Examples with JwtHmacKey com.google.crypto.tink.proto.JwtHmacKey used on opensource projects

Search in sources :

Example 1 with JwtHmacKey

use of com.google.crypto.tink.proto.JwtHmacKey in project tink by google.

the class JwtHmacKeyManagerTest method createSignVerifyTink_withDifferentHeaders.

@Test
public void createSignVerifyTink_withDifferentHeaders() throws Exception {
    KeyTemplate template = KeyTemplates.get("JWT_HS256");
    KeysetHandle handle = KeysetHandle.generateNew(template);
    Keyset keyset = CleartextKeysetHandle.getKeyset(handle);
    JwtHmacKey keyProto = JwtHmacKey.parseFrom(keyset.getKey(0).getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
    byte[] keyValue = keyProto.getKeyValue().toByteArray();
    SecretKeySpec keySpec = new SecretKeySpec(keyValue, "HMAC");
    PrfHmacJce prf = new PrfHmacJce("HMACSHA256", keySpec);
    PrfMac rawPrimitive = new PrfMac(prf, prf.getMaxOutputLength());
    JwtMac primitive = handle.getPrimitive(JwtMac.class);
    String kid = JwtFormat.getKid(keyset.getKey(0).getKeyId(), keyset.getKey(0).getOutputPrefixType()).get();
    JsonObject payload = new JsonObject();
    payload.addProperty("jti", "jwtId");
    JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
    // Normal, valid signed compact.
    JsonObject normalHeader = new JsonObject();
    normalHeader.addProperty("alg", "HS256");
    normalHeader.addProperty("kid", kid);
    String normalToken = generateSignedCompact(rawPrimitive, normalHeader, payload);
    primitive.verifyMacAndDecode(normalToken, validator);
    // valid token, with "typ" set in the header
    JsonObject headerWithTyp = new JsonObject();
    headerWithTyp.addProperty("alg", "HS256");
    headerWithTyp.addProperty("typ", "typeHeader");
    headerWithTyp.addProperty("kid", kid);
    String tokenWithTyp = generateSignedCompact(rawPrimitive, headerWithTyp, payload);
    primitive.verifyMacAndDecode(tokenWithTyp, JwtValidator.newBuilder().expectTypeHeader("typeHeader").allowMissingExpiration().build());
    // invalid token without algorithm
    JsonObject headerWithoutAlg = new JsonObject();
    headerWithoutAlg.addProperty("kid", kid);
    String tokenWithoutAlg = generateSignedCompact(rawPrimitive, headerWithoutAlg, payload);
    assertThrows(GeneralSecurityException.class, () -> primitive.verifyMacAndDecode(tokenWithoutAlg, validator));
    // invalid token with a valid but incorrect algorithm in the header
    JsonObject headerWithBadAlg = new JsonObject();
    headerWithBadAlg.addProperty("alg", "RS256");
    headerWithBadAlg.addProperty("kid", kid);
    String tokenWithBadAlg = generateSignedCompact(rawPrimitive, headerWithBadAlg, payload);
    assertThrows(GeneralSecurityException.class, () -> primitive.verifyMacAndDecode(tokenWithBadAlg, validator));
    // token with an unknown "kid" in the header is valid
    JsonObject headerWithUnknownKid = new JsonObject();
    headerWithUnknownKid.addProperty("alg", "HS256");
    headerWithUnknownKid.addProperty("kid", "unknown");
    String tokenWithUnknownKid = generateSignedCompact(rawPrimitive, headerWithUnknownKid, payload);
    assertThrows(GeneralSecurityException.class, () -> primitive.verifyMacAndDecode(tokenWithUnknownKid, validator));
}
Also used : KeysetHandle(com.google.crypto.tink.KeysetHandle) CleartextKeysetHandle(com.google.crypto.tink.CleartextKeysetHandle) Keyset(com.google.crypto.tink.proto.Keyset) PrfMac(com.google.crypto.tink.subtle.PrfMac) SecretKeySpec(javax.crypto.spec.SecretKeySpec) JwtHmacKey(com.google.crypto.tink.proto.JwtHmacKey) JsonObject(com.google.gson.JsonObject) PrfHmacJce(com.google.crypto.tink.subtle.PrfHmacJce) ByteString(com.google.protobuf.ByteString) KeyTemplate(com.google.crypto.tink.KeyTemplate) Test(org.junit.Test)

Example 2 with JwtHmacKey

use of com.google.crypto.tink.proto.JwtHmacKey in project tink by google.

the class JwtHmacKeyManagerTest method validateKey_notValid_throws.

@Test
public void validateKey_notValid_throws() throws Exception {
    JwtHmacKey validKey = factory.createKey(makeJwtHmacKeyFormat(32, JwtHmacAlgorithm.HS256));
    assertThrows(GeneralSecurityException.class, () -> manager.validateKey(JwtHmacKey.newBuilder(validKey).setKeyValue(ByteString.copyFrom(Random.randBytes(31))).build()));
}
Also used : JwtHmacKey(com.google.crypto.tink.proto.JwtHmacKey) Test(org.junit.Test)

Example 3 with JwtHmacKey

use of com.google.crypto.tink.proto.JwtHmacKey in project tink by google.

the class JwtHmacKeyManagerTest method createSignVerifyRaw_withDifferentHeaders.

@Test
public void createSignVerifyRaw_withDifferentHeaders() throws Exception {
    KeyTemplate template = KeyTemplates.get("JWT_HS256_RAW");
    KeysetHandle handle = KeysetHandle.generateNew(template);
    Keyset keyset = CleartextKeysetHandle.getKeyset(handle);
    JwtHmacKey keyProto = JwtHmacKey.parseFrom(keyset.getKey(0).getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
    byte[] keyValue = keyProto.getKeyValue().toByteArray();
    SecretKeySpec keySpec = new SecretKeySpec(keyValue, "HMAC");
    PrfHmacJce prf = new PrfHmacJce("HMACSHA256", keySpec);
    PrfMac rawPrimitive = new PrfMac(prf, prf.getMaxOutputLength());
    JwtMac primitive = handle.getPrimitive(JwtMac.class);
    JsonObject payload = new JsonObject();
    payload.addProperty("jti", "jwtId");
    JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
    // Normal, valid signed compact.
    JsonObject normalHeader = new JsonObject();
    normalHeader.addProperty("alg", "HS256");
    String normalSignedCompact = generateSignedCompact(rawPrimitive, normalHeader, payload);
    primitive.verifyMacAndDecode(normalSignedCompact, validator);
    // valid token, with "typ" set in the header
    JsonObject goodHeader = new JsonObject();
    goodHeader.addProperty("alg", "HS256");
    goodHeader.addProperty("typ", "typeHeader");
    String goodSignedCompact = generateSignedCompact(rawPrimitive, goodHeader, payload);
    primitive.verifyMacAndDecode(goodSignedCompact, JwtValidator.newBuilder().expectTypeHeader("typeHeader").allowMissingExpiration().build());
    // invalid token with an empty header
    JsonObject emptyHeader = new JsonObject();
    String emptyHeaderSignedCompact = generateSignedCompact(rawPrimitive, emptyHeader, payload);
    assertThrows(GeneralSecurityException.class, () -> primitive.verifyMacAndDecode(emptyHeaderSignedCompact, validator));
    // invalid token with a valid but incorrect algorithm in the header
    JsonObject badAlgoHeader = new JsonObject();
    badAlgoHeader.addProperty("alg", "RS256");
    String badAlgoSignedCompact = generateSignedCompact(rawPrimitive, badAlgoHeader, payload);
    assertThrows(GeneralSecurityException.class, () -> primitive.verifyMacAndDecode(badAlgoSignedCompact, validator));
    // for raw keys without customKid, the validation should work even if a "kid" header is present.
    JsonObject headerWithUnknownKid = new JsonObject();
    headerWithUnknownKid.addProperty("alg", "HS256");
    headerWithUnknownKid.addProperty("kid", "unknown");
    String tokenWithUnknownKid = generateSignedCompact(rawPrimitive, headerWithUnknownKid, payload);
    primitive.verifyMacAndDecode(tokenWithUnknownKid, validator);
}
Also used : KeysetHandle(com.google.crypto.tink.KeysetHandle) CleartextKeysetHandle(com.google.crypto.tink.CleartextKeysetHandle) Keyset(com.google.crypto.tink.proto.Keyset) PrfMac(com.google.crypto.tink.subtle.PrfMac) SecretKeySpec(javax.crypto.spec.SecretKeySpec) JwtHmacKey(com.google.crypto.tink.proto.JwtHmacKey) JsonObject(com.google.gson.JsonObject) PrfHmacJce(com.google.crypto.tink.subtle.PrfHmacJce) ByteString(com.google.protobuf.ByteString) KeyTemplate(com.google.crypto.tink.KeyTemplate) Test(org.junit.Test)

Example 4 with JwtHmacKey

use of com.google.crypto.tink.proto.JwtHmacKey in project tink by google.

the class JwtHmacKeyManagerTest method withCustomKid.

/* Create a new keyset handle with the "custom_kid" value set. */
private KeysetHandle withCustomKid(KeysetHandle keysetHandle, String customKid) throws Exception {
    Keyset keyset = CleartextKeysetHandle.getKeyset(keysetHandle);
    JwtHmacKey hmacKey = JwtHmacKey.parseFrom(keyset.getKey(0).getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
    JwtHmacKey hmacKeyWithKid = hmacKey.toBuilder().setCustomKid(CustomKid.newBuilder().setValue(customKid).build()).build();
    KeyData keyDataWithKid = keyset.getKey(0).getKeyData().toBuilder().setValue(hmacKeyWithKid.toByteString()).build();
    Keyset.Key keyWithKid = keyset.getKey(0).toBuilder().setKeyData(keyDataWithKid).build();
    return CleartextKeysetHandle.fromKeyset(keyset.toBuilder().setKey(0, keyWithKid).build());
}
Also used : Keyset(com.google.crypto.tink.proto.Keyset) JwtHmacKey(com.google.crypto.tink.proto.JwtHmacKey) KeyData(com.google.crypto.tink.proto.KeyData)

Example 5 with JwtHmacKey

use of com.google.crypto.tink.proto.JwtHmacKey in project tink by google.

the class JwtHmacKeyManagerTest method macWithTinkKeyAndCustomKid_fails.

@Test
public void macWithTinkKeyAndCustomKid_fails() throws Exception {
    KeyTemplate template = KeyTemplates.get("JWT_HS256");
    KeysetHandle handle = KeysetHandle.generateNew(template);
    // Create a new handle with the "kid" value set.
    Keyset keyset = CleartextKeysetHandle.getKeyset(handle);
    JwtHmacKey hmacKey = JwtHmacKey.parseFrom(keyset.getKey(0).getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
    JwtHmacKey hmacKeyWithKid = hmacKey.toBuilder().setCustomKid(CustomKid.newBuilder().setValue("Lorem ipsum dolor sit amet, consectetur adipiscing elit").build()).build();
    KeyData keyDataWithKid = keyset.getKey(0).getKeyData().toBuilder().setValue(hmacKeyWithKid.toByteString()).build();
    Keyset.Key keyWithKid = keyset.getKey(0).toBuilder().setKeyData(keyDataWithKid).build();
    KeysetHandle handleWithKid = CleartextKeysetHandle.fromKeyset(keyset.toBuilder().setKey(0, keyWithKid).build());
    JwtMac jwtMacWithKid = handleWithKid.getPrimitive(JwtMac.class);
    RawJwt rawToken = RawJwt.newBuilder().setJwtId("jwtId").withoutExpiration().build();
    assertThrows(JwtInvalidException.class, () -> jwtMacWithKid.computeMacAndEncode(rawToken));
}
Also used : KeysetHandle(com.google.crypto.tink.KeysetHandle) CleartextKeysetHandle(com.google.crypto.tink.CleartextKeysetHandle) Keyset(com.google.crypto.tink.proto.Keyset) JwtHmacKey(com.google.crypto.tink.proto.JwtHmacKey) KeyTemplate(com.google.crypto.tink.KeyTemplate) KeyData(com.google.crypto.tink.proto.KeyData) Test(org.junit.Test)

Aggregations

JwtHmacKey (com.google.crypto.tink.proto.JwtHmacKey)8 Test (org.junit.Test)6 Keyset (com.google.crypto.tink.proto.Keyset)5 CleartextKeysetHandle (com.google.crypto.tink.CleartextKeysetHandle)3 KeyTemplate (com.google.crypto.tink.KeyTemplate)3 KeysetHandle (com.google.crypto.tink.KeysetHandle)3 KeyData (com.google.crypto.tink.proto.KeyData)3 ByteString (com.google.protobuf.ByteString)3 PrfHmacJce (com.google.crypto.tink.subtle.PrfHmacJce)2 PrfMac (com.google.crypto.tink.subtle.PrfMac)2 JsonObject (com.google.gson.JsonObject)2 SecretKeySpec (javax.crypto.spec.SecretKeySpec)2 JwtHmacKeyFormat (com.google.crypto.tink.proto.JwtHmacKeyFormat)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial