@Test public void shouldPassRSA256VerificationWithProvidedPublicKey() throws Exception { RSAKeyProvider provider = mock(RSAKeyProvider.class); PublicKey publicKey = readPublicKeyFromFile(PUBLIC_KEY_FILE, "RSA"); when(provider.getPublicKeyById("my-key-id")).thenReturn((RSAPublicKey) publicKey); String jwt = "eyJhbGciOiJSUzI1NiIsImtpZCI6Im15LWtleS1pZCJ9.eyJpc3MiOiJhdXRoMCJ9.jXrbue3xJmnzWH9kU-uGeCTtgbQEKbch8uHd4Z52t86ncNyepfusl_bsyLJIcxMwK7odRzKiSE9efV9JaRSEDODDBdMeCzODFx82uBM7e46T1NLVSmjYIM7Hcfh81ZeTIk-hITvgtL6hvTdeJWOCZAB0bs18qSVW5SvursRUhY38xnhuNI6HOHCtqp7etxWAu6670L53I3GtXsmi6bXIzv_0v1xZcAFg4HTvXxfhfj3oCqkSs2nC27mHxBmQtmZKWmXk5HzVUyPRwTUWx5wHPT_hCsGer-CMCAyGsmOg466y1KDqf7ogpMYojfVZGWBsyA39LO1oWZ4Ryomkn8t5Vg"; Algorithm algorithm = Algorithm.RSA256(provider); algorithm.verify(JWT.decode(jwt)); }
@Test public void shouldPassRSA384Verification() throws Exception { String jwt = "eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.TZlWjXObwGSQOiu2oMq8kiKz0_BR7bbBddNL6G8eZ_GoR82BXOZDqNrQr7lb_M-78XGBguWLWNIdYhzgxOUL9EoCJlrqVm9s9vo6G8T1sj1op-4TbjXZ61TwIvrJee9BvPLdKUJ9_fp1Js5kl6yXkst40Th8Auc5as4n49MLkipjpEhKDKaENKHpSubs1ripSz8SCQZSofeTM_EWVwSw7cpiM8Fy8jOPvWG8Xz4-e3ODFowvHVsDcONX_4FTMNbeRqDuHq2ZhCJnEfzcSJdrve_5VD5fM1LperBVslTrOxIgClOJ3RmM7-WnaizJrWP3D6Z9OLxPxLhM6-jx6tcxEw"; Algorithm algorithm = Algorithm.RSA384((RSAKey) readPublicKeyFromFile(PUBLIC_KEY_FILE, "RSA")); algorithm.verify(JWT.decode(jwt)); }
@Test public void shouldPassRSA512Verification() throws Exception { String jwt = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.mvL5LoMyIrWYjk5umEXZTmbyIrkbbcVPUkvdGZbu0qFBxGOf0nXP5PZBvPcOu084lvpwVox5n3VaD4iqzW-PsJyvKFgi5TnwmsbKchAp7JexQEsQOnTSGcfRqeUUiBZqRQdYsho71oAB3T4FnalDdFEpM-fztcZY9XqKyayqZLreTeBjqJm4jfOWH7KfGBHgZExQhe96NLq1UA9eUyQwdOA1Z0SgXe4Ja5PxZ6Fm37KnVDtDlNnY4JAAGFo6y74aGNnp_BKgpaVJCGFu1f1S5xCQ1HSvs8ZSdVWs5NgawW3wRd0kRt_GJ_Y3mIwiF4qUyHWGtsSHu_qjVdCTtbFyow"; Algorithm algorithm = Algorithm.RSA512((RSAKey) readPublicKeyFromFile(PUBLIC_KEY_FILE, "RSA")); algorithm.verify(JWT.decode(jwt)); }
@Test public void shouldPassHMAC384Verification() throws Exception { String jwt = "eyJhbGciOiJIUzM4NCIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.uztpK_wUMYJhrRv8SV-1LU4aPnwl-EM1q-wJnqgyb5DHoDteP6lN_gE1xnZJH5vw"; Algorithm algorithmString = Algorithm.HMAC384("secret"); Algorithm algorithmBytes = Algorithm.HMAC384("secret".getBytes(StandardCharsets.UTF_8)); DecodedJWT decoded = JWT.decode(jwt); algorithmString.verify(decoded); algorithmBytes.verify(decoded); }
@Test public void shouldCreateRSA512AlgorithmWithBothKeys() throws Exception { RSAPublicKey publicKey = mock(RSAPublicKey.class); RSAPrivateKey privateKey = mock(RSAPrivateKey.class); Algorithm algorithm = Algorithm.RSA512(publicKey, privateKey); assertThat(algorithm, is(notNullValue())); assertThat(algorithm, is(instanceOf(RSAAlgorithm.class))); assertThat(algorithm.getDescription(), is("SHA512withRSA")); assertThat(algorithm.getName(), is("RS512")); }
@Test public void shouldCreateHMAC384AlgorithmWithBytes() throws Exception { Algorithm algorithm = Algorithm.HMAC384("secret".getBytes(StandardCharsets.UTF_8)); assertThat(algorithm, is(notNullValue())); assertThat(algorithm, is(instanceOf(HMACAlgorithm.class))); assertThat(algorithm.getDescription(), is("HmacSHA384")); assertThat(algorithm.getName(), is("HS384")); }
@Test public void shouldValidateNotBeforeIfPresent() throws Exception { Clock clock = mock(Clock.class); when(clock.getToday()).thenReturn(new Date(DATE_TOKEN_MS_VALUE)); String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0Nzc1OTJ9.isvT0Pqx0yjnZk53mUFSeYFJLDs-Ls9IsNAm86gIdZo"; JWTVerifier.BaseVerification verification = (JWTVerifier.BaseVerification) JWTVerifier.init(Algorithm.HMAC256("secret")); DecodedJWT jwt = verification .build(clock) .verify(token); assertThat(jwt, is(notNullValue())); }
@Test public void shouldDoHMAC256SigningWithString() throws Exception { Algorithm algorithm = Algorithm.HMAC256("secret"); String jwt = asJWT(algorithm, HS256Header, auth0IssPayload); String expectedSignature = "s69x7Mmu4JqwmdxiK6sesALO7tcedbFsKEEITUxw9ho"; assertSignaturePresent(jwt); assertSignatureValue(jwt, expectedSignature); algorithm.verify(JWT.decode(jwt)); }
private Algorithm getHMAC(String name, byte[] key) throws IllegalArgumentException { if ("HMAC256".equals(name) || "HS256".equals(name)) { return Algorithm.HMAC256(key); } else if ("HMAC384".equals(name) || "HS384".equals(name)) { return Algorithm.HMAC384(key); } else if ("HMAC512".equals(name) || "HS512".equals(name)) { return Algorithm.HMAC512(key); } else { throw new IllegalArgumentException("unknown HMAC algorithm " + name); } }
/** * Creates a new Algorithm instance using SHA256withRSA. Tokens specify this as "RS256". * * @param publicKey the key to use in the verify instance. * @param privateKey the key to use in the signing instance. * @return a valid RSA256 Algorithm. * @throws IllegalArgumentException if both provided Keys are null. */ public static Algorithm RSA256(RSAPublicKey publicKey, RSAPrivateKey privateKey) throws IllegalArgumentException { return RSA256(RSAAlgorithm.providerForKeys(publicKey, privateKey)); }
@Test public void shouldCreateRSA256AlgorithmWithBothKeys() throws Exception { RSAPublicKey publicKey = mock(RSAPublicKey.class); RSAPrivateKey privateKey = mock(RSAPrivateKey.class); Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey); assertThat(algorithm, is(notNullValue())); assertThat(algorithm, is(instanceOf(RSAAlgorithm.class))); assertThat(algorithm.getDescription(), is("SHA256withRSA")); assertThat(algorithm.getName(), is("RS256")); }
@Test public void shouldPassECDSA384VerificationWithJOSESignature() throws Exception { String jwt = "eyJhbGciOiJFUzM4NCJ9.eyJpc3MiOiJhdXRoMCJ9.50UU5VKNdF1wfykY8jQBKpvuHZoe6IZBJm5NvoB8bR-hnRg6ti-CHbmvoRtlLfnHfwITa_8cJMy6TenMC2g63GQHytc8rYoXqbwtS4R0Ko_AXbLFUmfxnGnMC6v4MS_z"; ECKey key = (ECKey) readPublicKeyFromFile(PUBLIC_KEY_FILE_384, "EC"); Algorithm algorithm = Algorithm.ECDSA384(key); algorithm.verify(JWT.decode(jwt)); }
@Test public void shouldFailOnRSA256SigningWhenUsingPublicKey() throws Exception { exception.expect(SignatureGenerationException.class); exception.expectMessage("The Token's Signature couldn't be generated when signing using the Algorithm: SHA256withRSA"); exception.expectCause(isA(IllegalStateException.class)); exception.expectCause(hasMessage(is("The given Private Key is null."))); Algorithm algorithm = Algorithm.RSA256((RSAKey) readPublicKeyFromFile(PUBLIC_KEY_FILE, "RSA")); algorithm.sign(new byte[0], new byte[0]); }
@Test public void shouldCreateRSA384AlgorithmWithBothKeys() throws Exception { RSAPublicKey publicKey = mock(RSAPublicKey.class); RSAPrivateKey privateKey = mock(RSAPrivateKey.class); Algorithm algorithm = Algorithm.RSA384(publicKey, privateKey); assertThat(algorithm, is(notNullValue())); assertThat(algorithm, is(instanceOf(RSAAlgorithm.class))); assertThat(algorithm.getDescription(), is("SHA384withRSA")); assertThat(algorithm.getName(), is("RS384")); }
@Test public void shouldFailOnRSA512SigningWhenProvidedPrivateKeyIsNull() throws Exception { exception.expect(SignatureGenerationException.class); exception.expectMessage("The Token's Signature couldn't be generated when signing using the Algorithm: SHA512withRSA"); exception.expectCause(isA(IllegalStateException.class)); exception.expectCause(hasMessage(is("The given Private Key is null."))); RSAKeyProvider provider = mock(RSAKeyProvider.class); when(provider.getPrivateKey()).thenReturn(null); Algorithm algorithm = Algorithm.RSA512(provider); algorithm.sign(new byte[0], new byte[0]); }
@Test public void shouldFailOnRSA384SigningWhenProvidedPrivateKeyIsNull() throws Exception { exception.expect(SignatureGenerationException.class); exception.expectMessage("The Token's Signature couldn't be generated when signing using the Algorithm: SHA384withRSA"); exception.expectCause(isA(IllegalStateException.class)); exception.expectCause(hasMessage(is("The given Private Key is null."))); RSAKeyProvider provider = mock(RSAKeyProvider.class); when(provider.getPrivateKey()).thenReturn(null); Algorithm algorithm = Algorithm.RSA384(provider); algorithm.sign(new byte[0], new byte[0]); }
/** * Creates a new Algorithm instance using SHA384withRSA. Tokens specify this as "RS384". * * @param publicKey the key to use in the verify instance. * @param privateKey the key to use in the signing instance. * @return a valid RSA384 Algorithm. * @throws IllegalArgumentException if both provided Keys are null. */ public static Algorithm RSA384(RSAPublicKey publicKey, RSAPrivateKey privateKey) throws IllegalArgumentException { return RSA384(RSAAlgorithm.providerForKeys(publicKey, privateKey)); }
@Test public void shouldFailOnECDSA384SigningWhenProvidedPrivateKeyIsNull() throws Exception { exception.expect(SignatureGenerationException.class); exception.expectMessage("The Token's Signature couldn't be generated when signing using the Algorithm: SHA384withECDSA"); exception.expectCause(isA(IllegalStateException.class)); exception.expectCause(hasMessage(is("The given Private Key is null."))); ECDSAKeyProvider provider = mock(ECDSAKeyProvider.class); when(provider.getPrivateKey()).thenReturn(null); Algorithm algorithm = Algorithm.ECDSA384(provider); algorithm.sign(new byte[0], new byte[0]); }
/** * Creates a new Algorithm instance using SHA512withRSA. Tokens specify this as "RS512". * * @param publicKey the key to use in the verify instance. * @param privateKey the key to use in the signing instance. * @return a valid RSA512 Algorithm. * @throws IllegalArgumentException if both provided Keys are null. */ public static Algorithm RSA512(RSAPublicKey publicKey, RSAPrivateKey privateKey) throws IllegalArgumentException { return RSA512(RSAAlgorithm.providerForKeys(publicKey, privateKey)); }
/** * Returns a {@link SamlRequestIdManager} implementation based on JSON Web Tokens specification with * the {@link Algorithm} instance using {@code HmacSHA384}. * * @param issuer the ID of the entity who issues a token * @param secret the secret which is used to generate a signature * @param validSeconds the valid period of a token in seconds * @param leewaySeconds the leeway when there is a clock skew times between the signer and the verifier, * in seconds. */ static SamlRequestIdManager ofJwt(String issuer, String secret, int validSeconds, int leewaySeconds) throws UnsupportedEncodingException { final Algorithm algorithm = Algorithm.HMAC384(requireNonNull(secret, "secret")); return ofJwt(issuer, algorithm, validSeconds, leewaySeconds); }