chore: dedicated class for default JwsSignerProvider

core/common/lib/crypto-common-lib/build.gradle.kts

@@ -18,10 +18,11 @@ plugins {
 dependencies {
     api(project(":spi:common:identity-did-spi"))
     api(project(":spi:common:identity-trust-spi"))
+    api(libs.nimbus.jwt) // nimbus classes are exposed on the API surface of CryptoConverter and DefaultJwsSignerProvider
     implementation(project(":core:common:lib:util-lib"))
     implementation(project(":spi:common:core-spi"))
+    implementation(project(":spi:common:jwt-signer-spi"))
 
-    implementation(libs.nimbus.jwt)
     // used for the Ed25519 Verifier in conjunction with OctetKeyPairs (OKP)
     runtimeOnly(libs.tink)
     // Java does not natively implement elliptic curve multiplication, so we need to get bouncy

core/common/lib/crypto-common-lib/src/main/java/org/eclipse/edc/security/token/jwt/DefaultJwsSignerProvider.java

@@ -0,0 +1,39 @@
+/*
+ *  Copyright (c) 2024 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+ *
+ *  This program and the accompanying materials are made available under the
+ *  terms of the Apache License, Version 2.0 which is available at
+ *  https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Contributors:
+ *       Bayerische Motoren Werke Aktiengesellschaft (BMW AG) - initial API and implementation
+ *
+ */
+
+package org.eclipse.edc.security.token.jwt;
+
+import com.nimbusds.jose.JWSSigner;
+import org.eclipse.edc.jwt.signer.spi.JwsSignerProvider;
+import org.eclipse.edc.keys.spi.PrivateKeyResolver;
+import org.eclipse.edc.spi.result.Result;
+
+/**
+ * Provides a {@link JWSSigner} that is created based on a private key's algorithm.
+ * Note that the private key will be held in memory for the duration of the instantiation of the {@link JWSSigner}.
+ */
+public class DefaultJwsSignerProvider implements JwsSignerProvider {
+
+    private final PrivateKeyResolver privateKeyResolver;
+
+    public DefaultJwsSignerProvider(PrivateKeyResolver privateKeyResolver) {
+        this.privateKeyResolver = privateKeyResolver;
+    }
+
+    @Override
+    public Result<JWSSigner> createJwsSigner(String privateKeyId) {
+        return privateKeyResolver.resolvePrivateKey(privateKeyId)
+                .compose(pk -> Result.ofThrowable(() -> CryptoConverter.createSignerFor(pk)));
+    }
+}

core/common/token-core/src/main/java/org/eclipse/edc/token/TokenServicesExtension.java

@@ -19,8 +19,7 @@
 import org.eclipse.edc.runtime.metamodel.annotation.Extension;
 import org.eclipse.edc.runtime.metamodel.annotation.Inject;
 import org.eclipse.edc.runtime.metamodel.annotation.Provider;
-import org.eclipse.edc.security.token.jwt.CryptoConverter;
-import org.eclipse.edc.spi.result.Result;
+import org.eclipse.edc.security.token.jwt.DefaultJwsSignerProvider;
 import org.eclipse.edc.spi.system.ServiceExtension;
 import org.eclipse.edc.token.spi.TokenDecoratorRegistry;
 import org.eclipse.edc.token.spi.TokenValidationRulesRegistry;
@@ -56,8 +55,6 @@ public TokenDecoratorRegistry tokenDecoratorRegistry() {
 
     @Provider(isDefault = true)
     public JwsSignerProvider defaultSignerProvider() {
-        // default implementation: resolve the private key (from vault of config) and create a JWSSigner based on its algorithm
-        return privateKeyId -> privateKeyResolver.resolvePrivateKey(privateKeyId)
-                .compose(pk -> Result.ofThrowable(() -> CryptoConverter.createSignerFor(pk)));
+        return new DefaultJwsSignerProvider(privateKeyResolver);
     }
 }

extensions/common/iam/identity-trust/identity-trust-sts/identity-trust-sts-core/src/test/java/org/eclipse/edc/iam/identitytrust/sts/defaults/StsClientTokenIssuanceIntegrationTest.java

@@ -29,8 +29,7 @@
 import org.eclipse.edc.keys.keyparsers.PemParser;
 import org.eclipse.edc.keys.spi.KeyParserRegistry;
 import org.eclipse.edc.keys.spi.PrivateKeyResolver;
-import org.eclipse.edc.security.token.jwt.CryptoConverter;
-import org.eclipse.edc.spi.result.Result;
+import org.eclipse.edc.security.token.jwt.DefaultJwsSignerProvider;
 import org.eclipse.edc.spi.security.Vault;
 import org.eclipse.edc.token.JwtGenerationService;
 import org.eclipse.edc.transaction.spi.NoopTransactionContext;
@@ -73,8 +72,7 @@ void setup() {
         privateKeyResolver = new VaultPrivateKeyResolver(keyParserRegistry, vault, mock(), mock());
 
         tokenGeneratorService = new StsClientTokenGeneratorServiceImpl(
-                client -> new JwtGenerationService(keyId -> privateKeyResolver.resolvePrivateKey(keyId)
-                        .compose(pk -> Result.ofThrowable(() -> CryptoConverter.createSignerFor(pk)))),
+                client -> new JwtGenerationService(new DefaultJwsSignerProvider(privateKeyResolver)),
                 StsClient::getPrivateKeyAlias,
                 Clock.systemUTC(), 60 * 5);