Refactor extracting methods to improve readability.
Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
parent
5221f838eb
commit
cbca3a1ec2
@ -107,16 +107,10 @@ public class JwtSvid {
|
||||||
throw new IllegalArgumentException("Token cannot be blank");
|
throw new IllegalArgumentException("Token cannot be blank");
|
||||||
}
|
}
|
||||||
|
|
||||||
final SignedJWT signedJwt;
|
val signedJwt = getSignedJWT(token);
|
||||||
final JWTClaimsSet claimsSet;
|
val claimsSet = getJwtClaimsSet(signedJwt);
|
||||||
try {
|
|
||||||
signedJwt = SignedJWT.parse(token);
|
|
||||||
claimsSet = signedJwt.getJWTClaimsSet();
|
|
||||||
} catch (ParseException e) {
|
|
||||||
throw new IllegalArgumentException("Unable to parse JWT token", e);
|
|
||||||
}
|
|
||||||
|
|
||||||
Set<String> claimAudience = new HashSet<>(claimsSet.getAudience());
|
val claimAudience = new HashSet<>(claimsSet.getAudience());
|
||||||
validateAudience(claimAudience, audience);
|
validateAudience(claimAudience, audience);
|
||||||
|
|
||||||
val expirationTime = claimsSet.getExpirationTime();
|
val expirationTime = claimsSet.getExpirationTime();
|
||||||
|
|
@ -152,16 +146,10 @@ public class JwtSvid {
|
||||||
throw new IllegalArgumentException("Token cannot be blank");
|
throw new IllegalArgumentException("Token cannot be blank");
|
||||||
}
|
}
|
||||||
|
|
||||||
final SignedJWT signedJwt;
|
val signedJwt = getSignedJWT(token);
|
||||||
final JWTClaimsSet claimsSet;
|
val claimsSet = getJwtClaimsSet(signedJwt);
|
||||||
try {
|
|
||||||
signedJwt = SignedJWT.parse(token);
|
|
||||||
claimsSet = signedJwt.getJWTClaimsSet();
|
|
||||||
} catch (ParseException e) {
|
|
||||||
throw new IllegalArgumentException("Unable to parse JWT token", e);
|
|
||||||
}
|
|
||||||
|
|
||||||
Set<String> claimAudience = new HashSet<>(claimsSet.getAudience());
|
val claimAudience = new HashSet<>(claimsSet.getAudience());
|
||||||
validateAudience(claimAudience, audience);
|
validateAudience(claimAudience, audience);
|
||||||
|
|
||||||
val expirationTime = claimsSet.getExpirationTime();
|
val expirationTime = claimsSet.getExpirationTime();
|
||||||
|
|
@ -186,10 +174,29 @@ public class JwtSvid {
|
||||||
* @return a copy of the expiration date time of the JWT SVID.
|
* @return a copy of the expiration date time of the JWT SVID.
|
||||||
*/
|
*/
|
||||||
public Date getExpiry() {
|
public Date getExpiry() {
|
||||||
// defensive copying to prevent exposing a mutable object
|
// defensive copy to prevent exposing a mutable object
|
||||||
return new Date(expiry.getTime());
|
return new Date(expiry.getTime());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static JWTClaimsSet getJwtClaimsSet(final SignedJWT signedJwt) {
|
||||||
|
final JWTClaimsSet claimsSet;
|
||||||
|
try {
|
||||||
|
claimsSet = signedJwt.getJWTClaimsSet();
|
||||||
|
} catch (ParseException e) {
|
||||||
|
throw new IllegalArgumentException("Unable to parse JWT token", e);
|
||||||
|
}
|
||||||
|
return claimsSet;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static SignedJWT getSignedJWT(final String token) {
|
||||||
|
final SignedJWT signedJwt;
|
||||||
|
try {
|
||||||
|
signedJwt = SignedJWT.parse(token);
|
||||||
|
} catch (ParseException e) {
|
||||||
|
throw new IllegalArgumentException("Unable to parse JWT token", e);
|
||||||
|
}
|
||||||
|
return signedJwt;
|
||||||
|
}
|
||||||
|
|
||||||
private static void verifySignature(final SignedJWT signedJwt, final PublicKey jwtAuthority, final String algorithm, final String keyId) throws JwtSvidException {
|
private static void verifySignature(final SignedJWT signedJwt, final PublicKey jwtAuthority, final String algorithm, final String keyId) throws JwtSvidException {
|
||||||
boolean verify;
|
boolean verify;
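Review bot: The two new helpers getSignedJWT and getJwtClaimsSet both convert a ParseException into an IllegalArgumentException carrying the identical message `Unable to parse JWT token`, so a caller or a log line cannot tell a malformed JWS serialization from a claims payload that failed to parse. In getJwtClaimsSet I would throw `new IllegalArgumentException("Unable to parse JWT claims set", e);` instead. Neither helper has a Javadoc; each should get a one-line purpose plus an `@throws IllegalArgumentException` entry naming the parse failure it reports. The body of verifySignature continues outside the hunk and was not reviewed here.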
@ -120,14 +120,32 @@ public class X509Svid {
|
||||||
}
|
}
|
||||||
|
|
||||||
private static X509Svid createX509Svid(final byte[] certsBytes, final byte[] privateKeyBytes, KeyFileFormat keyFileFormat) throws X509SvidException {
|
private static X509Svid createX509Svid(final byte[] certsBytes, final byte[] privateKeyBytes, KeyFileFormat keyFileFormat) throws X509SvidException {
|
||||||
|
List<X509Certificate> x509Certificates = generateX509Certificates(certsBytes);
|
||||||
|
PrivateKey privateKey = generatePrivateKey(privateKeyBytes, keyFileFormat, x509Certificates);
|
||||||
|
SpiffeId spiffeId = getSpiffeId(x509Certificates);
|
||||||
|
|
||||||
List<X509Certificate> x509Certificates;
|
validatePrivateKey(privateKey, x509Certificates);
|
||||||
try {
|
validateLeafCertificate(x509Certificates.get(0));
|
||||||
x509Certificates = CertificateUtils.generateCertificates(certsBytes);
|
|
||||||
} catch (CertificateParsingException e) {
|
// there is intermediate CA certificates
|
||||||
throw new X509SvidException("Certificate could not be parsed from cert bytes", e);
|
if (x509Certificates.size() > 1) {
|
||||||
|
validateSigningCertificates(x509Certificates);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return new X509Svid(spiffeId, x509Certificates, privateKey);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static SpiffeId getSpiffeId(final List<X509Certificate> x509Certificates) throws X509SvidException {
|
||||||
|
SpiffeId spiffeId;
|
||||||
|
try {
|
||||||
|
spiffeId = CertificateUtils.getSpiffeId(x509Certificates.get(0));
|
||||||
|
} catch (CertificateException e) {
|
||||||
|
throw new X509SvidException(e.getMessage(), e);
|
||||||
|
}
|
||||||
|
return spiffeId;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static PrivateKey generatePrivateKey(final byte[] privateKeyBytes, final KeyFileFormat keyFileFormat, final List<X509Certificate> x509Certificates) throws X509SvidException {
|
||||||
PrivateKeyAlgorithm algorithm = PrivateKeyAlgorithm.parse(x509Certificates.get(0).getPublicKey().getAlgorithm());
|
PrivateKeyAlgorithm algorithm = PrivateKeyAlgorithm.parse(x509Certificates.get(0).getPublicKey().getAlgorithm());
|
||||||
PrivateKey privateKey;
|
PrivateKey privateKey;
|
||||||
try {
|
try {
|
||||||
|
|
@ -135,22 +153,17 @@ public class X509Svid {
|
||||||
} catch (InvalidKeySpecException | InvalidKeyException | NoSuchAlgorithmException e) {
|
} catch (InvalidKeySpecException | InvalidKeyException | NoSuchAlgorithmException e) {
|
||||||
throw new X509SvidException("Private Key could not be parsed from key bytes", e);
|
throw new X509SvidException("Private Key could not be parsed from key bytes", e);
|
||||||
}
|
}
|
||||||
|
return privateKey;
|
||||||
|
}
|
||||||
|
|
||||||
SpiffeId spiffeId;
|
private static List<X509Certificate> generateX509Certificates(final byte[] certsBytes) throws X509SvidException {
|
||||||
|
final List<X509Certificate> x509Certificates;
|
||||||
try {
|
try {
|
||||||
spiffeId = CertificateUtils.getSpiffeId(x509Certificates.get(0));
|
x509Certificates = CertificateUtils.generateCertificates(certsBytes);
|
||||||
} catch (CertificateException e) {
|
} catch (CertificateParsingException e) {
|
||||||
throw new X509SvidException(e.getMessage(), e);
|
throw new X509SvidException("Certificate could not be parsed from cert bytes", e);
|
||||||
}
|
}
|
||||||
|
return x509Certificates;
|
||||||
validatePrivateKey(privateKey, x509Certificates);
|
|
||||||
validateLeafCertificate(x509Certificates.get(0));
|
|
||||||
|
|
||||||
if (x509Certificates.size() > 1) {
|
|
||||||
validateSigningCertificates(x509Certificates);
|
|
||||||
}
|
|
||||||
|
|
||||||
return new X509Svid(spiffeId, x509Certificates, privateKey);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private static void validateSigningCertificates(final List<X509Certificate> certificates) throws X509SvidException {
|
private static void validateSigningCertificates(final List<X509Certificate> certificates) throws X509SvidException {
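Review bot: generatePrivateKey and getSpiffeId both call `x509Certificates.get(0)` on the list produced by the new generateX509Certificates, but nothing in these hunks guards against that list being empty; unless CertificateUtils.generateCertificates already rejects input with no certificates, a blob containing zero certificates would surface as an unchecked IndexOutOfBoundsException rather than the X509SvidException callers are expected to handle. I would add, right after the parse in generateX509Certificates, `if (x509Certificates.isEmpty()) { throw new X509SvidException("No certificates found in cert bytes"); }`. The extracted helpers generateX509Certificates, generatePrivateKey and getSpiffeId also lack Javadoc; each should state its purpose and document the condition under which it throws X509SvidException. The body of validateSigningCertificates continues outside the hunk.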