Examples with KeyTemplate com.google.crypto.tink.KeyTemplate used on opensource projects

Search in sources :

Example 51 with KeyTemplate

use of com.google.crypto.tink.KeyTemplate in project tink by google.

the class JwtRsaSsaPkcs1SignKeyManagerTest method createSignVerifyDifferentKey_throw.

// Note: we use Theory as a parametrized test -- different from what the Theory framework intends.
@Theory
public void createSignVerifyDifferentKey_throw(@FromDataPoints("templates") String templateName) throws Exception {
    if (TestUtil.isTsan()) {
        // We do not use assume because Theories expects to find something which is not skipped.
        return;
    }
    KeyTemplate template = KeyTemplates.get(templateName);
    KeysetHandle handle = KeysetHandle.generateNew(template);
    JwtPublicKeySign signer = handle.getPrimitive(JwtPublicKeySign.class);
    RawJwt rawToken = RawJwt.newBuilder().setJwtId("id123").withoutExpiration().build();
    String signedCompact = signer.signAndEncode(rawToken);
    KeysetHandle otherHandle = KeysetHandle.generateNew(template);
    JwtPublicKeyVerify otherVerifier = otherHandle.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);
    JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
    assertThrows(GeneralSecurityException.class, () -> otherVerifier.verifyAndDecode(signedCompact, validator));
}
Also used : KeysetHandle(com.google.crypto.tink.KeysetHandle) CleartextKeysetHandle(com.google.crypto.tink.CleartextKeysetHandle) ByteString(com.google.protobuf.ByteString) KeyTemplate(com.google.crypto.tink.KeyTemplate) Theory(org.junit.experimental.theories.Theory)

Example 52 with KeyTemplate

use of com.google.crypto.tink.KeyTemplate in project tink by google.

the class JwtRsaSsaPkcs1SignKeyManagerTest method signAndVerifyWithCustomKid.

@Test
public void signAndVerifyWithCustomKid() throws Exception {
    if (TestUtil.isTsan()) {
        // We do not use assume because Theories expects to find something which is not skipped.
        return;
    }
    KeyTemplate template = KeyTemplates.get("JWT_RS256_2048_F4_RAW");
    KeysetHandle handleWithoutKid = KeysetHandle.generateNew(template);
    KeysetHandle handleWithKid = withCustomKid(handleWithoutKid, "Lorem ipsum dolor sit amet, consectetur adipiscing elit");
    JwtPublicKeySign signerWithKid = handleWithKid.getPrimitive(JwtPublicKeySign.class);
    JwtPublicKeySign signerWithoutKid = handleWithoutKid.getPrimitive(JwtPublicKeySign.class);
    RawJwt rawToken = RawJwt.newBuilder().setJwtId("jwtId").withoutExpiration().build();
    String signedCompactWithKid = signerWithKid.signAndEncode(rawToken);
    String signedCompactWithoutKid = signerWithoutKid.signAndEncode(rawToken);
    // Verify the kid in the header
    String jsonHeaderWithKid = JwtFormat.splitSignedCompact(signedCompactWithKid).header;
    String kid = JsonUtil.parseJson(jsonHeaderWithKid).get("kid").getAsString();
    assertThat(kid).isEqualTo("Lorem ipsum dolor sit amet, consectetur adipiscing elit");
    String jsonHeaderWithoutKid = JwtFormat.splitSignedCompact(signedCompactWithoutKid).header;
    assertThat(JsonUtil.parseJson(jsonHeaderWithoutKid).has("kid")).isFalse();
    JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
    JwtPublicKeyVerify verifierWithoutKid = handleWithoutKid.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);
    JwtPublicKeyVerify verifierWithKid = handleWithKid.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);
    // Even if custom_kid is set, we don't require a "kid" in the header.
    assertThat(verifierWithoutKid.verifyAndDecode(signedCompactWithKid, validator).getJwtId()).isEqualTo("jwtId");
    assertThat(verifierWithKid.verifyAndDecode(signedCompactWithKid, validator).getJwtId()).isEqualTo("jwtId");
    assertThat(verifierWithoutKid.verifyAndDecode(signedCompactWithoutKid, validator).getJwtId()).isEqualTo("jwtId");
    assertThat(verifierWithKid.verifyAndDecode(signedCompactWithoutKid, validator).getJwtId()).isEqualTo("jwtId");
}
Also used : KeysetHandle(com.google.crypto.tink.KeysetHandle) CleartextKeysetHandle(com.google.crypto.tink.CleartextKeysetHandle) ByteString(com.google.protobuf.ByteString) KeyTemplate(com.google.crypto.tink.KeyTemplate) Test(org.junit.Test)

Example 53 with KeyTemplate

use of com.google.crypto.tink.KeyTemplate in project tink by google.

the class JwtRsaSsaPkcs1SignKeyManagerTest method createSignVerifyTink_withDifferentHeaders.

@Test
public void createSignVerifyTink_withDifferentHeaders() throws Exception {
    if (TestUtil.isTsan()) {
        // We do not use assume because Theories expects to find something which is not skipped.
        return;
    }
    KeyTemplate template = KeyTemplates.get("JWT_RS256_2048_F4");
    KeysetHandle handle = KeysetHandle.generateNew(template);
    Keyset keyset = CleartextKeysetHandle.getKeyset(handle);
    JwtRsaSsaPkcs1PrivateKey keyProto = JwtRsaSsaPkcs1PrivateKey.parseFrom(keyset.getKey(0).getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
    RSAPrivateCrtKey privateKey = createPrivateKey(keyProto);
    JwtRsaSsaPkcs1Algorithm algorithm = keyProto.getPublicKey().getAlgorithm();
    Enums.HashType hash = JwtRsaSsaPkcs1VerifyKeyManager.hashForPkcs1Algorithm(algorithm);
    RsaSsaPkcs1SignJce rawSigner = new RsaSsaPkcs1SignJce(privateKey, hash);
    JwtPublicKeyVerify verifier = handle.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);
    JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
    String kid = JwtFormat.getKid(keyset.getKey(0).getKeyId(), keyset.getKey(0).getOutputPrefixType()).get();
    JsonObject payload = new JsonObject();
    payload.addProperty("jti", "jwtId");
    // normal, valid token
    JsonObject normalHeader = new JsonObject();
    normalHeader.addProperty("alg", "RS256");
    normalHeader.addProperty("kid", kid);
    String validToken = generateSignedCompact(rawSigner, normalHeader, payload);
    verifier.verifyAndDecode(validToken, validator);
    // token without kid are rejected, even if they are valid.
    JsonObject headerWithoutKid = new JsonObject();
    headerWithoutKid.addProperty("alg", "RS256");
    String tokenWithoutKid = generateSignedCompact(rawSigner, headerWithoutKid, payload);
    assertThrows(GeneralSecurityException.class, () -> verifier.verifyAndDecode(tokenWithoutKid, validator));
    // token without algorithm in header
    JsonObject headerWithoutAlg = new JsonObject();
    headerWithoutAlg.addProperty("kid", kid);
    String tokenWithoutAlg = generateSignedCompact(rawSigner, headerWithoutAlg, payload);
    assertThrows(GeneralSecurityException.class, () -> verifier.verifyAndDecode(tokenWithoutAlg, validator));
    // invalid token with an incorrect algorithm in the header
    JsonObject headerWithBadAlg = new JsonObject();
    headerWithBadAlg.addProperty("alg", "PS256");
    headerWithBadAlg.addProperty("kid", kid);
    String tokenWithBadAlg = generateSignedCompact(rawSigner, headerWithBadAlg, payload);
    assertThrows(GeneralSecurityException.class, () -> verifier.verifyAndDecode(tokenWithBadAlg, validator));
    // token with an unknown "kid" in the header is invalid
    JsonObject headerWithUnknownKid = new JsonObject();
    headerWithUnknownKid.addProperty("alg", "RS256");
    headerWithUnknownKid.addProperty("kid", "unknown");
    String tokenWithUnknownKid = generateSignedCompact(rawSigner, headerWithUnknownKid, payload);
    assertThrows(GeneralSecurityException.class, () -> verifier.verifyAndDecode(tokenWithUnknownKid, validator));
}
Also used : KeysetHandle(com.google.crypto.tink.KeysetHandle) CleartextKeysetHandle(com.google.crypto.tink.CleartextKeysetHandle) Keyset(com.google.crypto.tink.proto.Keyset) RSAPrivateCrtKey(java.security.interfaces.RSAPrivateCrtKey) JwtRsaSsaPkcs1PrivateKey(com.google.crypto.tink.proto.JwtRsaSsaPkcs1PrivateKey) JsonObject(com.google.gson.JsonObject) RsaSsaPkcs1SignJce(com.google.crypto.tink.subtle.RsaSsaPkcs1SignJce) ByteString(com.google.protobuf.ByteString) Enums(com.google.crypto.tink.subtle.Enums) JwtRsaSsaPkcs1Algorithm(com.google.crypto.tink.proto.JwtRsaSsaPkcs1Algorithm) KeyTemplate(com.google.crypto.tink.KeyTemplate) Test(org.junit.Test)

Example 54 with KeyTemplate

use of com.google.crypto.tink.KeyTemplate in project tink by google.

the class JwtRsaSsaPssSignKeyManagerTest method createSignVerifyTink_withDifferentHeaders.

@Test
public void createSignVerifyTink_withDifferentHeaders() throws Exception {
    // creating keys is too slow in Tsan.
    assumeFalse(TestUtil.isTsan());
    KeyTemplate template = KeyTemplates.get("JWT_PS256_2048_F4");
    KeysetHandle handle = KeysetHandle.generateNew(template);
    Keyset keyset = CleartextKeysetHandle.getKeyset(handle);
    JwtRsaSsaPssPrivateKey keyProto = JwtRsaSsaPssPrivateKey.parseFrom(keyset.getKey(0).getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
    RSAPrivateCrtKey privateKey = createPrivateKey(keyProto);
    JwtRsaSsaPssAlgorithm algorithm = keyProto.getPublicKey().getAlgorithm();
    Enums.HashType hash = JwtRsaSsaPssVerifyKeyManager.hashForPssAlgorithm(algorithm);
    int saltLength = JwtRsaSsaPssVerifyKeyManager.saltLengthForPssAlgorithm(algorithm);
    RsaSsaPssSignJce rawSigner = new RsaSsaPssSignJce(privateKey, hash, hash, saltLength);
    JwtPublicKeyVerify verifier = handle.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);
    JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
    String kid = JwtFormat.getKid(keyset.getKey(0).getKeyId(), keyset.getKey(0).getOutputPrefixType()).get();
    JsonObject payload = new JsonObject();
    payload.addProperty("jti", "jwtId");
    // normal, valid token
    JsonObject normalHeader = new JsonObject();
    normalHeader.addProperty("alg", "PS256");
    normalHeader.addProperty("kid", kid);
    String validToken = generateSignedCompact(rawSigner, normalHeader, payload);
    verifier.verifyAndDecode(validToken, validator);
    // token without kid are rejected, even if they are valid.
    JsonObject headerWithoutKid = new JsonObject();
    headerWithoutKid.addProperty("alg", "PS256");
    String tokenWithoutKid = generateSignedCompact(rawSigner, headerWithoutKid, payload);
    assertThrows(GeneralSecurityException.class, () -> verifier.verifyAndDecode(tokenWithoutKid, validator));
    // token without algorithm in header
    JsonObject headerWithoutAlg = new JsonObject();
    headerWithoutAlg.addProperty("kid", kid);
    String tokenWithoutAlg = generateSignedCompact(rawSigner, headerWithoutAlg, payload);
    assertThrows(GeneralSecurityException.class, () -> verifier.verifyAndDecode(tokenWithoutAlg, validator));
    // invalid token with an incorrect algorithm in the header
    JsonObject headerWithBadAlg = new JsonObject();
    headerWithBadAlg.addProperty("alg", "RS256");
    headerWithBadAlg.addProperty("kid", kid);
    String tokenWithBadAlg = generateSignedCompact(rawSigner, headerWithBadAlg, payload);
    assertThrows(GeneralSecurityException.class, () -> verifier.verifyAndDecode(tokenWithBadAlg, validator));
    // token with an unknown "kid" in the header is invalid
    JsonObject headerWithUnknownKid = new JsonObject();
    headerWithUnknownKid.addProperty("alg", "PS256");
    headerWithUnknownKid.addProperty("kid", "unknown");
    String tokenWithUnknownKid = generateSignedCompact(rawSigner, headerWithUnknownKid, payload);
    assertThrows(GeneralSecurityException.class, () -> verifier.verifyAndDecode(tokenWithUnknownKid, validator));
}
Also used : KeysetHandle(com.google.crypto.tink.KeysetHandle) CleartextKeysetHandle(com.google.crypto.tink.CleartextKeysetHandle) Keyset(com.google.crypto.tink.proto.Keyset) RSAPrivateCrtKey(java.security.interfaces.RSAPrivateCrtKey) JsonObject(com.google.gson.JsonObject) ByteString(com.google.protobuf.ByteString) RsaSsaPssSignJce(com.google.crypto.tink.subtle.RsaSsaPssSignJce) Enums(com.google.crypto.tink.subtle.Enums) JwtRsaSsaPssPrivateKey(com.google.crypto.tink.proto.JwtRsaSsaPssPrivateKey) JwtRsaSsaPssAlgorithm(com.google.crypto.tink.proto.JwtRsaSsaPssAlgorithm) KeyTemplate(com.google.crypto.tink.KeyTemplate) Test(org.junit.Test)

Example 55 with KeyTemplate

use of com.google.crypto.tink.KeyTemplate in project tink by google.

the class JwtEcdsaSignKeyManagerTest method createSignVerifyTink_withDifferentHeaders.

@Test
public void createSignVerifyTink_withDifferentHeaders() throws Exception {
    // KeysetHandle.generateNew is too slow in Tsan.
    assumeFalse(TestUtil.isTsan());
    KeyTemplate template = KeyTemplates.get("JWT_ES256");
    KeysetHandle handle = KeysetHandle.generateNew(template);
    Keyset keyset = CleartextKeysetHandle.getKeyset(handle);
    JwtEcdsaPrivateKey keyProto = JwtEcdsaPrivateKey.parseFrom(keyset.getKey(0).getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
    ECPrivateKey privateKey = EllipticCurves.getEcPrivateKey(JwtEcdsaVerifyKeyManager.getCurve(keyProto.getPublicKey().getAlgorithm()), keyProto.getKeyValue().toByteArray());
    JwtEcdsaAlgorithm algorithm = keyProto.getPublicKey().getAlgorithm();
    Enums.HashType hash = JwtEcdsaVerifyKeyManager.hashForEcdsaAlgorithm(algorithm);
    EcdsaSignJce rawSigner = new EcdsaSignJce(privateKey, hash, EcdsaEncoding.IEEE_P1363);
    String kid = JwtFormat.getKid(keyset.getKey(0).getKeyId(), keyset.getKey(0).getOutputPrefixType()).get();
    JsonObject payload = new JsonObject();
    payload.addProperty("jti", "jwtId");
    JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
    JwtPublicKeyVerify verifier = handle.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);
    // Normal, valid signed token.
    JsonObject normalHeader = new JsonObject();
    normalHeader.addProperty("alg", "ES256");
    normalHeader.addProperty("kid", kid);
    String normalToken = generateSignedCompact(rawSigner, normalHeader, payload);
    verifier.verifyAndDecode(normalToken, validator);
    // token without kid are rejected, even if they are valid.
    JsonObject headerWithoutKid = new JsonObject();
    headerWithoutKid.addProperty("alg", "ES256");
    String tokenWithoutKid = generateSignedCompact(rawSigner, headerWithoutKid, payload);
    assertThrows(GeneralSecurityException.class, () -> verifier.verifyAndDecode(tokenWithoutKid, validator));
    // token without algorithm in the header
    JsonObject headerWithoutAlg = new JsonObject();
    headerWithoutAlg.addProperty("kid", kid);
    String tokenWithoutAlg = generateSignedCompact(rawSigner, headerWithoutAlg, payload);
    assertThrows(GeneralSecurityException.class, () -> verifier.verifyAndDecode(tokenWithoutAlg, validator));
    // token with an incorrect algorithm in the header
    JsonObject headerWithBadAlg = new JsonObject();
    headerWithBadAlg.addProperty("kid", kid);
    headerWithBadAlg.addProperty("alg", "RS256");
    String badAlgToken = generateSignedCompact(rawSigner, headerWithBadAlg, payload);
    assertThrows(GeneralSecurityException.class, () -> verifier.verifyAndDecode(badAlgToken, validator));
    // token with an unknown kid header
    JsonObject unknownKidHeader = new JsonObject();
    unknownKidHeader.addProperty("alg", "ES256");
    unknownKidHeader.addProperty("kid", "unknown");
    String unknownKidSignedCompact = generateSignedCompact(rawSigner, unknownKidHeader, payload);
    assertThrows(GeneralSecurityException.class, () -> verifier.verifyAndDecode(unknownKidSignedCompact, validator));
}
Also used : KeysetHandle(com.google.crypto.tink.KeysetHandle) CleartextKeysetHandle(com.google.crypto.tink.CleartextKeysetHandle) Keyset(com.google.crypto.tink.proto.Keyset) ECPrivateKey(java.security.interfaces.ECPrivateKey) JsonObject(com.google.gson.JsonObject) ByteString(com.google.protobuf.ByteString) JwtEcdsaPrivateKey(com.google.crypto.tink.proto.JwtEcdsaPrivateKey) Enums(com.google.crypto.tink.subtle.Enums) EcdsaSignJce(com.google.crypto.tink.subtle.EcdsaSignJce) JwtEcdsaAlgorithm(com.google.crypto.tink.proto.JwtEcdsaAlgorithm) KeyTemplate(com.google.crypto.tink.KeyTemplate) Test(org.junit.Test)

Aggregations

KeyTemplate (com.google.crypto.tink.KeyTemplate)143 Test (org.junit.Test)135 KeysetHandle (com.google.crypto.tink.KeysetHandle)56 ByteString (com.google.protobuf.ByteString)39 CleartextKeysetHandle (com.google.crypto.tink.CleartextKeysetHandle)37 KeyData (com.google.crypto.tink.proto.KeyData)16 Keyset (com.google.crypto.tink.proto.Keyset)12 JsonObject (com.google.gson.JsonObject)8 KeysetManager (com.google.crypto.tink.KeysetManager)7 BigInteger (java.math.BigInteger)7 Instant (java.time.Instant)7 Aead (com.google.crypto.tink.Aead)6 Enums (com.google.crypto.tink.subtle.Enums)6 Clock (java.time.Clock)6 AesEaxKeyFormat (com.google.crypto.tink.proto.AesEaxKeyFormat)5 AesCtrHmacStreamingKeyFormat (com.google.crypto.tink.proto.AesCtrHmacStreamingKeyFormat)4 AesGcmHkdfStreamingKeyFormat (com.google.crypto.tink.proto.AesGcmHkdfStreamingKeyFormat)4 AesGcmKeyFormat (com.google.crypto.tink.proto.AesGcmKeyFormat)4 AesGcmSivKeyFormat (com.google.crypto.tink.proto.AesGcmSivKeyFormat)4 EciesAeadHkdfKeyFormat (com.google.crypto.tink.proto.EciesAeadHkdfKeyFormat)4
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial