Use of com.google.crypto.tink.proto.JwtEcdsaPrivateKey in project Tink by Google.
The class JwtEcdsaSignKeyManagerTest, method createSignVerifyRaw_withDifferentHeaders.
@Test
public void createSignVerifyRaw_withDifferentHeaders() throws Exception {
  // KeysetHandle.generateNew is too slow in Tsan.
  assumeFalse(TestUtil.isTsan());

  // Generate a RAW ES256 key and pull the private key proto out of the cleartext keyset so a
  // plain EcdsaSignJce can produce signatures over headers the Tink JWT signer would never emit.
  KeysetHandle handle = KeysetHandle.generateNew(KeyTemplates.get("JWT_ES256_RAW"));
  Keyset keyset = CleartextKeysetHandle.getKeyset(handle);
  JwtEcdsaPrivateKey keyProto =
      JwtEcdsaPrivateKey.parseFrom(
          keyset.getKey(0).getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
  JwtEcdsaAlgorithm algorithm = keyProto.getPublicKey().getAlgorithm();
  ECPrivateKey privateKey =
      EllipticCurves.getEcPrivateKey(
          JwtEcdsaVerifyKeyManager.getCurve(algorithm), keyProto.getKeyValue().toByteArray());
  Enums.HashType hash = JwtEcdsaVerifyKeyManager.hashForEcdsaAlgorithm(algorithm);
  EcdsaSignJce rawSigner = new EcdsaSignJce(privateKey, hash, EcdsaEncoding.IEEE_P1363);

  JwtPublicKeyVerify verifier =
      handle.getPublicKeysetHandle().getPrimitive(JwtPublicKeyVerify.class);
  JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();

  // Payload shared by every token below. Note the claim name is "jid", not the registered "jti".
  JsonObject payload = new JsonObject();
  payload.addProperty("jid", "jwtId");

  // 1) Header carrying only the correct "alg": must verify.
  JsonObject algOnlyHeader = new JsonObject();
  algOnlyHeader.addProperty("alg", "ES256");
  verifier.verifyAndDecode(generateSignedCompact(rawSigner, algOnlyHeader, payload), validator);

  // 2) Correct "alg" plus a "typ" header: must verify when the validator expects that "typ".
  JsonObject typedHeader = new JsonObject();
  typedHeader.addProperty("alg", "ES256");
  typedHeader.addProperty("typ", "typeHeader");
  JwtValidator typValidator =
      JwtValidator.newBuilder().expectTypeHeader("typeHeader").allowMissingExpiration().build();
  verifier.verifyAndDecode(generateSignedCompact(rawSigner, typedHeader, payload), typValidator);

  // 3) Empty header (no "alg" at all): rejected even though the signature itself is valid.
  String noAlgCompact = generateSignedCompact(rawSigner, new JsonObject(), payload);
  assertThrows(
      GeneralSecurityException.class, () -> verifier.verifyAndDecode(noAlgCompact, validator));

  // 4) "alg" names a real but wrong algorithm: rejected even though the signature itself is
  // valid, so a mismatched "alg" cannot be used for algorithm confusion.
  JsonObject wrongAlgHeader = new JsonObject();
  wrongAlgHeader.addProperty("alg", "RS256");
  String wrongAlgCompact = generateSignedCompact(rawSigner, wrongAlgHeader, payload);
  assertThrows(
      GeneralSecurityException.class, () -> verifier.verifyAndDecode(wrongAlgCompact, validator));

  // 5) For RAW keys an unknown "kid" in the header does not prevent verification.
  JsonObject kidHeader = new JsonObject();
  kidHeader.addProperty("alg", "ES256");
  kidHeader.addProperty("kid", "unknown");
  verifier.verifyAndDecode(generateSignedCompact(rawSigner, kidHeader, payload), validator);
}
Use of com.google.crypto.tink.proto.JwtEcdsaPrivateKey in project Tink by Google.
The class JwtEcdsaSignKeyManagerTest, method createCorruptedPublicKeyPrimitive_throws.
// Note: we use Theory as a parametrized test -- different from what the Theory framework intends.
@Theory
public void createCorruptedPublicKeyPrimitive_throws(
    @FromDataPoints("parametersAlgos") JwtEcdsaAlgorithm algorithm) throws Exception {
  JwtEcdsaPrivateKey key = factory.createKey(createKeyFormat(algorithm));
  JwtEcdsaPublicKey pub = key.getPublicKey();

  // Flip the lowest bit of the first byte of X while keeping Y and the private scalar as they
  // were, so the public point no longer corresponds to the private key value.
  byte[] tamperedX = pub.getX().toByteArray();
  tamperedX[0] ^= 0x01;

  JwtEcdsaPublicKey tamperedPub =
      JwtEcdsaPublicKey.newBuilder()
          .setVersion(pub.getVersion())
          .setAlgorithm(algorithm)
          .setX(ByteString.copyFrom(tamperedX))
          .setY(pub.getY())
          .build();
  JwtEcdsaPrivateKey tamperedKey =
      JwtEcdsaPrivateKey.newBuilder()
          .setVersion(key.getVersion())
          .setPublicKey(tamperedPub)
          .setKeyValue(key.getKeyValue())
          .build();

  // The key manager must reject the inconsistent key pair instead of handing out a signer.
  assertThrows(
      GeneralSecurityException.class,
      () -> manager.getPrimitive(tamperedKey, JwtPublicKeySignInternal.class));
}
Use of com.google.crypto.tink.proto.JwtEcdsaPrivateKey in project Tink by Google.
The class JwtEcdsaVerifyKeyManagerTest, method createPrimitive_anotherKey_throw.
// Note: we use Theory as a parametrized test -- different from what the Theory framework intends.
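@Theory
public void createPrimitive_anotherKey_throw(
    @FromDataPoints("parametersAlgos") JwtEcdsaAlgorithm algorithm) throws Exception {
  if (TestUtil.isTsan()) {
    // factory.createKey is too slow in Tsan.
    // NOTE(review): returning here reports the test as passed rather than skipped.
    return;
  }
  JwtEcdsaKeyFormat keyFormat = JwtEcdsaKeyFormat.newBuilder().setAlgorithm(algorithm).build();

  // Two independently generated key pairs with the same parameters: sign with the first...
  JwtEcdsaPrivateKey privateKey = factory.createKey(keyFormat);
  JwtPublicKeySignInternal signer =
      signManager.getPrimitive(privateKey, JwtPublicKeySignInternal.class);
  // ...and verify with the public half of the second.
  JwtEcdsaPublicKey otherPublicKey = signManager.getPublicKey(factory.createKey(keyFormat));
  JwtPublicKeyVerifyInternal verifier =
      verifyManager.getPrimitive(otherPublicKey, JwtPublicKeyVerifyInternal.class);

  RawJwt token = RawJwt.newBuilder().withoutExpiration().build();
  JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();

  // Sign outside of assertThrows: a failure while signing must fail the test, not be mistaken
  // for the expected verification failure.
  String compact = signer.signAndEncodeWithKid(token, Optional.empty());
  assertThrows(
      GeneralSecurityException.class,
      () -> verifier.verifyAndDecodeWithKid(compact, validator, Optional.empty()));
}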
Use of com.google.crypto.tink.proto.JwtEcdsaPrivateKey in project Tink by Google.
The class JwtEcdsaVerifyKeyManagerTest, method validateKey_ok.
// Note: we use Theory as a parametrized test -- different from what the Theory framework intends.
@Theory
public void validateKey_ok(@FromDataPoints("parametersAlgos") JwtEcdsaAlgorithm algorithm)
    throws Exception {
  if (TestUtil.isTsan()) {
    // factory.createKey is too slow in Tsan.
    return;
  }
  // The public half of a freshly generated private key must pass the verify manager's validation.
  JwtEcdsaPrivateKey privateKey =
      factory.createKey(JwtEcdsaKeyFormat.newBuilder().setAlgorithm(algorithm).build());
  verifyManager.validateKey(signManager.getPublicKey(privateKey));
}
Use of com.google.crypto.tink.proto.JwtEcdsaPrivateKey in project Tink by Google.
The class JwtEcdsaVerifyKeyManagerTest, method createPrimitive_ok.
// Note: we use Theory as a parametrized test -- different from what the Theory framework intends.
@Theory
public void createPrimitive_ok(@FromDataPoints("parametersAlgos") JwtEcdsaAlgorithm algorithm)
    throws Exception {
  if (TestUtil.isTsan()) {
    // factory.createKey is too slow in Tsan.
    // NOTE(review): returning here reports the test as passed rather than skipped.
    return;
  }
  JwtEcdsaKeyFormat keyFormat = JwtEcdsaKeyFormat.newBuilder().setAlgorithm(algorithm).build();
  JwtEcdsaPrivateKey privateKey = factory.createKey(keyFormat);

  // Sign with the private key and verify with its own public half: the round trip must succeed.
  JwtPublicKeySignInternal signer =
      signManager.getPrimitive(privateKey, JwtPublicKeySignInternal.class);
  JwtPublicKeyVerifyInternal verifier =
      verifyManager.getPrimitive(
          signManager.getPublicKey(privateKey), JwtPublicKeyVerifyInternal.class);

  // No key id is supplied on either side.
  String compact =
      signer.signAndEncodeWithKid(
          RawJwt.newBuilder().withoutExpiration().build(), Optional.empty());
  verifier.verifyAndDecodeWithKid(
      compact, JwtValidator.newBuilder().allowMissingExpiration().build(), Optional.empty());
}