chore: change class name to JwtUtils (#1724)

Author: algattik

docs/developer/decision-records/2022-06-19-json-web-token/README.md

@@ -7,7 +7,7 @@
 | Claim           | Value                                                        |
 | --------------- | ------------------------------------------------------------ |
 | Issuer          | The request source connector [did:web](https://w3c-ccg.github.io/did-method-web/) identifier (example: `did:web:edc.example.com`). This allows the server to verify the JWT signature against the source's public key. |
-| Subject         | The fixed string `verifiable-credential`.                    |
+| Subject         | The same value as in the `Issuer` claim.                     |
 | Audience        | The request destination connector IDS endpoint (example: `http://edc.example.com:8181/api/v1/ids/data`). This allows the server to verify the intended audience. |
 | JWT ID          | A random UUID.                                               |
 | Expiration Time | A time set in the near future.                               |

extensions/iam/decentralized-identity/identity-did-service/src/main/java/org/eclipse/dataspaceconnector/identity/DecentralizedIdentityService.java

@@ -17,7 +17,6 @@
 package org.eclipse.dataspaceconnector.identity;
 
 import com.nimbusds.jwt.SignedJWT;
-import org.eclipse.dataspaceconnector.iam.did.crypto.credentials.VerifiableCredentialFactory;
 import org.eclipse.dataspaceconnector.iam.did.crypto.key.KeyConverter;
 import org.eclipse.dataspaceconnector.iam.did.spi.credentials.CredentialsVerifier;
 import org.eclipse.dataspaceconnector.iam.did.spi.document.DidConstants;
@@ -56,7 +55,7 @@ public DecentralizedIdentityService(DidResolverRegistry resolverRegistry, Creden
 
     @Override
     public Result<TokenRepresentation> obtainClientCredentials(TokenParameters parameters) {
-        var jwt = VerifiableCredentialFactory.create(privateKey, issuer, parameters.getAudience(), clock);
+        var jwt = JwtUtils.create(privateKey, issuer, issuer, parameters.getAudience(), clock);
         var token = jwt.serialize();
         return Result.success(TokenRepresentation.Builder.newInstance().token(token).build());
     }
@@ -85,7 +84,7 @@ public Result<ClaimToken> verifyJwtToken(TokenRepresentation tokenRepresentation
             var publicKeyWrapper = KeyConverter.toPublicKeyWrapper(publicKeyJwk, publicKey.get().getId());
 
             monitor.debug("Verifying JWT with public key...");
-            var verified = VerifiableCredentialFactory.verify(jwt, publicKeyWrapper, audience);
+            var verified = JwtUtils.verify(jwt, publicKeyWrapper, audience);
             if (verified.failed()) {
                 verified.getFailureMessages().forEach(m -> monitor.debug(() -> "Failure in token verification: " + m));
                 return Result.failure("Token could not be verified!");

extensions/iam/decentralized-identity/identity-did-crypto/src/main/java/org/eclipse/dataspaceconnector/iam/did/crypto/credentials/VerifiableCredentialFactory.java extensions/iam/decentralized-identity/identity-did-service/src/main/java/org/eclipse/dataspaceconnector/identity/JwtUtils.java

@@ -12,7 +12,7 @@
  *
  */
 
-package org.eclipse.dataspaceconnector.iam.did.crypto.credentials;
+package org.eclipse.dataspaceconnector.identity;
 
 import com.nimbusds.jose.Algorithm;
 import com.nimbusds.jose.JOSEException;
@@ -36,31 +36,30 @@
 import java.util.UUID;
 
 /**
- * Convenience/helper class to generate, verify and deserialize verifiable credentials, which are, in fact, Signed JSON Web Tokens (JWTs).
+ * Convenience/helper class to generate and verify Signed JSON Web Tokens (JWTs) for communicating between connector instances.
  */
-public class VerifiableCredentialFactory {
-
+class JwtUtils {
     // RFC 7519 Registered (standard) claims
     private static final String ISSUER_CLAIM = "iss";
+    private static final String SUBJECT_CLAIM = "sub";
     private static final String EXPIRATION_TIME_CLAIM = "exp";
 
-    // Subject claim value
-    public static final String VERIFIABLE_CREDENTIAL = "verifiable-credential";
-
     /**
-     * Creates a signed JWT {@link SignedJWT} that contains a set of claims and an issuer. Although all private key types are possible, in the context of Distributed Identity and ION
+     * Creates a signed JWT {@link SignedJWT} that contains a set of claims and an issuer. Although all private key types are possible, in the context of Distributed Identity
      * using an Elliptic Curve key ({@code P-256}) is advisable.
      *
      * @param privateKey A Private Key represented as {@link PrivateKeyWrapper}.
-     * @param issuer     the "owner" of the VC, in most cases this will be the DID ID. The VC will store this in the "iss" claim
-     * @param audience   the audience of the token, e.g. the IDS Webhook address. The VC will store this in the "aud" claim
-     * @param clock      clock used to get current time
-     * @return a {@code SignedJWT} that is signed with the private key and contains all claims listed
+     * @param issuer     the value of the token issuer claim.
+     * @param subject    the value of the token subject claim. For Distributed Identity, this value is identical to the issuer claim.
+     * @param audience   the value of the token audience claim, e.g. the IDS Webhook address.
+     * @param clock      clock used to get current time.
+     * @return a {@code SignedJWT} that is signed with the private key and contains all claims listed.
      */
-    public static SignedJWT create(PrivateKeyWrapper privateKey, String issuer, String audience, Clock clock) {
-        var claimsSet = new JWTClaimsSet.Builder().issuer(issuer)
+
+    static SignedJWT create(PrivateKeyWrapper privateKey, String issuer, String subject, String audience, Clock clock) {
+        var claimsSet = new JWTClaimsSet.Builder()
                 .issuer(issuer)
-                .subject(VERIFIABLE_CREDENTIAL)
+                .subject(subject)
                 .audience(audience)
                 .expirationTime(Date.from(clock.instant().plus(10, ChronoUnit.MINUTES)))
                 .jwtID(UUID.randomUUID().toString())
@@ -91,7 +90,7 @@ public static SignedJWT create(PrivateKeyWrapper privateKey, String issuer, Stri
      * @param audience  The intended audience
      * @return true if verified, false otherwise
      */
-    public static Result<Void> verify(SignedJWT jwt, PublicKeyWrapper publicKey, String audience) {
+    static Result<Void> verify(SignedJWT jwt, PublicKeyWrapper publicKey, String audience) {
         // verify JWT signature
         try {
             var verified = jwt.verify(publicKey.verifier());
@@ -112,10 +111,10 @@ public static Result<Void> verify(SignedJWT jwt, PublicKeyWrapper publicKey, Str
         // verify claims
         var exactMatchClaims = new JWTClaimsSet.Builder()
                 .audience(audience)
-                .subject(VERIFIABLE_CREDENTIAL)
                 .build();
         var requiredClaims = Set.of(
                 ISSUER_CLAIM,
+                SUBJECT_CLAIM,
                 EXPIRATION_TIME_CLAIM);
 
         var claimsVerifier = new DefaultJWTClaimsVerifier<>(exactMatchClaims, requiredClaims);

extensions/iam/decentralized-identity/identity-did-crypto/src/test/java/org/eclipse/dataspaceconnector/iam/did/crypto/credentials/VerifiableCredentialFactoryTest.java extensions/iam/decentralized-identity/identity-did-service/src/test/java/org/eclipse/dataspaceconnector/identity/JwtUtilsTest.java

@@ -13,7 +13,7 @@
  *
  */
 
-package org.eclipse.dataspaceconnector.iam.did.crypto.credentials;
+package org.eclipse.dataspaceconnector.identity;
 
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.jwk.ECKey;
@@ -46,12 +46,14 @@
 import static java.time.temporal.ChronoUnit.SECONDS;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.eclipse.dataspaceconnector.iam.did.crypto.key.KeyPairFactory.generateKeyPairP256;
+import static org.eclipse.dataspaceconnector.identity.JwtUtils.create;
+import static org.eclipse.dataspaceconnector.identity.JwtUtils.verify;
 import static org.eclipse.dataspaceconnector.junit.testfixtures.TestUtils.getResourceFileContentAsString;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
-class VerifiableCredentialFactoryTest {
+class JwtUtilsTest {
     private static final Faker FAKER = new Faker();
 
     private final Instant now = Instant.now();
@@ -68,19 +70,19 @@ void setup() throws JOSEException {
     @Test
     @SuppressWarnings("ResultOfMethodCallIgnored")
     void createVerifiableCredential() throws Exception {
-        var vc = VerifiableCredentialFactory.create(privateKey, "test-connector", "test-audience", clock);
+        var vc = create(privateKey, "test-issuer", "test-subject", "test-audience", clock);
 
         assertThat(vc).isNotNull();
-        assertThat(vc.getJWTClaimsSet().getIssuer()).isEqualTo("test-connector");
-        assertThat(vc.getJWTClaimsSet().getSubject()).isEqualTo("verifiable-credential");
+        assertThat(vc.getJWTClaimsSet().getIssuer()).isEqualTo("test-issuer");
+        assertThat(vc.getJWTClaimsSet().getSubject()).isEqualTo("test-subject");
         assertThat(vc.getJWTClaimsSet().getAudience()).containsExactly("test-audience");
         assertThat(vc.getJWTClaimsSet().getJWTID()).satisfies(UUID::fromString);
         assertThat(vc.getJWTClaimsSet().getExpirationTime()).isEqualTo(now.plus(10, MINUTES).truncatedTo(SECONDS));
     }
 
     @Test
     void ensureSerialization() throws Exception {
-        var vc = VerifiableCredentialFactory.create(privateKey, "test-connector", "test-audience", clock);
+        var vc = create(privateKey, "test-issuer", "test-subject", "test-audience", clock);
 
         assertThat(vc).isNotNull();
         String jwtString = vc.serialize();
@@ -95,17 +97,17 @@ void ensureSerialization() throws Exception {
 
     @Test
     void verifyJwt_OnInvalidSignature_fails() {
-        var jwt = VerifiableCredentialFactory.create(privateKey, "test-connector", "test-audience", clock);
+        var jwt = create(privateKey, "test-issuer", "test-subject", "test-audience", clock);
         var unrelatedPublicKey = new EcPublicKeyWrapper(generateKeyPairP256());
-        assertThat(VerifiableCredentialFactory.verify(jwt, unrelatedPublicKey, "test-audience").getFailureMessages()).containsExactly("Invalid signature");
+        assertThat(verify(jwt, unrelatedPublicKey, "test-audience").getFailureMessages()).containsExactly("Invalid signature");
     }
 
     @Test
     void verifyJwt_OnVerificationFailure_fails() throws Exception {
         var jwt = mock(SignedJWT.class);
         var message = FAKER.lorem().sentence();
         when(jwt.verify(any())).thenThrow(new JOSEException(message));
-        assertThat(VerifiableCredentialFactory.verify(jwt, publicKey, "test-audience").getFailureMessages())
+        assertThat(verify(jwt, publicKey, "test-audience").getFailureMessages())
                 .containsExactly("Unable to verify JWT token. " + message);
 
     }
@@ -116,22 +118,22 @@ void verifyJwt_OnInvalidClaims_fails() throws Exception {
         var message = FAKER.lorem().sentence();
         when(jwt.verify(any())).thenReturn(true);
         when(jwt.getJWTClaimsSet()).thenThrow(new ParseException(message, 0));
-        assertThat(VerifiableCredentialFactory.verify(jwt, publicKey, "test-audience").getFailureMessages())
+        assertThat(verify(jwt, publicKey, "test-audience").getFailureMessages())
                 .containsExactly("Error verifying JWT token. The payload must represent a valid JSON object and a JWT claims set. " + message);
     }
 
     @ParameterizedTest(name = "{2}")
     @ArgumentsSource(ClaimsArgs.class)
     void verifyJwt_OnClaims(UnaryOperator<JWTClaimsSet.Builder> builderOperator, boolean expectSuccess, String ignoredName) throws Exception {
-        var vc = VerifiableCredentialFactory.create(privateKey, "test-connector", "test-audience", clock);
+        var vc = create(privateKey, "test-issuer", "test-subject", "test-audience", clock);
 
         var claimsSetBuilder = new JWTClaimsSet.Builder(vc.getJWTClaimsSet());
         var claimsSet = builderOperator.apply(claimsSetBuilder).build();
 
         var jwt = new SignedJWT(vc.getHeader(), claimsSet);
         jwt.sign(privateKey.signer());
 
-        var result = VerifiableCredentialFactory.verify(jwt, publicKey, "test-audience");
+        var result = verify(jwt, publicKey, "test-audience");
         assertThat(result.succeeded()).isEqualTo(expectSuccess);
         if (!expectSuccess) {
             assertThat(result.getFailureMessages())
@@ -149,8 +151,7 @@ public Stream<? extends Arguments> provideArguments(ExtensionContext context) {
                     jwtCase(b -> b.audience(List.of("https://otherserver.com")), false, "wrong audience"),
                     jwtCase(b -> b.audience(List.of("test-audience")), true, "expected audience"), // sanity check
                     jwtCase(b -> b.subject(null), false, "empty subject"),
-                    jwtCase(b -> b.subject("other-subject"), false, "wrong subject"),
-                    jwtCase(b -> b.subject("verifiable-credential"), true, "expected subject"), // sanity check
+                    jwtCase(b -> b.subject("a-subject"), true, "expected subject"), // sanity check
                     jwtCase(b -> b.issuer(null), false, "empty issuer"),
                     jwtCase(b -> b.issuer("other-issuer"), true, "other issuer"),
                     jwtCase(b -> b.expirationTime(null), false, "empty expiration"),