@Override public Jwk call() throws Exception { return provider.get(keyId); } });
private JwkProvider traceJwkLookupsOf(JwkProvider provider) { return (String keyId) -> { try { log.info("Begin lookup for JWK with Kid={}", keyId); return provider.get(keyId); } finally { log.info("End lookup for JWK with Kid={}", keyId); } }; } }
@Override public RSAPublicKey getPublicKeyById(String keyId) { try { final PublicKey publicKey = jwkProvider.get(keyId).getPublicKey(); if (!(publicKey instanceof RSAPublicKey)) { throw new IllegalArgumentException(String.format("Key with ID '%s' was found in JWKS but is not a RSA-key.", keyId)); } return (RSAPublicKey) publicKey; } catch (JwkException e) { throw new IllegalArgumentException(String.format("Key with ID '%s' couldn't be fetched from JWKS.", keyId), e); } }
@SuppressWarnings("unchecked") private OpenIdMetadataKey findKey(String keyId) { try { Jwk jwk = this.cacheKeys.get(keyId); OpenIdMetadataKey key = new OpenIdMetadataKey(); key.key = (RSAPublicKey) jwk.getPublicKey(); key.endorsements = (List<String>) jwk.getAdditionalAttributes().get("endorsements"); return key; } catch (JwkException e) { String errorDescription = String.format("Failed to load keys: %s", e.getMessage()); LOGGER.log(Level.WARNING, errorDescription); } return null; } }
@SuppressWarnings("unchecked") private OpenIdMetadataKey findKey(String keyId) { try { Jwk jwk = cacheKeys.get(keyId); OpenIdMetadataKey key = new OpenIdMetadataKey(); key.key = (RSAPublicKey) jwk.getPublicKey(); key.endorsements = (List<String>) jwk.getAdditionalAttributes().get("endorsements"); return key; } catch (JwkException e) { String errorDescription = String.format("Failed to load keys: %s", e.getMessage()); LOGGER.log(Level.WARNING, errorDescription); } return null; } }
@Override public Jwk get(final String keyId) throws JwkException { if (!bucket.consume()) { throw new RateLimitReachedException(bucket.willLeakIn()); } return provider.get(keyId); }
LOGGER.debug(format("Checking issuer with KID [%s]", issuer.getKID())); Jwk jwk = jwkProvider.get(issuer.getKID()); byte[] publicKeyBytes = jwk.getPublicKey().getEncoded(); X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKeyBytes);
private void verifyJwt(JWT decoded) { try { Jwk jwk = jwkProvider.get(decoded.getKeyId()); // TODO check for Algorithm JWTVerifier verifier = JWT.require(Algorithm.RSA256((RSAKey) jwk.getPublicKey())).build(); verifier.verify(decoded.getToken()); } catch (Exception e) { e.printStackTrace(); throw new IllegalStateException("Bad token!"); } }
private synchronized PublicKey getJwtPublicKey(JwsHeader<?> header) { String kid = header.getKeyId(); if (header.getKeyId() == null) { LOG.warn( "'kid' is missing in the JWT token header. This is not possible to validate the token with OIDC provider keys"); throw new JwtException("'kid' is missing in the JWT token header."); } try { return jwkProvider.get(kid).getPublicKey(); } catch (JwkException e) { throw new JwtException( "Error during the retrieval of the public key during JWT token validation", e); } } }
@Test public void shouldCacheWhenIdMatchesDefaultMissingIdKey() throws Exception { when(fallback.get(eq(GuavaCachedJwkProvider.NULL_KID_KEY))).thenReturn(jwk); assertThat(provider.get(GuavaCachedJwkProvider.NULL_KID_KEY), equalTo(jwk)); verify(fallback).get(eq(GuavaCachedJwkProvider.NULL_KID_KEY)); verifyNoMoreInteractions(fallback); assertThat(provider.get(GuavaCachedJwkProvider.NULL_KID_KEY), equalTo(jwk)); }
@Test public void shouldFailToGetWhenBucketIsEmpty() throws Exception { when(bucket.consume()).thenReturn(false); expectedException.expect(RateLimitReachedException.class); when(fallback.get(eq(KID))).thenReturn(jwk); provider.get(KID); }
@Test public void shouldFailToGetSingleWhenNotExists() throws Exception { expectedException.expect(SigningKeyNotFoundException.class); when(fallback.get(anyString())).thenThrow(new SigningKeyNotFoundException("TEST!", null)); provider.get(KID); }