diff --git a/pom.xml b/pom.xml
index cc2180df9..cb9c8afc3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -334,6 +334,11 @@
java-jwt
3.3.0
+
+ com.nimbusds
+ nimbus-jose-jwt
+ 4.23
+
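Review bot: The new nimbus-jose-jwt coordinate lands right after the existing java-jwt entry with no comment on why a second JWT library is required; a one-line XML comment such as `<!-- JWE encryption of gateway JWTs; java-jwt is only used for signing -->` would help anyone auditing the dependency set. The version is pinned as a bare `4.23` literal; if the project tracks dependency versions through `<properties>` elsewhere in the pom (not visible here), move it there so upgrades are managed in one place. As far as I can tell that is an older release line of the library, so it is worth checking it against the current release before merging.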
diff --git a/src/main/scala/code/api/GatewayLogin.scala b/src/main/scala/code/api/GatewayLogin.scala
index 485ded743..2ccf74b21 100755
--- a/src/main/scala/code/api/GatewayLogin.scala
+++ b/src/main/scala/code/api/GatewayLogin.scala
@@ -107,7 +107,12 @@ object GatewayLogin extends RestHelper with MdcLoggable {
//Invalid Signing configuration / Couldn't convert Claims.
logger.error(exception)
}
- jwt
+ APIUtil.getPropsAsBoolValue("jwt.use.ssl", false) match {
+ case true =>
+ CertificateUtil.encryptJwtWithRsa(jwt)
+ case false =>
+ jwt
+ }
}
def parseJwt(parameters: Map[String, String]): Box[String] = {
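Review bot: The token returned from the `case true` branch no longer carries a signature: `CertificateUtil.encryptJwtWithRsa` (CertificateUtil.scala hunk, via `getClaimSet`) keeps only `parts(1)` of the signed JWT and re-wraps it under a hard-coded `{"alg":"none"}` header, so what gets RSA-OAEP-encrypted is an unsigned claims set. Because encryption uses the public key, anyone holding that key can produce an equally valid token, so the recipient loses the authenticity the signature provided; encrypt the signed JWT as a nested JWT (`cty: "JWT"`) instead of the extracted claims. The same helper logs the serialized token at debug level (`logger.debug("encryptedJWT.serialize(): " + ...)`), and `decryptJwtWithRsa` logs the decrypted claims and, as far as I can tell, returns `jwtParsed.serialize()`, which is still the compact JWE form rather than the decrypted payload. On this hunk itself, matching a Boolean with `case true`/`case false` reads better as `if (APIUtil.getPropsAsBoolValue("jwt.use.ssl", false)) CertificateUtil.encryptJwtWithRsa(jwt) else jwt`, and the property name suggests TLS rather than JWE. The enclosing method starts outside the hunk, so I cannot see whether a `JOSEException` thrown by `encrypt` is handled there.
```scala
// CertificateUtil.encryptJwtWithRsa (CertificateUtil.scala hunk)
def encryptJwtWithRsa(jwt: String): String = {
  // Nested JWT: keep the signature, encrypt the whole signed token
  val header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A128GCM)
    .contentType("JWT")
    .build()
  val jwe = new JWEObject(header, new Payload(SignedJWT.parse(jwt)))
  jwe.encrypt(new RSAEncrypter(publicKey))
  jwe.serialize()
}
```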
diff --git a/src/main/scala/code/api/util/CertificateUtil.scala b/src/main/scala/code/api/util/CertificateUtil.scala
index ffd778029..723087edf 100644
--- a/src/main/scala/code/api/util/CertificateUtil.scala
+++ b/src/main/scala/code/api/util/CertificateUtil.scala
@@ -6,6 +6,10 @@ import java.security.{PublicKey, _}
import javax.crypto.Cipher
import code.api.util.CryptoSystem.CryptoSystem
+import com.nimbusds.jose.crypto.RSAEncrypter
+import com.nimbusds.jose.{EncryptionMethod, JOSEObject, JWEAlgorithm, JWEHeader}
+import com.nimbusds.jwt.EncryptedJWT
+import code.util.Helper.MdcLoggable
import net.liftweb.util.{Helpers, Props}
@@ -14,7 +18,7 @@ object CryptoSystem extends Enumeration {
val RSA = Value
}
-object CertificateUtil {
+object CertificateUtil extends MdcLoggable {
lazy val (publicKey: RSAPublicKey, privateKey: RSAPrivateKey) = APIUtil.getPropsAsBoolValue("jwt.use.ssl", false) match {
case true =>
@@ -95,6 +99,45 @@ object CertificateUtil {
cipher.doFinal(encrypted)
}
+ def getClaimSet(jwt: String) = {
+ import com.nimbusds.jose.util.Base64URL
+ import com.nimbusds.jwt.PlainJWT
+ // {"alg":"none"}// {"alg":"none"}
+ val header = "eyJhbGciOiJub25lIn0"
+ val parts: Array[Base64URL] = JOSEObject.split(jwt)
+ val plainJwt = new PlainJWT(new Base64URL(header), (parts(1)))
+ plainJwt.getJWTClaimsSet
+ }
+ def encryptJwtWithRsa(jwt: String) = {
+ // Request JWT encrypted with RSA-OAEP-256 and 128-bit AES/GCM
+ val header = new JWEHeader(JWEAlgorithm.RSA_OAEP_256, EncryptionMethod.A128GCM)
+ // Create an encrypter with the specified public RSA key
+ val encrypter = new RSAEncrypter(publicKey)
+ // Create the encrypted JWT object
+ val encryptedJWT = new EncryptedJWT(header, CertificateUtil.getClaimSet(jwt))
+ // Do the actual encryption
+ encryptedJWT.encrypt(encrypter)
+ logger.debug("encryptedJWT.serialize(): " + encryptedJWT.serialize())
+ // Return JWT
+ encryptedJWT.serialize()
+ }
+ def decryptJwtWithRsa(jwt: String) = {
+ import com.nimbusds.jose.crypto.RSADecrypter
+ import com.nimbusds.jwt.EncryptedJWT
+ // Parse back
+ val jwtParsed = EncryptedJWT.parse(jwt)
+ System.out.println("decryptJwtWithRsa: " + jwtParsed.serialize())
+ // Create a decrypter with the specified private RSA key
+ val decrypter = new RSADecrypter(privateKey)
+ jwtParsed.decrypt(decrypter)
+ logger.debug("jwt: " + jwt)
+ logger.debug("getState: " + jwtParsed.getState)
+ logger.debug("getJWTClaimsSet: " + jwtParsed.getJWTClaimsSet)
+ logger.debug("getCipherText: " + jwtParsed.getCipherText)
+ logger.debug("getAuthTag: " + jwtParsed.getAuthTag)
+ jwtParsed.serialize()
+ }
+
@throws[Exception]
def main(args: Array[String]): Unit = {