Current x509 and current KeyBundle - needs comments

jdahmubed · jdahmubed · commit 5f1e6cd5ac61 · 2017-12-12T17:10:35.000-08:00
diff --git a/AUTHORS.md b/AUTHORS.md
@@ -4,3 +4,4 @@
 ### of contributors, see the revision history in source control.
 
 Auth0 LLC, Google LLC
+
diff --git a/lib/build.gradle b/lib/build.gradle
@@ -37,6 +37,12 @@ dependencies {
     compile 'com.fasterxml.jackson.core:jackson-databind:2.9.2'
     compile 'commons-codec:commons-codec:1.11'
     compile 'com.google.code.gson:gson:2.8.2'
+    compile 'com.auth0:jwks-rsa:0.3.0'
+    compile 'com.nimbusds:nimbus-jose-jwt:2.19.1'
+    compile 'org.apache.httpcomponents:httpcore:4.4.1'
+    compile 'org.apache.httpcomponents:httpclient:4.5'
+    compile group: 'org.slf4j', name:'slf4j-api', version: '1.7.2'
+    compile group: 'com.googlecode.json-simple', name: 'json-simple', version: '1.1.1'
     testCompile 'org.bouncycastle:bcprov-jdk15on:1.58'
     testCompile 'junit:junit:4.12'
     testCompile 'net.jodah:concurrentunit:0.4.3'
diff --git a/lib/src/main/java/com/auth0/jwt/algorithms/CryptoHelper.java b/lib/src/main/java/com/auth0/jwt/algorithms/CryptoHelper.java
@@ -34,7 +34,9 @@ byte[] createSignatureFor(String algorithm, byte[] secretBytes, byte[] contentBy
         mac.init(new SecretKeySpec(secretBytes, algorithm));
         return mac.doFinal(contentBytes);
     }
-
+//get back public key from x509 DER string
+    //use public key to verify (public key might be in pem format)
+    //pass
     boolean verifySignatureFor(String algorithm, PublicKey publicKey, byte[] contentBytes, byte[] signatureBytes) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
         final Signature s = Signature.getInstance(algorithm);
         s.initVerify(publicKey);
diff --git a/lib/src/main/java/com/auth0/jwt/algorithms/ECDSAAlgorithm.java b/lib/src/main/java/com/auth0/jwt/algorithms/ECDSAAlgorithm.java
@@ -19,23 +19,43 @@
 
 package com.auth0.jwt.algorithms;
 
+import com.auth0.jwk.Jwk;
+import com.auth0.jwk.JwkProvider;
+import com.auth0.jwk.UrlJwkProvider;
 import com.auth0.jwt.creators.EncodeType;
 import com.auth0.jwt.exceptions.SignatureGenerationException;
 import com.auth0.jwt.exceptions.SignatureVerificationException;
 import com.auth0.jwt.interfaces.DecodedJWT;
 import com.auth0.jwt.interfaces.ECDSAKeyProvider;
+import com.auth0.jwt.interfaces.Payload;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jose.crypto.RSASSASigner;
+import com.nimbusds.jose.crypto.RSASSAVerifier;
+import com.nimbusds.jose.jwk.JWK;
+import net.minidev.json.JSONArray;
+import net.minidev.json.JSONObject;
+import net.minidev.json.parser.JSONParser;
 import org.apache.commons.codec.binary.Base32;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
 import org.apache.commons.codec.binary.StringUtils;
 
+import java.io.File;
+import java.io.FileReader;
+import java.net.URL;
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.SignatureException;
+import java.security.*;
 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.List;
 
 class ECDSAAlgorithm extends Algorithm {
 
@@ -80,10 +100,48 @@ public void verify(DecodedJWT jwt, EncodeType encodeType) throws Exception {
         }
 
         try {
-            ECPublicKey publicKey = keyProvider.getPublicKeyById(jwt.getKeyId());
+
+            //create a http request that gets back a response for the jwks uri and then once you get back the response,
+            //parse it to get back the x509 DER string and get the public key from that string
+            //from the public key of that string, pass it into verifySignatureFor()
+            PublicKey publicKey = null;
+            String kid = jwt.getKeyId();
+            String algorithm = jwt.getAlgorithm();
+            if(kid == null) {
+                publicKey = keyProvider.getPublicKeyById(kid);
+            } else if(algorithm.equals("RSA")){
+                //JwkProvider provider = new UrlJwkProvider("https://sandrino.auth0.com/.well-known/jwks.json");
+                JwkProvider provider = new UrlJwkProvider(new File("/Users/jdahmubed/documents/jwksRSA.json").toURI().toURL());//"file:///);
+                Jwk jwk = provider.get(kid);
+                publicKey = jwk.getPublicKey();
+            } /*else if(algorithm.contains("ES")) {
+               // JSONParser parser = new JSONParser();
+               // JSONArray a = (JSONArray) parser.parse(new FileReader("/Users/jdahmubed/documents/jwks.json"));
+
+                JsonObject gsonObject = new JsonObject();
+
+
+                JsonParser parser = new JsonParser();
+                JsonElement jsonElement = parser.parse(new FileReader("/Users/jdahmubed/documents/jwks.json"));
+                gsonObject = jsonElement.getAsJsonObject();
+
+                JSONObject jsonObject = new JSONObject();
+                for(String key : gsonObject.keySet()) {
+                    jsonObject.put(key, gsonObject.get(key));
+                }
+                jsonObject.put("alg", "ES256");
+                JWSHeader jwsHeader = JWSHeader.parse(jsonObject);
+
+                JWSHeader header = new JWSHeader(JWSAlgorithm.ES256);
+                header.setJWKURL(new File("/Users/jdahmubed/documents/jwks.json").toURI().toURL());
+                List<com.nimbusds.jose.util.Base64> list = header.getX509CertChain();
+                System.out.print(list);
+            }*/
+
             if (publicKey == null) {
                 throw new IllegalStateException("The given Public Key is null.");
             }
+            //pass in publicKey from x509 or the current key (look up)
             boolean valid = crypto.verifySignatureFor(getDescription(), publicKey, contentBytes, JOSEToDER(signatureBytes));
 
             if (!valid) {
@@ -241,6 +299,7 @@ static ECDSAKeyProvider providerForKeys(final ECPublicKey publicKey, final ECPri
         if (publicKey == null && privateKey == null) {
             throw new IllegalArgumentException("Both provided Keys cannot be null.");
         }
+
         return new ECDSAKeyProvider() {
             @Override
             public ECPublicKey getPublicKeyById(String keyId) {
diff --git a/lib/src/main/java/com/auth0/jwt/algorithms/HMACAlgorithm.java b/lib/src/main/java/com/auth0/jwt/algorithms/HMACAlgorithm.java
@@ -90,6 +90,8 @@ public void verify(DecodedJWT jwt, EncodeType encodeType) throws Exception {
         }
 
         try {
+            //need to add fucntionality to pass in secret or pass in x509 public key
+            //jwks uri
             boolean valid = crypto.verifySignatureFor(getDescription(), secret, contentBytes, signatureBytes);
             if (!valid) {
                 throw new SignatureVerificationException(this);
diff --git a/lib/src/main/java/com/auth0/jwt/algorithms/RSAAlgorithm.java b/lib/src/main/java/com/auth0/jwt/algorithms/RSAAlgorithm.java
@@ -19,7 +19,11 @@
 
 package com.auth0.jwt.algorithms;
 
+import com.auth0.jwk.Jwk;
+import com.auth0.jwk.JwkProvider;
+import com.auth0.jwk.UrlJwkProvider;
 import com.auth0.jwt.creators.EncodeType;
+import com.auth0.jwt.creators.JWTCreator;
 import com.auth0.jwt.exceptions.SignatureGenerationException;
 import com.auth0.jwt.exceptions.SignatureVerificationException;
 import com.auth0.jwt.interfaces.DecodedJWT;
@@ -28,18 +32,24 @@
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.Hex;
 
+import java.io.*;
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
 import java.security.SignatureException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
+import java.util.Arrays;
 
 class RSAAlgorithm extends Algorithm {
 
     private final RSAKeyProvider keyProvider;
     private final CryptoHelper crypto;
+    public static byte[] bytesAfterBeingDecoded;
 
     //Visible for testing
     RSAAlgorithm(CryptoHelper crypto, String id, String algorithm, RSAKeyProvider keyProvider) throws IllegalArgumentException {
@@ -70,14 +80,46 @@ public void verify(DecodedJWT jwt, EncodeType encodeType) throws Exception {
                 Base32 base32 = new Base32();
                 urlDecoded = URLDecoder.decode(signature, "UTF-8");
                 signatureBytes = base32.decode(urlDecoded);
+                System.out.println("signature bytes after being decoded: " + Arrays.toString(signatureBytes));
+                bytesAfterBeingDecoded = signatureBytes;
+                System.out.println("Are they equal? " + Arrays.equals(JWTCreator.bytesBeforeBeingDecoded, bytesAfterBeingDecoded));
                 break;
             case Base64:
                 signatureBytes = Base64.decodeBase64(signature);
+                System.out.println("signature bytes after being decoded: " + Arrays.toString(signatureBytes));
+                bytesAfterBeingDecoded = signatureBytes;
+                System.out.println("Are they equal? " + Arrays.equals(JWTCreator.bytesBeforeBeingDecoded, bytesAfterBeingDecoded));
                 break;
         }
 
         try {
-            RSAPublicKey publicKey = keyProvider.getPublicKeyById(jwt.getKeyId());
+            //RSAPublicKey publicKey = keyProvider.getPublicKeyById(jwt.getKeyId());
+            /*String kid = jwt.getKeyId();
+            JwkProvider provider = new UrlJwkProvider(new File("/Users/jdahmubed/documents/jwksRSA.json").toURI().toURL());
+            Jwk jwk = provider.get(kid);
+            PublicKey publicKey = jwk.getPublicKey();*/
+
+            String kid = jwt.getKeyId();
+            JwkProvider provider = new UrlJwkProvider(new File("/Users/jdahmubed/documents/jwksRSA.json").toURI().toURL());
+            Jwk jwk = provider.get(kid);
+            String cert = jwk.getCertificateChain().get(0);
+            try (Writer writer = new BufferedWriter(new OutputStreamWriter(
+                    new FileOutputStream("/Users/jdahmubed/workspace/javaOIDCMsgForCOMMENTS/lib/src/main/java/com/auth0/jwt/algorithms/jwks.cert"), "utf-8"))) {
+                writer.write("-----BEGIN CERTIFICATE-----");
+                writer.append("\n"+ cert + "\n");
+                writer.append("-----END CERTIFICATE-----");
+            }
+            CertificateFactory fact = CertificateFactory.getInstance("X.509");
+            FileInputStream is = new FileInputStream ("/Users/jdahmubed/workspace/javaOIDCMsgForCOMMENTS/lib/src/main/java/com/auth0/jwt/algorithms/jwks.cert");
+            X509Certificate cer = (X509Certificate) fact.generateCertificate(is);
+            PublicKey publicKey = cer.getPublicKey();
+
+/*
+            FileInputStream fin = new FileInputStream("/Users/jdahmubed/documents/jwksRSA.json");
+            CertificateFactory f = CertificateFactory.getInstance("X.509");
+            X509Certificate certificate = (X509Certificate)f.generateCertificate(fin);
+            PublicKey publicKey = certificate.getPublicKey();*/
+
             if (publicKey == null) {
                 throw new IllegalStateException("The given Public Key is null.");
             }
diff --git a/lib/src/main/java/com/auth0/jwt/creators/JWTCreator.java b/lib/src/main/java/com/auth0/jwt/creators/JWTCreator.java
@@ -39,9 +39,11 @@
 import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.logging.Logger;
 
 /**
  * The JWTCreator class holds the sign method to generate a complete JWT (with Signature) from a given Header and Payload content.
@@ -52,6 +54,7 @@ public final class JWTCreator {
     private final Algorithm algorithm;
     private final String headerJson;
     private final String payloadJson;
+    public static byte[] bytesBeforeBeingDecoded;
 
     private JWTCreator(Algorithm algorithm, Map<String, Object> headerClaims, Map<String, Object> payloadClaims) throws JWTCreationException {
         this.algorithm = algorithm;
@@ -424,31 +427,58 @@ private String signBase16Encoding() throws UnsupportedEncodingException {
 
     private String signBase32Encoding() throws UnsupportedEncodingException{
         Base32 base32 = new Base32();
+        System.out.println("headerJson: " + headerJson);
+        System.out.println("headerJson bytes: " + Arrays.toString(headerJson.getBytes()));
         String header = URLEncoder.encode(headerJson, "UTF-8");
         String payload = URLEncoder.encode(payloadJson, "UTF-8");
 
         byte[] bHeader = header.getBytes("UTF-8");
         String encodedHeader = base32.encodeAsString(bHeader);
 
+
+        System.out.println("header after base64 encoding: " + URLDecoder.decode(new String(base32.decode(encodedHeader))).getBytes());
+        System.out.println("header after base64 encoding bytes: " + Arrays.toString(URLDecoder.decode(new String(base32.decode(encodedHeader))).getBytes()));
+        System.out.println("header after base64 decoding: " + new String(URLDecoder.decode(new String(base32.decode(encodedHeader))).getBytes()));
+        System.out.println("header after base64 decoding bytes: " + Arrays.toString(URLDecoder.decode(new String(base32.decode(encodedHeader))).getBytes()));
+
+        System.out.println("Are they equal I? " + Arrays.equals(headerJson.getBytes(), URLDecoder.decode(new String(base32.decode(encodedHeader))).getBytes()));
+
         byte[] bPayload = payload.getBytes("UTF-8");
         String encodedPayload = base32.encodeAsString(bPayload);
+        System.out.println("payload after base64 encoding: " + encodedPayload);
+        System.out.println("payload after base64 encoding bytes: " + Arrays.toString(encodedPayload.getBytes()));
 
         String content = String.format("%s.%s", encodedHeader, encodedPayload);
         byte[] signatureBytes = algorithm.sign(content.getBytes(StandardCharsets.UTF_8));
+        System.out.println("signature bytes: " + Arrays.toString(signatureBytes));
         String signature = base32.encodeAsString(signatureBytes);
         String signatureFinal = URLEncoder.encode(signature, "UTF-8");
+        System.out.println("signature after base64 encoding bytes: " + Arrays.toString(signature.getBytes()));
+        bytesBeforeBeingDecoded = signatureBytes;
 
         return String.format("%s.%s", content, signatureFinal);
     }
 
     private String defaultSign() throws SignatureGenerationException {
+        System.out.println("headerJson: " + headerJson);
+        System.out.println("headerJson bytes: " + Arrays.toString(headerJson.getBytes()));
         String header = Base64.encodeBase64URLSafeString(headerJson.getBytes(StandardCharsets.UTF_8));
+        System.out.println("header after base64 encoding: " + header);
+        System.out.println("header after base64 encoding bytes: " + Arrays.toString(header.getBytes()));
+        System.out.println("header after base64 decoding: " + new String(Base64.decodeBase64(header)));
+        System.out.println("header after base64 decoding bytes: " + Arrays.toString(Base64.decodeBase64(header)));
+
+        System.out.println("Are they equal I? " + Arrays.equals(headerJson.getBytes(), Base64.decodeBase64(header)));
         String payload = Base64.encodeBase64URLSafeString(payloadJson.getBytes(StandardCharsets.UTF_8));
+        System.out.println("payload after base64 encoding: " + payload);
+        System.out.println("payload after base64 encoding bytes: " + Arrays.toString(payload.getBytes()));
         String content = String.format("%s.%s", header, payload);
 
         byte[] signatureBytes = algorithm.sign(content.getBytes(StandardCharsets.UTF_8));
+        System.out.println("signature bytes: " + Arrays.toString(signatureBytes));
         String signature = Base64.encodeBase64URLSafeString(signatureBytes);
-
+        System.out.println("signature after base64 encoding bytes: " + Arrays.toString(signature.getBytes()));
+        bytesBeforeBeingDecoded = signatureBytes;
         return String.format("%s.%s", content, signature);
     }
 }
diff --git a/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/ImportException.java b/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/ImportException.java
@@ -0,0 +1,7 @@
+package com.auth0.jwt.exceptions.oicmsg_exceptions;
+
+public class ImportException extends Exception {
+    public ImportException(String message) {
+        super(message);
+    }
+}
diff --git a/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/JWKException.java b/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/JWKException.java
@@ -0,0 +1,4 @@
+package com.auth0.jwt.exceptions.oicmsg_exceptions;
+
+public class JWKException extends Exception{
+}
diff --git a/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/KeyUsage.java b/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/KeyUsage.java
@@ -0,0 +1,4 @@
+package com.auth0.jwt.exceptions.oicmsg_exceptions;
+
+public enum KeyUsage {
+}
diff --git a/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/TypeError.java b/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/TypeError.java
@@ -0,0 +1,4 @@
+package com.auth0.jwt.exceptions.oicmsg_exceptions;
+
+public class TypeError extends Exception {
+}
diff --git a/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/UnknownKeyType.java b/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/UnknownKeyType.java
@@ -0,0 +1,7 @@
+package com.auth0.jwt.exceptions.oicmsg_exceptions;
+
+public class UnknownKeyType extends Exception{
+    public UnknownKeyType(String message) {
+        super(message);
+    }
+}
diff --git a/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/UpdateFailed.java b/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/UpdateFailed.java
@@ -0,0 +1,7 @@
+package com.auth0.jwt.exceptions.oicmsg_exceptions;
+
+public class UpdateFailed extends Exception{
+    public UpdateFailed(String message) {
+        super(message);
+    }
+}
diff --git a/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/ValueError.java b/lib/src/main/java/com/auth0/jwt/exceptions/oicmsg_exceptions/ValueError.java
@@ -0,0 +1,4 @@
+package com.auth0.jwt.exceptions.oicmsg_exceptions;
+
+public class ValueError extends Exception {
+}
diff --git a/lib/src/main/java/com/auth0/jwt/oicmsg/KeyBundle.java b/lib/src/main/java/com/auth0/jwt/oicmsg/KeyBundle.java
diff --git a/lib/src/test/java/com/auth0/jwt/algorithms/ECDSABouncyCastleProviderTests.java b/lib/src/test/java/com/auth0/jwt/algorithms/ECDSABouncyCastleProviderTests.java
diff --git a/lib/src/test/java/com/auth0/jwt/creators/JWTCreatorTest.java b/lib/src/test/java/com/auth0/jwt/creators/JWTCreatorTest.java

Original file line number	Diff line number	Diff line change
`@@ -4,3 +4,4 @@`
`4`	`4`	`### of contributors, see the revision history in source control.`
`5`	`5`
`6`	`6`	`Auth0 LLC, Google LLC`
	`7`	`+`
Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,8 @@ public void verify(DecodedJWT jwt, EncodeType encodeType) throws Exception {`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`try {`
	`93`	`+ //need to add fucntionality to pass in secret or pass in x509 public key`
	`94`	`+ //jwks uri`
`93`	`95`	`boolean valid = crypto.verifySignatureFor(getDescription(), secret, contentBytes, signatureBytes);`
`94`	`96`	`if (!valid) {`
`95`	`97`	`throw new SignatureVerificationException(this);`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +package com.auth0.jwt.exceptions.oicmsg_exceptions;
++
 +public class JWKException extends Exception{
 +}