From 386100d930ffd85da112ebae432175d0d045534a Mon Sep 17 00:00:00 2001 From: Luciano Balmaceda Date: Tue, 22 Nov 2016 11:56:52 -0300 Subject: [PATCH] make HMAC algorithm accept secret bytes --- .../com/auth0/jwt/algorithms/Algorithm.java | 47 ++++++- .../auth0/jwt/algorithms/HMACAlgorithm.java | 31 +++-- .../auth0/jwt/algorithms/AlgorithmTest.java | 78 ++++++++++-- .../jwt/algorithms/HMACAlgorithmTest.java | 115 +++++++++++++++--- 4 files changed, 231 insertions(+), 40 deletions(-) diff --git a/lib/src/main/java/com/auth0/jwt/algorithms/Algorithm.java b/lib/src/main/java/com/auth0/jwt/algorithms/Algorithm.java index b9684da8..b74b1aa3 100644 --- a/lib/src/main/java/com/auth0/jwt/algorithms/Algorithm.java +++ b/lib/src/main/java/com/auth0/jwt/algorithms/Algorithm.java @@ -3,6 +3,7 @@ import com.auth0.jwt.exceptions.SignatureGenerationException; import com.auth0.jwt.exceptions.SignatureVerificationException; +import java.io.UnsupportedEncodingException; import java.security.interfaces.ECKey; import java.security.interfaces.RSAKey; @@ -52,9 +53,10 @@ public static Algorithm RSA512(RSAKey key) throws IllegalArgumentException { * * @param secret the secret to use in the verify or signing instance. * @return a valid HMAC256 Algorithm. - * @throws IllegalArgumentException if the provided Secret is null. + * @throws IllegalArgumentException if the provided Secret is null. + * @throws UnsupportedEncodingException if the current Java platform implementation doesn't support the UTF-8 character encoding. */ - public static Algorithm HMAC256(String secret) throws IllegalArgumentException { + public static Algorithm HMAC256(String secret) throws IllegalArgumentException, UnsupportedEncodingException { return new HMACAlgorithm("HS256", "HmacSHA256", secret); } @@ -63,9 +65,10 @@ public static Algorithm HMAC256(String secret) throws IllegalArgumentException { * * @param secret the secret to use in the verify or signing instance. * @return a valid HMAC384 Algorithm. - * @throws IllegalArgumentException if the provided Secret is null. + * @throws IllegalArgumentException if the provided Secret is null. + * @throws UnsupportedEncodingException if the current Java platform implementation doesn't support the UTF-8 character encoding. */ - public static Algorithm HMAC384(String secret) throws IllegalArgumentException { + public static Algorithm HMAC384(String secret) throws IllegalArgumentException, UnsupportedEncodingException { return new HMACAlgorithm("HS384", "HmacSHA384", secret); } @@ -74,9 +77,43 @@ public static Algorithm HMAC384(String secret) throws IllegalArgumentException { * * @param secret the secret to use in the verify or signing instance. * @return a valid HMAC512 Algorithm. + * @throws IllegalArgumentException if the provided Secret is null. + * @throws UnsupportedEncodingException if the current Java platform implementation doesn't support the UTF-8 character encoding. + */ + public static Algorithm HMAC512(String secret) throws IllegalArgumentException, UnsupportedEncodingException { + return new HMACAlgorithm("HS512", "HmacSHA512", secret); + } + + /** + * Creates a new Algorithm instance using HmacSHA256. Tokens specify this as "HS256". + * + * @param secret the secret bytes to use in the verify or signing instance. + * @return a valid HMAC256 Algorithm. + * @throws IllegalArgumentException if the provided Secret is null. + */ + public static Algorithm HMAC256(byte[] secret) throws IllegalArgumentException { + return new HMACAlgorithm("HS256", "HmacSHA256", secret); + } + + /** + * Creates a new Algorithm instance using HmacSHA384. Tokens specify this as "HS384". + * + * @param secret the secret bytes to use in the verify or signing instance. + * @return a valid HMAC384 Algorithm. + * @throws IllegalArgumentException if the provided Secret is null. + */ + public static Algorithm HMAC384(byte[] secret) throws IllegalArgumentException { + return new HMACAlgorithm("HS384", "HmacSHA384", secret); + } + + /** + * Creates a new Algorithm instance using HmacSHA512. Tokens specify this as "HS512". + * + * @param secret the secret bytes to use in the verify or signing instance. + * @return a valid HMAC512 Algorithm. * @throws IllegalArgumentException if the provided Secret is null. */ - public static Algorithm HMAC512(String secret) throws IllegalArgumentException { + public static Algorithm HMAC512(byte[] secret) throws IllegalArgumentException { return new HMACAlgorithm("HS512", "HmacSHA512", secret); } diff --git a/lib/src/main/java/com/auth0/jwt/algorithms/HMACAlgorithm.java b/lib/src/main/java/com/auth0/jwt/algorithms/HMACAlgorithm.java index b70fa538..63f2d580 100644 --- a/lib/src/main/java/com/auth0/jwt/algorithms/HMACAlgorithm.java +++ b/lib/src/main/java/com/auth0/jwt/algorithms/HMACAlgorithm.java @@ -2,36 +2,49 @@ import com.auth0.jwt.exceptions.SignatureGenerationException; import com.auth0.jwt.exceptions.SignatureVerificationException; +import org.apache.commons.codec.CharEncoding; +import java.io.UnsupportedEncodingException; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; class HMACAlgorithm extends Algorithm { private final CryptoHelper crypto; - private final String secret; + private final byte[] secret; - HMACAlgorithm(CryptoHelper crypto, String id, String algorithm, String secret) throws IllegalArgumentException { + HMACAlgorithm(CryptoHelper crypto, String id, String algorithm, byte[] secretBytes) throws IllegalArgumentException { super(id, algorithm); - if (secret == null) { + if (secretBytes == null) { throw new IllegalArgumentException("The Secret cannot be null"); } - this.secret = secret; + this.secret = secretBytes; this.crypto = crypto; } - HMACAlgorithm(String id, String algorithm, String secret) throws IllegalArgumentException { - this(new CryptoHelper(), id, algorithm, secret); + HMACAlgorithm(String id, String algorithm, byte[] secretBytes) throws IllegalArgumentException { + this(new CryptoHelper(), id, algorithm, secretBytes); + } + + HMACAlgorithm(String id, String algorithm, String secret) throws IllegalArgumentException, UnsupportedEncodingException { + this(new CryptoHelper(), id, algorithm, getSecretBytes(secret)); + } + + static byte[] getSecretBytes(String secret) throws IllegalArgumentException, UnsupportedEncodingException { + if (secret == null) { + throw new IllegalArgumentException("The Secret cannot be null"); + } + return secret.getBytes(CharEncoding.UTF_8); } - String getSecret() { + byte[] getSecret() { return secret; } @Override public void verify(byte[] contentBytes, byte[] signatureBytes) throws SignatureVerificationException { try { - boolean valid = crypto.verifySignatureFor(getDescription(), secret.getBytes(), contentBytes, signatureBytes); + boolean valid = crypto.verifySignatureFor(getDescription(), secret, contentBytes, signatureBytes); if (!valid) { throw new SignatureVerificationException(this); } @@ -43,7 +56,7 @@ public void verify(byte[] contentBytes, byte[] signatureBytes) throws SignatureV @Override public byte[] sign(byte[] contentBytes) throws SignatureGenerationException { try { - return crypto.createSignatureFor(getDescription(), secret.getBytes(), contentBytes); + return crypto.createSignatureFor(getDescription(), secret, contentBytes); } catch (NoSuchAlgorithmException | InvalidKeyException e) { throw new SignatureGenerationException(this, e); } diff --git a/lib/src/test/java/com/auth0/jwt/algorithms/AlgorithmTest.java b/lib/src/test/java/com/auth0/jwt/algorithms/AlgorithmTest.java index 2d44d30a..c52ff64a 100644 --- a/lib/src/test/java/com/auth0/jwt/algorithms/AlgorithmTest.java +++ b/lib/src/test/java/com/auth0/jwt/algorithms/AlgorithmTest.java @@ -17,25 +17,52 @@ public class AlgorithmTest { public ExpectedException exception = ExpectedException.none(); + @Test + public void shouldThrowHMAC256VerificationWithNullSecretBytes() throws Exception { + exception.expect(IllegalArgumentException.class); + exception.expectMessage("The Secret cannot be null"); + byte[] secret = null; + Algorithm.HMAC256(secret); + } + + @Test + public void shouldThrowHMAC384VerificationWithNullSecretBytes() throws Exception { + exception.expect(IllegalArgumentException.class); + exception.expectMessage("The Secret cannot be null"); + byte[] secret = null; + Algorithm.HMAC384(secret); + } + + @Test + public void shouldThrowHMAC512VerificationWithNullSecretBytes() throws Exception { + exception.expect(IllegalArgumentException.class); + exception.expectMessage("The Secret cannot be null"); + byte[] secret = null; + Algorithm.HMAC512(secret); + } + @Test public void shouldThrowHMAC256VerificationWithNullSecret() throws Exception { exception.expect(IllegalArgumentException.class); exception.expectMessage("The Secret cannot be null"); - Algorithm.HMAC256(null); + String secret = null; + Algorithm.HMAC256(secret); } @Test public void shouldThrowHMAC384VerificationWithNullSecret() throws Exception { exception.expect(IllegalArgumentException.class); exception.expectMessage("The Secret cannot be null"); - Algorithm.HMAC384(null); + String secret = null; + Algorithm.HMAC384(secret); } @Test public void shouldThrowHMAC512VerificationWithNullSecret() throws Exception { exception.expect(IllegalArgumentException.class); exception.expectMessage("The Secret cannot be null"); - Algorithm.HMAC512(null); + String secret = null; + Algorithm.HMAC512(secret); } @Test @@ -81,36 +108,69 @@ public void shouldThrowECDSA512VerificationWithNullPublicKey() throws Exception } @Test - public void shouldCreateHMAC256Algorithm() throws Exception { + public void shouldCreateHMAC256AlgorithmWithBytes() throws Exception { + Algorithm algorithm = Algorithm.HMAC256("secret".getBytes()); + + assertThat(algorithm, is(notNullValue())); + assertThat(algorithm, is(instanceOf(HMACAlgorithm.class))); + assertThat(algorithm.getDescription(), is("HmacSHA256")); + assertThat(algorithm.getName(), is("HS256")); + assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret".getBytes())); + } + + @Test + public void shouldCreateHMAC384AlgorithmWithBytes() throws Exception { + Algorithm algorithm = Algorithm.HMAC384("secret".getBytes()); + + assertThat(algorithm, is(notNullValue())); + assertThat(algorithm, is(instanceOf(HMACAlgorithm.class))); + assertThat(algorithm.getDescription(), is("HmacSHA384")); + assertThat(algorithm.getName(), is("HS384")); + assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret".getBytes())); + } + + @Test + public void shouldCreateHMAC512AlgorithmWithBytes() throws Exception { + Algorithm algorithm = Algorithm.HMAC512("secret".getBytes()); + + assertThat(algorithm, is(notNullValue())); + assertThat(algorithm, is(instanceOf(HMACAlgorithm.class))); + assertThat(algorithm.getDescription(), is("HmacSHA512")); + assertThat(algorithm.getName(), is("HS512")); + assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret".getBytes())); + } + + @Test + public void shouldCreateHMAC256AlgorithmWithString() throws Exception { Algorithm algorithm = Algorithm.HMAC256("secret"); assertThat(algorithm, is(notNullValue())); assertThat(algorithm, is(instanceOf(HMACAlgorithm.class))); assertThat(algorithm.getDescription(), is("HmacSHA256")); assertThat(algorithm.getName(), is("HS256")); - assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret")); + assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret".getBytes())); } @Test - public void shouldCreateHMAC384Algorithm() throws Exception { + public void shouldCreateHMAC384AlgorithmWithString() throws Exception { Algorithm algorithm = Algorithm.HMAC384("secret"); assertThat(algorithm, is(notNullValue())); assertThat(algorithm, is(instanceOf(HMACAlgorithm.class))); assertThat(algorithm.getDescription(), is("HmacSHA384")); assertThat(algorithm.getName(), is("HS384")); - assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret")); + assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret".getBytes())); } @Test - public void shouldCreateHMAC512Algorithm() throws Exception { + public void shouldCreateHMAC512AlgorithmWithString() throws Exception { Algorithm algorithm = Algorithm.HMAC512("secret"); assertThat(algorithm, is(notNullValue())); assertThat(algorithm, is(instanceOf(HMACAlgorithm.class))); assertThat(algorithm.getDescription(), is("HmacSHA512")); assertThat(algorithm.getName(), is("HS512")); - assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret")); + assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret".getBytes())); } @Test diff --git a/lib/src/test/java/com/auth0/jwt/algorithms/HMACAlgorithmTest.java b/lib/src/test/java/com/auth0/jwt/algorithms/HMACAlgorithmTest.java index ee4e33e6..2b063f87 100644 --- a/lib/src/test/java/com/auth0/jwt/algorithms/HMACAlgorithmTest.java +++ b/lib/src/test/java/com/auth0/jwt/algorithms/HMACAlgorithmTest.java @@ -9,9 +9,11 @@ import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; +import java.util.Arrays; import static org.hamcrest.Matchers.*; import static org.junit.Assert.assertThat; +import static org.junit.Assert.assertTrue; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyString; import static org.mockito.Mockito.mock; @@ -24,15 +26,24 @@ public class HMACAlgorithmTest { // Verify + @Test + public void shouldGetStringBytes() throws Exception { + String text = "abcdef123456!@#$%^"; + byte[] expectedBytes = text.getBytes("UTF-8"); + assertTrue(Arrays.equals(expectedBytes, HMACAlgorithm.getSecretBytes(text))); + } + @Test public void shouldPassHMAC256Verification() throws Exception { String jwt = "eyJhbGciOiJIUzI1NiIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.mZ0m_N1J4PgeqWmi903JuUoDRZDBPB7HwkS4nVyWH1M"; - Algorithm algorithm = Algorithm.HMAC256("secret"); - AlgorithmUtils.verify(algorithm, jwt); + Algorithm algorithmString = Algorithm.HMAC256("secret"); + Algorithm algorithmBytes = Algorithm.HMAC256("secret".getBytes()); + AlgorithmUtils.verify(algorithmString, jwt); + AlgorithmUtils.verify(algorithmBytes, jwt); } @Test - public void shouldFailHMAC256VerificationWithInvalidSecret() throws Exception { + public void shouldFailHMAC256VerificationWithInvalidSecretString() throws Exception { exception.expect(SignatureVerificationException.class); exception.expectMessage("The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA256"); String jwt = "eyJhbGciOiJIUzI1NiIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.mZ0m_N1J4PgeqWmi903JuUoDRZDBPB7HwkS4nVyWH1M"; @@ -40,15 +51,26 @@ public void shouldFailHMAC256VerificationWithInvalidSecret() throws Exception { AlgorithmUtils.verify(algorithm, jwt); } + @Test + public void shouldFailHMAC256VerificationWithInvalidSecretBytes() throws Exception { + exception.expect(SignatureVerificationException.class); + exception.expectMessage("The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA256"); + String jwt = "eyJhbGciOiJIUzI1NiIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.mZ0m_N1J4PgeqWmi903JuUoDRZDBPB7HwkS4nVyWH1M"; + Algorithm algorithm = Algorithm.HMAC256("not_real_secret".getBytes()); + AlgorithmUtils.verify(algorithm, jwt); + } + @Test public void shouldPassHMAC384Verification() throws Exception { String jwt = "eyJhbGciOiJIUzM4NCIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.uztpK_wUMYJhrRv8SV-1LU4aPnwl-EM1q-wJnqgyb5DHoDteP6lN_gE1xnZJH5vw"; - Algorithm algorithm = Algorithm.HMAC384("secret"); - AlgorithmUtils.verify(algorithm, jwt); + Algorithm algorithmString = Algorithm.HMAC384("secret"); + Algorithm algorithmBytes = Algorithm.HMAC384("secret".getBytes()); + AlgorithmUtils.verify(algorithmString, jwt); + AlgorithmUtils.verify(algorithmBytes, jwt); } @Test - public void shouldFailHMAC384VerificationWithInvalidSecret() throws Exception { + public void shouldFailHMAC384VerificationWithInvalidSecretString() throws Exception { exception.expect(SignatureVerificationException.class); exception.expectMessage("The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA384"); String jwt = "eyJhbGciOiJIUzM4NCIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.uztpK_wUMYJhrRv8SV-1LU4aPnwl-EM1q-wJnqgyb5DHoDteP6lN_gE1xnZJH5vw"; @@ -56,15 +78,26 @@ public void shouldFailHMAC384VerificationWithInvalidSecret() throws Exception { AlgorithmUtils.verify(algorithm, jwt); } + @Test + public void shouldFailHMAC384VerificationWithInvalidSecretBytes() throws Exception { + exception.expect(SignatureVerificationException.class); + exception.expectMessage("The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA384"); + String jwt = "eyJhbGciOiJIUzM4NCIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.uztpK_wUMYJhrRv8SV-1LU4aPnwl-EM1q-wJnqgyb5DHoDteP6lN_gE1xnZJH5vw"; + Algorithm algorithm = Algorithm.HMAC384("not_real_secret".getBytes()); + AlgorithmUtils.verify(algorithm, jwt); + } + @Test public void shouldPassHMAC512Verification() throws Exception { String jwt = "eyJhbGciOiJIUzUxMiIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.VUo2Z9SWDV-XcOc_Hr6Lff3vl7L9e5Vb8ThXpmGDFjHxe3Dr1ZBmUChYF-xVA7cAdX1P_D4ZCUcsv3IefpVaJw"; - Algorithm algorithm = Algorithm.HMAC512("secret"); - AlgorithmUtils.verify(algorithm, jwt); + Algorithm algorithmString = Algorithm.HMAC512("secret"); + Algorithm algorithmBytes = Algorithm.HMAC512("secret".getBytes()); + AlgorithmUtils.verify(algorithmString, jwt); + AlgorithmUtils.verify(algorithmBytes, jwt); } @Test - public void shouldFailHMAC512VerificationWithInvalidSecret() throws Exception { + public void shouldFailHMAC512VerificationWithInvalidSecretString() throws Exception { exception.expect(SignatureVerificationException.class); exception.expectMessage("The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA512"); String jwt = "eyJhbGciOiJIUzUxMiIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.VUo2Z9SWDV-XcOc_Hr6Lff3vl7L9e5Vb8ThXpmGDFjHxe3Dr1ZBmUChYF-xVA7cAdX1P_D4ZCUcsv3IefpVaJw"; @@ -72,6 +105,15 @@ public void shouldFailHMAC512VerificationWithInvalidSecret() throws Exception { AlgorithmUtils.verify(algorithm, jwt); } + @Test + public void shouldFailHMAC512VerificationWithInvalidSecretBytes() throws Exception { + exception.expect(SignatureVerificationException.class); + exception.expectMessage("The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA512"); + String jwt = "eyJhbGciOiJIUzUxMiIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.VUo2Z9SWDV-XcOc_Hr6Lff3vl7L9e5Vb8ThXpmGDFjHxe3Dr1ZBmUChYF-xVA7cAdX1P_D4ZCUcsv3IefpVaJw"; + Algorithm algorithm = Algorithm.HMAC512("not_real_secret".getBytes()); + AlgorithmUtils.verify(algorithm, jwt); + } + @Test public void shouldThrowOnVerifyWhenSignatureAlgorithmDoesNotExists() throws Exception { exception.expect(SignatureVerificationException.class); @@ -82,13 +124,13 @@ public void shouldThrowOnVerifyWhenSignatureAlgorithmDoesNotExists() throws Exce when(crypto.verifySignatureFor(anyString(), any(byte[].class), any(byte[].class), any(byte[].class))) .thenThrow(NoSuchAlgorithmException.class); - Algorithm algorithm = new HMACAlgorithm(crypto, "some-alg", "some-algorithm", "secret"); + Algorithm algorithm = new HMACAlgorithm(crypto, "some-alg", "some-algorithm", "secret".getBytes()); String jwt = "eyJhbGciOiJIUzI1NiIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.mZ0m_N1J4PgeqWmi903JuUoDRZDBPB7HwkS4nVyWH1M"; AlgorithmUtils.verify(algorithm, jwt); } @Test - public void shouldThrowOnVerifyhenTheSecretIsInvalid() throws Exception { + public void shouldThrowOnVerifyWhenTheSecretIsInvalid() throws Exception { exception.expect(SignatureVerificationException.class); exception.expectMessage("The Token's Signature resulted invalid when verified using the Algorithm: some-alg"); exception.expectCause(isA(InvalidKeyException.class)); @@ -97,7 +139,7 @@ public void shouldThrowOnVerifyhenTheSecretIsInvalid() throws Exception { when(crypto.verifySignatureFor(anyString(), any(byte[].class), any(byte[].class), any(byte[].class))) .thenThrow(InvalidKeyException.class); - Algorithm algorithm = new HMACAlgorithm(crypto, "some-alg", "some-algorithm", "secret"); + Algorithm algorithm = new HMACAlgorithm(crypto, "some-alg", "some-algorithm", "secret".getBytes()); String jwt = "eyJhbGciOiJIUzI1NiIsImN0eSI6IkpXVCJ9.eyJpc3MiOiJhdXRoMCJ9.mZ0m_N1J4PgeqWmi903JuUoDRZDBPB7HwkS4nVyWH1M"; AlgorithmUtils.verify(algorithm, jwt); } @@ -110,7 +152,46 @@ public void shouldThrowOnVerifyhenTheSecretIsInvalid() throws Exception { private static final String auth0IssPayload = "eyJpc3MiOiJhdXRoMCJ9"; @Test - public void shouldDoHMAC256Signing() throws Exception { + public void shouldDoHMAC256SigningWithBytes() throws Exception { + Algorithm algorithm = Algorithm.HMAC256("secret".getBytes()); + byte[] contentBytes = String.format("%s.%s", HS256Header, auth0IssPayload).getBytes(); + byte[] signatureBytes = algorithm.sign(contentBytes); + String signature = Base64.encodeBase64URLSafeString(signatureBytes); + String expectedSignature = "s69x7Mmu4JqwmdxiK6sesALO7tcedbFsKEEITUxw9ho"; + + assertThat(signatureBytes, is(notNullValue())); + assertThat(signature, is(expectedSignature)); + algorithm.verify(contentBytes, signatureBytes); + } + + @Test + public void shouldDoHMAC384SigningWithBytes() throws Exception { + Algorithm algorithm = Algorithm.HMAC384("secret".getBytes()); + byte[] contentBytes = String.format("%s.%s", HS384Header, auth0IssPayload).getBytes(); + byte[] signatureBytes = algorithm.sign(contentBytes); + String signature = Base64.encodeBase64URLSafeString(signatureBytes); + String expectedSignature = "4-y2Gxz_foN0jAOFimmBPF7DWxf4AsjM20zxNkHg8Zah5Q64G42P9GfjmUp4Hldt"; + + assertThat(signatureBytes, is(notNullValue())); + assertThat(signature, is(expectedSignature)); + algorithm.verify(contentBytes, signatureBytes); + } + + @Test + public void shouldDoHMAC512SigningWithBytes() throws Exception { + Algorithm algorithm = Algorithm.HMAC512("secret".getBytes()); + byte[] contentBytes = String.format("%s.%s", HS512Header, auth0IssPayload).getBytes(); + byte[] signatureBytes = algorithm.sign(contentBytes); + String signature = Base64.encodeBase64URLSafeString(signatureBytes); + String expectedSignature = "OXWyxmf-VcVo8viOiTFfLaEy6mrQqLEos5R82Xsx8mtFxQadJAQ1aVniIWN8qT2GNE_pMQPcdzk4x7Cqxsp1dw"; + + assertThat(signatureBytes, is(notNullValue())); + assertThat(signature, is(expectedSignature)); + algorithm.verify(contentBytes, signatureBytes); + } + + @Test + public void shouldDoHMAC256SigningWithString() throws Exception { Algorithm algorithm = Algorithm.HMAC256("secret"); byte[] contentBytes = String.format("%s.%s", HS256Header, auth0IssPayload).getBytes(); byte[] signatureBytes = algorithm.sign(contentBytes); @@ -123,7 +204,7 @@ public void shouldDoHMAC256Signing() throws Exception { } @Test - public void shouldDoHMAC384Signing() throws Exception { + public void shouldDoHMAC384SigningWithString() throws Exception { Algorithm algorithm = Algorithm.HMAC384("secret"); byte[] contentBytes = String.format("%s.%s", HS384Header, auth0IssPayload).getBytes(); byte[] signatureBytes = algorithm.sign(contentBytes); @@ -136,7 +217,7 @@ public void shouldDoHMAC384Signing() throws Exception { } @Test - public void shouldDoHMAC512Signing() throws Exception { + public void shouldDoHMAC512SigningWithString() throws Exception { Algorithm algorithm = Algorithm.HMAC512("secret"); byte[] contentBytes = String.format("%s.%s", HS512Header, auth0IssPayload).getBytes(); byte[] signatureBytes = algorithm.sign(contentBytes); @@ -158,7 +239,7 @@ public void shouldThrowOnSignWhenSignatureAlgorithmDoesNotExists() throws Except when(crypto.createSignatureFor(anyString(), any(byte[].class), any(byte[].class))) .thenThrow(NoSuchAlgorithmException.class); - Algorithm algorithm = new HMACAlgorithm(crypto, "some-alg", "some-algorithm", "secret"); + Algorithm algorithm = new HMACAlgorithm(crypto, "some-alg", "some-algorithm", "secret".getBytes()); algorithm.sign(new byte[0]); } @@ -172,7 +253,7 @@ public void shouldThrowOnSignWhenTheSecretIsInvalid() throws Exception { when(crypto.createSignatureFor(anyString(), any(byte[].class), any(byte[].class))) .thenThrow(InvalidKeyException.class); - Algorithm algorithm = new HMACAlgorithm(crypto, "some-alg", "some-algorithm", "secret"); + Algorithm algorithm = new HMACAlgorithm(crypto, "some-alg", "some-algorithm", "secret".getBytes()); algorithm.sign(new byte[0]); }