Class JWTUtils

java.lang.Object
io.fusionauth.jwt.JWTUtils

public class JWTUtils extends Object
Helper to generate new HMAC secrets, EC and RSA public / private key pairs and other fun things.
Author:
Daniel DeGroff
  • Constructor Details

    • JWTUtils

      public JWTUtils()
  • Method Details

    • convertFingerprintToThumbprint

      public static String convertFingerprintToThumbprint(String fingerprint)
      Convert a HEX SHA-1 or SHA-256 X.509 certificate fingerprint to an x5t or x5t#256 thumbprint respectively.
      Parameters:
      fingerprint - the SHA-1 or SHA-256 fingerprint
      Returns:
      an x5t hash.
    • convertThumbprintToFingerprint

      public static String convertThumbprintToFingerprint(String x5tHash)
      Convert an X.509 certificate thumbprint to a HEX SHA-1 or SHA-256 fingerprint respectively.

      If an x5t thumbprint is provided, a SHA-1 HEX encoded fingerprint will be returned.

      If an x5t#256 thumbprint is provided, a SHA-256 HEX encoded fingerprint will be returned.

      Parameters:
      x5tHash - the x5t hash
      Returns:
      a SHA-1 or SHA-256 fingerprint
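As an added example (not code from the fusionauth-jwt library), here is the conversion the two methods above perform, reimplemented with the Python standard library: a thumbprint is the raw digest bytes base64url-encoded without padding, and the hash is recognised from the digest length (20 bytes for SHA-1, 32 for SHA-256). RFC 7515 spells the SHA-256 header parameter `x5t#S256`, which is the name used below. The "certificate" bytes in the usage at the bottom are constructed, not a real certificate.

```python
import base64
import hashlib

# Digest length in bytes -> the JOSE header parameter that carries it.
# RFC 7515: "x5t" is the SHA-1 thumbprint, "x5t#S256" the SHA-256 thumbprint.
DIGEST_TO_HEADER = {20: "x5t", 32: "x5t#S256"}


def fingerprint_to_thumbprint(fingerprint: str) -> tuple[str, str]:
    """Turn a HEX X.509 fingerprint into an unpadded base64url thumbprint.

    Returns (header_name, thumbprint). Colon separators as printed by tools
    such as OpenSSL ("AB:CD:...") are tolerated; hex case does not matter.
    """
    raw = bytes.fromhex(fingerprint.replace(":", ""))
    header = DIGEST_TO_HEADER.get(len(raw))
    if header is None:
        raise ValueError(
            f"fingerprint is {len(raw)} bytes; expected a SHA-1 (20) or SHA-256 (32) digest")
    return header, base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def thumbprint_to_fingerprint(thumbprint: str) -> tuple[str, str]:
    """Turn an x5t / x5t#S256 thumbprint back into a lowercase HEX fingerprint.

    Returns (hash_name, hex_fingerprint); the hash is inferred from the decoded length.
    """
    padded = thumbprint + "=" * (-len(thumbprint) % 4)  # restore base64 padding
    raw = base64.urlsafe_b64decode(padded)
    if len(raw) == 20:
        return "SHA-1", raw.hex()
    if len(raw) == 32:
        return "SHA-256", raw.hex()
    raise ValueError(f"thumbprint decodes to {len(raw)} bytes; not an x5t or x5t#S256 value")


def thumbprint_for_der(der_certificate: bytes, hash_name: str = "sha1") -> tuple[str, str]:
    """Compute the thumbprint straight from DER certificate bytes (what x5t actually hashes)."""
    digest_hex = hashlib.new(hash_name, der_certificate).hexdigest()
    return fingerprint_to_thumbprint(digest_hex)


if __name__ == "__main__":
    # Constructed input: any byte string stands in for a DER certificate here.
    fake_der = b"constructed-not-a-real-certificate"
    for name in ("sha1", "sha256"):
        header, tp = thumbprint_for_der(fake_der, name)
        print(header, tp, "->", thumbprint_to_fingerprint(tp))
```

Twenty zero bytes encode as 27 `A` characters (plus one stripped `=`), which makes a handy fixed check that padding is being removed and restored correctly.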
    • decodeHeader

      public static Header decodeHeader(String encodedJWT)
      WARNING!! This is not a secure or safe way to decode a JWT; it performs no validation of the signature.

      Consider the header returned from this method untrustworthy. This is intended as a utility and a convenient way to read the JWT header, but do not use it in production to verify the integrity of the JWT.

      Parameters:
      encodedJWT - the encoded JWT
      Returns:
      a Header object
    • decodePayload

      public static JWT decodePayload(String encodedJWT)
      WARNING!! This is not a secure or safe way to decode a JWT; it performs no validation of the signature.

      Consider the JWT returned from this method untrustworthy. This is intended as a utility and a convenient way to read the JWT, but do not use it in production to verify the claims contained in the JWT.

      Parameters:
      encodedJWT - the encoded JWT
      Returns:
      a JWT object
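The warning on decodeHeader and decodePayload is best understood by seeing what an unverified decode accepts. The following is an added example in Python (standard library only, not the fusionauth-jwt code): `decode_unverified` does what the two methods do, while `verify_hs256` is a minimal verifier that fixes the expected algorithm up front instead of trusting the header's `alg`, and compares the HMAC in constant time. The secret, key id and claims are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo secret (34 bytes); a real deployment generates its own.
DEMO_SECRET = b"constructed-test-secret-32-bytes!!"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Read header and payload WITHOUT checking the signature.

    Fine for logging or choosing a key by 'kid'; never a basis for trusting a claim.
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(claims: dict, secret: bytes, kid: str = "constructed-key-1") -> str:
    """Produce an HS256 compact JWS (used only to build demo input)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only if the HMAC-SHA256 signature checks out, else None.

    The accepted algorithm is fixed by the verifier, so a header that says
    'none' or names some other algorithm is rejected before any crypto runs.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def with_modified_claims(token: str, **changes) -> str:
    """Simulate a token whose payload was altered in transit while the
    original signature was left in place (constructed input for the check)."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return header_b64 + "." + new_payload + "." + signature_b64


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "role": "user"}, DEMO_SECRET)
    altered = with_modified_claims(token, role="admin")
    print("unverified decode of altered token:", decode_unverified(altered)[1])
    print("verified decode of altered token:  ", verify_hs256(altered, DEMO_SECRET))
```

The altered token decodes "successfully" through `decode_unverified` and reports `role: admin`; only `verify_hs256` notices that the signature no longer matches the payload. That gap is exactly why the page tells you not to use the decode helpers for integrity or claim checks.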
    • generate2048_RSAKeyPair

      public static KeyPair generate2048_RSAKeyPair()
      Generate a new public / private key pair using a 2048 bit RSA key. This is the minimum key length for use with an RSA signing scheme for JWT.
      Returns:
      a public and private key PEM in their respective X.509 and PKCS#8 key formats.
    • generate256_ECKeyPair

      public static KeyPair generate256_ECKeyPair()
      Generate a new public / private key pair using a 256 bit EC key. A 256 bit EC key is roughly equivalent to a 3072 bit RSA key.
      Returns:
      a public and private key PEM in their respective X.509 and PKCS#8 key formats.
    • generate3072_RSAKeyPair

      public static KeyPair generate3072_RSAKeyPair()
      Generate a new public / private key pair using a 3072 bit RSA key.
      Returns:
      a public and private key PEM in their respective X.509 and PKCS#8 key formats.
    • generate384_ECKeyPair

      public static KeyPair generate384_ECKeyPair()
      Generate a new public / private key pair using a 384 bit EC key. A 384 bit EC key is roughly equivalent to a 7680 bit RSA key.
      Returns:
      a public and private key PEM in their respective X.509 and PKCS#8 key formats.
    • generate4096_RSAKeyPair

      public static KeyPair generate4096_RSAKeyPair()
      Generate a new public / private key pair using a 4096 bit RSA key.
      Returns:
      a public and private key PEM in their respective X.509 and PKCS#8 key formats.
    • generate521_ECKeyPair

      public static KeyPair generate521_ECKeyPair()
      Generate a new public / private key pair using a 521 bit EC key. A 521 bit EC key is roughly equivalent to a 15,360 bit RSA key.
      Returns:
      a public and private key PEM in their respective X.509 and PKCS#8 key formats.
    • generateJWS_kid

      public static String generateJWS_kid(String algorithm, JSONWebKey key)
      Generate the JWK Thumbprint as per RFC 7638.
      Parameters:
      algorithm - the algorithm used to calculate the hash of the thumbprint, generally SHA-1 or SHA-256.
      key - the JSONWebKey to determine the thumbprint for
      Returns:
      the base64url-encoded JWK Thumbprint
    • generateJWS_kid

      public static String generateJWS_kid(JSONWebKey key)
      Generate the JWK SHA-1 Thumbprint as per RFC 7638.
      Parameters:
      key - the JSONWebKey to determine the thumbprint for
      Returns:
      the base64url-encoded JWK Thumbprint
    • generateJWS_kid_S256

      public static String generateJWS_kid_S256(JSONWebKey key)
      Generate the JWK SHA-256 Thumbprint as per RFC 7638.
      Parameters:
      key - the JSONWebKey to determine the thumbprint for
      Returns:
      the base64url-encoded JWK Thumbprint
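The three generateJWS_kid variants all produce the RFC 7638 JWK Thumbprint. As an added example (Python standard library, not the library's own implementation), the computation below shows what goes into the hash: only the required members for the key type, serialised as JSON with members sorted lexicographically and no whitespace, then hashed and base64url-encoded without padding. The EC key in the usage is constructed; its coordinate values are placeholders, not a real point.

```python
import base64
import hashlib
import json

# Required members per key type, from RFC 7638 section 3.2. Optional members such as
# "kid", "use" and "alg", and any private-key members, are excluded from the hash input.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def jwk_thumbprint_input(jwk: dict) -> str:
    """The canonical JSON string the thumbprint is computed over."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    members = REQUIRED_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required member(s): {missing}")
    canonical = {m: jwk[m] for m in members}
    # sort_keys gives the lexicographic order RFC 7638 requires; separators drop all whitespace.
    return json.dumps(canonical, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """base64url-encoded JWK Thumbprint, suitable as a 'kid' value.

    hash_name "sha256" matches generateJWS_kid_S256, "sha1" matches generateJWS_kid(key).
    """
    digest = hashlib.new(hash_name, jwk_thumbprint_input(jwk).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    # Constructed EC key: "x" and "y" are placeholder strings, not a real P-256 point.
    ec_key = {"kty": "EC", "crv": "P-256", "x": "constructedX", "y": "constructedY",
              "kid": "old-kid", "use": "sig"}
    print(jwk_thumbprint_input(ec_key))
    print("kid (SHA-256):", jwk_thumbprint(ec_key))
    print("kid (SHA-1):  ", jwk_thumbprint(ec_key, "sha1"))
```

Because optional members are excluded, renaming a key's `kid` or adding `use` does not change its thumbprint, while any change to the key material does; that stability is what makes the thumbprint a good key identifier.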
    • generateJWS_x5t

      public static String generateJWS_x5t(String encodedCertificate)
      Generate the x5t - the X.509 certificate thumbprint to be used in JWT header.
      Parameters:
      encodedCertificate - the Base64 encoded certificate
      Returns:
      an x5t hash.
    • generateJWS_x5t

      public static String generateJWS_x5t(String algorithm, String encodedCertificate)
      Generate the x5t - the X.509 certificate thumbprint to be used in JWT header.
      Parameters:
      algorithm - the algorithm used to calculate the hash, generally SHA-1 or SHA-256.
      encodedCertificate - the Base64 encoded certificate
      Returns:
      an x5t hash.
    • generateJWS_x5t

      public static String generateJWS_x5t(byte[] derEncodedCertificate)
      Generate the x5t - the X.509 certificate thumbprint to be used in JWT header.
      Parameters:
      derEncodedCertificate - the DER encoded certificate
      Returns:
      an x5t hash.
    • generateJWS_x5t

      public static String generateJWS_x5t(String algorithm, byte[] derEncodedCertificate)
      Generate the x5t - the X.509 certificate thumbprint to be used in JWT header.
      Parameters:
      algorithm - the algorithm used to calculate the hash, generally SHA-1 or SHA-256.
      derEncodedCertificate - the DER encoded certificate
      Returns:
      an x5t hash.
    • generateSHA256_HMACSecret

      public static String generateSHA256_HMACSecret()
      Generate a 32 byte (256 bit) HMAC secret for use with a SHA-256 hash.
      Returns:
      a secret for use with an HMAC signing and verification scheme.
    • generateSHA384_HMACSecret

      public static String generateSHA384_HMACSecret()
      Generate a 48 byte (384 bit) HMAC secret for use with a SHA-384 hash.
      Returns:
      a secret for use with an HMAC signing and verification scheme.
    • generateSHA512_HMACSecret

      public static String generateSHA512_HMACSecret()
      Generate a 64 byte (512 bit) HMAC secret for use with a SHA-512 hash.
      Returns:
      a secret for use with an HMAC signing and verification scheme.
    • generateSecureRandom

      public static String generateSecureRandom(int bytes)
      Return a secure random string.
      Parameters:
      bytes - the number of bytes used to generate the random byte array to be encoded.
      Returns:
      a random string.
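The three generateSHA*_HMACSecret methods and generateSecureRandom are tied together by one rule: the HMAC secret should be at least as long as the hash output (32, 48 and 64 bytes for SHA-256, SHA-384 and SHA-512; RFC 7518 section 3.2 makes that a minimum). As an added example in Python (not the library's code), the block below derives the size from the hash, draws the bytes from the CSPRNG, and adds the check a verifier should run before accepting a configured secret. The Base64 output encoding is an assumption; the page does not state which encoding the library returns.

```python
import base64
import binascii
import hashlib
import secrets

# JWS HMAC algorithm -> underlying hash. RFC 7518 section 3.2 requires the key to be
# at least as long as the hash output (256, 384 and 512 bits respectively).
HMAC_ALGS = {"HS256": "sha256", "HS384": "sha384", "HS512": "sha512"}


def secure_random_b64(num_bytes: int) -> str:
    """Base64 string built from num_bytes of CSPRNG output (the role of generateSecureRandom)."""
    if num_bytes <= 0:
        raise ValueError("num_bytes must be positive")
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def min_secret_bytes(alg: str) -> int:
    """Minimum secret length for an HS* algorithm: the digest size of its hash."""
    return hashlib.new(HMAC_ALGS[alg]).digest_size


def generate_hmac_secret(alg: str) -> str:
    """A fresh secret sized to the hash output, e.g. 32 bytes for HS256."""
    return secure_random_b64(min_secret_bytes(alg))


def check_hmac_secret(alg: str, secret_b64: str) -> bool:
    """Defensive check before configuring a verifier: reject malformed or undersized secrets."""
    try:
        raw = base64.b64decode(secret_b64, validate=True)
    except (ValueError, binascii.Error):
        return False
    return len(raw) >= min_secret_bytes(alg)


if __name__ == "__main__":
    for alg in HMAC_ALGS:
        secret = generate_hmac_secret(alg)
        print(alg, min_secret_bytes(alg), "bytes ->", secret, check_hmac_secret(alg, secret))
```

Short human-chosen strings such as passwords fail `check_hmac_secret` even when they look long after encoding, which is the failure mode the page's fixed-size generators are there to prevent.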