feat: Implemented KMS, JWKS generation and JWT sign #14
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| package com.sphereon.oid.fed.common.jwt | ||
|
|
||
| expect fun sign(payload: String, opts: Map<String, Any>): String | ||
| expect fun verify(jwt: String, key: Any, opts: Map<String, Any>): Boolean |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| package com.sphereon.oid.fed.common.jwt | ||
|
|
||
| @JsModule("jose") | ||
| @JsNonModule | ||
| external object Jose { | ||
| class SignJWT { | ||
| constructor(payload: dynamic) { | ||
| definedExternally | ||
| } | ||
| fun setProtectedHeader(protectedHeader: dynamic): SignJWT { | ||
| definedExternally | ||
| } | ||
| fun sign(key: Any?, signOptions: Any?): String { | ||
| definedExternally | ||
| } | ||
| } | ||
| fun generateKeyPair(alg: String, options: dynamic = definedExternally): dynamic | ||
| fun jwtVerify(jwt: String, key: Any, options: dynamic = definedExternally): dynamic | ||
| } | ||
|
|
||
| @JsModule("uuid") | ||
| @JsNonModule | ||
| external object Uuid { | ||
| fun v4(): String | ||
| } | ||
|
|
||
| @ExperimentalJsExport | ||
| @JsExport | ||
| actual fun sign( | ||
| payload: String, | ||
| opts: Map<String, Any> | ||
| ): String { | ||
| val privateKey = opts["privateKey"] ?: throw IllegalArgumentException("JWK private key is required") | ||
| val header = opts["jwtHeader"] as String? ?: "{\"typ\":\"JWT\",\"alg\":\"RS256\",\"kid\":\"${Uuid.v4()}\"}" | ||
| return Jose.SignJWT(JSON.parse<Any>(payload).asDynamic()) | ||
| .setProtectedHeader(JSON.parse<Any>(header).asDynamic()) | ||
| .sign(key = privateKey, signOptions = opts) | ||
| } | ||
|
|
||
| @ExperimentalJsExport | ||
| @JsExport | ||
| actual fun verify( | ||
| jwt: String, | ||
| key: Any, | ||
| opts: Map<String, Any> | ||
| ): Boolean { | ||
| return Jose.jwtVerify(jwt, key, opts) | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| package com.sphereon.oid.fed.common.jwt | ||
|
|
||
| import com.sphereon.oid.fed.common.jwt.Jose.generateKeyPair | ||
| import kotlinx.coroutines.async | ||
| import kotlinx.coroutines.await | ||
| import kotlinx.coroutines.test.runTest | ||
| import kotlin.js.Promise | ||
| import kotlin.test.Test | ||
| import kotlin.test.assertTrue | ||
|
|
||
| class JoseJwtTest { | ||
| @OptIn(ExperimentalJsExport::class) | ||
| @Test | ||
| fun signTest() = runTest { | ||
| val keyPair = (generateKeyPair("RS256") as Promise<dynamic>).await() | ||
| val result = async { sign("{ \"iss\": \"test\" }", mutableMapOf("privateKey" to keyPair.privateKey)) } | ||
| assertTrue((result.await() as Promise<String>).await().startsWith("ey")) | ||
| } | ||
|
|
||
| @OptIn(ExperimentalJsExport::class) | ||
| @Test | ||
| fun verifyTest() = runTest { | ||
| val keyPair = (generateKeyPair("RS256") as Promise<dynamic>).await() | ||
| val signed = (sign("{ \"iss\": \"test\" }", mutableMapOf("privateKey" to keyPair.privateKey)) as Promise<dynamic>).await() | ||
| val result = async { verify(signed, keyPair.publicKey, emptyMap()) } | ||
| assertTrue((result.await() as Promise<Boolean>).await()) | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| package com.sphereon.oid.fed.common.jwt | ||
|
|
||
| import com.nimbusds.jose.JWSAlgorithm | ||
| import com.nimbusds.jose.JWSHeader | ||
| import com.nimbusds.jose.JWSSigner | ||
| import com.nimbusds.jose.JWSVerifier | ||
| import com.nimbusds.jose.crypto.RSASSASigner | ||
| import com.nimbusds.jose.crypto.RSASSAVerifier | ||
| import com.nimbusds.jose.jwk.RSAKey | ||
| import com.nimbusds.jose.jwk.gen.RSAKeyGenerator | ||
| import com.nimbusds.jwt.JWTClaimsSet | ||
| import com.nimbusds.jwt.SignedJWT | ||
| import java.util.* | ||
|
|
||
| actual fun sign( | ||
| payload: String, | ||
| opts: Map<String, Any> | ||
| ): String { | ||
| val rsaJWK = opts["key"] as RSAKey? ?: RSAKeyGenerator(2048) | ||
| .keyID(UUID.randomUUID().toString()) | ||
|
There was a problem hiding this comment. @nklomp made a comment about not being possible to generate a random kid with uuid There was a problem hiding this comment. I've made header the second parameter of the sign function, the key should be passed in for both js and jvm now. |
||
| .generate() | ||
|
|
||
| val header = opts["jwtHeader"]?.let { | ||
| JWSHeader.parse(it as String?) | ||
| } ?: JWSHeader.Builder(JWSAlgorithm.RS256).keyID(rsaJWK.keyID).build() | ||
|
|
||
| val signer: JWSSigner = RSASSASigner(rsaJWK) | ||
|
|
||
| val claimsSet = JWTClaimsSet.parse(payload) | ||
|
|
||
| val signedJWT = SignedJWT( | ||
| header, | ||
| claimsSet | ||
| ) | ||
|
|
||
| signedJWT.sign(signer) | ||
| return signedJWT.serialize() | ||
| } | ||
|
|
||
| actual fun verify( | ||
| jwt: String, | ||
| key: Any, | ||
| opts: Map<String, Any> | ||
| ): Boolean { | ||
| try { | ||
| val rsaKey = key as RSAKey | ||
| val verifier: JWSVerifier = RSASSAVerifier(rsaKey) | ||
| val signedJWT = SignedJWT.parse(jwt) | ||
| val verified = signedJWT.verify(verifier) | ||
| return verified | ||
| } catch (e: Exception) { | ||
| throw Exception("Couldn't verify the JWT Signature: ${e.message}", e) | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| package com.sphereon.oid.fed.common.jwt | ||
|
|
||
| import com.nimbusds.jose.jwk.RSAKey | ||
| import com.nimbusds.jose.jwk.gen.RSAKeyGenerator | ||
| import kotlin.test.Test | ||
| import kotlin.test.assertTrue | ||
|
|
||
| class JoseJwtTest { | ||
|
|
||
| @Test | ||
| fun signTest() { | ||
| val signature = sign("{ \"iss\": \"test\" }", emptyMap()) | ||
| assertTrue { signature.startsWith("ey") } | ||
| } | ||
|
|
||
| @Test | ||
| fun verifyTest() { | ||
| val kid = "key1" | ||
| val key: RSAKey = RSAKeyGenerator(2048).keyID(kid).generate() | ||
| val signature = sign("{ \"iss\": \"test\" }", mutableMapOf( | ||
| "key" to key, | ||
| "jwtHeader" to "{\"typ\":\"JWT\",\"alg\":\"RS256\",\"kid\":\"${key.keyID}\"}" | ||
| )) | ||
| assertTrue { verify(signature, key, emptyMap()) } | ||
| } | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should not just create a header, let alone use a random kid value.
Although "kid" is officially not defined, normally they are the JWK thumbprint in case a JWK is used, or a DID VM in case DIDs are used.
So please make a header a first class citizen like the payload. Require it to be passed in. 2nd don't create random kids.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've made header the second parameter of the sign function, the key should be passed in for both js and jvm now.