1fa0161164
Closes gh-215
392 lines
12 KiB
Java
392 lines
12 KiB
Java
/*
|
|
* Copyright 2020-2021 the original author or authors.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* https://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
package org.springframework.security.oauth2.jwt;
|
|
|
|
import java.net.URL;
|
|
import java.util.Collections;
|
|
import java.util.HashMap;
|
|
import java.util.List;
|
|
import java.util.Map;
|
|
import java.util.Set;
|
|
import java.util.function.Consumer;
|
|
|
|
import org.springframework.security.oauth2.core.converter.ClaimConversionService;
|
|
import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
|
|
import org.springframework.util.Assert;
|
|
|
|
/**
|
|
* The JOSE header is a JSON object representing the header parameters of a JSON Web Token,
|
|
* whether the JWT is a JWS or JWE, that describe the cryptographic operations applied to the JWT
|
|
* and optionally, additional properties of the JWT.
|
|
*
|
|
* @author Anoop Garlapati
|
|
* @author Joe Grandja
|
|
* @since 0.0.1
|
|
* @see Jwt
|
|
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7519#section-5">JWT JOSE Header</a>
|
|
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7515#section-4">JWS JOSE Header</a>
|
|
* @see <a target="_blank" href="https://tools.ietf.org/html/rfc7516#section-4">JWE JOSE Header</a>
|
|
*/
|
|
public final class JoseHeader {
|
|
private final Map<String, Object> headers;
|
|
|
|
private JoseHeader(Map<String, Object> headers) {
|
|
this.headers = Collections.unmodifiableMap(new HashMap<>(headers));
|
|
}
|
|
|
|
/**
|
|
* Returns the {@link JwsAlgorithm JWS algorithm} used to digitally sign the JWS.
|
|
*
|
|
* @return the JWS algorithm
|
|
*/
|
|
public JwsAlgorithm getJwsAlgorithm() {
|
|
return getHeader(JoseHeaderNames.ALG);
|
|
}
|
|
|
|
/**
|
|
* Returns the JWK Set URL that refers to the resource of a set of JSON-encoded public keys,
|
|
* one of which corresponds to the key used to digitally sign the JWS or encrypt the JWE.
|
|
*
|
|
* @return the JWK Set URL
|
|
*/
|
|
public URL getJwkSetUri() {
|
|
return getHeader(JoseHeaderNames.JKU);
|
|
}
|
|
|
|
/**
|
|
* Returns the JSON Web Key which is the public key that corresponds to the key
|
|
* used to digitally sign the JWS or encrypt the JWE.
|
|
*
|
|
* @return the JSON Web Key
|
|
*/
|
|
public Map<String, Object> getJwk() {
|
|
return getHeader(JoseHeaderNames.JWK);
|
|
}
|
|
|
|
/**
|
|
* Returns the key ID that is a hint indicating which key was used to secure the JWS or JWE.
|
|
*
|
|
* @return the key ID
|
|
*/
|
|
public String getKeyId() {
|
|
return getHeader(JoseHeaderNames.KID);
|
|
}
|
|
|
|
/**
|
|
* Returns the X.509 URL that refers to the resource for the X.509 public key certificate
|
|
* or certificate chain corresponding to the key used to digitally sign the JWS or encrypt the JWE.
|
|
*
|
|
* @return the X.509 URL
|
|
*/
|
|
public URL getX509Uri() {
|
|
return getHeader(JoseHeaderNames.X5U);
|
|
}
|
|
|
|
/**
|
|
* Returns the X.509 certificate chain that contains the X.509 public key certificate
|
|
* or certificate chain corresponding to the key used to digitally sign the JWS or encrypt the JWE.
|
|
*
|
|
* @return the X.509 certificate chain
|
|
*/
|
|
public List<String> getX509CertificateChain() {
|
|
return getHeader(JoseHeaderNames.X5C);
|
|
}
|
|
|
|
/**
|
|
* Returns the X.509 certificate SHA-1 thumbprint that is a base64url-encoded SHA-1 thumbprint (a.k.a. digest)
|
|
* of the DER encoding of the X.509 certificate corresponding to the key used to digitally sign the JWS or encrypt the JWE.
|
|
*
|
|
* @return the X.509 certificate SHA-1 thumbprint
|
|
*/
|
|
public String getX509SHA1Thumbprint() {
|
|
return getHeader(JoseHeaderNames.X5T);
|
|
}
|
|
|
|
/**
|
|
* Returns the X.509 certificate SHA-256 thumbprint that is a base64url-encoded SHA-256 thumbprint (a.k.a. digest)
|
|
* of the DER encoding of the X.509 certificate corresponding to the key used to digitally sign the JWS or encrypt the JWE.
|
|
*
|
|
* @return the X.509 certificate SHA-256 thumbprint
|
|
*/
|
|
public String getX509SHA256Thumbprint() {
|
|
return getHeader(JoseHeaderNames.X5T_S256);
|
|
}
|
|
|
|
/**
|
|
* Returns the critical headers that indicates which extensions to the JWS/JWE/JWA specifications
|
|
* are being used that MUST be understood and processed.
|
|
*
|
|
* @return the critical headers
|
|
*/
|
|
public Set<String> getCritical() {
|
|
return getHeader(JoseHeaderNames.CRIT);
|
|
}
|
|
|
|
/**
|
|
* Returns the type header that declares the media type of the JWS/JWE.
|
|
*
|
|
* @return the type header
|
|
*/
|
|
public String getType() {
|
|
return getHeader(JoseHeaderNames.TYP);
|
|
}
|
|
|
|
/**
|
|
* Returns the content type header that declares the media type of the secured content (the payload).
|
|
*
|
|
* @return the content type header
|
|
*/
|
|
public String getContentType() {
|
|
return getHeader(JoseHeaderNames.CTY);
|
|
}
|
|
|
|
/**
|
|
* Returns the headers.
|
|
*
|
|
* @return the headers
|
|
*/
|
|
public Map<String, Object> getHeaders() {
|
|
return this.headers;
|
|
}
|
|
|
|
/**
|
|
* Returns the header value.
|
|
*
|
|
* @param name the header name
|
|
* @param <T> the type of the header value
|
|
* @return the header value
|
|
*/
|
|
@SuppressWarnings("unchecked")
|
|
public <T> T getHeader(String name) {
|
|
Assert.hasText(name, "name cannot be empty");
|
|
return (T) getHeaders().get(name);
|
|
}
|
|
|
|
/**
|
|
* Returns a new {@link Builder}.
|
|
*
|
|
* @return the {@link Builder}
|
|
*/
|
|
public static Builder builder() {
|
|
return new Builder();
|
|
}
|
|
|
|
/**
|
|
* Returns a new {@link Builder}, initialized with the provided {@link JwsAlgorithm}.
|
|
*
|
|
* @param jwsAlgorithm the {@link JwsAlgorithm}
|
|
* @return the {@link Builder}
|
|
*/
|
|
public static Builder withAlgorithm(JwsAlgorithm jwsAlgorithm) {
|
|
return new Builder(jwsAlgorithm);
|
|
}
|
|
|
|
/**
|
|
* Returns a new {@link Builder}, initialized with the provided {@code headers}.
|
|
*
|
|
* @param headers the headers
|
|
* @return the {@link Builder}
|
|
*/
|
|
public static Builder from(JoseHeader headers) {
|
|
return new Builder(headers);
|
|
}
|
|
|
|
/**
|
|
* A builder for {@link JoseHeader}.
|
|
*/
|
|
public static final class Builder {
|
|
private final Map<String, Object> headers = new HashMap<>();
|
|
|
|
private Builder() {
|
|
}
|
|
|
|
private Builder(JwsAlgorithm jwsAlgorithm) {
|
|
Assert.notNull(jwsAlgorithm, "jwsAlgorithm cannot be null");
|
|
header(JoseHeaderNames.ALG, jwsAlgorithm);
|
|
}
|
|
|
|
private Builder(JoseHeader headers) {
|
|
Assert.notNull(headers, "headers cannot be null");
|
|
this.headers.putAll(headers.getHeaders());
|
|
}
|
|
|
|
/**
|
|
* Sets the {@link JwsAlgorithm JWS algorithm} used to digitally sign the JWS.
|
|
*
|
|
* @param jwsAlgorithm the JWS algorithm
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder jwsAlgorithm(JwsAlgorithm jwsAlgorithm) {
|
|
return header(JoseHeaderNames.ALG, jwsAlgorithm);
|
|
}
|
|
|
|
/**
|
|
* Sets the JWK Set URL that refers to the resource of a set of JSON-encoded public keys,
|
|
* one of which corresponds to the key used to digitally sign the JWS or encrypt the JWE.
|
|
*
|
|
* @param jwkSetUri the JWK Set URL
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder jwkSetUri(String jwkSetUri) {
|
|
return header(JoseHeaderNames.JKU, jwkSetUri);
|
|
}
|
|
|
|
/**
|
|
* Sets the JSON Web Key which is the public key that corresponds to the key
|
|
* used to digitally sign the JWS or encrypt the JWE.
|
|
*
|
|
* @param jwk the JSON Web Key
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder jwk(Map<String, Object> jwk) {
|
|
return header(JoseHeaderNames.JWK, jwk);
|
|
}
|
|
|
|
/**
|
|
* Sets the key ID that is a hint indicating which key was used to secure the JWS or JWE.
|
|
*
|
|
* @param keyId the key ID
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder keyId(String keyId) {
|
|
return header(JoseHeaderNames.KID, keyId);
|
|
}
|
|
|
|
/**
|
|
* Sets the X.509 URL that refers to the resource for the X.509 public key certificate
|
|
* or certificate chain corresponding to the key used to digitally sign the JWS or encrypt the JWE.
|
|
*
|
|
* @param x509Uri the X.509 URL
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder x509Uri(String x509Uri) {
|
|
return header(JoseHeaderNames.X5U, x509Uri);
|
|
}
|
|
|
|
/**
|
|
* Sets the X.509 certificate chain that contains the X.509 public key certificate
|
|
* or certificate chain corresponding to the key used to digitally sign the JWS or encrypt the JWE.
|
|
*
|
|
* @param x509CertificateChain the X.509 certificate chain
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder x509CertificateChain(List<String> x509CertificateChain) {
|
|
return header(JoseHeaderNames.X5C, x509CertificateChain);
|
|
}
|
|
|
|
/**
|
|
* Sets the X.509 certificate SHA-1 thumbprint that is a base64url-encoded SHA-1 thumbprint (a.k.a. digest)
|
|
* of the DER encoding of the X.509 certificate corresponding to the key used to digitally sign the JWS or encrypt the JWE.
|
|
*
|
|
* @param x509SHA1Thumbprint the X.509 certificate SHA-1 thumbprint
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder x509SHA1Thumbprint(String x509SHA1Thumbprint) {
|
|
return header(JoseHeaderNames.X5T, x509SHA1Thumbprint);
|
|
}
|
|
|
|
/**
|
|
* Sets the X.509 certificate SHA-256 thumbprint that is a base64url-encoded SHA-256 thumbprint (a.k.a. digest)
|
|
* of the DER encoding of the X.509 certificate corresponding to the key used to digitally sign the JWS or encrypt the JWE.
|
|
*
|
|
* @param x509SHA256Thumbprint the X.509 certificate SHA-256 thumbprint
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder x509SHA256Thumbprint(String x509SHA256Thumbprint) {
|
|
return header(JoseHeaderNames.X5T_S256, x509SHA256Thumbprint);
|
|
}
|
|
|
|
/**
|
|
* Sets the critical headers that indicates which extensions to the JWS/JWE/JWA specifications
|
|
* are being used that MUST be understood and processed.
|
|
*
|
|
* @param headerNames the critical header names
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder critical(Set<String> headerNames) {
|
|
return header(JoseHeaderNames.CRIT, headerNames);
|
|
}
|
|
|
|
/**
|
|
* Sets the type header that declares the media type of the JWS/JWE.
|
|
*
|
|
* @param type the type header
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder type(String type) {
|
|
return header(JoseHeaderNames.TYP, type);
|
|
}
|
|
|
|
/**
|
|
* Sets the content type header that declares the media type of the secured content (the payload).
|
|
*
|
|
* @param contentType the content type header
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder contentType(String contentType) {
|
|
return header(JoseHeaderNames.CTY, contentType);
|
|
}
|
|
|
|
/**
|
|
* Sets the header.
|
|
*
|
|
* @param name the header name
|
|
* @param value the header value
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder header(String name, Object value) {
|
|
Assert.hasText(name, "name cannot be empty");
|
|
Assert.notNull(value, "value cannot be null");
|
|
this.headers.put(name, value);
|
|
return this;
|
|
}
|
|
|
|
/**
|
|
* A {@code Consumer} to be provided access to the headers
|
|
* allowing the ability to add, replace, or remove.
|
|
*
|
|
* @param headersConsumer a {@code Consumer} of the headers
|
|
* @return the {@link Builder}
|
|
*/
|
|
public Builder headers(Consumer<Map<String, Object>> headersConsumer) {
|
|
headersConsumer.accept(this.headers);
|
|
return this;
|
|
}
|
|
|
|
/**
|
|
* Builds a new {@link JoseHeader}.
|
|
*
|
|
* @return a {@link JoseHeader}
|
|
*/
|
|
public JoseHeader build() {
|
|
Assert.notEmpty(this.headers, "headers cannot be empty");
|
|
convertAsURL(JoseHeaderNames.JKU);
|
|
convertAsURL(JoseHeaderNames.X5U);
|
|
return new JoseHeader(this.headers);
|
|
}
|
|
|
|
private void convertAsURL(String header) {
|
|
Object value = this.headers.get(header);
|
|
if (value != null) {
|
|
URL convertedValue = ClaimConversionService.getSharedInstance().convert(value, URL.class);
|
|
Assert.isTrue(convertedValue != null,
|
|
() -> "Unable to convert header '" + header + "' of type '" + value.getClass() + "' to URL.");
|
|
this.headers.put(header, convertedValue);
|
|
}
|
|
}
|
|
}
|
|
}
|