Merge pull request #1549 from alphagov/auth-1177-sign-token-using-new-key-alias

AUTH-1177: Sign token with new key id

Author: mrwilson

shared/src/main/java/uk/gov/di/authentication/shared/services/TokenService.java

@@ -1,5 +1,6 @@
 package uk.gov.di.authentication.shared.services;
 
+import com.amazonaws.services.kms.model.GetPublicKeyRequest;
 import com.amazonaws.services.kms.model.SignRequest;
 import com.amazonaws.services.kms.model.SignResult;
 import com.amazonaws.services.kms.model.SigningAlgorithmSpec;
@@ -67,6 +68,7 @@
 import java.util.stream.Collectors;
 
 import static uk.gov.di.authentication.shared.helpers.ConstructUriHelper.buildURI;
+import static uk.gov.di.authentication.shared.helpers.HashHelper.hashSha256String;
 
 public class TokenService {
 
@@ -373,10 +375,18 @@ private RefreshToken generateAndStoreRefreshToken(
     }
 
     private SignedJWT generateSignedJWT(JWTClaimsSet claimsSet) {
+
+        var signingKeyId =
+                kmsConnectionService
+                        .getPublicKey(
+                                new GetPublicKeyRequest()
+                                        .withKeyId(configService.getTokenSigningKeyAlias()))
+                        .getKeyId();
+
         try {
             JWSHeader jwsHeader =
                     new JWSHeader.Builder(TOKEN_ALGORITHM)
-                            .keyID(configService.getTokenSigningKeyAlias())
+                            .keyID(hashSha256String(signingKeyId))
                             .build();
             Base64URL encodedHeader = jwsHeader.toBase64URL();
             Base64URL encodedClaims = Base64URL.encode(claimsSet.toString());

shared/src/test/java/uk/gov/di/authentication/shared/services/TokenServiceTest.java

@@ -1,11 +1,14 @@
 package uk.gov.di.authentication.shared.services;
 
+import com.amazonaws.services.kms.model.GetPublicKeyRequest;
+import com.amazonaws.services.kms.model.GetPublicKeyResult;
 import com.amazonaws.services.kms.model.SignRequest;
 import com.amazonaws.services.kms.model.SignResult;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.crypto.ECDSASigner;
 import com.nimbusds.jose.crypto.impl.ECDSA;
 import com.nimbusds.jose.jwk.Curve;
@@ -65,6 +68,7 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.not;
+import static org.hamcrest.core.Is.is;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -114,6 +118,9 @@ void setUp() {
         when(configurationService.getAccessTokenExpiry()).thenReturn(300L);
         when(configurationService.getIDTokenExpiry()).thenReturn(120L);
         when(configurationService.getSessionExpiry()).thenReturn(300L);
+        when(kmsConnectionService.getPublicKey(any(GetPublicKeyRequest.class)))
+                .thenReturn(new GetPublicKeyResult().withKeyId("789789789789789"));
+
         nonce = new Nonce();
     }
 
@@ -529,6 +536,13 @@ private void assertSuccessfullTokenResponse(OIDCTokenResponse tokenResponse)
                         accessTokenKey,
                         new ObjectMapper().writeValueAsString(accessTokenStore),
                         300L);
+
+        var header = (JWSHeader) tokenResponse.getOIDCTokens().getIDToken().getHeader();
+
+        assertThat(
+                header.getKeyID(),
+                is("1d504aece298a14d74ee0a02b6740b4372a1fab4206778e486ba72770ff4beb8"));
+
         assertThat(
                 tokenResponse.getOIDCTokens().getIDToken().getJWTClaimsSet().getClaims().size(),
                 equalTo(9));