use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class AesSivKeyManagerTest method testRawAes256SivTemplate.
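/**
 * Checks that {@code AesSivKeyManager.rawAes256SivTemplate()} targets the AES-SIV key type,
 * uses the RAW output prefix, and requests a 64-byte key.
 */
@Test
public void testRawAes256SivTemplate() throws Exception {
  KeyTemplate template = AesSivKeyManager.rawAes256SivTemplate();
  assertThat(template.getTypeUrl()).isEqualTo(new AesSivKeyManager().getKeyType());
  assertThat(template.getOutputPrefixType()).isEqualTo(KeyTemplate.OutputPrefixType.RAW);
  AesSivKeyFormat format =
      AesSivKeyFormat.parseFrom(template.getValue(), ExtensionRegistryLite.getEmptyRegistry());
  // Pin the size to a literal: comparing format.getKeySize() with itself passes for any value,
  // so a template requesting a weaker key would go unnoticed. AES-SIV splits its key into two
  // equal halves, so the AES-256 variant needs 2 * 32 = 64 bytes.
  assertThat(format.getKeySize()).isEqualTo(64);
}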
use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class JwtEcdsaSignKeyManagerTest method signAndVerifyWithCustomKid.
/**
 * Signs the same raw JWT with a JWT_ES256_RAW keyset and with the handle returned by
 * {@code withCustomKid} for it, checks which token carries a "kid" header, and checks that
 * both verifiers accept both tokens.
 */
@Test
public void signAndVerifyWithCustomKid() throws Exception {
  // KeysetHandle.generateNew is too slow in Tsan.
  assumeFalse(TestUtil.isTsan());

  KeysetHandle plainHandle = KeysetHandle.generateNew(KeyTemplates.get("JWT_ES256_RAW"));
  KeysetHandle kidHandle =
      withCustomKid(plainHandle, "Lorem ipsum dolor sit amet, consectetur adipiscing elit");

  JwtPublicKeySign kidSigner = kidHandle.getPrimitive(JwtPublicKeySign.class);
  JwtPublicKeySign plainSigner = plainHandle.getPrimitive(JwtPublicKeySign.class);

  RawJwt unsignedJwt = RawJwt.newBuilder().setJwtId("jwtId").withoutExpiration().build();
  String tokenWithKid = kidSigner.signAndEncode(unsignedJwt);
  String tokenWithoutKid = plainSigner.signAndEncode(unsignedJwt);

  // The custom kid must be written to the header verbatim ...
  String kidInHeader =
      JsonUtil.parseJson(JwtFormat.splitSignedCompact(tokenWithKid).header)
          .get("kid")
          .getAsString();
  assertThat(kidInHeader).isEqualTo("Lorem ipsum dolor sit amet, consectetur adipiscing elit");
  // ... and a key without a custom kid must not emit a "kid" header at all.
  boolean plainHeaderHasKid =
      JsonUtil.parseJson(JwtFormat.splitSignedCompact(tokenWithoutKid).header).has("kid");
  assertThat(plainHeaderHasKid).isFalse();

  JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
  JwtPublicKeyVerify plainVerifier =
      plainHandle.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);
  JwtPublicKeyVerify kidVerifier =
      kidHandle.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);

  // Even if custom_kid is set, we don't require a "kid" in the header, so every
  // verifier/token combination has to verify and decode to the same jti.
  String[] tokens = {tokenWithKid, tokenWithoutKid};
  JwtPublicKeyVerify[] verifiers = {plainVerifier, kidVerifier};
  for (String token : tokens) {
    for (JwtPublicKeyVerify verifier : verifiers) {
      assertThat(verifier.verifyAndDecode(token, validator).getJwtId()).isEqualTo("jwtId");
    }
  }
}
use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class JwtEcdsaSignKeyManagerTest method testJwtES384Template_ok.
/**
 * Looks up the registered "JWT_ES384_RAW" template and hands it to {@code checkTemplate}
 * together with the ES384 algorithm it is expected to describe.
 */
@Test
public void testJwtES384Template_ok() throws Exception {
  checkTemplate(KeyTemplates.get("JWT_ES384_RAW"), JwtEcdsaAlgorithm.ES384);
}
use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class JwtRsaSsaPkcs1SignKeyManagerTest method signWithTinkKeyAndCustomKid_fails.
/**
 * Expects signing to be rejected with {@link JwtInvalidException} when a custom kid is attached
 * to a key generated from the non-RAW "JWT_RS256_2048_F4" template.
 */
@Test
public void signWithTinkKeyAndCustomKid_fails() throws Exception {
  if (TestUtil.isTsan()) {
    // We do not use assume because Theories expects to find something which is not skipped.
    return;
  }

  KeysetHandle generatedHandle = KeysetHandle.generateNew(KeyTemplates.get("JWT_RS256_2048_F4"));
  KeysetHandle kidHandle =
      withCustomKid(generatedHandle, "Lorem ipsum dolor sit amet, consectetur adipiscing elit");
  JwtPublicKeySign signer = kidHandle.getPrimitive(JwtPublicKeySign.class);
  RawJwt unsignedJwt = RawJwt.newBuilder().setJwtId("jwtId").withoutExpiration().build();

  // Obtaining the primitive succeeds; the failure is expected only when a token is signed.
  assertThrows(JwtInvalidException.class, () -> signer.signAndEncode(unsignedJwt));
}
use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class JwtRsaSsaPkcs1SignKeyManagerTest method createSignVerifyRaw_withDifferentHeaders.
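/**
 * Builds signed compact JWTs with hand-written headers, signing them directly with the RSA
 * private key taken from a "JWT_RS256_2048_F4_RAW" keyset, and checks which headers the
 * keyset's {@link JwtPublicKeyVerify} accepts.
 *
 * <p>Accepted: a header with the matching "alg" plus a "typ" the validator expects, and a header
 * with the matching "alg" plus an unknown "kid". Rejected with
 * {@link GeneralSecurityException}: an empty header and a header naming an unknown algorithm.
 */
@Test
public void createSignVerifyRaw_withDifferentHeaders() throws Exception {
  if (TestUtil.isTsan()) {
    // We do not use assume because Theories expects to find something which is not skipped.
    return;
  }
  KeyTemplate template = KeyTemplates.get("JWT_RS256_2048_F4_RAW");
  KeysetHandle handle = KeysetHandle.generateNew(template);
  // Pull the private key material out of the keyset so tokens can be signed without going
  // through JwtPublicKeySign, which would always write a well-formed header.
  Keyset keyset = CleartextKeysetHandle.getKeyset(handle);
  JwtRsaSsaPkcs1PrivateKey keyProto =
      JwtRsaSsaPkcs1PrivateKey.parseFrom(
          keyset.getKey(0).getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
  RSAPrivateCrtKey privateKey = createPrivateKey(keyProto);
  JwtRsaSsaPkcs1Algorithm algorithm = keyProto.getPublicKey().getAlgorithm();
  Enums.HashType hash = JwtRsaSsaPkcs1VerifyKeyManager.hashForPkcs1Algorithm(algorithm);
  RsaSsaPkcs1SignJce rawSigner = new RsaSsaPkcs1SignJce(privateKey, hash);

  JwtPublicKeyVerify verifier =
      handle.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);
  JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();

  JsonObject payload = new JsonObject();
  payload.addProperty("jti", "jwtId");

  // valid token, with "typ" set in the header
  JsonObject goodHeader = new JsonObject();
  goodHeader.addProperty("alg", "RS256");
  goodHeader.addProperty("typ", "typeHeader");
  String goodSignedCompact = generateSignedCompact(rawSigner, goodHeader, payload);
  JwtValidator typeHeaderValidator =
      JwtValidator.newBuilder().expectTypeHeader("typeHeader").allowMissingExpiration().build();
  // Check the decoded claim as well, so the positive case proves more than "did not throw".
  assertThat(verifier.verifyAndDecode(goodSignedCompact, typeHeaderValidator).getJwtId())
      .isEqualTo("jwtId");

  // invalid token with an empty header: the signature is valid, but no "alg" is declared
  JsonObject emptyHeader = new JsonObject();
  String emptyHeaderSignedCompact = generateSignedCompact(rawSigner, emptyHeader, payload);
  assertThrows(
      GeneralSecurityException.class,
      () -> verifier.verifyAndDecode(emptyHeaderSignedCompact, validator));

  // invalid token with an unknown algorithm in the header
  JsonObject badAlgoHeader = new JsonObject();
  badAlgoHeader.addProperty("alg", "RS255");
  String badAlgoSignedCompact = generateSignedCompact(rawSigner, badAlgoHeader, payload);
  assertThrows(
      GeneralSecurityException.class,
      () -> verifier.verifyAndDecode(badAlgoSignedCompact, validator));

  // token with an unknown "kid" in the header is valid
  JsonObject unknownKidHeader = new JsonObject();
  unknownKidHeader.addProperty("alg", "RS256");
  unknownKidHeader.addProperty("kid", "unknown");
  String unknownKidSignedCompact = generateSignedCompact(rawSigner, unknownKidHeader, payload);
  assertThat(verifier.verifyAndDecode(unknownKidSignedCompact, validator).getJwtId())
      .isEqualTo("jwtId");
}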