private Key resolveSigningKey(final JwsHeader header) {
    final LineApiResponse<JWKSet> response = apiClient.getJWKSet();
    if (!response.isSuccess()) {
        Log.e(TAG, "failed to get LINE JSON Web Key Set [JWK] document.");

        return null;
    }

    final JWKSet jwkSet = response.getResponseData();

    final String keyId = header.getKeyId();
    final JWK jwk = jwkSet.getJWK(keyId);
    if (jwk == null) {
        Log.e(TAG, "failed to find Key by Id: " + keyId);

        return null;
    }

    final String algorithm = header.getAlgorithm();
    final SignatureAlgorithm alg = SignatureAlgorithm.forName(algorithm);
    if (alg.isEllipticCurve()) {
        return generateECPublicKey(jwk);
    }

    throw new SecurityException("Unsupported signature algorithm '" + algorithm + '\'');
}
 

@Override
public Claims parse(final String credentials) {
    // Parse the JWT claims
    return Jwts.parserBuilder().setSigningKeyResolver(new SigningKeyResolverAdapter() {
        @Override
        public Key resolveSigningKey(final JwsHeader header, final Claims claims) {
            if (header.getKeyId() == null) {
                throw new JwtException("Missing Key ID (kid) header field");
            }
            try {
                if (keyIds.contains(header.getKeyId()) && keyStore.containsAlias(header.getKeyId())) {
                    return keyStore.getCertificate(header.getKeyId()).getPublicKey();
                }
            } catch (final KeyStoreException ex) {
                throw new SecurityException("Error retrieving key from keystore", ex);
            }
            throw new SecurityException("Could not locate key in keystore: " + header.getKeyId());
        }
    }).build().parseClaimsJws(credentials).getBody();
}
 

@Override
public Claims parse(final String token) {
    return Jwts.parserBuilder().setSigningKeyResolver(new SigningKeyResolverAdapter() {
        @Override
        public Key resolveSigningKey(final JwsHeader header, final Claims claims) {
            final String keyid = header.getKeyId();
            if (keyid == null) {
                throw new JwtException("Missing Key ID (kid) header field");
            }
            if (keys.containsKey(keyid)) {
                return keys.get(keyid);
            }
            throw new SecurityException("Could not locate key: " + keyid);
        }
    }).build().parseClaimsJws(token).getBody();
}
 

@Test
void testKeyStoreException() throws Exception {
    final KeyStore mockKeyStore = mock(KeyStore.class, inv -> {
        throw new KeyStoreException("Expected");
    });

    final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(getClass().getResourceAsStream("/keystore.jks"), passphrase);

    final String token = buildEcToken(ks.getKey("trellis-ec", passphrase), "trellis-ec");
    final Authenticator authenticator = new FederatedJwtAuthenticator(mockKeyStore,
            singletonList("trellis-ec"));

    assertThrows(SecurityException.class, () -> authenticator.authenticate(token),
            "Unexpectedly functional keystore!");
}
 

@Test
void testAuthenticateKeystoreNoMatch() throws Exception {
    final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(getClass().getResourceAsStream("/keystore.jks"), passphrase);

    final String token = buildEcToken(ks.getKey("trellis-ec", passphrase), "trellis-ec");
    final Authenticator authenticator = new FederatedJwtAuthenticator(ks,
            asList("trellis", "foo"));

    assertThrows(SecurityException.class, () -> authenticator.authenticate(token), "Unexpected keystore entry!");
}
 

@Test
void testAuthenticateKeystoreAnotherNoMatch() throws Exception {
    final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(getClass().getResourceAsStream("/keystore.jks"), passphrase);

    final String token = buildEcToken(ks.getKey("trellis-ec", passphrase), "foo");
    final Authenticator authenticator = new FederatedJwtAuthenticator(ks,
            singletonList("foo"));

    assertThrows(SecurityException.class, () -> authenticator.authenticate(token), "Unexpected keystore entry!");
}
 

@Test
void testAuthenticationTokenWebidBadKey() {
    final String key = "2YuUlb+t36yVzrTkYLl8xBlBJSC41CE7uNF3somMDxdYDfcACv9JYIU54z17s4Ah313uKu/4Ll+vDNKpxx6v4Q==";
    final String token = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJ3ZWJpZCI6Imh0dHBzOi8vcGVvcGxlLmFwYWNoZS5vcmcvfm" +
        "Fjb2J1cm4vI2kiLCJzdWIiOiJhY29idXJuIiwibmFtZSI6IkFhcm9uIENvYnVybiIsImlzcyI6Imh0dHA6Ly9leGFtcGxlLm9yZy8ifQ" +
        ".kIHJDSzaisxfIF5fQou2e9rBInsDsl0vZ4QQ60zlZlSufm9nnmC7eL-875WPsVGzPAfptF6MrImrpFeNxdW9ZQ";

    final Authenticator authenticator = new JwtAuthenticator(hmacShaKeyFor(Base64.getDecoder().decode(key)));

    assertThrows(SecurityException.class, () -> authenticator.authenticate(token), "Parsed bad JWT!");
}
 

@Test
void testAuthenticateJwksWrongKeyid() throws Exception {
    final String webid = "https://people.apache.org/~acoburn/#i";

    final Key key = KeyFactory.getInstance("RSA").generatePrivate(new RSAPrivateKeySpec(modulus, exponent));
    final String token = Jwts.builder().setHeaderParam(JwsHeader.KEY_ID, "non-existent")
        .setSubject(webid).signWith(key).compact();

    final Authenticator authenticator = new JwksAuthenticator(url);

    assertThrows(SecurityException.class, () -> authenticator.authenticate(token), "Unexpected principal!");
}
 

@Test
void testAuthenticateJwksInvalidKeyLocation() throws Exception {
    final String webid = "https://people.apache.org/~acoburn/#i";

    final Key key = KeyFactory.getInstance("RSA").generatePrivate(new RSAPrivateKeySpec(modulus, exponent));
    final String token = Jwts.builder().setHeaderParam(JwsHeader.KEY_ID, keyid).setSubject(webid)
        .signWith(key).compact();

    final Authenticator authenticator = new JwksAuthenticator("https://www.trellisldp.org/tests/non-existent");

    assertThrows(SecurityException.class, () -> authenticator.authenticate(token), "Unexpected principal!");
}