(HeaderParameterNames.ZIP));
    }

}
 
Example #6
Source File: KeyLocationResolverTest.java    From smallrye-jwt with Apache License 2.0 6 votes vote down vote up
/**
 * Resolves a key from a stubbed HTTPS JWK set that holds one RSA JWK whose {@code kid}
 * equals the {@code kid} reported by the token headers.
 */
@Test
public void testLoadHttpsJwksMathchingKid() throws Exception {
    JWTAuthContextInfo authContext = new JWTAuthContextInfo("https://github.com/my_key.jwks", "issuer");
    authContext.setJwksRefreshInterval(10);

    // The resolver is handed the mocked HttpsJwks, so no HTTP request is made to the URL above.
    KeyLocationResolver keyLocationResolver = new KeyLocationResolver(authContext) {
        protected HttpsJwks initializeHttpsJwks() {
            return httpsJwks;
        }
    };

    // JWK set content: a single RSA key with kid "1".
    RsaJsonWebKey matchingJwk = new RsaJsonWebKey(key);
    matchingJwk.setKeyId("1");
    when(httpsJwks.getJsonWebKeys()).thenReturn(Collections.singletonList(matchingJwk));

    keyLocationResolver = Mockito.spy(keyLocationResolver);

    // Token side: the header reports kid "1".
    when(signature.getHeaders()).thenReturn(headers);
    when(headers.getStringHeaderValue(JsonWebKey.KEY_ID_PARAMETER)).thenReturn("1");

    assertEquals(key, keyLocationResolver.resolveKey(signature, emptyList()));
    // The resolver's verificationKey field is expected to stay unset on this path.
    assertNull(keyLocationResolver.verificationKey);
}
 
Example #7
Source File: JsonWebEncryptionTest.java    From Jose4j with Apache License 2.0 6 votes vote down vote up
/**
 * Decrypts the compact JWE from appendix A.3 of the JWE draft and checks the plaintext.
 */
@Test
public void testJweExampleA3() throws JoseException
{
    // http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-14#appendix-A.3
    // Published example key; not a secret.
    JsonWebKey exampleJwk = JsonWebKey.Factory.newJwk("\n" +
            "{\"kty\":\"oct\",\n" +
            " \"k\":\"GawgguFyGrWKav7AX4VKUg\"\n" +
            "}");

    String jweCsFromAppdxA3 = "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0." +
            "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ." +
            "AxY8DCtDaGlsbGljb3RoZQ." +
            "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY." +
            "U0m_YmjN04DJvceFICbCVQ";

    JsonWebEncryption jwe = new JsonWebEncryption();
    jwe.setCompactSerialization(jweCsFromAppdxA3);

    // The raw JWK key bytes are re-wrapped as an AesKey before being handed to the JWE.
    byte[] rawKeyBytes = exampleJwk.getKey().getEncoded();
    jwe.setKey(new AesKey(rawKeyBytes));

    assertEquals("Live long and prosper.", jwe.getPlaintextString());
}
 
Example #8
Source File: JWTVerificationkeyResolverTest.java    From lucene-solr with Apache License 2.0 5 votes vote down vote up
/**
 * Builds the fixture: five key holders, two mocked JWK lists and a resolver for one issuer
 * configured with two JWKS URLs.
 */
@Before
@SuppressWarnings({"unchecked"})
public void setUp() throws Exception {
  super.setUp();
  k1 = new KeyHolder("k1");
  k2 = new KeyHolder("k2");
  k3 = new KeyHolder("k3");
  k4 = new KeyHolder("k4");
  k5 = new KeyHolder("k5");

  // The first JWK list always serves k1 and k2.
  when(firstJwkList.getJsonWebKeys()).thenReturn(asList(k1.getJwk(), k2.getJwk()));
  // Every refresh() on the second list advances to the next key set in
  // refreshSequenceForSecondJwk, which the individual tests populate.
  doAnswer(invocation -> {
    keysToReturnFromSecondJwk = (List<JsonWebKey>) refreshSequenceForSecondJwk.next();
    System.out.println("Refresh called, next to return is " + keysToReturnFromSecondJwk);
    return null;
  }).when(secondJwkList).refresh();
  // The first read of the second list pulls the initial key set lazily; later reads return
  // whatever the most recent refresh() selected.
  when(secondJwkList.getJsonWebKeys()).then(inv -> {
    if (keysToReturnFromSecondJwk == null)
      keysToReturnFromSecondJwk = (List<JsonWebKey>) refreshSequenceForSecondJwk.next();
    return keysToReturnFromSecondJwk;
  });
  // The factory hands back the two mocks whatever URL list it is given, so "url1" and "url2"
  // below are never fetched.
  when(httpsJwksFactory.createList(anyList())).thenReturn(asList(firstJwkList, secondJwkList));

  JWTIssuerConfig issuerConfig = new JWTIssuerConfig("primary").setIss("foo").setJwksUrl(asList("url1", "url2"));
  // Static setter: the factory is installed on the JWTIssuerConfig class, not on this instance.
  JWTIssuerConfig.setHttpsJwksFactory(httpsJwksFactory);
  resolver = new JWTVerificationkeyResolver(Arrays.asList(issuerConfig), true);

  assumeWorkingMockito();
}
 
Example #9
Source File: HeadersTest.java    From Jose4j with Apache License 2.0 5 votes vote down vote up
/**
 * Stores a JWK as a header value, reads it back directly and again after an
 * encode/parse round trip, and checks that the key is equal each time.
 */
@Test
public void testRoundTripJwkHeader() throws JoseException
{
    final String headerName = "jwk";

    // NOTE(review): the fixture JSON includes the private parameter "d". The assertions below
    // only compare getKey() values; whether the encoded header omits "d" is not checked here.
    String ephemeralJwkJson = "\n{\"kty\":\"EC\",\n" +
            " \"crv\":\"P-256\",\n" +
            " \"x\":\"gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0\",\n" +
            " \"y\":\"SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps\",\n" +
            " \"d\":\"0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo\"\n" +
            "}";
    PublicJsonWebKey ephemeralJwk = PublicJsonWebKey.Factory.newPublicJwk(ephemeralJwkJson);

    // Direct read-back from the same Headers instance.
    Headers original = new Headers();
    original.setJwkHeaderValue(headerName, ephemeralJwk);
    JsonWebKey readBack = original.getJwkHeaderValue(headerName);
    assertThat(ephemeralJwk.getKey(), is(equalTo(readBack.getKey())));

    // Read-back after serializing the header and parsing it into a fresh instance.
    Headers reparsed = new Headers();
    reparsed.setEncodedHeader(original.getEncodedHeader());
    JsonWebKey afterRoundTrip = reparsed.getJwkHeaderValue(headerName);
    assertThat(ephemeralJwk.getKey(), is(equalTo(afterRoundTrip.getKey())));
}
 
Example #10
Source File: KeyLocationResolver.java    From smallrye-jwt with Apache License 2.0 5 votes vote down vote up
/**
 * Tells whether the JWK set contains a key whose id equals {@code kid}.
 *
 * @param keys JWK set to search; not touched when {@code kid} is {@code null}
 * @param kid  key id to look for, may be {@code null}
 * @return {@code true} if some JWK carries exactly this key id; {@code false} otherwise,
 *         including when {@code kid} is {@code null}
 */
private static boolean isMatchingJwkAvailable(List<JsonWebKey> keys, String kid) {
    // Only the key id is compared; algorithm and key type are not considered here.
    return kid != null && keys.stream().anyMatch(jwk -> kid.equals(jwk.getKeyId()));
}
 
Example #11
Source File: EcdhKeyAgreementAlgorithm.java    From Jose4j with Apache License 2.0 5 votes vote down vote up
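/**
 * Derives the content encryption key for decryption: reads the ephemeral public key from the
 * headers, runs the key agreement against the recipient's private key and feeds the shared
 * secret to the KDF.
 *
 * <p>The ephemeral key comes from the message header, i.e. from the sender. A missing or
 * wrongly typed value is reported as a {@link JoseException} instead of surfacing as a
 * NullPointerException or ClassCastException.
 *
 * @param managementKey   the recipient's private key
 * @param encryptedKey    not read by this method
 * @param cekDesc         descriptor of the content encryption key to derive
 * @param headers         message headers holding the ephemeral public key
 * @param providerContext provider settings
 * @return the derived content encryption key
 * @throws JoseException if the ephemeral key or management key is unusable, or derivation fails
 */
public Key manageForDecrypt(Key managementKey, byte[] encryptedKey, ContentEncryptionKeyDescriptor cekDesc, Headers headers,  ProviderContext providerContext) throws JoseException
{
    String keyFactoryProvider = providerContext.getGeneralProviderContext().getKeyFactoryProvider();
    JsonWebKey ephemeralJwk = headers.getPublicJwkHeaderValue(HeaderParameterNames.EPHEMERAL_PUBLIC_KEY, keyFactoryProvider);
    if (ephemeralJwk == null)
    {
        throw new JoseException("The " + HeaderParameterNames.EPHEMERAL_PUBLIC_KEY + " header is missing.");
    }

    Key ephemeralKey = ephemeralJwk.getKey();
    if (!(ephemeralKey instanceof PublicKey))
    {
        throw new JoseException("The " + HeaderParameterNames.EPHEMERAL_PUBLIC_KEY + " header does not hold a public key.");
    }
    if (!(managementKey instanceof PrivateKey))
    {
        throw new JoseException("A private key is required for key agreement.");
    }

    // NOTE(review): nothing in this method checks that the sender-supplied point lies on the
    // same curve as the private key. Confirm that JWK parsing or generateEcdhSecret validates
    // it before the agreement is computed.
    byte[] z = generateEcdhSecret((PrivateKey) managementKey, (PublicKey) ephemeralKey, providerContext);
    byte[] derivedKey = kdf(cekDesc, headers, z, providerContext);
    String cekAlg = cekDesc.getContentEncryptionKeyAlgorithm();
    return new SecretKeySpec(derivedKey, cekAlg);
}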
 
Example #12
Source File: JwsUsingHmacSha256ExampleTest.java    From Jose4j with Apache License 2.0 5 votes vote down vote up
/**
 * Signs PAYLOAD with the key from JWK under a fixed header and compares the compact
 * serialization with the expected JWS constant.
 */
public void testSignExample() throws JoseException
{
    JsonWebSignature signer = new JsonWebSignature();
    signer.setPayload(PAYLOAD);

    signer.setKey(JsonWebKey.Factory.newJwk(JWK).getKey());
    // The header JSON is set verbatim (including the \r\n), because its exact bytes are part
    // of the signing input and therefore of the expected value.
    signer.getHeaders().setFullHeaderAsJsonString("{\"typ\":\"JWT\",\r\n \"alg\":\"HS256\"}");

    String actual = signer.getCompactSerialization();
    assertEquals("example jws value doesn't match calculated compact serialization", JWS, actual);
}
 
Example #13
Source File: KeyUtils.java    From smallrye-jwt with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the key a JWK offers for encryption: the secret key of an {@code oct} JWK,
 * otherwise the public key.
 *
 * @param currentJwk the JWK to inspect
 * @return the encrypting key, or {@code null} when the JWK declares key operations that do
 *         not include {@code "encryption"}
 */
static Key getPublicOrSecretEncryptingKey(JsonWebKey currentJwk) {
    List<String> declaredOps = currentJwk.getKeyOps();
    // NOTE(review): RFC 7517 registers "encrypt" and "wrapKey" as key_ops values, not
    // "encryption". A JWK that lists only the registered values is rejected here - confirm
    // that this is intended.
    if (declaredOps != null && !declaredOps.contains("encryption")) {
        return null;
    }
    // Any non-"oct" JWK is cast to PublicJsonWebKey; the cast throws ClassCastException if the
    // JWK is of another kind.
    return "oct".equals(currentJwk.getKeyType())
            ? OctetSequenceJsonWebKey.class.cast(currentJwk).getKey()
            : PublicJsonWebKey.class.cast(currentJwk).getPublicKey();
}
 
Example #14
Source File: KeyLocationResolverTest.java    From smallrye-jwt with Apache License 2.0 5 votes vote down vote up
/**
 * Resolves a key when the first JWK set read has no JWK with the token's {@code kid} and a
 * matching JWK only appears after {@code refresh()} has been called on the key source.
 */
@Test
public void testLoadHttpsJwksNonMathchingKidAndRefresh() throws Exception {
    JWTAuthContextInfo contextInfo = new JWTAuthContextInfo("https://github.com/my_key.jwks", "issuer");
    contextInfo.setJwksRefreshInterval(10);

    // The resolver is handed the mocked HttpsJwks, so the URL above is never fetched.
    KeyLocationResolver keyLocationResolver = new KeyLocationResolver(contextInfo) {
        protected HttpsJwks initializeHttpsJwks() {
            return httpsJwks;
        }
    };
    // token 'kid' is '1'
    when(signature.getHeaders()).thenReturn(headers);
    when(headers.getStringHeaderValue(JsonWebKey.KEY_ID_PARAMETER)).thenReturn("1");

    final RsaJsonWebKey jwk = new RsaJsonWebKey(key);

    // Return JWK Set with a non-matching JWK with 'kid' set to '2'
    jwk.setKeyId("2");
    when(httpsJwks.getJsonWebKeys()).thenReturn(Collections.singletonList(jwk));

    // Refresh JWK Set and get a matching JWK with 'kid' set to '1'.
    // The same JWK instance is mutated, so the stubbed list starts to match after refresh().
    doAnswer((i) -> {
        jwk.setKeyId("1");
        return null;
    }).when(httpsJwks).refresh();

    keyLocationResolver = Mockito.spy(keyLocationResolver);
    assertEquals(key, keyLocationResolver.resolveKey(signature, emptyList()));
    // The resolver's verificationKey field is expected to stay unset on this path.
    assertNull(keyLocationResolver.verificationKey);
}
 
Example #15
Source File: KeyUtils.java    From smallrye-jwt with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the key a JWK offers for signing: the secret key of an {@code oct} JWK,
 * otherwise the private key.
 *
 * @param currentJwk the JWK to inspect
 * @return the signing key, or {@code null} when the JWK declares key operations that do not
 *         include {@code "sign"}
 */
static Key getPrivateOrSecretSigningKey(JsonWebKey currentJwk) {
    List<String> declaredOps = currentJwk.getKeyOps();
    // A JWK without key_ops is treated as usable for signing.
    if (declaredOps != null && !declaredOps.contains("sign")) {
        return null;
    }
    // Any non-"oct" JWK is cast to PublicJsonWebKey (ClassCastException otherwise).
    // Presumably getPrivateKey() is null for a JWK that holds public parameters only - callers
    // should check the result.
    return "oct".equals(currentJwk.getKeyType())
            ? OctetSequenceJsonWebKey.class.cast(currentJwk).getKey()
            : PublicJsonWebKey.class.cast(currentJwk).getPrivateKey();
}
 
Example #16
Source File: KeyUtils.java    From smallrye-jwt with Apache License 2.0 5 votes vote down vote up
/**
 * Selects an encryption key from a JWK set by key id.
 *
 * @param kid  key id to look for, may be {@code null}
 * @param keys JWK set to search
 * @return the encrypting key of the first JWK whose id equals {@code kid} (which may itself be
 *         {@code null} if that JWK is not usable for encryption), the key of a single-entry
 *         set under the fallback rule, or {@code null}
 */
static Key getEncryptionKeyFromJwkSet(String kid, List<JsonWebKey> keys) {
    if (kid != null) {
        for (JsonWebKey candidate : keys) {
            if (kid.equals(candidate.getKeyId())) {
                // The first kid match decides the result; the search does not continue if
                // the helper returns null for it.
                return getPublicOrSecretEncryptingKey(candidate);
            }
        }
    }

    // Single-key fallback.
    // NOTE(review): taken when EITHER the token or the JWK lacks a 'kid'; the original comment
    // reads as if both must lack it - confirm which is intended.
    if (keys.size() != 1) {
        return null;
    }
    JsonWebKey onlyJwk = keys.get(0);
    if (kid != null && onlyJwk.getKeyId() != null) {
        return null;
    }
    return getPublicOrSecretEncryptingKey(onlyJwk);
}
 
Example #17
Source File: Jose4jJWKSTest.java    From microprofile-jwt-auth with Apache License 2.0 5 votes vote down vote up
/**
 * Validates a token against the JWK set published at {@code jwksURL}.
 *
 * <p>Only RS256 signatures are accepted, the issuer must equal {@code issuer}, and expiration
 * and subject claims are required. Audience validation is switched off.
 *
 * @param token              compact JWT to validate
 * @param jwksURL            location of the JWK set
 * @param issuer             expected {@code iss} value
 * @param expGracePeriodSecs allowed clock skew in seconds; when not positive, the evaluation
 *                           time is fixed at epoch second 0 instead
 * @throws Exception if the keys cannot be loaded or the token is rejected
 */
@Override
protected void validateToken(String token, URL jwksURL, String issuer, int expGracePeriodSecs) throws Exception {
    // Pinning the accepted algorithm keeps the token header from choosing another one.
    AlgorithmConstraints rs256Only =
        new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST,
                                 AlgorithmIdentifiers.RSA_USING_SHA256);
    JwtConsumerBuilder builder = new JwtConsumerBuilder()
        .setRequireExpirationTime()
        .setRequireSubject()
        .setSkipDefaultAudienceValidation()
        .setExpectedIssuer(issuer)
        .setJwsAlgorithmConstraints(rs256Only);

    HttpsJwks keySource = new HttpsJwks(jwksURL.toExternalForm());
    List<JsonWebKey> publishedKeys = keySource.getJsonWebKeys();

    // Debug output of the first published key. get(0) throws on an empty JWK set.
    // The printed value is the base64 of the encoded public key without PEM framing.
    JsonWebKey firstKey = publishedKeys.get(0);
    if (firstKey instanceof PublicJsonWebKey) {
        byte[] encodedPublicKey = ((PublicJsonWebKey) firstKey).getPublicKey().getEncoded();
        System.out.printf("pk.pem: %s\n", Base64.getEncoder().encodeToString(encodedPublicKey));
    }
    builder.setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(keySource));

    if (expGracePeriodSecs <= 0) {
        // Time-based claims are evaluated as of epoch second 0 rather than the current time.
        // NOTE(review): presumably a test-harness convenience; not a setting for production use.
        builder.setEvaluationTime(NumericDate.fromSeconds(0));
    }
    else {
        builder.setAllowedClockSkewInSeconds(expGracePeriodSecs);
    }

    JwtConsumer jwtConsumer = builder.build();
    JwtContext jwtContext = jwtConsumer.process(token);
    // Read but not used afterwards.
    String type = jwtContext.getJoseObjects().get(0).getHeader("typ");
    // Run the consumer over the already parsed context as well.
    jwtConsumer.processContext(jwtContext);

}
 
Example #18
Source File: ChangingKeyTest.java    From Jose4j with Apache License 2.0 5 votes vote down vote up
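/**
 * Checks that replacing the key on a {@code JsonWebSignature} is reflected by the next
 * {@code verifySignature()} call, i.e. that an earlier verification result is not reused
 * for a different key.
 */
@Test
public void testOnNewKey() throws Exception
{
    // Test-only symmetric key that matches the signature below.
    JsonWebKey jwk = JsonWebKey.Factory.newJwk("{\"kty\":\"oct\",\"k\":\"9el2Km2s5LHVQqUCWIdvwMsclQqQc6CwObMnCpCC8jY\"}");

    JsonWebSignature jws = new JsonWebSignature();
    jws.setCompactSerialization("eyJhbGciOiJIUzI1NiJ9.c2lnaA.2yUt5UtfsRK1pnN0KTTv7gzHTxwDqDz2OkFSqlbQ40A");

    // Wrong key (all zero bytes): verification must fail.
    jws.setKey(new HmacKey(new byte[32]));
    Assert.assertThat(false, CoreMatchers.equalTo(jws.verifySignature()));

    // sigh, setting a new key should now clear the little internal signature result cache...
    jws.setKey(jwk.getKey());
    Assert.assertThat(true, CoreMatchers.equalTo(jws.verifySignature()));

    // Going back to a wrong (random) key must not reuse the previous positive result.
    jws.setKey(new HmacKey(ByteUtil.randomBytes(32)));
    Assert.assertThat(false, CoreMatchers.equalTo(jws.verifySignature()));

    jws.setKey(null);
    try
    {
        jws.verifySignature();
        // Without this, the test would also pass if verification with no key simply returned.
        Assert.fail("verifySignature() with a null key should throw rather than return");
    }
    catch (JoseException e)
    {
        // expected
    }
}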
 
Example #19
Source File: JwsUsingHmacSha256ExampleTest.java    From Jose4j with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies the example JWS with the key from JWK and checks that its payload equals PAYLOAD.
 */
public void testVerifyExample() throws JoseException
{
    JsonWebSignature verifier = new JsonWebSignature();
    verifier.setCompactSerialization(JWS);

    JsonWebKey hmacJwk = JsonWebKey.Factory.newJwk(JWK);
    verifier.setKey(hmacJwk.getKey());

    // The signature is checked before the payload is read.
    boolean signatureValid = verifier.verifySignature();
    assertTrue("signature (HMAC) should validate", signatureValid);
    assertEquals(PAYLOAD, verifier.getPayload());
}
 
Example #20
Source File: RsaKeyManagementAlgorithm.java    From Jose4j with Apache License 2.0 5 votes vote down vote up
/**
 * Reports whether this key management algorithm works in the running JRE by actually
 * attempting a key wrap with a fixed RSA public key.
 *
 * @return {@code true} if the trial encryption produced a result, {@code false} if it failed
 *         with a {@code JoseException}
 */
@Override
public boolean isAvailable()
{
    // Why a trial run: the Sun/Oracle provider in Java 7 apparently cannot do MGF1 with SHA-256.
    // Wrapping with an "RSA/ECB/OAEPWithSHA-256AndMGF1Padding" Cipher initialized with an
    // OAEPParameterSpec using MGF1ParameterSpec.SHA256 fails there with an InvalidKeyException
    // ("Wrapping failed ...") caused by a BadPaddingException / DigestException ("Length must be
    // at least 32 for SHA-256digests"). Trying the operation is the most reliable check.
    try
    {
        // Public parameters (n, e) only; no private key material is embedded here.
        JsonWebKey probeKey = JsonWebKey.Factory.newJwk(
            "{\"kty\":\"RSA\"," +
            "\"n\":\"sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl" +
            "UzewbgBHod5pcM9H95GQRV3JDXboIRROSBigeC5yjU1hGzHHyXss8UDpre" +
            "cbAYxknTcQkhslANGRUZmdTOQ5qTRsLAt6BTYuyvVRdhS8exSZEy_c4gs_" +
            "7svlJJQ4H9_NxsiIoLwAEk7-Q3UXERGYw_75IDrGA84-lA_-Ct4eTlXHBI" +
            "Y2EaV7t7LjJaynVJCpkv4LKjTTAumiGUIuQhrNhZLuF_RJLqHpM2kgWFLU" +
            "7-VTdL1VbC2tejvcI2BlMkEpk1BzBZI0KQB0GaDWFLN-aEAw3vRw\"," +
            "\"e\":\"AQAB\"}");
        ContentEncryptionKeyDescriptor probeCekDesc = new ContentEncryptionKeyDescriptor(16, AesKey.ALGORITHM);
        ContentEncryptionKeys wrapped = manageForEncrypt(probeKey.getKey(), probeCekDesc, null, null, new ProviderContext());
        return wrapped != null;
    }
    catch (JoseException e)
    {
        // An unavailable algorithm is an expected outcome, so it is logged at debug level only.
        log.debug(getAlgorithmIdentifier() + " is not available due to " + ExceptionHelp.toStringWithCauses(e));
        return false;
    }
}
 
Example #21
Source File: JwsUsingRsaSha256ExampleTest.java    From Jose4j with Apache License 2.0 5 votes vote down vote up
/**
 * Sanity check that the RSA key given in JWK form (draft 12) equals the example key that
 * earlier drafts expressed as octet sequences.
 */
public void testKey11to12() throws Exception
{
    // Draft 12 switched the example to a JWK encoding of the key. The JSON below is that
    // published example key (including the private exponent "d"); it is compared with the
    // constants in ExampleRsaKeyFromJws. Some of ExampleRsaKeyFromJws could later be redone on
    // top of the JWK serialization if private key support is added.
    String jwkJson = "     {\"kty\":\"RSA\",\n" +
            "      \"n\":\"ofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd_wWJcyQoTbji9k0l8W26mPddx\n" +
            "           HmfHQp-Vaw-4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL-yRT-SFd2lZS-pCgNMs\n" +
            "           D1W_YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb_7OMg0LOL-bSf63kpaSH\n" +
            "           SXndS5z5rexMdbBYUsLA9e-KXBdQOS-UTo7WTBEMa2R2CapHg665xsmtdV\n" +
            "           MTBQY4uDZlxvb3qCo5ZwKh9kG4LT6_I5IhlJH7aGhyxXFvUK-DWNmoudF8\n" +
            "           NAco9_h9iaGNj8q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQ\",\n" +
            "      \"e\":\"AQAB\",\n" +
            "      \"d\":\"Eq5xpGnNCivDflJsRQBXHx1hdR1k6Ulwe2JZD50LpXyWPEAeP88vLNO97I\n" +
            "           jlA7_GQ5sLKMgvfTeXZx9SE-7YwVol2NXOoAJe46sui395IW_GO-pWJ1O0\n" +
            "           BkTGoVEn2bKVRUCgu-GjBVaYLU6f3l9kJfFNS3E0QbVdxzubSu3Mkqzjkn\n" +
            "           439X0M_V51gfpRLI9JYanrC4D4qAdGcopV_0ZHHzQlBjudU2QvXt4ehNYT\n" +
            "           CBr6XCLQUShb1juUO1ZdiYoFaFQT5Tw8bGUl_x_jTj3ccPDVZFD9pIuhLh\n" +
            "           BOneufuBiB4cS98l2SR_RQyGWSeWjnczT0QU91p1DhOVRuOopznQ\"\n" +
            "     }";
    Map<String, Object> jwkParams = JsonUtil.parseJson(jwkJson);

    // Public part: the key built from the JWK must equal the reference public key.
    JsonWebKey rsaJwk = JsonWebKey.Factory.newJwk(jwkParams);
    assertTrue(rsaJwk.getKey().equals(ExampleRsaKeyFromJws.PUBLIC_KEY));

    // Private exponent: decoded straight from the "d" member and compared byte for byte.
    String encodedD = (String)jwkParams.get("d");
    byte[] decodedD = new Base64Url().base64UrlDecode(encodedD);
    assertTrue(Arrays.equals(ExampleRsaKeyFromJws.D_SIGNED_BYTES, decodedD));
}
 
Example #22
Source File: JwsUsingEcdsaP521Sha512ExampleTest.java    From Jose4j with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies an ES512 example JWS (payload segment "UGF5bG9hZA") with the P-521 example key.
 */
public void testVerifyExampleFromDraft14() throws JoseException
{
    // Published example key; "d" is present in the JSON although only verification is done.
    String jwkJson = "     {\"kty\":\"EC\",\n" +
            "      \"crv\":\"P-521\",\n" +
            "      \"x\":\"AekpBQ8ST8a8VcfVOTNl353vSrDCLLJXmPk06wTjxrrjcBpXp5EOnYG_\n" +
            "           NjFZ6OvLFV1jSfS9tsz4qUxcWceqwQGk\",\n" +
            "      \"y\":\"ADSmRA43Z1DSNx_RvcLI87cdL07l6jQyyBXMoxVg_l2Th-x3S1WDhjDl\n" +
            "           y79ajL4Kkd0AZMaZmh9ubmf63e3kyMj2\",\n" +
            "      \"d\":\"AY5pb7A0UFiB3RELSD64fTLOSV_jazdF7fLYyuTw8lOfRhWg6Y6rUrPA\n" +
            "           xerEzgdRhajnu0ferB0d53vM9mE15j2C\"\n" +
            "     }";
    JsonWebKey ecJwk = JsonWebKey.Factory.newJwk(jwkJson);

    // http://www.ietf.org/mail-archive/web/jose/current/msg03018.html
    // Segments: header, payload, signature.
    String jwsCs = "eyJhbGciOiJFUzUxMiJ9" +
            "." +
            "UGF5bG9hZA" +
            "." +
            "AdwMgeerwtHoh-l192l60hp9wAHZFVJbLfD_UxMi70cwnZOYaRI1bKPWROc-mZZq" +
            "wqT2SI-KGDKB34XO0aw_7XdtAG8GaSwFKdCAPZgoXD2YBJZCPEX3xKpRwcdOO8Kp" +
            "EHwJjyqOgzDO7iKvU8vcnwNrmxYbSW9ERBXukOXolLzeO_Jn";

    JsonWebSignature verifier = new JsonWebSignature();
    verifier.setCompactSerialization(jwsCs);
    verifier.setKey(ecJwk.getKey());

    // The payload is read and printed before the explicit signature assertion below.
    String payload = verifier.getPayload();
    System.out.println(payload);

    boolean signatureValid = verifier.verifySignature();
    assertTrue("signature should validate", signatureValid);
}
 
Example #23
Source File: EcdsaUsingShaAlgorithmTest.java    From Jose4j with Apache License 2.0 5 votes vote down vote up
/**
 * Asserts that the signature of a compact JWS verifies with the key described by a JWK.
 *
 * @param jwkJson JSON text of the JWK holding the verification key
 * @param cs      compact serialization of the JWS
 * @throws JoseException if the JWK or the JWS cannot be processed
 */
private void check(String jwkJson, String cs) throws JoseException
{
    JsonWebKey verificationJwk = JsonWebKey.Factory.newJwk(jwkJson);

    JsonWebSignature verifier = new JsonWebSignature();
    verifier.setCompactSerialization(cs);
    verifier.setKey(verificationJwk.getKey());

    boolean signatureValid = verifier.verifySignature();
    Assert.assertTrue(signatureValid);
}
 
Example #24
Source File: Aes128KeyWrapManagementAlgorithmTest.java    From Jose4j with Apache License 2.0 5 votes vote down vote up
/**
 * Exercises the AES key wrap step of the JWE draft's appendix A.3 example: wrapping the
 * example CEK must give the published encrypted key, and unwrapping that must give the CEK.
 */
public void testJweExample() throws JoseException
{
    // Test the AES key wrap part of Example JWE using AES Key Wrap and AES_128_CBC_HMAC_SHA_256 from
    // http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-14#appendix-A.3
    final String encodedEncryptedKeyFromExample ="6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ";

    // Content encryption key from the example, given as unsigned octet values.
    int[] cekInts = {4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106,
            206, 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156,
            44, 207};
    byte[] cekBytes = ByteUtil.convertUnsignedToSignedTwosComp(cekInts);

    // Published example key-wrapping key; not a secret.
    JsonWebKey wrappingJwk = JsonWebKey.Factory.newJwk("\n" +
            "     {\"kty\":\"oct\",\n" +
            "      \"k\":\"GawgguFyGrWKav7AX4VKUg\"\n" +
            "     }");
    AesKey managementKey = new AesKey(wrappingJwk.getKey().getEncoded());

    WrappingKeyManagementAlgorithm keyWrap = new AesKeyWrapManagementAlgorithm.Aes128();
    ContentEncryptionAlgorithm contentEncryption = new AesCbcHmacSha2ContentEncryptionAlgorithm.Aes128CbcHmacSha256();
    ContentEncryptionKeyDescriptor cekDesc = contentEncryption.getContentEncryptionKeyDescriptor();

    // Wrap direction: the wrapped CEK has to match the published value.
    ContentEncryptionKeys wrapResult = keyWrap.manageForEnc(managementKey, cekDesc, cekBytes, ProviderContextTest.EMPTY_CONTEXT);
    Base64Url codec = new Base64Url();
    assertEquals(encodedEncryptedKeyFromExample, codec.base64UrlEncode(wrapResult.getEncryptedKey()));

    // Unwrap direction: the published value has to give back the CEK.
    byte[] encryptedKey = codec.base64UrlDecode(encodedEncryptedKeyFromExample);
    Key unwrapped = keyWrap.manageForDecrypt(managementKey, encryptedKey, cekDesc, null, ProviderContextTest.EMPTY_CONTEXT);
    assertTrue(Arrays.equals(cekBytes, unwrapped.getEncoded()));
}
 
Example #25
Source File: JsonWebEncryptionTest.java    From Jose4j with Apache License 2.0 5 votes vote down vote up
/**
 * Expects {@code InvalidAlgorithmException} when the key management algorithm named in the
 * JWE header ("dir") is on the block list set through {@code setAlgorithmConstraints}.
 */
@Test (expected = InvalidAlgorithmException.class)
public void testBlackListAlg() throws JoseException
{
    // Test-only symmetric key.
    JsonWebKey symmetricJwk = JsonWebKey.Factory.newJwk("{\"kty\":\"oct\",\"k\":\"I95jRMEyRvD0t3LRgL1GSWTgkX5jznuhX4mce9bYV_A\"}");
    String jwecs = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..LpJAcwq3RzCs-zPRQzT-jg.IO0ZwAhWnSF05dslZwaBKcHYOAKlSpt_l7Dl5ABrUS0.0KfkxQTFqTQjzfJIm8MNjg";

    JsonWebEncryption jwe = new JsonWebEncryption();
    // The constraint is installed before the token is parsed and the key is set.
    AlgorithmConstraints noDirect = new AlgorithmConstraints(BLACKLIST, DIRECT);
    jwe.setAlgorithmConstraints(noDirect);
    jwe.setCompactSerialization(jwecs);
    jwe.setKey(symmetricJwk.getKey());

    // Reading the payload triggers decryption, which is where the exception is expected.
    jwe.getPayload();
}
 
Example #26
Source File: JsonWebEncryptionTest.java    From Jose4j with Apache License 2.0 5 votes vote down vote up
/**
 * Expects {@code InvalidAlgorithmException} when the content encryption algorithm named in
 * the JWE header ("A128CBC-HS256") is on the block list set through
 * {@code setContentEncryptionAlgorithmConstraints}.
 */
@Test (expected = InvalidAlgorithmException.class)
public void testBlackListEncAlg() throws JoseException
{
    // Test-only symmetric key.
    JsonWebKey symmetricJwk = JsonWebKey.Factory.newJwk("{\"kty\":\"oct\",\"k\":\"I95jRMEyRvD0t3LRgL1GSWTgkX5jznuhX4mce9bYV_A\"}");
    String jwecs = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..LpJAcwq3RzCs-zPRQzT-jg.IO0ZwAhWnSF05dslZwaBKcHYOAKlSpt_l7Dl5ABrUS0.0KfkxQTFqTQjzfJIm8MNjg";

    JsonWebEncryption jwe = new JsonWebEncryption();
    // The constraint is installed before the token is parsed and the key is set.
    AlgorithmConstraints noAes128CbcHs256 = new AlgorithmConstraints(BLACKLIST, AES_128_CBC_HMAC_SHA_256);
    jwe.setContentEncryptionAlgorithmConstraints(noAes128CbcHs256);
    jwe.setCompactSerialization(jwecs);
    jwe.setKey(symmetricJwk.getKey());

    // Reading the payload triggers decryption, which is where the exception is expected.
    jwe.getPayload();
}
 
Example #27
Source File: JweEncryptorCallout.java    From iloveapis2015-jwt-jwe-jws with Apache License 2.0 5 votes vote down vote up
/**
 * Encrypts the configured plaintext into a compact JWE and stores it in the "jwe" context
 * variable.
 *
 * <p>The secret is turned into an {@code oct} JWK and used with the PBES2-HS256+A128KW key
 * management algorithm; the content encryption method is read from the configuration.
 *
 * @param msgCtxt message context that supplies the inputs and receives the result variables
 * @param exeCtxt execution context (not used here)
 * @return {@code SUCCESS} after encryption, {@code ABORT} if any exception occurred
 */
public ExecutionResult execute(MessageContext msgCtxt, ExecutionContext exeCtxt)
{
    try {
        // Clear any error left over from an earlier run.
        msgCtxt.removeVariable(varName("error"));

        String plaintext = getPlainText(msgCtxt);
        String secretKey = getSecretKey(msgCtxt);
        String algorithm = getAlgorithm(msgCtxt);

        // NOTE(review): the JWK "k" member is defined as base64url. encodeBase64String
        // presumably emits the standard alphabet with padding - confirm that the JWK parser
        // accepts it for every secret, or use a URL-safe encoder.
        byte[] secretBytes = secretKey.getBytes("UTF-8");
        String b64Key = Base64.encodeBase64String(secretBytes);
        // Only base64 text is spliced into the JSON, so the secret cannot break out of the string.
        String jwkJson = "{\"kty\":\"oct\",\"k\":\""+ b64Key + "\"}";
        JsonWebKey jwk = JsonWebKey.Factory.newJwk(jwkJson);

        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setPlaintext(plaintext);
        jwe.setEncryptionMethodHeaderParameter(algorithm);
        jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW);
        jwe.setKey(jwk.getKey());

        // Serializing performs the encryption.
        msgCtxt.setVariable(varName("jwe"), jwe.getCompactSerialization());
        return ExecutionResult.SUCCESS;
    }
    catch (Exception e) {
        // NOTE(review): the exception text and the full stack trace go into context variables.
        // Confirm they are not copied into client-facing responses or long-lived logs, since
        // they can expose internal detail.
        msgCtxt.setVariable(varName("error"), "Exception " + e.toString());
        msgCtxt.setVariable(varName("stacktrace"), ExceptionUtils.getStackTrace(e));
        return ExecutionResult.ABORT;
    }
}
 
Example #28
Source File: JwtHelper.java    From openhab-core with Eclipse Public License 2.0 5 votes vote down vote up
/**
 * Reads the RSA JWK stored on the first line of KEY_FILE_PATH, or generates a new key when
 * the file cannot be read or parsed.
 *
 * @return the stored key, or a newly generated one
 * @throws FileNotFoundException declared by the signature; not raised by the visible read path
 * @throws JoseException         if thrown while generating a new key
 * @throws IOException           if thrown while generating a new key
 */
private RsaJsonWebKey loadOrGenerateKey() throws FileNotFoundException, JoseException, IOException {
    try (final BufferedReader reader = Files.newBufferedReader(Paths.get(KEY_FILE_PATH))) {
        // NOTE(review): readLine() returns null for an empty file, and the cast fails for a
        // stored JWK that is not RSA; neither case is handled by the catch below.
        final String storedJwkJson = reader.readLine();
        return (RsaJsonWebKey) JsonWebKey.Factory.newJwk(storedJwkJson);
    } catch (IOException | JoseException e) {
        // NOTE(review): every read or parse failure (missing file, permissions, corrupt
        // content) ends in a new signing key, and the cause is not logged. Confirm that
        // replacing the key in all of these cases is intended, and that generateNewKey()
        // stores the private key with owner-only permissions.
        final RsaJsonWebKey generated = generateNewKey();
        logger.debug("Created JWT signature key in {}", KEY_FILE_PATH);
        return generated;
    }
}
 
Example #29
Source File: DefaultCipherExecutor.java    From nano-framework with Apache License 2.0 5 votes vote down vote up
/**
 * Builds a symmetric ({@code kty=oct}) key from the configured secret by way of a JWK.
 *
 * <p>NOTE(review): the secret is placed in the JWK {@code k} member as is, and JWK defines
 * {@code k} as the base64url encoding of the key bytes. The resulting key length therefore
 * depends on how the secret decodes - confirm it matches the algorithm it is used with.
 *
 * @param secret the secret, used as the JWK {@code k} value
 * @return the key
 * @throws IllegalArgumentException if the JWK cannot be built from the secret
 */
private Key prepareJsonWebTokenKey(final String secret) {
    final Map<String, Object> jwkParams = new HashMap<>(2);
    try {
        jwkParams.put("kty", "oct");
        jwkParams.put("k", secret);
        return JsonWebKey.Factory.newJwk(jwkParams).getKey();
    } catch (final Exception e) {
        // Rethrown unchecked with the cause attached.
        throw new IllegalArgumentException(e.getMessage(), e);
    }
}
 
Example #30
Source File: JWTAuthConfiguration.java    From tomee with Apache License 2.0 5 votes vote down vote up
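/**
 * Parses the configured public keys into JWKs, using each map key as the key id.
 *
 * <p>An entry that cannot be parsed is logged and left out of the result, so the returned
 * list never contains {@code null} elements that would fail later during key lookup.
 *
 * @return the successfully parsed JWKs, each with its key id set
 */
public List<JsonWebKey> getPublicKeys() {
    return publicKeys.entrySet().stream().map(key -> {
        try {
            final JsonWebKey jsonWebKey = JsonWebKey.Factory.newJwk(key.getValue());
            // The configured map key overrides any 'kid' carried by the JWK itself.
            jsonWebKey.setKeyId(key.getKey());
            return jsonWebKey;
        } catch (final JoseException e) {
            logger.warning(e.getMessage());
            return null;
        }
    }).filter(jsonWebKey -> jsonWebKey != null).collect(Collectors.toList());
}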