Accept oid in assertValid (#589)
* Add special handling for HMAC keys loaded from PKCS#12 keystores. * Link to the OpenJDK bug in the javadoc. * Switch the OID-algorithm-name test to a mocked key, removing the KeyStore usage from the test. * Replace the alternateNames OID field and remove it from the public API. * Rename oid to pkcs12Name and ensure it is non-null.
This commit is contained in:
parent
403e1895e3
commit
6b02041be6
@ -45,17 +45,17 @@ public enum SignatureAlgorithm {
/**
* JWA algorithm name for {@code HMAC using SHA-256}
*/
HS256("HS256", "HMAC using SHA-256", "HMAC", "HmacSHA256", true, 256, 256),
HS256("HS256", "HMAC using SHA-256", "HMAC", "HmacSHA256", true, 256, 256, "1.2.840.113549.2.9"),
/**
* JWA algorithm name for {@code HMAC using SHA-384}
*/
HS384("HS384", "HMAC using SHA-384", "HMAC", "HmacSHA384", true, 384, 384),
HS384("HS384", "HMAC using SHA-384", "HMAC", "HmacSHA384", true, 384, 384, "1.2.840.113549.2.10"),
/**
* JWA algorithm name for {@code HMAC using SHA-512}
*/
HS512("HS512", "HMAC using SHA-512", "HMAC", "HmacSHA512", true, 512, 512),
HS512("HS512", "HMAC using SHA-512", "HMAC", "HmacSHA512", true, 512, 512, "1.2.840.113549.2.11"),
/**
* JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-256}
@ -122,9 +122,21 @@ public enum SignatureAlgorithm {
private final boolean jdkStandard;
private final int digestLength;
private final int minKeyLength;
/**
* Algorithm name as given by {@link Key#getAlgorithm()} if the key was loaded from a pkcs12 Keystore.
*
* @deprecated This is just a workaround for https://bugs.openjdk.java.net/browse/JDK-8243551
*/
@Deprecated
private final String pkcs12Name;
SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard,
int digestLength, int minKeyLength) {
this(value, description,familyName, jcaName, jdkStandard, digestLength, minKeyLength, jcaName);
}
SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard,
int digestLength, int minKeyLength, String pkcs12Name) {
this.value = value;
this.description = description;
this.familyName = familyName;
@ -132,6 +144,7 @@ public enum SignatureAlgorithm {
this.jdkStandard = jdkStandard;
this.digestLength = digestLength;
this.minKeyLength = minKeyLength;
this.pkcs12Name = pkcs12Name;
}
/**
@ -353,7 +366,10 @@ public enum SignatureAlgorithm {
// These next checks use equalsIgnoreCase per https://github.com/jwtk/jjwt/issues/381#issuecomment-412912272
if (!HS256.jcaName.equalsIgnoreCase(alg) &&
!HS384.jcaName.equalsIgnoreCase(alg) &&
!HS512.jcaName.equalsIgnoreCase(alg)) {
!HS512.jcaName.equalsIgnoreCase(alg) &&
!HS256.pkcs12Name.equals(alg) &&
!HS384.pkcs12Name.equals(alg) &&
!HS512.pkcs12Name.equals(alg)) {
throw new InvalidKeyException("The " + keyType(signing) + " key's algorithm '" + alg +
"' does not equal a valid HmacSHA* algorithm name and cannot be used with " + name() + ".");
}
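Review bot: The error message at the end of the last hunk still says the key's algorithm `does not equal a valid HmacSHA* algorithm name`, although the six-way condition above it now also accepts the three PKCS#12 OIDs, so a key rejected on an affected JDK gets a message that never mentions the form the check actually looks for; I would change that line to `"' does not equal a valid HmacSHA* algorithm name (or its PKCS#12 OID) and cannot be used with " + name() + "."`. The OID branches use `equals` while the JCA-name branches use `equalsIgnoreCase`; that is correct because the dotted OID strings contain no letters, but a one-line comment such as `// OIDs are compared exactly; PKCS#12 keystores return the OID as the algorithm name, see JDK-8243551` above the condition would stop a later reader from "fixing" the asymmetry. The constants in the first hunk carry the raw OIDs without naming them, so `// hmacWithSHA256 OID`, `// hmacWithSHA384 OID` and `// hmacWithSHA512 OID` beside HS256, HS384 and HS512 would make the mapping auditable against RFC 8018 without looking it up. Note also that the non-HMAC constants get `pkcs12Name == jcaName` via the delegating constructor, so the `@deprecated` javadoc should say the field is only meaningful for the HS* constants. The method containing the check starts before the hunk.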
@ -387,6 +387,34 @@ class SignatureAlgorithmTest {
}
}
@Test // https://github.com/jwtk/jjwt/issues/588
void assertAssertValidHmacSigningKeyCaseOidAlgorithmName() {
for (SignatureAlgorithm alg in EnumSet.complementOf(EnumSet.of(SignatureAlgorithm.NONE))) {
assertNotNull(alg.pkcs12Name)
}
for (SignatureAlgorithm alg in SignatureAlgorithm.values().findAll {it.isHmac()}) {
int numBits = alg.minKeyLength
int numBytes = numBits / 8 as int
SecretKey key = createMock(SecretKey)
expect(key.getEncoded()).andReturn(new byte[numBytes])
expect(key.getAlgorithm()).andReturn(alg.pkcs12Name)
replay key
alg.assertValidSigningKey(key)
verify key
}
for (SignatureAlgorithm alg in SignatureAlgorithm.values().findAll {!it.isHmac()}) {
assertEquals("For non HmacSHA-keys the name when loaded from pkcs12 key store is identical to the jcaName",
alg.jcaName, alg.pkcs12Name)
}
}
@Test
void testAssertValidHmacSigningKeyUnsupportedAlgorithm() {
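Review bot: The new test takes its expected values from `alg.pkcs12Name` itself — the mocked `getAlgorithm()` returns it and the non-HMAC loop only compares it with `jcaName` — so a wrong OID in the enum (for instance the SHA-384 and SHA-512 arcs swapped) would still pass; pin the literals with `assertEquals('1.2.840.113549.2.9', SignatureAlgorithm.HS256.pkcs12Name)` and the corresponding `.2.10` and `.2.11` values for HS384 and HS512. The test only drives `assertValidSigningKey`, while the production check lives in a method shared with verification keys (its message is built with `keyType(signing)`), so a second mocked key with the OID name passed to the verification-key counterpart (presumably `assertValidVerificationKey`) would cover the other path with no extra fixture. The non-HMAC loop also includes `NONE`, which the first loop deliberately excludes from the non-null check, so for that constant the `assertEquals` presumably compares null with null and passes vacuously; filtering it out or asserting it separately would make the intent explicit.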