honeymoose
/
jjwt
mirror of https://github.com/jwtk/jjwt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Accept oid in assertValid (#589) 

* Add special handling for Hmac-Keys loaded from pkcs#12 keystores

* Link to openjdk bug in javadoc

* Switch to mocked key for OID algorithm name test, eliminate KeyStore Usage in Test.

* Replace alternateNames oid field and remove from public api.

* Rename oid to pkcs12Name, make sure it's non null.
This commit is contained in:
Johannes Ballmann 2020-06-06 22:44:07 +02:00 committed by GitHub
parent 403e1895e3
commit 6b02041be6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 48 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
api/src/main/java/io/jsonwebtoken/SignatureAlgorithm.java
View File

@ -45,17 +45,17 @@ public enum SignatureAlgorithm {
/** /**
* JWA algorithm name for {@code HMAC using SHA-256} * JWA algorithm name for {@code HMAC using SHA-256}
*/ */
HS256("HS256", "HMAC using SHA-256", "HMAC", "HmacSHA256", true, 256, 256), HS256("HS256", "HMAC using SHA-256", "HMAC", "HmacSHA256", true, 256, 256, "1.2.840.113549.2.9"),
/** /**
* JWA algorithm name for {@code HMAC using SHA-384} * JWA algorithm name for {@code HMAC using SHA-384}
*/ */
HS384("HS384", "HMAC using SHA-384", "HMAC", "HmacSHA384", true, 384, 384), HS384("HS384", "HMAC using SHA-384", "HMAC", "HmacSHA384", true, 384, 384, "1.2.840.113549.2.10"),
/** /**
* JWA algorithm name for {@code HMAC using SHA-512} * JWA algorithm name for {@code HMAC using SHA-512}
*/ */
HS512("HS512", "HMAC using SHA-512", "HMAC", "HmacSHA512", true, 512, 512), HS512("HS512", "HMAC using SHA-512", "HMAC", "HmacSHA512", true, 512, 512, "1.2.840.113549.2.11"),
/** /**
* JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-256} * JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-256}
@ -122,9 +122,21 @@ public enum SignatureAlgorithm {
private final boolean jdkStandard; private final boolean jdkStandard;
private final int digestLength; private final int digestLength;
private final int minKeyLength; private final int minKeyLength;
/**
* Algorithm name as given by {@link Key#getAlgorithm()} if the key was loaded from a pkcs12 Keystore.
*
* @deprecated This is just a workaround for https://bugs.openjdk.java.net/browse/JDK-8243551
*/
@Deprecated
private final String pkcs12Name;
SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard, SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard,
int digestLength, int minKeyLength) { int digestLength, int minKeyLength) {
this(value, description,familyName, jcaName, jdkStandard, digestLength, minKeyLength, jcaName);
}
SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard,
int digestLength, int minKeyLength, String pkcs12Name) {
this.value = value; this.value = value;
this.description = description; this.description = description;
this.familyName = familyName; this.familyName = familyName;
@ -132,6 +144,7 @@ public enum SignatureAlgorithm {
this.jdkStandard = jdkStandard; this.jdkStandard = jdkStandard;
this.digestLength = digestLength; this.digestLength = digestLength;
this.minKeyLength = minKeyLength; this.minKeyLength = minKeyLength;
this.pkcs12Name = pkcs12Name;
} }
/** /**
@ -353,7 +366,10 @@ public enum SignatureAlgorithm {
// These next checks use equalsIgnoreCase per https://github.com/jwtk/jjwt/issues/381#issuecomment-412912272 // These next checks use equalsIgnoreCase per https://github.com/jwtk/jjwt/issues/381#issuecomment-412912272
if (!HS256.jcaName.equalsIgnoreCase(alg) && if (!HS256.jcaName.equalsIgnoreCase(alg) &&
!HS384.jcaName.equalsIgnoreCase(alg) && !HS384.jcaName.equalsIgnoreCase(alg) &&
!HS512.jcaName.equalsIgnoreCase(alg)) { !HS512.jcaName.equalsIgnoreCase(alg) &&
!HS256.pkcs12Name.equals(alg) &&
!HS384.pkcs12Name.equals(alg) &&
!HS512.pkcs12Name.equals(alg)) {
throw new InvalidKeyException("The " + keyType(signing) + " key's algorithm '" + alg + throw new InvalidKeyException("The " + keyType(signing) + " key's algorithm '" + alg +
"' does not equal a valid HmacSHA* algorithm name and cannot be used with " + name() + "."); "' does not equal a valid HmacSHA* algorithm name and cannot be used with " + name() + ".");
} }

28
api/src/test/groovy/io/jsonwebtoken/SignatureAlgorithmTest.groovy
View File

@ -387,6 +387,34 @@ class SignatureAlgorithmTest {
} }
} }
@Test // https://github.com/jwtk/jjwt/issues/588
void assertAssertValidHmacSigningKeyCaseOidAlgorithmName() {
for (SignatureAlgorithm alg in EnumSet.complementOf(EnumSet.of(SignatureAlgorithm.NONE))) {
assertNotNull(alg.pkcs12Name)
}
for (SignatureAlgorithm alg in SignatureAlgorithm.values().findAll {it.isHmac()}) {
int numBits = alg.minKeyLength
int numBytes = numBits / 8 as int
SecretKey key = createMock(SecretKey)
expect(key.getEncoded()).andReturn(new byte[numBytes])
expect(key.getAlgorithm()).andReturn(alg.pkcs12Name)
replay key
alg.assertValidSigningKey(key)
verify key
}
for (SignatureAlgorithm alg in SignatureAlgorithm.values().findAll {!it.isHmac()}) {
assertEquals("For non HmacSHA-keys the name when loaded from pkcs12 key store is identical to the jcaName",
alg.jcaName, alg.pkcs12Name)
}
}
@Test @Test
void testAssertValidHmacSigningKeyUnsupportedAlgorithm() { void testAssertValidHmacSigningKeyUnsupportedAlgorithm() {