1 files changed, 84 insertions, 0 deletions

diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Verifier.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Verifier.java
new file mode 100644
index 000000000..374320a5a
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Verifier.java
@@ -0,0 +1,84 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.json;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
+
+import net.oauth.jsontoken.crypto.RsaSHA256Verifier;
+import net.oauth.jsontoken.crypto.Verifier;
+
+/**
+ * A verifier that can verify signatures on byte arrays using a {@link PublicKey} and SHA-256. <br/>
+ * This is something like a copy of the {@link RsaSHA256Verifier}.
+ */
+public class OAuth20SHA256Verifier implements Verifier {
+	
+	private final PublicKey verificationKey;
+	private final Signature signer;
+	
+	/**
+	 * Public Constructor.
+	 * 
+	 * @param verificationKey
+	 *            the key used to verify the signature.
+	 */
+	public OAuth20SHA256Verifier(final PublicKey verificationKey) {
+		this.verificationKey = verificationKey;
+		
+		try {
+			this.signer = OAuth20SignatureUtil.findSignature(verificationKey).getSignatureInstance();
+			this.signer.initVerify(verificationKey);
+		}
+		catch (InvalidKeyException e) {
+			throw new IllegalStateException("key is invalid", e);
+		}
+		catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException("Cannot get algorithm for the given private key", e);
+		}
+		catch (NoSuchProviderException e) {
+			throw new IllegalStateException("Cannot get algorithm for the given private key", e);
+		}
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see net.oauth.jsontoken.crypto.Verifier#verifySignature(byte[], byte[])
+	 */
+	public void verifySignature(byte[] source, byte[] signature) throws SignatureException {
+		try {
+			signer.initVerify(verificationKey);
+		}
+		catch (InvalidKeyException e) {
+			throw new RuntimeException("key someone become invalid since calling the constructor");
+		}
+		signer.update(source);
+		if (!signer.verify(signature)) {
+			throw new SignatureException("signature did not verify");
+		}
+	}
+}