auth0 · lbalmaceda · Nov 22, 2016 · Nov 22, 2016
diff --git a/lib/src/main/java/com/auth0/jwt/algorithms/Algorithm.java b/lib/src/main/java/com/auth0/jwt/algorithms/Algorithm.java
@@ -3,6 +3,7 @@
 import com.auth0.jwt.exceptions.SignatureGenerationException;
 import com.auth0.jwt.exceptions.SignatureVerificationException;
 
+import java.io.UnsupportedEncodingException;
 import java.security.interfaces.ECKey;
 import java.security.interfaces.RSAKey;
 
@@ -52,9 +53,10 @@ public static Algorithm RSA512(RSAKey key) throws IllegalArgumentException {
      *
      * @param secret the secret to use in the verify or signing instance.
      * @return a valid HMAC256 Algorithm.
-     * @throws IllegalArgumentException if the provided Secret is null.
+     * @throws IllegalArgumentException     if the provided Secret is null.
+     * @throws UnsupportedEncodingException if the current Java platform implementation doesn't support the UTF-8 character encoding.
      */
-    public static Algorithm HMAC256(String secret) throws IllegalArgumentException {
+    public static Algorithm HMAC256(String secret) throws IllegalArgumentException, UnsupportedEncodingException {
         return new HMACAlgorithm("HS256", "HmacSHA256", secret);
     }
 
@@ -63,9 +65,10 @@ public static Algorithm HMAC256(String secret) throws IllegalArgumentException {
      *
      * @param secret the secret to use in the verify or signing instance.
      * @return a valid HMAC384 Algorithm.
-     * @throws IllegalArgumentException if the provided Secret is null.
+     * @throws IllegalArgumentException     if the provided Secret is null.
+     * @throws UnsupportedEncodingException if the current Java platform implementation doesn't support the UTF-8 character encoding.
      */
-    public static Algorithm HMAC384(String secret) throws IllegalArgumentException {
+    public static Algorithm HMAC384(String secret) throws IllegalArgumentException, UnsupportedEncodingException {
         return new HMACAlgorithm("HS384", "HmacSHA384", secret);
     }
 
@@ -74,9 +77,43 @@ public static Algorithm HMAC384(String secret) throws IllegalArgumentException {
      *
      * @param secret the secret to use in the verify or signing instance.
      * @return a valid HMAC512 Algorithm.
+     * @throws IllegalArgumentException     if the provided Secret is null.
+     * @throws UnsupportedEncodingException if the current Java platform implementation doesn't support the UTF-8 character encoding.
+     */
+    public static Algorithm HMAC512(String secret) throws IllegalArgumentException, UnsupportedEncodingException {
+        return new HMACAlgorithm("HS512", "HmacSHA512", secret);
+    }
+
+    /**
+     * Creates a new Algorithm instance using HmacSHA256. Tokens specify this as "HS256".
+     *
+     * @param secret the secret bytes to use in the verify or signing instance.
+     * @return a valid HMAC256 Algorithm.
+     * @throws IllegalArgumentException if the provided Secret is null.
+     */
+    public static Algorithm HMAC256(byte[] secret) throws IllegalArgumentException {
+        return new HMACAlgorithm("HS256", "HmacSHA256", secret);
+    }
+
+    /**
+     * Creates a new Algorithm instance using HmacSHA384. Tokens specify this as "HS384".
+     *
+     * @param secret the secret bytes to use in the verify or signing instance.
+     * @return a valid HMAC384 Algorithm.
+     * @throws IllegalArgumentException if the provided Secret is null.
+     */
+    public static Algorithm HMAC384(byte[] secret) throws IllegalArgumentException {
+        return new HMACAlgorithm("HS384", "HmacSHA384", secret);
+    }
+
+    /**
+     * Creates a new Algorithm instance using HmacSHA512. Tokens specify this as "HS512".
+     *
+     * @param secret the secret bytes to use in the verify or signing instance.
+     * @return a valid HMAC512 Algorithm.
      * @throws IllegalArgumentException if the provided Secret is null.
      */
-    public static Algorithm HMAC512(String secret) throws IllegalArgumentException {
+    public static Algorithm HMAC512(byte[] secret) throws IllegalArgumentException {
         return new HMACAlgorithm("HS512", "HmacSHA512", secret);
     }
 

diff --git a/lib/src/main/java/com/auth0/jwt/algorithms/HMACAlgorithm.java b/lib/src/main/java/com/auth0/jwt/algorithms/HMACAlgorithm.java
@@ -2,36 +2,49 @@
 
 import com.auth0.jwt.exceptions.SignatureGenerationException;
 import com.auth0.jwt.exceptions.SignatureVerificationException;
+import org.apache.commons.codec.CharEncoding;
 
+import java.io.UnsupportedEncodingException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 
 class HMACAlgorithm extends Algorithm {
 
     private final CryptoHelper crypto;
-    private final String secret;
+    private final byte[] secret;
 
-    HMACAlgorithm(CryptoHelper crypto, String id, String algorithm, String secret) throws IllegalArgumentException {
+    HMACAlgorithm(CryptoHelper crypto, String id, String algorithm, byte[] secretBytes) throws IllegalArgumentException {
         super(id, algorithm);
-        if (secret == null) {
+        if (secretBytes == null) {
             throw new IllegalArgumentException("The Secret cannot be null");
         }
-        this.secret = secret;
+        this.secret = secretBytes;
         this.crypto = crypto;
     }
 
-    HMACAlgorithm(String id, String algorithm, String secret) throws IllegalArgumentException {
-        this(new CryptoHelper(), id, algorithm, secret);
+    HMACAlgorithm(String id, String algorithm, byte[] secretBytes) throws IllegalArgumentException {
+        this(new CryptoHelper(), id, algorithm, secretBytes);
+    }
+
+    HMACAlgorithm(String id, String algorithm, String secret) throws IllegalArgumentException, UnsupportedEncodingException {
+        this(new CryptoHelper(), id, algorithm, getSecretBytes(secret));
+    }
+
+    static byte[] getSecretBytes(String secret) throws IllegalArgumentException, UnsupportedEncodingException {
+        if (secret == null) {
+            throw new IllegalArgumentException("The Secret cannot be null");
+        }
+        return secret.getBytes(CharEncoding.UTF_8);
     }
 
-    String getSecret() {
+    byte[] getSecret() {
         return secret;
     }
 
     @Override
     public void verify(byte[] contentBytes, byte[] signatureBytes) throws SignatureVerificationException {
         try {
-            boolean valid = crypto.verifySignatureFor(getDescription(), secret.getBytes(), contentBytes, signatureBytes);
+            boolean valid = crypto.verifySignatureFor(getDescription(), secret, contentBytes, signatureBytes);
             if (!valid) {
                 throw new SignatureVerificationException(this);
             }
@@ -43,7 +56,7 @@ public void verify(byte[] contentBytes, byte[] signatureBytes) throws SignatureV
     @Override
     public byte[] sign(byte[] contentBytes) throws SignatureGenerationException {
         try {
-            return crypto.createSignatureFor(getDescription(), secret.getBytes(), contentBytes);
+            return crypto.createSignatureFor(getDescription(), secret, contentBytes);
         } catch (NoSuchAlgorithmException | InvalidKeyException e) {
             throw new SignatureGenerationException(this, e);
         }

diff --git a/lib/src/test/java/com/auth0/jwt/algorithms/AlgorithmTest.java b/lib/src/test/java/com/auth0/jwt/algorithms/AlgorithmTest.java
@@ -17,25 +17,52 @@ public class AlgorithmTest {
     public ExpectedException exception = ExpectedException.none();
 
 
+    @Test
+    public void shouldThrowHMAC256VerificationWithNullSecretBytes() throws Exception {
+        exception.expect(IllegalArgumentException.class);
+        exception.expectMessage("The Secret cannot be null");
+        byte[] secret = null;
+        Algorithm.HMAC256(secret);
+    }
+
+    @Test
+    public void shouldThrowHMAC384VerificationWithNullSecretBytes() throws Exception {
+        exception.expect(IllegalArgumentException.class);
+        exception.expectMessage("The Secret cannot be null");
+        byte[] secret = null;
+        Algorithm.HMAC384(secret);
+    }
+
+    @Test
+    public void shouldThrowHMAC512VerificationWithNullSecretBytes() throws Exception {
+        exception.expect(IllegalArgumentException.class);
+        exception.expectMessage("The Secret cannot be null");
+        byte[] secret = null;
+        Algorithm.HMAC512(secret);
+    }
+
     @Test
     public void shouldThrowHMAC256VerificationWithNullSecret() throws Exception {
         exception.expect(IllegalArgumentException.class);
         exception.expectMessage("The Secret cannot be null");
-        Algorithm.HMAC256(null);
+        String secret = null;
+        Algorithm.HMAC256(secret);
     }
 
     @Test
     public void shouldThrowHMAC384VerificationWithNullSecret() throws Exception {
         exception.expect(IllegalArgumentException.class);
         exception.expectMessage("The Secret cannot be null");
-        Algorithm.HMAC384(null);
+        String secret = null;
+        Algorithm.HMAC384(secret);
     }
 
     @Test
     public void shouldThrowHMAC512VerificationWithNullSecret() throws Exception {
         exception.expect(IllegalArgumentException.class);
         exception.expectMessage("The Secret cannot be null");
-        Algorithm.HMAC512(null);
+        String secret = null;
+        Algorithm.HMAC512(secret);
     }
 
     @Test
@@ -81,36 +108,69 @@ public void shouldThrowECDSA512VerificationWithNullPublicKey() throws Exception
     }
 
     @Test
-    public void shouldCreateHMAC256Algorithm() throws Exception {
+    public void shouldCreateHMAC256AlgorithmWithBytes() throws Exception {
+        Algorithm algorithm = Algorithm.HMAC256("secret".getBytes());
+
+        assertThat(algorithm, is(notNullValue()));
+        assertThat(algorithm, is(instanceOf(HMACAlgorithm.class)));
+        assertThat(algorithm.getDescription(), is("HmacSHA256"));
+        assertThat(algorithm.getName(), is("HS256"));
+        assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret".getBytes()));
+    }
+
+    @Test
+    public void shouldCreateHMAC384AlgorithmWithBytes() throws Exception {
+        Algorithm algorithm = Algorithm.HMAC384("secret".getBytes());
+
+        assertThat(algorithm, is(notNullValue()));
+        assertThat(algorithm, is(instanceOf(HMACAlgorithm.class)));
+        assertThat(algorithm.getDescription(), is("HmacSHA384"));
+        assertThat(algorithm.getName(), is("HS384"));
+        assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret".getBytes()));
+    }
+
+    @Test
+    public void shouldCreateHMAC512AlgorithmWithBytes() throws Exception {
+        Algorithm algorithm = Algorithm.HMAC512("secret".getBytes());
+
+        assertThat(algorithm, is(notNullValue()));
+        assertThat(algorithm, is(instanceOf(HMACAlgorithm.class)));
+        assertThat(algorithm.getDescription(), is("HmacSHA512"));
+        assertThat(algorithm.getName(), is("HS512"));
+        assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret".getBytes()));
+    }
+
+    @Test
+    public void shouldCreateHMAC256AlgorithmWithString() throws Exception {
         Algorithm algorithm = Algorithm.HMAC256("secret");
 
         assertThat(algorithm, is(notNullValue()));
         assertThat(algorithm, is(instanceOf(HMACAlgorithm.class)));
         assertThat(algorithm.getDescription(), is("HmacSHA256"));
         assertThat(algorithm.getName(), is("HS256"));
-        assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret"));
+        assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret".getBytes()));
     }
 
     @Test
-    public void shouldCreateHMAC384Algorithm() throws Exception {
+    public void shouldCreateHMAC384AlgorithmWithString() throws Exception {
         Algorithm algorithm = Algorithm.HMAC384("secret");
 
         assertThat(algorithm, is(notNullValue()));
         assertThat(algorithm, is(instanceOf(HMACAlgorithm.class)));
         assertThat(algorithm.getDescription(), is("HmacSHA384"));
         assertThat(algorithm.getName(), is("HS384"));
-        assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret"));
+        assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret".getBytes()));
     }
 
     @Test
-    public void shouldCreateHMAC512Algorithm() throws Exception {
+    public void shouldCreateHMAC512AlgorithmWithString() throws Exception {
         Algorithm algorithm = Algorithm.HMAC512("secret");
 
         assertThat(algorithm, is(notNullValue()));
         assertThat(algorithm, is(instanceOf(HMACAlgorithm.class)));
         assertThat(algorithm.getDescription(), is("HmacSHA512"));
         assertThat(algorithm.getName(), is("HS512"));
-        assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret"));
+        assertThat(((HMACAlgorithm) algorithm).getSecret(), is("secret".getBytes()));
     }
 
     @Test