// // Decompiled by Procyon v0.6.0 // package com.google.crypto.tink.jwt; import com.google.crypto.tink.Configuration; import com.google.crypto.tink.subtle.RsaSsaPssVerifyJce; import com.google.crypto.tink.signature.RsaSsaPssPublicKey; import com.google.crypto.tink.subtle.RsaSsaPkcs1VerifyJce; import com.google.crypto.tink.signature.RsaSsaPkcs1PublicKey; import com.google.gson.JsonObject; import com.google.crypto.tink.PublicKeyVerify; import com.google.crypto.tink.jwt.internal.JsonUtil; import com.google.crypto.tink.subtle.EcdsaVerifyJce; import com.google.crypto.tink.subtle.RsaSsaPssSignJce; import com.google.crypto.tink.signature.RsaSsaPssPrivateKey; import com.google.crypto.tink.subtle.RsaSsaPkcs1SignJce; import com.google.crypto.tink.signature.RsaSsaPkcs1PrivateKey; import com.google.crypto.tink.PublicKeySign; import java.nio.charset.StandardCharsets; import com.google.crypto.tink.subtle.EcdsaSignJce; import com.google.crypto.tink.signature.EcdsaPrivateKey; import com.google.crypto.tink.AccessesPartialKey; import com.google.crypto.tink.signature.EcdsaPublicKey; import java.security.GeneralSecurityException; import com.google.crypto.tink.Key; import com.google.crypto.tink.internal.PrimitiveConstructor; import com.google.crypto.tink.internal.PrimitiveRegistry; import com.google.crypto.tink.config.internal.TinkFipsUtil; import com.google.crypto.tink.internal.InternalConfiguration; class JwtSignatureConfigurationV0 { private static final InternalConfiguration INTERNAL_CONFIGURATION; private static final TinkFipsUtil.AlgorithmFipsCompatibility FIPS; private JwtSignatureConfigurationV0() { } private static InternalConfiguration create() { try { final PrimitiveRegistry.Builder builder = PrimitiveRegistry.builder(); JwtPublicKeySignWrapper.registerToInternalPrimitiveRegistry(builder); builder.registerPrimitiveConstructor((PrimitiveConstructor)PrimitiveConstructor.create((PrimitiveConstructor.PrimitiveConstructionFunction)JwtSignatureConfigurationV0::createJwtEcdsaSign, (Class)JwtEcdsaPrivateKey.class, (Class)JwtPublicKeySign.class)); builder.registerPrimitiveConstructor((PrimitiveConstructor)PrimitiveConstructor.create((PrimitiveConstructor.PrimitiveConstructionFunction)JwtSignatureConfigurationV0::createJwtRsaSsaPkcs1Sign, (Class)JwtRsaSsaPkcs1PrivateKey.class, (Class)JwtPublicKeySign.class)); builder.registerPrimitiveConstructor((PrimitiveConstructor)PrimitiveConstructor.create((PrimitiveConstructor.PrimitiveConstructionFunction)JwtSignatureConfigurationV0::createJwtRsaSsaPssSign, (Class)JwtRsaSsaPssPrivateKey.class, (Class)JwtPublicKeySign.class)); JwtPublicKeyVerifyWrapper.registerToInternalPrimitiveRegistry(builder); builder.registerPrimitiveConstructor((PrimitiveConstructor)PrimitiveConstructor.create((PrimitiveConstructor.PrimitiveConstructionFunction)JwtSignatureConfigurationV0::createJwtEcdsaVerify, (Class)JwtEcdsaPublicKey.class, (Class)JwtPublicKeyVerify.class)); builder.registerPrimitiveConstructor((PrimitiveConstructor)PrimitiveConstructor.create((PrimitiveConstructor.PrimitiveConstructionFunction)JwtSignatureConfigurationV0::createJwtRsaSsaPkcs1Verify, (Class)JwtRsaSsaPkcs1PublicKey.class, (Class)JwtPublicKeyVerify.class)); builder.registerPrimitiveConstructor((PrimitiveConstructor)PrimitiveConstructor.create((PrimitiveConstructor.PrimitiveConstructionFunction)JwtSignatureConfigurationV0::createJwtRsaSsaPssVerify, (Class)JwtRsaSsaPssPublicKey.class, (Class)JwtPublicKeyVerify.class)); return InternalConfiguration.createFromPrimitiveRegistry(builder.build()); } catch (final GeneralSecurityException e) { throw new IllegalStateException(e); } } @AccessesPartialKey private static EcdsaPublicKey toEcdsaPublicKey(final JwtEcdsaPublicKey publicKey) { return publicKey.getEcdsaPublicKey(); } @AccessesPartialKey private static EcdsaPrivateKey toEcdsaPrivateKey(final JwtEcdsaPrivateKey privateKey) throws GeneralSecurityException { return privateKey.getEcdsaPrivateKey(); } private static JwtPublicKeySign createJwtEcdsaSign(final JwtEcdsaPrivateKey privateKey) throws GeneralSecurityException { final EcdsaPrivateKey ecdsaPrivateKey = toEcdsaPrivateKey(privateKey); final PublicKeySign signer = EcdsaSignJce.create(ecdsaPrivateKey); final String algorithm = privateKey.getParameters().getAlgorithm().getStandardName(); return rawJwt -> { final String unsignedCompact = JwtFormat.createUnsignedCompact(algorithm, privateKey.getPublicKey().getKid(), rawJwt); return JwtFormat.createSignedCompact(unsignedCompact, signer.sign(unsignedCompact.getBytes(StandardCharsets.US_ASCII))); }; } @AccessesPartialKey private static RsaSsaPkcs1PrivateKey toRsaSsaPkcs1PrivateKey(final JwtRsaSsaPkcs1PrivateKey privateKey) { return privateKey.getRsaSsaPkcs1PrivateKey(); } private static JwtPublicKeySign createJwtRsaSsaPkcs1Sign(final JwtRsaSsaPkcs1PrivateKey privateKey) throws GeneralSecurityException { final RsaSsaPkcs1PrivateKey rsaSsaPkcs1PrivateKey = toRsaSsaPkcs1PrivateKey(privateKey); final PublicKeySign signer = RsaSsaPkcs1SignJce.create(rsaSsaPkcs1PrivateKey); final String algorithm = privateKey.getParameters().getAlgorithm().getStandardName(); return rawJwt -> { final String unsignedCompact = JwtFormat.createUnsignedCompact(algorithm, privateKey.getPublicKey().getKid(), rawJwt); return JwtFormat.createSignedCompact(unsignedCompact, signer.sign(unsignedCompact.getBytes(StandardCharsets.US_ASCII))); }; } @AccessesPartialKey private static RsaSsaPssPrivateKey toRsaSsaPssPrivateKey(final JwtRsaSsaPssPrivateKey privateKey) { return privateKey.getRsaSsaPssPrivateKey(); } private static JwtPublicKeySign createJwtRsaSsaPssSign(final JwtRsaSsaPssPrivateKey privateKey) throws GeneralSecurityException { final RsaSsaPssPrivateKey rsaSsaPssPrivateKey = toRsaSsaPssPrivateKey(privateKey); final PublicKeySign signer = RsaSsaPssSignJce.create(rsaSsaPssPrivateKey); final String algorithm = privateKey.getParameters().getAlgorithm().getStandardName(); return rawJwt -> { final String unsignedCompact = JwtFormat.createUnsignedCompact(algorithm, privateKey.getPublicKey().getKid(), rawJwt); return JwtFormat.createSignedCompact(unsignedCompact, signer.sign(unsignedCompact.getBytes(StandardCharsets.US_ASCII))); }; } private static JwtPublicKeyVerify createJwtEcdsaVerify(final JwtEcdsaPublicKey publicKey) throws GeneralSecurityException { final EcdsaPublicKey ecdsaPublicKey = toEcdsaPublicKey(publicKey); final PublicKeyVerify verifier = EcdsaVerifyJce.create(ecdsaPublicKey); return (compact, validator) -> { final JwtFormat.Parts parts = JwtFormat.splitSignedCompact(compact); verifier.verify(parts.signatureOrMac, parts.unsignedCompact.getBytes(StandardCharsets.US_ASCII)); final JsonObject parsedHeader = JsonUtil.parseJson(parts.header); JwtFormat.validateHeader(parsedHeader, publicKey.getParameters().getAlgorithm().getStandardName(), publicKey.getKid(), publicKey.getParameters().allowKidAbsent()); final RawJwt token = RawJwt.fromJsonPayload(JwtFormat.getTypeHeader(parsedHeader), parts.payload); return validator.validate(token); }; } @AccessesPartialKey private static RsaSsaPkcs1PublicKey toRsaSsaPkcs1PublicKey(final JwtRsaSsaPkcs1PublicKey publicKey) { return publicKey.getRsaSsaPkcs1PublicKey(); } private static JwtPublicKeyVerify createJwtRsaSsaPkcs1Verify(final JwtRsaSsaPkcs1PublicKey publicKey) throws GeneralSecurityException { final RsaSsaPkcs1PublicKey rsaSsaPkcs1PublicKey = toRsaSsaPkcs1PublicKey(publicKey); final PublicKeyVerify verifier = RsaSsaPkcs1VerifyJce.create(rsaSsaPkcs1PublicKey); return (compact, validator) -> { final JwtFormat.Parts parts = JwtFormat.splitSignedCompact(compact); verifier.verify(parts.signatureOrMac, parts.unsignedCompact.getBytes(StandardCharsets.US_ASCII)); final JsonObject parsedHeader = JsonUtil.parseJson(parts.header); JwtFormat.validateHeader(parsedHeader, publicKey.getParameters().getAlgorithm().getStandardName(), publicKey.getKid(), publicKey.getParameters().allowKidAbsent()); final RawJwt token = RawJwt.fromJsonPayload(JwtFormat.getTypeHeader(parsedHeader), parts.payload); return validator.validate(token); }; } @AccessesPartialKey private static RsaSsaPssPublicKey toRsaSsaPssPublicKey(final JwtRsaSsaPssPublicKey publicKey) { return publicKey.getRsaSsaPssPublicKey(); } private static JwtPublicKeyVerify createJwtRsaSsaPssVerify(final JwtRsaSsaPssPublicKey publicKey) throws GeneralSecurityException { final RsaSsaPssPublicKey rsaSsaPssPublicKey = toRsaSsaPssPublicKey(publicKey); final PublicKeyVerify verifier = RsaSsaPssVerifyJce.create(rsaSsaPssPublicKey); return (compact, validator) -> { final JwtFormat.Parts parts = JwtFormat.splitSignedCompact(compact); verifier.verify(parts.signatureOrMac, parts.unsignedCompact.getBytes(StandardCharsets.US_ASCII)); final JsonObject parsedHeader = JsonUtil.parseJson(parts.header); JwtFormat.validateHeader(parsedHeader, publicKey.getParameters().getAlgorithm().getStandardName(), publicKey.getKid(), publicKey.getParameters().allowKidAbsent()); final RawJwt token = RawJwt.fromJsonPayload(JwtFormat.getTypeHeader(parsedHeader), parts.payload); return validator.validate(token); }; } public static Configuration get() throws GeneralSecurityException { if (!JwtSignatureConfigurationV0.FIPS.isCompatible()) { throw new GeneralSecurityException("Cannot use JwtSignatureConfigurationV0, as BoringCrypto module is needed for FIPS compatibility"); } return JwtSignatureConfigurationV0.INTERNAL_CONFIGURATION; } static { INTERNAL_CONFIGURATION = create(); FIPS = TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_REQUIRES_BORINGCRYPTO; } }