use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class JwtMacWrapperTest method test_wrapLegacy_throws.
@Test
public void test_wrapLegacy_throws() throws Exception {
  // Reuse the key type and serialized parameters of the stock raw HS256 JWT template, but
  // re-label the template with the LEGACY output prefix type.
  KeyTemplate base = KeyTemplates.get("JWT_HS256_RAW");
  String typeUrl = base.getTypeUrl();
  byte[] serializedFormat = base.getValue();
  KeyTemplate legacyTemplate =
      KeyTemplate.create(typeUrl, serializedFormat, KeyTemplate.OutputPrefixType.LEGACY);

  // Key generation itself succeeds; the rejection is expected only when the keyset is wrapped
  // into a JwtMac primitive.
  KeysetHandle legacyHandle = KeysetHandle.generateNew(legacyTemplate);

  // A keyset carrying a LEGACY-prefixed key must fail closed at getPrimitive, so such a keyset
  // can never be used to issue or verify tokens.
  assertThrows(GeneralSecurityException.class, () -> legacyHandle.getPrimitive(JwtMac.class));
}
use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class JwtMacWrapperTest method test_wrapSingleTinkKey_works.
@Test
public void test_wrapSingleTinkKey_works() throws Exception {
  // Sign-then-verify round trip with a single key from the non-RAW "JWT_HS256" template
  // (the test name refers to it as a Tink key).
  KeysetHandle keyset = KeysetHandle.generateNew(KeyTemplates.get("JWT_HS256"));
  JwtMac primitive = keyset.getPrimitive(JwtMac.class);

  // The token is deliberately built without an expiration. That is a test convenience: the
  // builder has to be told explicitly (withoutExpiration) that no expiry is intended.
  RawJwt.Builder tokenBuilder = RawJwt.newBuilder();
  tokenBuilder.setJwtId("id123");
  tokenBuilder.withoutExpiration();
  String compact = primitive.computeMacAndEncode(tokenBuilder.build());

  // The validator likewise has to opt in to accepting a token with no expiry. Outside of
  // tests this opt-in is normally left off so that unbounded-lifetime tokens are rejected.
  JwtValidator permissiveValidator = JwtValidator.newBuilder().allowMissingExpiration().build();

  VerifiedJwt decoded = primitive.verifyMacAndDecode(compact, permissiveValidator);
  assertThat(decoded.getJwtId()).isEqualTo("id123");
}
use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class JwtMacWrapperTest method test_wrapMultipleKeys.
@Test
public void test_wrapMultipleKeys() throws Exception {
  // Models a key rotation: the "before" keyset holds only the first key, the "after" keyset
  // holds both keys with the second one promoted to primary. The assertions below rely on the
  // first handle being a snapshot taken before the second key is added.
  KeyTemplate hs256 = KeyTemplates.get("JWT_HS256");
  KeysetManager rotation = KeysetManager.withEmptyKeyset();

  rotation.addNewKey(KeyTemplateProtoConverter.toProto(hs256), /* asPrimary= */ true);
  KeysetHandle beforeRotation = rotation.getKeysetHandle();

  rotation.addNewKey(KeyTemplateProtoConverter.toProto(hs256), /* asPrimary= */ true);
  KeysetHandle afterRotation = rotation.getKeysetHandle();

  JwtMac oldJwtMac = beforeRotation.getPrimitive(JwtMac.class);
  JwtMac newJwtMac = afterRotation.getPrimitive(JwtMac.class);

  // The same claims are signed once by each primitive.
  RawJwt claims = RawJwt.newBuilder().setJwtId("jwtId").withoutExpiration().build();
  String oldSignedCompact = oldJwtMac.computeMacAndEncode(claims);
  String newSignedCompact = newJwtMac.computeMacAndEncode(claims);

  JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();

  // A token from the old key verifies against its own keyset ...
  VerifiedJwt oldByOld = oldJwtMac.verifyMacAndDecode(oldSignedCompact, validator);
  assertThat(oldByOld.getJwtId()).isEqualTo("jwtId");

  // ... and still verifies after rotation, because the rotated keyset retains the old key.
  VerifiedJwt oldByNew = newJwtMac.verifyMacAndDecode(oldSignedCompact, validator);
  assertThat(oldByNew.getJwtId()).isEqualTo("jwtId");

  // A token from the rotated keyset verifies against that keyset.
  VerifiedJwt newByNew = newJwtMac.verifyMacAndDecode(newSignedCompact, validator);
  assertThat(newByNew.getJwtId()).isEqualTo("jwtId");

  // The reverse direction must fail: a verifier that only has the pre-rotation keyset does not
  // know the new key. Operationally, verifiers need the new key before a signer makes it
  // primary, or freshly issued tokens are rejected.
  assertThrows(
      GeneralSecurityException.class,
      () -> oldJwtMac.verifyMacAndDecode(newSignedCompact, validator));
}
use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class JwtMacWrapperTest method test_wrapSingleRawKey_works.
@Test
public void test_wrapSingleRawKey_works() throws Exception {
  // Sign-then-verify round trip with a single key from the "JWT_HS256_RAW" template.
  KeysetHandle rawKeyset = KeysetHandle.generateNew(KeyTemplates.get("JWT_HS256_RAW"));
  JwtMac rawMac = rawKeyset.getPrimitive(JwtMac.class);

  // No expiration is set on the token; the builder requires that choice to be explicit.
  RawJwt.Builder claims = RawJwt.newBuilder();
  claims.setJwtId("id123");
  claims.withoutExpiration();
  String compact = rawMac.computeMacAndEncode(claims.build());

  // The validator must opt in to tokens without an expiry. This is acceptable in a test;
  // a production validator would normally keep the expiry requirement.
  JwtValidator.Builder validatorBuilder = JwtValidator.newBuilder();
  validatorBuilder.allowMissingExpiration();
  JwtValidator lenientValidator = validatorBuilder.build();

  VerifiedJwt decoded = rawMac.verifyMacAndDecode(compact, lenientValidator);
  assertThat(decoded.getJwtId()).isEqualTo("id123");
}
use of com.google.crypto.tink.KeyTemplate in project tink by google.
the class JwtHmacKeyManagerTest method validate_notBefore_clockSkew_success.
@Test
public void validate_notBefore_clockSkew_success() throws Exception {
  JwtMac mac = KeysetHandle.generateNew(KeyTemplates.get("JWT_HS256")).getPrimitive(JwtMac.class);

  // Build a token whose not-before time lies one minute after the current UTC instant, i.e. a
  // token that is not yet valid when it is issued.
  Clock utcClock = Clock.systemUTC();
  Instant now = utcClock.instant();
  Instant notBefore = now.plus(Duration.ofMinutes(1));
  RawJwt.Builder claims = RawJwt.newBuilder();
  claims.setNotBefore(notBefore);
  claims.withoutExpiration();
  RawJwt unverified = claims.build();
  String compact = mac.computeMacAndEncode(unverified);

  // The validator tolerates one minute of clock skew, which is what this test expects to make
  // the not-yet-valid token acceptable. Skew widens the acceptance window on both time claims,
  // so real deployments keep it as small as their clock synchronisation allows.
  JwtValidator.Builder validatorBuilder = JwtValidator.newBuilder();
  validatorBuilder.allowMissingExpiration();
  validatorBuilder.setClockSkew(Duration.ofMinutes(1));
  JwtValidator skewTolerantValidator = validatorBuilder.build();

  VerifiedJwt token = mac.verifyMacAndDecode(compact, skewTolerantValidator);
  // The decoded not-before claim must match what the unverified token reports.
  assertThat(token.getNotBefore()).isEqualTo(unverified.getNotBefore());
}