
Example 1 with PrfHmacJce

use of com.google.crypto.tink.subtle.PrfHmacJce in project tink by google.

the class JwtHmacKeyManagerTest method createSignVerifyTink_withDifferentHeaders.

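/**
 * Checks which JOSE headers a {@code JwtMac} created from a "JWT_HS256" keyset accepts.
 *
 * <p>The test extracts the raw HMAC key, builds its own HMAC-SHA256 MAC from it and uses that MAC
 * (via {@code generateSignedCompact}, defined elsewhere in the test class) to produce tokens with
 * hand-written headers. Presumably every token therefore carries a tag computed with the right
 * key, so a rejection is caused by header validation rather than by a bad tag.
 *
 * <p>Accepted: the expected "alg" and "kid", with or without a matching "typ". Rejected: a
 * missing "alg", an "alg" naming a different algorithm ("RS256"), and a "kid" that differs from
 * the one derived from the key.
 *
 * @throws Exception if key generation, parsing or an expected-valid verification fails
 */
@Test
public void createSignVerifyTink_withDifferentHeaders() throws Exception {
    KeyTemplate template = KeyTemplates.get("JWT_HS256");
    KeysetHandle handle = KeysetHandle.generateNew(template);
    // Test-only: CleartextKeysetHandle hands out the unencrypted keyset so the raw key bytes can
    // be read below. Production code should not need this access path.
    Keyset keyset = CleartextKeysetHandle.getKeyset(handle);
    // All lookups below use the first (and, for a freshly generated handle, presumably only) key.
    Keyset.Key keyEntry = keyset.getKey(0);
    JwtHmacKey keyProto = JwtHmacKey.parseFrom(keyEntry.getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
    byte[] keyValue = keyProto.getKeyValue().toByteArray();
    SecretKeySpec keySpec = new SecretKeySpec(keyValue, "HMAC");
    PrfHmacJce prf = new PrfHmacJce("HMACSHA256", keySpec);
    // Untruncated tag: the MAC length equals the PRF's maximum output length.
    PrfMac rawPrimitive = new PrfMac(prf, prf.getMaxOutputLength());
    JwtMac primitive = handle.getPrimitive(JwtMac.class);
    // The "kid" the library derives from the key id and output prefix type of this key.
    String kid = JwtFormat.getKid(keyEntry.getKeyId(), keyEntry.getOutputPrefixType()).get();
    JsonObject payload = new JsonObject();
    payload.addProperty("jti", "jwtId");
    // The payload carries no "exp" claim, so the validator is told to tolerate its absence.
    JwtValidator validator = JwtValidator.newBuilder().allowMissingExpiration().build();
    // Normal, valid signed compact.
    JsonObject normalHeader = new JsonObject();
    normalHeader.addProperty("alg", "HS256");
    normalHeader.addProperty("kid", kid);
    String normalToken = generateSignedCompact(rawPrimitive, normalHeader, payload);
    primitive.verifyMacAndDecode(normalToken, validator);
    // valid token, with "typ" set in the header; the validator must expect that exact value
    JsonObject headerWithTyp = new JsonObject();
    headerWithTyp.addProperty("alg", "HS256");
    headerWithTyp.addProperty("typ", "typeHeader");
    headerWithTyp.addProperty("kid", kid);
    String tokenWithTyp = generateSignedCompact(rawPrimitive, headerWithTyp, payload);
    JwtValidator typValidator = JwtValidator.newBuilder().expectTypeHeader("typeHeader").allowMissingExpiration().build();
    primitive.verifyMacAndDecode(tokenWithTyp, typValidator);
    // invalid token without algorithm
    JsonObject headerWithoutAlg = new JsonObject();
    headerWithoutAlg.addProperty("kid", kid);
    String tokenWithoutAlg = generateSignedCompact(rawPrimitive, headerWithoutAlg, payload);
    assertThrows(GeneralSecurityException.class, () -> primitive.verifyMacAndDecode(tokenWithoutAlg, validator));
    // invalid token with a valid but incorrect algorithm in the header: the verifier must not
    // accept an "alg" that differs from the algorithm of its own key
    JsonObject headerWithBadAlg = new JsonObject();
    headerWithBadAlg.addProperty("alg", "RS256");
    headerWithBadAlg.addProperty("kid", kid);
    String tokenWithBadAlg = generateSignedCompact(rawPrimitive, headerWithBadAlg, payload);
    assertThrows(GeneralSecurityException.class, () -> primitive.verifyMacAndDecode(tokenWithBadAlg, validator));
    // invalid token: a "kid" that does not match the one derived from the key is rejected
    // (the original comment called this token valid, which contradicted the assertion below)
    JsonObject headerWithUnknownKid = new JsonObject();
    headerWithUnknownKid.addProperty("alg", "HS256");
    headerWithUnknownKid.addProperty("kid", "unknown");
    String tokenWithUnknownKid = generateSignedCompact(rawPrimitive, headerWithUnknownKid, payload);
    assertThrows(GeneralSecurityException.class, () -> primitive.verifyMacAndDecode(tokenWithUnknownKid, validator));
}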
Also used : KeysetHandle(com.google.crypto.tink.KeysetHandle) CleartextKeysetHandle(com.google.crypto.tink.CleartextKeysetHandle) Keyset(com.google.crypto.tink.proto.Keyset) PrfMac(com.google.crypto.tink.subtle.PrfMac) SecretKeySpec(javax.crypto.spec.SecretKeySpec) JwtHmacKey(com.google.crypto.tink.proto.JwtHmacKey) JsonObject(com.google.gson.JsonObject) PrfHmacJce(com.google.crypto.tink.subtle.PrfHmacJce) ByteString(com.google.protobuf.ByteString) KeyTemplate(com.google.crypto.tink.KeyTemplate) Test(org.junit.Test)

Example 2 with PrfHmacJce

use of com.google.crypto.tink.subtle.PrfHmacJce in project tink by google.

the class JwtHmacKeyManagerTest method createSignVerifyRaw_withDifferentHeaders.

/**
 * Checks which JOSE headers a {@code JwtMac} created from a "JWT_HS256_RAW" keyset accepts.
 *
 * <p>Tokens are produced with a MAC built directly from the extracted HMAC key (through
 * {@code generateSignedCompact}, defined elsewhere in the test class), so the headers can be
 * chosen freely. Accepted: "alg" = "HS256", optionally with a matching "typ" or with an arbitrary
 * "kid". Rejected: an empty header and an "alg" naming a different algorithm ("RS256").
 *
 * @throws Exception if key generation, parsing or an expected-valid verification fails
 */
@Test
public void createSignVerifyRaw_withDifferentHeaders() throws Exception {
    KeysetHandle handle = KeysetHandle.generateNew(KeyTemplates.get("JWT_HS256_RAW"));
    // Test-only: the unencrypted keyset is read so the raw key bytes can be reused below.
    Keyset keyset = CleartextKeysetHandle.getKeyset(handle);
    JwtHmacKey hmacKeyProto = JwtHmacKey.parseFrom(keyset.getKey(0).getKeyData().getValue(), ExtensionRegistryLite.getEmptyRegistry());
    byte[] macKeyBytes = hmacKeyProto.getKeyValue().toByteArray();
    PrfHmacJce hmacPrf = new PrfHmacJce("HMACSHA256", new SecretKeySpec(macKeyBytes, "HMAC"));
    // Untruncated tag: the MAC length equals the PRF's maximum output length.
    PrfMac directMac = new PrfMac(hmacPrf, hmacPrf.getMaxOutputLength());
    JwtMac jwtMac = handle.getPrimitive(JwtMac.class);

    JsonObject claims = new JsonObject();
    claims.addProperty("jti", "jwtId");
    // The claims hold no "exp", so the validator has to tolerate a missing expiration.
    JwtValidator lenientValidator = JwtValidator.newBuilder().allowMissingExpiration().build();

    // Baseline: only "alg" is set, and it names the key's algorithm.
    JsonObject algOnlyHeader = new JsonObject();
    algOnlyHeader.addProperty("alg", "HS256");
    String algOnlyToken = generateSignedCompact(directMac, algOnlyHeader, claims);
    jwtMac.verifyMacAndDecode(algOnlyToken, lenientValidator);

    // Accepted: a "typ" header, provided the validator expects exactly that value.
    JsonObject typHeader = new JsonObject();
    typHeader.addProperty("alg", "HS256");
    typHeader.addProperty("typ", "typeHeader");
    String typToken = generateSignedCompact(directMac, typHeader, claims);
    JwtValidator typValidator = JwtValidator.newBuilder().expectTypeHeader("typeHeader").allowMissingExpiration().build();
    jwtMac.verifyMacAndDecode(typToken, typValidator);

    // Rejected: a header with no fields at all (and therefore no "alg").
    JsonObject noFieldsHeader = new JsonObject();
    String noFieldsToken = generateSignedCompact(directMac, noFieldsHeader, claims);
    assertThrows(GeneralSecurityException.class, () -> jwtMac.verifyMacAndDecode(noFieldsToken, lenientValidator));

    // Rejected: a well-known algorithm name that is not the algorithm of this key.
    JsonObject wrongAlgHeader = new JsonObject();
    wrongAlgHeader.addProperty("alg", "RS256");
    String wrongAlgToken = generateSignedCompact(directMac, wrongAlgHeader, claims);
    assertThrows(GeneralSecurityException.class, () -> jwtMac.verifyMacAndDecode(wrongAlgToken, lenientValidator));

    // Accepted: for raw keys without customKid, a "kid" header does not affect validation.
    JsonObject arbitraryKidHeader = new JsonObject();
    arbitraryKidHeader.addProperty("alg", "HS256");
    arbitraryKidHeader.addProperty("kid", "unknown");
    String arbitraryKidToken = generateSignedCompact(directMac, arbitraryKidHeader, claims);
    jwtMac.verifyMacAndDecode(arbitraryKidToken, lenientValidator);
}
Also used : KeysetHandle(com.google.crypto.tink.KeysetHandle) CleartextKeysetHandle(com.google.crypto.tink.CleartextKeysetHandle) Keyset(com.google.crypto.tink.proto.Keyset) PrfMac(com.google.crypto.tink.subtle.PrfMac) SecretKeySpec(javax.crypto.spec.SecretKeySpec) JwtHmacKey(com.google.crypto.tink.proto.JwtHmacKey) JsonObject(com.google.gson.JsonObject) PrfHmacJce(com.google.crypto.tink.subtle.PrfHmacJce) ByteString(com.google.protobuf.ByteString) KeyTemplate(com.google.crypto.tink.KeyTemplate) Test(org.junit.Test)

Example 3 with PrfHmacJce

use of com.google.crypto.tink.subtle.PrfHmacJce in project tink by google.

the class HmacKeyManagerTest method getPrimitive_worksForSha512.

/**
 * Verifies that the {@code Mac} returned by the key manager for a SHA512 HMAC key agrees with a
 * MAC built by hand from the same key bytes.
 *
 * <p>The hand-built MAC produces the tag and the manager's MAC verifies it; {@code verifyMac}
 * throws when the tag does not match, which fails the test.
 *
 * @throws Exception if key creation, MAC computation or verification fails
 */
@Test
public void getPrimitive_worksForSha512() throws Exception {
    // Arguments 16 and 33 are presumably key size and tag size in bytes; confirm against
    // makeHmacKeyFormat, which is defined elsewhere in the test class.
    HmacKey validKey = factory.createKey(makeHmacKeyFormat(16, 33, HashType.SHA512));
    Mac managerMac = manager.getPrimitive(validKey, Mac.class);

    // Reference implementation: HMAC-SHA512 over the same key bytes, tag length 33.
    SecretKeySpec referenceKey = new SecretKeySpec(validKey.getKeyValue().toByteArray(), "HMAC");
    PrfHmacJce referencePrf = new PrfHmacJce("HMACSHA512", referenceKey);
    Mac directMac = new PrfMac(referencePrf, 33);

    byte[] message = Random.randBytes(50);
    byte[] referenceTag = directMac.computeMac(message);
    managerMac.verifyMac(referenceTag, message);
}
Also used : PrfMac(com.google.crypto.tink.subtle.PrfMac) SecretKeySpec(javax.crypto.spec.SecretKeySpec) PrfHmacJce(com.google.crypto.tink.subtle.PrfHmacJce) HmacKey(com.google.crypto.tink.proto.HmacKey) Mac(com.google.crypto.tink.Mac) PrfMac(com.google.crypto.tink.subtle.PrfMac) Test(org.junit.Test)

Example 4 with PrfHmacJce

use of com.google.crypto.tink.subtle.PrfHmacJce in project tink by google.

the class HmacPrfKeyManagerTest method getPrimitive_worksForSha256.

/**
 * Verifies that the {@code Prf} returned by the key manager for a SHA256 HMAC-PRF key yields the
 * same output as a {@code PrfHmacJce} built by hand from the same key bytes.
 *
 * @throws Exception if key creation or PRF computation fails
 */
@Test
public void getPrimitive_worksForSha256() throws Exception {
    // The argument 16 is presumably the key size in bytes; confirm against makeHmacPrfKeyFormat,
    // which is defined elsewhere in the test class.
    HmacPrfKey validKey = factory.createKey(makeHmacPrfKeyFormat(16, HashType.SHA256));
    Prf managerPrf = manager.getPrimitive(validKey, Prf.class);

    // Reference implementation: HMAC-SHA256 keyed with the same bytes.
    SecretKeySpec referenceKey = new SecretKeySpec(validKey.getKeyValue().toByteArray(), "HMAC");
    Prf directPrf = new PrfHmacJce("HMACSHA256", referenceKey);

    byte[] message = Random.randBytes(50);
    // Both sides are asked for 29 output bytes of the same random 50-byte message.
    byte[] outputFromManager = managerPrf.compute(message, 29);
    byte[] outputFromReference = directPrf.compute(message, 29);
    assertThat(outputFromManager).isEqualTo(outputFromReference);
}
Also used : SecretKeySpec(javax.crypto.spec.SecretKeySpec) PrfHmacJce(com.google.crypto.tink.subtle.PrfHmacJce) HmacPrfKey(com.google.crypto.tink.proto.HmacPrfKey) Test(org.junit.Test)

Example 5 with PrfHmacJce

use of com.google.crypto.tink.subtle.PrfHmacJce in project tink by google.

the class HmacPrfKeyManagerTest method getPrimitive_worksForSha512.

/**
 * Verifies that the {@code Prf} returned by the key manager for a SHA512 HMAC-PRF key yields the
 * same output as a {@code PrfHmacJce} built by hand from the same key bytes.
 *
 * @throws Exception if key creation or PRF computation fails
 */
@Test
public void getPrimitive_worksForSha512() throws Exception {
    // The argument 16 is presumably the key size in bytes; confirm against makeHmacPrfKeyFormat,
    // which is defined elsewhere in the test class.
    HmacPrfKey validKey = factory.createKey(makeHmacPrfKeyFormat(16, HashType.SHA512));
    Prf managerPrf = manager.getPrimitive(validKey, Prf.class);

    // Reference implementation: HMAC-SHA512 keyed with the same bytes.
    SecretKeySpec referenceKey = new SecretKeySpec(validKey.getKeyValue().toByteArray(), "HMAC");
    Prf directPrf = new PrfHmacJce("HMACSHA512", referenceKey);

    byte[] message = Random.randBytes(50);
    // Both sides are asked for 33 output bytes of the same random 50-byte message.
    byte[] outputFromManager = managerPrf.compute(message, 33);
    byte[] outputFromReference = directPrf.compute(message, 33);
    assertThat(outputFromManager).isEqualTo(outputFromReference);
}
Also used : SecretKeySpec(javax.crypto.spec.SecretKeySpec) PrfHmacJce(com.google.crypto.tink.subtle.PrfHmacJce) HmacPrfKey(com.google.crypto.tink.proto.HmacPrfKey) Test(org.junit.Test)

Aggregations

PrfHmacJce (com.google.crypto.tink.subtle.PrfHmacJce)8 SecretKeySpec (javax.crypto.spec.SecretKeySpec)8 Test (org.junit.Test)8 PrfMac (com.google.crypto.tink.subtle.PrfMac)5 Mac (com.google.crypto.tink.Mac)3 HmacKey (com.google.crypto.tink.proto.HmacKey)3 HmacPrfKey (com.google.crypto.tink.proto.HmacPrfKey)3 CleartextKeysetHandle (com.google.crypto.tink.CleartextKeysetHandle)2 KeyTemplate (com.google.crypto.tink.KeyTemplate)2 KeysetHandle (com.google.crypto.tink.KeysetHandle)2 JwtHmacKey (com.google.crypto.tink.proto.JwtHmacKey)2 Keyset (com.google.crypto.tink.proto.Keyset)2 JsonObject (com.google.gson.JsonObject)2 ByteString (com.google.protobuf.ByteString)2