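/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2020, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.openid.connect.sdk.federation.entities;


import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;

import net.jcip.annotations.Immutable;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.util.DateUtils;
import com.nimbusds.oauth2.sdk.id.Audience;


/**
 * Entity statement claims verifier.
 *
 * <p>Verifies:
 *
 * <ul>
 *     <li>The presence of the required "iss", "sub", "iat" and "exp"
 *         claims. The "jwks" claim is additionally required for
 *         self-issued statements (no-argument constructor) only.
 *     <li>For self-issued statements, that "iss" equals "sub".
 *     <li>The expected audience, when one is specified.
 *     <li>The current time is within the "iat" and "exp" window, allowing
 *         for the configured maximum clock skew.
 * </ul>
 */
@Immutable
public class EntityStatementClaimsVerifier extends DefaultJWTClaimsVerifier {
	
	
	/**
	 * {@code true} for self-issued statements, in which case "iss" must
	 * equal "sub" and the "jwks" claim is required.
	 */
	private final boolean isSelfIssued;
	
	
	/**
	 * Creates a new entity statement claims verifier for self-issued
	 * statements. Requires the "iss", "sub", "iat", "exp" and "jwks"
	 * claims; no audience check is performed.
	 */
	public EntityStatementClaimsVerifier() {
		super(null, new HashSet<>(Arrays.asList("iss", "sub", "iat", "exp", "jwks")));
		isSelfIssued = true;
	}
	
	
	/**
	 * Creates a new entity statement claims verifier for statements
	 * issued about another entity. Requires the "iss", "sub", "iat" and
	 * "exp" claims; note that "jwks" is not required here.
	 *
	 * @param expectedAudience The expected audience, {@code null} if not
	 *                         specified (no audience check is then
	 *                         performed).
	 */
	public EntityStatementClaimsVerifier(final Audience expectedAudience) {
		super(
			expectedAudience != null ? expectedAudience.getValue() : null,
			null,
			new HashSet<>(Arrays.asList("iss", "sub", "iat", "exp"))
		);
		isSelfIssued = false;
	}
	
	
	/**
	 * Verifies the entity statement claims.
	 *
	 * @param claimsSet The JWT claims set.
	 * @param context   Optional security context, {@code null} if not
	 *                  specified.
	 *
	 * @throws BadJWTException If a required claim is missing, the
	 *                         expected audience doesn't match, the
	 *                         statement isn't self-issued when it must
	 *                         be, or the current time is outside the
	 *                         "iat" / "exp" window.
	 */
	@Override
	public void verify(final JWTClaimsSet claimsSet, final SecurityContext context) throws BadJWTException {
		
		// Required claims, audience and the "exp" / "nbf" time checks are
		// delegated to the base verifier
		super.verify(claimsSet, context);
		
		// "iss" and "sub" are required claims, so both are present here
		if (isSelfIssued && ! claimsSet.getIssuer().equals(claimsSet.getSubject())) {
			throw new BadJWTException("JWT not self-issued");
		}
		
		// The base verifier doesn't check "iat"; reject statements issued
		// in the future, tolerating the configured maximum clock skew
		final Date now = new Date();
		if (! DateUtils.isBefore(claimsSet.getIssueTime(), now, getMaxClockSkew())) {
			throw new BadJWTException("JWT issue time after current time");
		}
	}
}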