Polish Asymmetric Auth

Author: jingming

src/main/java/com/twilio/example/ValidationExample.java

@@ -0,0 +1,69 @@
+package com.twilio.example;
+
+
+import com.twilio.Twilio;
+import com.twilio.http.TwilioRestClient;
+import com.twilio.http.ValidationClient;
+import com.twilio.rest.accounts.v1.credential.PublicKey;
+import com.twilio.rest.api.v2010.account.Message;
+import com.twilio.rest.api.v2010.account.NewSigningKey;
+import com.twilio.twiml.TwiMLException;
+import com.twilio.type.PhoneNumber;
+import org.apache.commons.codec.binary.Base64;
+
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+
+public class ValidationExample {
+
+    public static final String ACCOUNT_SID = System.getenv("TWILIO_ACCOUNT_SID");
+    public static final String AUTH_TOKEN = System.getenv("TWILIO_AUTH_TOKEN");
+
+    /**
+     * Example Twilio usage.
+     *
+     * @param args command line args
+     * @throws TwiMLException if unable to generate TwiML
+     */
+    public static void main(String[] args) throws Exception {
+
+        // Generate public/private key pair
+        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+        keyGen.initialize(2048);
+        KeyPair pair = keyGen.generateKeyPair();
+        java.security.PublicKey pk = pair.getPublic();
+
+        // Use the default rest client
+        TwilioRestClient client =
+            new TwilioRestClient.Builder(ACCOUNT_SID, AUTH_TOKEN)
+                .build();
+        Twilio.setRestClient(client);
+
+        // Create a public key and signing key using the default client
+        PublicKey key = PublicKey.creator(
+            Base64.encodeBase64String(pk.getEncoded())
+        ).setFriendlyName("Public Key").create();
+        NewSigningKey signingKey = NewSigningKey.creator().create();
+
+        // Switch to validation client as the default client
+        client = new TwilioRestClient.Builder(signingKey.getSid(), signingKey.getSecret())
+            .accountSid(ACCOUNT_SID)
+            .httpClient(new ValidationClient(ACCOUNT_SID, key.getSid(), signingKey.getSid(), pair.getPrivate()))
+            .build();
+        Twilio.setRestClient(client);
+
+        // Make REST API requests
+        Iterable<Message> messages = Message.reader().read();
+        for (Message m : messages) {
+            System.out.println(m.getBody());
+        }
+
+        Message m = Message.creator(
+            new PhoneNumber("+11234567890"),
+            new PhoneNumber("+10987654321"),
+            "Asymmetric Auth Test"
+        ).create();
+        System.out.println(m.getSid());
+
+    }
+}

src/main/java/com/twilio/http/ValidationClient.java

@@ -16,6 +16,7 @@
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+import java.security.PrivateKey;
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
@@ -27,7 +28,7 @@ public class ValidationClient extends HttpClient {
 
     private final org.apache.http.client.HttpClient client;
 
-    public ValidationClient(String credentialSid, String publicKey) {
+    public ValidationClient(String accountSid, String credentialSid, String signingKey, PrivateKey privateKey) {
         RequestConfig config = RequestConfig.custom()
             .setConnectTimeout(CONNECTION_TIMEOUT)
             .setSocketTimeout(SOCKET_TIMEOUT)
@@ -45,7 +46,7 @@ public ValidationClient(String credentialSid, String publicKey) {
             .setDefaultRequestConfig(config)
             .setDefaultHeaders(headers)
             .setMaxConnPerRoute(10)
-            .addInterceptorLast(new ValidationInterceptor(credentialSid, publicKey))
+            .addInterceptorLast(new ValidationInterceptor(accountSid, credentialSid, signingKey, privateKey))
             .build();
     }
 

src/main/java/com/twilio/http/ValidationInterceptor.java

@@ -9,23 +9,28 @@
 import org.apache.http.protocol.HttpContext;
 
 import java.io.IOException;
+import java.security.PrivateKey;
 import java.util.List;
 
 public class ValidationInterceptor implements HttpRequestInterceptor {
 
     private static final List<String> HEADERS = Lists.newArrayList("authorization", "host");
 
+    private final String accountSid;
     private final String credentialSid;
-    private final String privateKey;
+    private final String signingKeySid;
+    private final PrivateKey privateKey;
 
-    public ValidationInterceptor(String credentialSid, String privateKey) {
+    public ValidationInterceptor(String accountSid, String credentialSid, String signingKeySid, PrivateKey privateKey) {
+        this.accountSid = accountSid;
         this.credentialSid = credentialSid;
+        this.signingKeySid = signingKeySid;
         this.privateKey = privateKey;
     }
 
     @Override
     public void process(HttpRequest request, HttpContext context) throws HttpException, IOException {
-        Jwt jwt = ValidationToken.fromHttpRequest(credentialSid, privateKey, request, HEADERS);
+        Jwt jwt = ValidationToken.fromHttpRequest(accountSid, credentialSid, signingKeySid, privateKey, request, HEADERS);
         request.addHeader("Twilio-Client-Validation", jwt.toJwt());
     }
 }

src/main/java/com/twilio/jwt/Jwt.java

@@ -5,6 +5,7 @@
 import io.jsonwebtoken.SignatureAlgorithm;
 
 import java.nio.charset.StandardCharsets;
+import java.security.PrivateKey;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
@@ -15,6 +16,7 @@
 public abstract class Jwt {
 
     private final SignatureAlgorithm algorithm;
+    private final PrivateKey secretKey;
     private final String secret;
     private final String issuer;
     private final Date expiration;
@@ -35,6 +37,20 @@ public Jwt(
     ) {
         this.algorithm = algorithm;
         this.secret = secret;
+        this.secretKey = null;
+        this.issuer = issuer;
+        this.expiration = expiration;
+    }
+
+    public Jwt(
+        SignatureAlgorithm algorithm,
+        PrivateKey secretKey,
+        String issuer,
+        Date expiration
+    ) {
+        this.algorithm = algorithm;
+        this.secret = null;
+        this.secretKey = secretKey;
         this.issuer = issuer;
         this.expiration = expiration;
     }
@@ -51,11 +67,16 @@ public String toJwt() {
 
         JwtBuilder builder =
             Jwts.builder()
-                .signWith(this.algorithm, this.secret.getBytes(StandardCharsets.UTF_8))
                 .setHeaderParams(headers)
                 .setIssuer(this.issuer)
                 .setExpiration(expiration);
 
+        if (this.secret != null) {
+            builder.signWith(this.algorithm, this.secret.getBytes(StandardCharsets.UTF_8));
+        } else if (this.secretKey != null) {
+            builder.signWith(this.algorithm, this.secretKey);
+        }
+
         if (this.getClaims() != null) {
             for (Map.Entry<String, Object> entry : this.getClaims().entrySet()) {
                 builder.claim(entry.getKey(), entry.getValue());

src/main/java/com/twilio/jwt/validation/ValidationToken.java

@@ -19,6 +19,7 @@
 
 import java.io.IOException;
 import java.io.InputStreamReader;
+import java.security.PrivateKey;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Date;
@@ -30,9 +31,12 @@
 public class ValidationToken extends Jwt {
 
     private static final HashFunction HASH_FUNCTION = Hashing.sha256();
+    private static final String CTY = "twilio-pkrv;v=1";
     private static final String NEW_LINE = "\n";
 
+    private final String accountSid;
     private final String credentialSid;
+    private final String signingKeySid;
     private final String method;
     private final String uri;
     private final String queryString;
@@ -42,12 +46,14 @@ public class ValidationToken extends Jwt {
 
     private ValidationToken(Builder b) {
         super(
-            SignatureAlgorithm.HS256,
+            SignatureAlgorithm.RS256,
             b.privateKey,
             b.credentialSid,
             new Date(new Date().getTime() + b.ttl * 1000)
         );
+        this.accountSid = b.accountSid;
         this.credentialSid = b.credentialSid;
+        this.signingKeySid = b.signingKeySid;
         this.method = b.method;
         this.uri = b.uri;
         this.queryString = b.queryString;
@@ -59,7 +65,7 @@ private ValidationToken(Builder b) {
     @Override
     public Map<String, Object> getHeaders() {
         Map<String, Object> headers = new HashMap<>();
-        headers.put("cty", "twilio-pkrv;v=1");
+        headers.put("cty", CTY);
         headers.put("kid", this.credentialSid);
         return headers;
     }
@@ -68,6 +74,9 @@ public Map<String, Object> getHeaders() {
     public Map<String, Object> getClaims() {
         Map<String, Object> payload = new HashMap<>();
 
+        payload.put("iss", this.signingKeySid);
+        payload.put("sub", this.accountSid);
+
         // Sort the signed headers
         Collections.sort(signedHeaders);
         List<String> lowercaseSignedHeaders = Lists.transform(signedHeaders, LOWERCASE_STRING);
@@ -122,12 +131,14 @@ public Map<String, Object> getClaims() {
     }
 
     public static ValidationToken fromHttpRequest(
+        String accountSid,
         String credentialSid,
-        String privateKey,
+        String signingKeySid,
+        PrivateKey privateKey,
         HttpRequest request,
         List<String> signedHeaders
     ) throws IOException {
-        Builder builder = new Builder(credentialSid, privateKey);
+        Builder builder = new Builder(accountSid, credentialSid, signingKeySid, privateKey);
 
         String method = request.getRequestLine().getMethod();
         builder.method(method);
@@ -190,18 +201,22 @@ public String apply(String s) {
 
     public static class Builder {
 
+        private String accountSid;
         private String credentialSid;
-        private String privateKey;
+        private String signingKeySid;
+        private PrivateKey privateKey;
         private String method;
         private String uri;
         private String queryString = "";
         private Header[] headers;
         private List<String> signedHeaders = Collections.emptyList();
         private String requestBody = "";
-        private int ttl = 3600;
+        private int ttl = 300;
 
-        public Builder(String credentialSid, String privateKey) {
+        public Builder(String accountSid, String credentialSid, String signingKeySid, PrivateKey privateKey) {
+            this.accountSid = accountSid;
             this.credentialSid = credentialSid;
+            this.signingKeySid = signingKeySid;
             this.privateKey = privateKey;
         }
 

src/main/java/com/twilio/rest/Domains.java

@@ -8,6 +8,7 @@
 package com.twilio.rest;
 
 public enum Domains {
+    ACCOUNTS("accounts"),
     API("api"),
     CHAT("ip-messaging"),
     IPMESSAGING("ip-messaging"),