add support for supplying multiple public keys that will be attempted when validating a token signature

this facilitates the supporting of certificate rotation, and there being multiple valid keys available during a rotation cycle
This commit is contained in:
Paul Cook 2017-07-25 16:19:09 +01:00
parent ac73b1caa9
commit ba3ae16141
10 changed files with 260 additions and 91 deletions

View File

@ -16,6 +16,7 @@
package io.jsonwebtoken;
import java.security.Key;
import java.util.Collection;
/**
* A {@code SigningKeyResolver} can be used by a {@link io.jsonwebtoken.JwtParser JwtParser} to find a signing key that
@ -60,6 +61,17 @@ public interface SigningKeyResolver {
*/
Key resolveSigningKey(JwsHeader header, Claims claims);
/**
* Returns a collection signing key that should be used to attempt to validate a digital signature for the Claims JWS with the specified
* header and claims. This allows for a key rotation scenario to support multiple keys during an overlap period.
*
* @param header the header of the JWS to validate
* @param claims the claims (body) of the JWS to validate
* @return the signing key that should be used to validate a digital signature for the Claims JWS with the specified
* header and claims.
*/
Collection<Key> resolveSigningKeys(JwsHeader header, Claims claims);
/**
* Returns the signing key that should be used to validate a digital signature for the Plaintext JWS with the
* specified header and plaintext payload.
@ -70,4 +82,16 @@ public interface SigningKeyResolver {
* specified header and plaintext payload.
*/
Key resolveSigningKey(JwsHeader header, String plaintext);
/**
* Returns the signing key that should be used to attempt to validate a digital signature for the Plaintext JWS with the
* specified header and plaintext payload. This allows for a key rotation scenario to support multiple keys during an overlap period.
*
* @param header the header of the JWS to validate
* @param plaintext the plaintext body of the JWS to validate
* @return the signing key that should be used to validate a digital signature for the Plaintext JWS with the
* specified header and plaintext payload.
*/
Collection<Key> resolveSigningKeys(JwsHeader header, String plaintext);
}

View File

@ -19,6 +19,8 @@ import io.jsonwebtoken.lang.Assert;
import javax.crypto.spec.SecretKeySpec;
import java.security.Key;
import java.util.ArrayList;
import java.util.Collection;
/**
* An <a href="http://en.wikipedia.org/wiki/Adapter_pattern">Adapter</a> implementation of the
@ -51,6 +53,23 @@ public class SigningKeyResolverAdapter implements SigningKeyResolver {
return new SecretKeySpec(keyBytes, alg.getJcaName());
}
@Override
public Collection<Key> resolveSigningKeys(JwsHeader header, Claims claims) {
SignatureAlgorithm alg = SignatureAlgorithm.forName(header.getAlgorithm());
Assert.isTrue(alg.isHmac(), "The default resolveSigningKey(JwsHeader, Claims) implementation cannot be " +
"used for asymmetric key algorithms (RSA, Elliptic Curve). " +
"Override the resolveSigningKey(JwsHeader, Claims) method instead and return a " +
"Key instance appropriate for the " + alg.name() + " algorithm.");
Collection<byte[]> keysBytes = resolveSigningKeysBytes(header, claims);
if (keysBytes == null)
return null;
Collection<Key> keys = new ArrayList<>();
for (byte[] keyBytes: keysBytes)
keys.add(new SecretKeySpec(keyBytes, alg.getJcaName()));
return keys;
}
@Override
public Key resolveSigningKey(JwsHeader header, String plaintext) {
SignatureAlgorithm alg = SignatureAlgorithm.forName(header.getAlgorithm());
@ -62,6 +81,23 @@ public class SigningKeyResolverAdapter implements SigningKeyResolver {
return new SecretKeySpec(keyBytes, alg.getJcaName());
}
@Override
public Collection<Key> resolveSigningKeys(JwsHeader header, String plaintext) {
SignatureAlgorithm alg = SignatureAlgorithm.forName(header.getAlgorithm());
Assert.isTrue(alg.isHmac(), "The default resolveSigningKey(JwsHeader, String) implementation cannot be " +
"used for asymmetric key algorithms (RSA, Elliptic Curve). " +
"Override the resolveSigningKey(JwsHeader, String) method instead and return a " +
"Key instance appropriate for the " + alg.name() + " algorithm.");
Collection<byte[]> keysBytes = resolveSigningKeysBytes(header, plaintext);
if (keysBytes == null)
return null;
Collection<Key> keys = new ArrayList<>();
for (byte[] keyBytes: keysBytes)
keys.add(new SecretKeySpec(keyBytes, alg.getJcaName()));
return keys;
}
/**
* Convenience method invoked by {@link #resolveSigningKey(JwsHeader, Claims)} that obtains the necessary signing
* key bytes. This implementation simply throws an exception: if the JWS parsed is a Claims JWS, you must
@ -81,6 +117,25 @@ public class SigningKeyResolverAdapter implements SigningKeyResolver {
"resolveSigningKeyBytes(JwsHeader, Claims) method.");
}
/**
* Convenience method invoked by {@link #resolveSigningKey(JwsHeader, Claims)} that obtains the necessary signing
* key bytes. This implementation simply throws an exception: if the JWS parsed is a Claims JWS, you must
* override this method or the {@link #resolveSigningKey(JwsHeader, Claims)} method instead.
*
* <p><b>NOTE:</b> You cannot override this method when validating RSA signatures. If you expect RSA signatures,
* you must override the {@link #resolveSigningKey(JwsHeader, Claims)} method instead.</p>
*
* @param header the parsed {@link JwsHeader}
* @param claims the parsed {@link Claims}
* @return the signing key bytes to use to verify the JWS signature.
*/
public Collection<byte[]> resolveSigningKeysBytes(JwsHeader header, Claims claims) {
throw new UnsupportedJwtException("The specified SigningKeyResolver implementation does not support " +
"Claims JWS signing key resolution. Consider overriding either the " +
"resolveSigningKey(JwsHeader, Claims) method or, for HMAC algorithms, the " +
"resolveSigningKeyBytes(JwsHeader, Claims) method.");
}
/**
* Convenience method invoked by {@link #resolveSigningKey(JwsHeader, String)} that obtains the necessary signing
* key bytes. This implementation simply throws an exception: if the JWS parsed is a plaintext JWS, you must
@ -96,4 +151,20 @@ public class SigningKeyResolverAdapter implements SigningKeyResolver {
"resolveSigningKey(JwsHeader, String) method or, for HMAC algorithms, the " +
"resolveSigningKeyBytes(JwsHeader, String) method.");
}
/**
* Convenience method invoked by {@link #resolveSigningKey(JwsHeader, String)} that obtains the necessary signing
* key bytes. This implementation simply throws an exception: if the JWS parsed is a plaintext JWS, you must
* override this method or the {@link #resolveSigningKey(JwsHeader, String)} method instead.
*
* @param header the parsed {@link JwsHeader}
* @param payload the parsed String plaintext payload
* @return the signing key bytes to use to verify the JWS signature.
*/
public Collection<byte[]> resolveSigningKeysBytes(JwsHeader header, String payload) {
throw new UnsupportedJwtException("The specified SigningKeyResolver implementation does not support " +
"plaintext JWS signing key resolution. Consider overriding either the " +
"resolveSigningKey(JwsHeader, String) method or, for HMAC algorithms, the " +
"resolveSigningKeyBytes(JwsHeader, String) method.");
}
}

View File

@ -49,6 +49,8 @@ import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.security.Key;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Map;
@ -59,11 +61,11 @@ public class DefaultJwtParser implements JwtParser {
private static final String ISO_8601_FORMAT = "yyyy-MM-dd'T'HH:mm:ss'Z'";
private static final int MILLISECONDS_PER_SECOND = 1000;
private ObjectMapper objectMapper = new ObjectMapper();
private final ObjectMapper objectMapper = new ObjectMapper();
private byte[] keyBytes;
private Collection<byte[]> keyBytes;
private Key key;
private Collection<Key> keys;
private SigningKeyResolver signingKeyResolver;
@ -77,43 +79,43 @@ public class DefaultJwtParser implements JwtParser {
@Override
public JwtParser requireIssuedAt(Date issuedAt) {
expectedClaims.setIssuedAt(issuedAt);
this.expectedClaims.setIssuedAt(issuedAt);
return this;
}
@Override
public JwtParser requireIssuer(String issuer) {
expectedClaims.setIssuer(issuer);
this.expectedClaims.setIssuer(issuer);
return this;
}
@Override
public JwtParser requireAudience(String audience) {
expectedClaims.setAudience(audience);
this.expectedClaims.setAudience(audience);
return this;
}
@Override
public JwtParser requireSubject(String subject) {
expectedClaims.setSubject(subject);
this.expectedClaims.setSubject(subject);
return this;
}
@Override
public JwtParser requireId(String id) {
expectedClaims.setId(id);
this.expectedClaims.setId(id);
return this;
}
@Override
public JwtParser requireExpiration(Date expiration) {
expectedClaims.setExpiration(expiration);
this.expectedClaims.setExpiration(expiration);
return this;
}
@Override
public JwtParser requireNotBefore(Date notBefore) {
expectedClaims.setNotBefore(notBefore);
this.expectedClaims.setNotBefore(notBefore);
return this;
}
@ -121,7 +123,7 @@ public class DefaultJwtParser implements JwtParser {
public JwtParser require(String claimName, Object value) {
Assert.hasText(claimName, "claim name cannot be null or empty.");
Assert.notNull(value, "The value cannot be null for claim name: " + claimName);
expectedClaims.put(claimName, value);
this.expectedClaims.put(claimName, value);
return this;
}
@ -141,21 +143,27 @@ public class DefaultJwtParser implements JwtParser {
@Override
public JwtParser setSigningKey(byte[] key) {
Assert.notEmpty(key, "signing key cannot be null or empty.");
this.keyBytes = key;
if (this.keyBytes == null)
this.keyBytes = new ArrayList<>();
this.keyBytes.add(key);
return this;
}
@Override
public JwtParser setSigningKey(String base64EncodedKeyBytes) {
Assert.hasText(base64EncodedKeyBytes, "signing key cannot be null or empty.");
this.keyBytes = TextCodec.BASE64.decode(base64EncodedKeyBytes);
if (this.keyBytes == null)
this.keyBytes = new ArrayList<>();
this.keyBytes.add(TextCodec.BASE64.decode(base64EncodedKeyBytes));
return this;
}
@Override
public JwtParser setSigningKey(Key key) {
Assert.notNull(key, "signing key cannot be null.");
this.key = key;
if (this.keys == null)
this.keys = new ArrayList<>();
this.keys.add(key);
return this;
}
@ -257,7 +265,7 @@ public class DefaultJwtParser implements JwtParser {
header = new DefaultHeader(m);
}
compressionCodec = compressionCodecResolver.resolveCompressionCodec(header);
compressionCodec = this.compressionCodecResolver.resolveCompressionCodec(header);
}
// =============== Body =================
@ -297,47 +305,59 @@ public class DefaultJwtParser implements JwtParser {
throw new MalformedJwtException(msg);
}
if (key != null && keyBytes != null) {
if (this.keys != null && this.keyBytes != null) {
throw new IllegalStateException("A key object and key bytes cannot both be specified. Choose either.");
} else if ((key != null || keyBytes != null) && signingKeyResolver != null) {
String object = key != null ? "a key object" : "key bytes";
} else if ((this.keys != null || this.keyBytes != null) && this.signingKeyResolver != null) {
String object = this.keys != null ? "a key object" : "key bytes";
throw new IllegalStateException("A signing key resolver and " + object + " cannot both be specified. Choose either.");
}
//digitally signed, let's assert the signature:
Key key = this.key;
Collection<Key> keys = this.keys;
if (key == null) { //fall back to keyBytes
if (keys == null) { //fall back to keyBytes
byte[] keyBytes = this.keyBytes;
if (Objects.isEmpty(keyBytes) && signingKeyResolver != null) { //use the signingKeyResolver
if (Objects.isEmpty(this.keyBytes) && this.signingKeyResolver != null) { //use the signingKeyResolver
keys = new ArrayList<>();
if (claims != null) {
key = signingKeyResolver.resolveSigningKey(jwsHeader, claims);
Key key = this.signingKeyResolver.resolveSigningKey(jwsHeader, claims);
if (key != null)
keys.add(key);
Collection<Key> keyList = this.signingKeyResolver.resolveSigningKeys(jwsHeader, claims);
if (!Objects.isEmpty(keyList))
keys.addAll(keyList);
} else {
key = signingKeyResolver.resolveSigningKey(jwsHeader, payload);
Key key = this.signingKeyResolver.resolveSigningKey(jwsHeader, payload);
if (key != null)
keys.add(key);
Collection<Key> keyList = this.signingKeyResolver.resolveSigningKeys(jwsHeader, payload);
if (!Objects.isEmpty(keyList))
keys.addAll(keyList);
}
}
if (!Objects.isEmpty(keyBytes)) {
if (!Objects.isEmpty(this.keyBytes)) {
Assert.isTrue(algorithm.isHmac(),
"Key bytes can only be specified for HMAC signatures. Please specify a PublicKey or PrivateKey instance.");
key = new SecretKeySpec(keyBytes, algorithm.getJcaName());
keys = new ArrayList<>();
for (byte[] bytes: this.keyBytes)
this.keys.add(new SecretKeySpec(bytes, algorithm.getJcaName()));
}
}
Assert.notNull(key, "A signing key must be specified if the specified JWT is digitally signed.");
Assert.notNull(keys, "A signing key must be specified if the specified JWT is digitally signed.");
//re-create the jwt part without the signature. This is what needs to be signed for verification:
String jwtWithoutSignature = base64UrlEncodedHeader + SEPARATOR_CHAR + base64UrlEncodedPayload;
JwtSignatureValidator validator;
try {
validator = createSignatureValidator(algorithm, key);
validator = createSignatureValidator(algorithm, keys);
} catch (IllegalArgumentException e) {
String algName = algorithm.getValue();
Key key = keys.iterator().next();
String msg = "The parsed JWT indicates it was signed with the " + algName + " signature " +
"algorithm, but the specified signing key of type " + key.getClass().getName() +
" may not be used to validate " + algName + " signatures. Because the specified " +
@ -421,9 +441,9 @@ public class DefaultJwtParser implements JwtParser {
}
private void validateExpectedClaims(Header header, Claims claims) {
for (String expectedClaimName : expectedClaims.keySet()) {
for (String expectedClaimName : this.expectedClaims.keySet()) {
Object expectedClaimValue = expectedClaims.get(expectedClaimName);
Object expectedClaimValue = this.expectedClaims.get(expectedClaimName);
Object actualClaimValue = claims.get(expectedClaimName);
if (
@ -431,7 +451,7 @@ public class DefaultJwtParser implements JwtParser {
Claims.EXPIRATION.equals(expectedClaimName) ||
Claims.NOT_BEFORE.equals(expectedClaimName)
) {
expectedClaimValue = expectedClaims.get(expectedClaimName, Date.class);
expectedClaimValue = this.expectedClaims.get(expectedClaimName, Date.class);
actualClaimValue = claims.get(expectedClaimName, Date.class);
} else if (
expectedClaimValue instanceof Date &&
@ -468,8 +488,8 @@ public class DefaultJwtParser implements JwtParser {
/*
* @since 0.5 mostly to allow testing overrides
*/
protected JwtSignatureValidator createSignatureValidator(SignatureAlgorithm alg, Key key) {
return new DefaultJwtSignatureValidator(alg, key);
protected JwtSignatureValidator createSignatureValidator(SignatureAlgorithm alg, Collection<Key> keys) {
return new DefaultJwtSignatureValidator(alg, keys);
}
@Override
@ -484,16 +504,16 @@ public class DefaultJwtParser implements JwtParser {
Jws jws = (Jws) jwt;
Object body = jws.getBody();
if (body instanceof Claims) {
return handler.onClaimsJws((Jws<Claims>) jws);
return handler.onClaimsJws(jws);
} else {
return handler.onPlaintextJws((Jws<String>) jws);
return handler.onPlaintextJws(jws);
}
} else {
Object body = jwt.getBody();
if (body instanceof Claims) {
return handler.onClaimsJwt((Jwt<Header, Claims>) jwt);
return handler.onClaimsJwt(jwt);
} else {
return handler.onPlaintextJwt((Jwt<Header, String>) jwt);
return handler.onPlaintextJwt(jwt);
}
}
}
@ -549,7 +569,7 @@ public class DefaultJwtParser implements JwtParser {
@SuppressWarnings("unchecked")
protected Map<String, Object> readValue(String val) {
try {
return objectMapper.readValue(val, Map.class);
return this.objectMapper.readValue(val, Map.class);
} catch (IOException e) {
throw new MalformedJwtException("Unable to read JSON value: " + val, e);
}

View File

@ -21,6 +21,7 @@ import io.jsonwebtoken.lang.Assert;
import java.nio.charset.Charset;
import java.security.Key;
import java.util.Collection;
public class DefaultJwtSignatureValidator implements JwtSignatureValidator {
@ -28,13 +29,13 @@ public class DefaultJwtSignatureValidator implements JwtSignatureValidator {
private final SignatureValidator signatureValidator;
public DefaultJwtSignatureValidator(SignatureAlgorithm alg, Key key) {
this(DefaultSignatureValidatorFactory.INSTANCE, alg, key);
public DefaultJwtSignatureValidator(SignatureAlgorithm alg, Collection<Key> keys) {
this(DefaultSignatureValidatorFactory.INSTANCE, alg, keys);
}
public DefaultJwtSignatureValidator(SignatureValidatorFactory factory, SignatureAlgorithm alg, Key key) {
public DefaultJwtSignatureValidator(SignatureValidatorFactory factory, SignatureAlgorithm alg, Collection<Key> keys) {
Assert.notNull(factory, "SignerFactory argument cannot be null.");
this.signatureValidator = factory.createSignatureValidator(alg, key);
this.signatureValidator = factory.createSignatureValidator(alg, keys);
}
@Override

View File

@ -19,32 +19,33 @@ import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.lang.Assert;
import java.security.Key;
import java.util.Collection;
public class DefaultSignatureValidatorFactory implements SignatureValidatorFactory {
public static final SignatureValidatorFactory INSTANCE = new DefaultSignatureValidatorFactory();
@Override
public SignatureValidator createSignatureValidator(SignatureAlgorithm alg, Key key) {
public SignatureValidator createSignatureValidator(SignatureAlgorithm alg, Collection<Key> keys) {
Assert.notNull(alg, "SignatureAlgorithm cannot be null.");
Assert.notNull(key, "Signing Key cannot be null.");
Assert.notNull(keys, "Signing Key cannot be null.");
switch (alg) {
case HS256:
case HS384:
case HS512:
return new MacValidator(alg, key);
return new MacValidator(alg, keys);
case RS256:
case RS384:
case RS512:
case PS256:
case PS384:
case PS512:
return new RsaSignatureValidator(alg, key);
return new RsaSignatureValidator(alg, keys);
case ES256:
case ES384:
case ES512:
return new EllipticCurveSignatureValidator(alg, key);
return new EllipticCurveSignatureValidator(alg, keys);
default:
throw new IllegalArgumentException("The '" + alg.name() + "' algorithm cannot be used for signing.");
}

View File

@ -20,6 +20,7 @@ import java.security.Key;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.ECPublicKey;
import java.util.Collection;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
@ -30,30 +31,38 @@ public class EllipticCurveSignatureValidator extends EllipticCurveProvider imple
private static final String EC_PUBLIC_KEY_REQD_MSG =
"Elliptic Curve signature validation requires an ECPublicKey instance.";
public EllipticCurveSignatureValidator(SignatureAlgorithm alg, Key key) {
super(alg, key);
Assert.isTrue(key instanceof ECPublicKey, EC_PUBLIC_KEY_REQD_MSG);
private final Collection<Key> keys;
public EllipticCurveSignatureValidator(SignatureAlgorithm alg, Collection<Key> keys) {
super(alg, null);
this.keys = keys;
for (Key key: keys)
Assert.isTrue(key instanceof ECPublicKey, EC_PUBLIC_KEY_REQD_MSG);
}
@Override
public boolean isValid(byte[] data, byte[] signature) {
Signature sig = createSignatureInstance();
PublicKey publicKey = (PublicKey) key;
try {
int expectedSize = getSignatureByteArrayLength(alg);
/**
*
* If the expected size is not valid for JOSE, fall back to ASN.1 DER signature.
* This fallback is for backwards compatibility ONLY (to support tokens generated by previous versions of jjwt)
* and backwards compatibility will possibly be removed in a future version of this library.
*
* **/
byte[] derSignature = expectedSize != signature.length && signature[0] == 0x30 ? signature : EllipticCurveProvider.transcodeSignatureToDER(signature);
return doVerify(sig, publicKey, data, derSignature);
} catch (Exception e) {
String msg = "Unable to verify Elliptic Curve signature using configured ECPublicKey. " + e.getMessage();
throw new SignatureException(msg, e);
for (Key key: this.keys) {
PublicKey publicKey = (PublicKey) key;
try {
int expectedSize = getSignatureByteArrayLength(this.alg);
/**
*
* If the expected size is not valid for JOSE, fall back to ASN.1 DER signature.
* This fallback is for backwards compatibility ONLY (to support tokens generated by previous versions of jjwt)
* and backwards compatibility will possibly be removed in a future version of this library.
*
* **/
byte[] derSignature = expectedSize != signature.length && signature[0] == 0x30 ? signature : EllipticCurveProvider.transcodeSignatureToDER(signature);
if (doVerify(sig, publicKey, data, derSignature))
return true;
} catch (Exception e) {
String msg = "Unable to verify Elliptic Curve signature using configured ECPublicKey. " + e.getMessage();
throw new SignatureException(msg, e);
}
}
return false;
}
protected boolean doVerify(Signature sig, PublicKey publicKey, byte[] data, byte[] signature)

View File

@ -19,19 +19,27 @@ import io.jsonwebtoken.SignatureAlgorithm;
import java.security.Key;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.ArrayList;
import java.util.Collection;
public class MacValidator implements SignatureValidator {
private final MacSigner signer;
private final Collection<MacSigner> signers;
public MacValidator(SignatureAlgorithm alg, Key key) {
this.signer = new MacSigner(alg, key);
public MacValidator(SignatureAlgorithm alg, Collection<Key> keys) {
Collection<MacSigner> signers = new ArrayList<>();
for (Key key: keys)
signers.add(new MacSigner(alg, key));
this.signers = signers;
}
@Override
public boolean isValid(byte[] data, byte[] signature) {
byte[] computed = this.signer.sign(data);
return MessageDigest.isEqual(computed, signature);
for (MacSigner signer: this.signers) {
byte[] computed = signer.sign(data);
if (MessageDigest.isEqual(computed, signature))
return true;
}
return false;
}
}

View File

@ -25,35 +25,58 @@ import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
public class RsaSignatureValidator extends RsaProvider implements SignatureValidator {
private final RsaSigner SIGNER;
private final Collection<SignerAndKey> SIGNERS;
public RsaSignatureValidator(SignatureAlgorithm alg, Key key) {
super(alg, key);
Assert.isTrue(key instanceof RSAPrivateKey || key instanceof RSAPublicKey,
"RSA Signature validation requires either a RSAPublicKey or RSAPrivateKey instance.");
this.SIGNER = key instanceof RSAPrivateKey ? new RsaSigner(alg, key) : null;
public static final class SignerAndKey {
private final RsaSigner signer;
private final Key key;
public SignerAndKey(final RsaSigner signer, final Key key) {
this.signer = signer;
this.key = key;
}
}
public RsaSignatureValidator(SignatureAlgorithm alg, Collection<Key> keys) {
super(alg, null);
Collection<SignerAndKey> SIGNERS = new ArrayList<>();
for (Key key: keys) {
Assert.isTrue(key instanceof RSAPrivateKey || key instanceof RSAPublicKey,
"RSA Signature validation requires either a RSAPublicKey or RSAPrivateKey instance.");
SIGNERS.add(new SignerAndKey(new RsaSigner(alg, key), key));
}
this.SIGNERS = SIGNERS;
}
@Override
public boolean isValid(byte[] data, byte[] signature) {
if (key instanceof PublicKey) {
Signature sig = createSignatureInstance();
PublicKey publicKey = (PublicKey) key;
try {
return doVerify(sig, publicKey, data, signature);
} catch (Exception e) {
String msg = "Unable to verify RSA signature using configured PublicKey. " + e.getMessage();
throw new SignatureException(msg, e);
for (SignerAndKey signerAndKey: this.SIGNERS) {
if (signerAndKey.key instanceof PublicKey) {
Signature sig = createSignatureInstance();
PublicKey publicKey = (PublicKey) signerAndKey.key;
try {
if (doVerify(sig, publicKey, data, signature))
return true;
} catch (Exception e) {
String msg = "Unable to verify RSA signature using configured PublicKey. " + e.getMessage();
throw new SignatureException(msg, e);
}
} else {
Assert.notNull(this.SIGNERS, "RSA Signer instance cannot be null. This is a bug. Please report it.");
byte[] computed = signerAndKey.signer.sign(data);
if (Arrays.equals(computed, signature))
return true;
}
} else {
Assert.notNull(this.SIGNER, "RSA Signer instance cannot be null. This is a bug. Please report it.");
byte[] computed = this.SIGNER.sign(data);
return Arrays.equals(computed, signature);
}
return false;
}
protected boolean doVerify(Signature sig, PublicKey publicKey, byte[] data, byte[] signature)

View File

@ -18,8 +18,9 @@ package io.jsonwebtoken.impl.crypto;
import io.jsonwebtoken.SignatureAlgorithm;
import java.security.Key;
import java.util.Collection;
public interface SignatureValidatorFactory {
SignatureValidator createSignatureValidator(SignatureAlgorithm alg, Key key);
SignatureValidator createSignatureValidator(SignatureAlgorithm alg, Collection<Key> keys);
}

View File

@ -19,6 +19,7 @@ import java.io.Closeable;
import java.io.IOException;
import java.lang.reflect.Array;
import java.util.Arrays;
import java.util.Collection;
public final class Objects {
@ -95,6 +96,16 @@ public final class Objects {
return (array == null || array.length == 0);
}
/**
* Determine whether the given collection is empty:
* i.e. <code>null</code> or of zero length.
*
* @param array the Collection to check
*/
public static boolean isEmpty(Collection<?> collection) {
return (collection == null || collection.isEmpty());
}
/**
* Returns {@code true} if the specified byte array is null or of zero length, {@code false} otherwise.
*