add HS verification

lbalmaceda · lbalmaceda · commit 3e05c56d890d · 2016-10-28T15:47:15.000-03:00
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/JWTDecoder.java b/lib/src/main/java/com/auth0/jwtdecodejava/JWTDecoder.java
@@ -1,5 +1,6 @@
 package com.auth0.jwtdecodejava;
 
+import com.auth0.jwtdecodejava.enums.Algorithm;
 import com.auth0.jwtdecodejava.exceptions.JWTException;
 import com.auth0.jwtdecodejava.impl.JWTParser;
 import com.auth0.jwtdecodejava.interfaces.Claim;
@@ -27,23 +28,15 @@ public static JWT decode(String jwt) {
     }
 
     private void parseToken(String token) throws JWTException {
-        final String[] parts = splitToken(token);
+        final String[] parts = Utils.splitToken(token);
         final JWTParser converter = new JWTParser();
         header = converter.parseHeader(base64Decode(parts[0]));
         payload = converter.parsePayload(base64Decode(parts[1]));
         signature = parts[2];
     }
 
-    private String[] splitToken(String token) {
-        String[] parts = token.split("\\.");
-        if (parts.length != 3) {
-            throw new JWTException(String.format("The token was expected to have 3 parts, but got %s.", parts.length));
-        }
-        return parts;
-    }
-
     @Override
-    public String getAlgorithm() {
+    public Algorithm getAlgorithm() {
         return header.getAlgorithm();
     }
 
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/Utils.java b/lib/src/main/java/com/auth0/jwtdecodejava/Utils.java
@@ -1,17 +1,21 @@
 package com.auth0.jwtdecodejava;
 
+import com.auth0.jwtdecodejava.enums.Algorithm;
 import com.auth0.jwtdecodejava.exceptions.JWTException;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import com.sun.istack.internal.Nullable;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.StringUtils;
 
-import java.io.IOException;
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 
-class Utils {
+public class Utils {
 
     @Nullable
-    static String base64Decode(String string) throws JWTException {
+    public static String base64Decode(String string) throws JWTException {
         String decoded;
         try {
             decoded = StringUtils.newStringUtf8(Base64.decodeBase64(string));
@@ -22,7 +26,7 @@ static String base64Decode(String string) throws JWTException {
     }
 
     @Nullable
-    static String base64Encode(String string) throws JWTException {
+    public static String base64Encode(String string) throws JWTException {
         String encoded;
         try {
             encoded = StringUtils.newStringUtf8(Base64.encodeBase64(string.getBytes(), false, true));
@@ -31,4 +35,26 @@ static String base64Encode(String string) throws JWTException {
         }
         return encoded;
     }
+
+    public static boolean verifyHS(String[] jwtParts, String secret, Algorithm algorithm) throws NoSuchAlgorithmException, InvalidKeyException {
+        if (secret == null) {
+            throw new IllegalArgumentException("The Secret cannot be null");
+        }
+        if (algorithm != Algorithm.HS256 && algorithm != Algorithm.HS384 && algorithm != Algorithm.HS512) {
+            throw new IllegalArgumentException("The Algorithm must be one of HS256, HS384, or HS512.");
+        }
+        Mac mac = Mac.getInstance(algorithm.toString());
+        mac.init(new SecretKeySpec(secret.getBytes(), algorithm.toString()));
+        String message = String.format("%s.%s", jwtParts[0], jwtParts[1]);
+        byte[] result = mac.doFinal(message.getBytes());
+        return MessageDigest.isEqual(result, Base64.decodeBase64(jwtParts[2]));
+    }
+
+    public static String[] splitToken(String token) {
+        String[] parts = token.split("\\.");
+        if (parts.length != 3) {
+            throw new JWTException(String.format("The token was expected to have 3 parts, but got %s.", parts.length));
+        }
+        return parts;
+    }
 }
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/enums/Algorithm.java b/lib/src/main/java/com/auth0/jwtdecodejava/enums/Algorithm.java
@@ -0,0 +1,29 @@
+package com.auth0.jwtdecodejava.enums;
+
+import org.apache.commons.codec.digest.HmacAlgorithms;
+
+public enum Algorithm {
+    none(null),
+    HS256(HmacAlgorithms.HMAC_SHA_256.toString()),
+    HS384(HmacAlgorithms.HMAC_SHA_384.toString()),
+    HS512(HmacAlgorithms.HMAC_SHA_512.toString());
+
+    private final String description;
+
+    Algorithm(String description) {
+        this.description = description;
+    }
+
+    @Override
+    public String toString() {
+        return description;
+    }
+
+    public static Algorithm parseFrom(String algorithmName) {
+        try {
+            return Algorithm.valueOf(algorithmName);
+        } catch (IllegalArgumentException ignored) {
+            return null;
+        }
+    }
+}
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/exceptions/AlgorithmMismatchException.java b/lib/src/main/java/com/auth0/jwtdecodejava/exceptions/AlgorithmMismatchException.java
@@ -0,0 +1,7 @@
+package com.auth0.jwtdecodejava.exceptions;
+
+public class AlgorithmMismatchException extends JWTException{
+    public AlgorithmMismatchException(String message) {
+        super(message);
+    }
+}
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/exceptions/InvalidClaimException.java b/lib/src/main/java/com/auth0/jwtdecodejava/exceptions/InvalidClaimException.java
@@ -2,7 +2,7 @@
 
 
 public class InvalidClaimException extends JWTException {
-    public InvalidClaimException(String description) {
-        super(description);
+    public InvalidClaimException(String message) {
+        super(message);
     }
 }
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/exceptions/SignatureVerificationException.java b/lib/src/main/java/com/auth0/jwtdecodejava/exceptions/SignatureVerificationException.java
@@ -0,0 +1,13 @@
+package com.auth0.jwtdecodejava.exceptions;
+
+import com.auth0.jwtdecodejava.enums.Algorithm;
+
+public class SignatureVerificationException extends JWTException {
+    public SignatureVerificationException(Algorithm algorithm) {
+        this(algorithm, null);
+    }
+
+    public SignatureVerificationException(Algorithm algorithm, Throwable cause) {
+        super("The Token's Signature resulted invalid when verified using the Algorithm: " + algorithm.name(), cause);
+    }
+}
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/impl/HeaderImpl.java b/lib/src/main/java/com/auth0/jwtdecodejava/impl/HeaderImpl.java
@@ -1,5 +1,6 @@
 package com.auth0.jwtdecodejava.impl;
 
+import com.auth0.jwtdecodejava.enums.Algorithm;
 import com.auth0.jwtdecodejava.interfaces.Header;
 import com.fasterxml.jackson.databind.JsonNode;
 
@@ -16,8 +17,9 @@ class HeaderImpl implements Header {
     }
 
     @Override
-    public String getAlgorithm() {
-        return extractClaim(ALGORITHM, tree).asString();
+    public Algorithm getAlgorithm() {
+        String alg = extractClaim(ALGORITHM, tree).asString();
+        return Algorithm.parseFrom(alg);
     }
 
     @Override
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/impl/JWTVerifier.java b/lib/src/main/java/com/auth0/jwtdecodejava/impl/JWTVerifier.java
@@ -1,24 +1,47 @@
 package com.auth0.jwtdecodejava.impl;
 
 import com.auth0.jwtdecodejava.JWTDecoder;
+import com.auth0.jwtdecodejava.Utils;
+import com.auth0.jwtdecodejava.enums.Algorithm;
+import com.auth0.jwtdecodejava.exceptions.AlgorithmMismatchException;
 import com.auth0.jwtdecodejava.exceptions.InvalidClaimException;
 import com.auth0.jwtdecodejava.exceptions.JWTException;
+import com.auth0.jwtdecodejava.exceptions.SignatureVerificationException;
 import com.auth0.jwtdecodejava.interfaces.JWT;
 
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 
 public class JWTVerifier {
+    private final Algorithm algorithm;
+    private final String secret;
     private final Map<String, Object> claims;
 
-    private JWTVerifier() {
+    private JWTVerifier(Algorithm algorithm, String secret) {
+        this.algorithm = algorithm;
+        this.secret = secret;
         this.claims = new HashMap<>();
     }
 
-    public static JWTVerifier init(){
-        return new JWTVerifier();
+    public static JWTVerifier init(Algorithm algorithm, String secret) throws IllegalArgumentException {
+        if (algorithm == null) {
+            throw new IllegalArgumentException("The Algorithm cannot be null.");
+        }
+        switch (algorithm) {
+            case HS256:
+            case HS384:
+            case HS512:
+                if (secret == null) {
+                    throw new IllegalArgumentException(String.format("You can't use the %s algorithm without providing a valid Secret.", algorithm.name()));
+                }
+                break;
+            default:
+        }
+        return new JWTVerifier(algorithm, secret);
     }
 
     public JWTVerifier withIssuer(String issuer) {
@@ -56,10 +79,33 @@ public JWTVerifier withJWTId(String jwtId) {
         return this;
     }
 
-    public JWT verify(String jwt) throws JWTException{
-        JWT decode = JWTDecoder.decode(jwt);
-        verifyClaims(decode, claims);
-        return decode;
+    public JWT verify(String token) throws JWTException {
+        JWT jwt = JWTDecoder.decode(token);
+        verifyClaims(jwt, claims);
+        verifyAlgorithm(jwt, algorithm);
+        verifySignature(Utils.splitToken(token));
+        return jwt;
+    }
+
+    private void verifySignature(String[] parts) {
+        switch (algorithm) {
+            case HS256:
+            case HS384:
+            case HS512:
+                try {
+                    Utils.verifyHS(parts, secret, algorithm);
+                } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+                    throw new SignatureVerificationException(algorithm, e);
+                }
+                break;
+            default:
+        }
+    }
+
+    private void verifyAlgorithm(JWT jwt, Algorithm expectedAlgorithm) throws AlgorithmMismatchException, IllegalArgumentException {
+        if (!expectedAlgorithm.equals(jwt.getAlgorithm())) {
+            throw new AlgorithmMismatchException("The provided Algorithm doesn't match the one defined in the JWT's Header.");
+        }
     }
 
     private void verifyClaims(JWT jwt, Map<String, Object> claims) {
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/interfaces/Header.java b/lib/src/main/java/com/auth0/jwtdecodejava/interfaces/Header.java
@@ -1,13 +1,14 @@
 package com.auth0.jwtdecodejava.interfaces;
 
+import com.auth0.jwtdecodejava.enums.Algorithm;
 import com.sun.istack.internal.Nullable;
 
 import java.util.Map;
 
 public interface Header {
 
     @Nullable
-    String getAlgorithm();
+    Algorithm getAlgorithm();
 
     @Nullable
     String getType();
diff --git a/lib/src/test/java/com/auth0/jwtdecodejava/JWTDecoderTest.java b/lib/src/test/java/com/auth0/jwtdecodejava/JWTDecoderTest.java
@@ -1,5 +1,6 @@
 package com.auth0.jwtdecodejava;
 
+import com.auth0.jwtdecodejava.enums.Algorithm;
 import com.auth0.jwtdecodejava.exceptions.JWTException;
 import com.auth0.jwtdecodejava.impl.BaseClaim;
 import com.auth0.jwtdecodejava.interfaces.Claim;
@@ -76,7 +77,7 @@ public void shouldGetStringToken() throws Exception {
     public void shouldGetHeader() throws Exception {
         JWT jwt = JWTDecoder.decode("eyJhbGciOiJIUzI1NiJ9.e30.XmNK3GpH3Ys_7wsYBfq4C3M6goz71I7dTgUkuIa5lyQ");
         assertThat(jwt, is(notNullValue()));
-        assertThat(jwt.getAlgorithm(), is("HS256"));
+        assertThat(jwt.getAlgorithm(), is(Algorithm.HS256));
     }
 
     @Test
diff --git a/lib/src/test/java/com/auth0/jwtdecodejava/UtilsTest.java b/lib/src/test/java/com/auth0/jwtdecodejava/UtilsTest.java
diff --git a/lib/src/test/java/com/auth0/jwtdecodejava/impl/JWTVerifierTest.java b/lib/src/test/java/com/auth0/jwtdecodejava/impl/JWTVerifierTest.java

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`
`3`	`3`
`4`	`4`	`public class InvalidClaimException extends JWTException {`
`5`		`- public InvalidClaimException(String description) {`
`6`		`- super(description);`
	`5`	`+ public InvalidClaimException(String message) {`
	`6`	`+ super(message);`
`7`	`7`	`}`
`8`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`package com.auth0.jwtdecodejava.impl;`
`2`	`2`
	`3`	`+import com.auth0.jwtdecodejava.enums.Algorithm;`
`3`	`4`	`import com.auth0.jwtdecodejava.interfaces.Header;`
`4`	`5`	`import com.fasterxml.jackson.databind.JsonNode;`
`5`	`6`
`@@ -16,8 +17,9 @@ class HeaderImpl implements Header {`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`@Override`
`19`		`- public String getAlgorithm() {`
`20`		`- return extractClaim(ALGORITHM, tree).asString();`
	`20`	`+ public Algorithm getAlgorithm() {`
	`21`	`+ String alg = extractClaim(ALGORITHM, tree).asString();`
	`22`	`+ return Algorithm.parseFrom(alg);`
`21`	`23`	`}`
`22`	`24`
`23`	`25`	`@Override`