/*
 * nimbus-jose-jwt
 *
 * Copyright 2012-2016, Connect2id Ltd.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.jose.crypto;


import java.security.InvalidKeyException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.RSAPublicKey;
import java.util.Set;

import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral;
import com.nimbusds.jose.crypto.impl.RSASSA;
import com.nimbusds.jose.crypto.impl.RSASSAProvider;
import net.jcip.annotations.ThreadSafe;

import com.nimbusds.jose.*;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64URL;


/**
 * Verifier of {@link com.nimbusds.jose.JWSObject JWS objects} signed with an
 * RSA Signature-Scheme-with-Appendix (RSASSA) algorithm. Works with a public
 * RSA key.
 *
 * <p>The algorithms are specified in RFC 7518, sections
 * <a href="https://tools.ietf.org/html/rfc7518#section-3.3">3.3</a> and
 * <a href="https://tools.ietf.org/html/rfc7518#section-3.5">3.5</a>.
 *
 * <p>This class is thread-safe.
 *
 * <p>Supported algorithms:
 *
 * <ul>
 *     <li>{@link com.nimbusds.jose.JWSAlgorithm#RS256}
 *     <li>{@link com.nimbusds.jose.JWSAlgorithm#RS384}
 *     <li>{@link com.nimbusds.jose.JWSAlgorithm#RS512}
 *     <li>{@link com.nimbusds.jose.JWSAlgorithm#PS256}
 *     <li>{@link com.nimbusds.jose.JWSAlgorithm#PS384}
 *     <li>{@link com.nimbusds.jose.JWSAlgorithm#PS512}
 * </ul>
 *
 * <p>The verifier accepts whichever of these algorithms the JWS header names;
 * it is not bound to a single algorithm at construction time. See
 * {@link #verify} for what that means for callers.
 *
 * @author Vladimir Dzhuvinov
 * @version 2015-06-02
 */
@ThreadSafe
public class RSASSAVerifier extends RSASSAProvider implements JWSVerifier, CriticalHeaderParamsAware {


    /**
     * Policy object that decides whether the critical ({@code crit}) header
     * parameters of a JWS header are acceptable.
     */
    private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral();


    /**
     * The public RSA key signatures are checked against.
     */
    private final RSAPublicKey publicKey;


    /**
     * Creates a new RSASSA verifier with no deferred critical header
     * parameters.
     *
     * @param publicKey The public RSA key. Must not be {@code null}.
     */
    public RSASSAVerifier(final RSAPublicKey publicKey) {

        this(publicKey, null);
    }


    /**
     * Creates a new RSASSA verifier from the public part of an RSA JWK, with
     * no deferred critical header parameters.
     *
     * @param rsaJWK The RSA JSON Web Key (JWK). Must not be {@code null}.
     *
     * @throws JOSEException If the RSA JWK extraction failed.
     */
    public RSASSAVerifier(final RSAKey rsaJWK)
        throws JOSEException {

        this(rsaJWK.toRSAPublicKey(), null);
    }


    /**
     * Creates a new RSASSA verifier.
     *
     * <p>Only a {@code null} check is applied to the key; its modulus length
     * is not inspected by this class. Callers should make sure the key meets
     * the 2048-bit minimum that RFC 7518, sections 3.3 and 3.5, sets for
     * these algorithms.
     *
     * @param publicKey      The public RSA key. Must not be {@code null}.
     * @param defCritHeaders The names of the critical header parameters
     *                       that are deferred to the application for
     *                       processing, empty set or {@code null} if none.
     *
     * @throws IllegalArgumentException If the public key is {@code null}.
     */
    public RSASSAVerifier(final RSAPublicKey publicKey,
                          final Set<String> defCritHeaders) {

        if (publicKey == null) {
            throw new IllegalArgumentException("The public RSA key must not be null");
        }

        this.publicKey = publicKey;

        critPolicy.setDeferredCriticalHeaderParams(defCritHeaders);
    }


    /**
     * Returns the public RSA key this verifier was created with.
     *
     * @return The public RSA key.
     */
    public RSAPublicKey getPublicKey() {

        return publicKey;
    }


    /**
     * Returns the processed critical header parameter names, as reported by
     * the critical header policy.
     */
    @Override
    public Set<String> getProcessedCriticalHeaderParams() {

        return critPolicy.getProcessedCriticalHeaderParams();
    }


    /**
     * Returns the deferred critical header parameter names, as reported by
     * the critical header policy.
     */
    @Override
    public Set<String> getDeferredCriticalHeaderParams() {

        return critPolicy.getDeferredCriticalHeaderParams();
    }


    /**
     * Verifies an RSASSA signature over the given content.
     *
     * <p>The JCA algorithm is selected from {@code header.getAlgorithm()},
     * that is, from the header of the JWS under verification. This method
     * applies no restriction of its own beyond what
     * {@link RSASSA#getSignerAndVerifier} enforces. NOTE(review): presumably
     * that helper throws a {@link JOSEException} for algorithms outside the
     * RSASSA family; confirm. An application that expects one specific
     * algorithm should compare the header value against it before relying on
     * a {@code true} result.
     *
     * @param header        The JWS header; supplies the algorithm and is
     *                      checked against the critical header policy.
     * @param signedContent The bytes the signature was computed over.
     * @param signature     The signature, BASE64URL-encoded.
     *
     * @return {@code true} if the signature verifies; {@code false} if the
     *         header does not pass the critical header policy, or if the
     *         JCA signature object raises a {@link SignatureException}
     *         while processing the content or the signature.
     *
     * @throws JOSEException If the public RSA key is rejected by the JCA
     *                       signature object, or if obtaining the signature
     *                       object fails.
     */
    @Override
    public boolean verify(final JWSHeader header,
                          final byte[] signedContent,
                          final Base64URL signature)
        throws JOSEException {

        // The critical-header policy is consulted before any cryptographic
        // work: a header it does not pass is reported as a failed verification.
        final boolean critHeadersAccepted = critPolicy.headerPasses(header);

        if (!critHeadersAccepted) {
            return false;
        }

        final Signature rsaVerifier = RSASSA.getSignerAndVerifier(
            header.getAlgorithm(),
            getJCAContext().getProvider());

        try {
            rsaVerifier.initVerify(publicKey);
            rsaVerifier.update(signedContent);

            final byte[] signatureBytes = signature.decode();
            return rsaVerifier.verify(signatureBytes);

        } catch (InvalidKeyException e) {
            // A key the provider refuses is a configuration error, surfaced
            // as an exception rather than as "signature invalid".
            throw new JOSEException("Invalid public RSA key: " + e.getMessage(), e);

        } catch (SignatureException e) {
            // Failures raised while processing the content or the signature
            // count as a failed verification.
            return false;
        }
    }
}