use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class JwtEcdsaSignKeyManagerTest method createSignVerifyRaw_withDifferentHeaders.
/**
 * Checks how a verifier for a {@code JWT_ES256_RAW} key treats hand-built JWT headers.
 *
 * <p>The private key is pulled out of the freshly generated keyset and wrapped in a plain
 * {@code EcdsaSignJce}, so every token below is signed with the same key and only the header
 * differs. Tokens with {@code alg=ES256} are accepted (alone, with an expected {@code typ}, or
 * with an unrecognised {@code kid}). A header without {@code alg} and a header announcing
 * {@code RS256} must both fail with {@link GeneralSecurityException}.
 *
 * @throws Exception if key generation, signing, or a verification expected to pass fails
 */
@Test
public void createSignVerifyRaw_withDifferentHeaders() throws Exception {
  // KeysetHandle.generateNew is too slow in Tsan.
  assumeFalse(TestUtil.isTsan());

  KeyTemplate rawEs256Template = KeyTemplates.get("JWT_ES256_RAW");
  KeysetHandle privateHandle = KeysetHandle.generateNew(rawEs256Template);

  // Test-only shortcut: read the keyset in cleartext to reach the raw private key bytes.
  Keyset cleartextKeyset = CleartextKeysetHandle.getKeyset(privateHandle);
  JwtEcdsaPrivateKey privateKeyProto =
      JwtEcdsaPrivateKey.parseFrom(
          cleartextKeyset.getKey(0).getKeyData().getValue(),
          ExtensionRegistryLite.getEmptyRegistry());
  JwtEcdsaAlgorithm algorithm = privateKeyProto.getPublicKey().getAlgorithm();
  ECPrivateKey ecPrivateKey =
      EllipticCurves.getEcPrivateKey(
          JwtEcdsaVerifyKeyManager.getCurve(algorithm),
          privateKeyProto.getKeyValue().toByteArray());
  Enums.HashType hashType = JwtEcdsaVerifyKeyManager.hashForEcdsaAlgorithm(algorithm);
  // generateSignedCompact is a helper defined elsewhere in the test class; from its call sites
  // it takes this signer plus a header and a payload and returns the compact token string.
  EcdsaSignJce rawSigner = new EcdsaSignJce(ecPrivateKey, hashType, EcdsaEncoding.IEEE_P1363);

  // NOTE(review): the claim name is "jid", not the registered "jti". Nothing below inspects
  // the claim, so either spelling passes; confirm it is intentional.
  JsonObject payload = new JsonObject();
  payload.addProperty("jid", "jwtId");

  // The payload carries no "exp", so the validator has to allow a missing expiration.
  JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
  JwtPublicKeyVerify verifier =
      privateHandle.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);

  // Accepted: header holding nothing but the matching algorithm.
  JsonObject algOnlyHeader = new JsonObject();
  algOnlyHeader.addProperty("alg", "ES256");
  String algOnlyToken = generateSignedCompact(rawSigner, algOnlyHeader, payload);
  verifier.verifyAndDecode(algOnlyToken, validator);

  // Accepted: "typ" is present and the validator is told to expect exactly that value.
  JsonObject typedHeader = new JsonObject();
  typedHeader.addProperty("alg", "ES256");
  typedHeader.addProperty("typ", "typeHeader");
  String typedToken = generateSignedCompact(rawSigner, typedHeader, payload);
  JwtValidator typedValidator =
      JwtValidator.newBuilder().expectTypeHeader("typeHeader").allowMissingExpiration().build();
  verifier.verifyAndDecode(typedToken, typedValidator);

  // Rejected: a header with no "alg" at all, even though the signature comes from the right key.
  JsonObject noAlgHeader = new JsonObject();
  String noAlgToken = generateSignedCompact(rawSigner, noAlgHeader, payload);
  assertThrows(
      GeneralSecurityException.class, () -> verifier.verifyAndDecode(noAlgToken, validator));

  // Rejected: "alg" names a real algorithm, but not the one this key is bound to. The verifier
  // must not let the token header choose the algorithm.
  JsonObject wrongAlgHeader = new JsonObject();
  wrongAlgHeader.addProperty("alg", "RS256");
  String wrongAlgToken = generateSignedCompact(rawSigner, wrongAlgHeader, payload);
  assertThrows(
      GeneralSecurityException.class, () -> verifier.verifyAndDecode(wrongAlgToken, validator));

  // Accepted: for raw keys, verification succeeds even if a "kid" header is present.
  JsonObject kidHeader = new JsonObject();
  kidHeader.addProperty("alg", "ES256");
  kidHeader.addProperty("kid", "unknown");
  String kidToken = generateSignedCompact(rawSigner, kidHeader, payload);
  verifier.verifyAndDecode(kidToken, validator);
}
use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class JwtHmacKeyManagerTest method macWithTinkKeyAndCustomKid_fails.
/**
 * Verifies that MAC computation is refused for a {@code JWT_HS256} key that carries a custom
 * {@code kid}.
 *
 * <p>The keyset is generated normally, its single key is rewritten in place to add a
 * {@code CustomKid}, and {@code computeMacAndEncode} on the resulting primitive must throw
 * {@link JwtInvalidException}. NOTE(review): going by the test name the template produces a
 * TINK-type key, and the rejection is presumably because such a key already gets its
 * {@code kid} from elsewhere. The rejecting code is not visible here; confirm against the key
 * manager.
 *
 * @throws Exception if key generation or keyset manipulation fails
 */
@Test
public void macWithTinkKeyAndCustomKid_fails() throws Exception {
  KeyTemplate hs256Template = KeyTemplates.get("JWT_HS256");
  KeysetHandle generatedHandle = KeysetHandle.generateNew(hs256Template);

  // Test-only: read the keyset in cleartext so the key proto can be edited.
  Keyset generatedKeyset = CleartextKeysetHandle.getKeyset(generatedHandle);
  Keyset.Key generatedKey = generatedKeyset.getKey(0);

  // Same key material, with the "kid" value set.
  JwtHmacKey keyProtoWithKid =
      JwtHmacKey.parseFrom(
              generatedKey.getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry())
          .toBuilder()
          .setCustomKid(
              CustomKid.newBuilder()
                  .setValue("Lorem ipsum dolor sit amet, consectetur adipiscing elit")
                  .build())
          .build();

  // Re-wrap the edited proto: key data -> key entry -> keyset -> handle.
  KeyData keyDataWithKid =
      generatedKey.getKeyData().toBuilder().setValue(keyProtoWithKid.toByteString()).build();
  Keyset.Key keyEntryWithKid = generatedKey.toBuilder().setKeyData(keyDataWithKid).build();
  Keyset keysetWithKid = generatedKeyset.toBuilder().setKey(0, keyEntryWithKid).build();
  KeysetHandle handleWithKid = CleartextKeysetHandle.fromKeyset(keysetWithKid);

  JwtMac macWithKid = handleWithKid.getPrimitive(JwtMac.class);
  RawJwt token = RawJwt.newBuilder().setJwtId("jwtId").withoutExpiration().build();

  // Obtaining the primitive succeeds; the failure is expected only when a token is MACed.
  assertThrows(JwtInvalidException.class, () -> macWithKid.computeMacAndEncode(token));
}
use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class JwtHmacKeyManagerTest method verify_before_shouldThrow.
/**
 * Verifies that a token whose not-before time lies in the future is rejected.
 *
 * <p>The token is MACed with a fresh {@code JWT_HS256} key and a not-before time one minute
 * after the current system time. The validator is built with nothing but
 * {@code allowMissingExpiration()}, so no clock skew allowance is configured on it, and
 * {@code verifyMacAndDecode} must throw {@link JwtInvalidException}.
 *
 * @throws Exception if key generation or MAC computation fails
 */
@Test
public void verify_before_shouldThrow() throws Exception {
  KeyTemplate hs256Template = KeyTemplates.get("JWT_HS256");
  JwtMac jwtMac = KeysetHandle.generateNew(hs256Template).getPrimitive(JwtMac.class);

  // This token cannot be used until 1 minute in the future (measured on the real wall clock).
  Clock systemClock = Clock.systemUTC();
  Instant oneMinuteAhead = systemClock.instant().plus(Duration.ofMinutes(1));
  RawJwt notYetValid =
      RawJwt.newBuilder().setNotBefore(oneMinuteAhead).withoutExpiration().build();
  String encodedToken = jwtMac.computeMacAndEncode(notYetValid);

  // The MAC itself is valid; the rejection has to come from the not-before check.
  JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
  assertThrows(
      JwtInvalidException.class, () -> jwtMac.verifyMacAndDecode(encodedToken, validator));
}
use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class HmacKeyManagerTest method testHmacSha512HalfDigestTemplate.
/**
 * Pins the parameters of {@code HmacKeyManager.hmacSha512HalfDigestTemplate()}.
 *
 * <p>The template must target the HMAC key type, use the {@code TINK} output prefix, and
 * decode to a key format with key size 64, tag size 32 and hash {@code SHA512}. A tag size of
 * 32 is half of the 64-byte SHA-512 output, which matches "HalfDigest" in the template name.
 *
 * @throws Exception if the serialized key format cannot be parsed
 */
@Test
public void testHmacSha512HalfDigestTemplate() throws Exception {
  KeyTemplate halfDigestTemplate = HmacKeyManager.hmacSha512HalfDigestTemplate();

  // Template envelope: which key manager handles it and how outputs are prefixed.
  String hmacKeyType = new HmacKeyManager().getKeyType();
  assertThat(halfDigestTemplate.getTypeUrl()).isEqualTo(hmacKeyType);
  assertThat(halfDigestTemplate.getOutputPrefixType())
      .isEqualTo(KeyTemplate.OutputPrefixType.TINK);

  // Template payload: the serialized HmacKeyFormat with the actual cryptographic parameters.
  HmacKeyFormat keyFormat =
      HmacKeyFormat.parseFrom(
          halfDigestTemplate.getValue(), ExtensionRegistryLite.getEmptyRegistry());
  assertThat(keyFormat.getKeySize()).isEqualTo(64);
  assertThat(keyFormat.getParams().getTagSize()).isEqualTo(32);
  assertThat(keyFormat.getParams().getHash()).isEqualTo(HashType.SHA512);
}
use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class HmacPrfKeyManagerTest method testHmacSha512Template.
/**
 * Pins the parameters of {@code HmacPrfKeyManager.hmacSha512Template()}.
 *
 * <p>The template must target the HMAC-PRF key type, use the {@code RAW} output prefix, and
 * decode to a key format with key size 64 and hash {@code SHA512}. No tag size is asserted
 * for the PRF format.
 *
 * @throws Exception if the serialized key format cannot be parsed
 */
@Test
public void testHmacSha512Template() throws Exception {
  KeyTemplate prfTemplate = HmacPrfKeyManager.hmacSha512Template();

  // Template envelope: key type URL and output prefix.
  String prfKeyType = new HmacPrfKeyManager().getKeyType();
  assertThat(prfTemplate.getTypeUrl()).isEqualTo(prfKeyType);
  assertThat(prfTemplate.getOutputPrefixType()).isEqualTo(KeyTemplate.OutputPrefixType.RAW);

  // Template payload: the serialized HmacPrfKeyFormat.
  HmacPrfKeyFormat keyFormat =
      HmacPrfKeyFormat.parseFrom(prfTemplate.getValue(), ExtensionRegistryLite.getEmptyRegistry());
  assertThat(keyFormat.getKeySize()).isEqualTo(64);
  assertThat(keyFormat.getParams().getHash()).isEqualTo(HashType.SHA512);
}