/**
 * Returns a {@link SamlRequestIdManager} implementation based on JSON Web Tokens specification with
 * the {@link Algorithm} instance using {@code HmacSHA384}.
 *
 * <p>The given {@code secret} becomes the HMAC key, so its strength bounds the strength of every
 * request-ID signature; the remaining arguments are handed unchanged to the
 * {@link Algorithm}-accepting {@code ofJwt} overload.
 *
 * @param issuer the ID of the entity who issues a token
 * @param secret the secret which is used to generate a signature; must not be {@code null}
 * @param validSeconds the valid period of a token in seconds
 * @param leewaySeconds the leeway when there is a clock skew times between the signer and the verifier,
 *                      in seconds.
 * @throws NullPointerException if {@code secret} is {@code null}
 * @throws UnsupportedEncodingException if the underlying calls fail to encode the secret
 */
static SamlRequestIdManager ofJwt(String issuer, String secret, int validSeconds, int leewaySeconds)
        throws UnsupportedEncodingException {
    // Fail fast on a missing secret before an HMAC key is derived from it.
    final String hmacKey = requireNonNull(secret, "secret");
    return ofJwt(issuer, Algorithm.HMAC384(hmacKey), validSeconds, leewaySeconds);
}
/** The HS384 sample token must verify with the same secret supplied as a String and as UTF-8 bytes. */
@Test
public void shouldPassHMAC384Verification() throws Exception {
    final String token = "eyJhbGciOiJIUzM4NCIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.uztpK_wUMYJhrRv8SV-1LU4aPnwl-EM1q-wJnqgyb5DHoDteP6lN_gE1xnZJH5vw";
    final DecodedJWT parsed = JWT.decode(token);
    // Both factory overloads must derive the identical HMAC key from "secret".
    final Algorithm fromString = Algorithm.HMAC384("secret");
    final Algorithm fromBytes = Algorithm.HMAC384("secret".getBytes(StandardCharsets.UTF_8));
    fromString.verify(parsed);
    fromBytes.verify(parsed);
}
/** The byte[] factory must yield an HMAC algorithm that reports HmacSHA384 / HS384. */
@Test
public void shouldCreateHMAC384AlgorithmWithBytes() throws Exception {
    final byte[] rawKey = "secret".getBytes(StandardCharsets.UTF_8);
    final Algorithm hs384 = Algorithm.HMAC384(rawKey);
    assertThat(hs384, is(notNullValue()));
    assertThat(hs384, is(instanceOf(HMACAlgorithm.class)));
    // Description is the JCA Mac name; name is the JWS "alg" header value.
    assertThat(hs384.getDescription(), is("HmacSHA384"));
    assertThat(hs384.getName(), is("HS384"));
}
/** The String factory must yield an HMAC algorithm that reports HmacSHA384 / HS384. */
@Test
public void shouldCreateHMAC384AlgorithmWithString() throws Exception {
    final Algorithm hs384 = Algorithm.HMAC384("secret");
    assertThat(hs384, is(notNullValue()));
    assertThat(hs384, is(instanceOf(HMACAlgorithm.class)));
    // Description is the JCA Mac name; name is the JWS "alg" header value.
    assertThat(hs384.getDescription(), is("HmacSHA384"));
    assertThat(hs384.getName(), is("HS384"));
}
/** A verifier built for HS384 must accept the sample token signed with "secret". */
@Test
public void shouldAcceptHMAC384Algorithm() throws Exception {
    final String token = "eyJhbGciOiJIUzM4NCIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.uztpK_wUMYJhrRv8SV-1LU4aPnwl-EM1q-wJnqgyb5DHoDteP6lN_gE1xnZJH5vw";
    final Algorithm hs384 = Algorithm.HMAC384("secret");
    final DecodedJWT verified = JWT.require(hs384).build().verify(token);
    assertThat(verified, is(notNullValue()));
}
/** A null byte[] secret must be rejected up front rather than producing a keyless signer. */
@Test
public void shouldThrowHMAC384InstanceWithNullSecretBytes() throws Exception {
    exception.expect(IllegalArgumentException.class);
    exception.expectMessage("The Secret cannot be null");
    // A typed local selects the byte[] overload; a bare null literal would be ambiguous
    // with the String overload.
    final byte[] missingSecret = null;
    Algorithm.HMAC384(missingSecret);
}
/** Signing an empty claim set with HS384 must produce a well-formed header, an empty payload and a verifier. */
@Test
public void shouldCreateAnEmptyHMAC384SignedToken() throws Exception {
    final Algorithm signer = Algorithm.HMAC384("secret");
    final String token = JWT.create().sign(signer);
    assertThat(token, is(notNullValue()));
    final String[] segments = token.split("\\.");
    // The header must announce HS384 so a verifier selects the matching algorithm.
    final String header = new String(Base64.decodeBase64(segments[0]), StandardCharsets.UTF_8);
    assertThat(header, JsonMatcher.hasEntry("alg", "HS384"));
    assertThat(header, JsonMatcher.hasEntry("typ", "JWT"));
    // "e30" is the unpadded Base64url encoding of the empty JSON object "{}".
    assertThat(segments[1], is("e30"));
    final JWTVerifier verifier = JWT.require(signer).build();
    assertThat(verifier, is(notNullValue()));
}
/** A null String secret must be rejected up front rather than producing a keyless signer. */
@Test
public void shouldThrowHMAC384InstanceWithNullSecret() throws Exception {
    exception.expect(IllegalArgumentException.class);
    exception.expectMessage("The Secret cannot be null");
    // A typed local selects the String overload; a bare null literal would be ambiguous
    // with the byte[] overload.
    final String missingSecret = null;
    Algorithm.HMAC384(missingSecret);
}
/** Verifying with a different byte[] key must fail with a signature error, never succeed silently. */
@Test
public void shouldFailHMAC384VerificationWithInvalidSecretBytes() throws Exception {
    exception.expect(SignatureVerificationException.class);
    exception.expectMessage("The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA384");
    final String token = "eyJhbGciOiJIUzM4NCIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.uztpK_wUMYJhrRv8SV-1LU4aPnwl-EM1q-wJnqgyb5DHoDteP6lN_gE1xnZJH5vw";
    // The token was signed with "secret"; any other key must be rejected.
    final byte[] wrongKey = "not_real_secret".getBytes(StandardCharsets.UTF_8);
    final DecodedJWT parsed = JWT.decode(token);
    Algorithm.HMAC384(wrongKey).verify(parsed);
}
/** Signing with a byte[] key must reproduce the known-good HS384 signature and round-trip through verify. */
@Test
public void shouldDoHMAC384SigningWithBytes() throws Exception {
    final String expectedSignature = "4-y2Gxz_foN0jAOFimmBPF7DWxf4AsjM20zxNkHg8Zah5Q64G42P9GfjmUp4Hldt";
    final Algorithm signer = Algorithm.HMAC384("secret".getBytes(StandardCharsets.UTF_8));
    final String token = asJWT(signer, HS384Header, auth0IssPayload);
    assertSignaturePresent(token);
    // HMAC is deterministic, so the signature must match the fixed expected value exactly.
    assertSignatureValue(token, expectedSignature);
    // The same key must also accept what it just signed.
    signer.verify(JWT.decode(token));
}
/** An HS384 verifier pinned to issuer "auth0" must accept the sample token under concurrent use. */
@Test
public void shouldPassHMAC384Verification() throws Exception {
    final String token = "eyJhbGciOiJIUzM4NCIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.uztpK_wUMYJhrRv8SV-1LU4aPnwl-EM1q-wJnqgyb5DHoDteP6lN_gE1xnZJH5vw";
    // The verifier pins both the algorithm and the expected "iss" claim.
    final JWTVerifier verifier = JWTVerifier.init(Algorithm.HMAC384("secret"))
            .withIssuer("auth0")
            .build();
    concurrentVerify(verifier, token);
}
/** Verifying with a different String key must fail with a signature error, never succeed silently. */
@Test
public void shouldFailHMAC384VerificationWithInvalidSecretString() throws Exception {
    exception.expect(SignatureVerificationException.class);
    exception.expectMessage("The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA384");
    final String token = "eyJhbGciOiJIUzM4NCIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.uztpK_wUMYJhrRv8SV-1LU4aPnwl-EM1q-wJnqgyb5DHoDteP6lN_gE1xnZJH5vw";
    // The token was signed with "secret"; any other key must be rejected.
    final DecodedJWT parsed = JWT.decode(token);
    Algorithm.HMAC384("not_real_secret").verify(parsed);
}
/** Signing with a String key must reproduce the known-good HS384 signature and round-trip through verify. */
@Test
public void shouldDoHMAC384SigningWithString() throws Exception {
    final String expectedSignature = "4-y2Gxz_foN0jAOFimmBPF7DWxf4AsjM20zxNkHg8Zah5Q64G42P9GfjmUp4Hldt";
    final Algorithm signer = Algorithm.HMAC384("secret");
    final String token = asJWT(signer, HS384Header, auth0IssPayload);
    assertSignaturePresent(token);
    // HMAC is deterministic, so the signature must match the fixed expected value exactly.
    assertSignatureValue(token, expectedSignature);
    // The same key must also accept what it just signed.
    signer.verify(JWT.decode(token));
}
/**
 * Resolves an HMAC {@link Algorithm} from either its descriptive name or its JWS {@code alg} value.
 *
 * @param name {@code HMAC256}/{@code HS256}, {@code HMAC384}/{@code HS384} or {@code HMAC512}/{@code HS512}
 * @param key the raw HMAC key bytes handed to the matching {@link Algorithm} factory
 * @return the HMAC algorithm for {@code name}
 * @throws IllegalArgumentException if {@code name} (including {@code null}) matches none of the supported values
 */
private Algorithm getHMAC(String name, byte[] key) throws IllegalArgumentException {
    // A switch on a null String would throw NPE; the null case must fall through to the same IAE.
    if (name != null) {
        switch (name) {
            case "HMAC256":
            case "HS256":
                return Algorithm.HMAC256(key);
            case "HMAC384":
            case "HS384":
                return Algorithm.HMAC384(key);
            case "HMAC512":
            case "HS512":
                return Algorithm.HMAC512(key);
        }
    }
    throw new IllegalArgumentException("unknown HMAC algorithm " + name);
}
/**
 * Returns a {@link SamlRequestIdManager} implementation based on JSON Web Tokens specification with
 * the {@link Algorithm} instance using {@code HmacSHA384}.
 *
 * <p>The given {@code secret} becomes the HMAC key, so its strength bounds the strength of every
 * request-ID signature; the remaining arguments are handed unchanged to the
 * {@link Algorithm}-accepting {@code ofJwt} overload.
 *
 * @param issuer the ID of the entity who issues a token
 * @param secret the secret which is used to generate a signature; must not be {@code null}
 * @param validSeconds the valid period of a token in seconds
 * @param leewaySeconds the leeway when there is a clock skew times between the signer and the verifier,
 *                      in seconds.
 * @throws NullPointerException if {@code secret} is {@code null}
 * @throws UnsupportedEncodingException if the underlying calls fail to encode the secret
 */
static SamlRequestIdManager ofJwt(String issuer, String secret, int validSeconds, int leewaySeconds)
        throws UnsupportedEncodingException {
    // Fail fast on a missing secret before an HMAC key is derived from it.
    final String hmacKey = requireNonNull(secret, "secret");
    return ofJwt(issuer, Algorithm.HMAC384(hmacKey), validSeconds, leewaySeconds);
}
return Algorithm.HMAC384(key);