/
JsonWebSignatureTest.java
164 lines (145 loc) · 7.18 KB
/
JsonWebSignatureTest.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
/*
* Copyright (c) 2012 Google Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
* in compliance with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License
* is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
* or implied. See the License for the specific language governing permissions and limitations under
* the License.
*/
package com.google.api.client.json.webtoken;
import com.google.api.client.testing.json.MockJsonFactory;
import com.google.api.client.testing.json.webtoken.TestCertificates;
import com.google.api.client.testing.util.SecurityTestUtils;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.X509TrustManager;
import com.google.api.client.util.Base64;
import com.google.api.client.util.StringUtils;
import org.junit.Assert;
import org.junit.Test;
/**
* Tests {@link JsonWebSignature}.
*
* @author Yaniv Inbar
*/
public class JsonWebSignatureTest {
@Test
public void testSign() throws Exception {
JsonWebSignature.Header header = new JsonWebSignature.Header();
header.setAlgorithm("RS256");
header.setType("JWT");
JsonWebToken.Payload payload = new JsonWebToken.Payload();
payload
.setIssuer("issuer")
.setAudience("audience")
.setIssuedAtTimeSeconds(0L)
.setExpirationTimeSeconds(3600L);
RSAPrivateKey privateKey = SecurityTestUtils.newRsaPrivateKey();
Assert.assertEquals(
"..kDmKaHNYByLmqAi9ROeLcFmZM7W_emsceKvDZiEGAo-ineCunC6_Nb0HEpAuzIidV-LYTMHS3BvI49KFz9gi6hI3"
+ "ZndDL5EzplpFJo1ZclVk1_hLn94P2OTAkZ4ydsTfus6Bl98EbCkInpF_2t5Fr8OaHxCZCDdDU7W5DSnOsx4",
JsonWebSignature.signUsingRsaSha256(privateKey, new MockJsonFactory(), header, payload));
}
private X509Certificate verifyX509WithCaCert(TestCertificates.CertData caCert)
throws IOException, GeneralSecurityException {
JsonWebSignature signature = TestCertificates.getJsonWebSignature();
X509TrustManager trustManager = caCert.getTrustManager();
return signature.verifySignature(trustManager);
}
@Test
public void testImmutableSignatureBytes() throws IOException {
JsonWebSignature signature = TestCertificates.getJsonWebSignature();
byte[] bytes = signature.getSignatureBytes();
bytes[0] = (byte) (bytes[0] + 1);
byte[] bytes2 = signature.getSignatureBytes();
Assert.assertNotEquals(bytes2[0], bytes[0]);
}
@Test
public void testImmutableSignedContentBytes() throws IOException {
JsonWebSignature signature = TestCertificates.getJsonWebSignature();
byte[] bytes = signature.getSignedContentBytes();
bytes[0] = (byte) (bytes[0] + 1);
byte[] bytes2 = signature.getSignedContentBytes();
Assert.assertNotEquals(bytes2[0], bytes[0]);
}
@Test
public void testImmutableCertificates() throws IOException {
JsonWebSignature signature = TestCertificates.getJsonWebSignature();
List<String> certificates = signature.getHeader().getX509Certificates();
certificates.set(0, "foo");
Assert.assertNotEquals("foo", signature.getHeader().getX509Certificates().get(0));
}
@Test
public void testImmutableCritical() throws IOException {
JsonWebSignature signature = TestCertificates.getJsonWebSignature();
List<String> critical = new ArrayList<>();
signature.getHeader().setCritical(critical);
critical.add("bar");
Assert.assertNull(signature.getHeader().getCritical());
}
@Test
public void testCriticalNullForNone() throws IOException {
JsonWebSignature signature = TestCertificates.getJsonWebSignature();
Assert.assertNull(signature.getHeader().getCritical());
}
@Test
public void testVerifyX509() throws Exception {
X509Certificate signatureCert = verifyX509WithCaCert(TestCertificates.CA_CERT);
Assert.assertNotNull(signatureCert);
Assert.assertTrue(signatureCert.getSubjectDN().getName().startsWith("CN=foo.bar.com"));
}
@Test
public void testVerifyX509WrongCa() throws Exception {
Assert.assertNull(verifyX509WithCaCert(TestCertificates.BOGUS_CA_CERT));
}
private static final String ES256_CONTENT = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Im1wZjBEQSJ9.eyJhdWQiOiIvcHJvamVjdHMvNjUyNTYyNzc2Nzk4L2FwcHMvY2xvdWQtc2FtcGxlcy10ZXN0cy1waHAtaWFwIiwiZW1haWwiOiJjaGluZ29yQGdvb2dsZS5jb20iLCJleHAiOjE1ODQwNDc2MTcsImdvb2dsZSI6eyJhY2Nlc3NfbGV2ZWxzIjpbImFjY2Vzc1BvbGljaWVzLzUxODU1MTI4MDkyNC9hY2Nlc3NMZXZlbHMvcmVjZW50U2VjdXJlQ29ubmVjdERhdGEiLCJhY2Nlc3NQb2xpY2llcy81MTg1NTEyODA5MjQvYWNjZXNzTGV2ZWxzL3Rlc3ROb09wIiwiYWNjZXNzUG9saWNpZXMvNTE4NTUxMjgwOTI0L2FjY2Vzc0xldmVscy9ldmFwb3JhdGlvblFhRGF0YUZ1bGx5VHJ1c3RlZCJdfSwiaGQiOiJnb29nbGUuY29tIiwiaWF0IjoxNTg0MDQ3MDE3LCJpc3MiOiJodHRwczovL2Nsb3VkLmdvb2dsZS5jb20vaWFwIiwic3ViIjoiYWNjb3VudHMuZ29vZ2xlLmNvbToxMTIxODE3MTI3NzEyMDE5NzI4OTEifQ";
private static final String ES256_SIGNATURE = "yKNtdFY5EKkRboYNexBdfugzLhC3VuGyFcuFYA8kgpxMqfyxa41zkML68hYKrWu2kOBTUW95UnbGpsIi_u1fiA";
// x, y values for keyId "mpf0DA" from https://www.gstatic.com/iap/verify/public_key-jwk
private static final String GOOGLE_ES256_X = "fHEdeT3a6KaC1kbwov73ZwB_SiUHEyKQwUUtMCEn0aI";
private static final String GOOGLE_ES256_Y = "QWOjwPhInNuPlqjxLQyhveXpWqOFcQPhZ3t-koMNbZI";
private PublicKey buildEs256PublicKey(String x, String y)
throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
AlgorithmParameters parameters = AlgorithmParameters.getInstance("EC");
parameters.init(new ECGenParameterSpec("secp256r1"));
ECPublicKeySpec ecPublicKeySpec = new ECPublicKeySpec(
new ECPoint(
new BigInteger(1, Base64.decodeBase64(x)),
new BigInteger(1, Base64.decodeBase64(y))
),
parameters.getParameterSpec(ECParameterSpec.class)
);
KeyFactory keyFactory = KeyFactory.getInstance("EC");
return keyFactory.generatePublic(ecPublicKeySpec);
}
@Test
public void testVerifyES256() throws Exception {
PublicKey publicKey = buildEs256PublicKey(GOOGLE_ES256_X, GOOGLE_ES256_Y);
JsonWebSignature.Header header = new JsonWebSignature.Header();
header.setAlgorithm("ES256");
JsonWebSignature.Payload payload = new JsonWebToken.Payload();
byte[] signatureBytes = Base64.decodeBase64(ES256_SIGNATURE);
byte[] signedContentBytes = StringUtils.getBytesUtf8(ES256_CONTENT);
JsonWebSignature jsonWebSignature = new JsonWebSignature(header, payload, signatureBytes, signedContentBytes);
Assert.assertTrue(jsonWebSignature.verifySignature(publicKey));
}
}