lccodes
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/JWTDecoder.java‎
Lines changed: 4 additions & 12 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/JWTDecoder.java‎
Lines changed: 4 additions & 12 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/Utils.java‎
Lines changed: 35 additions & 8 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/Utils.java‎
Lines changed: 35 additions & 8 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/enums/Algorithm.java‎
Lines changed: 29 additions & 0 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/enums/Algorithm.java‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/exceptions/AlgorithmMismatchException.java‎
Lines changed: 7 additions & 0 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/exceptions/AlgorithmMismatchException.java‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/exceptions/InvalidClaimException.java‎
Lines changed: 2 additions & 2 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/exceptions/InvalidClaimException.java‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/exceptions/SignatureVerificationException.java‎
Lines changed: 13 additions & 0 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/exceptions/SignatureVerificationException.java‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/impl/ClaimImpl.java‎
Lines changed: 2 additions & 4 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/impl/ClaimImpl.java‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/impl/HeaderImpl.java‎
Lines changed: 4 additions & 2 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/impl/HeaderImpl.java‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/impl/JWTVerifier.java‎
Lines changed: 65 additions & 7 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/impl/JWTVerifier.java‎
Lines changed: 65 additions & 7 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwtdecodejava/impl/PayloadImpl.java‎
Lines changed: 1 addition & 2 deletions b/‎lib/src/main/java/com/auth0/jwtdecodejava/impl/PayloadImpl.java‎
Lines changed: 1 addition & 2 deletions
@@ -1,12 +1,12 @@
 package com.auth0.jwtdecodejava;
 
+import com.auth0.jwtdecodejava.enums.Algorithm;
 import com.auth0.jwtdecodejava.exceptions.JWTException;
 import com.auth0.jwtdecodejava.impl.JWTParser;
 import com.auth0.jwtdecodejava.interfaces.Claim;
 import com.auth0.jwtdecodejava.interfaces.Header;
 import com.auth0.jwtdecodejava.interfaces.JWT;
 import com.auth0.jwtdecodejava.interfaces.Payload;
-import com.sun.istack.internal.NotNull;
 
 import java.util.Date;
 
@@ -27,23 +27,15 @@ public static JWT decode(String jwt) {
     }
 
     private void parseToken(String token) throws JWTException {
-        final String[] parts = splitToken(token);
+        final String[] parts = Utils.splitToken(token);
         final JWTParser converter = new JWTParser();
         header = converter.parseHeader(base64Decode(parts[0]));
         payload = converter.parsePayload(base64Decode(parts[1]));
         signature = parts[2];
     }
 
-    private String[] splitToken(String token) {
-        String[] parts = token.split("\\.");
-        if (parts.length != 3) {
-            throw new JWTException(String.format("The token was expected to have 3 parts, but got %s.", parts.length));
-        }
-        return parts;
-    }
-
     @Override
-    public String getAlgorithm() {
+    public Algorithm getAlgorithm() {
         return header.getAlgorithm();
     }
 
@@ -93,7 +85,7 @@ public String getId() {
     }
 
     @Override
-    public Claim getClaim(@NotNull String name) {
+    public Claim getClaim(String name) {
         return payload.getClaim(name);
     }
 
 
@@ -1,17 +1,19 @@
 package com.auth0.jwtdecodejava;
 
+import com.auth0.jwtdecodejava.enums.Algorithm;
 import com.auth0.jwtdecodejava.exceptions.JWTException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.sun.istack.internal.Nullable;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.codec.binary.StringUtils;
 
-import java.io.IOException;
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 
-class Utils {
+public class Utils {
 
-    @Nullable
-    static String base64Decode(String string) throws JWTException {
+    public static String base64Decode(String string) throws JWTException {
         String decoded;
         try {
             decoded = StringUtils.newStringUtf8(Base64.decodeBase64(string));
@@ -21,8 +23,7 @@ static String base64Decode(String string) throws JWTException {
         return decoded;
     }
 
-    @Nullable
-    static String base64Encode(String string) throws JWTException {
+    public static String base64Encode(String string) throws JWTException {
         String encoded;
         try {
             encoded = StringUtils.newStringUtf8(Base64.encodeBase64(string.getBytes(), false, true));
@@ -31,4 +32,30 @@ static String base64Encode(String string) throws JWTException {
         }
         return encoded;
     }
+
+    public static boolean verifyHS(String[] jwtParts, String secret, Algorithm algorithm) throws NoSuchAlgorithmException, InvalidKeyException {
+        if (secret == null) {
+            throw new IllegalArgumentException("The Secret cannot be null");
+        }
+        if (algorithm != Algorithm.HS256 && algorithm != Algorithm.HS384 && algorithm != Algorithm.HS512) {
+            throw new IllegalArgumentException("The Algorithm must be one of HS256, HS384, or HS512.");
+        }
+        Mac mac = Mac.getInstance(algorithm.toString());
+        mac.init(new SecretKeySpec(secret.getBytes(), algorithm.toString()));
+        String message = String.format("%s.%s", jwtParts[0], jwtParts[1]);
+        byte[] result = mac.doFinal(message.getBytes());
+        return MessageDigest.isEqual(result, Base64.decodeBase64(jwtParts[2]));
+    }
+
+    public static String[] splitToken(String token) {
+        String[] parts = token.split("\\.");
+        if (parts.length == 2 && token.endsWith(".")) {
+            //Tokens with alg='none' have empty String as Signature.
+            parts = new String[]{parts[0], parts[1], ""};
+        }
+        if (parts.length != 3) {
+            throw new JWTException(String.format("The token was expected to have 3 parts, but got %s.", parts.length));
+        }
+        return parts;
+    }
 }
@@ -0,0 +1,29 @@
+package com.auth0.jwtdecodejava.enums;
+
+import org.apache.commons.codec.digest.HmacAlgorithms;
+
+public enum Algorithm {
+    none(null),
+    HS256(HmacAlgorithms.HMAC_SHA_256.toString()),
+    HS384(HmacAlgorithms.HMAC_SHA_384.toString()),
+    HS512(HmacAlgorithms.HMAC_SHA_512.toString());
+
+    private final String description;
+
+    Algorithm(String description) {
+        this.description = description;
+    }
+
+    @Override
+    public String toString() {
+        return description;
+    }
+
+    public static Algorithm parseFrom(String algorithmName) {
+        try {
+            return Algorithm.valueOf(algorithmName);
+        } catch (IllegalArgumentException ignored) {
+            return null;
+        }
+    }
+}
@@ -0,0 +1,7 @@
+package com.auth0.jwtdecodejava.exceptions;
+
+public class AlgorithmMismatchException extends JWTException{
+    public AlgorithmMismatchException(String message) {
+        super(message);
+    }
+}
@@ -2,7 +2,7 @@
 
 
 public class InvalidClaimException extends JWTException {
-    public InvalidClaimException(String description) {
-        super(description);
+    public InvalidClaimException(String message) {
+        super(message);
     }
 }
@@ -0,0 +1,13 @@
+package com.auth0.jwtdecodejava.exceptions;
+
+import com.auth0.jwtdecodejava.enums.Algorithm;
+
+public class SignatureVerificationException extends JWTException {
+    public SignatureVerificationException(Algorithm algorithm) {
+        this(algorithm, null);
+    }
+
+    public SignatureVerificationException(Algorithm algorithm, Throwable cause) {
+        super("The Token's Signature resulted invalid when verified using the Algorithm: " + algorithm.name(), cause);
+    }
+}
@@ -5,7 +5,6 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.sun.istack.internal.NotNull;
 
 import java.lang.reflect.Array;
 import java.util.ArrayList;
@@ -17,7 +16,7 @@ class ClaimImpl extends BaseClaim {
 
     private final JsonNode data;
 
-    private ClaimImpl(@NotNull JsonNode node) {
+    private ClaimImpl(JsonNode node) {
         this.data = node;
     }
 
@@ -87,12 +86,11 @@ public <T> List<T> asList(Class<T> tClazz) throws JWTException {
         return list;
     }
 
-    public static Claim extractClaim(@NotNull String claimName, @NotNull Map<String, JsonNode> tree) {
+    public static Claim extractClaim(String claimName, Map<String, JsonNode> tree) {
         JsonNode node = tree.get(claimName);
         return claimFromNode(node);
     }
 
-    @NotNull
     public static Claim claimFromNode(JsonNode node) {
         if (node == null || node.isNull() || node.isMissingNode()) {
             return new BaseClaim();
 
@@ -1,5 +1,6 @@
 package com.auth0.jwtdecodejava.impl;
 
+import com.auth0.jwtdecodejava.enums.Algorithm;
 import com.auth0.jwtdecodejava.interfaces.Header;
 import com.fasterxml.jackson.databind.JsonNode;
 
@@ -16,8 +17,9 @@ class HeaderImpl implements Header {
     }
 
     @Override
-    public String getAlgorithm() {
-        return extractClaim(ALGORITHM, tree).asString();
+    public Algorithm getAlgorithm() {
+        String alg = extractClaim(ALGORITHM, tree).asString();
+        return Algorithm.parseFrom(alg);
     }
 
     @Override
 
@@ -1,24 +1,55 @@
 package com.auth0.jwtdecodejava.impl;
 
 import com.auth0.jwtdecodejava.JWTDecoder;
+import com.auth0.jwtdecodejava.Utils;
+import com.auth0.jwtdecodejava.enums.Algorithm;
+import com.auth0.jwtdecodejava.exceptions.AlgorithmMismatchException;
 import com.auth0.jwtdecodejava.exceptions.InvalidClaimException;
 import com.auth0.jwtdecodejava.exceptions.JWTException;
+import com.auth0.jwtdecodejava.exceptions.SignatureVerificationException;
 import com.auth0.jwtdecodejava.interfaces.JWT;
 
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;
 
 public class JWTVerifier {
+    private final Algorithm algorithm;
+    private final String secret;
     private final Map<String, Object> claims;
 
-    private JWTVerifier() {
+    private JWTVerifier(Algorithm algorithm, String secret) {
+        this.algorithm = algorithm;
+        this.secret = secret;
         this.claims = new HashMap<>();
     }
 
-    public static JWTVerifier init(){
-        return new JWTVerifier();
+    public static JWTVerifier init() throws IllegalArgumentException {
+        return init(Algorithm.none, null);
+    }
+
+    public static JWTVerifier init(Algorithm algorithm, String secret) throws IllegalArgumentException {
+        if (algorithm == null) {
+            throw new IllegalArgumentException("The Algorithm cannot be null.");
+        }
+        switch (algorithm) {
+            case HS256:
+            case HS384:
+            case HS512:
+                if (secret == null) {
+                    throw new IllegalArgumentException(String.format("You can't use the %s algorithm without providing a valid Secret.", algorithm.name()));
+                }
+                break;
+            case none:
+                if (secret != null) {
+                    throw new IllegalArgumentException("You can't use the Algorithm 'none' with a non-null Secret.");
+                }
+            default:
+        }
+        return new JWTVerifier(algorithm, secret);
     }
 
     public JWTVerifier withIssuer(String issuer) {
@@ -56,10 +87,37 @@ public JWTVerifier withJWTId(String jwtId) {
         return this;
     }
 
-    public JWT verify(String jwt) throws JWTException{
-        JWT decode = JWTDecoder.decode(jwt);
-        verifyClaims(decode, claims);
-        return decode;
+    public JWT verify(String token) throws JWTException {
+        JWT jwt = JWTDecoder.decode(token);
+        verifyClaims(jwt, claims);
+        verifyAlgorithm(jwt, algorithm);
+        verifySignature(Utils.splitToken(token));
+        return jwt;
+    }
+
+    private void verifySignature(String[] parts) {
+        switch (algorithm) {
+            case HS256:
+            case HS384:
+            case HS512:
+                try {
+                    Utils.verifyHS(parts, secret, algorithm);
+                } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+                    throw new SignatureVerificationException(algorithm, e);
+                }
+                break;
+            case none:
+                if (!parts[2].isEmpty()){
+                    throw new SignatureVerificationException(algorithm);
+                }
+            default:
+        }
+    }
+
+    private void verifyAlgorithm(JWT jwt, Algorithm expectedAlgorithm) throws AlgorithmMismatchException, IllegalArgumentException {
+        if (!expectedAlgorithm.equals(jwt.getAlgorithm())) {
+            throw new AlgorithmMismatchException("The provided Algorithm doesn't match the one defined in the JWT's Header.");
+        }
     }
 
     private void verifyClaims(JWT jwt, Map<String, Object> claims) {
 
@@ -3,7 +3,6 @@
 import com.auth0.jwtdecodejava.interfaces.Claim;
 import com.auth0.jwtdecodejava.interfaces.Payload;
 import com.fasterxml.jackson.databind.JsonNode;
-import com.sun.istack.internal.NotNull;
 
 import java.util.Date;
 import java.util.Map;
@@ -67,7 +66,7 @@ public String getId() {
     }
 
     @Override
-    public Claim getClaim(@NotNull String name) {
+    public Claim getClaim(String name) {
         return extractClaim(name, tree);
     }
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`
`3`	`3`
`4`	`4`	`public class InvalidClaimException extends JWTException {`
`5`		`- public InvalidClaimException(String description) {`
`6`		`- super(description);`
	`5`	`+ public InvalidClaimException(String message) {`
	`6`	`+ super(message);`
`7`	`7`	`}`
`8`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`package com.auth0.jwtdecodejava.impl;`
`2`	`2`
	`3`	`+import com.auth0.jwtdecodejava.enums.Algorithm;`
`3`	`4`	`import com.auth0.jwtdecodejava.interfaces.Header;`
`4`	`5`	`import com.fasterxml.jackson.databind.JsonNode;`
`5`	`6`
`@@ -16,8 +17,9 @@ class HeaderImpl implements Header {`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`@Override`
`19`		`- public String getAlgorithm() {`
`20`		`- return extractClaim(ALGORITHM, tree).asString();`
	`20`	`+ public Algorithm getAlgorithm() {`
	`21`	`+ String alg = extractClaim(ALGORITHM, tree).asString();`
	`22`	`+ return Algorithm.parseFrom(alg);`
`21`	`23`	`}`
`22`	`24`
`23`	`25`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,6 @@`
`3`	`3`	`import com.auth0.jwtdecodejava.interfaces.Claim;`
`4`	`4`	`import com.auth0.jwtdecodejava.interfaces.Payload;`
`5`	`5`	`import com.fasterxml.jackson.databind.JsonNode;`
`6`		`-import com.sun.istack.internal.NotNull;`
`7`	`6`
`8`	`7`	`import java.util.Date;`
`9`	`8`	`import java.util.Map;`
`@@ -67,7 +66,7 @@ public String getId() {`
`67`	`66`	`}`
`68`	`67`
`69`	`68`	`@Override`
`70`		`- public Claim getClaim(@NotNull String name) {`
	`69`	`+ public Claim getClaim(String name) {`
`71`	`70`	`return extractClaim(name, tree);`
`72`	`71`	`}`
`73`	`72`