
Commit c73beb6

authored
refactor: merge jwt-signer-spi into jwt-signer (#5657)
1 parent f1387ad commit c73beb6

26 files changed

Lines changed: 42 additions & 133 deletions


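--- a/core/common/lib/crypto-common-lib/build.gradle.kts
+++ b/core/common/lib/crypto-common-lib/build.gradle.kts
@@ -19,7 +19,7 @@ dependencies {
 api(project(":spi:common:keys-spi"))
 api(libs.nimbus.jwt) // nimbus classes are exposed on the API surface of CryptoConverter and DefaultJwsSignerProvider
 implementation(project(":spi:common:boot-spi"))
-implementation(project(":spi:common:jwt-signer-spi"))
+implementation(project(":spi:common:jwt-spi"))
 
 // used for the Ed25519 Verifier in conjunction with OctetKeyPairs (OKP)
 runtimeOnly(libs.tink)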

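--- a/core/common/lib/crypto-common-lib/src/main/java/org/eclipse/edc/security/token/jwt/CryptoConverter.java
+++ b/core/common/lib/crypto-common-lib/src/main/java/org/eclipse/edc/security/token/jwt/CryptoConverter.java
@@ -367,18 +367,6 @@ private static ECPublicKey generatePublicKeyFrom(ECPrivateKey priv) throws Inval
 return (ECPublicKey) KeyFactory.getInstance("EC").generatePublic(spec);
 }
 
-/**
-* reverses an array in-place
-*/
-private static byte[] reverseArray(byte[] array) {
-for (var i = 0; i < array.length / 2; i++) {
-var temp = array[i];
-array[i] = array[array.length - 1 - i];
-array[array.length - 1 - i] = temp;
-}
-return array;
-}
-
 private static Ed25519Verifier createEdDsaVerifier(PublicKey publicKey) throws JOSEException {
 var edKey = (EdECPublicKey) publicKey;
 var curve = getCurveAllowing(edKey, ALGORITHM_ED25519);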

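--- a/core/common/lib/crypto-common-lib/src/main/java/org/eclipse/edc/security/token/jwt/DefaultJwsSignerProvider.java
+++ b/core/common/lib/crypto-common-lib/src/main/java/org/eclipse/edc/security/token/jwt/DefaultJwsSignerProvider.java
@@ -15,7 +15,7 @@
 package org.eclipse.edc.security.token.jwt;
 
 import com.nimbusds.jose.JWSSigner;
-import org.eclipse.edc.jwt.signer.spi.JwsSignerProvider;
+import org.eclipse.edc.jwt.spi.signer.JwsSignerProvider;
 import org.eclipse.edc.keys.spi.PrivateKeyResolver;
 import org.eclipse.edc.spi.result.Result;
 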

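--- a/core/common/lib/token-lib/build.gradle.kts
+++ b/core/common/lib/token-lib/build.gradle.kts
@@ -21,7 +21,6 @@ dependencies {
 api(project(":spi:common:keys-spi"))
 api(project(":spi:common:token-spi"))
 api(project(":spi:common:jwt-spi"))
-api(project(":spi:common:jwt-signer-spi"))
 
 implementation(project(":core:common:lib:crypto-common-lib")) // for the CryptoConverter
 implementation(libs.nimbus.jwt)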

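--- a/core/common/lib/token-lib/src/main/java/org/eclipse/edc/token/JwtGenerationService.java
+++ b/core/common/lib/token-lib/src/main/java/org/eclipse/edc/token/JwtGenerationService.java
@@ -21,7 +21,7 @@
 import com.nimbusds.jose.JWSSigner;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
-import org.eclipse.edc.jwt.signer.spi.JwsSignerProvider;
+import org.eclipse.edc.jwt.spi.signer.JwsSignerProvider;
 import org.eclipse.edc.security.token.jwt.CryptoConverter;
 import org.eclipse.edc.spi.EdcException;
 import org.eclipse.edc.spi.iam.TokenParameters;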

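--- a/core/common/lib/token-lib/src/main/java/org/eclipse/edc/token/TokenValidationServiceImpl.java
+++ b/core/common/lib/token-lib/src/main/java/org/eclipse/edc/token/TokenValidationServiceImpl.java
@@ -39,18 +39,10 @@ public Result<ClaimToken> validate(TokenRepresentation tokenRepresentation, Publ
 var additional = tokenRepresentation.getAdditional();
 try {
 var signedJwt = SignedJWT.parse(token);
-var publicKeyId = signedJwt.getHeader().getKeyID();
 
-var publicKeyResolutionResult = publicKeyResolver.resolveKey(publicKeyId);
-
-if (publicKeyResolutionResult.failed()) {
-return publicKeyResolutionResult.mapFailure();
-}
-
-var verifierCreationResult = CryptoConverter.createVerifierFor(publicKeyResolutionResult.getContent());
-
-if (!signedJwt.verify(verifierCreationResult)) {
-return Result.failure("Token verification failed");
+var signatureVerification = verifySignature(signedJwt, publicKeyResolver);
+if (signatureVerification.failed()) {
+return signatureVerification.mapFailure();
 }
 
 var tokenBuilder = ClaimToken.Builder.newInstance();
@@ -76,11 +68,30 @@ public Result<ClaimToken> validate(TokenRepresentation tokenRepresentation, Publ
 
 return Result.success(claimToken);
 
-} catch (JOSEException e) {
-return Result.failure(e.getMessage());
 } catch (ParseException e) {
 return Result.failure("Failed to decode token");
 }
 }
 
+private Result<Void> verifySignature(SignedJWT jwt, PublicKeyResolver publicKeyResolver) {
+var publicKeyId = jwt.getHeader().getKeyID();
+var publicKeyResolutionResult = publicKeyResolver.resolveKey(publicKeyId);
+
+if (publicKeyResolutionResult.failed()) {
+return publicKeyResolutionResult.mapFailure();
+}
+
+var verifierCreationResult = CryptoConverter.createVerifierFor(publicKeyResolutionResult.getContent());
+
+try {
+var result = jwt.verify(verifierCreationResult);
+if (result) {
+return Result.success();
+}
+return Result.failure("JWT signature not valid");
+} catch (JOSEException e) {
+return Result.failure("Cannot verify JWT signature: " + e.getMessage());
+}
+}
+
 }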
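Review bot: In the added `verifySignature`, `CryptoConverter.createVerifierFor(...)` sits outside the `try`, so an unchecked exception from it (its body is not shown on this page) would propagate out of `validate` instead of becoming a `Result.failure`; this is the step that handles a key chosen by the token's own, still-unverified `kid` header. Consider moving that call inside the `try` and converting its failure into a result as well, so that every rejected token takes the same path. `jwt.getHeader().getKeyID()` returns null for a token without a `kid`, and an explicit guard such as `if (publicKeyId == null) { return Result.failure("JWT header has no key ID"); }` before `resolveKey` would avoid depending on each resolver's null handling. The method also has no Javadoc and the local `verifierCreationResult` holds a verifier rather than a `Result`; `var verifier = ...` plus a one-line comment stating that the key is selected by an untrusted header value would make the trust boundary clear.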

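--- a/core/common/token-core/src/main/java/org/eclipse/edc/token/TokenServicesExtension.java
+++ b/core/common/token-core/src/main/java/org/eclipse/edc/token/TokenServicesExtension.java
@@ -14,7 +14,7 @@
 
 package org.eclipse.edc.token;
 
-import org.eclipse.edc.jwt.signer.spi.JwsSignerProvider;
+import org.eclipse.edc.jwt.spi.signer.JwsSignerProvider;
 import org.eclipse.edc.jwt.validation.jti.JtiValidationStore;
 import org.eclipse.edc.keys.spi.PrivateKeyResolver;
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;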

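--- a/core/common/token-core/src/test/java/org/eclipse/edc/jwt/TokenValidationServiceImplTest.java
+++ b/core/common/token-core/src/test/java/org/eclipse/edc/jwt/TokenValidationServiceImplTest.java
@@ -25,7 +25,6 @@
 import com.nimbusds.jwt.SignedJWT;
 import org.eclipse.edc.keys.spi.PublicKeyResolver;
 import org.eclipse.edc.spi.result.Result;
-import org.eclipse.edc.token.TokenValidationRulesRegistryImpl;
 import org.eclipse.edc.token.TokenValidationServiceImpl;
 import org.eclipse.edc.token.spi.TokenValidationRule;
 import org.eclipse.edc.token.spi.TokenValidationService;
@@ -62,7 +61,6 @@ public void setUp() throws JOSEException {
 
 when(publicKeyResolver.resolveKey(any())).thenReturn(Result.failure("not found"));
 when(publicKeyResolver.resolveKey(eq(publicKeyId))).thenReturn(Result.success(publicKey));
-var rulesRegistry = new TokenValidationRulesRegistryImpl();
 tokenValidationService = new TokenValidationServiceImpl();
 }
 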

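--- a/core/common/token-core/src/test/java/org/eclipse/edc/token/JwtGenerationServiceTest.java
+++ b/core/common/token-core/src/test/java/org/eclipse/edc/token/JwtGenerationServiceTest.java
@@ -24,7 +24,7 @@
 import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
 import com.nimbusds.jose.util.Base64URL;
 import com.nimbusds.jwt.SignedJWT;
-import org.eclipse.edc.jwt.signer.spi.JwsSignerProvider;
+import org.eclipse.edc.jwt.spi.signer.JwsSignerProvider;
 import org.eclipse.edc.security.token.jwt.CryptoConverter;
 import org.eclipse.edc.spi.result.Result;
 import org.eclipse.edc.token.spi.TokenDecorator;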

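--- a/extensions/common/crypto/jwt-verifiable-credentials/src/test/java/org/eclipse/edc/verifiablecredentials/jwt/JwtPresentationVerifierTest.java
+++ b/extensions/common/crypto/jwt-verifiable-credentials/src/test/java/org/eclipse/edc/verifiablecredentials/jwt/JwtPresentationVerifierTest.java
@@ -201,7 +201,7 @@ void verifyPresentation_oneVcIsInvalid() throws JOSEException {
 .audience(MY_OWN_DID)
 .build();
 var result = verifier.verify(vpJwt, context);
-assertThat(result).isFailed().detail().contains("Token verification failed");
+assertThat(result).isFailed().detail().contains("JWT signature not valid");
 }
 
 @DisplayName("VP-JWT with a spoofed signature - expect a failure")
@@ -221,7 +221,7 @@ void verifyPresentation_vpJwtInvalid() throws JOSEException {
 .audience(MY_OWN_DID)
 .build();
 var result = verifier.verify(vpJwt, context);
-assertThat(result).isFailed().detail().contains("Token verification failed");
+assertThat(result).isFailed().detail().contains("JWT signature not valid");
 }
 
 @DisplayName("VP-JWT with a missing claim - expect a failure")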
