I have written X25519 DH keyagreement with Java, but I have to use nodejs to reimplement this, so that I can make keyagreement between js client and java backend.
I used node crypto module, but the length of shared key is not the same regarding implemented by Java.
Here is my Java code, and could anybody help me show the nodejs codes. Thanks.
package com.demo;
import java.util.Base64;
import javax.crypto.KeyAgreement;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;
public class Main {
public static void main(String[] args) {
// write your code here
System.out.println("Hello world");
String peerPub = "MCowBQYDK2VuAyEAfMePklV88QMhq8qlVxLI6RK1pV4cFUrMwJgPmrXLyVU=";
try {
buildSecret(peerPub);
}
catch (Exception e) {
}
}
public static void buildSecret(String peerPub) throws Exception {
KeyPairGenerator kpgen = KeyPairGenerator.getInstance("XDH");
kpgen.initialize(new ECGenParameterSpec("X25519"));
KeyPair myKP = kpgen.generateKeyPair();
byte[] pp = Base64.getDecoder().decode(peerPub);
PublicKey peerKey = bytesToPublicKey(pp);
KeyAgreement ka = KeyAgreement.getInstance("XDH");
ka.init(myKP.getPrivate());
ka.doPhase(peerKey, true);
// System.out.println( myKP.getPublic().getEncoded().length );
String publicKey = Base64.getEncoder().encodeToString(myKP.getPublic().getEncoded());
// System.out.println( ka.generateSecret().length );
String sharedKey = Base64.getEncoder().encodeToString(ka.generateSecret());
System.out.println(publicKey);
System.out.println(sharedKey);
}
private static PublicKey bytesToPublicKey(byte[] data) throws Exception {
KeyFactory kf = KeyFactory.getInstance("X25519");
return kf.generatePublic(new X509EncodedKeySpec(data));
}
}
And the nodejs code is following(not working):
const crypto = require('crypto');
const ecdhKeyagreement = () => {
const CURVE = 'x25519';
let m_privateKey;
let m_publicKey;
let m_sharedKey;
const generatePublicAndPrivateKeys = () => {
const {publicKey, privateKey} = crypto.generateKeyPairSync('x25519', {
modulusLength: 4096,
publicKeyEncoding: {
type: 'spki',
format: 'pem'
},
privateKeyEncoding: {
type: 'pkcs8',
format: 'pem'
}
})
m_privateKey = privateKey
m_publicKey = publicKey
}
const computeSharedKey = (peerPub) => {
// console.log(m_publicKey)
// console.log(m_privateKey)
const bob = crypto.createDiffieHellman(512)
bob.setPrivateKey(m_privateKey)
m_sharedKey = bob.computeSecret(peerPub).toString('base64')
console.log(m_sharedKey)
};
return {
generatePublicAndPrivateKeys,
computeSharedKey,
};
};
const my_obj = ecdhKeyagreement();
my_obj.generatePublicAndPrivateKeys()
const peerPub = "MCowBQYDK2VuAyEAME2NXThH2T+PMTV2R2YGo5hYiVFhu7nbQGY0R89aYFE="
my_obj.computeSharedKey(peerPub)
You don't show your nodejs code where the (presumed) problem is, which is the accepted practice on StackOverflow, but since you came halfway:
with your Java code, modified (only) to use the public half of one of my test (static) keypairs, and run on j16 because 11-15 apparently produce an algid with parameters which violates RFC8410 and is rejected by OpenSSL and thus nodejs crypto which uses OpenSSL, and the following straightforward js code using the corresponding private key (run on v14.15.5), I get exactly the same agreement result as Java:
const crypto = require('crypto'), fs = require('fs')
const peerb64 = "MCowBQYDK2VuAyEAZWJZEjPzc6E4UUSyOcMmxj2cRqqmDhE4/VfyPyfe7j4="
console.log("sRbfKaWmO9u2eKWSfY25i8Z2YFNNiLYeVcoh6DOI2ik=") // expected agreement
const myprv = crypto.createPrivateKey(fs.readFileSync('n:certx/x2.pem'))
const peerpub = crypto.createPublicKey({key:Buffer.from(peerb64,'base64'),format:'der',type:'spki'})
console.log( crypto.diffieHellman({privateKey:myprv,publicKey:peerpub}) .toString('base64') )
Related
Hi Guys I am really confused about so many things.All I know is that I have to generate a token at the end of the day.I am given some RSA private key which is some "XYZ............dsdsfm",(obviously I can't reveal it because of security issues),from there I have to generate some token which will serve as a header for authorisation of my API http request.
The problem is these internet related stuff of JsonWebKey and all that is not in my domain,but still I tried learning them but it is not very clear.I tried to implement some code which was written in Java by someone (and that guy knows only Java and not flutter),in flutter.
For Flutter implementation I tried two plugin in pub.dev...But I am not getting the proper output.
The first one was https://pub.dev/packages/jose>I tried what is similar in the example page of it as shown:
import 'dart:convert';
import 'dart:io';
import 'package:crypto_keys/crypto_keys.dart';
import 'package:jose/jose.dart';
import 'package:x509/x509.dart';
String pkey="XXXXXXXXXXXXXsfds";
void keyGenerator() async {
//await example1();
await example2();
// await example3();
// await example4();
// await example5();
// await example6();
// await example7();
// await example8();
}
// decode and verify a JWS
void example1() async {
var encoded = pkey;
// create a JsonWebSignature from the encoded string
var jws = JsonWebSignature.fromCompactSerialization(encoded);
// extract the payload
var payload = jws.unverifiedPayload;
print('content of jws: ${payload.stringContent}');
print('protected parameters: ${payload.protectedHeader.toJson()}');
// create a JsonWebKey for verifying the signature
var jwk = JsonWebKey.fromJson({
'kty': 'RSA',
'alg': 'RS256',
});
var keyStore = JsonWebKeyStore()..addKey(jwk);
// verify the signature
var verified = await jws.verify(keyStore);
print('signature verified: $verified');
}
// create a JWS
void example2() async {
// create a builder
var builder = JsonWebSignatureBuilder();
// set the content
builder.stringContent = 'It is me';
// set some protected header
builder.setProtectedHeader('createdAt', DateTime.now().toIso8601String());
// add a key to sign, you can add multiple keys for different recipients
builder.addRecipient(
JsonWebKey.fromJson({
'kty': 'RSA',
'kid': pkey,
}),
algorithm: 'RS256');
// build the jws
var jws = builder.build();
// output the compact serialization
print('jws compact serialization: ${jws.toCompactSerialization()}');
// output the json serialization
print('jws json serialization: ${jws.toJson()}');
}
// decode and decrypt a JWE
void example3() async {
var encoded = 'eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.'
'UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-kFm'
'1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKxGHZ7Pc'
'HALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3YvkkysZIF'
'NPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPhcCdZ6XDP0_F8'
'rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPgwCp6X-nZZd9OHBv'
'-B3oWh2TbqmScqXMR4gp_A.'
'AxY8DCtDaGlsbGljb3RoZQ.'
'KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY.'
'9hH0vgRfYgPnAHOd8stkvw';
// create a JsonWebEncryption from the encoded string
var jwe = JsonWebEncryption.fromCompactSerialization(encoded);
// create a JsonWebKey for decrypting the signature
var jwk = JsonWebKey.fromJson(
{
'kty': 'RSA',
'n': 'sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl'
'UzewbgBHod5pcM9H95GQRV3JDXboIRROSBigeC5yjU1hGzHHyXss8UDpre'
'cbAYxknTcQkhslANGRUZmdTOQ5qTRsLAt6BTYuyvVRdhS8exSZEy_c4gs_'
'7svlJJQ4H9_NxsiIoLwAEk7-Q3UXERGYw_75IDrGA84-lA_-Ct4eTlXHBI'
'Y2EaV7t7LjJaynVJCpkv4LKjTTAumiGUIuQhrNhZLuF_RJLqHpM2kgWFLU'
'7-VTdL1VbC2tejvcI2BlMkEpk1BzBZI0KQB0GaDWFLN-aEAw3vRw',
'e': 'AQAB',
'd': 'VFCWOqXr8nvZNyaaJLXdnNPXZKRaWCjkU5Q2egQQpTBMwhprMzWzpR8Sxq'
'1OPThh_J6MUD8Z35wky9b8eEO0pwNS8xlh1lOFRRBoNqDIKVOku0aZb-ry'
'nq8cxjDTLZQ6Fz7jSjR1Klop-YKaUHc9GsEofQqYruPhzSA-QgajZGPbE_'
'0ZaVDJHfyd7UUBUKunFMScbflYAAOYJqVIVwaYR5zWEEceUjNnTNo_CVSj'
'-VvXLO5VZfCUAVLgW4dpf1SrtZjSt34YLsRarSb127reG_DUwg9Ch-Kyvj'
'T1SkHgUWRVGcyly7uvVGRSDwsXypdrNinPA4jlhoNdizK2zF2CWQ',
'p': '9gY2w6I6S6L0juEKsbeDAwpd9WMfgqFoeA9vEyEUuk4kLwBKcoe1x4HG68'
'ik918hdDSE9vDQSccA3xXHOAFOPJ8R9EeIAbTi1VwBYnbTp87X-xcPWlEP'
'krdoUKW60tgs1aNd_Nnc9LEVVPMS390zbFxt8TN_biaBgelNgbC95sM',
'q': 'uKlCKvKv_ZJMVcdIs5vVSU_6cPtYI1ljWytExV_skstvRSNi9r66jdd9-y'
'BhVfuG4shsp2j7rGnIio901RBeHo6TPKWVVykPu1iYhQXw1jIABfw-MVsN'
'-3bQ76WLdt2SDxsHs7q7zPyUyHXmps7ycZ5c72wGkUwNOjYelmkiNS0',
'dp': 'w0kZbV63cVRvVX6yk3C8cMxo2qCM4Y8nsq1lmMSYhG4EcL6FWbX5h9yuv'
'ngs4iLEFk6eALoUS4vIWEwcL4txw9LsWH_zKI-hwoReoP77cOdSL4AVcra'
'Hawlkpyd2TWjE5evgbhWtOxnZee3cXJBkAi64Ik6jZxbvk-RR3pEhnCs',
'dq': 'o_8V14SezckO6CNLKs_btPdFiO9_kC1DsuUTd2LAfIIVeMZ7jn1Gus_Ff'
'7B7IVx3p5KuBGOVF8L-qifLb6nQnLysgHDh132NDioZkhH7mI7hPG-PYE_'
'odApKdnqECHWw0J-F0JWnUd6D2B_1TvF9mXA2Qx-iGYn8OVV1Bsmp6qU',
'qi': 'eNho5yRBEBxhGBtQRww9QirZsB66TrfFReG_CcteI1aCneT0ELGhYlRlC'
'tUkTRclIfuEPmNsNDPbLoLqqCVznFbvdB7x-Tl-m0l_eFTj2KiqwGqE9PZ'
'B9nNTwMVvH3VRRSLWACvPnSiwP8N5Usy-WRXS-V7TbpxIhvepTfE0NNo'
},
);
var keyStore = JsonWebKeyStore()..addKey(jwk);
// decrypt the payload
var payload = await jwe.getPayload(keyStore);
print('decrypted content: ${payload.stringContent}');
}
// create a JWE
void example4() async {
// create a builder
var builder = JsonWebEncryptionBuilder();
// set the content
builder.stringContent = 'This is my bigest secret';
// set some protected header
builder.setProtectedHeader('createdAt', DateTime.now().toIso8601String());
// add a key to encrypt the Content Encryption Key
var jwk = JsonWebKey.fromJson(
{
'kty': 'RSA',
'n': 'sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl'
'UzewbgBHod5pcM9H95GQRV3JDXboIRROSBigeC5yjU1hGzHHyXss8UDpre'
'cbAYxknTcQkhslANGRUZmdTOQ5qTRsLAt6BTYuyvVRdhS8exSZEy_c4gs_'
'7svlJJQ4H9_NxsiIoLwAEk7-Q3UXERGYw_75IDrGA84-lA_-Ct4eTlXHBI'
'Y2EaV7t7LjJaynVJCpkv4LKjTTAumiGUIuQhrNhZLuF_RJLqHpM2kgWFLU'
'7-VTdL1VbC2tejvcI2BlMkEpk1BzBZI0KQB0GaDWFLN-aEAw3vRw',
'e': 'AQAB',
'd': 'VFCWOqXr8nvZNyaaJLXdnNPXZKRaWCjkU5Q2egQQpTBMwhprMzWzpR8Sxq'
'1OPThh_J6MUD8Z35wky9b8eEO0pwNS8xlh1lOFRRBoNqDIKVOku0aZb-ry'
'nq8cxjDTLZQ6Fz7jSjR1Klop-YKaUHc9GsEofQqYruPhzSA-QgajZGPbE_'
'0ZaVDJHfyd7UUBUKunFMScbflYAAOYJqVIVwaYR5zWEEceUjNnTNo_CVSj'
'-VvXLO5VZfCUAVLgW4dpf1SrtZjSt34YLsRarSb127reG_DUwg9Ch-Kyvj'
'T1SkHgUWRVGcyly7uvVGRSDwsXypdrNinPA4jlhoNdizK2zF2CWQ',
'p': '9gY2w6I6S6L0juEKsbeDAwpd9WMfgqFoeA9vEyEUuk4kLwBKcoe1x4HG68'
'ik918hdDSE9vDQSccA3xXHOAFOPJ8R9EeIAbTi1VwBYnbTp87X-xcPWlEP'
'krdoUKW60tgs1aNd_Nnc9LEVVPMS390zbFxt8TN_biaBgelNgbC95sM',
'q': 'uKlCKvKv_ZJMVcdIs5vVSU_6cPtYI1ljWytExV_skstvRSNi9r66jdd9-y'
'BhVfuG4shsp2j7rGnIio901RBeHo6TPKWVVykPu1iYhQXw1jIABfw-MVsN'
'-3bQ76WLdt2SDxsHs7q7zPyUyHXmps7ycZ5c72wGkUwNOjYelmkiNS0',
'dp': 'w0kZbV63cVRvVX6yk3C8cMxo2qCM4Y8nsq1lmMSYhG4EcL6FWbX5h9yuv'
'ngs4iLEFk6eALoUS4vIWEwcL4txw9LsWH_zKI-hwoReoP77cOdSL4AVcra'
'Hawlkpyd2TWjE5evgbhWtOxnZee3cXJBkAi64Ik6jZxbvk-RR3pEhnCs',
'dq': 'o_8V14SezckO6CNLKs_btPdFiO9_kC1DsuUTd2LAfIIVeMZ7jn1Gus_Ff'
'7B7IVx3p5KuBGOVF8L-qifLb6nQnLysgHDh132NDioZkhH7mI7hPG-PYE_'
'odApKdnqECHWw0J-F0JWnUd6D2B_1TvF9mXA2Qx-iGYn8OVV1Bsmp6qU',
'qi': 'eNho5yRBEBxhGBtQRww9QirZsB66TrfFReG_CcteI1aCneT0ELGhYlRlC'
'tUkTRclIfuEPmNsNDPbLoLqqCVznFbvdB7x-Tl-m0l_eFTj2KiqwGqE9PZ'
'B9nNTwMVvH3VRRSLWACvPnSiwP8N5Usy-WRXS-V7TbpxIhvepTfE0NNo'
},
);
builder.addRecipient(jwk, algorithm: 'RSA1_5');
// set the content encryption algorithm to use
builder.encryptionAlgorithm = 'A128CBC-HS256';
// build the jws
var jwe = builder.build();
// output the compact serialization
print('jwe compact serialization: ${jwe.toCompactSerialization()}');
// output the json serialization
print('jwe json serialization: ${jwe.toJson()}');
}
// decode and verify and validate a JWT
void example5() async {
var encoded = 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.'
'eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt'
'cGxlLmNvbS9pc19yb290Ijp0cnVlfQ.'
'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
// decode the jwt, note: this constructor can only be used for JWT inside JWS
// structures
var jwt = JsonWebToken.unverified(encoded);
// output the claims
print('claims: ${jwt.claims}');
// create key store to verify the signature
var keyStore = JsonWebKeyStore()
..addKey(JsonWebKey.fromJson({
'kty': 'oct',
'k':
'AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow'
}));
var verified = await jwt.verify(keyStore);
print('verified: $verified');
// alternatively, create and verify the JsonWebToken together, this is also
// applicable for JWT inside JWE
jwt = await JsonWebToken.decodeAndVerify(encoded, keyStore);
// validate the claims
var violations = jwt.claims.validate(issuer: Uri.parse('alice'));
print('violations: $violations');
}
// create a JWT
void example6() async {
var claims = JsonWebTokenClaims.fromJson({
'exp': Duration(hours: 4).inSeconds,
'aud':"live-tv",
'iat':DateTime.now().toString(),
});
// create a builder, decoding the JWT in a JWS, so using a
// JsonWebSignatureBuilder
var builder = JsonWebSignatureBuilder();
// set the content
builder.jsonContent = claims.toJson();
// add a key to sign, can only add one for JWT
builder.addRecipient(
JsonWebKey.fromJson({
'kty': 'RSA',
'kid':pkey,
}),
algorithm: 'HS256');
// build the jws
var jws = builder.build();
// output the compact serialization
print('jwt compact serialization: ${jws.toCompactSerialization()}');
}
// create a JWT, sign with RS512
void example7() async {
var claims = JsonWebTokenClaims.fromJson({
'exp': Duration(hours: 4).inSeconds,
'iss': 'alice',
});
// create a builder, decoding the JWT in a JWS, so using a
// JsonWebSignatureBuilder
var builder = JsonWebSignatureBuilder();
// set the content
builder.jsonContent = claims.toJson();
// add a key to sign, can only add one for JWT
var key = JsonWebKey.fromPem(File('example/jwtRS512.key').readAsStringSync());
builder.addRecipient(key, algorithm: 'RS512');
// build the jws
var jws = builder.build();
// output the compact serialization
print('jwt compact serialization: ${jws.toCompactSerialization()}');
}
// generate a key for use with ES256 signing
void example8() async {
var alg = JsonWebAlgorithm.getByName('ES256');
var key = alg.generateRandomKey();
print(JsonEncoder.withIndent(' ').convert(key));
final hash = utf8.encode('TEST');
var sig = key.sign(hash);
final valid = key.verify(hash, sig);
print('valid? $valid');
}
I tried each example at a time modifying each of those.Few of them said saying "Compact serialisation should have 3 parts",then I did a bit of research and realised that the token to be generated should have 3 parts.The other error in example 2 was that the JSONWebKey can't be signed.
There is another library I used and that was https://pub.dev/packages/corsac_jwt.
The code is below:
import 'package:corsac_jwt/corsac_jwt.dart';
// ..setClaim('13', {'userId': 'xxxx'})
String pkey="sdfdsfdsfds";
void tokenGenerator() {
var builder = new JWTBuilder();
var token = builder
..audience="live-tv"
..issuedAt= new DateTime.now()
..expiresAt = new DateTime.now().add(new Duration(minutes: 3))
..getToken(); // returns token without signature
var signer = new JWTRsaSha256Signer(privateKey: pkey);
var signedToken = builder.getSignedToken(signer);
print("token");
print(signedToken); // prints encoded JWT
var stringToken = signedToken.toString();
var decodedToken = new JWT.parse(stringToken);
// Verify signature:
print(decodedToken.verify(signer)); // true
// Validate claims:
// var validator = new JWTValidator() ;// uses DateTime.now() by default
// // set claims you wish to validate
// Set<String> errors = validator.validate(decodedToken);
// print(errors); // (empty list)
}
But here I got the error invalid private key.If I changed it to public,I got invalid public key as well.
I honestly am I a very chaotic situation mentally with time running out to implement.My team mates are know only one thing I know only flutter only.
By the way the Java code we are trying to implement in flutter is given below.Basically what it does is it takes a StringKey,converts to a PrivateKey and then the token
import android.util.Log;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Date;
import java.util.concurrent.TimeUnit;
public class RSAKeyGenerator {
private static PrivateKey getPrivateKey() throws GeneralSecurityException {
String pKey = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
KeyFactory kf = KeyFactory.getInstance("RSA");
byte[] decode;
decode = android.util.Base64.decode(pKey, android.util.Base64.DEFAULT);
PKCS8EncodedKeySpec keySpecPKCS8 = new PKCS8EncodedKeySpec(decode);
return kf.generatePrivate(keySpecPKCS8);
}
public static String getJwtToken() {
final long VALIDITY_MS = TimeUnit.MINUTES.toMillis(60);
long nowMillis = System.currentTimeMillis();
Date now = new Date(nowMillis);
Date exp = new Date(nowMillis + VALIDITY_MS);
PrivateKey privateKey = null;
try {
privateKey = getPrivateKey();
} catch (GeneralSecurityException e) {
e.printStackTrace();
}
String jws = Jwts.builder()
.claim("version", "13")
.claim("user_id", "xxxxxxxxxxxxxxxxxxx")
.setIssuedAt(now)
.setExpiration(exp)
.signWith(privateKey, SignatureAlgorithm.RS256)
.setAudience("live-tv")
.compact();
Log.d("111__", jws);
SpUtil.Companion.getInstance().putString(J_TOKEN, jws);
return jws;
}
}
After hours of research,trial and errors and consulting my team mates I have arrived at the final conclusion.This works.The mistake I was doing was the RSA key I was passing it as a string like key="xxxxxxxxxxxx",but it should be in the format below
Hope this helps someone
import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';
String token;
String dartJsonWebTokenGenerator() {
Duration delay = new Duration(minutes: 300);
final jwt = JWT(
payload: {
'version': '13',
'user_id': 'xxxxxxxxxxxxxxxxx',
},
audience: 'live-tv',
);
// Sign it (default with HS256 algorithm)
token = jwt.sign(PrivateKey('''-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7
wIxAoKDcHD7mv2R//I0QncGzT1I7cccrhIUB1gXH9wWdTXrafhACXrJ2Drfjg/YN
9q4TiKH1k2+zTfdU1IDxd6OX2cPNkwn/vpZeZ1pZqVoimRRJbJg8RhXYvZgd6Nfj
Zdw6LY3Zzm3XbLbTUmbVM5ARDweksnr6cg7HmR2OQ5j5UFuhRyIUTSCDbAmDeyHS
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx70YmgZPR
PIncbKBjLzQe5RB/szyswCAiLxfk7rCrUhPpvdJ4fnDgdXQE26t/CBFb8fpOHtiL
1FtxgURmX/Nh+OhO7pPvK4X7g2GarMdQ3Y6288/STQu/d8yEQDwcro6X9ribay46
Ss69AGJxGJbazUI9fNMETLpR6kIHKli7G7gtTFVY02YPKpqgYs1HFbIgV++gHTaw
XLU3PqroxKkhTuI8JCei1pphS/PAc3S/o0mPxTYLfiojYG/6IDd8WsGonwwk2hqd
e3ad0S56JZNN812vshc8NFMbEU2UzA7L0INf6X+GAhoZojUjZciKwAN/iF9YV0cU
XorRDXcXrXn7hpqAzDq/jMQO78jr2MyaY/dfiSVp6sTS8gNMCuz0g3I7gSkCAwEA
AQKCAgEAiPWqK/qdrFYR4unJwU9ouonlMWGl0BAndIUEcjIt4cPCVwtfuL+aE98q
J8MJYINVTgaJ7VbnKnSkARQkuUYWCLhYF8z9hq+h3Ce2QPJMhwC1GCT3MFGMQQRD
wP/U8q99k9xljOAckw6TnxjTFJCoFUQrbA9QcXb9ypSMvvorMDGzR+5X99IMsGFj
elwJJS4v7fV3oWZsoMcfAcuFlrAETNPjkaX0CmaIru/CaMupq7YQUa6CmMhwQwUJ
p/V+aD9OdndhGmTVtHvDq0bew8wHCLxKdQCOUjzHx9Itli1zUthbaZDKkuoH1cyR
JyoVkCJ5FV6y5ShN8KzF7UXzZqaEMrTRNF42O1w933CWj3Pm1+PQdHQJXeMvOtWv
QTjd1+OtDckREA5W8oiuPnF+RtTHpzXjPtnLNf5yszq2HOkFplqLmLhkN2GDqQib
8DjIo+tyF3yHKuVOya21JC1SYDO412nh3GzbttASBcfeas+6v75gB8Eb4IKRO7mj
HaN5BGf/XKORp6v95pTv2OAPqnvIimLOe6TNzlPoVedK90CwPwHEan/ooFZI9b9j
UlMLynJHQo6rSvmzoa5d1QuEcAjHVJdjfmvXeQaZs3o1Ajk/HbNBrV3Gr69CcHDO
vd960cvRZS/9oNloUdzT/3fOND+6DU/iDrTd1TVWt9nfBb9njv0CggEBAPChGrzL
s5xLhoh4Ogr6FQZcCvaURhtRI7jz4WrF8dVVtlwTbZSRn1fSCCwwm3lnGRTMZrzh
SYzFgzZ753MQPREm+46Swpe8N6XsMFYubmlhAEK8Z7MgJLwKswadxBsMEj7dqPBu
1Fezx9vFZO79MNFAzVBS74mXfLC7NVfIZe+Id53RzoDF5t8rGlo4owxRAySRllJU
F2UQrBMRf21aqvvdwJSWiFsCuJ2VJTE/N2iS9A6ISdvYWO+ZJPPqffRmpt6T3tIB
uOnf4LG1MSG1UyHpQ15BErwJ6M3CMRzRnjlhtI87xXOXsD39QOTd5QnwXETUYGRi
Yvj0JmozTlXCCQMCggEBAOqzcuIdix5kvU871T0m1vpMXYIA5+0NolqW/PNQYzQj
f55Kwyzlx6BNBKxCvgCoo9YYKRWKq0wN1H0CUvOFxBwu4h/XJqDtc6yM58UYImTG
ZWFVJI4GvB0jdTw3F4LMOnEgl2zMQB17Yf7p2WUIFpUowQC5ZEvFa16cYMKRCoPz
4RH1p83eDEok2XQSHlZH1hZHG6YlBlMiBPW0904xICnm8dT73jTijaNKrlV5E9FQ
IS0tl3Gc6aVEdd/r89ArHYByjRdLN3IXzy8BOLGFtT8/+PB7egdUPEejTNiIGKWo
hvWVp6wEyjdOh+zI1X4L1oVXqxBVajTSFk0qxqW2V2MCggEAJK4KK1lJybthiI/7
GQ1CAzQon6m+fg+CSIE0jVgbIw/rumFjxM/l4Dct8759FKZ4lkkKKCSXV5QMClQc
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxW
Qq/prxwXr/TUer7SzQXcfcMYdsjwougGeG6yYLZrT/FuOURoHDztEyOqZUeDU2zJ
Zdv6UGZfIsdHhcgGaE8B2l3ujkxIU6bGy3JRLETF80B9brHvIeKchpqom037LFuY
X7EKORMbp9R3jJ5eFG9TmTcCzXBtW6Aa2yH2RZzDNZ/1d+xhxEQzZVnyCEz/RhUI
Dd6EDQKCAQEAmpjDpt/xAH85F9UAvDw2RT9CJN016Dcf524nhppADlsHuBvk/lEJ
MrUoy9NW1pY+/UqC3XavKPS/L+z0+QX2zN2xA2o0PrLKjDFwhapFFX59zyRHZOpY
xRTTJ2vep8ChCl1+gSL1ZLYeMcyV72/peC0VHMYBo8uR0wtMzTy+4XYmni7jbr7B
96DYQBWjOBAvnBMQylr/FImHHNYsRKwlVJSUXUfe8ZT92T7bIOAVRr3ybJDofeTv
Hna+8lW5DzknQLGz8FESX6wBRCQY1Q6O+e/IqZecJPG+ly2g88yJ96zP4TrH7I5n
KREohbcwsctYbhL2UlcBE3QDTqdLnGJEowKCAQBwlBtw/BD5cefTcUB90XtuUpLG
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
moP4L4wBlad2aZYKnkZ87RZIa09wyf5hnPXQkQAHMRYxuaxvQUq/bSDO6JUbrGMp
J2LQgCreNAF7MsIDU2ijVHJNWp9m6LC1Osb1iMp/fZDy+hkAAHP5xDfDedwKmXLV
2kSdWPZebq1iIRyJ+BlbXAEgDMkp+k6mebq+kyH4+3odWvw8bRkmD/g1t/bS
-----END RSA PRIVATE KEY-----'''),
algorithm: JWTAlgorithm.RS256, expiresIn: delay);
print('Signed token: $token\n');
return token;
}
I am trying to write a code for encryption in Python and decryption in Java but I am getting an error.
I am using cryptography.fernet in python to encrypt a file and when I use Fernet Java for decryption it shows an error.
Here is my python code:
from cryptography.fernet import Fernet
key = Fernet.generate_key()
cipher_suite = Fernet(key)
with open("key.txt", "wb") as f:
f.write(key)
with open("read_plain_text_from_here.txt", "r") as f:
encoded_text = f.read().encode()
cipher_text = cipher_suite.encrypt(encoded_text)
with open("write_cipher_text_here.txt", "wb") as f:
f.write(cipher_text)
with open("write_cipher_text_here.txt", "rb") as f:
cipher_text = f.read()
with open("key.txt", "rb") as f:
decryption_key = f.read()
with open("write_plain_text_here.txt", "wb") as f:
cipher_suite = Fernet(decryption_key)
f.write(cipher_suite.decrypt(cipher_text))
Here is my java code:
package encryptapp;
import com.macasaet.fernet.*;
public class Decrypt
{
public static void main(String args[])
{
final Key key = new Key("***key i got from python**");
final Token token = Token.fromString("***cipher text i got from python***");
final Validator<String> validator = new StringValidator() {};
final String payload = token.validateAndDecrypt(key, validator);
System.out.println("Payload is " + payload);
}
}
The error in Java that I get is:
Exception in thread "main" com.macasaet.fernet.TokenExpiredException: Token is expired
at com.macasaet.fernet.Token.validateAndDecrypt(Token.java:240)
at com.macasaet.fernet.Validator.validateAndDecrypt(Validator.java:104)
at com.macasaet.fernet.Token.validateAndDecrypt(Token.java:218)
at encryptapp.Decrypt.main(Decrypt.java:60)
LINKS for docs:
Python: https://cryptography.io/en/latest/
Java: https://github.com/l0s/fernet-java8/blob/master/README.md
The fernet-java8 class does not have an explicit TTL argument for decryption like the python class does. Instead, it has a default of 60 seconds. You need to override the getTimeToLive() method of the Validator interface to specify a custom TTL. If you want to set the TTL to "forever", which is equivalent to the keyword argument ttl=None in python fernet, do something like this:
import java.time.Duration;
import java.time.Instant;
.
.
.
#Override
final Validator < String > validator = new StringValidator() {
public TemporalAmount getTimeToLive() {
return Duration.ofSeconds(Instant.MAX.getEpochSecond());
}
};
I need to tweak an API https://sandbox.api.visa.com/cybersource/payments/flex/v1/keys?apikey={apikey}
I am imitating the official document X-Pay Token,but it fail with "Token validation failed" error.
{
"responseStatus": {
"status": 401,
"code": "9159",
"severity": "ERROR",
"message": "Token validation failed",
"info": ""
}
}
Below is my x-pay-token generation code.
import java.math.BigInteger;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SignatureException;
public class T {
private static String resoucePath = "payments/flex/v1/keys";
private static String queryString = "apikey=6DC0NMXO53QQFE6NFOLE213HXA-pvG6xE-1NtuCd5oOQr-O-s";
private static String requestBody = "{encryptionType:RsaOaep256}";
private static String sharedSecret = "gAynzAGf89+V}3{Q4Jx5cp-/R#Y#PEv#1XvxnjQC";
public static void main(String[] args) throws SignatureException {
System.out.println(T.generateXpaytoken(resoucePath, queryString, requestBody, sharedSecret));
}
public static String generateXpaytoken(String resourcePath, String queryString, String requestBody, String sharedSecret) throws SignatureException {
String timestamp = timeStamp();
String beforeHash = timestamp + resourcePath + queryString + requestBody;
String hash = hmacSha256Digest(beforeHash, sharedSecret);
String token = "xv2:" + timestamp + ":" + hash;
return token;
}
private static String timeStamp() {
return String.valueOf(System.currentTimeMillis() / 1000L);
}
private static String hmacSha256Digest(String data, String sharedSecret) throws SignatureException {
return getDigest("HmacSHA256", sharedSecret, data, true);
}
private static String getDigest(String algorithm, String sharedSecret, String data, boolean toLower) throws SignatureException {
try {
Mac sha256HMAC = Mac.getInstance(algorithm);
SecretKeySpec secretKey = new SecretKeySpec(sharedSecret.getBytes(StandardCharsets.UTF_8), algorithm);
sha256HMAC.init(secretKey);
byte[] hashByte = sha256HMAC.doFinal(data.getBytes(StandardCharsets.UTF_8));
String hashString = toHex(hashByte);
return toLower ? hashString.toLowerCase() : hashString;
} catch (Exception e) {
throw new SignatureException(e);
}
}
private static String toHex(byte[] bytes) {
BigInteger bi = new BigInteger(1, bytes);
return String.format("%0" + (bytes.length << 1) + "X", bi);
}
}
somebody can help me please?
The URL you are using:
https://sandbox.api.visa.com/cybersource/payments/flex/v1/keys?apikey={apikey}
Should be:
https://sandbox.api.visa.com/cybersource/payments/flex/v1/keys?apikey=6DC0NMXO53QQFE6NFOLE213HXA-pvG6xE-1NtuCd5oOQr-O-s
As on Feb 2020, If some one still has issue below points can help resolve issue.
Please make sure you have generated API Key and Secret for your sandbox project.
You can get these details in Dashboard -> Project -> Credentials -> Inbound and Authentication Keys -> API Key / Secret.
Please check the "Status" of the Key which should be Active.
If your "Credentials" tab does not have details for "Inbound and Authentication Keys" Please make sure to add the respective API then this section automatically appears.
Visa has "Visa Developer Center PlayGround" [similar to SoapUI/Postman] tool where you can easily test your API's. Unfortunately this is only supported with Windows as on Feb 2020, In future they may release the same for Mac/Linux too.
You can find this tool in Dashboard -> Project -> Assets -> Bottom of the page.
I am generating a keypair using Java's KeyPairGenerator for use with JGit. However, JSch (the underlying SSH implementation for JGit) keeps giving me "invalid privatekey" errors when trying to use the generated private key.
Here is the stack trace:
Caught: org.eclipse.jgit.api.errors.TransportException: ssh://git#bitbucket.hostname/~wlaw/bitbucket_upgrade_test_repo.git: invalid privatekey: [B#4650a407
org.eclipse.jgit.api.errors.TransportException: ssh://git#bitbucket.hostname/~wlaw/bitbucket_upgrade_test_repo.git: invalid privatekey: [B#4650a407
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:254)
at org.eclipse.jgit.api.CloneCommand.fetch(CloneCommand.java:306)
at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:200)
at org.eclipse.jgit.api.CloneCommand.call(CloneCommand.java:1)
at java_util_concurrent_Callable$call.call(Unknown Source)
at Test.run(Test.groovy:95)
Caused by: org.eclipse.jgit.errors.TransportException: ssh://git#bitbucket.hostname/~wlaw/bitbucket_upgrade_test_repo.git: invalid privatekey: [B#4650a407
at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:183)
at org.eclipse.jgit.transport.SshTransport.getSession(SshTransport.java:140)
at org.eclipse.jgit.transport.TransportGitSsh$SshFetchConnection.<init>(TransportGitSsh.java:280)
at org.eclipse.jgit.transport.TransportGitSsh.openFetch(TransportGitSsh.java:170)
at org.eclipse.jgit.transport.FetchProcess.executeImp(FetchProcess.java:137)
at org.eclipse.jgit.transport.FetchProcess.execute(FetchProcess.java:123)
at org.eclipse.jgit.transport.Transport.fetch(Transport.java:1271)
at org.eclipse.jgit.api.FetchCommand.call(FetchCommand.java:243)
... 5 more
Caused by: com.jcraft.jsch.JSchException: invalid privatekey: [B#4650a407
at com.jcraft.jsch.KeyPair.load(KeyPair.java:948)
at com.jcraft.jsch.IdentityFile.newInstance(IdentityFile.java:46)
at com.jcraft.jsch.JSch.addIdentity(JSch.java:442)
at Test$1.createDefaultJSch(Test.groovy:82)
at org.eclipse.jgit.transport.JschConfigSessionFactory.getJSch(JschConfigSessionFactory.java:335)
at org.eclipse.jgit.transport.JschConfigSessionFactory.createSession(JschConfigSessionFactory.java:293)
at org.eclipse.jgit.transport.JschConfigSessionFactory.createSession(JschConfigSessionFactory.java:200)
at org.eclipse.jgit.transport.JschConfigSessionFactory.getSession(JschConfigSessionFactory.java:130)
... 12 more
Here is my code:
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA")
keyGen.initialize(4096)
KeyPair pair = keyGen.generateKeyPair()
def pub = pair.public as RSAPublicKey
def priv = pair.private as RSAPrivateCrtKey
Base64.Encoder encoder = Base64.getEncoder();
def publicKeyText = "ssh-rsa " + encoder.encodeToString(keyBlob(pub.publicExponent, pub.modulus))
def id = bitbucket.post {
request.uri.path = "/rest/ssh/1.0/keys"
request.uri.query = [user: bitbucketUsername]
request.body = new JsonBuilder([text: publicKeyText]).toPrettyString()
response.success { FromServer fs, Object responseBody ->
responseBody.id
}
response.failure { FromServer fs, Object responseBody ->
println fs.statusCode
println fs.message
println fs.headers
println responseBody
null
}
}
def privateKeyText = "-----BEGIN RSA PRIVATE KEY-----\n" +
encoder.encodeToString(priv.getEncoded()) +
"\n-----END RSA PRIVATE KEY-----\n"
new File("priv").text = privateKeyText
new File("pub").text = publicKeyText
SshSessionFactory sshSessionFactory = new JschConfigSessionFactory() {
#Override
protected void configure(OpenSshConfig.Host hc, com.jcraft.jsch.Session session) {}
#Override
protected JSch createDefaultJSch(FS fs) throws JSchException {
JSch defaultJSch = super.createDefaultJSch(fs)
defaultJSch.addIdentity("test", privateKeyText.bytes, publicKeyText.bytes, null)
}
};
CloneCommand cloneCommand = Git.cloneRepository()
cloneCommand.setURI("ssh://git#$bitbucketHostPort/$project/${repo}.git")
cloneCommand.setTransportConfigCallback(new TransportConfigCallback() {
#Override
void configure(Transport transport) {
SshTransport sshTransport = (SshTransport) transport
sshTransport.setSshSessionFactory(sshSessionFactory)
}
})
cloneCommand.call()
I did some debugging in the JSch source code, and found that the library is getting an ArrayIndexOutOfBoundsException on line 228 in com.jcraft.jsch.KeyPairRSA.java.
Is it something I am doing wrong with formatting the keys for JSch? Or could this be a bug in Java's implementation of a KeyPair or perhaps JSch's implementation of parsing them?
Here is an example keypair that is generated by my code:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNPvFmy81wj3L4ndJzMcYFa9YctDzz0KvXyb9vg+UQ5622kyE255fwL4eatihL8/TrH1OOLQtSVjThLwWObx4fQ6bk25rJA0jS7G7CAfAQwbTY9JpNrcH5HHtiAhbUjEF/MXU6IlPNCmBMQPFh1eSa21aIdYie+KVgXQnUP4qN6ks1iR8XX4YHpg2KKhEoJtaVYGHp15EmpRvDYzsheqrcfyg4N5taGgG9/GzdfpeBWqCyJhrjgso85ARecGTpqCHqFNy46tXtIMR6FL36UDc/EpWifmf7oY4HVLa0DJpLq2BHmjRlUtiFFox1Jzk+shFiDZYwnCmdKnpCnlxFQ1Hv06XLgvcUx/0mkleh14Nme/b61pmJDO05v9zKho+9Q+lNgrTK+kOeC7I9PgUePyzWJteys/0MqENJxvM4g65/r9vzpcSvdEziSJ8Y3xI3qlzOa3Av1Jv5qIntgjEeAnth+AANdUP/GcpYbnCNp1QsjaZoFKFe2DcUTYM3CGzh0SFm9CeRfBV1phQ2+5gi1bH5ZiAfTNpksZz+SYIPyEsbaqNRcBk53htWfINShNVP7a/b/H7tyZs+zvMoHN2bZzsIMIUWO8Df+owpCK7ZT/EadDZzkzG2LUUUjm6aVsz2rjLFcvQtYOs0U/+suWhXNQ2dAW4psGLHkNb3NDHSzjzk7w==
-----BEGIN RSA PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDNPvFmy81wj3L4ndJzMcYFa9YctDzz0KvXyb9vg+UQ5622kyE255fwL4eatihL8/TrH1OOLQtSVjThLwWObx4fQ6bk25rJA0jS7G7CAfAQwbTY9JpNrcH5HHtiAhbUjEF/MXU6IlPNCmBMQPFh1eSa21aIdYie+KVgXQnUP4qN6ks1iR8XX4YHpg2KKhEoJtaVYGHp15EmpRvDYzsheqrcfyg4N5taGgG9/GzdfpeBWqCyJhrjgso85ARecGTpqCHqFNy46tXtIMR6FL36UDc/EpWifmf7oY4HVLa0DJpLq2BHmjRlUtiFFox1Jzk+shFiDZYwnCmdKnpCnlxFQ1Hv06XLgvcUx/0mkleh14Nme/b61pmJDO05v9zKho+9Q+lNgrTK+kOeC7I9PgUePyzWJteys/0MqENJxvM4g65/r9vzpcSvdEziSJ8Y3xI3qlzOa3Av1Jv5qIntgjEeAnth+AANdUP/GcpYbnCNp1QsjaZoFKFe2DcUTYM3CGzh0SFm9CeRfBV1phQ2+5gi1bH5ZiAfTNpksZz+SYIPyEsbaqNRcBk53htWfINShNVP7a/b/H7tyZs+zvMoHN2bZzsIMIUWO8Df+owpCK7ZT/EadDZzkzG2LUUUjm6aVsz2rjLFcvQtYOs0U/+suWhXNQ2dAW4psGLHkNb3NDHSzjzk7wIDAQABAoICAFeJI83y1/DMzX0pWmtU7B69yji9yk02T0QeQG5gM18NYHJAt+bByXRf4Rbj37XdGzT4TFuT7IM2TyFHO7huvcsZwGFVI+Pdab7Dpc1KpEeRRf9N+01r8RG8ywaW24PVOc30mwmrQFBvv3hmLkzKu9AsAfD7J8SdSXMa2ylR3FcAeQkhLUh7rh8u/BFUNbMJNXXKAJiKHtb7jia7+KkjtyGJfe7UEIbSFrIfqZKh/h3mOCkixU8JJhXoLdDVYMSit6wtL6ISTiDvW7yxggDzG0zkMTt3bAPO+FM6Fx4dTeU99zcylmwsdDn2zvrcOrb5nR5Tqx2aTMlCJ5ioD7RerN+3YAhE1+cvrvZc5wa+aZruNMioTrxWzhc3iSoZHKKGE5VAnF/HkoR/lgCGVCcsWeNamdUjydD9H9Y/33S7Y0e+wLCNXOAmyE2jSMpHGEPwohlwyXrMvnKXoWX/LlNjhG8aWW8dWL6Lym3Z/eO3WBEe1Xccv9jd56h52rqvzW3MOpL320RcgqdLtgb7Ihz8twQdAyjaY81fJJtSnns/GBrbqAxO//EyWi8vBU82p4hl3tw8RAxGrx91LFPwv78ACvht8X8ogU4/c1B6rnI0n+Ofsvq9ZxQsATQAk1y83vPbTUNc+XJ8X/Jvxr/y1mp+8q9fIq2jHGUGJevBSW1+RBoZAoIBAQDzyhXuEiXtoBPMWew+ALUIJ5sW3JS+uShxq8KKo/a/V7OyrrBZTYmbjkxyxBlkKJUFA7xqwVXgnMkywA0EnrdE0TmmBwr7czZjT7Lp4PbhoZ73YJ/y31nuJJCGzkLeJKrtFaM2BdzPdqC86qeAIN9YHZnzyud+o6RkJlDje5hFv6cP5+JGu1OyhqNvFSyevKZLq5hGx6gkqSCVM65PhJELj4jwgI84E7pm9w7sZ5xN2X0W66dmElpN3OBj2VWlF6eiUNoIU3WyHwMn2+rrC8+YTGp9ByCR/+sHkM9mXQeT/3tjrBdXppRjy5EggcTW6T1KObnmOBgLDYLyxj4dFfXVAoIBAQDXhqUUFQarfK4jBgBcD3PzwyXtl9F6e4/IrdCwePjgRDuTNlcdUV/9HlfwNDEiVhd9ymcNwX/26W6VmEBAdec6czVVAY9fhZRz6Pp9DOH/7nJsln6Yz76ezOFeTJXm93dRLX/mkVM4qz4+JqPgll53IlYI9f6eqBZCfHJHj+LeCZDnDvKvF4M+LTpLR/fiF4/mVrBjrh6DuHwWPBnRCViKQyTkj8WCRRtRSWucZYplguCYN30iSH7Dv1MdnJGYie8dRDnDvV2G3dI666ugDVLZb48Rg+o3La3DzA7qEMQ6Lpy3abjyaaWOIz1Z/n3gQGWrqgeZpIZpnV04E5WS9X2zAoIBAH0iAmWjrRIuc1sV4PvmUwWvhpySdkr7MTY/amjNRm7qblNN9TixYuuUe8sAuuO9LNhZFZJaUGEtONyy1TvE198b4ZJF1S5B8e3Bz9zaWv5vffAOCauZV0i0Pfbj0lDB03ZD//VPxwo6IsE1VOqgdON+tjH7uR04k73QKP7KxtsuR2sTpAKYTpq5HxR6ct+7h0QZ/Nx/yN+gbBgJYfRw4B5l+20vH9Qx1CDbuS5A9GrFMr7cEJ2E2BNVR1wZByvpW2MmSvOxGx1la7I+4HLrKhBLUPGCAgbOrG3Ct6IcKDKgFU6Q255i45HhwElGMqn5KDt8K95udnDd65P/i4xUZE0CggEBALqThwixgwqlbqJHKbyIbBqTz5u1F9TubnSNc+Gxd9G9f81a92Mb9PrMb9gzdm2BFekBdOEFp996CQ9btBOZfcitv3eNWC6bFv6Yq2/h3SuPomK6jXGANkaGmnrl1ccSZ6pQty5ElES0ibeH/8oGolSD1vL+8aMrY8m+rbehqgYJRfWgjRpiQm1q/dH5xW9mcl42oZBJRYVGCbW95aN+cbWPlrp+c77oUFO4OX40sPBbsk5TivJIy+RtFmjGB4yDrAor6821euer07jKF9MAdb5hwvqotfN6ibi8SBT82sJ7Y5Or5D2Gk5lOjGgB1bpyRRGsqdOqB+oaHn7TBWMpPd0CggEAFPHds2f5CKjsNg9IkiA4yoCzfsjVhy9qiE/2BikA25JTc6nMfTfpWMzcDL3qnfhFGsFWz31Xf8MbZDMq0cCsMQhsgYPolU5N2AkWvAeqSbwMz9zIDiPeND/Ql4sOyicPd6LJrT3UTRWoY3+p4wo73rpOXM4Ju3u++sCeERTulghgGZoJBSIT+8H7pKa7cFchATvBKZQTUnOZEhqzQN4R2wZ3j5ujG8rGjfRHDRL8OPiNRRv/L/oHxGnhB4Rfbc4ba0zNx4zy6d+Em6H8wX72WHhz5eVs2xQR+EIBtxDVlmvdpGkvCtUhS1227yiiL+wqkfNz3UnTSjGy3eHNRGAsVg==
-----END RSA PRIVATE KEY-----
You need to write the private key in PEM format.
For that you need BouncyCastle library.
For an example see:
Java generate RSA key pair and convert to PEM
I've implemented the basic OpenID connect flow in my java application and it seems to work fine.
I'd like to use an existing java library to verify the id token, as detailed here on a Salesforce page about implementing OpenId connect.
Are there any existing libraries that implement this well? I've got the response parsed, I just need to find some simple way to verify the id token is valid.
The following example will validate an id_token from an OAuth2 call for Salesforce, without any 3rd party libraries. Note that you'll have to supply a valid id_token below to test this out.
package jwt_validate_signature_sf_no_third_party;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.RSAPublicKeySpec;
import org.apache.commons.codec.binary.Base64;
public class Main
{
// Sample id_token that needs validation. This is probably the only field you need to change to test your id_token.
// If it doesn't work, try making sure the MODULUS and EXPONENT constants are what you're using, as detailed below.
public static final String id_token = "YOUR_ID_TOKEN_HERE";
public static final String[] id_token_parts = id_token.split("\\.");
// Constants that come from the keys your token was signed with.
// Correct values can be found from using the "kid" value and looking up the "n (MODULUS)" and "e (EXPONENT)" fields
// at the following url: https://login.salesforce.com/id/keys
// MAJOR NOTE: This url will work for 90% of your use cases, but for the other 10%
// you'll need to make sure you get the "kid" value from the instance url that
// the api responses from Salesforce suggest for your token, as the kid values *will* be different.
// e.g. Some users would need to get their kid values from https://na44.salesforce.com/id/keys for example.
// The following 2 values are hard coded to work with the "kid=196" key values.
public static final String MODULUS = "5SGw1jcqyFYEZaf39RoxAhlq-hfRSOsneVtsT2k09yEQhwB2myvf3ckVAwFyBF6y0Hr1psvu1FlPzKQ9YfcQkfge4e7eeQ7uaez9mMQ8RpyAFZprq1iFCix4XQw-jKW47LAevr9w1ttZY932gFrGJ4gkf_uqutUny82vupVUETpQ6HDmIL958SxYb_-d436zi5LMlHnTxcR5TWIQGGxip-CrD7vOA3hrssYLhNGQdwVYtwI768EvwE8h4VJDgIrovoHPH1ofDQk8-oG20eEmZeWugI1K3z33fZJS-E_2p_OiDVr0EmgFMTvPTnQ75h_9vyF1qhzikJpN9P8KcEm8oGu7KJGIn8ggUY0ftqKG2KcWTaKiirFFYQ981PhLHryH18eOIxMpoh9pRXf2y7DfNTyid99ig0GUH-lzAlbKY0EV2sIuvEsIoo6G8YT2uI72xzl7sCcp41FS7oFwbUyHp_uHGiTZgN7g-18nm2TFmQ_wGB1xCwJMFzjIXq1PwEjmg3W5NBuMLSbG-aDwjeNrcD_4vfB6yg548GztQO2MpV_BuxtrZDJQm-xhJXdm4FfrJzWdwX_JN9qfsP0YU1_mxtSU_m6EKgmwFdE3Yh1WM0-kRRSk3gmNvXpiKeVduzm8I5_Jl7kwLgBw24QUVaLZn8jC2xWRk_jcBNFFLQgOf9U";
public static final String EXPONENT = "AQAB";
public static final String ID_TOKEN_HEADER = base64UrlDecode(id_token_parts[0]);
public static final String ID_TOKEN_PAYLOAD = base64UrlDecode(id_token_parts[1]);
public static final byte[] ID_TOKEN_SIGNATURE = base64UrlDecodeToBytes(id_token_parts[2]);
public static String base64UrlDecode(String input)
{
byte[] decodedBytes = base64UrlDecodeToBytes(input);
String result = new String(decodedBytes, StandardCharsets.UTF_8);
return result;
}
public static byte[] base64UrlDecodeToBytes(String input)
{
Base64 decoder = new Base64(-1, null, true);
byte[] decodedBytes = decoder.decode(input);
return decodedBytes;
}
public static void main(String args[])
{
dumpJwtInfo();
validateToken();
}
public static void dump(String data)
{
System.out.println(data);
}
public static void dumpJwtInfo()
{
dump(ID_TOKEN_HEADER);
dump(ID_TOKEN_PAYLOAD);
}
public static void validateToken()
{
PublicKey publicKey = getPublicKey(MODULUS, EXPONENT);
byte[] data = (id_token_parts[0] + "." + id_token_parts[1]).getBytes(StandardCharsets.UTF_8);
try
{
boolean isSignatureValid = verifyUsingPublicKey(data, ID_TOKEN_SIGNATURE, publicKey);
System.out.println("isSignatureValid: " + isSignatureValid);
}
catch (GeneralSecurityException e)
{
e.printStackTrace();
}
}
public static PublicKey getPublicKey(String MODULUS, String EXPONENT)
{
byte[] nb = base64UrlDecodeToBytes(MODULUS);
byte[] eb = base64UrlDecodeToBytes(EXPONENT);
BigInteger n = new BigInteger(1, nb);
BigInteger e = new BigInteger(1, eb);
RSAPublicKeySpec rsaPublicKeySpec = new RSAPublicKeySpec(n, e);
try
{
PublicKey publicKey = KeyFactory.getInstance("RSA").generatePublic(rsaPublicKeySpec);
return publicKey;
}
catch (Exception ex)
{
throw new RuntimeException("Cant create public key", ex);
}
}
private static boolean verifyUsingPublicKey(byte[] data, byte[] signature, PublicKey pubKey) throws GeneralSecurityException
{
Signature sig = Signature.getInstance("SHA256withRSA");
sig.initVerify(pubKey);
sig.update(data);
return sig.verify(signature);
}
}
Note if you're not opposed to using a third party library, I'd totally suggest using this, as it works great. I couldn't use it for business reasons, but was glad to find it as it helped me understand how this process works, validated an id_token, I'm sure in a much more robust way.
Also, to be certain this request was signed by the same client, ensure the aud parameter in the payload matches your own client key given to you by Salesforce.
As part of Spring Security OAuth, the Spring team has developed a library called Spring Security JWT that allows manipulation of JWTs, including decoding and verifying tokens.
See the following helper class for example:
https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtHelper.java
The library is in version 1.0.0-RELEASE and available in the maven repo.