/**
 * Loads the signing keys published at the configured JWKS URI.
 * <p>
 * The underlying {@link HttpsJwks} client is created lazily on first use and then
 * reused, so the remote document is only re-fetched when its cache duration lapses.
 * Only keys whose {@code use} is {@code "sig"} <em>and</em> whose {@code alg} is
 * {@code "RS256"} are returned; a key that omits {@code alg} (or advertises any other
 * algorithm) is dropped rather than assumed to be RS256.
 *
 * @return the matching keys, or an empty list when no JWKS URI is configured
 * @throws IllegalStateException if the document cannot be fetched ({@link IOException})
 *         or cannot be parsed ({@link JoseException}); the cause is preserved
 */
public List<JsonWebKey> loadJsonWebKeys() {
    HttpsJwks source;
    synchronized (this) {
        if (jwksUri == null) {
            return Collections.emptyList();
        }
        if (httpsJwks == null) {
            httpsJwks = new HttpsJwks(jwksUri);
            // the * 60 suggests jwksRefreshInterval is expressed in minutes while
            // HttpsJwks expects seconds -- confirm against the configuration docs
            httpsJwks.setDefaultCacheDuration(jwksRefreshInterval.longValue() * 60L);
        }
        source = httpsJwks;
    }
    try {
        return source.getJsonWebKeys().stream()
                .filter(this::isRs256SigningKey)
                .collect(Collectors.toList());
    } catch (IOException e) {
        throw new IllegalStateException(String.format("Unable to fetch JWKS from %s.", jwksUri), e);
    } catch (JoseException e) {
        throw new IllegalStateException(String.format("Unable to parse JWKS from %s.", jwksUri), e);
    }
}

/**
 * Accepts only keys that are explicitly marked for signing with RS256.
 * The {@code use} check runs first so a non-signing key never has its {@code alg} inspected.
 *
 * @param jsonWebKey the candidate key from the JWKS document
 * @return {@code true} when {@code use} is {@code "sig"} and {@code alg} is {@code "RS256"}
 */
private boolean isRs256SigningKey(JsonWebKey jsonWebKey) {
    // null-safe: the literal is the receiver, so a key without use/alg simply fails the test
    return "sig".equals(jsonWebKey.getUse())
            && "RS256".equals(jsonWebKey.getAlgorithm()); // MP-JWT dictates RS256 only
}
/**
 * Analyzes the key used in the {@link JsonWebKey}, and returns the key algorithm
 * identifier for {@link JsonWebSignature}.
 * <p>
 * The identifier is derived from the key's type and, for EC keys, its curve; the
 * {@code alg} member advertised by the key itself is not consulted (it only appears
 * in the error message for unsupported key types). Every RSA key maps to RS256.
 *
 * @param jwk
 *            {@link JsonWebKey} to analyze
 * @return algorithm identifier
 * @throws IllegalArgumentException
 *             there is no corresponding algorithm identifier for the key
 */
public static String keyAlgorithm(JsonWebKey jwk) {
    if (jwk instanceof RsaJsonWebKey) {
        return AlgorithmIdentifiers.RSA_USING_SHA256;
    }
    if (!(jwk instanceof EllipticCurveJsonWebKey)) {
        throw new IllegalArgumentException("Unknown algorithm " + jwk.getAlgorithm());
    }
    String curveName = ((EllipticCurveJsonWebKey) jwk).getCurveName();
    // hash length follows the curve size, as required for the ES* JWS algorithms
    switch (curveName) {
        case "P-256":
            return AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256;
        case "P-384":
            return AlgorithmIdentifiers.ECDSA_USING_P384_CURVE_AND_SHA384;
        case "P-521":
            return AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512;
        default:
            throw new IllegalArgumentException("Unknown EC name " + curveName);
    }
}
/**
 * Selects the keys in this set that satisfy every non-null criterion.
 * <p>
 * A {@code null} argument means "don't care" for that attribute, so calling with all
 * four {@code null} returns every key. Matching is exact string equality on the
 * key's {@code kid}, {@code kty}, {@code use} and {@code alg} members.
 *
 * @param keyId     required key id, or {@code null}
 * @param keyType   required key type, or {@code null}
 * @param use       required public-key use, or {@code null}
 * @param algorithm required algorithm, or {@code null}
 * @return a new, mutable list of the matching keys (possibly empty, never {@code null})
 */
public List<JsonWebKey> findJsonWebKeys(String keyId, String keyType, String use, String algorithm) {
    List<JsonWebKey> matches = new ArrayList<JsonWebKey>();
    for (JsonWebKey candidate : keys) {
        // reject on the first failing criterion; a null criterion never rejects
        if (keyId != null && !keyId.equals(candidate.getKeyId())) {
            continue;
        }
        if (use != null && !use.equals(candidate.getUse())) {
            continue;
        }
        if (keyType != null && !keyType.equals(candidate.getKeyType())) {
            continue;
        }
        if (algorithm != null && !algorithm.equals(candidate.getAlgorithm())) {
            continue;
        }
        matches.add(candidate);
    }
    return matches;
}
/**
 * Analyzes the key used in the {@link JsonWebKey}, and returns the key algorithm
 * identifier for {@link JsonWebSignature}.
 * <p>
 * The identifier is derived from the key's type and, for EC keys, its curve; the
 * {@code alg} member advertised by the key itself is not consulted (it only appears
 * in the error message for unsupported key types). Every RSA key maps to RS256.
 *
 * @param jwk
 *            {@link JsonWebKey} to analyze
 * @return algorithm identifier
 * @throws IllegalArgumentException
 *             there is no corresponding algorithm identifier for the key
 */
public static String keyAlgorithm(JsonWebKey jwk) {
    if (jwk instanceof RsaJsonWebKey) {
        return AlgorithmIdentifiers.RSA_USING_SHA256;
    }
    if (!(jwk instanceof EllipticCurveJsonWebKey)) {
        throw new IllegalArgumentException("Unknown algorithm " + jwk.getAlgorithm());
    }
    String curveName = ((EllipticCurveJsonWebKey) jwk).getCurveName();
    // hash length follows the curve size, as required for the ES* JWS algorithms
    switch (curveName) {
        case "P-256":
            return AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256;
        case "P-384":
            return AlgorithmIdentifiers.ECDSA_USING_P384_CURVE_AND_SHA384;
        case "P-521":
            return AlgorithmIdentifiers.ECDSA_USING_P521_CURVE_AND_SHA512;
        default:
            throw new IllegalArgumentException("Unknown EC name " + curveName);
    }
}
/**
 * Serialises this key into an ordered parameter map suitable for JSON output.
 * <p>
 * {@code kty} is always written first; {@code kid}, {@code use}, {@code key_ops} and
 * {@code alg} are written only when set. Type-specific members are appended by
 * {@link #fillTypeSpecificParams}, and finally {@code otherParameters} is merged in.
 * Because that merge happens last, an entry in {@code otherParameters} with one of the
 * standard names replaces the value written above.
 *
 * @param outputLevel controls which type-specific members (e.g. private parts) are emitted;
 *                    interpreted by {@code fillTypeSpecificParams}
 * @return a new, insertion-ordered map of JWK members
 */
public Map<String, Object> toParams(OutputControlLevel outputLevel) {
    Map<String, Object> members = new LinkedHashMap<>();
    members.put(KEY_TYPE_PARAMETER, getKeyType());
    // optional common members: skipped entirely when null so they do not appear in the JSON
    putIfNotNull(KEY_ID_PARAMETER, getKeyId(), members);
    putIfNotNull(USE_PARAMETER, getUse(), members);
    putIfNotNull(KEY_OPERATIONS, keyOps, members);
    putIfNotNull(ALGORITHM_PARAMETER, getAlgorithm(), members);
    fillTypeSpecificParams(members, outputLevel);
    // last on purpose: unknown/extension members round-trip, but can also overwrite the above
    members.putAll(otherParameters);
    return members;
}
/**
 * Returns the keys from {@code jsonWebKeys} that satisfy every criterion configured on this filter.
 * <p>
 * Every criterion is evaluated for every key (no short-circuiting), in the same order as the
 * fields: {@code kid}, {@code kty}, {@code use}, {@code alg}, the two certificate thumbprints,
 * {@code crv} and finally {@code key_ops}. How an unset criterion behaves is decided by
 * {@code isMatch}, which is defined elsewhere in this class.
 *
 * @param jsonWebKeys the candidate keys
 * @return a new list of the matching keys in input order; empty when nothing matches
 */
public List<JsonWebKey> filter(Collection<JsonWebKey> jsonWebKeys) {
    List<JsonWebKey> selected = new LinkedList<>();
    for (JsonWebKey candidate : jsonWebKeys) {
        if (meetsAllCriteria(candidate)) {
            selected.add(candidate);
        }
    }
    return selected;
}

/**
 * Evaluates all configured criteria against one key.
 * Non-short-circuit {@code &} is used deliberately so each {@code isMatch} call runs
 * regardless of earlier results, preserving the filter's original evaluation order.
 *
 * @param jwk the key under test
 * @return {@code true} only when every criterion is satisfied
 */
private boolean meetsAllCriteria(JsonWebKey jwk) {
    boolean identityMatch = isMatch(kid, jwk.getKeyId())
            & isMatch(kty, jwk.getKeyType())
            & isMatch(use, jwk.getUse())
            & isMatch(alg, jwk.getAlgorithm());
    // index 0 is compared against x5t, index 1 against x5t#S256; the flag presumably lets
    // getThumbs derive them from the x5c chain when the key does not carry them -- confirm
    String[] thumbprints = getThumbs(jwk, allowThumbsFallbackDeriveFromX5c);
    boolean certificateAndCurveMatch = isMatch(x5t, thumbprints[0])
            & isMatch(x5tS256, thumbprints[1])
            & isMatch(crv, getCrv(jwk));
    // key_ops is the only criterion with its own matcher; unset means "any"
    boolean keyOpsMatch = keyOps == null || keyOps.meetsCriteria(jwk.getKeyOps());
    return identityMatch & certificateAndCurveMatch & keyOpsMatch;
}