001/*
002 * oauth2-oidc-sdk
003 *
004 * Copyright 2012-2020, Connect2id Ltd and contributors.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.openid.connect.sdk.federation.entities;
019
020
021import java.util.Arrays;
022import java.util.Date;
023import java.util.HashSet;
024
025import net.jcip.annotations.Immutable;
026
027import com.nimbusds.jose.proc.SecurityContext;
028import com.nimbusds.jwt.JWTClaimsSet;
029import com.nimbusds.jwt.proc.BadJWTException;
030import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
031import com.nimbusds.jwt.util.DateUtils;
032import com.nimbusds.oauth2.sdk.id.Audience;
033
034
035/**
036 * Entity statement claims verifier.
037 *
038 * <p>Verifies:
039 *
040 * <ul>
041 *     <li>The presence of the required "iss", "sub", "iat", "exp" and "jwks"
042 *         claims.
043 *     <li>The current time is within the "iat" and "exp" window.
044 * </ul>
045 */
046@Immutable
047public class EntityStatementClaimsVerifier extends DefaultJWTClaimsVerifier {
048        
049        
050        /**
051         * {@code true} for self-issued statements.
052         */
053        private final boolean isSelfIssued;
054        
055        
056        /**
057         * Creates a new entity statement claims verifier for self-issued
058         * statements.
059         */
060        public EntityStatementClaimsVerifier() {
061                super(null, new HashSet<>(Arrays.asList("iss", "sub", "iat", "exp", "jwks")));
062                isSelfIssued = true;
063        }
064        
065        
066        /**
067         * Creates a new entity statement claims verifier.
068         *
069         * @param expectedAudience The expected audience, {@code null} if not
070         *                         specified.
071         */
072        public EntityStatementClaimsVerifier(final Audience expectedAudience) {
073                super(
074                        expectedAudience != null ? expectedAudience.getValue() : null,
075                        null,
076                        new HashSet<>(Arrays.asList("iss", "sub", "iat", "exp"))
077                );
078                isSelfIssued = false;
079        }
080        
081        
082        @Override
083        public void verify(final JWTClaimsSet claimsSet, final SecurityContext context) throws BadJWTException {
084                
085                super.verify(claimsSet, context);
086                
087                if (isSelfIssued) {
088                        if (!claimsSet.getIssuer().equals(claimsSet.getSubject())) {
089                                throw new BadJWTException("JWT not self-issued");
090                        }
091                }
092                
093                // Add iat check
094                Date now = new Date();
095                if (! DateUtils.isBefore(claimsSet.getIssueTime(), now, getMaxClockSkew())) {
096                        throw new BadJWTException("JWT issue time after current time");
097                }
098        }
099}