add RS verification

lbalmaceda · lbalmaceda · commit 918ec0bdecfb · 2016-10-31T16:58:33.000-03:00
diff --git a/lib/build.gradle b/lib/build.gradle
@@ -8,6 +8,7 @@ dependencies {
     compile fileTree(dir: 'libs', include: ['*.jar'])
     compile 'com.fasterxml.jackson.core:jackson-databind:2.8.4'
     compile 'commons-codec:commons-codec:1.10'
+    compile 'org.bouncycastle:bcprov-jdk15on:1.55'
     testCompile 'junit:junit:4.12'
     testCompile 'org.hamcrest:hamcrest-library:1.3'
     testCompile 'org.mockito:mockito-core:2.2.8'
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/Utils.java b/lib/src/main/java/com/auth0/jwtdecodejava/Utils.java
@@ -7,9 +7,7 @@
 
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
-import java.security.InvalidKeyException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
+import java.security.*;
 
 public class Utils {
 
@@ -58,4 +56,19 @@ public static String[] splitToken(String token) {
         }
         return parts;
     }
+
+    public static boolean verifyRS(String[] jwtParts, PublicKey publicKey, Algorithm algorithm) throws InvalidKeyException, NoSuchAlgorithmException, SignatureException {
+        if (publicKey == null) {
+            throw new IllegalArgumentException("The PublicKey cannot be null");
+        }
+        if (algorithm != Algorithm.RS256 && algorithm != Algorithm.RS384 && algorithm != Algorithm.RS512) {
+            throw new IllegalArgumentException("The Algorithm must be one of RS256, RS384, or RS512.");
+        }
+
+        final String content = String.format("%s.%s", jwtParts[0], jwtParts[1]);
+        Signature s = Signature.getInstance(algorithm.toString());
+        s.initVerify(publicKey);
+        s.update(content.getBytes());
+        return s.verify(Base64.decodeBase64(jwtParts[2]));
+    }
 }
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/enums/Algorithm.java b/lib/src/main/java/com/auth0/jwtdecodejava/enums/Algorithm.java
@@ -6,7 +6,10 @@ public enum Algorithm {
     none(null),
     HS256(HmacAlgorithms.HMAC_SHA_256.toString()),
     HS384(HmacAlgorithms.HMAC_SHA_384.toString()),
-    HS512(HmacAlgorithms.HMAC_SHA_512.toString());
+    HS512(HmacAlgorithms.HMAC_SHA_512.toString()),
+    RS256("SHA256withRSA"),
+    RS384("SHA384withRSA"),
+    RS512("SHA512withRSA");
 
     private final String description;
 
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/impl/JWTVerifier.java b/lib/src/main/java/com/auth0/jwtdecodejava/impl/JWTVerifier.java
@@ -11,6 +11,8 @@
 
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.SignatureException;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.HashMap;
@@ -19,10 +21,12 @@
 public class JWTVerifier {
     private final Algorithm algorithm;
     private final String secret;
+    private final PublicKey key;
     private final Map<String, Object> claims;
 
-    private JWTVerifier(Algorithm algorithm, String secret) {
+    private JWTVerifier(Algorithm algorithm, String secret, PublicKey key) {
         this.algorithm = algorithm;
+        this.key = key;
         this.secret = secret;
         this.claims = new HashMap<>();
     }
@@ -49,7 +53,7 @@ public static JWTVerifier init(Algorithm algorithm, String secret) throws Illega
                 }
             default:
         }
-        return new JWTVerifier(algorithm, secret);
+        return new JWTVerifier(algorithm, secret, null);
     }
 
     public JWTVerifier withIssuer(String issuer) {
@@ -106,8 +110,17 @@ private void verifySignature(String[] parts) {
                     throw new SignatureVerificationException(algorithm, e);
                 }
                 break;
+            case RS256:
+            case RS384:
+            case RS512:
+                try {
+                    Utils.verifyRS(parts, key, algorithm);
+                } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
+                    throw new SignatureVerificationException(algorithm, e);
+                }
+                break;
             case none:
-                if (!parts[2].isEmpty()){
+                if (!parts[2].isEmpty()) {
                     throw new SignatureVerificationException(algorithm);
                 }
             default:
diff --git a/lib/src/main/java/com/auth0/jwtdecodejava/impl/pem/PemUtils.java b/lib/src/main/java/com/auth0/jwtdecodejava/impl/pem/PemUtils.java
@@ -0,0 +1,43 @@
+package com.auth0.jwtdecodejava.impl.pem;
+
+import org.bouncycastle.util.io.pem.PemObject;
+import org.bouncycastle.util.io.pem.PemReader;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.io.IOException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.spec.EncodedKeySpec;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+
+public class PemUtils {
+
+    public static byte[] parsePEMFile(File pemFile) throws IOException {
+        if (!pemFile.isFile() || !pemFile.exists()) {
+            throw new FileNotFoundException(String.format("The file '%s' doesn't exist.", pemFile.getAbsolutePath()));
+        }
+        PemReader reader = new PemReader(new FileReader(pemFile));
+        PemObject pemObject = reader.readPemObject();
+        return pemObject.getContent();
+    }
+
+
+    public static PublicKey getPublicKey(byte[] keyBytes, String algorithm) {
+        PublicKey publicKey = null;
+        try {
+            KeyFactory kf = KeyFactory.getInstance(algorithm);
+            EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
+            publicKey = kf.generatePublic(keySpec);
+        } catch (NoSuchAlgorithmException e) {
+            System.out.println("Could not reconstruct the public key, the given algorithm oculd not be found.");
+        } catch (InvalidKeySpecException e) {
+            System.out.println("Could not reconstruct the public key");
+        }
+
+        return publicKey;
+    }
+}
diff --git a/lib/src/test/java/com/auth0/jwtdecodejava/UtilsTest.java b/lib/src/test/java/com/auth0/jwtdecodejava/UtilsTest.java
@@ -2,15 +2,23 @@
 
 import com.auth0.jwtdecodejava.enums.Algorithm;
 import com.auth0.jwtdecodejava.exceptions.JWTException;
+import com.auth0.jwtdecodejava.impl.pem.PemUtils;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
 
+import java.io.File;
+import java.io.IOException;
+import java.security.PublicKey;
+
 import static org.hamcrest.Matchers.*;
 import static org.junit.Assert.*;
 
 public class UtilsTest {
 
+    private static final String PUBLIC_KEY_FILE = "src/test/resources/rsa_public.pem";
+    private static final String INVALID_PUBLIC_KEY_FILE = "src/test/resources/rsa_public_invalid.pem";
+
     @Rule
     public ExpectedException exception = ExpectedException.none();
 
@@ -72,6 +80,8 @@ public void shouldEncodeBase64() throws Exception {
         assertThat(result, is("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"));
     }
 
+    // HS
+
     @Test
     public void shouldPassHS256Verification() throws Exception {
         String jwt = "eyJhbGciOiJIUzI1NiIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.mZ0m_N1J4PgeqWmi903JuUoDRZDBPB7HwkS4nVyWH1M";
@@ -141,11 +151,109 @@ public void shouldThrowWhenAlgorithmIsNotHS() throws Exception {
     }
 
     @Test
-    public void shouldThrowWhenAlgorithmIsNull() throws Exception {
+    public void shouldThrowWhenHSAlgorithmIsNull() throws Exception {
         exception.expect(IllegalArgumentException.class);
         exception.expectMessage("The Algorithm must be one of HS256, HS384, or HS512.");
         String jwt = "eyJhbGciOiJIUzUxMiIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.VUo2Z9SWDV-XcOc_Hr6Lff3vl7L9e5Vb8ThXpmGDFjHxe3Dr1ZBmUChYF-xVA7cAdX1P_D4ZCUcsv3IefpVaJw";
         Utils.verifyHS(jwt.split("\\."), "secret", null);
     }
 
+    // RS
+
+    @Test
+    public void shouldPassRS256Verification() throws Exception {
+        PublicKey key = readPublicKey();
+        String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.dxXF3MdsyW-AuvwJpaQtrZ33fAde9xWxpLIg9cO2tMLH2GSRNuLAe61KsJusZhqZB9Iy7DvflcmRz-9OZndm6cj_ThGeJH2LLc90K83UEvvRPo8l85RrQb8PcanxCgIs2RcZOLygERizB3pr5icGkzR7R2y6zgNCjKJ5_NJ6EiZsGN6_nc2PRK_DbyY-Wn0QDxIxKoA5YgQJ9qafe7IN980pXvQv2Z62c3XR8dYuaXBqhthBj-AbaFHEpZapN-V-TmuLNzR2MCB6Xr7BYMuCaqWf_XU8og4XNe8f_8w9Wv5vvgqMM1KhqVpG5VdMJv4o_L4NoCROHhtUQSLRh2M9cA";
+        assertTrue(Utils.verifyRS(jwt.split("\\."), key, Algorithm.RS256));
+    }
+
+    @Test
+    public void shouldFailRS256VerificationWithInvalidPublicKey() throws Exception {
+        PublicKey key = readInvalidPublicKey();
+        String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.dxXF3MdsyW-AuvwJpaQtrZ33fAde9xWxpLIg9cO2tMLH2GSRNuLAe61KsJusZhqZB9Iy7DvflcmRz-9OZndm6cj_ThGeJH2LLc90K83UEvvRPo8l85RrQb8PcanxCgIs2RcZOLygERizB3pr5icGkzR7R2y6zgNCjKJ5_NJ6EiZsGN6_nc2PRK_DbyY-Wn0QDxIxKoA5YgQJ9qafe7IN980pXvQv2Z62c3XR8dYuaXBqhthBj-AbaFHEpZapN-V-TmuLNzR2MCB6Xr7BYMuCaqWf_XU8og4XNe8f_8w9Wv5vvgqMM1KhqVpG5VdMJv4o_L4NoCROHhtUQSLRh2M9cA";
+        assertFalse(Utils.verifyRS(jwt.split("\\."), key, Algorithm.RS256));
+    }
+
+    @Test
+    public void shouldThrowRS256VerificationWithNullPublicKey() throws Exception {
+        exception.expect(IllegalArgumentException.class);
+        exception.expectMessage("The PublicKey cannot be null");
+        String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.dxXF3MdsyW-AuvwJpaQtrZ33fAde9xWxpLIg9cO2tMLH2GSRNuLAe61KsJusZhqZB9Iy7DvflcmRz-9OZndm6cj_ThGeJH2LLc90K83UEvvRPo8l85RrQb8PcanxCgIs2RcZOLygERizB3pr5icGkzR7R2y6zgNCjKJ5_NJ6EiZsGN6_nc2PRK_DbyY-Wn0QDxIxKoA5YgQJ9qafe7IN980pXvQv2Z62c3XR8dYuaXBqhthBj-AbaFHEpZapN-V-TmuLNzR2MCB6Xr7BYMuCaqWf_XU8og4XNe8f_8w9Wv5vvgqMM1KhqVpG5VdMJv4o_L4NoCROHhtUQSLRh2M9cA";;
+        Utils.verifyRS(jwt.split("\\."), null, Algorithm.RS256);
+    }
+
+    @Test
+    public void shouldPassRS384Verification() throws Exception {
+        PublicKey key = readPublicKey();
+        String jwt = "eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.TZlWjXObwGSQOiu2oMq8kiKz0_BR7bbBddNL6G8eZ_GoR82BXOZDqNrQr7lb_M-78XGBguWLWNIdYhzgxOUL9EoCJlrqVm9s9vo6G8T1sj1op-4TbjXZ61TwIvrJee9BvPLdKUJ9_fp1Js5kl6yXkst40Th8Auc5as4n49MLkipjpEhKDKaENKHpSubs1ripSz8SCQZSofeTM_EWVwSw7cpiM8Fy8jOPvWG8Xz4-e3ODFowvHVsDcONX_4FTMNbeRqDuHq2ZhCJnEfzcSJdrve_5VD5fM1LperBVslTrOxIgClOJ3RmM7-WnaizJrWP3D6Z9OLxPxLhM6-jx6tcxEw";
+        assertTrue(Utils.verifyRS(jwt.split("\\."), key, Algorithm.RS384));
+    }
+
+    @Test
+    public void shouldFailRS384VerificationWithInvalidPublicKey() throws Exception {
+        PublicKey key = readInvalidPublicKey();
+        String jwt = "eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.TZlWjXObwGSQOiu2oMq8kiKz0_BR7bbBddNL6G8eZ_GoR82BXOZDqNrQr7lb_M-78XGBguWLWNIdYhzgxOUL9EoCJlrqVm9s9vo6G8T1sj1op-4TbjXZ61TwIvrJee9BvPLdKUJ9_fp1Js5kl6yXkst40Th8Auc5as4n49MLkipjpEhKDKaENKHpSubs1ripSz8SCQZSofeTM_EWVwSw7cpiM8Fy8jOPvWG8Xz4-e3ODFowvHVsDcONX_4FTMNbeRqDuHq2ZhCJnEfzcSJdrve_5VD5fM1LperBVslTrOxIgClOJ3RmM7-WnaizJrWP3D6Z9OLxPxLhM6-jx6tcxEw";
+        assertFalse(Utils.verifyRS(jwt.split("\\."), key, Algorithm.RS384));
+    }
+
+    @Test
+    public void shouldThrowRS384VerificationWithNullPublicKey() throws Exception {
+        exception.expect(IllegalArgumentException.class);
+        exception.expectMessage("The PublicKey cannot be null");
+        String jwt = "eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.TZlWjXObwGSQOiu2oMq8kiKz0_BR7bbBddNL6G8eZ_GoR82BXOZDqNrQr7lb_M-78XGBguWLWNIdYhzgxOUL9EoCJlrqVm9s9vo6G8T1sj1op-4TbjXZ61TwIvrJee9BvPLdKUJ9_fp1Js5kl6yXkst40Th8Auc5as4n49MLkipjpEhKDKaENKHpSubs1ripSz8SCQZSofeTM_EWVwSw7cpiM8Fy8jOPvWG8Xz4-e3ODFowvHVsDcONX_4FTMNbeRqDuHq2ZhCJnEfzcSJdrve_5VD5fM1LperBVslTrOxIgClOJ3RmM7-WnaizJrWP3D6Z9OLxPxLhM6-jx6tcxEw";;
+        Utils.verifyRS(jwt.split("\\."), null, Algorithm.RS384);
+    }
+
+    @Test
+    public void shouldPassRS512Verification() throws Exception {
+        PublicKey key = readPublicKey();
+        String jwt = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.mvL5LoMyIrWYjk5umEXZTmbyIrkbbcVPUkvdGZbu0qFBxGOf0nXP5PZBvPcOu084lvpwVox5n3VaD4iqzW-PsJyvKFgi5TnwmsbKchAp7JexQEsQOnTSGcfRqeUUiBZqRQdYsho71oAB3T4FnalDdFEpM-fztcZY9XqKyayqZLreTeBjqJm4jfOWH7KfGBHgZExQhe96NLq1UA9eUyQwdOA1Z0SgXe4Ja5PxZ6Fm37KnVDtDlNnY4JAAGFo6y74aGNnp_BKgpaVJCGFu1f1S5xCQ1HSvs8ZSdVWs5NgawW3wRd0kRt_GJ_Y3mIwiF4qUyHWGtsSHu_qjVdCTtbFyow";
+        assertTrue(Utils.verifyRS(jwt.split("\\."), key, Algorithm.RS512));
+    }
+
+    @Test
+    public void shouldFailRS512VerificationWithInvalidPublicKey() throws Exception {
+        PublicKey key = readInvalidPublicKey();
+        String jwt = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.mvL5LoMyIrWYjk5umEXZTmbyIrkbbcVPUkvdGZbu0qFBxGOf0nXP5PZBvPcOu084lvpwVox5n3VaD4iqzW-PsJyvKFgi5TnwmsbKchAp7JexQEsQOnTSGcfRqeUUiBZqRQdYsho71oAB3T4FnalDdFEpM-fztcZY9XqKyayqZLreTeBjqJm4jfOWH7KfGBHgZExQhe96NLq1UA9eUyQwdOA1Z0SgXe4Ja5PxZ6Fm37KnVDtDlNnY4JAAGFo6y74aGNnp_BKgpaVJCGFu1f1S5xCQ1HSvs8ZSdVWs5NgawW3wRd0kRt_GJ_Y3mIwiF4qUyHWGtsSHu_qjVdCTtbFyow";
+        assertFalse(Utils.verifyRS(jwt.split("\\."), key, Algorithm.RS512));
+    }
+
+    @Test
+    public void shouldThrowRS512VerificationWithNullPublicKey() throws Exception {
+        exception.expect(IllegalArgumentException.class);
+        exception.expectMessage("The PublicKey cannot be null");
+        String jwt = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.mvL5LoMyIrWYjk5umEXZTmbyIrkbbcVPUkvdGZbu0qFBxGOf0nXP5PZBvPcOu084lvpwVox5n3VaD4iqzW-PsJyvKFgi5TnwmsbKchAp7JexQEsQOnTSGcfRqeUUiBZqRQdYsho71oAB3T4FnalDdFEpM-fztcZY9XqKyayqZLreTeBjqJm4jfOWH7KfGBHgZExQhe96NLq1UA9eUyQwdOA1Z0SgXe4Ja5PxZ6Fm37KnVDtDlNnY4JAAGFo6y74aGNnp_BKgpaVJCGFu1f1S5xCQ1HSvs8ZSdVWs5NgawW3wRd0kRt_GJ_Y3mIwiF4qUyHWGtsSHu_qjVdCTtbFyow";;
+        Utils.verifyRS(jwt.split("\\."), null, Algorithm.RS512);
+    }
+
+    @Test
+    public void shouldThrowWhenAlgorithmIsNotRS() throws Exception {
+        exception.expect(IllegalArgumentException.class);
+        exception.expectMessage("The Algorithm must be one of RS256, RS384, or RS512.");
+        PublicKey key = readPublicKey();
+        String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.dxXF3MdsyW-AuvwJpaQtrZ33fAde9xWxpLIg9cO2tMLH2GSRNuLAe61KsJusZhqZB9Iy7DvflcmRz-9OZndm6cj_ThGeJH2LLc90K83UEvvRPo8l85RrQb8PcanxCgIs2RcZOLygERizB3pr5icGkzR7R2y6zgNCjKJ5_NJ6EiZsGN6_nc2PRK_DbyY-Wn0QDxIxKoA5YgQJ9qafe7IN980pXvQv2Z62c3XR8dYuaXBqhthBj-AbaFHEpZapN-V-TmuLNzR2MCB6Xr7BYMuCaqWf_XU8og4XNe8f_8w9Wv5vvgqMM1KhqVpG5VdMJv4o_L4NoCROHhtUQSLRh2M9cA";
+        Utils.verifyRS(jwt.split("\\."), key, Algorithm.none);
+    }
+
+    @Test
+    public void shouldThrowWhenRSAlgorithmIsNull() throws Exception {
+        exception.expect(IllegalArgumentException.class);
+        exception.expectMessage("The Algorithm must be one of RS256, RS384, or RS512.");
+        PublicKey key = readPublicKey();
+        String jwt = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.dxXF3MdsyW-AuvwJpaQtrZ33fAde9xWxpLIg9cO2tMLH2GSRNuLAe61KsJusZhqZB9Iy7DvflcmRz-9OZndm6cj_ThGeJH2LLc90K83UEvvRPo8l85RrQb8PcanxCgIs2RcZOLygERizB3pr5icGkzR7R2y6zgNCjKJ5_NJ6EiZsGN6_nc2PRK_DbyY-Wn0QDxIxKoA5YgQJ9qafe7IN980pXvQv2Z62c3XR8dYuaXBqhthBj-AbaFHEpZapN-V-TmuLNzR2MCB6Xr7BYMuCaqWf_XU8og4XNe8f_8w9Wv5vvgqMM1KhqVpG5VdMJv4o_L4NoCROHhtUQSLRh2M9cA";
+        Utils.verifyRS(jwt.split("\\."), key, null);
+    }
+
+    //Private
+
+    private PublicKey readPublicKey() throws IOException {
+        byte[] bytes = PemUtils.parsePEMFile(new File(PUBLIC_KEY_FILE));
+        return PemUtils.getPublicKey(bytes, "RSA");
+    }
+
+    private PublicKey readInvalidPublicKey() throws IOException {
+        byte[] bytes = PemUtils.parsePEMFile(new File(INVALID_PUBLIC_KEY_FILE));
+        return PemUtils.getPublicKey(bytes, "RSA");
+    }
+
 }
diff --git a/lib/src/test/java/com/auth0/jwtdecodejava/impl/pem/PemUtilsTest.java b/lib/src/test/java/com/auth0/jwtdecodejava/impl/pem/PemUtilsTest.java
@@ -0,0 +1,39 @@
+package com.auth0.jwtdecodejava.impl.pem;
+
+import org.junit.Assert;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+
+import java.io.File;
+import java.nio.charset.StandardCharsets;
+import java.security.PublicKey;
+
+import static org.hamcrest.Matchers.is;
+
+public class PemUtilsTest {
+
+    private static final String PUBLIC_KEY_FILE = "src/test/resources/rsa_public.pem";
+
+
+    private static final String PUBLIC_KEY_CONTENT = "-----BEGIN PUBLIC KEY-----\n" +
+            "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuGbXWiK3dQTyCbX5xdE4\n" +
+            "yCuYp0AF2d15Qq1JSXT/lx8CEcXb9RbDddl8jGDv+spi5qPa8qEHiK7FwV2KpRE9\n" +
+            "83wGPnYsAm9BxLFb4YrLYcDFOIGULuk2FtrPS512Qea1bXASuvYXEpQNpGbnTGVs\n" +
+            "WXI9C+yjHztqyL2h8P6mlThPY9E9ue2fCqdgixfTFIF9Dm4SLHbphUS2iw7w1JgT\n" +
+            "69s7of9+I9l5lsJ9cozf1rxrXX4V1u/SotUuNB3Fp8oB4C1fLBEhSlMcUJirz1E8\n" +
+            "AziMCxS+VrRPDM+zfvpIJg3JljAh3PJHDiLu902v9w+Iplu1WyoB2aPfitxEhRN0\n" +
+            "YwIDAQAB\n" +
+            "-----END PUBLIC KEY-----";
+    @Rule
+    public ExpectedException exception = ExpectedException.none();
+
+    @Test
+    public void shouldReadPemFile() throws Exception {
+        File pemFile = new File(PUBLIC_KEY_FILE);
+        byte[] bytes = PemUtils.parsePEMFile(pemFile);
+        PublicKey rsaKey = PemUtils.getPublicKey(bytes, "RSA");
+        String stringValue = new String(rsaKey.getEncoded(), StandardCharsets.UTF_8);
+        Assert.assertThat(stringValue, is(PUBLIC_KEY_CONTENT));
+    }
+}
diff --git a/lib/src/test/resources/rsa_public.pem b/lib/src/test/resources/rsa_public.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuGbXWiK3dQTyCbX5xdE4
+yCuYp0AF2d15Qq1JSXT/lx8CEcXb9RbDddl8jGDv+spi5qPa8qEHiK7FwV2KpRE9
+83wGPnYsAm9BxLFb4YrLYcDFOIGULuk2FtrPS512Qea1bXASuvYXEpQNpGbnTGVs
+WXI9C+yjHztqyL2h8P6mlThPY9E9ue2fCqdgixfTFIF9Dm4SLHbphUS2iw7w1JgT
+69s7of9+I9l5lsJ9cozf1rxrXX4V1u/SotUuNB3Fp8oB4C1fLBEhSlMcUJirz1E8
+AziMCxS+VrRPDM+zfvpIJg3JljAh3PJHDiLu902v9w+Iplu1WyoB2aPfitxEhRN0
+YwIDAQAB
+-----END PUBLIC KEY-----
diff --git a/lib/src/test/resources/rsa_public_invalid.pem b/lib/src/test/resources/rsa_public_invalid.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxzYuc22QSst/dS7geYYK
+5l5kLxU0tayNdixkEQ17ix+CUcUbKIsnyftZxaCYT46rQtXgCaYRdJcbB3hmyrOa
+vkhTpX79xJZnQmfuamMbZBqitvscxW9zRR9tBUL6vdi/0rpoUwPMEh8+Bw7CgYR0
+FK0DhWYBNDfe9HKcyZEv3max8Cdq18htxjEsdYO0iwzhtKRXomBWTdhD5ykd/fAC
+VTr4+KEY+IeLvubHVmLUhbE5NgWXxrRpGasDqzKhCTmsa2Ysf712rl57SlH0Wz/M
+r3F7aM9YpErzeYLrl0GhQr9BVJxOvXcVd4kmY+XkiCcrkyS1cnghnllh+LCwQu1s
+YwIDAQAB
+-----END PUBLIC KEY-----
