Initial commit

Author: jricher

.gitignore

@@ -0,0 +1,4 @@
+.classpath
+.project
+.settings/
+target/

pom.xml

@@ -0,0 +1,127 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>io.bspk</groupId>
+	<artifactId>httpsig</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<name>HTTP Messsage Signatures</name>
+	<properties>
+		<java.version>14</java.version>
+		<maven.compiler.source>14</maven.compiler.source>
+		<maven.compiler.target>14</maven.compiler.target>
+	</properties>
+	<dependencies>
+		<dependency>
+			<groupId>org.greenbytes.http</groupId>
+			<artifactId>structured-fields</artifactId>
+			<version>0.4</version>
+		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcpkix-jdk18on</artifactId>
+			<version>1.71</version>
+		</dependency>
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-annotations</artifactId>
+			<version>2.11.4</version>
+		</dependency>
+		<dependency>
+			<groupId>com.nimbusds</groupId>
+			<artifactId>nimbus-jose-jwt</artifactId>
+			<version>9.4.1</version>
+			<scope>compile</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.slf4j</groupId>
+			<artifactId>slf4j-api</artifactId>
+			<version>1.7.30</version>
+		</dependency>
+		<dependency>
+			<groupId>com.google.guava</groupId>
+			<artifactId>guava</artifactId>
+			<version>28.1-jre</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-web</artifactId>
+			<version>5.2.22.RELEASE</version>
+			<scope>provided</scope>
+		</dependency>
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>servlet-api</artifactId>
+			<version>2.5</version>
+			<scope>provided</scope>
+		</dependency>
+	</dependencies>
+	<distributionManagement>
+		<snapshotRepository>
+			<id>ossrh</id>
+			<url>https://s01.oss.sonatype.org/content/repositories/snapshots</url>
+		</snapshotRepository>
+		<repository>
+			<id>ossrh</id>
+			<url>https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/</url>
+		</repository>
+	</distributionManagement>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.sonatype.plugins</groupId>
+				<artifactId>nexus-staging-maven-plugin</artifactId>
+				<version>1.6.7</version>
+				<extensions>true</extensions>
+				<configuration>
+					<serverId>ossrh</serverId>
+					<nexusUrl>https://s01.oss.sonatype.org/</nexusUrl>
+					<autoReleaseAfterClose>true</autoReleaseAfterClose>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-source-plugin</artifactId>
+				<version>2.2.1</version>
+				<executions>
+					<execution>
+						<id>attach-sources</id>
+						<goals>
+							<goal>jar-no-fork</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-javadoc-plugin</artifactId>
+				<version>3.0.1</version>
+			    <configuration>
+			        <doclint>all,-missing</doclint>
+			    </configuration>
+				<executions>
+					<execution>
+						<id>attach-javadocs</id>
+						<goals>
+							<goal>jar</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-gpg-plugin</artifactId>
+				<version>1.5</version>
+				<executions>
+					<execution>
+						<id>sign-artifacts</id>
+						<phase>verify</phase>
+						<goals>
+							<goal>sign</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+</project>

src/main/java/io/bspk/httpsig/HttpSigAlgorithm.java

@@ -0,0 +1,81 @@
+package io.bspk.httpsig;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonValue;
+
+/**
+ * Signature algorithms.
+ * @author jricher
+ *
+ */
+public class HttpSigAlgorithm {
+
+	public static final HttpSigAlgorithm RSAPSS = new HttpSigAlgorithm("rsa-pss-sha512");
+	public static final HttpSigAlgorithm RSA15 = new HttpSigAlgorithm("rsa-v1_5-sha256");
+	public static final HttpSigAlgorithm HMAC = new HttpSigAlgorithm("hmac-sha256");
+	public static final HttpSigAlgorithm ECDSA = new HttpSigAlgorithm("ecdsa-p256-sha256");
+	public static final HttpSigAlgorithm ED25519 = new HttpSigAlgorithm("ed25519");
+	public static final HttpSigAlgorithm JOSE = new HttpSigAlgorithm(null);
+
+	@JsonValue
+	private final String explicitAlg;
+
+	/**
+	 * @param object
+	 */
+	private HttpSigAlgorithm(String explicitAlg) {
+		this.explicitAlg = explicitAlg;
+	}
+
+	/**
+	 * @return the explicitAlg
+	 */
+	public String getExplicitAlg() {
+		return explicitAlg;
+	}
+
+	/**
+	 * @return
+	 */
+	@JsonCreator
+	public static HttpSigAlgorithm of(String alg) {
+		if (alg == null) {
+			return null;
+		} else if (alg.equalsIgnoreCase("jose")) {
+			return JOSE;
+		} else {
+			return new HttpSigAlgorithm(alg);
+		}
+	}
+
+	@Override
+	public boolean equals(Object obj) {
+		if (this == obj) {
+			return true;
+		}
+		if (obj == null) {
+			return false;
+		}
+		if (getClass() != obj.getClass()) {
+			return false;
+		}
+		HttpSigAlgorithm other = (HttpSigAlgorithm) obj;
+		if (getExplicitAlg() == null) {
+			if (other.getExplicitAlg() != null) {
+				return false;
+			}
+		} else if (!getExplicitAlg().equals(other.getExplicitAlg())) {
+			return false;
+		}
+		return true;
+	}
+
+	@Override
+	public int hashCode() {
+		final int prime = 31;
+		int result = 1;
+		result = prime * result + ((getExplicitAlg() == null) ? 0 : getExplicitAlg().hashCode());
+		return result;
+	}
+
+}

src/main/java/io/bspk/httpsig/HttpSign.java

@@ -0,0 +1,122 @@
+package io.bspk.httpsig;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
+
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+
+import org.bouncycastle.jcajce.provider.digest.SHA256;
+import org.bouncycastle.jcajce.provider.digest.SHA512;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSSigner;
+import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory;
+import com.nimbusds.jose.crypto.impl.ECDSA;
+import com.nimbusds.jose.jwk.JWK;
+import com.nimbusds.jose.jwk.KeyType;
+import com.nimbusds.jose.util.Base64URL;
+
+/**
+ * @author jricher
+ *
+ */
+public class HttpSign {
+
+	private static final Logger log = LoggerFactory.getLogger(HttpSign.class);
+
+
+	private HttpSigAlgorithm alg;
+	private JWK signingKey; // TODO: other key formats?
+
+	public HttpSign(HttpSigAlgorithm alg, JWK signingKey) {
+		this.alg = alg;
+		this.signingKey = signingKey;
+	}
+
+	public byte[] sign(byte[] base) {
+		try {
+			if (alg.equals(HttpSigAlgorithm.RSAPSS)) {
+				if (signingKey.getKeyType().equals(KeyType.RSA)) {
+					PrivateKey privateKey = signingKey.toRSAKey().toPrivateKey();
+
+					Signature signer = Signature.getInstance("RSASSA-PSS");
+					signer.setParameter(
+						new PSSParameterSpec("SHA-512", "MGF1", MGF1ParameterSpec.SHA512, 64, 1));
+
+					MessageDigest sha = new SHA512.Digest();
+					byte[] hash = sha.digest(base);
+
+					signer.initSign(privateKey);
+					signer.update(hash);
+					byte[] s = signer.sign();
+					return s;
+				}
+			} else if (alg.equals(HttpSigAlgorithm.RSA15)) {
+				if (signingKey.getKeyType().equals(KeyType.RSA)) {
+					PrivateKey privateKey = signingKey.toRSAKey().toPrivateKey();
+
+					Signature signer = Signature.getInstance("SHA256withRSA");
+
+					MessageDigest sha = new SHA256.Digest();
+					byte[] hash = sha.digest(base);
+
+					signer.initSign(privateKey);
+					signer.update(hash);
+					byte[] s = signer.sign();
+					return s;
+				}
+			} else if (alg.equals(HttpSigAlgorithm.HMAC)) {
+				if (signingKey.getKeyType().equals(KeyType.OCT)) {
+					SecretKey secretKey = signingKey.toOctetSequenceKey().toSecretKey();
+
+					Mac mac = Mac.getInstance("HmacSHA256");
+					mac.init(secretKey);
+					mac.update(base);
+					byte[] s = mac.doFinal();
+					return s;
+				}
+			} else if (alg.equals(HttpSigAlgorithm.ECDSA)) {
+				if (signingKey.getKeyType().equals(KeyType.EC)) {
+					PrivateKey privateKey = signingKey.toECKey().toPrivateKey();
+
+					Signature signer = Signature.getInstance("SHA256withECDSA");
+
+					MessageDigest sha = new SHA256.Digest();
+					byte[] hash = sha.digest(base);
+
+					signer.initSign(privateKey);
+					signer.update(hash);
+					byte[] rs = signer.sign();
+					byte[] s = ECDSA.transcodeSignatureToConcat(rs, 64);
+					return s;
+				}
+			} else if (alg.equals(HttpSigAlgorithm.JOSE)) {
+				// do a JOSE signature based on what's in the key
+				JWSSigner signer = new DefaultJWSSignerFactory().createJWSSigner(signingKey);
+
+				// create a fake header
+				JWSAlgorithm alg = new JWSAlgorithm(signingKey.getAlgorithm().getName());
+				JWSHeader header = new JWSHeader.Builder(alg).build();
+
+				Base64URL s = signer.sign(header, base);
+				return s.decode();
+			}
+		} catch (InvalidKeyException | NoSuchAlgorithmException | InvalidAlgorithmParameterException | SignatureException | JOSEException e) {
+			log.warn("Could not sign input", e);
+		}
+		return null;
+	}
+
+}