Use of com.google.crypto.tink.KeyTemplate in project tink by google.
Class JwtHmacKeyManagerTest, method createSignVerifyRaw_withDifferentHeaders.
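@Test
public void createSignVerifyRaw_withDifferentHeaders() throws Exception {
  // Generate a raw (no output prefix) HS256 key and pull the secret out of the
  // cleartext keyset so the test can MAC hand-built headers with a plain HMAC
  // primitive, bypassing the JwtMac encoder entirely.
  KeyTemplate template = KeyTemplates.get("JWT_HS256_RAW");
  KeysetHandle handle = KeysetHandle.generateNew(template);
  Keyset keyset = CleartextKeysetHandle.getKeyset(handle);
  JwtHmacKey keyProto =
      JwtHmacKey.parseFrom(
          keyset.getKey(0).getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
  byte[] keyValue = keyProto.getKeyValue().toByteArray();
  SecretKeySpec keySpec = new SecretKeySpec(keyValue, "HMAC");
  PrfHmacJce prf = new PrfHmacJce("HMACSHA256", keySpec);
  PrfMac rawPrimitive = new PrfMac(prf, prf.getMaxOutputLength());
  JwtMac primitive = handle.getPrimitive(JwtMac.class);

  JsonObject payload = new JsonObject();
  payload.addProperty("jti", "jwtId");
  JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();

  // Normal, valid signed compact: must verify and decode back to the original "jti"
  // claim, not merely fail to throw.
  JsonObject normalHeader = new JsonObject();
  normalHeader.addProperty("alg", "HS256");
  String normalSignedCompact = generateSignedCompact(rawPrimitive, normalHeader, payload);
  assertThat(primitive.verifyMacAndDecode(normalSignedCompact, validator).getJwtId())
      .isEqualTo("jwtId");

  // Valid token with "typ" set in the header; the validator must be told to expect it.
  JsonObject goodHeader = new JsonObject();
  goodHeader.addProperty("alg", "HS256");
  goodHeader.addProperty("typ", "typeHeader");
  String goodSignedCompact = generateSignedCompact(rawPrimitive, goodHeader, payload);
  JwtValidator typedValidator =
      JwtValidator.newBuilder().expectTypeHeader("typeHeader").allowMissingExpiration().build();
  assertThat(primitive.verifyMacAndDecode(goodSignedCompact, typedValidator).getJwtId())
      .isEqualTo("jwtId");

  // Invalid token with an empty header: a correct MAC over a header without "alg" is
  // still rejected.
  JsonObject emptyHeader = new JsonObject();
  String emptyHeaderSignedCompact = generateSignedCompact(rawPrimitive, emptyHeader, payload);
  assertThrows(
      GeneralSecurityException.class,
      () -> primitive.verifyMacAndDecode(emptyHeaderSignedCompact, validator));

  // Invalid token with a well-formed but wrong algorithm in the header: the verifier
  // binds the header "alg" to the key's own algorithm, so a valid HMAC labelled RS256
  // must not verify.
  JsonObject badAlgoHeader = new JsonObject();
  badAlgoHeader.addProperty("alg", "RS256");
  String badAlgoSignedCompact = generateSignedCompact(rawPrimitive, badAlgoHeader, payload);
  assertThrows(
      GeneralSecurityException.class,
      () -> primitive.verifyMacAndDecode(badAlgoSignedCompact, validator));

  // For raw keys without customKid, validation should succeed even if a "kid" header is
  // present; the decoded claims must still match.
  JsonObject headerWithUnknownKid = new JsonObject();
  headerWithUnknownKid.addProperty("alg", "HS256");
  headerWithUnknownKid.addProperty("kid", "unknown");
  String tokenWithUnknownKid = generateSignedCompact(rawPrimitive, headerWithUnknownKid, payload);
  assertThat(primitive.verifyMacAndDecode(tokenWithUnknownKid, validator).getJwtId())
      .isEqualTo("jwtId");
}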
Use of com.google.crypto.tink.KeyTemplate in project tink by google.
Class JwtHmacKeyManagerTest, method testHs512Template.
@Test
public void testHs512Template() throws Exception {
  // JWT_HS512 must target the JWT HMAC key manager, use the TINK output prefix and
  // describe a 64-byte HS512 key.
  KeyTemplate hs512 = KeyTemplates.get("JWT_HS512");
  JwtHmacKeyManager manager = new JwtHmacKeyManager();
  assertThat(hs512.getTypeUrl()).isEqualTo(manager.getKeyType());
  assertThat(hs512.getOutputPrefixType()).isEqualTo(KeyTemplate.OutputPrefixType.TINK);

  JwtHmacKeyFormat keyFormat =
      JwtHmacKeyFormat.parseFrom(hs512.getValue(), ExtensionRegistryLite.getEmptyRegistry());
  assertThat(keyFormat.getAlgorithm()).isEqualTo(JwtHmacAlgorithm.HS512);
  assertThat(keyFormat.getKeySize()).isEqualTo(64);
}
Use of com.google.crypto.tink.KeyTemplate in project tink by google.
Class JwtHmacKeyManagerTest, method verify_audience_success.
@Test
public void verify_audience_success() throws Exception {
  // A token carrying audience "foo" must pass a validator that expects exactly that
  // audience, and the decoded token must expose it as its only audience.
  KeysetHandle handle = KeysetHandle.generateNew(KeyTemplates.get("JWT_HS256"));
  JwtMac mac = handle.getPrimitive(JwtMac.class);

  RawJwt rawJwt = RawJwt.newBuilder().addAudience("foo").withoutExpiration().build();
  String compact = mac.computeMacAndEncode(rawJwt);

  JwtValidator expectsFoo =
      JwtValidator.newBuilder().expectAudience("foo").allowMissingExpiration().build();
  VerifiedJwt verified = mac.verifyMacAndDecode(compact, expectsFoo);
  assertThat(verified.getAudiences()).containsExactly("foo");
}
Use of com.google.crypto.tink.KeyTemplate in project tink by google.
Class JwtPublicKeySignVerifyWrappersTest, method test_wrapMultipleRawKeys.
@Test
public void test_wrapMultipleRawKeys() throws Exception {
  // Two snapshots of the same keyset manager: the first holds one raw ES256 key, the
  // second adds a further raw key and makes it primary.
  KeyTemplate rawTemplate = KeyTemplates.get("JWT_ES256_RAW");
  KeysetManager manager = KeysetManager.withEmptyKeyset();

  manager.addNewKey(KeyTemplateProtoConverter.toProto(rawTemplate), /* asPrimary= */ true);
  KeysetHandle handleWithOneKey = manager.getKeysetHandle();
  manager.addNewKey(KeyTemplateProtoConverter.toProto(rawTemplate), /* asPrimary= */ true);
  KeysetHandle handleWithTwoKeys = manager.getKeysetHandle();

  JwtPublicKeySign signerOne = handleWithOneKey.getPrimitive(JwtPublicKeySign.class);
  JwtPublicKeySign signerTwo = handleWithTwoKeys.getPrimitive(JwtPublicKeySign.class);
  JwtPublicKeyVerify verifierOne =
      handleWithOneKey.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);
  JwtPublicKeyVerify verifierTwo =
      handleWithTwoKeys.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);

  RawJwt rawToken = RawJwt.newBuilder().setJwtId("jwtId").withoutExpiration().build();
  String compactFromOne = signerOne.signAndEncode(rawToken);
  String compactFromTwo = signerTwo.signAndEncode(rawToken);
  JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();

  // The verifier over both keys accepts tokens from either signer; since raw keys carry
  // no key-id prefix, it has to try every key. The single-key verifier must reject a
  // token signed by the key it does not hold.
  assertThat(verifierOne.verifyAndDecode(compactFromOne, validator).getJwtId())
      .isEqualTo("jwtId");
  assertThat(verifierTwo.verifyAndDecode(compactFromOne, validator).getJwtId())
      .isEqualTo("jwtId");
  assertThat(verifierTwo.verifyAndDecode(compactFromTwo, validator).getJwtId())
      .isEqualTo("jwtId");
  assertThrows(
      GeneralSecurityException.class,
      () -> verifierOne.verifyAndDecode(compactFromTwo, validator));
}
Use of com.google.crypto.tink.KeyTemplate in project tink by google.
Class JwtPublicKeySignVerifyWrappersTest, method notYetValidCompact_throwsInvalidException.
@Test
public void notYetValidCompact_throwsInvalidException() throws Exception {
  // A correctly signed token whose "nbf" lies in the future must be rejected as
  // invalid by the verifier, even though its signature checks out.
  KeysetHandle privateHandle = KeysetHandle.generateNew(KeyTemplates.get("JWT_ES256"));
  JwtPublicKeySign signer = privateHandle.getPrimitive(JwtPublicKeySign.class);
  JwtPublicKeyVerify verifier =
      privateHandle.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);

  Instant now = Clock.systemUTC().instant().truncatedTo(ChronoUnit.SECONDS);
  Instant oneHourAhead = now.plusSeconds(3600);
  // Issued now, but only valid from one hour in the future.
  RawJwt notYetValid =
      RawJwt.newBuilder()
          .setIssuedAt(now)
          .setNotBefore(oneHourAhead)
          .withoutExpiration()
          .build();
  String compact = signer.signAndEncode(notYetValid);

  JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
  assertThrows(JwtInvalidException.class, () -> verifier.verifyAndDecode(compact, validator));
}