Upgraded to nimbus 4.2, closes mitreid-connect#934

Author: jricher

openid-connect-client/src/main/java/org/mitre/openid/connect/client/NamedAdminAuthoritiesMapper.java

@@ -31,7 +31,7 @@
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 
 import com.nimbusds.jwt.JWT;
-import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
+import com.nimbusds.jwt.JWTClaimsSet;
 
 /**
  * 
@@ -56,7 +56,7 @@ public Collection<? extends GrantedAuthority> mapAuthorities(JWT idToken, UserIn
 
 Set<GrantedAuthority> out = new HashSet<>();
 try {
-ReadOnlyJWTClaimsSet claims = idToken.getJWTClaimsSet();
+JWTClaimsSet claims = idToken.getJWTClaimsSet();
 
 SubjectIssuerGrantedAuthority authority = new SubjectIssuerGrantedAuthority(claims.getSubject(), claims.getIssuer());
 out.add(authority);

openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java

@@ -16,6 +16,10 @@
  *******************************************************************************/
 package org.mitre.openid.connect.client;
 
+import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.PRIVATE_KEY;
+import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.SECRET_BASIC;
+import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.SECRET_JWT;
+
 import java.io.IOException;
 import java.math.BigInteger;
 import java.net.URI;
@@ -75,13 +79,8 @@
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.JWTParser;
 import com.nimbusds.jwt.PlainJWT;
-import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 
-import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.PRIVATE_KEY;
-import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.SECRET_BASIC;
-import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.SECRET_JWT;
-
 /**
  * OpenID Connect Authentication Filter class
  * 
@@ -374,25 +373,25 @@ protected ClientHttpRequest createRequest(URI url, HttpMethod method) throws IOE
 throw new AuthenticationServiceException("Couldn't find required signer service for use with private key auth.");
 }
 
-JWTClaimsSet claimsSet = new JWTClaimsSet();
+JWTClaimsSet.Builder claimsSet = new JWTClaimsSet.Builder();
 
-claimsSet.setIssuer(clientConfig.getClientId());
-claimsSet.setSubject(clientConfig.getClientId());
-claimsSet.setAudience(Lists.newArrayList(serverConfig.getTokenEndpointUri()));
-claimsSet.setJWTID(UUID.randomUUID().toString());
+claimsSet.issuer(clientConfig.getClientId());
+claimsSet.subject(clientConfig.getClientId());
+claimsSet.audience(Lists.newArrayList(serverConfig.getTokenEndpointUri()));
+claimsSet.jwtID(UUID.randomUUID().toString());
 
 // TODO: make this configurable
 Date exp = new Date(System.currentTimeMillis() + (60 * 1000)); // auth good for 60 seconds
-claimsSet.setExpirationTime(exp);
+claimsSet.expirationTime(exp);
 
 Date now = new Date(System.currentTimeMillis());
-claimsSet.setIssueTime(now);
-claimsSet.setNotBeforeTime(now);
+claimsSet.issueTime(now);
+claimsSet.notBeforeTime(now);
 
 JWSHeader header = new JWSHeader(alg, null, null, null, null, null, null, null, null, null,
 signer.getDefaultSignerKeyId(),
 null, null);
-SignedJWT jwt = new SignedJWT(header, claimsSet);
+SignedJWT jwt = new SignedJWT(header, claimsSet.build());
 
 signer.signJwt(jwt, alg);
 
@@ -472,7 +471,7 @@ protected ClientHttpRequest createRequest(URI url, HttpMethod method) throws IOE
 JWT idToken = JWTParser.parse(idTokenValue);
 
 // validate our ID Token over a number of tests
-ReadOnlyJWTClaimsSet idClaims = idToken.getJWTClaimsSet();
+JWTClaimsSet idClaims = idToken.getJWTClaimsSet();
 
 // check the signature
 JWTSigningAndValidationService jwtValidator = null;

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/EncryptedAuthRequestUrlBuilder.java

@@ -58,33 +58,33 @@ public class EncryptedAuthRequestUrlBuilder implements AuthRequestUrlBuilder {
 public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredClient clientConfig, String redirectUri, String nonce, String state, Map<String, String> options, String loginHint) {
 
 // create our signed JWT for the request object
-JWTClaimsSet claims = new JWTClaimsSet();
+JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();
 
 //set parameters to JwtClaims
-claims.setClaim("response_type", "code");
-claims.setClaim("client_id", clientConfig.getClientId());
-claims.setClaim("scope", Joiner.on(" ").join(clientConfig.getScope()));
+claims.claim("response_type", "code");
+claims.claim("client_id", clientConfig.getClientId());
+claims.claim("scope", Joiner.on(" ").join(clientConfig.getScope()));
 
 // build our redirect URI
-claims.setClaim("redirect_uri", redirectUri);
+claims.claim("redirect_uri", redirectUri);
 
 // this comes back in the id token
-claims.setClaim("nonce", nonce);
+claims.claim("nonce", nonce);
 
 // this comes back in the auth request return
-claims.setClaim("state", state);
+claims.claim("state", state);
 
 // Optional parameters
 for (Entry<String, String> option : options.entrySet()) {
-claims.setClaim(option.getKey(), option.getValue());
+claims.claim(option.getKey(), option.getValue());
 }
 
 // if there's a login hint, send it
 if (!Strings.isNullOrEmpty(loginHint)) {
-claims.setClaim("login_hint", loginHint);
+claims.claim("login_hint", loginHint);
 }
 
-EncryptedJWT jwt = new EncryptedJWT(new JWEHeader(alg, enc), claims);
+EncryptedJWT jwt = new EncryptedJWT(new JWEHeader(alg, enc), claims.build());
 
 JWTEncryptionAndDecryptionService encryptor = encrypterService.getEncrypter(serverConfig.getJwksUri());
 

openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java

@@ -52,38 +52,38 @@ public class SignedAuthRequestUrlBuilder implements AuthRequestUrlBuilder {
 public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredClient clientConfig, String redirectUri, String nonce, String state, Map<String, String> options, String loginHint) {
 
 // create our signed JWT for the request object
-JWTClaimsSet claims = new JWTClaimsSet();
+JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();
 
 //set parameters to JwtClaims
-claims.setClaim("response_type", "code");
-claims.setClaim("client_id", clientConfig.getClientId());
-claims.setClaim("scope", Joiner.on(" ").join(clientConfig.getScope()));
+claims.claim("response_type", "code");
+claims.claim("client_id", clientConfig.getClientId());
+claims.claim("scope", Joiner.on(" ").join(clientConfig.getScope()));
 
 // build our redirect URI
-claims.setClaim("redirect_uri", redirectUri);
+claims.claim("redirect_uri", redirectUri);
 
 // this comes back in the id token
-claims.setClaim("nonce", nonce);
+claims.claim("nonce", nonce);
 
 // this comes back in the auth request return
-claims.setClaim("state", state);
+claims.claim("state", state);
 
 // Optional parameters
 for (Entry<String, String> option : options.entrySet()) {
-claims.setClaim(option.getKey(), option.getValue());
+claims.claim(option.getKey(), option.getValue());
 }
 
 // if there's a login hint, send it
 if (!Strings.isNullOrEmpty(loginHint)) {
-claims.setClaim("login_hint", loginHint);
+claims.claim("login_hint", loginHint);
 }
 
 JWSAlgorithm alg = clientConfig.getRequestObjectSigningAlg();
 if (alg == null) {
 alg = signingAndValidationService.getDefaultSigningAlgorithm();
 }
 
-SignedJWT jwt = new SignedJWT(new JWSHeader(alg), claims);
+SignedJWT jwt = new SignedJWT(new JWSHeader(alg), claims.build());
 
 signingAndValidationService.signJwt(jwt, alg);
 

openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestSignedAuthRequestUrlBuilder.java

@@ -43,7 +43,7 @@
 import com.nimbusds.jose.jwk.KeyUse;
 import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.util.Base64URL;
-import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
+import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
 
 import static org.junit.Assert.assertEquals;
@@ -130,7 +130,7 @@ public void buildAuthRequestUrl() {
 
 UriComponents components = builder.build();
 String jwtString = components.getQueryParams().get("request").get(0);
-ReadOnlyJWTClaimsSet claims = null;
+JWTClaimsSet claims = null;
 
 try {
 SignedJWT jwt = SignedJWT.parse(jwtString);
@@ -169,7 +169,7 @@ public void buildAuthRequestUrl_withLoginHint() {
 
 UriComponents components = builder.build();
 String jwtString = components.getQueryParams().get("request").get(0);
-ReadOnlyJWTClaimsSet claims = null;
+JWTClaimsSet claims = null;
 
 try {
 SignedJWT jwt = SignedJWT.parse(jwtString);

openid-connect-common/src/main/java/org/mitre/jwt/encryption/service/impl/DefaultJWTEncryptionAndDecryptionService.java

@@ -272,11 +272,11 @@ public Collection<JWEAlgorithm> getAllEncryptionAlgsSupported() {
 Set<JWEAlgorithm> algs = new HashSet<>();
 
 for (JWEEncrypter encrypter : encrypters.values()) {
-algs.addAll(encrypter.supportedAlgorithms());
+algs.addAll(encrypter.supportedJWEAlgorithms());
 }
 
 for (JWEDecrypter decrypter : decrypters.values()) {
-algs.addAll(decrypter.supportedAlgorithms());
+algs.addAll(decrypter.supportedJWEAlgorithms());
 }
 
 return algs;

openid-connect-common/src/main/java/org/mitre/jwt/signer/service/impl/DefaultJWTSigningAndValidationService.java

@@ -17,6 +17,8 @@
 package org.mitre.jwt.signer.service.impl;
 
 import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
 import java.security.spec.InvalidKeySpecException;
 import java.util.Collection;
 import java.util.HashMap;
@@ -160,41 +162,45 @@ private void buildSignersAndVerifiers() throws NoSuchAlgorithmException, Invalid
 String id = jwkEntry.getKey();
 JWK jwk = jwkEntry.getValue();
 
-if (jwk instanceof RSAKey) {
-// build RSA signers & verifiers
-
-if (jwk.isPrivate()) { // only add the signer if there's a private key
-RSASSASigner signer = new RSASSASigner(((RSAKey) jwk).toRSAPrivateKey());
-signers.put(id, signer);
-}
-
-RSASSAVerifier verifier = new RSASSAVerifier(((RSAKey) jwk).toRSAPublicKey());
-verifiers.put(id, verifier);
-
-} else if (jwk instanceof ECKey) {
-// build EC signers & verifiers
-
-if (jwk.isPrivate()) {
-ECDSASigner signer = new ECDSASigner(((ECKey) jwk).getD().decodeToBigInteger());
-signers.put(id, signer);
-}
-
-ECDSAVerifier verifier = new ECDSAVerifier(((ECKey) jwk).getX().decodeToBigInteger(), ((ECKey) jwk).getY().decodeToBigInteger());
-verifiers.put(id, verifier);
-
-} else if (jwk instanceof OctetSequenceKey) {
-// build HMAC signers & verifiers
-
-if (jwk.isPrivate()) { // technically redundant check because all HMAC keys are private
-MACSigner signer = new MACSigner(((OctetSequenceKey) jwk).toByteArray());
-signers.put(id, signer);
+try {
+if (jwk instanceof RSAKey) {
+// build RSA signers & verifiers
+
+if (jwk.isPrivate()) { // only add the signer if there's a private key
+RSASSASigner signer = new RSASSASigner((RSAKey) jwk);
+signers.put(id, signer);
+}
+
+RSASSAVerifier verifier = new RSASSAVerifier((RSAKey) jwk);
+verifiers.put(id, verifier);
+
+} else if (jwk instanceof ECKey) {
+// build EC signers & verifiers
+
+if (jwk.isPrivate()) {
+ECDSASigner signer = new ECDSASigner((ECKey) jwk);
+signers.put(id, signer);
+}
+
+ECDSAVerifier verifier = new ECDSAVerifier((ECKey) jwk);
+verifiers.put(id, verifier);
+
+} else if (jwk instanceof OctetSequenceKey) {
+// build HMAC signers & verifiers
+
+if (jwk.isPrivate()) { // technically redundant check because all HMAC keys are private
+MACSigner signer = new MACSigner((OctetSequenceKey) jwk);
+signers.put(id, signer);
+}
+
+MACVerifier verifier = new MACVerifier((OctetSequenceKey) jwk);
+verifiers.put(id, verifier);
+
+} else {
+logger.warn("Unknown key type: " + jwk);
 }
-
-MACVerifier verifier = new MACVerifier(((OctetSequenceKey) jwk).toByteArray());
-verifiers.put(id, verifier);
-
-} else {
-logger.warn("Unknown key type: " + jwk);
+} catch (JOSEException e) {
+logger.warn("Exception loading signer/verifier", e);
 }
 }
 
@@ -230,7 +236,7 @@ public void signJwt(SignedJWT jwt, JWSAlgorithm alg) {
 JWSSigner signer = null;
 
 for (JWSSigner s : signers.values()) {
-if (s.supportedAlgorithms().contains(alg)) {
+if (s.supportedJWSAlgorithms().contains(alg)) {
 signer = s;
 break;
 }
@@ -292,11 +298,11 @@ public Collection<JWSAlgorithm> getAllSigningAlgsSupported() {
 Set<JWSAlgorithm> algs = new HashSet<>();
 
 for (JWSSigner signer : signers.values()) {
-algs.addAll(signer.supportedAlgorithms());
+algs.addAll(signer.supportedJWSAlgorithms());
 }
 
 for (JWSVerifier verifier : verifiers.values()) {
-algs.addAll(verifier.supportedAlgorithms());
+algs.addAll(verifier.supportedJWSAlgorithms());
 }
 
 return algs;

openid-connect-common/src/test/java/org/mitre/jwt/encryption/service/impl/TestDefaultJWTEncryptionAndDecryptionService.java

@@ -42,7 +42,6 @@
 import com.nimbusds.jose.util.JSONObjectUtils;
 import com.nimbusds.jwt.EncryptedJWT;
 import com.nimbusds.jwt.JWTClaimsSet;
-import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
 
 import static org.hamcrest.CoreMatchers.nullValue;
 
@@ -63,7 +62,7 @@ public class TestDefaultJWTEncryptionAndDecryptionService {
 
 private String issuer = "www.example.net";
 private String subject = "example_user";
-private JWTClaimsSet claimsSet = new JWTClaimsSet();
+private JWTClaimsSet claimsSet = null;
 
 // Example data taken from Mike Jones's draft-ietf-jose-json-web-encryption-14 appendix examples
 private String compactSerializedJwe = "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ." +
@@ -152,8 +151,10 @@ public void prepare() throws NoSuchAlgorithmException, InvalidKeySpecException,
 service_3 = new DefaultJWTEncryptionAndDecryptionService(keys_3);
 service_4 = new DefaultJWTEncryptionAndDecryptionService(keys_4);
 
-claimsSet.setIssuer(issuer);
-claimsSet.setSubject(subject);
+claimsSet = new JWTClaimsSet.Builder()
+.issuer(issuer)
+.subject(subject)
+.build();
 
 // Key Store
 
@@ -203,7 +204,7 @@ public void encryptThenDecrypt_RSA() throws ParseException {
 assertThat(encryptedJwt.getJWTClaimsSet(), nullValue());
 service.decryptJwt(encryptedJwt);
 
-ReadOnlyJWTClaimsSet resultClaims = encryptedJwt.getJWTClaimsSet();
+JWTClaimsSet resultClaims = encryptedJwt.getJWTClaimsSet();
 
 assertEquals(claimsSet.getIssuer(), resultClaims.getIssuer());
 assertEquals(claimsSet.getSubject(), resultClaims.getSubject());
@@ -231,7 +232,7 @@ public void encryptThenDecrypt_nullID() throws ParseException {
 assertThat(encryptedJwt.getJWTClaimsSet(), nullValue());
 service.decryptJwt(encryptedJwt);
 
-ReadOnlyJWTClaimsSet resultClaims = encryptedJwt.getJWTClaimsSet();
+JWTClaimsSet resultClaims = encryptedJwt.getJWTClaimsSet();
 
 assertEquals(claimsSet.getIssuer(), resultClaims.getIssuer());
 assertEquals(claimsSet.getSubject(), resultClaims.getSubject());