Merge pull request auth0#57 from auth0/bugfix-verifier

hzalaz · web-flow · commit d6e4bf042b21 · 2016-07-12T19:38:13.000-03:00
Fix verifier bug for aud &amp; iss
diff --git a/.travis.yml b/.travis.yml
@@ -0,0 +1,6 @@
+language: java
+jdk:
+- oraclejdk7
+branches:
+  only:
+  - master
diff --git a/pom.xml b/pom.xml
@@ -73,7 +73,7 @@
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
-      <version>4.11</version>
+      <version>4.12</version>
       <scope>test</scope>
     </dependency>
 
diff --git a/src/main/java/com/auth0/jwt/JWTAudienceException.java b/src/main/java/com/auth0/jwt/JWTAudienceException.java
@@ -14,13 +14,11 @@ public class JWTAudienceException extends JWTVerifyException {
     private JsonNode audienceNode;
 
     public JWTAudienceException(final JsonNode audienceNode) {
-        Validate.notNull(audienceNode);
         this.audienceNode = audienceNode;
     }
 
     public JWTAudienceException(final String message, final JsonNode audienceNode) {
         super(message);
-        Validate.notNull(audienceNode);
         this.audienceNode = audienceNode;
     }
 
diff --git a/src/main/java/com/auth0/jwt/JWTIssuerException.java b/src/main/java/com/auth0/jwt/JWTIssuerException.java
@@ -1,7 +1,5 @@
 package com.auth0.jwt;
 
-import org.apache.commons.lang3.Validate;
-
 /**
  * Represents Exception related to Issuer - for example issuer mismatch / missing upon verification
  */
@@ -10,13 +8,11 @@ public class JWTIssuerException extends JWTVerifyException {
     private final String issuer;
 
     public JWTIssuerException(final String issuer) {
-        Validate.notNull(issuer);
         this.issuer = issuer;
     }
 
     public JWTIssuerException(final String message, final String issuer) {
         super(message);
-        Validate.notNull(issuer);
         this.issuer = issuer;
     }
 
diff --git a/src/main/java/com/auth0/jwt/JWTVerifier.java b/src/main/java/com/auth0/jwt/JWTVerifier.java
@@ -94,8 +94,9 @@ public JWTVerifier(final PublicKey publicKey) {
      * @throws JWTAlgorithmException when the algorithm is missing or unsupported
      * @throws IllegalStateException when token's structure is invalid or secret / public key does not match algorithm of token
      */
+    @SuppressWarnings("WeakerAccess")
     public Map<String, Object> verify(final String token) throws NoSuchAlgorithmException, InvalidKeyException, IllegalStateException,
-            IOException, SignatureException, JWTVerifyException, JWTAlgorithmException {
+            IOException, SignatureException, JWTVerifyException {
         if (token == null || "".equals(token)) {
             throw new IllegalStateException("token not set");
         }
@@ -113,7 +114,7 @@ public Map<String, Object> verify(final String token) throws NoSuchAlgorithmExce
         return mapper.treeToValue(jwtPayload, Map.class);
     }
 
-    protected void verifySignature(final String[] pieces, final Algorithm algorithm) throws NoSuchAlgorithmException,
+    void verifySignature(final String[] pieces, final Algorithm algorithm) throws NoSuchAlgorithmException,
             InvalidKeyException, SignatureException, JWTAlgorithmException, IllegalStateException {
         Validate.notNull(pieces);
         Validate.notNull(algorithm);
@@ -136,24 +137,24 @@ protected void verifySignature(final String[] pieces, final Algorithm algorithm)
         }
     }
 
-    void verifyHmac(final Algorithm algorithm, final String[] pieces, final byte[] secret) throws SignatureException, NoSuchAlgorithmException, InvalidKeyException {
+    private void verifyHmac(final Algorithm algorithm, final String[] pieces, final byte[] secret) throws SignatureException, NoSuchAlgorithmException, InvalidKeyException {
         if (secret == null || secret.length == 0) {
             throw new IllegalStateException("Secret cannot be null or empty when using algorithm: " + algorithm.getValue());
         }
         final Mac hmac = Mac.getInstance(algorithm.getValue());
         hmac.init(new SecretKeySpec(secret, algorithm.getValue()));
-        final byte[] sig = hmac.doFinal(new StringBuilder(pieces[0]).append(".").append(pieces[1]).toString().getBytes());
+        final byte[] sig = hmac.doFinal((pieces[0] + "." + pieces[1]).getBytes());
         if (!MessageDigest.isEqual(sig, decoder.decode(pieces[2]))) {
             throw new SignatureException("signature verification failed");
         }
     }
 
-    void verifyRs(final Algorithm algorithm, final String[] pieces, final PublicKey publicKey) throws SignatureException, NoSuchAlgorithmException, InvalidKeyException, JWTAlgorithmException {
+    private void verifyRs(final Algorithm algorithm, final String[] pieces, final PublicKey publicKey) throws SignatureException, NoSuchAlgorithmException, InvalidKeyException, JWTAlgorithmException {
         if (publicKey == null) {
             throw new IllegalStateException("PublicKey cannot be null when using algorithm: " + algorithm.getValue());
         }
         final byte[] decodedSignatureBytes = new Base64(true).decode(pieces[2]);
-        final byte[] headerPayloadBytes = new StringBuilder(pieces[0]).append(".").append(pieces[1]).toString().getBytes();
+        final byte[] headerPayloadBytes = (pieces[0] + "." + pieces[1]).getBytes();
         final boolean verified = verifySignatureWithPublicKey(this.publicKey, headerPayloadBytes, decodedSignatureBytes, algorithm);
         if (!verified) {
             throw new SignatureException("signature verification failed");
@@ -175,42 +176,52 @@ private boolean verifySignatureWithPublicKey(final PublicKey publicKey, final by
         }
     }
 
-    protected void verifyExpiration(final JsonNode jwtClaims) throws JWTExpiredException {
+    void verifyExpiration(final JsonNode jwtClaims) throws JWTExpiredException {
         Validate.notNull(jwtClaims);
         final long expiration = jwtClaims.has("exp") ? jwtClaims.get("exp").asLong(0) : 0;
         if (expiration != 0 && System.currentTimeMillis() / 1000L >= expiration) {
             throw new JWTExpiredException("jwt expired", expiration);
         }
     }
 
-    protected void verifyIssuer(final JsonNode jwtClaims) throws JWTIssuerException {
+    void verifyIssuer(final JsonNode jwtClaims) throws JWTIssuerException {
         Validate.notNull(jwtClaims);
+
+        if (this.issuer == null ) {
+            return;
+        }
+
         final String issuerFromToken = jwtClaims.has("iss") ? jwtClaims.get("iss").asText() : null;
-        if (issuerFromToken != null && issuer != null && !issuer.equals(issuerFromToken)) {
+
+        if (issuerFromToken == null || !issuer.equals(issuerFromToken)) {
             throw new JWTIssuerException("jwt issuer invalid", issuerFromToken);
         }
     }
 
-    protected void verifyAudience(final JsonNode jwtClaims) throws JWTAudienceException {
+    void verifyAudience(final JsonNode jwtClaims) throws JWTAudienceException {
         Validate.notNull(jwtClaims);
-        if (audience == null)
+        if (audience == null) {
             return;
+        }
         final JsonNode audNode = jwtClaims.get("aud");
-        if (audNode == null)
-            return;
+        if (audNode == null) {
+            throw new JWTAudienceException("jwt audience invalid", null);
+        }
         if (audNode.isArray()) {
             for (final JsonNode jsonNode : audNode) {
-                if (audience.equals(jsonNode.textValue()))
+                if (audience.equals(jsonNode.textValue())) {
                     return;
+                }
             }
         } else if (audNode.isTextual()) {
-            if (audience.equals(audNode.textValue()))
+            if (audience.equals(audNode.textValue())) {
                 return;
+            }
         }
         throw new JWTAudienceException("jwt audience invalid", audNode);
     }
 
-    protected Algorithm getAlgorithm(final JsonNode jwtHeader) throws JWTAlgorithmException {
+    Algorithm getAlgorithm(final JsonNode jwtHeader) throws JWTAlgorithmException {
         Validate.notNull(jwtHeader);
         final String algorithmName = jwtHeader.has("alg") ? jwtHeader.get("alg").asText() : null;
         if (jwtHeader.get("alg") == null) {
@@ -219,11 +230,10 @@ protected Algorithm getAlgorithm(final JsonNode jwtHeader) throws JWTAlgorithmEx
         return Algorithm.findByName(algorithmName);
     }
 
-    protected JsonNode decodeAndParse(final String b64String) throws IOException {
+    JsonNode decodeAndParse(final String b64String) throws IOException {
         Validate.notNull(b64String);
         final String jsonString = new String(decoder.decode(b64String), "UTF-8");
-        final JsonNode jwtHeader = mapper.readValue(jsonString, JsonNode.class);
-        return jwtHeader;
+        return mapper.readValue(jsonString, JsonNode.class);
     }
 
 }
diff --git a/src/test/java/com/auth0/jwt/JWTVerifierTest.java b/src/test/java/com/auth0/jwt/JWTVerifierTest.java

Original file line number	Diff line number	Diff line change
`@@ -14,13 +14,11 @@ public class JWTAudienceException extends JWTVerifyException {`
`14`	`14`	`private JsonNode audienceNode;`
`15`	`15`
`16`	`16`	`public JWTAudienceException(final JsonNode audienceNode) {`
`17`		`- Validate.notNull(audienceNode);`
`18`	`17`	`this.audienceNode = audienceNode;`
`19`	`18`	`}`
`20`	`19`
`21`	`20`	`public JWTAudienceException(final String message, final JsonNode audienceNode) {`
`22`	`21`	`super(message);`
`23`		`- Validate.notNull(audienceNode);`
`24`	`22`	`this.audienceNode = audienceNode;`
`25`	`23`	`}`
`26`	`24`