import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
public String getSignedContent(String content) {
    Payload contentPayload = new Payload(content);

    try {
        RSASSASigner rsa = new RSASSASigner((RSAPrivateKey) clientJwk);
        JWSAlgorithm alg = JWSAlgorithm.RS256;
        JWSHeader header = new JWSHeader.Builder(alg)
            .keyID(clientJwk.getKeyID())
            .build();
        JWSObject jws = new JWSObject(header, contentPayload);
        jws.sign(rsa);
        return jws.serialize();
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
public static JWTUser getJWTUser(String token) throws JWTException {
	if (StringUtils.isEmpty(token)) {
		throw new JWTException("没有找到token信息！");
	}
	try {
		JWSObject jwsObject = JWSObject.parse(token);
		if (JWT.verify(jwsObject)) {
			// 判断有效期，不在有效期内则直接抛出错误
			JWTUser user = new JWTUser(jwsObject.getPayload().toJSONObject());
			if (user.getExp() >= Calendar.getInstance().getTimeInMillis()) {
				return user;
			} else {
				throw new JWTException("token已经超过有效期！");
			}
		} else {
			throw new JWTException("token校验失败！");
		}
	} catch (Exception e) {
		throw new JWTException(e);
	}
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
/**
 * Verify the signature of the JWT token in this method. This method depends
 * on the public key that was established during init based upon the
 * provisioned public key. Override this method in subclasses in order to
 * customize the signature verification behavior.
 *
 * @param jwtToken the token that contains the signature to be validated
 * @return valid true if signature verifies successfully; false otherwise
 */
protected boolean validateSignature(SignedJWT jwtToken) {
  boolean valid = false;
  if (JWSObject.State.SIGNED == jwtToken.getState()) {
    LOG.debug("JWT token is in a SIGNED state");
    if (jwtToken.getSignature() != null) {
      LOG.debug("JWT token signature is not null");
      try {
        JWSVerifier verifier = new RSASSAVerifier(publicKey);
        if (jwtToken.verify(verifier)) {
          valid = true;
          LOG.debug("JWT token has been successfully verified");
        } else {
          LOG.warn("JWT signature verification failed.");
        }
      } catch (JOSEException je) {
        LOG.warn("Error while validating signature", je);
      }
    }
  }
  return valid;
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
public String sign(String algorithm, String kid, String keyStr, String dataToSign) {
    try {

        Key key = getKey(algorithm, keyStr);

        JWSHeader.Builder jwsBuilder = new JWSHeader.Builder("HS256".equals(algorithm) ? JWSAlgorithm.HS256 : JWSAlgorithm.RS256);
        jwsBuilder.keyID(kid);

        JWSHeader signingHeader = jwsBuilder.build();
        JWSSigner signer = "HS256".equals(algorithm) ? new MACSigner(key.getEncoded()) : new RSASSASigner((RSAPrivateKey) key);
        JWSObject jwsObject = new JWSObject(signingHeader, new Payload(dataToSign));
        jwsObject.sign(signer);
        checkObject(jwsObject);

        String parts[] = jwsObject.serialize().split("\\.");

        return "{\"protected\":\"" + parts[0] + "\", \"payload\":\"" + parts[1] + "\", \"signature\":\"" + parts[2] + "\"}";

    } catch (Exception e) {
        throw new CryptoException("Exception signing data: " + e.getMessage(), e);
    }
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
@Test
public void checkObjectFailure() throws Exception {
    Method method = encryptionUtility.getClass().getDeclaredMethod("checkObject", JWSObject.class);

    method.setAccessible(true);
    JWSObject object = mock(JWSObject.class);

    Throwable exception = null;
    try {
        method.invoke(encryptionUtility, object);
    } catch(InvocationTargetException e) {
        exception = e.getCause();
    }

    assertNotNull(exception);
    assertTrue(exception instanceof CryptoException);
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
public static boolean verifySignature( String token, String sharedKey )
{
    boolean verifiedSignature = false;

    try
    {
        JWSObject jwsObject = JWSObject.parse( token );
        JWSVerifier verifier = new MACVerifier( sharedKey.getBytes() );
        verifiedSignature = jwsObject.verify( verifier );
    }
    catch ( Exception e )
    {
        LOG.warn( e.getMessage() );
    }

    return verifiedSignature;
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
public static String createTokenRSA( PrivateKey privateKey, String claimJson )
{
    try
    {
        JWSSigner signer = new RSASSASigner( ( RSAPrivateKey ) privateKey );

        Payload pl = new Payload( claimJson );
        JWSObject jwsObject = new JWSObject( new JWSHeader( JWSAlgorithm.RS256 ), pl );

        jwsObject.sign( signer );

        return jwsObject.serialize();
    }
    catch ( Exception e )
    {
        LOG.error( "Error creating RSA token", e.getMessage() );

        return "";
    }
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
public static boolean verifyTokenRSA( PublicKey pKey, String token )
{
    try
    {
        Payload pl = new Payload( token );
        JWSObject jwsObject = new JWSObject( new JWSHeader( JWSAlgorithm.RS256 ), pl );
        JWSVerifier verifier = new RSASSAVerifier( ( RSAPublicKey ) pKey );

        return jwsObject.verify( verifier );
    }
    catch ( JOSEException e )
    {
        LOG.warn( "Error verifying RSA token", e.getMessage() );

        return false;
    }
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
protected boolean validateSignature(SignedJWT jwtToken) {
  boolean valid = false;
  if (JWSObject.State.SIGNED == jwtToken.getState()) {

    if (jwtToken.getSignature() != null) {

      try {
        RSAPublicKey publicKey = parseRSAPublicKey(publicKeyPath);
        JWSVerifier verifier = new RSASSAVerifier(publicKey);
        if (verifier != null && jwtToken.verify(verifier)) {
          valid = true;
        }
      } catch (Exception e) {
        LOGGER.info("Exception in validateSignature", e);
      }
    }
  }
  return valid;
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
private static Any<Key, JsonObject> extractChainData(Map<String, List<String>> maindata) throws ParseException {
	List<String> chain = maindata.get("chain");
	try {
		PublicKey key = parseKey(MOJANG_KEY);
		boolean foundMojangKey = false;
		boolean signatureValid = false;
		for (String element : chain) {
			JWSObject jwsobject = JWSObject.parse(element);
			if (!foundMojangKey && jwsobject.getHeader().getX509CertURL().toString().equals(MOJANG_KEY)) {
				foundMojangKey = true;
				signatureValid = true;
			}
			if (foundMojangKey && !verify(jwsobject, key)) {
				signatureValid = false;
			}
			JsonObject jsonobject = Utils.GSON.fromJson(jwsobject.getPayload().toString(), JsonObject.class);
			key = parseKey(JsonUtils.getString(jsonobject, "identityPublicKey"));
			if (jsonobject.has("extraData")) {
				return new Any<Key, JsonObject>(signatureValid ? key : null, JsonUtils.getJsonObject(jsonobject, "extraData"));
			}
		}
	} catch (InvalidKeySpecException | JOSEException e) {
		throw new DecoderException("Unable to decode login chain", e);
	}
	throw new DecoderException("Unable to find extraData");
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
public JwtClaims authenticate(Jwt jwt) throws JwtVerifyException {
    JWSObject jwsObject = jwt.getJwsObject();
    JSONObject payload = jwsObject.getPayload().toJSONObject();

    // Do the verification steps in order of performance cost / likelihood of failing. Signature verification is
    // costly so we do that last.
    assertTimeValid(payload);

    X509Certificate signingCertificate = getSigningCertificate(jwsObject);

    assertAllowedSignerDn(signingCertificate);
    assertJwtIssuerMatchesSigner(signingCertificate, payload.get(JwtClaims.ISSUER).toString());
    assertSignatureValid(jwsObject, signingCertificate);

    //
    // IMPORTANT!
    //
    // You need to assert that signing certificate is valid by walking trust chain. This will depend on
    // your CA hierarchy and revocation policy. This has been left for the implementer to decide but is a
    // critical part of the verification process.

    LOGGER.debug("Verified JWT (jti={})", payload.get(JwtClaims.JWT_ID));
    JwtClaims.JwtClaimsBuilder builder = JwtClaims.JwtClaimsBuilder.newInstanceFromClaimsMap(payload);
    return builder.build();
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
default String createToken(Object userId) {
    try {
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();

        builder.issuer(getIssuer());
        builder.subject(userId.toString());
        builder.issueTime(new Date());
        builder.notBeforeTime(new Date());
        builder.expirationTime(new Date(new Date().getTime() + getExpirationDate()));
        builder.jwtID(UUID.randomUUID().toString());

        JWTClaimsSet claimsSet = builder.build();
        JWSHeader header = new JWSHeader(JWSAlgorithm.HS256);

        Payload payload = new Payload(claimsSet.toJSONObject());

        JWSObject jwsObject = new JWSObject(header, payload);

        JWSSigner signer = new MACSigner(getSharedKey());
        jwsObject.sign(signer);
        return jwsObject.serialize();
    } catch (JOSEException ex) {
        return null;
    }
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
public JWTAuthenticationToken createToken(String token) {
    try {
        JWSObject jwsObject = JWSObject.parse(token);
        String decrypted = jwsObject.getPayload().toString();
        
        try (JsonReader jr = Json.createReader(new StringReader(decrypted))) {
            JsonObject object = jr.readObject();

            String userId = object.getString("sub", null);
            return new JWTAuthenticationToken(userId, token);
        }

    } catch (ParseException ex) {
        throw new AuthenticationException(ex);
    }

}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
@Test
public void validToken() throws JOSEException, ParseException {
    JWTClaimsSet jwtClaims = getJWTClaimsSet("issuer", "subject", new Date(), new Date(), new Date(new Date().getTime() + 100000));

    JWSHeader header = new JWSHeader(JWSAlgorithm.HS256);

    Payload payload = new Payload(jwtClaims.toJSONObject());

    JWSObject jwsObject = new JWSObject(header, payload);

    JWSSigner signer = new MACSigner(sharedKey);
    jwsObject.sign(signer);
    String token = jwsObject.serialize();

    SignedJWT signed = SignedJWT.parse(token);
    JWSVerifier verifier = new MACVerifierExtended(sharedKey, signed.getJWTClaimsSet());
    signed.verify(verifier);

    Assert.assertTrue("Must be valid", signed.verify(verifier));
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
@Test
public void invalidTokenNotBeforeTime() throws JOSEException, ParseException {
    JWTClaimsSet jwtClaims = getJWTClaimsSet("issuer", "subject", new Date(), new Date(new Date().getTime() + 100000), new Date(new Date().getTime() + 200000));

    JWSHeader header = new JWSHeader(JWSAlgorithm.HS256);

    Payload payload = new Payload(jwtClaims.toJSONObject());

    JWSObject jwsObject = new JWSObject(header, payload);

    JWSSigner signer = new MACSigner(sharedKey);
    jwsObject.sign(signer);
    String token = jwsObject.serialize();

    SignedJWT signed = SignedJWT.parse(token);
    JWSVerifier verifier = new MACVerifierExtended(sharedKey, signed.getJWTClaimsSet());
    signed.verify(verifier);

    Assert.assertFalse("Must be invalid", signed.verify(verifier));
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
@Test
public void invalidTokenExpirationTime() throws JOSEException, ParseException {
    JWTClaimsSet jwtClaims = getJWTClaimsSet("issuer", "subject", new Date(), new Date(), new Date());

    JWSHeader header = new JWSHeader(JWSAlgorithm.HS256);

    Payload payload = new Payload(jwtClaims.toJSONObject());

    JWSObject jwsObject = new JWSObject(header, payload);

    JWSSigner signer = new MACSigner(sharedKey);
    jwsObject.sign(signer);
    String token = jwsObject.serialize();

    SignedJWT signed = SignedJWT.parse(token);
    JWSVerifier verifier = new MACVerifierExtended(sharedKey, signed.getJWTClaimsSet());
    signed.verify(verifier);

    Assert.assertFalse("Must be invalid", signed.verify(verifier));
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
@Override
public JsonObject process(String jwt) throws JWTException {
    String[] parts = jwt.split("\\.");
    if(parts.length == 3) {
        Base64URL first = new Base64URL(parts[0]);
        Base64URL second = new Base64URL(parts[1]);
        Base64URL third = new Base64URL(parts[2]);
        try {
            String rawJwt = new JWSObject(first, second, third).getPayload().toString();
            return Json.createReader(new StringReader(rawJwt)).readObject();
        }
        catch (ParseException e) {
            throw new JWTException("Unable to parse JWT", e);
        }
    }
    else {
        return null;
    }
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
@Override
public Authentication authenticate(Authentication authentication)
    throws AuthenticationException {
    Authentication authenticationResult = authenticationManager
        .authenticate(authentication);

    if (authenticationResult.isAuthenticated()) {
        // validates nonce because JWT is already valid
        if (authentication instanceof PoPAuthenticationToken) {
            PoPAuthenticationToken popAuthentication = (PoPAuthenticationToken) authentication;

            // starts validating nonce here
            String nonce = popAuthentication.getNonce();
            if (nonce == null) {
                throw new UnapprovedClientAuthenticationException(
                    "This request does not have a valid signed nonce");
            }

            String token = (String) popAuthentication.getPrincipal();

            System.out.println("access token:" + token);

            try {
                JWT jwt = JWTParser.parse(token);
                String publicKey = jwt.getJWTClaimsSet().getClaim("public_key").toString();
                JWK jwk = JWK.parse(publicKey);

                JWSObject jwsNonce = JWSObject.parse(nonce);
                JWSVerifier verifier = new RSASSAVerifier((RSAKey) jwk);
                if (!jwsNonce.verify(verifier)) {
                    throw new InvalidTokenException("Client hasn't possession of given token");
                }
            } catch (Exception e) {
                throw new RuntimeException(e);
            }

        }
    }

    return authenticationResult;
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
public JwtPayload validate(ConnectionInfo connectionInfo) throws NotAuthorizedException {
    log.trace("Validation: {}", connectionInfo.toString());
    String[] chain = connectionInfo.getTokenChain().getChain();
    String token = connectionInfo.getClientDataToken();

    if (!validateCertificateChain(chain)) {
        throw new NotAuthorizedException("Invalid certificate chain");
    }

    Optional<JWSObject> jwsTokenOptional = getJwsToken(token);
    if (!jwsTokenOptional.isPresent()) {
        throw new NotAuthorizedException("Invalid token");
    }

    JWSObject jwtToken = jwsTokenOptional.get();
    ECPublicKey key = getECX509PublicKey(jwtToken.getHeader().getX509CertURL().toString());
    if (!validatePublicKey(jwtToken, key)) {
        throw new NotAuthorizedException("Invalid public key");
    }

    // TODO: Verify server address from payload data
    String payloadData = jwtToken.getPayload().toString();

    JwtPayload payload = GSON.fromJson(payloadData, JwtPayload.class);
    payload.setPublicKey(key);

    return payload;
}
 

import com.nimbusds.jose.JWSObject; //导入依赖的package包/类
private boolean verifyCertificateIsValid(String token) {
    try {
        JWSObject jwsToken = JWSObject.parse(token);
        jwsToken.verify(VERIFIER_FACTORY.createJWSVerifier(jwsToken.getHeader(), mojangPublicKey));
    } catch (ParseException | JOSEException ex) {
        return false;
    }
    return true;
}