In recent projects, due to integration requirements, single sign-on needs to be implemented. After consideration, JWT and RS256 public-private encryption are selected. After searching, it is found that there are not many implementations based on RS256. Most of them are based on HS256 symmetric encryption, and the same SecretKey is used for encryption and decryption. After the leak, the security aspect was completely destroyed. Some of the references to RS256 were all fragmented codes and had no reference value. After google and my own finishing, the key demo codes are sorted as follows:
import junit.framework.TestCase;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.IOUtils;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.lang.JoseException;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import java.io.FileInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.*;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.text.SimpleDateFormat;
import java.util.UUID;
public class LocalTest extends TestCase{
public void testCreateToken() throws IOException {
System.out.println(createToken());
}
public void testVerifyToken() throws Exception {
String token = createToken();
System.out.println(token);
JwtClaims jwtClaims = verifyToken(token);
System.out.println(jwtClaims.getClaimValue("name"));
System.out.println(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(jwtClaims.getIssuedAt().getValueInMillis()));
System.out.println(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(jwtClaims.getExpirationTime().getValueInMillis()));
}
/**
* Generate jwt, SHA256 encryption
* @return
* @throws IOException
*/
private String createToken() throws IOException {
PrivateKey privateKey = getPrivateKey(getPrivateKeyString());
final JwtClaims claims = new JwtClaims();
claims.setClaim("name", "jack");
claims.setSubject("[email protected]");
claims.setAudience("test");//It is used to verify whether the signature is legal, the verifier must include these contents to pass the verification
claims.setExpirationTimeMinutesInTheFuture(60*24*30);
claims.setIssuedAtToNow ();
// Generate the payload
final JsonWebSignature jws = new JsonWebSignature();
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
jws.setPayload(claims.toJson());
jws.setKeyIdHeaderValue(UUID.randomUUID().toString());
// Sign using the private key
jws.setKey(privateKey);
try {
return jws.getCompactSerialization();
} catch (JoseException e) {
return null;
}
}
/**
* Verify jwt
* @param token
* @return
* @throws Exception
*/
private JwtClaims verifyToken(String token) throws Exception {
try {
PublicKey publicKey = getPublicKey(getPEMPublicKeyString());
JwtConsumer jwtConsumer = new JwtConsumerBuilder()
.setRequireExpirationTime()
.setVerificationKey(publicKey)
.setExpectedAudience("test")//Used to verify whether the signature is legal
.build();
return jwtConsumer.processToClaims(token);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
private String getPrivateKeyString() throws IOException {
// Generation method: install openssl, execute openssl genrsa -out private.pem 2048
return IOUtils.toString(new FileInputStream("/home/leen/.ssh/private.pem"));
}
private String getPEMPublicKeyString() throws IOException {
// Export public key method: After generating the private key (private.pem), execute openssl rsa -in private.pem -outform PEM -pubout -out public.pem
return IOUtils.toString(new FileInputStream("/home/leen/.ssh/public.pem"));
}
/**
* Get the PublicKey object
* @param publicKeyBase64
* @return
* @throws NoSuchAlgorithmException
* @throws InvalidKeySpecException
*/
private PublicKey getPublicKey(String publicKeyBase64) throws NoSuchAlgorithmException, InvalidKeySpecException {
String pem = publicKeyBase64
.replaceAll("\\-*BEGIN.*KEY\\-*", "")
.replaceAll("\\-*END.*KEY\\-*", "");
java.security.Security.addProvider(
new org.bouncycastle.jce.provider.BouncyCastleProvider()
);
X509EncodedKeySpec pubKeySpec = new X509EncodedKeySpec(Base64.decodeBase64(pem));
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(pubKeySpec);
System.out.println(publicKey);
return publicKey;
}
/**
* Get the PrivateKey object
* @param privateKeyBase64
* @return
*/
private PrivateKey getPrivateKey(String privateKeyBase64) {
String privKeyPEM = privateKeyBase64
.replaceAll("\\-*BEGIN.*KEY\\-*", "")
.replaceAll("\\-*END.*KEY\\-*", "");
// Base64 decode the data
byte[] encoded = Base64.decodeBase64(privKeyPEM);
try {
DerInputStream derReader = new DerInputStream(encoded);
DerValue[] seq = derReader.getSequence(0);
if (seq.length < 9) {
throw new GeneralSecurityException("Could not read private key");
}
// skip version seq[0];
BigInteger modulus = seq[1].getBigInteger();
BigInteger publicExp = seq[2].getBigInteger();
BigInteger privateExp = seq[3].getBigInteger();
BigInteger primeP = seq[4].getBigInteger();
BigInteger primeQ = seq[5].getBigInteger();
BigInteger expP = seq[6].getBigInteger();
BigInteger expQ = seq[7].getBigInteger();
BigInteger crtCoeff = seq[8].getBigInteger();
RSAPrivateCrtKeySpec keySpec = new RSAPrivateCrtKeySpec(modulus, publicExp, privateExp,
primeP, primeQ, expP, expQ, crtCoeff);
KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.generatePrivate(keySpec);
} catch (IOException | GeneralSecurityException e) {
e.printStackTrace ();
}
return null;
}
}
pom dependencies:
<dependency>
<groupId>org.bitbucket.b_c</groupId>
<artifactId>jose4j</artifactId>
<version>0.6.3</version>
</dependency>