If present, this value is the timestamp when the JWT was created.
*
- * @return the JWT {@code nbf} value or {@code null} if not present.
+ * @return the JWT {@code iat} value or {@code null} if not present.
*/
Date getIssuedAt();
@@ -170,5 +170,22 @@
@Override //only for better/targeted JavaDoc
Claims setId(String jti);
+ /**
+ * Returns the JWTs claim ({@code claimName}) value as a type {@code requiredType}, or {@code null} if not present.
+ *
+ *
JJWT only converts simple String, Date, Long, Integer, Short and Byte types automatically. Anything more
+ * complex is expected to be already converted to your desired type by the JSON
+ * {@link io.jsonwebtoken.io.Deserializer Deserializer} implementation. You may specify a custom Deserializer for a
+ * JwtParser with the desired conversion configuration via the {@link JwtParserBuilder#deserializeJsonWith} method.
+ * See custom JSON processor for more
+ * information. If using Jackson, you can specify custom claim POJO types as described in
+ * custom claim types.
+ *
+ * @param claimName name of claim
+ * @param requiredType the type of the value expected to be returned
+ * @param the type of the value expected to be returned
+ * @return the JWT {@code claimName} value or {@code null} if not present.
+ * @throws RequiredTypeException throw if the claim value is not null and not of type {@code requiredType}
+ */
T get(String claimName, Class requiredType);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Clock.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Clock.java (.../Clock.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Clock.java (.../Clock.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
package io.jsonwebtoken;
import java.util.Date;
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodec.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodec.java (.../CompressionCodec.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodec.java (.../CompressionCodec.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -18,16 +18,16 @@
/**
* Compresses and decompresses byte arrays according to a compression algorithm.
*
- * @see io.jsonwebtoken.impl.compression.DeflateCompressionCodec
- * @see io.jsonwebtoken.impl.compression.GzipCompressionCodec
+ * @see CompressionCodecs#DEFLATE
+ * @see CompressionCodecs#GZIP
* @since 0.6.0
*/
public interface CompressionCodec {
/**
- * The algorithm name to use as the JWT's {@code calg} header value.
+ * The compression algorithm name to use as the JWT's {@code zip} header value.
*
- * @return the algorithm name to use as the JWT's {@code calg} header value.
+ * @return the compression algorithm name to use as the JWT's {@code zip} header value.
*/
String getAlgorithmName();
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodecResolver.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodecResolver.java (.../CompressionCodecResolver.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodecResolver.java (.../CompressionCodecResolver.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -16,12 +16,12 @@
package io.jsonwebtoken;
/**
- * Looks for a JWT {@code calg} header, and if found, returns the corresponding {@link CompressionCodec} the parser
+ * Looks for a JWT {@code zip} header, and if found, returns the corresponding {@link CompressionCodec} the parser
* can use to decompress the JWT body.
*
*
JJWT's default {@link JwtParser} implementation supports both the
- * {@link io.jsonwebtoken.impl.compression.DeflateCompressionCodec DEFLATE}
- * and {@link io.jsonwebtoken.impl.compression.GzipCompressionCodec GZIP} algorithms by default - you do not need to
+ * {@link CompressionCodecs#DEFLATE DEFLATE}
+ * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to
* specify a {@code CompressionCodecResolver} in these cases.
*
*
However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement
@@ -34,12 +34,12 @@
public interface CompressionCodecResolver {
/**
- * Looks for a JWT {@code calg} header, and if found, returns the corresponding {@link CompressionCodec} the parser
+ * Looks for a JWT {@code zip} header, and if found, returns the corresponding {@link CompressionCodec} the parser
* can use to decompress the JWT body.
*
* @param header of the JWT
- * @return CompressionCodec matching the {@code calg} header, or null if there is no {@code calg} header.
- * @throws CompressionException if a {@code calg} header value is found and not supported.
+ * @return CompressionCodec matching the {@code zip} header, or null if there is no {@code zip} header.
+ * @throws CompressionException if a {@code zip} header value is found and not supported.
*/
CompressionCodec resolveCompressionCodec(Header header) throws CompressionException;
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodecs.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodecs.java (.../CompressionCodecs.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodecs.java (.../CompressionCodecs.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -1,7 +1,21 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
package io.jsonwebtoken;
-import io.jsonwebtoken.impl.compression.DeflateCompressionCodec;
-import io.jsonwebtoken.impl.compression.GzipCompressionCodec;
+import io.jsonwebtoken.lang.Classes;
/**
* Provides default implementations of the {@link CompressionCodec} interface.
@@ -12,15 +26,15 @@
*/
public final class CompressionCodecs {
- private static final CompressionCodecs INSTANCE = new CompressionCodecs();
+ private CompressionCodecs() {
+ } //prevent external instantiation
- private CompressionCodecs() {} //prevent external instantiation
-
/**
* Codec implementing the JWA standard
* deflate compression algorithm
*/
- public static final CompressionCodec DEFLATE = new DeflateCompressionCodec();
+ public static final CompressionCodec DEFLATE =
+ Classes.newInstance("io.jsonwebtoken.impl.compression.DeflateCompressionCodec");
/**
* Codec implementing the gzip compression algorithm.
@@ -29,6 +43,7 @@
* that all parties accessing the token support the gzip algorithm.
*
If you're concerned about compatibility, the {@link #DEFLATE DEFLATE} code is JWA standards-compliant.
*/
- public static final CompressionCodec GZIP = new GzipCompressionCodec();
+ public static final CompressionCodec GZIP =
+ Classes.newInstance("io.jsonwebtoken.impl.compression.GzipCompressionCodec");
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Header.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Header.java (.../Header.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Header.java (.../Header.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -109,24 +109,24 @@
T setContentType(String cty);
/**
- * Returns the JWT calg (Compression Algorithm) header value or {@code null} if not present.
+ * Returns the JWT zip (Compression Algorithm) header value or {@code null} if not present.
*
- * @return the {@code calg} header parameter value or {@code null} if not present.
+ * @return the {@code zip} header parameter value or {@code null} if not present.
* @since 0.6.0
*/
String getCompressionAlgorithm();
/**
- * Sets the JWT calg (Compression Algorithm) header parameter value. A {@code null} value will remove
+ * Sets the JWT zip (Compression Algorithm) header parameter value. A {@code null} value will remove
* the property from the JSON map.
*
*
The compression algorithm is NOT part of the JWT specification
* and must be used carefully since, is not expected that other libraries (including previous versions of this one)
* be able to deserialize a compressed JTW body correctly.
*
- * @param calg the JWT compression algorithm {@code calg} value or {@code null} to remove the property from the JSON map.
+ * @param zip the JWT compression algorithm {@code zip} value or {@code null} to remove the property from the JSON map.
* @since 0.6.0
*/
- T setCompressionAlgorithm(String calg);
+ T setCompressionAlgorithm(String zip);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/IncorrectClaimException.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/IncorrectClaimException.java (.../IncorrectClaimException.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/IncorrectClaimException.java (.../IncorrectClaimException.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -22,6 +22,7 @@
* @since 0.6
*/
public class IncorrectClaimException extends InvalidClaimException {
+
public IncorrectClaimException(Header header, Claims claims, String message) {
super(header, claims, message);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/InvalidClaimException.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/InvalidClaimException.java (.../InvalidClaimException.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/InvalidClaimException.java (.../InvalidClaimException.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -25,6 +25,7 @@
* @since 0.6
*/
public class InvalidClaimException extends ClaimJwtException {
+
private String claimName;
private Object claimValue;
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtBuilder.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtBuilder.java (.../JwtBuilder.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtBuilder.java (.../JwtBuilder.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -15,6 +15,12 @@
*/
package io.jsonwebtoken;
+import io.jsonwebtoken.io.Decoder;
+import io.jsonwebtoken.io.Decoders;
+import io.jsonwebtoken.io.Encoder;
+import io.jsonwebtoken.io.Serializer;
+import io.jsonwebtoken.security.InvalidKeyException;
+import io.jsonwebtoken.security.Keys;
import java.security.Key;
import java.util.Date;
import java.util.Map;
@@ -99,7 +105,7 @@
* @param claims the JWT claims to be set as the JWT body.
* @return the builder for method chaining.
*/
- JwtBuilder setClaims(Map claims);
+ JwtBuilder setClaims(Map claims);
/**
* Adds all given name/value pairs to the JSON Claims in the payload. If a Claims instance does not yet exist at the
@@ -136,7 +142,8 @@
* @return the builder instance for method chaining.
* @since 0.2
*/
- @Override //only for better/targeted JavaDoc
+ @Override
+ //only for better/targeted JavaDoc
JwtBuilder setIssuer(String iss);
/**
@@ -162,7 +169,8 @@
* @return the builder instance for method chaining.
* @since 0.2
*/
- @Override //only for better/targeted JavaDoc
+ @Override
+ //only for better/targeted JavaDoc
JwtBuilder setSubject(String sub);
/**
@@ -179,7 +187,7 @@
*
*
@@ -302,7 +314,8 @@
* @return the builder instance for method chaining.
* @since 0.2
*/
- @Override //only for better/targeted JavaDoc
+ @Override
+ //only for better/targeted JavaDoc
JwtBuilder setId(String jti);
/**
@@ -323,45 +336,139 @@
*
*
if desired.
*
- * @param name the JWT Claims property name
+ * @param name the JWT Claims property name
* @param value the value to set for the specified Claims property name
* @return the builder instance for method chaining.
* @since 0.2
*/
JwtBuilder claim(String name, Object value);
/**
+ * Signs the constructed JWT with the specified key using the key's
+ * {@link SignatureAlgorithm#forSigningKey(Key) recommended signature algorithm}, producing a JWS. If the
+ * recommended signature algorithm isn't sufficient for your needs, consider using
+ * {@link #signWith(Key, SignatureAlgorithm)} instead.
+ *
+ *
If you are looking to invoke this method with a byte array that you are confident may be used for HMAC-SHA
+ * algorithms, consider using {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
+ * convert the byte array into a valid {@code Key}.
+ *
+ * @param key the key to use for signing
+ * @return the builder instance for method chaining.
+ * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification as
+ * described by {@link SignatureAlgorithm#forSigningKey(Key)}.
+ * @see #signWith(Key, SignatureAlgorithm)
+ * @since 0.10.0
+ */
+ JwtBuilder signWith(Key key) throws InvalidKeyException;
+
+ /**
* Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS.
*
+ *
Deprecation Notice: Deprecated as of 0.10.0
+ *
+ *
Use {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
+ * obtain the {@code Key} and then invoke {@link #signWith(Key)} or {@link #signWith(Key, SignatureAlgorithm)}.
+ *
+ *
This method will be removed in the 1.0 release.
+ *
* @param alg the JWS algorithm to use to digitally sign the JWT, thereby producing a JWS.
* @param secretKey the algorithm-specific signing key to use to digitally sign the JWT.
* @return the builder for method chaining.
+ * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification as
+ * described by {@link SignatureAlgorithm#forSigningKey(Key)}.
+ * @deprecated as of 0.10.0: use {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
+ * obtain the {@code Key} and then invoke {@link #signWith(Key)} or {@link #signWith(Key, SignatureAlgorithm)}.
+ * This method will be removed in the 1.0 release.
*/
- JwtBuilder signWith(SignatureAlgorithm alg, byte[] secretKey);
+ @Deprecated
+ JwtBuilder signWith(SignatureAlgorithm alg, byte[] secretKey) throws InvalidKeyException;
/**
* Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS.
*
*
This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting
* byte array is used to invoke {@link #signWith(SignatureAlgorithm, byte[])}.
*
+ *
Deprecation Notice: Deprecated as of 0.10.0, will be removed in the 1.0 release.
+ *
+ *
This method has been deprecated because the {@code key} argument for this method can be confusing: keys for
+ * cryptographic operations are always binary (byte arrays), and many people were confused as to how bytes were
+ * obtained from the String argument.
+ *
+ *
This method always expected a String argument that was effectively the same as the result of the following
+ * (pseudocode):
However, a non-trivial number of JJWT users were confused by the method signature and attempted to
+ * use raw password strings as the key argument - for example {@code signWith(HS256, myPassword)} - which is
+ * almost always incorrect for cryptographic hashes and can produce erroneous or insecure results.
+ *
+ *
See this
+ *
+ * StackOverflow answer explaining why raw (non-base64-encoded) strings are almost always incorrect for
+ * signature operations.
+ *
+ *
To perform the correct logic with base64EncodedSecretKey strings with JJWT >= 0.10.0, you may do this:
+ *
+ *
* @param alg the JWS algorithm to use to digitally sign the JWT, thereby producing a JWS.
* @param base64EncodedSecretKey the BASE64-encoded algorithm-specific signing key to use to digitally sign the
* JWT.
* @return the builder for method chaining.
+ * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification as
+ * described by {@link SignatureAlgorithm#forSigningKey(Key)}.
+ * @deprecated as of 0.10.0: use {@link #signWith(Key)} or {@link #signWith(Key, SignatureAlgorithm)} instead. This
+ * method will be removed in the 1.0 release.
*/
- JwtBuilder signWith(SignatureAlgorithm alg, String base64EncodedSecretKey);
+ @Deprecated
+ JwtBuilder signWith(SignatureAlgorithm alg, String base64EncodedSecretKey) throws InvalidKeyException;
/**
* Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS.
*
+ *
It is typically recommended to call the {@link #signWith(Key)} instead for simplicity.
+ * However, this method can be useful if the recommended algorithm heuristics do not meet your needs or if
+ * you want explicit control over the signature algorithm used with the specified key.
+ *
* @param alg the JWS algorithm to use to digitally sign the JWT, thereby producing a JWS.
* @param key the algorithm-specific signing key to use to digitally sign the JWT.
* @return the builder for method chaining.
+ * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification for
+ * the specified algorithm.
+ * @see #signWith(Key)
+ * @deprecated since 0.10.0: use {@link #signWith(Key, SignatureAlgorithm)} instead. This method will be removed
+ * in the 1.0 release.
*/
- JwtBuilder signWith(SignatureAlgorithm alg, Key key);
+ @Deprecated
+ JwtBuilder signWith(SignatureAlgorithm alg, Key key) throws InvalidKeyException;
/**
+ * Signs the constructed JWT with the specified key using the specified algorithm, producing a JWS.
+ *
+ *
It is typically recommended to call the {@link #signWith(Key)} instead for simplicity.
+ * However, this method can be useful if the recommended algorithm heuristics do not meet your needs or if
+ * you want explicit control over the signature algorithm used with the specified key.
+ *
+ * @param key the signing key to use to digitally sign the JWT.
+ * @param alg the JWS algorithm to use with the key to digitally sign the JWT, thereby producing a JWS.
+ * @return the builder for method chaining.
+ * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification for
+ * the specified algorithm.
+ * @see #signWith(Key)
+ * @since 0.10.0
+ */
+ JwtBuilder signWith(Key key, SignatureAlgorithm alg) throws InvalidKeyException;
+
+ /**
* Compresses the JWT body using the specified {@link CompressionCodec}.
*
*
If your compact JWTs are large, and you want to reduce their total size during network transmission, this
@@ -379,15 +486,40 @@
*
Compression when creating JWE tokens however should be universally accepted for any
* library that supports JWE.
*
- * @see io.jsonwebtoken.CompressionCodecs
- *
* @param codec implementation of the {@link CompressionCodec} to be used.
* @return the builder for method chaining.
+ * @see io.jsonwebtoken.CompressionCodecs
* @since 0.6.0
*/
JwtBuilder compressWith(CompressionCodec codec);
/**
+ * Perform Base64Url encoding with the specified Encoder.
+ *
+ *
JJWT uses a spec-compliant encoder that works on all supported JDK versions, but you may call this method
+ * to specify a different encoder if you desire.
+ *
+ * @param base64UrlEncoder the encoder to use when Base64Url-encoding
+ * @return the builder for method chaining.
+ * @since 0.10.0
+ */
+ JwtBuilder base64UrlEncodeWith(Encoder base64UrlEncoder);
+
+ /**
+ * Performs object-to-JSON serialization with the specified Serializer. This is used by the builder to convert
+ * JWT/JWS/JWT headers and claims Maps to JSON strings as required by the JWT specification.
+ *
+ *
If this method is not called, JJWT will use whatever serializer it can find at runtime, checking for the
+ * presence of well-known implementations such Jackson, Gson, and org.json. If one of these is not found
+ * in the runtime classpath, an exception will be thrown when the {@link #compact()} method is invoked.
+ *
+ * @param serializer the serializer to use when converting Map objects to JSON strings.
+ * @return the builder for method chaining.
+ * @since 0.10.0
+ */
+ JwtBuilder serializeToJsonWith(Serializer> serializer);
+
+ /**
* Actually builds the JWT and serializes it to a compact, URL-safe string according to the
* JWT Compact Serialization
* rules.
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtParser.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtParser.java (.../JwtParser.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtParser.java (.../JwtParser.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -15,10 +15,13 @@
*/
package io.jsonwebtoken;
-import io.jsonwebtoken.impl.DefaultClock;
+import io.jsonwebtoken.io.Decoder;
+import io.jsonwebtoken.io.Deserializer;
+import io.jsonwebtoken.security.SignatureException;
import java.security.Key;
import java.util.Date;
+import java.util.Map;
/**
* A parser for reading JWT strings, used to convert them into a {@link Jwt} object representing the expanded JWT.
@@ -38,7 +41,12 @@
* @return the parser method for chaining.
* @see MissingClaimException
* @see IncorrectClaimException
+ * @deprecated see {@link JwtParserBuilder#requireId(String)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser requireId(String id);
/**
@@ -50,7 +58,12 @@
* @return the parser for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
+ * @deprecated see {@link JwtParserBuilder#requireSubject(String)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser requireSubject(String subject);
/**
@@ -62,7 +75,12 @@
* @return the parser for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
+ * @deprecated see {@link JwtParserBuilder#requireAudience(String)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser requireAudience(String audience);
/**
@@ -74,7 +92,12 @@
* @return the parser for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
+ * @deprecated see {@link JwtParserBuilder#requireIssuer(String)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser requireIssuer(String issuer);
/**
@@ -86,7 +109,12 @@
* @return the parser for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
+ * @deprecated see {@link JwtParserBuilder#requireIssuedAt(Date)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser requireIssuedAt(Date issuedAt);
/**
@@ -98,7 +126,12 @@
* @return the parser for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
+ * @deprecated see {@link JwtParserBuilder#requireExpiration(Date)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser requireExpiration(Date expiration);
/**
@@ -110,7 +143,12 @@
* @return the parser for method chaining
* @see MissingClaimException
* @see IncorrectClaimException
+ * @deprecated see {@link JwtParserBuilder#requireNotBefore(Date)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser requireNotBefore(Date notBefore);
/**
@@ -123,17 +161,27 @@
* @return the parser for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
+ * @deprecated see {@link JwtParserBuilder#require(String, Object)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser require(String claimName, Object value);
/**
* Sets the {@link Clock} that determines the timestamp to use when validating the parsed JWT.
- * The parser uses a {@link DefaultClock DefaultClock} instance by default.
+ * The parser uses a default Clock implementation that simply returns {@code new Date()} when called.
*
* @param clock a {@code Clock} object to return the timestamp to use when validating the parsed JWT.
* @return the parser for method chaining.
* @since 0.7.0
+ * @deprecated see {@link JwtParserBuilder#setClock(Clock)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser setClock(Clock clock);
/**
@@ -143,8 +191,15 @@
* @param seconds the number of seconds to tolerate for clock skew when verifying {@code exp} or {@code nbf} claims.
* @return the parser for method chaining.
* @since 0.7.0
+ * @throws IllegalArgumentException if {@code seconds} is a value greater than {@code Long.MAX_VALUE / 1000} as
+ * any such value would cause numeric overflow when multiplying by 1000 to obtain a millisecond value.
+ * @deprecated see {@link JwtParserBuilder#setAllowedClockSkewSeconds(long)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
- JwtParser setAllowedClockSkewSeconds(long seconds);
+ @Deprecated
+ JwtParser setAllowedClockSkewSeconds(long seconds) throws IllegalArgumentException;
/**
* Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
@@ -158,26 +213,59 @@
* @param key the algorithm-specific signature verification key used to validate any discovered JWS digital
* signature.
* @return the parser for method chaining.
+ * @deprecated see {@link JwtParserBuilder#setSigningKey(byte[])}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser setSigningKey(byte[] key);
/**
* Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
* a JWS (no signature), this key is not used.
- *
+ *
*
Note that this key MUST be a valid key for the signature algorithm found in the JWT header
* (as the {@code alg} header parameter).
- *
+ *
*
This method overwrites any previously set key.
- *
+ *
*
This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting
* byte array is used to invoke {@link #setSigningKey(byte[])}.
*
- * @param base64EncodedKeyBytes the BASE64-encoded algorithm-specific signature verification key to use to validate
- * any discovered JWS digital signature.
+ *
Deprecation Notice: Deprecated as of 0.10.0, will be removed in 1.0.0
+ *
+ *
This method has been deprecated because the {@code key} argument for this method can be confusing: keys for
+ * cryptographic operations are always binary (byte arrays), and many people were confused as to how bytes were
+ * obtained from the String argument.
+ *
+ *
This method always expected a String argument that was effectively the same as the result of the following
+ * (pseudocode):
However, a non-trivial number of JJWT users were confused by the method signature and attempted to
+ * use raw password strings as the key argument - for example {@code setSigningKey(myPassword)} - which is
+ * almost always incorrect for cryptographic hashes and can produce erroneous or insecure results.
+ *
+ *
See this
+ *
+ * StackOverflow answer explaining why raw (non-base64-encoded) strings are almost always incorrect for
+ * signature operations.
+ *
+ *
Finally, please use the {@link #setSigningKey(Key) setSigningKey(Key)} instead, as this method and the
+ * {@code byte[]} variant will be removed before the 1.0.0 release.
+ *
+ * @param base64EncodedSecretKey the BASE64-encoded algorithm-specific signature verification key to use to validate
+ * any discovered JWS digital signature.
* @return the parser for method chaining.
+ * @deprecated see {@link JwtParserBuilder#setSigningKey(String)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
- JwtParser setSigningKey(String base64EncodedKeyBytes);
+ @Deprecated
+ JwtParser setSigningKey(String base64EncodedSecretKey);
/**
* Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
@@ -191,7 +279,12 @@
* @param key the algorithm-specific signature verification key to use to validate any discovered JWS digital
* signature.
* @return the parser for method chaining.
+ * @deprecated see {@link JwtParserBuilder#setSigningKey(Key)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser setSigningKey(Key key);
/**
@@ -221,7 +314,12 @@
* @param signingKeyResolver the signing key resolver used to retrieve the signing key.
* @return the parser for method chaining.
* @since 0.4
+ * @deprecated see {@link JwtParserBuilder#setSigningKeyResolver(SigningKeyResolver)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser setSigningKeyResolver(SigningKeyResolver signingKeyResolver);
/**
@@ -233,8 +331,8 @@
* the same behavior.
*
Default Support
*
JJWT's default {@link JwtParser} implementation supports both the
- * {@link io.jsonwebtoken.impl.compression.DeflateCompressionCodec DEFLATE}
- * and {@link io.jsonwebtoken.impl.compression.GzipCompressionCodec GZIP} algorithms by default - you do not need to
+ * {@link CompressionCodecs#DEFLATE DEFLATE}
+ * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to
* specify a {@code CompressionCodecResolver} in these cases.
*
However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement
* your own {@link CompressionCodecResolver} and specify that via this method and also when
@@ -243,10 +341,53 @@
* @param compressionCodecResolver the compression codec resolver used to decompress the JWT body.
* @return the parser for method chaining.
* @since 0.6.0
+ * @deprecated see {@link JwtParserBuilder#setCompressionCodecResolver(CompressionCodecResolver)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
JwtParser setCompressionCodecResolver(CompressionCodecResolver compressionCodecResolver);
/**
+ * Perform Base64Url decoding with the specified Decoder
+ *
+ *
JJWT uses a spec-compliant decoder that works on all supported JDK versions, but you may call this method
+ * to specify a different decoder if you desire.
+ *
+ * @param base64UrlDecoder the decoder to use when Base64Url-decoding
+ * @return the parser for method chaining.
+ * @since 0.10.0
+ * @deprecated see {@link JwtParserBuilder#base64UrlDecodeWith(Decoder)}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
+ */
+ @Deprecated
+ JwtParser base64UrlDecodeWith(Decoder base64UrlDecoder);
+
+ /**
+ * Uses the specified deserializer to convert JSON Strings (UTF-8 byte arrays) into Java Map objects. This is
+ * used by the parser after Base64Url-decoding to convert JWT/JWS/JWT JSON headers and claims into Java Map
+ * objects.
+ *
+ *
If this method is not called, JJWT will use whatever deserializer it can find at runtime, checking for the
+ * presence of well-known implementations such Jackson, Gson, and org.json. If one of these is not found
+ * in the runtime classpath, an exception will be thrown when one of the various {@code parse}* methods is
+ * invoked.
+ *
+ * @param deserializer the deserializer to use when converting JSON Strings (UTF-8 byte arrays) into Map objects.
+ * @return the parser for method chaining.
+ * @since 0.10.0
+ * @deprecated see {@link JwtParserBuilder#deserializeJsonWith(Deserializer)} )}.
+ * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
+ * immutable JwtParser.
+ *
NOTE: this method will be removed before version 1.0
+ */
+ @Deprecated
+ JwtParser deserializeJsonWith(Deserializer> deserializer);
+
+ /**
* Returns {@code true} if the specified JWT compact string represents a signed JWT (aka a 'JWS'), {@code false}
* otherwise.
*
@@ -333,7 +474,7 @@
* @since 0.2
*/
T parse(String jwt, JwtHandler handler)
- throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+ throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
/**
* Parses the specified compact serialized JWT string based on the builder's current configuration state and
@@ -363,7 +504,7 @@
* @since 0.2
*/
Jwt parsePlaintextJwt(String plaintextJwt)
- throws UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+ throws UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
/**
* Parses the specified compact serialized JWT string based on the builder's current configuration state and
@@ -394,7 +535,7 @@
* @since 0.2
*/
Jwt parseClaimsJwt(String claimsJwt)
- throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+ throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
/**
* Parses the specified compact serialized JWS string based on the builder's current configuration state and
@@ -422,7 +563,7 @@
* @since 0.2
*/
Jws parsePlaintextJws(String plaintextJws)
- throws UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+ throws UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
/**
* Parses the specified compact serialized JWS string based on the builder's current configuration state and
@@ -451,5 +592,5 @@
* @since 0.2
*/
Jws parseClaimsJws(String claimsJws)
- throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+ throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtParserBuilder.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtParserBuilder.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtParserBuilder.java (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -0,0 +1,307 @@
+/*
+ * Copyright (C) 2019 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.io.Decoder;
+import io.jsonwebtoken.io.Deserializer;
+
+import java.security.Key;
+import java.util.Date;
+import java.util.Map;
+
+/**
+ * A builder to construct a {@link JwtParser}. Example usage:
+ *
+ * @since 0.11.0
+ */
+public interface JwtParserBuilder {
+
+ /**
+ * Ensures that the specified {@code jti} exists in the parsed JWT. If missing or if the parsed
+ * value does not equal the specified value, an exception will be thrown indicating that the
+ * JWT is invalid and may not be used.
+ *
+ * @param id
+ * @return the parser builder for method chaining.
+ * @see MissingClaimException
+ * @see IncorrectClaimException
+ */
+ JwtParserBuilder requireId(String id);
+
+ /**
+ * Ensures that the specified {@code sub} exists in the parsed JWT. If missing or if the parsed
+ * value does not equal the specified value, an exception will be thrown indicating that the
+ * JWT is invalid and may not be used.
+ *
+ * @param subject
+ * @return the parser builder for method chaining.
+ * @see MissingClaimException
+ * @see IncorrectClaimException
+ */
+ JwtParserBuilder requireSubject(String subject);
+
+ /**
+ * Ensures that the specified {@code aud} exists in the parsed JWT. If missing or if the parsed
+ * value does not equal the specified value, an exception will be thrown indicating that the
+ * JWT is invalid and may not be used.
+ *
+ * @param audience
+ * @return the parser builder for method chaining.
+ * @see MissingClaimException
+ * @see IncorrectClaimException
+ */
+ JwtParserBuilder requireAudience(String audience);
+
+ /**
+ * Ensures that the specified {@code iss} exists in the parsed JWT. If missing or if the parsed
+ * value does not equal the specified value, an exception will be thrown indicating that the
+ * JWT is invalid and may not be used.
+ *
+ * @param issuer
+ * @return the parser builder for method chaining.
+ * @see MissingClaimException
+ * @see IncorrectClaimException
+ */
+ JwtParserBuilder requireIssuer(String issuer);
+
+ /**
+ * Ensures that the specified {@code iat} exists in the parsed JWT. If missing or if the parsed
+ * value does not equal the specified value, an exception will be thrown indicating that the
+ * JWT is invalid and may not be used.
+ *
+ * @param issuedAt
+ * @return the parser builder for method chaining.
+ * @see MissingClaimException
+ * @see IncorrectClaimException
+ */
+ JwtParserBuilder requireIssuedAt(Date issuedAt);
+
+ /**
+ * Ensures that the specified {@code exp} exists in the parsed JWT. If missing or if the parsed
+ * value does not equal the specified value, an exception will be thrown indicating that the
+ * JWT is invalid and may not be used.
+ *
+ * @param expiration
+ * @return the parser builder for method chaining.
+ * @see MissingClaimException
+ * @see IncorrectClaimException
+ */
+ JwtParserBuilder requireExpiration(Date expiration);
+
+ /**
+ * Ensures that the specified {@code nbf} exists in the parsed JWT. If missing or if the parsed
+ * value does not equal the specified value, an exception will be thrown indicating that the
+ * JWT is invalid and may not be used.
+ *
+ * @param notBefore
+ * @return the parser builder for method chaining
+ * @see MissingClaimException
+ * @see IncorrectClaimException
+ */
+ JwtParserBuilder requireNotBefore(Date notBefore);
+
+ /**
+ * Ensures that the specified {@code claimName} exists in the parsed JWT. If missing or if the parsed
+ * value does not equal the specified value, an exception will be thrown indicating that the
+ * JWT is invalid and may not be used.
+ *
+ * @param claimName
+ * @param value
+ * @return the parser builder for method chaining.
+ * @see MissingClaimException
+ * @see IncorrectClaimException
+ */
+ JwtParserBuilder require(String claimName, Object value);
+
+ /**
+ * Sets the {@link Clock} that determines the timestamp to use when validating the parsed JWT.
+ * The parser uses a default Clock implementation that simply returns {@code new Date()} when called.
+ *
+ * @param clock a {@code Clock} object to return the timestamp to use when validating the parsed JWT.
+ * @return the parser builder for method chaining.
+ */
+ JwtParserBuilder setClock(Clock clock);
+
+ /**
+ * Sets the amount of clock skew in seconds to tolerate when verifying the local time against the {@code exp}
+ * and {@code nbf} claims.
+ *
+ * @param seconds the number of seconds to tolerate for clock skew when verifying {@code exp} or {@code nbf} claims.
+ * @return the parser builder for method chaining.
+ * @throws IllegalArgumentException if {@code seconds} is a value greater than {@code Long.MAX_VALUE / 1000} as
+ * any such value would cause numeric overflow when multiplying by 1000 to obtain a millisecond value.
+ */
+ JwtParserBuilder setAllowedClockSkewSeconds(long seconds) throws IllegalArgumentException;
+
+ /**
+ * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
+ * a JWS (no signature), this key is not used.
+ *
+ *
Note that this key MUST be a valid key for the signature algorithm found in the JWT header
+ * (as the {@code alg} header parameter).
+ *
+ *
This method overwrites any previously set key.
+ *
+ * @param key the algorithm-specific signature verification key used to validate any discovered JWS digital
+ * signature.
+ * @return the parser builder for method chaining.
+ */
+ JwtParserBuilder setSigningKey(byte[] key);
+
+ /**
+ * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
+ * a JWS (no signature), this key is not used.
+ *
+ *
Note that this key MUST be a valid key for the signature algorithm found in the JWT header
+ * (as the {@code alg} header parameter).
+ *
+ *
This method overwrites any previously set key.
+ *
+ *
This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting
+ * byte array is used to invoke {@link #setSigningKey(byte[])}.
+ *
+ *
Deprecation Notice: Deprecated as of 0.10.0, will be removed in 1.0.0
+ *
+ *
This method has been deprecated because the {@code key} argument for this method can be confusing: keys for
+ * cryptographic operations are always binary (byte arrays), and many people were confused as to how bytes were
+ * obtained from the String argument.
+ *
+ *
This method always expected a String argument that was effectively the same as the result of the following
+ * (pseudocode):
However, a non-trivial number of JJWT users were confused by the method signature and attempted to
+ * use raw password strings as the key argument - for example {@code setSigningKey(myPassword)} - which is
+ * almost always incorrect for cryptographic hashes and can produce erroneous or insecure results.
+ *
+ *
See this
+ *
+ * StackOverflow answer explaining why raw (non-base64-encoded) strings are almost always incorrect for
+ * signature operations.
+ *
+ *
Finally, please use the {@link #setSigningKey(Key) setSigningKey(Key)} instead, as this method and the
+ * {@code byte[]} variant will be removed before the 1.0.0 release.
+ *
+ * @param base64EncodedSecretKey the BASE64-encoded algorithm-specific signature verification key to use to validate
+ * any discovered JWS digital signature.
+ * @return the parser builder for method chaining.
+ */
+ JwtParserBuilder setSigningKey(String base64EncodedSecretKey);
+
+ /**
+ * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
+ * a JWS (no signature), this key is not used.
+ *
+ *
Note that this key MUST be a valid key for the signature algorithm found in the JWT header
+ * (as the {@code alg} header parameter).
+ *
+ *
This method overwrites any previously set key.
+ *
+ * @param key the algorithm-specific signature verification key to use to validate any discovered JWS digital
+ * signature.
+ * @return the parser builder for method chaining.
+ */
+ JwtParserBuilder setSigningKey(Key key);
+
+ /**
+ * Sets the {@link SigningKeyResolver} used to acquire the signing key that should be used to verify
+ * a JWS's signature. If the parsed String is not a JWS (no signature), this resolver is not used.
+ *
+ *
Specifying a {@code SigningKeyResolver} is necessary when the signing key is not already known before parsing
+ * the JWT and the JWT header or payload (plaintext body or Claims) must be inspected first to determine how to
+ * look up the signing key. Once returned by the resolver, the JwtParser will then verify the JWS signature with the
+ * returned key. For example:
+ *
+ *
+ * Jws<Claims> jws = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
+ * @Override
+ * public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
+ * //inspect the header or claims, lookup and return the signing key
+ * return getSigningKey(header, claims); //implement me
+ * }})
+ * .parseClaimsJws(compact);
+ *
+ *
+ *
A {@code SigningKeyResolver} is invoked once during parsing before the signature is verified.
+ *
+ *
This method should only be used if a signing key is not provided by the other {@code setSigningKey*} builder
+ * methods.
+ *
+ * @param signingKeyResolver the signing key resolver used to retrieve the signing key.
+ * @return the parser builder for method chaining.
+ */
+ JwtParserBuilder setSigningKeyResolver(SigningKeyResolver signingKeyResolver);
+
+ /**
+ * Sets the {@link CompressionCodecResolver} used to acquire the {@link CompressionCodec} that should be used to
+ * decompress the JWT body. If the parsed JWT is not compressed, this resolver is not used.
+ *
NOTE: Compression is not defined by the JWT Specification, and it is not expected that other libraries
+ * (including JJWT versions < 0.6.0) are able to consume a compressed JWT body correctly. This method is only
+ * useful if the compact JWT was compressed with JJWT >= 0.6.0 or another library that you know implements
+ * the same behavior.
+ *
Default Support
+ *
JJWT's default {@link JwtParser} implementation supports both the
+ * {@link CompressionCodecs#DEFLATE DEFLATE}
+ * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to
+ * specify a {@code CompressionCodecResolver} in these cases.
+ *
However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement
+ * your own {@link CompressionCodecResolver} and specify that via this method and also when
+ * {@link io.jsonwebtoken.JwtBuilder#compressWith(CompressionCodec) building} JWTs.
+ *
+ * @param compressionCodecResolver the compression codec resolver used to decompress the JWT body.
+ * @return the parser builder for method chaining.
+ */
+ JwtParserBuilder setCompressionCodecResolver(CompressionCodecResolver compressionCodecResolver);
+
+ /**
+ * Perform Base64Url decoding with the specified Decoder
+ *
+ *
JJWT uses a spec-compliant decoder that works on all supported JDK versions, but you may call this method
+ * to specify a different decoder if you desire.
+ *
+ * @param base64UrlDecoder the decoder to use when Base64Url-decoding
+ * @return the parser builder for method chaining.
+ */
+ JwtParserBuilder base64UrlDecodeWith(Decoder base64UrlDecoder);
+
+ /**
+ * Uses the specified deserializer to convert JSON Strings (UTF-8 byte arrays) into Java Map objects. This is
+ * used by the parser after Base64Url-decoding to convert JWT/JWS/JWT JSON headers and claims into Java Map
+ * objects.
+ *
+ *
If this method is not called, JJWT will use whatever deserializer it can find at runtime, checking for the
+ * presence of well-known implementations such Jackson, Gson, and org.json. If one of these is not found
+ * in the runtime classpath, an exception will be thrown when one of the various {@code parse}* methods is
+ * invoked.
+ *
+ * @param deserializer the deserializer to use when converting JSON Strings (UTF-8 byte arrays) into Map objects.
+ * @return the builder for method chaining.
+ */
+ JwtParserBuilder deserializeJsonWith(Deserializer> deserializer);
+
+ /**
+ * Returns an immutable/thread-safe {@link JwtParser} created from the configuration from this JwtParserBuilder.
+ * @return an immutable/thread-safe JwtParser created from the configuration from this JwtParserBuilder.
+ */
+ JwtParser build();
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jwts.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jwts.java (.../Jwts.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jwts.java (.../Jwts.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -15,11 +15,7 @@
*/
package io.jsonwebtoken;
-import io.jsonwebtoken.impl.DefaultClaims;
-import io.jsonwebtoken.impl.DefaultHeader;
-import io.jsonwebtoken.impl.DefaultJwsHeader;
-import io.jsonwebtoken.impl.DefaultJwtBuilder;
-import io.jsonwebtoken.impl.DefaultJwtParser;
+import io.jsonwebtoken.lang.Classes;
import java.util.Map;
@@ -31,8 +27,11 @@
*/
public final class Jwts {
- private Jwts(){}
+ private static final Class[] MAP_ARG = new Class[]{Map.class};
+ private Jwts() {
+ }
+
/**
* Creates a new {@link Header} instance suitable for plaintext (not digitally signed) JWTs. As this
* is a less common use of JWTs, consider using the {@link #jwsHeader()} factory method instead if you will later
@@ -41,7 +40,7 @@
* @return a new {@link Header} instance suitable for plaintext (not digitally signed) JWTs.
*/
public static Header header() {
- return new DefaultHeader();
+ return Classes.newInstance("io.jsonwebtoken.impl.DefaultHeader");
}
/**
@@ -52,7 +51,7 @@
* @return a new {@link Header} instance suitable for plaintext (not digitally signed) JWTs.
*/
public static Header header(Map header) {
- return new DefaultHeader(header);
+ return Classes.newInstance("io.jsonwebtoken.impl.DefaultHeader", MAP_ARG, header);
}
/**
@@ -62,7 +61,7 @@
* @see JwtBuilder#setHeader(Header)
*/
public static JwsHeader jwsHeader() {
- return new DefaultJwsHeader();
+ return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwsHeader");
}
/**
@@ -74,7 +73,7 @@
* @see JwtBuilder#setHeader(Header)
*/
public static JwsHeader jwsHeader(Map header) {
- return new DefaultJwsHeader(header);
+ return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwsHeader", MAP_ARG, header);
}
/**
@@ -83,7 +82,7 @@
* @return a new {@link Claims} instance to be used as a JWT body.
*/
public static Claims claims() {
- return new DefaultClaims();
+ return Classes.newInstance("io.jsonwebtoken.impl.DefaultClaims");
}
/**
@@ -93,26 +92,52 @@
* @return a new {@link Claims} instance populated with the specified name/value pairs.
*/
public static Claims claims(Map claims) {
- return new DefaultClaims(claims);
+ return Classes.newInstance("io.jsonwebtoken.impl.DefaultClaims", MAP_ARG, claims);
}
/**
* Returns a new {@link JwtParser} instance that can be configured and then used to parse JWT strings.
*
* @return a new {@link JwtParser} instance that can be configured and then used to parse JWT strings.
+ * @deprecated use {@link Jwts#parserBuilder()} instead. See {@link JwtParserBuilder} for usage details.
+ *
Migration to new method structure is minimal, for example:
+ *
NOTE: this method will be removed before version 1.0
*/
+ @Deprecated
public static JwtParser parser() {
- return new DefaultJwtParser();
+ return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtParser");
}
/**
+ * Returns a new {@link JwtParserBuilder} instance that can be configured to create an immutable/thread-safe {@link JwtParser).
+ *
+ * @return a new {@link JwtParser} instance that can be configured create an immutable/thread-safe {@link JwtParser).
+ */
+ public static JwtParserBuilder parserBuilder() {
+ return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtParserBuilder");
+ }
+
+ /**
* Returns a new {@link JwtBuilder} instance that can be configured and then used to create JWT compact serialized
* strings.
*
* @return a new {@link JwtBuilder} instance that can be configured and then used to create JWT compact serialized
* strings.
*/
public static JwtBuilder builder() {
- return new DefaultJwtBuilder();
+ return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtBuilder");
}
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SignatureAlgorithm.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SignatureAlgorithm.java (.../SignatureAlgorithm.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SignatureAlgorithm.java (.../SignatureAlgorithm.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -15,8 +15,20 @@
*/
package io.jsonwebtoken;
-import io.jsonwebtoken.lang.RuntimeEnvironment;
+import io.jsonwebtoken.security.InvalidKeyException;
+import io.jsonwebtoken.security.Keys;
+import io.jsonwebtoken.security.SignatureException;
+import io.jsonwebtoken.security.WeakKeyException;
+import javax.crypto.SecretKey;
+import java.security.Key;
+import java.security.PrivateKey;
+import java.security.interfaces.ECKey;
+import java.security.interfaces.RSAKey;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
/**
* Type-safe representation of standard JWT signature algorithm names as defined in the
* JSON Web Algorithms specification.
@@ -25,85 +37,114 @@
*/
public enum SignatureAlgorithm {
- /** JWA name for {@code No digital signature or MAC performed} */
- NONE("none", "No digital signature or MAC performed", "None", null, false),
+ /**
+ * JWA name for {@code No digital signature or MAC performed}
+ */
+ NONE("none", "No digital signature or MAC performed", "None", null, false, 0, 0),
- /** JWA algorithm name for {@code HMAC using SHA-256} */
- HS256("HS256", "HMAC using SHA-256", "HMAC", "HmacSHA256", true),
+ /**
+ * JWA algorithm name for {@code HMAC using SHA-256}
+ */
+ HS256("HS256", "HMAC using SHA-256", "HMAC", "HmacSHA256", true, 256, 256, "1.2.840.113549.2.9"),
- /** JWA algorithm name for {@code HMAC using SHA-384} */
- HS384("HS384", "HMAC using SHA-384", "HMAC", "HmacSHA384", true),
+ /**
+ * JWA algorithm name for {@code HMAC using SHA-384}
+ */
+ HS384("HS384", "HMAC using SHA-384", "HMAC", "HmacSHA384", true, 384, 384, "1.2.840.113549.2.10"),
- /** JWA algorithm name for {@code HMAC using SHA-512} */
- HS512("HS512", "HMAC using SHA-512", "HMAC", "HmacSHA512", true),
+ /**
+ * JWA algorithm name for {@code HMAC using SHA-512}
+ */
+ HS512("HS512", "HMAC using SHA-512", "HMAC", "HmacSHA512", true, 512, 512, "1.2.840.113549.2.11"),
- /** JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-256} */
- RS256("RS256", "RSASSA-PKCS-v1_5 using SHA-256", "RSA", "SHA256withRSA", true),
+ /**
+ * JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-256}
+ */
+ RS256("RS256", "RSASSA-PKCS-v1_5 using SHA-256", "RSA", "SHA256withRSA", true, 256, 2048),
- /** JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-384} */
- RS384("RS384", "RSASSA-PKCS-v1_5 using SHA-384", "RSA", "SHA384withRSA", true),
+ /**
+ * JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-384}
+ */
+ RS384("RS384", "RSASSA-PKCS-v1_5 using SHA-384", "RSA", "SHA384withRSA", true, 384, 2048),
- /** JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-512} */
- RS512("RS512", "RSASSA-PKCS-v1_5 using SHA-512", "RSA", "SHA512withRSA", true),
+ /**
+ * JWA algorithm name for {@code RSASSA-PKCS-v1_5 using SHA-512}
+ */
+ RS512("RS512", "RSASSA-PKCS-v1_5 using SHA-512", "RSA", "SHA512withRSA", true, 512, 2048),
/**
- * JWA algorithm name for {@code ECDSA using P-256 and SHA-256}. This is not a JDK standard algorithm and
- * requires that a JCA provider like BouncyCastle be in the runtime classpath. BouncyCastle will be used
- * automatically if found in the runtime classpath.
+ * JWA algorithm name for {@code ECDSA using P-256 and SHA-256}
*/
- ES256("ES256", "ECDSA using P-256 and SHA-256", "Elliptic Curve", "SHA256withECDSA", false),
+ ES256("ES256", "ECDSA using P-256 and SHA-256", "ECDSA", "SHA256withECDSA", true, 256, 256),
/**
- * JWA algorithm name for {@code ECDSA using P-384 and SHA-384}. This is not a JDK standard algorithm and
- * requires that a JCA provider like BouncyCastle be in the runtime classpath. BouncyCastle will be used
- * automatically if found in the runtime classpath.
+ * JWA algorithm name for {@code ECDSA using P-384 and SHA-384}
*/
- ES384("ES384", "ECDSA using P-384 and SHA-384", "Elliptic Curve", "SHA384withECDSA", false),
+ ES384("ES384", "ECDSA using P-384 and SHA-384", "ECDSA", "SHA384withECDSA", true, 384, 384),
/**
- * JWA algorithm name for {@code ECDSA using P-512 and SHA-512}. This is not a JDK standard algorithm and
- * requires that a JCA provider like BouncyCastle be in the runtime classpath. BouncyCastle will be used
- * automatically if found in the runtime classpath.
+ * JWA algorithm name for {@code ECDSA using P-521 and SHA-512}
*/
- ES512("ES512", "ECDSA using P-512 and SHA-512", "Elliptic Curve", "SHA512withECDSA", false),
+ ES512("ES512", "ECDSA using P-521 and SHA-512", "ECDSA", "SHA512withECDSA", true, 512, 521),
/**
- * JWA algorithm name for {@code RSASSA-PSS using SHA-256 and MGF1 with SHA-256}. This is not a JDK standard
- * algorithm and requires that a JCA provider like BouncyCastle be in the runtime classpath. BouncyCastle
- * will be used automatically if found in the runtime classpath.
+ * JWA algorithm name for {@code RSASSA-PSS using SHA-256 and MGF1 with SHA-256}. This algorithm requires
+ * Java 11 or later or a JCA provider like BouncyCastle to be in the runtime classpath. If on Java 10 or
+ * earlier, BouncyCastle will be used automatically if found in the runtime classpath.
*/
- PS256("PS256", "RSASSA-PSS using SHA-256 and MGF1 with SHA-256", "RSA", "SHA256withRSAandMGF1", false),
+ PS256("PS256", "RSASSA-PSS using SHA-256 and MGF1 with SHA-256", "RSA", "RSASSA-PSS", false, 256, 2048),
/**
- * JWA algorithm name for {@code RSASSA-PSS using SHA-384 and MGF1 with SHA-384}. This is not a JDK standard
- * algorithm and requires that a JCA provider like BouncyCastle be in the runtime classpath. BouncyCastle
- * will be used automatically if found in the runtime classpath.
+ * JWA algorithm name for {@code RSASSA-PSS using SHA-384 and MGF1 with SHA-384}. This algorithm requires
+ * Java 11 or later or a JCA provider like BouncyCastle to be in the runtime classpath. If on Java 10 or
+ * earlier, BouncyCastle will be used automatically if found in the runtime classpath.
*/
- PS384("PS384", "RSASSA-PSS using SHA-384 and MGF1 with SHA-384", "RSA", "SHA384withRSAandMGF1", false),
+ PS384("PS384", "RSASSA-PSS using SHA-384 and MGF1 with SHA-384", "RSA", "RSASSA-PSS", false, 384, 2048),
/**
- * JWA algorithm name for {@code RSASSA-PSS using SHA-512 and MGF1 with SHA-512}. This is not a JDK standard
- * algorithm and requires that a JCA provider like BouncyCastle be in the classpath. BouncyCastle will be used
- * automatically if found in the runtime classpath.
+ * JWA algorithm name for {@code RSASSA-PSS using SHA-512 and MGF1 with SHA-512}. This algorithm requires
+ * Java 11 or later or a JCA provider like BouncyCastle to be in the runtime classpath. If on Java 10 or
+ * earlier, BouncyCastle will be used automatically if found in the runtime classpath.
*/
- PS512("PS512", "RSASSA-PSS using SHA-512 and MGF1 with SHA-512", "RSA", "SHA512withRSAandMGF1", false);
+ PS512("PS512", "RSASSA-PSS using SHA-512 and MGF1 with SHA-512", "RSA", "RSASSA-PSS", false, 512, 2048);
- static {
- RuntimeEnvironment.enableBouncyCastleIfPossible();
- }
+ //purposefully ordered higher to lower:
+ private static final List PREFERRED_HMAC_ALGS = Collections.unmodifiableList(Arrays.asList(
+ SignatureAlgorithm.HS512, SignatureAlgorithm.HS384, SignatureAlgorithm.HS256));
+ //purposefully ordered higher to lower:
+ private static final List PREFERRED_EC_ALGS = Collections.unmodifiableList(Arrays.asList(
+ SignatureAlgorithm.ES512, SignatureAlgorithm.ES384, SignatureAlgorithm.ES256));
- private final String value;
- private final String description;
- private final String familyName;
- private final String jcaName;
+ private final String value;
+ private final String description;
+ private final String familyName;
+ private final String jcaName;
private final boolean jdkStandard;
+ private final int digestLength;
+ private final int minKeyLength;
+ /**
+ * Algorithm name as given by {@link Key#getAlgorithm()} if the key was loaded from a pkcs12 Keystore.
+ *
+ * @deprecated This is just a workaround for https://bugs.openjdk.java.net/browse/JDK-8243551
+ */
+ @Deprecated
+ private final String pkcs12Name;
- SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard) {
+ SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard,
+ int digestLength, int minKeyLength) {
+ this(value, description,familyName, jcaName, jdkStandard, digestLength, minKeyLength, jcaName);
+ }
+
+ SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard,
+ int digestLength, int minKeyLength, String pkcs12Name) {
this.value = value;
this.description = description;
this.familyName = familyName;
this.jcaName = jcaName;
this.jdkStandard = jdkStandard;
+ this.digestLength = digestLength;
+ this.minKeyLength = minKeyLength;
+ this.pkcs12Name = pkcs12Name;
}
/**
@@ -130,67 +171,66 @@
* following table:
*
*
- *
Crypto Family
- *
- *
- *
SignatureAlgorithm
- *
Family Name
- *
- *
- *
- *
- *
HS256
- *
HMAC
- *
- *
- *
HS384
- *
HMAC
- *
- *
- *
HS512
- *
HMAC
- *
- *
- *
RS256
- *
RSA
- *
- *
- *
RS384
- *
RSA
- *
- *
- *
RS512
- *
RSA
- *
- *
- *
PS256
- *
RSA
- *
- *
- *
PS384
- *
RSA
- *
- *
- *
PS512
- *
RSA
- *
- *
- *
ES256
- *
Elliptic Curve
- *
- *
- *
ES384
- *
Elliptic Curve
- *
- *
- *
ES512
- *
Elliptic Curve
- *
- *
+ *
Crypto Family
+ *
+ *
+ *
SignatureAlgorithm
+ *
Family Name
+ *
+ *
+ *
+ *
+ *
HS256
+ *
HMAC
+ *
+ *
+ *
HS384
+ *
HMAC
+ *
+ *
+ *
HS512
+ *
HMAC
+ *
+ *
+ *
RS256
+ *
RSA
+ *
+ *
+ *
RS384
+ *
RSA
+ *
+ *
+ *
RS512
+ *
RSA
+ *
+ *
+ *
PS256
+ *
RSA
+ *
+ *
+ *
PS384
+ *
RSA
+ *
+ *
+ *
PS512
+ *
RSA
+ *
+ *
+ *
ES256
+ *
ECDSA
+ *
+ *
+ *
ES384
+ *
ECDSA
+ *
+ *
+ *
ES512
+ *
ECDSA
+ *
+ *
*
*
* @return Returns the cryptographic family name of the signature algorithm.
- *
* @since 0.5
*/
public String getFamilyName() {
@@ -225,7 +265,7 @@
* @return {@code true} if the enum instance represents an HMAC signature algorithm, {@code false} otherwise.
*/
public boolean isHmac() {
- return name().startsWith("HS");
+ return familyName.equals("HMAC");
}
/**
@@ -236,21 +276,364 @@
* {@code false} otherwise.
*/
public boolean isRsa() {
- return getDescription().startsWith("RSASSA");
+ return familyName.equals("RSA");
}
/**
- * Returns {@code true} if the enum instance represents an Elliptic Curve signature algorithm, {@code false}
+ * Returns {@code true} if the enum instance represents an Elliptic Curve ECDSA signature algorithm, {@code false}
* otherwise.
*
- * @return {@code true} if the enum instance represents an Elliptic Curve signature algorithm, {@code false}
+ * @return {@code true} if the enum instance represents an Elliptic Curve ECDSA signature algorithm, {@code false}
* otherwise.
*/
public boolean isEllipticCurve() {
- return name().startsWith("ES");
+ return familyName.equals("ECDSA");
}
/**
+ * Returns the minimum key length in bits (not bytes) that may be used with this algorithm according to the
+ * JWT JWA Specification (RFC 7518).
+ *
+ * @return the minimum key length in bits (not bytes) that may be used with this algorithm according to the
+ * JWT JWA Specification (RFC 7518).
+ * @since 0.10.0
+ */
+ public int getMinKeyLength() {
+ return this.minKeyLength;
+ }
+
+ /**
+ * Returns quietly if the specified key is allowed to create signatures using this algorithm
+ * according to the JWT JWA Specification (RFC 7518) or throws an
+ * {@link InvalidKeyException} if the key is not allowed or not secure enough for this algorithm.
+ *
+ * @param key the key to check for validity.
+ * @throws InvalidKeyException if the key is not allowed or not secure enough for this algorithm.
+ * @since 0.10.0
+ */
+ public void assertValidSigningKey(Key key) throws InvalidKeyException {
+ assertValid(key, true);
+ }
+
+ /**
+ * Returns quietly if the specified key is allowed to verify signatures using this algorithm
+ * according to the JWT JWA Specification (RFC 7518) or throws an
+ * {@link InvalidKeyException} if the key is not allowed or not secure enough for this algorithm.
+ *
+ * @param key the key to check for validity.
+ * @throws InvalidKeyException if the key is not allowed or not secure enough for this algorithm.
+ * @since 0.10.0
+ */
+ public void assertValidVerificationKey(Key key) throws InvalidKeyException {
+ assertValid(key, false);
+ }
+
+ /**
+ * @since 0.10.0 to support assertValid(Key, boolean)
+ */
+ private static String keyType(boolean signing) {
+ return signing ? "signing" : "verification";
+ }
+
+ /**
+ * @since 0.10.0
+ */
+ private void assertValid(Key key, boolean signing) throws InvalidKeyException {
+
+ if (this == NONE) {
+
+ String msg = "The 'NONE' signature algorithm does not support cryptographic keys.";
+ throw new InvalidKeyException(msg);
+
+ } else if (isHmac()) {
+
+ if (!(key instanceof SecretKey)) {
+ String msg = this.familyName + " " + keyType(signing) + " keys must be SecretKey instances.";
+ throw new InvalidKeyException(msg);
+ }
+ SecretKey secretKey = (SecretKey) key;
+
+ byte[] encoded = secretKey.getEncoded();
+ if (encoded == null) {
+ throw new InvalidKeyException("The " + keyType(signing) + " key's encoded bytes cannot be null.");
+ }
+
+ String alg = secretKey.getAlgorithm();
+ if (alg == null) {
+ throw new InvalidKeyException("The " + keyType(signing) + " key's algorithm cannot be null.");
+ }
+
+ // These next checks use equalsIgnoreCase per https://github.com/jwtk/jjwt/issues/381#issuecomment-412912272
+ if (!HS256.jcaName.equalsIgnoreCase(alg) &&
+ !HS384.jcaName.equalsIgnoreCase(alg) &&
+ !HS512.jcaName.equalsIgnoreCase(alg) &&
+ !HS256.pkcs12Name.equals(alg) &&
+ !HS384.pkcs12Name.equals(alg) &&
+ !HS512.pkcs12Name.equals(alg)) {
+ throw new InvalidKeyException("The " + keyType(signing) + " key's algorithm '" + alg +
+ "' does not equal a valid HmacSHA* algorithm name and cannot be used with " + name() + ".");
+ }
+
+ int size = encoded.length * 8; //size in bits
+ if (size < this.minKeyLength) {
+ String msg = "The " + keyType(signing) + " key's size is " + size + " bits which " +
+ "is not secure enough for the " + name() + " algorithm. The JWT " +
+ "JWA Specification (RFC 7518, Section 3.2) states that keys used with " + name() + " MUST have a " +
+ "size >= " + minKeyLength + " bits (the key size must be greater than or equal to the hash " +
+ "output size). Consider using the " + Keys.class.getName() + " class's " +
+ "'secretKeyFor(SignatureAlgorithm." + name() + ")' method to create a key guaranteed to be " +
+ "secure enough for " + name() + ". See " +
+ "https://tools.ietf.org/html/rfc7518#section-3.2 for more information.";
+ throw new WeakKeyException(msg);
+ }
+
+ } else { //EC or RSA
+
+ if (signing) {
+ if (!(key instanceof PrivateKey)) {
+ String msg = familyName + " signing keys must be PrivateKey instances.";
+ throw new InvalidKeyException(msg);
+ }
+ }
+
+ if (isEllipticCurve()) {
+
+ if (!(key instanceof ECKey)) {
+ String msg = familyName + " " + keyType(signing) + " keys must be ECKey instances.";
+ throw new InvalidKeyException(msg);
+ }
+
+ ECKey ecKey = (ECKey) key;
+ int size = ecKey.getParams().getOrder().bitLength();
+ if (size < this.minKeyLength) {
+ String msg = "The " + keyType(signing) + " key's size (ECParameterSpec order) is " + size +
+ " bits which is not secure enough for the " + name() + " algorithm. The JWT " +
+ "JWA Specification (RFC 7518, Section 3.4) states that keys used with " +
+ name() + " MUST have a size >= " + this.minKeyLength +
+ " bits. Consider using the " + Keys.class.getName() + " class's " +
+ "'keyPairFor(SignatureAlgorithm." + name() + ")' method to create a key pair guaranteed " +
+ "to be secure enough for " + name() + ". See " +
+ "https://tools.ietf.org/html/rfc7518#section-3.4 for more information.";
+ throw new WeakKeyException(msg);
+ }
+
+ } else { //RSA
+
+ if (!(key instanceof RSAKey)) {
+ String msg = familyName + " " + keyType(signing) + " keys must be RSAKey instances.";
+ throw new InvalidKeyException(msg);
+ }
+
+ RSAKey rsaKey = (RSAKey) key;
+ int size = rsaKey.getModulus().bitLength();
+ if (size < this.minKeyLength) {
+
+ String section = name().startsWith("P") ? "3.5" : "3.3";
+
+ String msg = "The " + keyType(signing) + " key's size is " + size + " bits which is not secure " +
+ "enough for the " + name() + " algorithm. The JWT JWA Specification (RFC 7518, Section " +
+ section + ") states that keys used with " + name() + " MUST have a size >= " +
+ this.minKeyLength + " bits. Consider using the " + Keys.class.getName() + " class's " +
+ "'keyPairFor(SignatureAlgorithm." + name() + ")' method to create a key pair guaranteed " +
+ "to be secure enough for " + name() + ". See " +
+ "https://tools.ietf.org/html/rfc7518#section-" + section + " for more information.";
+ throw new WeakKeyException(msg);
+ }
+ }
+ }
+ }
+
+ /**
+ * Returns the recommended signature algorithm to be used with the specified key according to the following
+ * heuristics:
+ *
+ *
{@code SecretKey} instances must have an {@link Key#getAlgorithm() algorithm} name equal
+ * to {@code HmacSHA256}, {@code HmacSHA384} or {@code HmacSHA512}. If not, the key bytes might not be
+ * suitable for HMAC signatures will be rejected with a {@link InvalidKeyException}.
+ *
The JWT JWA Specification (RFC 7518,
+ * Section 3.2) mandates that HMAC-SHA-* signing keys MUST be 256 bits or greater.
+ * {@code SecretKey}s with key lengths less than 256 bits will be rejected with an
+ * {@link WeakKeyException}.
+ *
The JWT JWA Specification (RFC 7518,
+ * Section 3.4) mandates that ECDSA signing key lengths MUST be 256 bits or greater.
+ * {@code ECKey}s with key lengths less than 256 bits will be rejected with a
+ * {@link WeakKeyException}.
+ *
The JWT JWA Specification (RFC 7518,
+ * Section 3.3) mandates that RSA signing key lengths MUST be 2048 bits or greater.
+ * {@code RSAKey}s with key lengths less than 2048 bits will be rejected with a
+ * {@link WeakKeyException}.
+ *
Technically any RSA key of length >= 2048 bits may be used with the {@link #RS256}, {@link #RS384}, and
+ * {@link #RS512} algorithms, so we assume an RSA signature algorithm based on the key length to
+ * parallel similar decisions in the JWT specification for HMAC and ECDSA signature algorithms.
+ * This is not required - just a convenience.
+ *
+ *
This implementation does not return the {@link #PS256}, {@link #PS256}, {@link #PS256} RSA variant for any
+ * specified {@link RSAKey} because:
+ *
+ *
The JWT JWA Specification (RFC 7518,
+ * Section 3.1) indicates that {@link #RS256}, {@link #RS384}, and {@link #RS512} are
+ * recommended algorithms while the {@code PS}* variants are simply marked as optional.
+ *
The {@link #RS256}, {@link #RS384}, and {@link #RS512} algorithms are available in the JDK by default
+ * while the {@code PS}* variants require an additional JCA Provider (like BouncyCastle).
+ *
+ *
+ *
+ *
Finally, this method will throw an {@link InvalidKeyException} for any key that does not match the
+ * heuristics and requirements documented above, since that inevitably means the Key is either insufficient or
+ * explicitly disallowed by the JWT specification.
+ *
+ * @param key the key to inspect
+ * @return the recommended signature algorithm to be used with the specified key
+ * @throws InvalidKeyException for any key that does not match the heuristics and requirements documented above,
+ * since that inevitably means the Key is either insufficient or explicitly disallowed by the JWT specification.
+ * @since 0.10.0
+ */
+ public static SignatureAlgorithm forSigningKey(Key key) throws InvalidKeyException {
+
+ if (key == null) {
+ throw new InvalidKeyException("Key argument cannot be null.");
+ }
+
+ if (!(key instanceof SecretKey ||
+ (key instanceof PrivateKey && (key instanceof ECKey || key instanceof RSAKey)))) {
+ String msg = "JWT standard signing algorithms require either 1) a SecretKey for HMAC-SHA algorithms or " +
+ "2) a private RSAKey for RSA algorithms or 3) a private ECKey for Elliptic Curve algorithms. " +
+ "The specified key is of type " + key.getClass().getName();
+ throw new InvalidKeyException(msg);
+ }
+
+ if (key instanceof SecretKey) {
+
+ SecretKey secretKey = (SecretKey)key;
+ int bitLength = io.jsonwebtoken.lang.Arrays.length(secretKey.getEncoded()) * Byte.SIZE;
+
+ for(SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
+ // ensure compatibility check is based on key length. See https://github.com/jwtk/jjwt/issues/381
+ if (bitLength >= alg.minKeyLength) {
+ return alg;
+ }
+ }
+
+ String msg = "The specified SecretKey is not strong enough to be used with JWT HMAC signature " +
+ "algorithms. The JWT specification requires HMAC keys to be >= 256 bits long. The specified " +
+ "key is " + bitLength + " bits. See https://tools.ietf.org/html/rfc7518#section-3.2 for more " +
+ "information.";
+ throw new WeakKeyException(msg);
+ }
+
+ if (key instanceof RSAKey) {
+
+ RSAKey rsaKey = (RSAKey) key;
+ int bitLength = rsaKey.getModulus().bitLength();
+
+ if (bitLength >= 4096) {
+ RS512.assertValidSigningKey(key);
+ return RS512;
+ } else if (bitLength >= 3072) {
+ RS384.assertValidSigningKey(key);
+ return RS384;
+ } else if (bitLength >= RS256.minKeyLength) {
+ RS256.assertValidSigningKey(key);
+ return RS256;
+ }
+
+ String msg = "The specified RSA signing key is not strong enough to be used with JWT RSA signature " +
+ "algorithms. The JWT specification requires RSA keys to be >= 2048 bits long. The specified RSA " +
+ "key is " + bitLength + " bits. See https://tools.ietf.org/html/rfc7518#section-3.3 for more " +
+ "information.";
+ throw new WeakKeyException(msg);
+ }
+
+ // if we've made it this far in the method, the key is an ECKey due to the instanceof assertions at the
+ // top of the method
+
+ ECKey ecKey = (ECKey) key;
+ int bitLength = ecKey.getParams().getOrder().bitLength();
+
+ for (SignatureAlgorithm alg : PREFERRED_EC_ALGS) {
+ if (bitLength >= alg.minKeyLength) {
+ alg.assertValidSigningKey(key);
+ return alg;
+ }
+ }
+
+ String msg = "The specified Elliptic Curve signing key is not strong enough to be used with JWT ECDSA " +
+ "signature algorithms. The JWT specification requires ECDSA keys to be >= 256 bits long. " +
+ "The specified ECDSA key is " + bitLength + " bits. See " +
+ "https://tools.ietf.org/html/rfc7518#section-3.4 for more information.";
+ throw new WeakKeyException(msg);
+ }
+
+ /**
* Looks up and returns the corresponding {@code SignatureAlgorithm} enum instance based on a
* case-insensitive name comparison.
*
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SignatureException.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SignatureException.java (.../SignatureException.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SignatureException.java (.../SignatureException.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -15,12 +15,16 @@
*/
package io.jsonwebtoken;
+import io.jsonwebtoken.security.SecurityException;
+
/**
* Exception indicating that either calculating a signature or verifying an existing signature of a JWT failed.
*
* @since 0.1
+ * @deprecated in favor of {@link io.jsonwebtoken.security.SecurityException}; this class will be removed before 1.0
*/
-public class SignatureException extends JwtException {
+@Deprecated
+public class SignatureException extends SecurityException {
public SignatureException(String message) {
super(message);
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/AbstractTextCodec.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/AbstractTextCodec.java (.../AbstractTextCodec.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/AbstractTextCodec.java (.../AbstractTextCodec.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -15,13 +15,19 @@
*/
package io.jsonwebtoken.impl;
+import io.jsonwebtoken.io.Decoder;
+import io.jsonwebtoken.io.Encoder;
import io.jsonwebtoken.lang.Assert;
import java.nio.charset.Charset;
+/**
+ * @deprecated since 0.10.0 - will be removed before 1.0.0. Use {@link Encoder} orr {@link Decoder} instead.
+ */
+@Deprecated
public abstract class AbstractTextCodec implements TextCodec {
- protected static final Charset UTF8 = Charset.forName("UTF-8");
+ protected static final Charset UTF8 = Charset.forName("UTF-8");
protected static final Charset US_ASCII = Charset.forName("US-ASCII");
@Override
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/AndroidBase64Codec.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/AndroidBase64Codec.java (.../AndroidBase64Codec.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/AndroidBase64Codec.java (.../AndroidBase64Codec.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -15,16 +15,23 @@
*/
package io.jsonwebtoken.impl;
+import io.jsonwebtoken.io.Decoders;
+import io.jsonwebtoken.io.Encoders;
+
+/**
+ * @deprecated since 0.10.0 - will be removed before 1.0.0. Use {@code io.jsonwebtoken.io.Encoders#BASE64}
+ * or {@code io.jsonwebtoken.io.Decoders#BASE64} instead.
+ */
+@Deprecated
public class AndroidBase64Codec extends AbstractTextCodec {
@Override
public String encode(byte[] data) {
- int flags = android.util.Base64.NO_PADDING | android.util.Base64.NO_WRAP;
- return android.util.Base64.encodeToString(data, flags);
+ return Encoders.BASE64.encode(data);
}
@Override
public byte[] decode(String encoded) {
- return android.util.Base64.decode(encoded, android.util.Base64.DEFAULT);
+ return Decoders.BASE64.decode(encoded);
}
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/Base64Codec.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/Base64Codec.java (.../Base64Codec.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/Base64Codec.java (.../Base64Codec.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -15,14 +15,22 @@
*/
package io.jsonwebtoken.impl;
+import io.jsonwebtoken.io.Decoders;
+import io.jsonwebtoken.io.Encoders;
+
+/**
+ * @deprecated since 0.10.0 - will be removed before 1.0.0. Use {@code io.jsonwebtoken.io.Encoders#BASE64}
+ * or {@code io.jsonwebtoken.io.Decoders#BASE64}
+ */
+@Deprecated
public class Base64Codec extends AbstractTextCodec {
public String encode(byte[] data) {
- return javax.xml.bind.DatatypeConverter.printBase64Binary(data);
+ return Encoders.BASE64.encode(data);
}
@Override
public byte[] decode(String encoded) {
- return javax.xml.bind.DatatypeConverter.parseBase64Binary(encoded);
+ return Decoders.BASE64.decode(encoded);
}
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/Base64UrlCodec.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/Base64UrlCodec.java (.../Base64UrlCodec.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/Base64UrlCodec.java (.../Base64UrlCodec.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -15,90 +15,23 @@
*/
package io.jsonwebtoken.impl;
+import io.jsonwebtoken.io.Decoders;
+import io.jsonwebtoken.io.Encoders;
+
+/**
+ * @deprecated since 0.10.0 - will be removed before 1.0.0. Use {@link Encoders#BASE64URL Encoder.BASE64URL}
+ * or {@link Decoders#BASE64URL Decoder.BASE64URL} instead.
+ */
+@Deprecated
public class Base64UrlCodec extends AbstractTextCodec {
@Override
public String encode(byte[] data) {
- String base64Text = TextCodec.BASE64.encode(data);
- byte[] bytes = base64Text.getBytes(US_ASCII);
-
- //base64url encoding doesn't use padding chars:
- bytes = removePadding(bytes);
-
- //replace URL-unfriendly Base64 chars to url-friendly ones:
- for (int i = 0; i < bytes.length; i++) {
- if (bytes[i] == '+') {
- bytes[i] = '-';
- } else if (bytes[i] == '/') {
- bytes[i] = '_';
- }
- }
-
- return new String(bytes, US_ASCII);
+ return Encoders.BASE64URL.encode(data);
}
- protected byte[] removePadding(byte[] bytes) {
-
- byte[] result = bytes;
-
- int paddingCount = 0;
- for (int i = bytes.length - 1; i > 0; i--) {
- if (bytes[i] == '=') {
- paddingCount++;
- } else {
- break;
- }
- }
- if (paddingCount > 0) {
- result = new byte[bytes.length - paddingCount];
- System.arraycopy(bytes, 0, result, 0, bytes.length - paddingCount);
- }
-
- return result;
- }
-
@Override
public byte[] decode(String encoded) {
- char[] chars = encoded.toCharArray(); //always ASCII - one char == 1 byte
-
- //Base64 requires padding to be in place before decoding, so add it if necessary:
- chars = ensurePadding(chars);
-
- //Replace url-friendly chars back to normal Base64 chars:
- for (int i = 0; i < chars.length; i++) {
- if (chars[i] == '-') {
- chars[i] = '+';
- } else if (chars[i] == '_') {
- chars[i] = '/';
- }
- }
-
- String base64Text = new String(chars);
-
- return TextCodec.BASE64.decode(base64Text);
+ return Decoders.BASE64URL.decode(encoded);
}
-
- protected char[] ensurePadding(char[] chars) {
-
- char[] result = chars; //assume argument in case no padding is necessary
-
- int paddingCount = 0;
-
- //fix for https://github.com/jwtk/jjwt/issues/31
- int remainder = chars.length % 4;
- if (remainder == 2 || remainder == 3) {
- paddingCount = 4 - remainder;
- }
-
- if (paddingCount > 0) {
- result = new char[chars.length + paddingCount];
- System.arraycopy(chars, 0, result, 0, chars.length);
- for (int i = 0; i < paddingCount; i++) {
- result[chars.length + i] = '=';
- }
- }
-
- return result;
- }
-
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultClaims.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultClaims.java (.../DefaultClaims.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultClaims.java (.../DefaultClaims.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -17,17 +17,24 @@
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.RequiredTypeException;
-
import java.util.Date;
import java.util.Map;
public class DefaultClaims extends JwtMap implements Claims {
+ private static final String CONVERSION_ERROR_MSG = "Cannot convert existing claim value of type '%s' to desired type " +
+ "'%s'. JJWT only converts simple String, Date, Long, Integer, Short and Byte types automatically. " +
+ "Anything more complex is expected to be already converted to your desired type by the JSON Deserializer " +
+ "implementation. You may specify a custom Deserializer for a JwtParser with the desired conversion " +
+ "configuration via the JwtParserBuilder.deserializeJsonWith() method. " +
+ "See https://github.com/jwtk/jjwt#custom-json-processor for more information. If using Jackson, you can " +
+ "specify custom claim POJO types as described in https://github.com/jwtk/jjwt#json-jackson-custom-types";
+
public DefaultClaims() {
super();
}
- public DefaultClaims(Map map) {
+ public DefaultClaims(Map map) {
super(map);
}
@@ -71,7 +78,7 @@
@Override
public Claims setExpiration(Date exp) {
- setDate(Claims.EXPIRATION, exp);
+ setDateAsSeconds(Claims.EXPIRATION, exp);
return this;
}
@@ -82,7 +89,7 @@
@Override
public Claims setNotBefore(Date nbf) {
- setDate(Claims.NOT_BEFORE, nbf);
+ setDateAsSeconds(Claims.NOT_BEFORE, nbf);
return this;
}
@@ -93,7 +100,7 @@
@Override
public Claims setIssuedAt(Date iat) {
- setDate(Claims.ISSUED_AT, iat);
+ setDateAsSeconds(Claims.ISSUED_AT, iat);
return this;
}
@@ -108,25 +115,44 @@
return this;
}
+ /**
+ * @since 0.10.0
+ */
+ private static boolean isSpecDate(String claimName) {
+ return Claims.EXPIRATION.equals(claimName) ||
+ Claims.ISSUED_AT.equals(claimName) ||
+ Claims.NOT_BEFORE.equals(claimName);
+ }
+
@Override
+ public Object put(String s, Object o) {
+ if (o instanceof Date && isSpecDate(s)) { //since 0.10.0
+ Date date = (Date)o;
+ return setDateAsSeconds(s, date);
+ }
+ return super.put(s, o);
+ }
+
+ @Override
public T get(String claimName, Class requiredType) {
+
Object value = get(claimName);
- if (value == null) { return null; }
+ if (value == null) {
+ return null;
+ }
- if (Claims.EXPIRATION.equals(claimName) ||
- Claims.ISSUED_AT.equals(claimName) ||
- Claims.NOT_BEFORE.equals(claimName)
- ) {
- value = getDate(claimName);
+ if (Date.class.equals(requiredType)) {
+ if (isSpecDate(claimName)) {
+ value = toSpecDate(value, claimName);
+ } else {
+ value = toDate(value, claimName);
+ }
}
return castClaimValue(value, requiredType);
}
private T castClaimValue(Object value, Class requiredType) {
- if (requiredType == Date.class && value instanceof Long) {
- value = new Date((Long)value);
- }
if (value instanceof Integer) {
int intValue = (Integer) value;
@@ -140,7 +166,7 @@
}
if (!requiredType.isInstance(value)) {
- throw new RequiredTypeException("Expected value to be of type: " + requiredType + ", but was " + value.getClass());
+ throw new RequiredTypeException(String.format(CONVERSION_ERROR_MSG, value.getClass(), requiredType));
}
return requiredType.cast(value);
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultClock.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultClock.java (.../DefaultClock.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultClock.java (.../DefaultClock.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -1,3 +1,18 @@
+/*
+ * Copyright (C) 2014 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
package io.jsonwebtoken.impl;
import io.jsonwebtoken.Clock;
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwtBuilder.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwtBuilder.java (.../DefaultJwtBuilder.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwtBuilder.java (.../DefaultJwtBuilder.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -15,36 +15,62 @@
*/
package io.jsonwebtoken.impl;
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import io.jsonwebtoken.*;
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.CompressionCodec;
+import io.jsonwebtoken.Header;
+import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.JwtBuilder;
+import io.jsonwebtoken.JwtParser;
+import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.crypto.DefaultJwtSigner;
import io.jsonwebtoken.impl.crypto.JwtSigner;
+import io.jsonwebtoken.impl.lang.LegacyServices;
+import io.jsonwebtoken.io.Decoders;
+import io.jsonwebtoken.io.Encoder;
+import io.jsonwebtoken.io.Encoders;
+import io.jsonwebtoken.io.SerializationException;
+import io.jsonwebtoken.io.Serializer;
import io.jsonwebtoken.lang.Assert;
import io.jsonwebtoken.lang.Collections;
-import io.jsonwebtoken.lang.Objects;
import io.jsonwebtoken.lang.Strings;
+import io.jsonwebtoken.security.InvalidKeyException;
+import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.security.Key;
import java.util.Date;
import java.util.Map;
public class DefaultJwtBuilder implements JwtBuilder {
- private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
-
private Header header;
private Claims claims;
private String payload;
private SignatureAlgorithm algorithm;
- private Key key;
- private byte[] keyBytes;
+ private Key key;
+ private Serializer> serializer;
+
+ private Encoder base64UrlEncoder = Encoders.BASE64URL;
+
private CompressionCodec compressionCodec;
@Override
+ public JwtBuilder serializeToJsonWith(Serializer> serializer) {
+ Assert.notNull(serializer, "Serializer cannot be null.");
+ this.serializer = serializer;
+ return this;
+ }
+
+ @Override
+ public JwtBuilder base64UrlEncodeWith(Encoder base64UrlEncoder) {
+ Assert.notNull(base64UrlEncoder, "base64UrlEncoder cannot be null.");
+ this.base64UrlEncoder = base64UrlEncoder;
+ return this;
+ }
+
+ @Override
public JwtBuilder setHeader(Header header) {
this.header = header;
return this;
@@ -83,30 +109,42 @@
}
@Override
- public JwtBuilder signWith(SignatureAlgorithm alg, byte[] secretKey) {
+ public JwtBuilder signWith(Key key) throws InvalidKeyException {
+ Assert.notNull(key, "Key argument cannot be null.");
+ SignatureAlgorithm alg = SignatureAlgorithm.forSigningKey(key);
+ return signWith(key, alg);
+ }
+
+ @Override
+ public JwtBuilder signWith(Key key, SignatureAlgorithm alg) throws InvalidKeyException {
+ Assert.notNull(key, "Key argument cannot be null.");
Assert.notNull(alg, "SignatureAlgorithm cannot be null.");
- Assert.notEmpty(secretKey, "secret key byte array cannot be null or empty.");
- Assert.isTrue(alg.isHmac(), "Key bytes may only be specified for HMAC signatures. If using RSA or Elliptic Curve, use the signWith(SignatureAlgorithm, Key) method instead.");
+ alg.assertValidSigningKey(key); //since 0.10.0 for https://github.com/jwtk/jjwt/issues/334
this.algorithm = alg;
- this.keyBytes = secretKey;
+ this.key = key;
return this;
}
@Override
- public JwtBuilder signWith(SignatureAlgorithm alg, String base64EncodedSecretKey) {
+ public JwtBuilder signWith(SignatureAlgorithm alg, byte[] secretKeyBytes) throws InvalidKeyException {
+ Assert.notNull(alg, "SignatureAlgorithm cannot be null.");
+ Assert.notEmpty(secretKeyBytes, "secret key byte array cannot be null or empty.");
+ Assert.isTrue(alg.isHmac(), "Key bytes may only be specified for HMAC signatures. If using RSA or Elliptic Curve, use the signWith(SignatureAlgorithm, Key) method instead.");
+ SecretKey key = new SecretKeySpec(secretKeyBytes, alg.getJcaName());
+ return signWith(key, alg);
+ }
+
+ @Override
+ public JwtBuilder signWith(SignatureAlgorithm alg, String base64EncodedSecretKey) throws InvalidKeyException {
Assert.hasText(base64EncodedSecretKey, "base64-encoded secret key cannot be null or empty.");
Assert.isTrue(alg.isHmac(), "Base64-encoded key bytes may only be specified for HMAC signatures. If using RSA or Elliptic Curve, use the signWith(SignatureAlgorithm, Key) method instead.");
- byte[] bytes = TextCodec.BASE64.decode(base64EncodedSecretKey);
+ byte[] bytes = Decoders.BASE64.decode(base64EncodedSecretKey);
return signWith(alg, bytes);
}
@Override
public JwtBuilder signWith(SignatureAlgorithm alg, Key key) {
- Assert.notNull(alg, "SignatureAlgorithm cannot be null.");
- Assert.notNull(key, "Key argument cannot be null.");
- this.algorithm = alg;
- this.key = key;
- return this;
+ return signWith(key, alg);
}
@Override
@@ -136,8 +174,8 @@
}
@Override
- public JwtBuilder setClaims(Map claims) {
- this.claims = Jwts.claims(claims);
+ public JwtBuilder setClaims(Map claims) {
+ this.claims = new DefaultClaims(claims);
return this;
}
@@ -254,30 +292,29 @@
@Override
public String compact() {
+
+ if (this.serializer == null) {
+ // try to find one based on the services available
+ // TODO: This util class will throw a UnavailableImplementationException here to retain behavior of previous version, remove in v1.0
+ // use the previous commented out line instead
+ this.serializer = LegacyServices.loadFirst(Serializer.class);
+ }
+
if (payload == null && Collections.isEmpty(claims)) {
- throw new IllegalStateException("Either 'payload' or 'claims' must be specified.");
+ payload = "";
}
if (payload != null && !Collections.isEmpty(claims)) {
throw new IllegalStateException("Both 'payload' and 'claims' cannot both be specified. Choose either one.");
}
- if (key != null && keyBytes != null) {
- throw new IllegalStateException("A key object and key bytes cannot both be specified. Choose either one.");
- }
-
Header header = ensureHeader();
- Key key = this.key;
- if (key == null && !Objects.isEmpty(keyBytes)) {
- key = new SecretKeySpec(keyBytes, algorithm.getJcaName());
- }
-
JwsHeader jwsHeader;
-
if (header instanceof JwsHeader) {
- jwsHeader = (JwsHeader)header;
+ jwsHeader = (JwsHeader) header;
} else {
+ //noinspection unchecked
jwsHeader = new DefaultJwsHeader(header);
}
@@ -294,25 +331,19 @@
String base64UrlEncodedHeader = base64UrlEncode(jwsHeader, "Unable to serialize header to json.");
- String base64UrlEncodedBody;
+ byte[] bytes;
+ try {
+ bytes = this.payload != null ? payload.getBytes(Strings.UTF_8) : toJson(claims);
+ } catch (SerializationException e) {
+ throw new IllegalArgumentException("Unable to serialize claims object to json: " + e.getMessage(), e);
+ }
if (compressionCodec != null) {
-
- byte[] bytes;
- try {
- bytes = this.payload != null ? payload.getBytes(Strings.UTF_8) : toJson(claims);
- } catch (JsonProcessingException e) {
- throw new IllegalArgumentException("Unable to serialize claims object to json.");
- }
-
- base64UrlEncodedBody = TextCodec.BASE64URL.encode(compressionCodec.compress(bytes));
-
- } else {
- base64UrlEncodedBody = this.payload != null ?
- TextCodec.BASE64URL.encode(this.payload) :
- base64UrlEncode(claims, "Unable to serialize claims object to json.");
+ bytes = compressionCodec.compress(bytes);
}
+ String base64UrlEncodedBody = base64UrlEncoder.encode(bytes);
+
String jwt = base64UrlEncodedHeader + JwtParser.SEPARATOR_CHAR + base64UrlEncodedBody;
if (key != null) { //jwt must be signed:
@@ -335,22 +366,28 @@
* @since 0.5 mostly to allow testing overrides
*/
protected JwtSigner createSigner(SignatureAlgorithm alg, Key key) {
- return new DefaultJwtSigner(alg, key);
+ return new DefaultJwtSigner(alg, key, base64UrlEncoder);
}
+ @Deprecated // remove before 1.0 - call the serializer and base64UrlEncoder directly
protected String base64UrlEncode(Object o, String errMsg) {
+ Assert.isInstanceOf(Map.class, o, "object argument must be a map.");
+ Map m = (Map)o;
byte[] bytes;
try {
- bytes = toJson(o);
- } catch (JsonProcessingException e) {
+ bytes = toJson(m);
+ } catch (SerializationException e) {
throw new IllegalStateException(errMsg, e);
}
- return TextCodec.BASE64URL.encode(bytes);
+ return base64UrlEncoder.encode(bytes);
}
-
- protected byte[] toJson(Object object) throws JsonProcessingException {
- return OBJECT_MAPPER.writeValueAsBytes(object);
+ @SuppressWarnings("unchecked")
+ @Deprecated //remove before 1.0 - call the serializer directly
+ protected byte[] toJson(Object object) throws SerializationException {
+ Assert.isInstanceOf(Map.class, object, "object argument must be a map.");
+ Map m = (Map)object;
+ return serializer.serialize(m);
}
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwtParser.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -r0761df64c22d4bca1649836fda23e4526282498b
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwtParser.java (.../DefaultJwtParser.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwtParser.java (.../DefaultJwtParser.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
@@ -15,7 +15,6 @@
*/
package io.jsonwebtoken.impl;
-import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.ClaimJwtException;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Clock;
@@ -35,32 +34,35 @@
import io.jsonwebtoken.MissingClaimException;
import io.jsonwebtoken.PrematureJwtException;
import io.jsonwebtoken.SignatureAlgorithm;
-import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.SigningKeyResolver;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.impl.compression.DefaultCompressionCodecResolver;
import io.jsonwebtoken.impl.crypto.DefaultJwtSignatureValidator;
import io.jsonwebtoken.impl.crypto.JwtSignatureValidator;
+import io.jsonwebtoken.impl.lang.LegacyServices;
+import io.jsonwebtoken.io.Decoder;
+import io.jsonwebtoken.io.Decoders;
+import io.jsonwebtoken.io.DeserializationException;
+import io.jsonwebtoken.io.Deserializer;
import io.jsonwebtoken.lang.Assert;
+import io.jsonwebtoken.lang.DateFormats;
import io.jsonwebtoken.lang.Objects;
import io.jsonwebtoken.lang.Strings;
+import io.jsonwebtoken.security.InvalidKeyException;
+import io.jsonwebtoken.security.SignatureException;
+import io.jsonwebtoken.security.WeakKeyException;
import javax.crypto.spec.SecretKeySpec;
-import java.io.IOException;
import java.security.Key;
-import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Map;
@SuppressWarnings("unchecked")
public class DefaultJwtParser implements JwtParser {
- //don't need millis since JWT date fields are only second granularity:
- private static final String ISO_8601_FORMAT = "yyyy-MM-dd'T'HH:mm:ss'Z'";
private static final int MILLISECONDS_PER_SECOND = 1000;
- private ObjectMapper objectMapper = new ObjectMapper();
-
+ // TODO: make the folling fields final for v1.0
private byte[] keyBytes;
private Key key;
@@ -69,13 +71,58 @@
private CompressionCodecResolver compressionCodecResolver = new DefaultCompressionCodecResolver();
- Claims expectedClaims = new DefaultClaims();
+ private Decoder base64UrlDecoder = Decoders.BASE64URL;
+ private Deserializer> deserializer;
+
+ private Claims expectedClaims = new DefaultClaims();
+
private Clock clock = DefaultClock.INSTANCE;
private long allowedClockSkewMillis = 0;
+ /**
+ * TODO: remove this constructor before 1.0
+ * @deprecated for backward compatibility only, see other constructors.
+ */
+ @Deprecated
+ public DefaultJwtParser() { }
+
+ DefaultJwtParser(SigningKeyResolver signingKeyResolver,
+ Key key,
+ byte[] keyBytes,
+ Clock clock,
+ long allowedClockSkewMillis,
+ Claims expectedClaims,
+ Decoder base64UrlDecoder,
+ Deserializer> deserializer,
+ CompressionCodecResolver compressionCodecResolver) {
+ this.signingKeyResolver = signingKeyResolver;
+ this.key = key;
+ this.keyBytes = keyBytes;
+ this.clock = clock;
+ this.allowedClockSkewMillis = allowedClockSkewMillis;
+ this.expectedClaims = expectedClaims;
+ this.base64UrlDecoder = base64UrlDecoder;
+ this.deserializer = deserializer;
+ this.compressionCodecResolver = compressionCodecResolver;
+ }
+
@Override
+ public JwtParser deserializeJsonWith(Deserializer> deserializer) {
+ Assert.notNull(deserializer, "deserializer cannot be null.");
+ this.deserializer = deserializer;
+ return this;
+ }
+
+ @Override
+ public JwtParser base64UrlDecodeWith(Decoder base64UrlDecoder) {
+ Assert.notNull(base64UrlDecoder, "base64UrlDecoder cannot be null.");
+ this.base64UrlDecoder = base64UrlDecoder;
+ return this;
+ }
+
+ @Override
public JwtParser requireIssuedAt(Date issuedAt) {
expectedClaims.setIssuedAt(issuedAt);
return this;
@@ -133,7 +180,8 @@
}
@Override
- public JwtParser setAllowedClockSkewSeconds(long seconds) {
+ public JwtParser setAllowedClockSkewSeconds(long seconds) throws IllegalArgumentException {
+ Assert.isTrue(seconds <= DefaultJwtParserBuilder.MAX_CLOCK_SKEW_MILLIS, DefaultJwtParserBuilder.MAX_CLOCK_SKEW_ILLEGAL_MSG);
this.allowedClockSkewMillis = Math.max(0, seconds * MILLISECONDS_PER_SECOND);
return this;
}
@@ -146,9 +194,9 @@
}
@Override
- public JwtParser setSigningKey(String base64EncodedKeyBytes) {
- Assert.hasText(base64EncodedKeyBytes, "signing key cannot be null or empty.");
- this.keyBytes = TextCodec.BASE64.decode(base64EncodedKeyBytes);
+ public JwtParser setSigningKey(String base64EncodedSecretKey) {
+ Assert.hasText(base64EncodedSecretKey, "signing key cannot be null or empty.");
+ this.keyBytes = Decoders.BASE64.decode(base64EncodedSecretKey);
return this;
}
@@ -200,8 +248,21 @@
@Override
public Jwt parse(String jwt) throws ExpiredJwtException, MalformedJwtException, SignatureException {
+ // TODO, this logic is only need for a now deprecated code path
+ // remove this block in v1.0 (the equivalent is already in DefaultJwtParserBuilder)
+ if (this.deserializer == null) {
+ // try to find one based on the services available
+ // TODO: This util class will throw a UnavailableImplementationException here to retain behavior of previous version, remove in v1.0
+ this.deserializer = LegacyServices.loadFirst(Deserializer.class);
+ }
+
Assert.hasText(jwt, "JWT String argument cannot be null or empty.");
+ if ("..".equals(jwt)) {
+ String msg = "JWT string '..' is missing a header.";
+ throw new MalformedJwtException(msg);
+ }
+
String base64UrlEncodedHeader = null;
String base64UrlEncodedPayload = null;
String base64UrlEncodedDigest = null;
@@ -215,7 +276,7 @@
if (c == SEPARATOR_CHAR) {
CharSequence tokenSeq = Strings.clean(sb);
- String token = tokenSeq!=null?tokenSeq.toString():null;
+ String token = tokenSeq != null ? tokenSeq.toString() : null;
if (delimiterCount == 0) {
base64UrlEncodedHeader = token;
@@ -238,18 +299,16 @@
base64UrlEncodedDigest = sb.toString();
}
- if (base64UrlEncodedPayload == null) {
- throw new MalformedJwtException("JWT string '" + jwt + "' is missing a body/payload.");
- }
// =============== Header =================
Header header = null;
CompressionCodec compressionCodec = null;
if (base64UrlEncodedHeader != null) {
- String origValue = TextCodec.BASE64URL.decodeToString(base64UrlEncodedHeader);
- Map m = readValue(origValue);
+ byte[] bytes = base64UrlDecoder.decode(base64UrlEncodedHeader);
+ String origValue = new String(bytes, Strings.UTF_8);
+ Map m = (Map) readValue(origValue);
if (base64UrlEncodedDigest != null) {
header = new DefaultJwsHeader(m);
@@ -261,18 +320,19 @@
}
// =============== Body =================
- String payload;
- if (compressionCodec != null) {
- byte[] decompressed = compressionCodec.decompress(TextCodec.BASE64URL.decode(base64UrlEncodedPayload));
- payload = new String(decompressed, Strings.UTF_8);
- } else {
- payload = TextCodec.BASE64URL.decodeToString(base64UrlEncodedPayload);
+ String payload = ""; // https://github.com/jwtk/jjwt/pull/540
+ if (base64UrlEncodedPayload != null) {
+ byte[] bytes = base64UrlDecoder.decode(base64UrlEncodedPayload);
+ if (compressionCodec != null) {
+ bytes = compressionCodec.decompress(bytes);
+ }
+ payload = new String(bytes, Strings.UTF_8);
}
Claims claims = null;
- if (payload.charAt(0) == '{' && payload.charAt(payload.length() - 1) == '}') { //likely to be json, parse it:
- Map claimsMap = readValue(payload);
+ if (!payload.isEmpty() && payload.charAt(0) == '{' && payload.charAt(payload.length() - 1) == '}') { //likely to be json, parse it:
+ Map claimsMap = (Map) readValue(payload);
claims = new DefaultClaims(claimsMap);
}
@@ -293,7 +353,7 @@
if (algorithm == null || algorithm == SignatureAlgorithm.NONE) {
//it is plaintext, but it has a signature. This is invalid:
String msg = "JWT string has a digest/signature, but the header does not reference a valid signature " +
- "algorithm.";
+ "algorithm.";
throw new MalformedJwtException(msg);
}
@@ -322,7 +382,7 @@
if (!Objects.isEmpty(keyBytes)) {
Assert.isTrue(algorithm.isHmac(),
- "Key bytes can only be specified for HMAC signatures. Please specify a PublicKey or PrivateKey instance.");
+ "Key bytes can only be specified for HMAC signatures. Please specify a PublicKey or PrivateKey instance.");
key = new SecretKeySpec(keyBytes, algorithm.getJcaName());
}
@@ -331,26 +391,32 @@
Assert.notNull(key, "A signing key must be specified if the specified JWT is digitally signed.");
//re-create the jwt part without the signature. This is what needs to be signed for verification:
- String jwtWithoutSignature = base64UrlEncodedHeader + SEPARATOR_CHAR + base64UrlEncodedPayload;
+ String jwtWithoutSignature = base64UrlEncodedHeader + SEPARATOR_CHAR;
+ if (base64UrlEncodedPayload != null) {
+ jwtWithoutSignature += base64UrlEncodedPayload;
+ }
JwtSignatureValidator validator;
try {
+ algorithm.assertValidVerificationKey(key); //since 0.10.0: https://github.com/jwtk/jjwt/issues/334
validator = createSignatureValidator(algorithm, key);
- } catch (IllegalArgumentException e) {
+ } catch (WeakKeyException e) {
+ throw e;
+ } catch (InvalidKeyException | IllegalArgumentException e) {
String algName = algorithm.getValue();
- String msg = "The parsed JWT indicates it was signed with the " + algName + " signature " +
- "algorithm, but the specified signing key of type " + key.getClass().getName() +
- " may not be used to validate " + algName + " signatures. Because the specified " +
- "signing key reflects a specific and expected algorithm, and the JWT does not reflect " +
- "this algorithm, it is likely that the JWT was not expected and therefore should not be " +
- "trusted. Another possibility is that the parser was configured with the incorrect " +
- "signing key, but this cannot be assumed for security reasons.";
+ String msg = "The parsed JWT indicates it was signed with the " + algName + " signature " +
+ "algorithm, but the specified signing key of type " + key.getClass().getName() +
+ " may not be used to validate " + algName + " signatures. Because the specified " +
+ "signing key reflects a specific and expected algorithm, and the JWT does not reflect " +
+ "this algorithm, it is likely that the JWT was not expected and therefore should not be " +
+ "trusted. Another possibility is that the parser was configured with the incorrect " +
+ "signing key, but this cannot be assumed for security reasons.";
throw new UnsupportedJwtException(msg, e);
}
if (!validator.isValid(jwtWithoutSignature, base64UrlEncodedDigest)) {
String msg = "JWT signature does not match locally computed signature. JWT validity cannot be " +
- "asserted and should not be trusted.";
+ "asserted and should not be trusted.";
throw new SignatureException(msg);
}
}
@@ -360,8 +426,6 @@
//since 0.3:
if (claims != null) {
- SimpleDateFormat sdf;
-
final Date now = this.clock.now();
long nowTime = now.getTime();
@@ -373,9 +437,8 @@
long maxTime = nowTime - this.allowedClockSkewMillis;
Date max = allowSkew ? new Date(maxTime) : now;
if (max.after(exp)) {
- sdf = new SimpleDateFormat(ISO_8601_FORMAT);
- String expVal = sdf.format(exp);
- String nowVal = sdf.format(now);
+ String expVal = DateFormats.formatIso8601(exp, false);
+ String nowVal = DateFormats.formatIso8601(now, false);
long differenceMillis = maxTime - exp.getTime();
@@ -394,9 +457,8 @@
long minTime = nowTime + this.allowedClockSkewMillis;
Date min = allowSkew ? new Date(minTime) : now;
if (min.before(nbf)) {
- sdf = new SimpleDateFormat(ISO_8601_FORMAT);
- String nbfVal = sdf.format(nbf);
- String nowVal = sdf.format(now);
+ String nbfVal = DateFormats.formatIso8601(nbf, false);
+ String nowVal = DateFormats.formatIso8601(now, false);
long differenceMillis = nbf.getTime() - minTime;
@@ -414,46 +476,53 @@
Object body = claims != null ? claims : payload;
if (base64UrlEncodedDigest != null) {
- return new DefaultJws