JWT (JSON Web Tokens) is a compact, URL-safe means of representing claims to be transferred between two parties. In this article, we will walk through how to generate and validate JWT tokens in Java, using a private certificate stored in a keystore. We will provide example Java code for both processes.
Generate JWT Token
Generating a JWT token involves several steps:
- Loading the Keystore: You need to load the keystore that contains the private key and certificate. You'll also specify the keystore password and the alias of the certificate in the keystore.
- Creating JWT Claims: Define the claims you want to include in the JWT. These can include the subject, issuer, expiration time, and a unique JWT ID (jti).
- Base64URL Encoding: Encode the JWT header and claims in base64 URL-safe format. This is a requirement for JWT.
- Combining Header and Claims: Combine the base64-encoded header and claims with a period separator.
- Signing the JWT: Sign the JWT using RSA with the private key from the keystore.
- Combining JWT Components: Combine the header, claims, and signature to create the final JWT token.
Here's the Java code for generating a JWT token:
import java.io.FileInputStream;
import java.security.*;
import java.security.interfaces.RSAPrivateKey;
import java.util.Base64;
import java.util.UUID;
public class GenerateJWTSignedByKSCert {
public static void main(String... args) throws Exception {
// Load the keystore and retrieve the private key and certificate
final var keystorePath = "<CERTIFICATE_KEYSTORE>";
final var keystorePassword = "<KEYSTORE_PASSWORD>";
final var alias = "<CERTIFICATE_ALIAS>";
final var keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream(keystorePath), keystorePassword.toCharArray());
final var privateKey = (RSAPrivateKey) keystore.getKey(alias, keystorePassword.toCharArray());
// Sample JWT claims
final var subject = "user123";
final var issuer = "yourapp.com";
final var expirationTimeMillis = System.currentTimeMillis() + 3600 * 1000; // 1 hour
final var jwtID = UUID.randomUUID().toString();
// Build JWT claims
final var jwtHeader = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
final var jwtClaims = "{\"sub\":\"" + subject + "\",\"iss\":\"" + issuer + "\",\"exp\":" + expirationTimeMillis + ",\"jti\":\"" + jwtID + "\"}";
// Base64Url encode the JWT header and claims
final var base64UrlHeader = base64UrlEncode(jwtHeader.getBytes());
final var base64UrlClaims = base64UrlEncode(jwtClaims.getBytes());
// Combine header and claims with a period separator
final var headerClaims = base64UrlHeader + "." + base64UrlClaims;
// Sign the JWT
final var signature = signWithRSA(headerClaims, privateKey);
// Combine the JWT components
final var jwtToken = headerClaims + "." + signature;
System.out.println("JWT Token: " + jwtToken);
}
// Base64 URL encoding
private static String base64UrlEncode(byte[] data) {
return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
}
// Sign the JWT using RSA
private static String signWithRSA(String data, RSAPrivateKey privateKey) throws Exception {
// Perform the RSA signing (e.g., with Signature.getInstance("SHA256withRSA"))
// and return the base64Url-encoded signature
final var signature = Signature.getInstance("SHA256withRSA");
signature.initSign(privateKey);
signature.update(data.getBytes());
final var signatureBytes = signature.sign();
return base64UrlEncode(signatureBytes);
}
}
Validate JWT Token
Once you have generated a JWT token, you may need to validate it to ensure its integrity. Validation typically involves verifying the token's signature using the corresponding public key from the keystore. Here's the Java code for validating a JWT token:
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Base64;
public class ValidateJWTSignedByKSCert {
public static void main(final String ... args) throws Exception {
// The JWT token to validate.
final var jwtToken = "<JWT_TOKEN>";
// Load the keystore and retrieve the public key
final var keystorePath = "<CERTIFICATE_KEYSTORE>";
final var keystorePassword = "<KEYSTORE_PASSWORD>";
final var alias = "<CERTIFICATE_ALIAS>";
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream(keystorePath), keystorePassword.toCharArray());
final var certificate = (X509Certificate) keystore.getCertificate(alias);
// Parse JWT components
final var jwtParts = jwtToken.split("\\.");
if (jwtParts.length != 3) {
System.out.println("Invalid JWT format");
return;
}
// Decode and verify the JWT signature
final var base64UrlHeader = jwtParts[0];
final var base64UrlClaims = jwtParts[1];
final var signature = jwtParts[2];
// Verify the signature
if (verifySignature(base64UrlHeader, base64UrlClaims, signature, certificate.getPublicKey())) {
System.out.println("JWT signature is valid");
} else {
System.out.println("JWT signature is invalid");
}
}
private static boolean verifySignature(final String base64UrlHeader, final String base64UrlClaims, final String signature, final PublicKey publicKey) throws Exception {
final var signedData = base64UrlHeader + "." + base64UrlClaims;
final var signatureBytes = Base64.getUrlDecoder().decode(signature);
final var verifier = Signature.getInstance("SHA256withRSA");
verifier.initVerify(publicKey);
verifier.update(signedData.getBytes());
return verifier.verify(signatureBytes);
}
}
Tokens
In both code examples, there are tokens that need to be replaced with specific values:
<CERTIFICATE_KEYSTORE>
: Replace this with the absolute path of the keystore. It's possible to have separate keystores for the private and public certificates.<KEYSTORE_PASSWORD>
: Replace this with the password that corresponds to the keystore.<CERTIFICATE_ALIAS>
: Replace this with the alias of the certificate in the keystore.<JWT_TOKEN>
: Replace this with the JWT token you want to validate.
By using the provided code and replacing these tokens with the appropriate values, you can generate and validate JWT tokens in Java with ease, using a private certificate stored in a keystore.
Related Topic
Generating a Self-signed CA Certificate for JSON Web Token (JWT) in Java
Leave a Reply