From 8e8e14c6382bf54bf66e6b6ff89531fb7301798d Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Mon, 15 Apr 2013 17:12:47 -0400 Subject: [PATCH] added at_hash --- .../connect/token/ConnectTokenEnhancer.java | 51 ++++++++++++++++++- 1 file changed, 49 insertions(+), 2 deletions(-) diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java index 83d4bec49..ad5909005 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java @@ -15,10 +15,17 @@ ******************************************************************************/ package org.mitre.openid.connect.token; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.util.Arrays; import java.util.Date; import java.util.Set; import java.util.UUID; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; import javax.servlet.http.HttpSession; import org.mitre.jwt.signer.service.JwtSigningAndValidationService; @@ -31,6 +38,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.oauth2.common.OAuth2AccessToken; +import org.springframework.security.oauth2.common.util.OAuth2Utils; import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.oauth2.provider.token.TokenEnhancer; import org.springframework.stereotype.Service; @@ -40,7 +48,9 @@ import org.springframework.web.context.request.ServletRequestAttributes; import com.google.common.base.Strings; import com.google.common.collect.Lists; import com.google.common.collect.Sets; +import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; +import com.nimbusds.jose.util.Base64URL; import com.nimbusds.jwt.JWTClaimsSet; import com.nimbusds.jwt.SignedJWT; @@ -80,7 +90,8 @@ public class ConnectTokenEnhancer implements TokenEnhancer { // TODO: use client's default signing algorithm - SignedJWT signed = new SignedJWT(new JWSHeader(jwtService.getDefaultSigningAlgorithm()), claims); + JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm(); + SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims); jwtService.signJwt(signed); @@ -132,7 +143,43 @@ public class ConnectTokenEnhancer implements TokenEnhancer { idClaims.setCustomClaim("nonce", nonce); } - SignedJWT idToken = new SignedJWT(new JWSHeader(jwtService.getDefaultSigningAlgorithm()), idClaims); + String responseType = authentication.getAuthorizationRequest().getAuthorizationParameters().get("response_type"); + Set responseTypes = OAuth2Utils.parseParameterList(responseType); + if (responseTypes.contains("token")) { + // calculate the token hash + + // get the right algorithm size + // TODO: all this string parsing feels like a bad hack + String algName = signingAlg.getName(); + Pattern re = Pattern.compile("^[HRE]S(\\d+)$"); + Matcher match = re.matcher(algName); + if (match.matches()) { + String bits = match.group(1); + String hmacAlg = "HMACSHA" + bits; + try { + Mac mac = Mac.getInstance(hmacAlg); + mac.init(new SecretKeySpec(token.getJwt().serialize().getBytes(), hmacAlg)); + + byte[] at_hash_bytes = mac.doFinal(); + byte[] at_hash_bytes_left = Arrays.copyOf(at_hash_bytes, at_hash_bytes.length / 2); + Base64URL at_hash = Base64URL.encode(at_hash_bytes_left); + + idClaims.setClaim("at_hash", at_hash); + + } catch (NoSuchAlgorithmException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } catch (InvalidKeyException e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + + } + + } + + + SignedJWT idToken = new SignedJWT(new JWSHeader(signingAlg), idClaims); //TODO: check for client's preferred signer alg and use that