lccodes
diff --git a/‎lib/build.gradle‎
Lines changed: 1 addition & 0 deletions b/‎lib/build.gradle‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/JWTDecoder.java‎
Lines changed: 28 additions & 11 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/JWTDecoder.java‎
Lines changed: 28 additions & 11 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/JWTVerifier.java‎
Lines changed: 226 additions & 0 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/JWTVerifier.java‎
Lines changed: 226 additions & 0 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/SignUtils.java‎
Lines changed: 96 additions & 0 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/SignUtils.java‎
Lines changed: 96 additions & 0 deletions
@@ -8,6 +8,7 @@ dependencies {
     compile fileTree(dir: 'libs', include: ['*.jar'])
     compile 'com.fasterxml.jackson.core:jackson-databind:2.8.4'
     compile 'commons-codec:commons-codec:1.10'
+    compile 'org.bouncycastle:bcprov-jdk15on:1.55'
     testCompile 'junit:junit:4.12'
     testCompile 'org.hamcrest:hamcrest-library:1.3'
     testCompile 'org.mockito:mockito-core:2.2.8'
 
@@ -1,7 +1,7 @@
 package com.auth0.jwtdecodejava;
 
-import com.auth0.jwtdecodejava.enums.Algorithm;
-import com.auth0.jwtdecodejava.exceptions.JWTException;
+import com.auth0.jwtdecodejava.algorithms.Algorithm;
+import com.auth0.jwtdecodejava.exceptions.JWTDecodeException;
 import com.auth0.jwtdecodejava.impl.JWTParser;
 import com.auth0.jwtdecodejava.interfaces.Claim;
 import com.auth0.jwtdecodejava.interfaces.Header;
@@ -10,27 +10,44 @@
 
 import java.util.Date;
 
-import static com.auth0.jwtdecodejava.Utils.base64Decode;
-
+/**
+ * The JWTDecoder class holds the decode method to parse a given Token into it's JWT representation.
+ */
 public final class JWTDecoder implements JWT {
 
     private Header header;
     private Payload payload;
     private String signature;
 
-    private JWTDecoder(String jwt) {
+    private JWTDecoder(String jwt) throws JWTDecodeException {
         parseToken(jwt);
     }
 
-    public static JWT decode(String jwt) {
-        return new JWTDecoder(jwt);
+    /**
+     * Decode a given Token into a JWT instance.
+     * Note that this method doesn't verify the JWT's signature! Use it only if you trust the issuer of the Token.
+     *
+     * @param token the String representation of the JWT.
+     * @return a decoded JWT.
+     * @throws JWTDecodeException if any part of the Token contained an invalid JWT or JSON format.
+     */
+    public static JWT decode(String token) throws JWTDecodeException {
+        return new JWTDecoder(token);
     }
 
-    private void parseToken(String token) throws JWTException {
-        final String[] parts = Utils.splitToken(token);
+    private void parseToken(String token) throws JWTDecodeException {
+        final String[] parts = SignUtils.splitToken(token);
         final JWTParser converter = new JWTParser();
-        header = converter.parseHeader(base64Decode(parts[0]));
-        payload = converter.parsePayload(base64Decode(parts[1]));
+        String headerJson;
+        String payloadJson;
+        try {
+            headerJson = SignUtils.base64Decode(parts[0]);
+            payloadJson = SignUtils.base64Decode(parts[1]);
+        } catch (NullPointerException e) {
+            throw new JWTDecodeException("The UTF-8 Charset isn't initialized.", e);
+        }
+        header = converter.parseHeader(headerJson);
+        payload = converter.parsePayload(payloadJson);
         signature = parts[2];
     }
 
 
@@ -0,0 +1,226 @@
+package com.auth0.jwtdecodejava;
+
+import com.auth0.jwtdecodejava.algorithms.Algorithm;
+import com.auth0.jwtdecodejava.algorithms.HSAlgorithm;
+import com.auth0.jwtdecodejava.algorithms.NoneAlgorithm;
+import com.auth0.jwtdecodejava.algorithms.RSAlgorithm;
+import com.auth0.jwtdecodejava.exceptions.AlgorithmMismatchException;
+import com.auth0.jwtdecodejava.exceptions.InvalidClaimException;
+import com.auth0.jwtdecodejava.exceptions.JWTVerificationException;
+import com.auth0.jwtdecodejava.exceptions.SignatureVerificationException;
+import com.auth0.jwtdecodejava.impl.PublicClaims;
+import com.auth0.jwtdecodejava.interfaces.JWT;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.SignatureException;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+
+import static com.auth0.jwtdecodejava.algorithms.NoneAlgorithm.none;
+
+/**
+ * The JWTVerifier class holds the verify method to assert that a given Token has not only a proper JWT format, but also it's signature matches.
+ */
+public class JWTVerifier {
+    private final Algorithm algorithm;
+    private final String secret;
+    private final PublicKey key;
+    private final Map<String, Object> claims;
+
+    private JWTVerifier(Algorithm algorithm, String secret, PublicKey key) {
+        this.algorithm = algorithm;
+        this.key = key;
+        this.secret = secret;
+        this.claims = new HashMap<>();
+    }
+
+    /**
+     * Initialize a JWTVerifier instance using the Algorithm "none".
+     *
+     * @return a JWTVerifier instance to configure.
+     */
+    public static JWTVerifier init() {
+        return init(none, null, null);
+    }
+
+    /**
+     * Initialize a JWTVerifier instance using a HS Algorithm.
+     *
+     * @param algorithm a HSAlgorithm. Valid values are HS256, HS384, HS512.
+     * @param secret    to use when verifying the signature.
+     * @return a JWTVerifier instance to configure.
+     * @throws IllegalArgumentException if the provided algorithm is null or if the secret is null.
+     */
+    public static JWTVerifier init(HSAlgorithm algorithm, String secret) throws IllegalArgumentException {
+        return init(algorithm, null, secret);
+    }
+
+    /**
+     * Initialize a JWTVerifier instance using a RS Algorithm.
+     *
+     * @param algorithm a RSAlgorithm. Valid values are RS256, RS384, RS512.
+     * @param publicKey to use when verifying the signature.
+     * @return a JWTVerifier instance to configure.
+     * @throws IllegalArgumentException if the provided algorithm is null or if the publicKey is null.
+     */
+    public static JWTVerifier init(RSAlgorithm algorithm, PublicKey publicKey) throws IllegalArgumentException {
+        return init(algorithm, publicKey, null);
+    }
+
+    private static JWTVerifier init(Algorithm algorithm, PublicKey publicKey, String secret) throws IllegalArgumentException {
+        if (algorithm == null) {
+            throw new IllegalArgumentException("The Algorithm cannot be null.");
+        }
+        if (algorithm instanceof HSAlgorithm && secret == null) {
+            throw new IllegalArgumentException(String.format("You can't use the %s algorithm without providing a valid Secret.", algorithm.name()));
+        }
+        if (algorithm instanceof RSAlgorithm && publicKey == null) {
+            throw new IllegalArgumentException(String.format("You can't use the %s algorithm without providing a valid PublicKey.", algorithm.name()));
+        }
+        return new JWTVerifier(algorithm, secret, publicKey);
+    }
+
+    /**
+     * Require a specific Issuer ("iss") claim.
+     *
+     * @return this same JWTVerifier instance.
+     */
+    public JWTVerifier withIssuer(String issuer) {
+        requireClaim(PublicClaims.ISSUER, issuer);
+        return this;
+    }
+
+    /**
+     * Require a specific Subject ("sub") claim.
+     *
+     * @return this same JWTVerifier instance.
+     */
+    public JWTVerifier withSubject(String subject) {
+        requireClaim(PublicClaims.SUBJECT, subject);
+        return this;
+    }
+
+    /**
+     * Require a specific Audience ("aud") claim.
+     *
+     * @return this same JWTVerifier instance.
+     */
+    public JWTVerifier withAudience(String[] audience) {
+        requireClaim(PublicClaims.AUDIENCE, audience);
+        return this;
+    }
+
+    /**
+     * Require a specific Expires At ("exp") claim.
+     *
+     * @return this same JWTVerifier instance.
+     */
+    public JWTVerifier withExpiresAt(Date expiresAt) {
+        requireClaim(PublicClaims.EXPIRES_AT, expiresAt);
+        return this;
+    }
+
+    /**
+     * Require a specific Not Before ("nbf") claim.
+     *
+     * @return this same JWTVerifier instance.
+     */
+    public JWTVerifier withNotBefore(Date notBefore) {
+        requireClaim(PublicClaims.NOT_BEFORE, notBefore);
+        return this;
+    }
+
+    /**
+     * Require a specific Issued At ("iat") claim.
+     *
+     * @return this same JWTVerifier instance.
+     */
+    public JWTVerifier withIssuedAt(Date issuedAt) {
+        requireClaim(PublicClaims.ISSUED_AT, issuedAt);
+        return this;
+    }
+
+    /**
+     * Require a specific JWT Id ("jti") claim.
+     *
+     * @return this same JWTVerifier instance.
+     */
+    public JWTVerifier withJWTId(String jwtId) {
+        requireClaim(PublicClaims.JWT_ID, jwtId);
+        return this;
+    }
+
+    /**
+     * Perform the verification against the given Token, using any previous configured options.
+     *
+     * @param token the String representation of the JWT.
+     * @return a verified JWT.
+     * @throws JWTVerificationException if any of the required contents inside the JWT is invalid.
+     */
+    public JWT verify(String token) throws JWTVerificationException {
+        JWT jwt = JWTDecoder.decode(token);
+        verifyAlgorithm(jwt, algorithm);
+        verifySignature(SignUtils.splitToken(token));
+        verifyClaims(jwt, claims);
+        return jwt;
+    }
+
+    private void verifySignature(String[] parts) throws SignatureVerificationException {
+        if (algorithm instanceof HSAlgorithm) {
+            try {
+                SignUtils.verifyHS((HSAlgorithm) algorithm, parts, secret);
+            } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+                throw new SignatureVerificationException(algorithm, e);
+            }
+        } else if (algorithm instanceof RSAlgorithm) {
+            try {
+                SignUtils.verifyRS((RSAlgorithm) algorithm, parts, key);
+            } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
+                throw new SignatureVerificationException(algorithm, e);
+            }
+        } else if (algorithm instanceof NoneAlgorithm && !parts[2].isEmpty()) {
+            throw new SignatureVerificationException(algorithm);
+        }
+    }
+
+    private void verifyAlgorithm(JWT jwt, Algorithm expectedAlgorithm) throws AlgorithmMismatchException {
+        if (!expectedAlgorithm.equals(jwt.getAlgorithm())) {
+            throw new AlgorithmMismatchException("The provided Algorithm doesn't match the one defined in the JWT's Header.");
+        }
+    }
+
+    private void verifyClaims(JWT jwt, Map<String, Object> claims) {
+        for (Map.Entry<String, Object> entry : claims.entrySet()) {
+            assertValidClaim(jwt, entry.getKey(), entry.getValue());
+        }
+    }
+
+    private void assertValidClaim(JWT jwt, String claimName, Object expectedValue) throws InvalidClaimException {
+        boolean isValid;
+        if (PublicClaims.AUDIENCE.equals(claimName)) {
+            isValid = Arrays.equals(jwt.getAudience(), (String[]) expectedValue);
+        } else if (PublicClaims.NOT_BEFORE.equals(claimName) || PublicClaims.EXPIRES_AT.equals(claimName) || PublicClaims.ISSUED_AT.equals(claimName)) {
+            Date dateValue = (Date) expectedValue;
+            isValid = dateValue.equals(jwt.getClaim(claimName).asDate());
+        } else {
+            String stringValue = (String) expectedValue;
+            isValid = stringValue.equals(jwt.getClaim(claimName).asString());
+        }
+
+        if (!isValid) {
+            throw new InvalidClaimException(String.format("The Claim '%s' value doesn't match the required one.", claimName));
+        }
+    }
+
+    private void requireClaim(String name, Object value) {
+        if (value == null) {
+            claims.remove(name);
+            return;
+        }
+        claims.put(name, value);
+    }
+}
@@ -0,0 +1,96 @@
+package com.auth0.jwtdecodejava;
+
+import com.auth0.jwtdecodejava.algorithms.HSAlgorithm;
+import com.auth0.jwtdecodejava.algorithms.RSAlgorithm;
+import com.auth0.jwtdecodejava.exceptions.JWTDecodeException;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.codec.binary.StringUtils;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.*;
+
+class SignUtils {
+
+    /**
+     * Decodes a given String from it's Base64 string representation into a UTF-8 String.
+     *
+     * @param source the source of the decode process.
+     * @return a UTF-8 String representing the Base64 decoded source.
+     * @throws NullPointerException if the UTF-8 Charset isn't initialized.
+     */
+    static String base64Decode(String source) throws NullPointerException {
+        return StringUtils.newStringUtf8(Base64.decodeBase64(source));
+    }
+
+    /**
+     * Encodes a given String into it's Base64 string representation.
+     *
+     * @param source the source of the decode process.
+     * @return a UTF-8 String encoded into it's Base64 representation.
+     * @throws NullPointerException     if the UTF-8 Charset isn't initialized.
+     * @throws IllegalArgumentException if the source string is too long.
+     */
+    static String base64Encode(String source) throws NullPointerException, IllegalArgumentException {
+        return StringUtils.newStringUtf8(Base64.encodeBase64(source.getBytes(), false, true));
+    }
+
+    /**
+     * Splits the given token on the "." chars into a String array with 3 parts.
+     *
+     * @param token the string to split.
+     * @return the array representing the 3 parts of the token.
+     * @throws JWTDecodeException if the Token doesn't have 3 parts.
+     */
+    static String[] splitToken(String token) throws JWTDecodeException {
+        String[] parts = token.split("\\.");
+        if (parts.length == 2 && token.endsWith(".")) {
+            //Tokens with alg='none' have empty String as Signature.
+            parts = new String[]{parts[0], parts[1], ""};
+        }
+        if (parts.length != 3) {
+            throw new JWTDecodeException(String.format("The token was expected to have 3 parts, but got %s.", parts.length));
+        }
+        return parts;
+    }
+
+    /**
+     * Verify the given JWT parts using a specific HS Algorithm and a given secret.
+     *
+     * @param algorithm the HSAlgorithm to use. Must be one of HS256, HS384, or HS512.
+     * @param jwtParts  a valid array of size 3 representing the JWT parts.
+     * @param secret    the secret used when signing the token's content.
+     * @return whether the Token's signature is valid or not.
+     * @throws NoSuchAlgorithmException if the chosen algorithm isn't present.
+     * @throws InvalidKeyException
+     */
+    static boolean verifyHS(HSAlgorithm algorithm, String[] jwtParts, String secret) throws NoSuchAlgorithmException, InvalidKeyException {
+        if (secret == null) {
+            throw new IllegalArgumentException("The Secret cannot be null");
+        }
+        if (algorithm == null) {
+            throw new IllegalArgumentException("The Algorithm must be one of HS256, HS384, or HS512.");
+        }
+
+        Mac mac = Mac.getInstance(algorithm.describe());
+        mac.init(new SecretKeySpec(secret.getBytes(), algorithm.describe()));
+        String message = String.format("%s.%s", jwtParts[0], jwtParts[1]);
+        byte[] result = mac.doFinal(message.getBytes());
+        return MessageDigest.isEqual(result, Base64.decodeBase64(jwtParts[2]));
+    }
+
+    static boolean verifyRS(RSAlgorithm algorithm, String[] jwtParts, PublicKey publicKey) throws InvalidKeyException, NoSuchAlgorithmException, SignatureException {
+        if (publicKey == null) {
+            throw new IllegalArgumentException("The PublicKey cannot be null");
+        }
+        if (algorithm == null) {
+            throw new IllegalArgumentException("The Algorithm must be one of RS256, RS384, or RS512.");
+        }
+
+        final String content = String.format("%s.%s", jwtParts[0], jwtParts[1]);
+        Signature s = Signature.getInstance(algorithm.describe());
+        s.initVerify(publicKey);
+        s.update(content.getBytes());
+        return s.verify(Base64.decodeBase64(jwtParts[2]));
+    }
+}