getAudience();
/**
- * {@inheritDoc}
- */
- @Override //only for better/targeted JavaDoc
- Claims setAudience(String aud);
-
- /**
- * Returns the JWT
+ * Returns the JWT
* exp (expiration) timestamp or {@code null} if not present.
*
* A JWT obtained after this timestamp should not be used.
@@ -114,13 +109,7 @@
Date getExpiration();
/**
- * {@inheritDoc}
- */
- @Override //only for better/targeted JavaDoc
- Claims setExpiration(Date exp);
-
- /**
- * Returns the JWT
+ * Returns the JWT
* nbf (not before) timestamp or {@code null} if not present.
*
* A JWT obtained before this timestamp should not be used.
@@ -130,13 +119,7 @@
Date getNotBefore();
/**
- * {@inheritDoc}
- */
- @Override //only for better/targeted JavaDoc
- Claims setNotBefore(Date nbf);
-
- /**
- * Returns the JWT
+ * Returns the JWT
* iat (issued at) timestamp or {@code null} if not present.
*
* If present, this value is the timestamp when the JWT was created.
@@ -146,13 +129,7 @@
Date getIssuedAt();
/**
- * {@inheritDoc}
- */
- @Override //only for better/targeted JavaDoc
- Claims setIssuedAt(Date iat);
-
- /**
- * Returns the JWTs
+ * Returns the JWTs
* jti (JWT ID) value or {@code null} if not present.
*
* This value is a CaSe-SenSiTiVe unique identifier for the JWT. If available, this value is expected to be
@@ -162,30 +139,28 @@
*
* @return the JWT {@code jti} value or {@code null} if not present.
*/
+ @Override
+ // just for JavaDoc specific to the JWT spec
String getId();
/**
- * {@inheritDoc}
- */
- @Override //only for better/targeted JavaDoc
- Claims setId(String jti);
-
- /**
- * Returns the JWTs claim ({@code claimName}) value as a type {@code requiredType}, or {@code null} if not present.
+ * Returns the JWTs claim ({@code claimName}) value as a {@code requiredType} instance, or {@code null} if not
+ * present.
*
*
JJWT only converts simple String, Date, Long, Integer, Short and Byte types automatically. Anything more
- * complex is expected to be already converted to your desired type by the JSON
- * {@link io.jsonwebtoken.io.Deserializer Deserializer} implementation. You may specify a custom Deserializer for a
- * JwtParser with the desired conversion configuration via the {@link JwtParserBuilder#deserializeJsonWith} method.
- * See custom JSON processor for more
+ * complex is expected to be already converted to your desired type by the JSON parser. You may specify a custom
+ * JSON processor using the {@code JwtParserBuilder}'s
+ * {@link JwtParserBuilder#json(io.jsonwebtoken.io.Deserializer) json(Deserializer)} method. See the JJWT
+ * documentation on custom JSON processors for more
* information. If using Jackson, you can specify custom claim POJO types as described in
* custom claim types.
*
- * @param claimName name of claim
+ * @param claimName name of claim
* @param requiredType the type of the value expected to be returned
- * @param the type of the value expected to be returned
+ * @param the type of the value expected to be returned
* @return the JWT {@code claimName} value or {@code null} if not present.
* @throws RequiredTypeException throw if the claim value is not null and not of type {@code requiredType}
+ * @see JJWT JSON Support
*/
T get(String claimName, Class requiredType);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ClaimsBuilder.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ClaimsBuilder.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ClaimsBuilder.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,29 @@
+/*
+ * Copyright © 2023 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.lang.Builder;
+import io.jsonwebtoken.lang.MapMutator;
+
+/**
+ * {@link Builder} used to create an immutable {@link Claims} instance.
+ *
+ * @see JwtBuilder
+ * @see Claims
+ * @since 0.12.0
+ */
+public interface ClaimsBuilder extends MapMutator, ClaimsMutator, Builder {
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ClaimsMutator.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ClaimsMutator.java (.../ClaimsMutator.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ClaimsMutator.java (.../ClaimsMutator.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -15,6 +15,9 @@
*/
package io.jsonwebtoken;
+import io.jsonwebtoken.lang.NestedCollection;
+
+import java.util.Collection;
import java.util.Date;
/**
@@ -25,78 +28,243 @@
* @see io.jsonwebtoken.Claims
* @since 0.2
*/
-public interface ClaimsMutator {
+public interface ClaimsMutator> {
/**
- * Sets the JWT
- * iss (issuer) value. A {@code null} value will remove the property from the JSON map.
+ * Sets the JWT
+ * iss (issuer) claim. A {@code null} value will remove the property from the JSON Claims map.
*
* @param iss the JWT {@code iss} value or {@code null} to remove the property from the JSON map.
* @return the {@code Claims} instance for method chaining.
+ * @deprecated since 0.12.0 in favor of the shorter and more modern builder-style named
+ * {@link #issuer(String)}. This method will be removed before the JJWT 1.0 release.
*/
+ @Deprecated
T setIssuer(String iss);
/**
- * Sets the JWT
- * sub (subject) value. A {@code null} value will remove the property from the JSON map.
+ * Sets the JWT
+ * iss (issuer) claim. A {@code null} value will remove the property from the JSON Claims map.
*
+ * @param iss the JWT {@code iss} value or {@code null} to remove the property from the JSON map.
+ * @return the {@code Claims} instance for method chaining.
+ * @since 0.12.0
+ */
+ T issuer(String iss);
+
+ /**
+ * Sets the JWT
+ * sub (subject) claim. A {@code null} value will remove the property from the JSON Claims map.
+ *
* @param sub the JWT {@code sub} value or {@code null} to remove the property from the JSON map.
* @return the {@code Claims} instance for method chaining.
+ * @deprecated since 0.12.0 in favor of the shorter and more modern builder-style named
+ * {@link #subject(String)}. This method will be removed before the JJWT 1.0 release.
*/
+ @Deprecated
T setSubject(String sub);
/**
- * Sets the JWT
- * aud (audience) value. A {@code null} value will remove the property from the JSON map.
+ * Sets the JWT
+ * sub (subject) claim. A {@code null} value will remove the property from the JSON Claims map.
*
+ * @param sub the JWT {@code sub} value or {@code null} to remove the property from the JSON map.
+ * @return the {@code Claims} instance for method chaining.
+ * @since 0.12.0
+ */
+ T subject(String sub);
+
+ /**
+ * Sets the JWT aud (audience)
+ * claim as a single String, NOT a String array. This method exists only for producing
+ * JWTs sent to legacy recipients that are unable to interpret the {@code aud} value as a JSON String Array; it is
+ * strongly recommended to avoid calling this method whenever possible and favor the
+ * {@link #audience()}.{@link AudienceCollection#add(Object) add(String)} and
+ * {@link AudienceCollection#add(Collection) add(Collection)} methods instead, as they ensure a single
+ * deterministic data type for recipients.
+ *
* @param aud the JWT {@code aud} value or {@code null} to remove the property from the JSON map.
* @return the {@code Claims} instance for method chaining.
+ * @deprecated since 0.12.0 in favor of {@link #audience()}. This method will be removed before
+ * the JJWT 1.0 release.
*/
+ @Deprecated
T setAudience(String aud);
/**
- * Sets the JWT
- * exp (expiration) timestamp. A {@code null} value will remove the property from the JSON map.
+ * Configures the JWT
+ * aud (audience) Claim
+ * set, quietly ignoring any null, empty, whitespace-only, or existing value already in the set.
*
+ * When finished, the {@code audience} collection's {@link AudienceCollection#and() and()} method may be used
+ * to continue configuration. For example:
+ *
+ * Jwts.builder() // or Jwts.claims()
+ *
+ * .audience().add("anAudience").and() // return parent
+ *
+ * .subject("Joe") // resume configuration...
+ * // etc...
+ *
+ *
+ * @return the {@link AudienceCollection AudienceCollection} to use for {@code aud} configuration.
+ * @see AudienceCollection AudienceCollection
+ * @see AudienceCollection#single(String) AudienceCollection.single(String)
+ * @since 0.12.0
+ */
+ AudienceCollection audience();
+
+ /**
+ * Sets the JWT
+ * exp (expiration) timestamp claim. A {@code null} value will remove the property from the
+ * JSON Claims map.
+ *
* A JWT obtained after this timestamp should not be used.
*
* @param exp the JWT {@code exp} value or {@code null} to remove the property from the JSON map.
* @return the {@code Claims} instance for method chaining.
+ * @deprecated since 0.12.0 in favor of the shorter and more modern builder-style named
+ * {@link #expiration(Date)}. This method will be removed before the JJWT 1.0 release.
*/
+ @Deprecated
T setExpiration(Date exp);
/**
- * Sets the JWT
- * nbf (not before) timestamp. A {@code null} value will remove the property from the JSON map.
+ * Sets the JWT
+ * exp (expiration) timestamp claim. A {@code null} value will remove the property from the
+ * JSON Claims map.
*
+ * A JWT obtained after this timestamp should not be used.
+ *
+ * @param exp the JWT {@code exp} value or {@code null} to remove the property from the JSON map.
+ * @return the {@code Claims} instance for method chaining.
+ * @since 0.12.0
+ */
+ T expiration(Date exp);
+
+ /**
+ * Sets the JWT
+ * nbf (not before) timestamp claim. A {@code null} value will remove the property from the
+ * JSON Claims map.
+ *
* A JWT obtained before this timestamp should not be used.
*
* @param nbf the JWT {@code nbf} value or {@code null} to remove the property from the JSON map.
* @return the {@code Claims} instance for method chaining.
+ * @deprecated since 0.12.0 in favor of the shorter and more modern builder-style named
+ * {@link #notBefore(Date)}. This method will be removed before the JJWT 1.0 release.
*/
+ @Deprecated
T setNotBefore(Date nbf);
/**
- * Sets the JWT
- * iat (issued at) timestamp. A {@code null} value will remove the property from the JSON map.
+ * Sets the JWT
+ * nbf (not before) timestamp claim. A {@code null} value will remove the property from the
+ * JSON Claims map.
*
+ * A JWT obtained before this timestamp should not be used.
+ *
+ * @param nbf the JWT {@code nbf} value or {@code null} to remove the property from the JSON map.
+ * @return the {@code Claims} instance for method chaining.
+ * @since 0.12.0
+ */
+ T notBefore(Date nbf);
+
+ /**
+ * Sets the JWT
+ * iat (issued at) timestamp claim. A {@code null} value will remove the property from the
+ * JSON Claims map.
+ *
* The value is the timestamp when the JWT was created.
*
* @param iat the JWT {@code iat} value or {@code null} to remove the property from the JSON map.
* @return the {@code Claims} instance for method chaining.
+ * @deprecated since 0.12.0 in favor of the shorter and more modern builder-style named
+ * {@link #issuedAt(Date)}. This method will be removed before the JJWT 1.0 release.
*/
+ @Deprecated
T setIssuedAt(Date iat);
/**
- * Sets the JWT
- * jti (JWT ID) value. A {@code null} value will remove the property from the JSON map.
+ * Sets the JWT
+ * iat (issued at) timestamp claim. A {@code null} value will remove the property from the
+ * JSON Claims map.
*
+ * The value is the timestamp when the JWT was created.
+ *
+ * @param iat the JWT {@code iat} value or {@code null} to remove the property from the JSON map.
+ * @return the {@code Claims} instance for method chaining.
+ * @since 0.12.0
+ */
+ T issuedAt(Date iat);
+
+ /**
+ * Sets the JWT
+ * jti (JWT ID) claim. A {@code null} value will remove the property from the JSON Claims map.
+ *
* This value is a CaSe-SenSiTiVe unique identifier for the JWT. If specified, this value MUST be assigned in a
* manner that ensures that there is a negligible probability that the same value will be accidentally
* assigned to a different data object. The ID can be used to prevent the JWT from being replayed.
*
* @param jti the JWT {@code jti} value or {@code null} to remove the property from the JSON map.
* @return the {@code Claims} instance for method chaining.
+ * @deprecated since 0.12.0 in favor of the shorter and more modern builder-style named
+ * {@link #id(String)}. This method will be removed before the JJWT 1.0 release.
*/
+ @Deprecated
T setId(String jti);
+
+ /**
+ * Sets the JWT
+ * jti (JWT ID) claim. A {@code null} value will remove the property from the JSON Claims map.
+ *
+ * This value is a CaSe-SenSiTiVe unique identifier for the JWT. If specified, this value MUST be assigned in a
+ * manner that ensures that there is a negligible probability that the same value will be accidentally
+ * assigned to a different data object. The ID can be used to prevent the JWT from being replayed.
+ *
+ * @param jti the JWT {@code jti} value or {@code null} to remove the property from the JSON map.
+ * @return the {@code Claims} instance for method chaining.
+ * @since 0.12.0
+ */
+ T id(String jti);
+
+ /**
+ * A {@code NestedCollection} for setting {@link #audience()} values that also allows overriding the collection
+ * to be a {@link #single(String) single string value} for legacy JWT recipients if necessary.
+ *
+ * Because this interface extends {@link NestedCollection}, the {@link #and()} method may be used to continue
+ * parent configuration. For example:
+ *
+ * Jwts.builder() // or Jwts.claims()
+ *
+ * .audience().add("anAudience").and() // return parent
+ *
+ * .subject("Joe") // resume parent configuration...
+ * // etc...
+ *
+ * @param the type of ClaimsMutator to return for method chaining.
+ * @see #single(String)
+ * @since 0.12.0
+ */
+ interface AudienceCollection
extends NestedCollection {
+
+ /**
+ * Sets the JWT aud (audience)
+ * Claim as a single String, NOT a String array. This method exists only for producing
+ * JWTs sent to legacy recipients that are unable to interpret the {@code aud} value as a JSON String Array;
+ * it is strongly recommended to avoid calling this method whenever possible and favor the
+ * {@link #add(Object) add(String)} or {@link #add(Collection)} methods instead, as they ensure a single
+ * deterministic data type for recipients.
+ *
+ * @param aud the value to use as the {@code aud} Claim single-String value (and not an array of Strings), or
+ * {@code null}, empty or whitespace to remove the property from the JSON map.
+ * @return the instance for method chaining
+ * @since 0.12.0
+ * @deprecated This is technically not deprecated because the JWT RFC mandates support for single string values,
+ * but it is marked as deprecated to discourage its use when possible.
+ */
+ // DO NOT REMOVE EVER. This is a required RFC feature, but marked as deprecated to discourage its use
+ @Deprecated
+ P single(String aud);
+ }
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodec.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodec.java (.../CompressionCodec.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodec.java (.../CompressionCodec.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -15,41 +15,56 @@
*/
package io.jsonwebtoken;
+import io.jsonwebtoken.io.CompressionAlgorithm;
+
/**
* Compresses and decompresses byte arrays according to a compression algorithm.
*
- * @see CompressionCodecs#DEFLATE
- * @see CompressionCodecs#GZIP
+ * "zip" identifier
+ *
+ * {@code CompressionCodec} extends {@code Identifiable}; the value returned from
+ * {@link Identifiable#getId() getId()} will be used as the JWT
+ * zip header value.
+ *
+ * @see Jwts.ZIP#DEF
+ * @see Jwts.ZIP#GZIP
* @since 0.6.0
+ * @deprecated since 0.12.0 in favor of {@link io.jsonwebtoken.io.CompressionAlgorithm} to equal the RFC name for this concept.
*/
-public interface CompressionCodec {
+@Deprecated
+public interface CompressionCodec extends CompressionAlgorithm {
/**
- * The compression algorithm name to use as the JWT's {@code zip} header value.
+ * The algorithm name to use as the JWT
+ * zip header value.
*
- * @return the compression algorithm name to use as the JWT's {@code zip} header value.
+ * @return the algorithm name to use as the JWT
+ * zip header value.
+ * @deprecated since 0.12.0 in favor of {@link #getId()} to ensure congruence with
+ * all other identifiable algorithms.
*/
+ @SuppressWarnings("DeprecatedIsStillUsed")
+ @Deprecated
String getAlgorithmName();
/**
- * Compresses the specified byte array according to the compression {@link #getAlgorithmName() algorithm}.
+ * Compresses the specified byte array, returning the compressed byte array result.
*
- * @param payload bytes to compress
+ * @param content bytes to compress
* @return compressed bytes
- * @throws CompressionException if the specified byte array cannot be compressed according to the compression
- * {@link #getAlgorithmName() algorithm}.
+ * @throws CompressionException if the specified byte array cannot be compressed.
*/
- byte[] compress(byte[] payload) throws CompressionException;
+ @Deprecated
+ byte[] compress(byte[] content) throws CompressionException;
/**
- * Decompresses the specified compressed byte array according to the compression
- * {@link #getAlgorithmName() algorithm}. The specified byte array must already be in compressed form
- * according to the {@link #getAlgorithmName() algorithm}.
+ * Decompresses the specified compressed byte array, returning the decompressed byte array result. The
+ * specified byte array must already be in compressed form.
*
* @param compressed compressed bytes
* @return decompressed bytes
- * @throws CompressionException if the specified byte array cannot be decompressed according to the compression
- * {@link #getAlgorithmName() algorithm}.
+ * @throws CompressionException if the specified byte array cannot be decompressed.
*/
+ @Deprecated
byte[] decompress(byte[] compressed) throws CompressionException;
-}
\ No newline at end of file
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodecResolver.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodecResolver.java (.../CompressionCodecResolver.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodecResolver.java (.../CompressionCodecResolver.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -20,17 +20,21 @@
* can use to decompress the JWT body.
*
* JJWT's default {@link JwtParser} implementation supports both the
- * {@link CompressionCodecs#DEFLATE DEFLATE}
- * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to
+ * {@link Jwts.ZIP#DEF DEFLATE} and {@link Jwts.ZIP#GZIP GZIP} algorithms by default - you do not need to
* specify a {@code CompressionCodecResolver} in these cases.
*
- * However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement
+ *
However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you can implement
* your own {@link CompressionCodecResolver} and specify that when
- * {@link io.jsonwebtoken.JwtBuilder#compressWith(CompressionCodec) building} and
- * {@link io.jsonwebtoken.JwtParser#setCompressionCodecResolver(CompressionCodecResolver) parsing} JWTs.
+ * {@link io.jsonwebtoken.JwtBuilder#compressWith(io.jsonwebtoken.io.CompressionAlgorithm) building} and
+ * {@link io.jsonwebtoken.JwtParserBuilder#setCompressionCodecResolver(CompressionCodecResolver) parsing} JWTs.
*
+ * @see JwtParserBuilder#setCompressionCodecResolver(CompressionCodecResolver)
+ * @see JwtParserBuilder#zip()
* @since 0.6.0
+ * @deprecated in favor of {@link JwtParserBuilder#zip()}
*/
+@SuppressWarnings("DeprecatedIsStillUsed")
+@Deprecated
public interface CompressionCodecResolver {
/**
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodecs.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodecs.java (.../CompressionCodecs.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionCodecs.java (.../CompressionCodecs.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -15,15 +15,15 @@
*/
package io.jsonwebtoken;
-import io.jsonwebtoken.lang.Classes;
-
/**
* Provides default implementations of the {@link CompressionCodec} interface.
*
- * @see #DEFLATE
- * @see #GZIP
+ * @see Jwts.ZIP#DEF
+ * @see Jwts.ZIP#GZIP
* @since 0.7.0
+ * @deprecated in favor of {@link Jwts.ZIP}.
*/
+@Deprecated //TODO: delete for 1.0
public final class CompressionCodecs {
private CompressionCodecs() {
@@ -32,18 +32,25 @@
/**
* Codec implementing the JWA standard
* deflate compression algorithm
+ *
+ * @deprecated in favor of {@link Jwts.ZIP#DEF}.
*/
- public static final CompressionCodec DEFLATE =
- Classes.newInstance("io.jsonwebtoken.impl.compression.DeflateCompressionCodec");
+ @Deprecated
+ public static final CompressionCodec DEFLATE = (CompressionCodec) Jwts.ZIP.DEF;
/**
* Codec implementing the gzip compression algorithm.
- * Compatibility Warning
+ *
+ * Compatibility Warning
+ *
* This is not a standard JWA compression algorithm. Be sure to use this only when you are confident
* that all parties accessing the token support the gzip algorithm.
- * If you're concerned about compatibility, the {@link #DEFLATE DEFLATE} code is JWA standards-compliant.
+ *
+ * If you're concerned about compatibility, the {@link Jwts.ZIP#DEF DEF} code is JWA standards-compliant.
+ *
+ * @deprecated in favor of {@link Jwts.ZIP#GZIP}
*/
- public static final CompressionCodec GZIP =
- Classes.newInstance("io.jsonwebtoken.impl.compression.GzipCompressionCodec");
+ @Deprecated
+ public static final CompressionCodec GZIP = (CompressionCodec) Jwts.ZIP.GZIP;
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionException.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionException.java (.../CompressionException.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/CompressionException.java (.../CompressionException.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -15,17 +15,30 @@
*/
package io.jsonwebtoken;
+import io.jsonwebtoken.io.IOException;
+
/**
- * Exception indicating that either compressing or decompressing an JWT body failed.
+ * Exception indicating that either compressing or decompressing a JWT body failed.
*
* @since 0.6.0
*/
-public class CompressionException extends JwtException {
+public class CompressionException extends IOException {
+ /**
+ * Creates a new instance with the specified explanation message.
+ *
+ * @param message the message explaining why the exception is thrown.
+ */
public CompressionException(String message) {
super(message);
}
+ /**
+ * Creates a new instance with the specified explanation message and underlying cause.
+ *
+ * @param message the message explaining why the exception is thrown.
+ * @param cause the underlying cause that resulted in this exception being thrown.
+ */
public CompressionException(String message, Throwable cause) {
super(message, cause);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ExpiredJwtException.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ExpiredJwtException.java (.../ExpiredJwtException.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ExpiredJwtException.java (.../ExpiredJwtException.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -22,15 +22,24 @@
*/
public class ExpiredJwtException extends ClaimJwtException {
+ /**
+ * Creates a new instance with the specified header, claims, and explanation message.
+ *
+ * @param header jwt header
+ * @param claims jwt claims (body)
+ * @param message the message explaining why the exception is thrown.
+ */
public ExpiredJwtException(Header header, Claims claims, String message) {
super(header, claims, message);
}
/**
- * @param header jwt header
- * @param claims jwt claims (body)
- * @param message exception message
- * @param cause cause
+ * Creates a new instance with the specified header, claims, explanation message and underlying cause.
+ *
+ * @param message the message explaining why the exception is thrown.
+ * @param cause the underlying cause that resulted in this exception being thrown.
+ * @param header jwt header
+ * @param claims jwt claims (body)
* @since 0.5
*/
public ExpiredJwtException(Header header, Claims claims, String message, Throwable cause) {
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Header.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Header.java (.../Header.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Header.java (.../Header.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -18,115 +18,149 @@
import java.util.Map;
/**
- * A JWT JOSE header.
+ * A JWT JOSE header.
*
- * This is ultimately a JSON map and any values can be added to it, but JWT JOSE standard names are provided as
- * type-safe getters and setters for convenience.
+ * This is an immutable JSON map with convenient type-safe getters for JWT standard header parameter names.
*
- * Because this interface extends {@code Map<String, Object>}, if you would like to add your own properties,
- * you simply use map methods, for example:
+ * Because this interface extends Map<String, Object>, you can use standard {@code Map}
+ * accessor/iterator methods as desired, for example:
*
- *
- * header.{@link Map#put(Object, Object) put}("headerParamName", "headerParamValue");
- *
+ *
+ * header.get("someKey");
*
- * Creation
+ * However, because {@code Header} instances are immutable, calling any of the map mutation methods
+ * (such as {@code Map.}{@link Map#put(Object, Object) put}, etc) will result in a runtime exception.
*
- * It is easiest to create a {@code Header} instance by calling one of the
- * {@link Jwts#header() JWTs.header()} factory methods.
+ * Security
*
+ * The {@code Header} interface itself makes no implications of integrity protection via either digital signatures or
+ * encryption. Instead, {@link JwsHeader} and {@link JweHeader} represent this information for respective
+ * {@link Jws} and {@link Jwe} instances.
+ *
+ * @see ProtectedHeader
+ * @see JwsHeader
+ * @see JweHeader
* @since 0.1
*/
-public interface Header> extends Map {
+public interface Header extends Map {
- /** JWT {@code Type} (typ) value: "JWT" */
- public static final String JWT_TYPE = "JWT";
+ /**
+ * JWT {@code Type} (typ) value: "JWT"
+ *
+ * @deprecated since 0.12.0 - this constant is never used within the JJWT codebase.
+ */
+ @Deprecated
+ String JWT_TYPE = "JWT";
- /** JWT {@code Type} header parameter name: "typ" */
- public static final String TYPE = "typ";
+ /**
+ * JWT {@code Type} header parameter name: "typ"
+ * @deprecated since 0.12.0 in favor of {@link #getType()}.
+ */
+ @Deprecated
+ String TYPE = "typ";
- /** JWT {@code Content Type} header parameter name: "cty" */
- public static final String CONTENT_TYPE = "cty";
+ /**
+ * JWT {@code Content Type} header parameter name: "cty"
+ * @deprecated since 0.12.0 in favor of {@link #getContentType()}.
+ */
+ @Deprecated
+ String CONTENT_TYPE = "cty";
- /** JWT {@code Compression Algorithm} header parameter name: "zip" */
- public static final String COMPRESSION_ALGORITHM = "zip";
+ /**
+ * JWT {@code Algorithm} header parameter name: "alg".
+ *
+ * @see JWS Algorithm Header
+ * @see JWE Algorithm Header
+ * @deprecated since 0.12.0 in favor of {@link #getAlgorithm()}.
+ */
+ @Deprecated
+ String ALGORITHM = "alg";
- /** JJWT legacy/deprecated compression algorithm header parameter name: "calg"
- * @deprecated use {@link #COMPRESSION_ALGORITHM} instead. */
+ /**
+ * JWT {@code Compression Algorithm} header parameter name: "zip"
+ * @deprecated since 0.12.0 in favor of {@link #getCompressionAlgorithm()}
+ */
@Deprecated
- public static final String DEPRECATED_COMPRESSION_ALGORITHM = "calg";
+ String COMPRESSION_ALGORITHM = "zip";
/**
- * Returns the
- * typ (type) header value or {@code null} if not present.
+ * JJWT legacy/deprecated compression algorithm header parameter name: "calg"
*
- * @return the {@code typ} header value or {@code null} if not present.
+ * @deprecated use {@link #COMPRESSION_ALGORITHM} instead.
*/
- String getType();
+ @Deprecated
+ String DEPRECATED_COMPRESSION_ALGORITHM = "calg";
/**
- * Sets the JWT
- * typ (Type) header value. A {@code null} value will remove the property from the JSON map.
+ * Returns the
+ * typ (Type) header value or {@code null} if not present.
*
- * @param typ the JWT JOSE {@code typ} header value or {@code null} to remove the property from the JSON map.
- * @return the {@code Header} instance for method chaining.
+ * @return the {@code typ} header value or {@code null} if not present.
*/
- T setType(String typ);
+ String getType();
/**
- * Returns the
- * cty (Content Type) header value or {@code null} if not present.
+ * Returns the
+ * cty (Content Type) header value or {@code null} if not present.
*
- * In the normal case where nested signing or encryption operations are not employed (i.e. a compact
- * serialization JWT), the use of this header parameter is NOT RECOMMENDED. In the case that nested
- * signing or encryption is employed, this Header Parameter MUST be present; in this case, the value MUST be
- * {@code JWT}, to indicate that a Nested JWT is carried in this JWT. While media type names are not
- * case-sensitive, it is RECOMMENDED that {@code JWT} always be spelled using uppercase characters for
- * compatibility with legacy implementations. See
- * JWT Appendix A.2 for
- * an example of a Nested JWT.
+ * The cty (Content Type) Header Parameter is used by applications to declare the
+ * IANA MediaType of the content
+ * (the payload). This is intended for use by the application when more than
+ * one kind of object could be present in the Payload; the application can use this value to disambiguate among
+ * the different kinds of objects that might be present. It will typically not be used by applications when
+ * the kind of object is already known. This parameter is ignored by JWT implementations (like JJWT); any
+ * processing of this parameter is performed by the JWS application. Use of this Header Parameter is OPTIONAL.
*
+ * To keep messages compact in common situations, it is RECOMMENDED that producers omit an
+ * application/ prefix of a media type value in a {@code cty} Header Parameter when
+ * no other '/' appears in the media type value. A recipient using the media type value MUST
+ * treat it as if application/ were prepended to any {@code cty} value not containing a
+ * '/'. For instance, a {@code cty} value of example SHOULD be used to
+ * represent the application/example media type, whereas the media type
+ * application/example;part="1/2" cannot be shortened to
+ * example;part="1/2".
+ *
* @return the {@code typ} header parameter value or {@code null} if not present.
*/
String getContentType();
/**
- * Sets the JWT
- * cty (Content Type) header parameter value. A {@code null} value will remove the property from
- * the JSON map.
+ * Returns the JWT {@code alg} (Algorithm) header value or {@code null} if not present.
*
- * In the normal case where nested signing or encryption operations are not employed (i.e. a compact
- * serialization JWT), the use of this header parameter is NOT RECOMMENDED. In the case that nested
- * signing or encryption is employed, this Header Parameter MUST be present; in this case, the value MUST be
- * {@code JWT}, to indicate that a Nested JWT is carried in this JWT. While media type names are not
- * case-sensitive, it is RECOMMENDED that {@code JWT} always be spelled using uppercase characters for
- * compatibility with legacy implementations. See
- * JWT Appendix A.2 for
- * an example of a Nested JWT.
+ *
+ * - If the JWT is a Signed JWT (a JWS), the
+ *
alg (Algorithm) header parameter identifies the cryptographic algorithm used to secure the
+ * JWS. Consider using {@link Jwts.SIG}.{@link io.jsonwebtoken.lang.Registry#get(Object) get(id)}
+ * to convert this string value to a type-safe {@code SecureDigestAlgorithm} instance.
+ * - If the JWT is an Encrypted JWT (a JWE), the
+ *
alg (Algorithm) header parameter
+ * identifies the cryptographic key management algorithm used to encrypt or determine the value of the Content
+ * Encryption Key (CEK). The encrypted content is not usable if the alg value does not represent a
+ * supported algorithm, or if the recipient does not have a key that can be used with that algorithm. Consider
+ * using {@link Jwts.KEY}.{@link io.jsonwebtoken.lang.Registry#get(Object) get(id)} to convert this string value
+ * to a type-safe {@link io.jsonwebtoken.security.KeyAlgorithm KeyAlgorithm} instance.
+ *
*
- * @param cty the JWT JOSE {@code cty} header value or {@code null} to remove the property from the JSON map.
+ * @return the {@code alg} header value or {@code null} if not present. This will always be
+ * {@code non-null} on validly constructed JWT instances, but could be {@code null} during construction.
+ * @since 0.12.0
*/
- T setContentType(String cty);
+ String getAlgorithm();
/**
- * Returns the JWT zip (Compression Algorithm) header value or {@code null} if not present.
+ * Returns the JWT zip
+ * (Compression Algorithm) header parameter value or {@code null} if not present.
*
+ * Compatibility Note
+ *
+ * While the JWT family of specifications only defines the zip header in the JWE
+ * (JSON Web Encryption) specification, JJWT will also support compression for JWS as well if you choose to use it.
+ * However, be aware that if you use compression when creating a JWS token, other libraries may not be able to
+ * parse the JWS. However, compression when creating JWE tokens should be universally accepted for any library
+ * that supports JWE.
+ *
* @return the {@code zip} header parameter value or {@code null} if not present.
* @since 0.6.0
*/
String getCompressionAlgorithm();
-
- /**
- * Sets the JWT zip (Compression Algorithm) header parameter value. A {@code null} value will remove
- * the property from the JSON map.
- *
- *
The compression algorithm is NOT part of the JWT specification
- * and must be used carefully since, is not expected that other libraries (including previous versions of this one)
- * be able to deserialize a compressed JTW body correctly.
- *
- * @param zip the JWT compression algorithm {@code zip} value or {@code null} to remove the property from the JSON map.
- * @since 0.6.0
- */
- T setCompressionAlgorithm(String zip);
-
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/HeaderMutator.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/HeaderMutator.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/HeaderMutator.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,131 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.lang.MapMutator;
+
+/**
+ * Mutation (modifications) to a {@link Header Header} instance.
+ *
+ * @param the mutator subtype, for method chaining
+ * @since 0.12.0
+ */
+public interface HeaderMutator> extends MapMutator {
+
+ //IMPLEMENTOR NOTE: if this `algorithm` method ever needs to be exposed in the public API, it might be better to
+ // have it in the Jwts.HeaderBuilder interface and NOT this one: in the context of
+ // JwtBuilder.Header, there is never a reason for an application developer to call algorithm(id)
+ // directly because the KeyAlgorithm or SecureDigestAlgorithm instance must always be provided
+ // via the signWith or encryptWith methods. The JwtBuilder will always set the algorithm
+ // header based on these two instances, so there is no need for an app dev to do so.
+ /*
+ * Sets the JWT {@code alg} (Algorithm) header value. A {@code null} value will remove the property
+ * from the JSON map.
+ *
+ * - If the JWT is a Signed JWT (a JWS), the
+ * {@code alg} (Algorithm) header
+ * parameter identifies the cryptographic algorithm used to secure the JWS.
+ * - If the JWT is an Encrypted JWT (a JWE), the
+ *
alg (Algorithm) header parameter
+ * identifies the cryptographic key management algorithm used to encrypt or determine the value of the Content
+ * Encryption Key (CEK). The encrypted content is not usable if the alg value does not represent a
+ * supported algorithm, or if the recipient does not have a key that can be used with that algorithm.
+ *
+ *
+ * @param alg the {@code alg} header value
+ * @return this header for method chaining
+ * @since 0.12.0
+ *
+ T algorithm(String alg);
+ */
+
+ /**
+ * Sets the JWT
+ * typ (Type) header value. A {@code null} value will remove the property from the JSON map.
+ *
+ * @param typ the JWT JOSE {@code typ} header value or {@code null} to remove the property from the JSON map.
+ * @return the instance for method chaining.
+ */
+ T type(String typ);
+
+ /**
+ * Sets the compact
+ * cty (Content Type) header parameter value, used by applications to declare the
+ * IANA MediaType of the JWT
+ * payload. A {@code null} value will remove the property from the JSON map.
+ *
+ * Compact Media Type Identifier
+ *
+ * This method will automatically remove any application/ prefix from the
+ * {@code cty} string if possible according to the rules defined in the last paragraph of
+ * RFC 7517, Section 4.1.10:
+ *
+ * To keep messages compact in common situations, it is RECOMMENDED that
+ * producers omit an "application/" prefix of a media type value in a
+ * "cty" Header Parameter when no other '/' appears in the media type
+ * value. A recipient using the media type value MUST treat it as if
+ * "application/" were prepended to any "cty" value not containing a
+ * '/'. For instance, a "cty" value of "example" SHOULD be used to
+ * represent the "application/example" media type, whereas the media
+ * type "application/example;part="1/2"" cannot be shortened to
+ * "example;part="1/2"".
+ *
+ * JJWT performs the reverse during JWT parsing: {@link Header#getContentType()} will automatically prepend the
+ * {@code application/} prefix if the parsed {@code cty} value does not contain a '/' character (as
+ * mandated by the RFC language above). This ensures application developers can use and read standard IANA Media
+ * Type identifiers without needing JWT-specific prefix conditional logic in application code.
+ *
+ *
+ * @param cty the JWT {@code cty} header value or {@code null} to remove the property from the JSON map.
+ * @return the instance for method chaining.
+ */
+ T contentType(String cty);
+
+ /**
+ * Deprecated since of 0.12.0, delegates to {@link #type(String)}.
+ *
+ * @param typ the JWT JOSE {@code typ} header value or {@code null} to remove the property from the JSON map.
+ * @return the instance for method chaining.
+ * @see #type(String)
+ * @deprecated since 0.12.0 in favor of the more modern builder-style {@link #type(String)} method.
+ * This method will be removed before the 1.0 release.
+ */
+ @Deprecated
+ T setType(String typ);
+
+ /**
+ * Deprecated as of 0.12.0, delegates to {@link #contentType(String)}.
+ *
+ * @param cty the JWT JOSE {@code cty} header value or {@code null} to remove the property from the JSON map.
+ * @return the instance for method chaining.
+ * @see #contentType(String)
+ * @deprecated since 0.12.0 in favor of the more modern builder-style {@link #contentType(String)}.
+ */
+ @Deprecated
+ T setContentType(String cty);
+
+ /**
+ * Deprecated as of 0.12.0, there is no need to set this any longer as the {@code JwtBuilder} will
+ * always set the {@code zip} header as necessary.
+ *
+ * @param zip the JWT compression algorithm {@code zip} value or {@code null} to remove the property from the JSON map.
+ * @return the instance for method chaining.
+ * @since 0.6.0
+ * @deprecated since 0.12.0 and will be removed before the 1.0 release.
+ */
+ @Deprecated
+ T setCompressionAlgorithm(String zip);
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Identifiable.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Identifiable.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Identifiable.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * An object that may be uniquely identified by an {@link #getId() id} relative to other instances of the same type.
+ *
+ * The following table indicates how various JWT or JWK {@link #getId() getId()} values are used.
+ *
+ *
+ * JWA Identifiable Concepts
+ *
+ *
+ * | JJWT Type |
+ * How {@link #getId()} is Used |
+ *
+ *
+ *
+ *
+ * | {@link io.jsonwebtoken.Claims Claims} |
+ * JWT's {@code jti} (JWT ID)
+ * claim. |
+ *
+ *
+ * | {@link io.jsonwebtoken.security.Jwk Jwk} |
+ * JWK's {@code kid} (Key ID)
+ * parameter value. |
+ *
+ *
+ * | {@link io.jsonwebtoken.security.Curve Curve} |
+ * JWK's {@code crv} (Curve)
+ * parameter value. |
+ *
+ *
+ * | {@link io.jsonwebtoken.io.CompressionAlgorithm CompressionAlgorithm} |
+ * JWE protected header's
+ * {@code zip} (Compression Algorithm)
+ * parameter value. |
+ *
+ *
+ * | {@link io.jsonwebtoken.security.HashAlgorithm HashAlgorithm} |
+ * Within a {@link io.jsonwebtoken.security.JwkThumbprint JwkThumbprint}'s URI value. |
+ *
+ *
+ * | {@link io.jsonwebtoken.security.MacAlgorithm MacAlgorithm} |
+ * JWS protected header's
+ * {@code alg} (Algorithm) parameter value. |
+ *
+ *
+ * | {@link io.jsonwebtoken.security.SignatureAlgorithm SignatureAlgorithm} |
+ * JWS protected header's
+ * {@code alg} (Algorithm) parameter value. |
+ *
+ *
+ * | {@link io.jsonwebtoken.security.KeyAlgorithm KeyAlgorithm} |
+ * JWE protected header's
+ * {@code alg} (Key Management Algorithm)
+ * parameter value. |
+ *
+ *
+ * | {@link io.jsonwebtoken.security.AeadAlgorithm AeadAlgorithm} |
+ * JWE protected header's
+ * {@code enc} (Encryption Algorithm)
+ * parameter value. |
+ *
+ *
+ *
+ *
+ * @since 0.12.0
+ */
+public interface Identifiable {
+
+ /**
+ * Returns the unique string identifier of the associated object.
+ *
+ * @return the unique string identifier of the associated object.
+ */
+ String getId();
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/IncorrectClaimException.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/IncorrectClaimException.java (.../IncorrectClaimException.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/IncorrectClaimException.java (.../IncorrectClaimException.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -23,11 +23,30 @@
*/
public class IncorrectClaimException extends InvalidClaimException {
- public IncorrectClaimException(Header header, Claims claims, String message) {
- super(header, claims, message);
+ /**
+ * Creates a new instance with the specified header, claims and explanation message.
+ *
+ * @param header the header inspected
+ * @param claims the claims with the incorrect claim value
+ * @param claimName the name of the claim that could not be validated
+ * @param claimValue the value of the claim that could not be validated
+ * @param message the exception message
+ */
+ public IncorrectClaimException(Header header, Claims claims, String claimName, Object claimValue, String message) {
+ super(header, claims, claimName, claimValue, message);
}
- public IncorrectClaimException(Header header, Claims claims, String message, Throwable cause) {
- super(header, claims, message, cause);
+ /**
+ * Creates a new instance with the specified header, claims, explanation message and underlying cause.
+ *
+ * @param header the header inspected
+ * @param claims the claims with the incorrect claim value
+ * @param claimName the name of the claim that could not be validated
+ * @param claimValue the value of the claim that could not be validated
+ * @param message the exception message
+ * @param cause the underlying cause that resulted in this exception being thrown
+ */
+ public IncorrectClaimException(Header header, Claims claims, String claimName, Object claimValue, String message, Throwable cause) {
+ super(header, claims, claimName, claimValue, message, cause);
}
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/InvalidClaimException.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/InvalidClaimException.java (.../InvalidClaimException.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/InvalidClaimException.java (.../InvalidClaimException.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -21,35 +21,66 @@
*
* @see IncorrectClaimException
* @see MissingClaimException
- *
* @since 0.6
*/
public class InvalidClaimException extends ClaimJwtException {
- private String claimName;
- private Object claimValue;
+ /**
+ * The name of the invalid claim.
+ */
+ private final String claimName;
- protected InvalidClaimException(Header header, Claims claims, String message) {
+ /**
+ * The claim value that could not be validated.
+ */
+ private final Object claimValue;
+
+ /**
+ * Creates a new instance with the specified header, claims and explanation message.
+ *
+ * @param header the header inspected
+ * @param claims the claims obtained
+ * @param claimName the name of the claim that could not be validated
+ * @param claimValue the value of the claim that could not be validated
+ * @param message the exception message
+ */
+ protected InvalidClaimException(Header header, Claims claims, String claimName, Object claimValue, String message) {
super(header, claims, message);
+ this.claimName = claimName;
+ this.claimValue = claimValue;
}
- protected InvalidClaimException(Header header, Claims claims, String message, Throwable cause) {
+ /**
+ * Creates a new instance with the specified header, claims, explanation message and underlying cause.
+ *
+ * @param header the header inspected
+ * @param claims the claims obtained
+ * @param claimName the name of the claim that could not be validated
+ * @param claimValue the value of the claim that could not be validated
+ * @param message the exception message
+ * @param cause the underlying cause that resulted in this exception being thrown
+ */
+ protected InvalidClaimException(Header header, Claims claims, String claimName, Object claimValue, String message, Throwable cause) {
super(header, claims, message, cause);
+ this.claimName = claimName;
+ this.claimValue = claimValue;
}
+ /**
+ * Returns the name of the invalid claim.
+ *
+ * @return the name of the invalid claim.
+ */
public String getClaimName() {
return claimName;
}
- public void setClaimName(String claimName) {
- this.claimName = claimName;
- }
-
+ /**
+ * Returns the claim value that could not be validated.
+ *
+ * @return the claim value that could not be validated.
+ */
public Object getClaimValue() {
return claimValue;
}
-
- public void setClaimValue(Object claimValue) {
- this.claimValue = claimValue;
- }
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jwe.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jwe.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jwe.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * An encrypted JWT, called a "JWE", per the
+ * JWE (RFC 7516) Specification.
+ *
+ * @param payload type, either {@link Claims} or {@code byte[]} content.
+ * @since 0.12.0
+ */
+public interface Jwe extends ProtectedJwt {
+
+ /**
+ * Visitor implementation that ensures the visited JWT is a JSON Web Encryption ('JWE') message with an
+ * authenticated and decrypted {@code byte[]} array payload, and rejects all others with an
+ * {@link UnsupportedJwtException}.
+ *
+ * @see SupportedJwtVisitor#onDecryptedContent(Jwe)
+ * @since 0.12.0
+ */
+ @SuppressWarnings("UnnecessaryModifier")
+ public static final JwtVisitor> CONTENT = new SupportedJwtVisitor>() {
+ @Override
+ public Jwe onDecryptedContent(Jwe jwe) {
+ return jwe;
+ }
+ };
+
+ /**
+ * Visitor implementation that ensures the visited JWT is a JSON Web Encryption ('JWE') message with an
+ * authenticated and decrypted {@link Claims} payload, and rejects all others with an
+ * {@link UnsupportedJwtException}.
+ *
+ * @see SupportedJwtVisitor#onDecryptedClaims(Jwe)
+ * @since 0.12.0
+ */
+ @SuppressWarnings("UnnecessaryModifier")
+ public static final JwtVisitor> CLAIMS = new SupportedJwtVisitor>() {
+ @Override
+ public Jwe onDecryptedClaims(Jwe jwe) {
+ return jwe;
+ }
+ };
+
+ /**
+ * Returns the Initialization Vector used during JWE encryption and decryption.
+ *
+ * @return the Initialization Vector used during JWE encryption and decryption.
+ */
+ byte[] getInitializationVector();
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JweHeader.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JweHeader.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JweHeader.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.security.AeadAlgorithm;
+import io.jsonwebtoken.security.KeyAlgorithm;
+import io.jsonwebtoken.security.PublicJwk;
+
+import javax.crypto.SecretKey;
+import java.security.Key;
+
+/**
+ * A JWE header.
+ *
+ * @since 0.12.0
+ */
+public interface JweHeader extends ProtectedHeader {
+
+ /**
+ * Returns the JWE {@code enc} (Encryption
+ * Algorithm) header value or {@code null} if not present.
+ *
+ * The JWE {@code enc} (encryption algorithm) Header Parameter identifies the content encryption algorithm
+ * used to perform authenticated encryption on the plaintext to produce the ciphertext and the JWE
+ * {@code Authentication Tag}.
+ *
+ * Note that there is no corresponding 'setter' method for this 'getter' because JJWT users set this value by
+ * supplying an {@link AeadAlgorithm} to a {@link JwtBuilder} via one of its
+ * {@link JwtBuilder#encryptWith(SecretKey, AeadAlgorithm) encryptWith(SecretKey, AeadAlgorithm)} or
+ * {@link JwtBuilder#encryptWith(Key, KeyAlgorithm, AeadAlgorithm) encryptWith(Key, KeyAlgorithm, AeadAlgorithm)}
+ * methods. JJWT will then set this {@code enc} header value automatically to the {@code AeadAlgorithm}'s
+ * {@link AeadAlgorithm#getId() getId()} value during encryption.
+ *
+ * @return the JWE {@code enc} (Encryption Algorithm) header value or {@code null} if not present. This will
+ * always be {@code non-null} on validly-constructed JWE instances, but could be {@code null} during construction.
+ * @see JwtBuilder#encryptWith(SecretKey, AeadAlgorithm)
+ * @see JwtBuilder#encryptWith(Key, KeyAlgorithm, AeadAlgorithm)
+ */
+ String getEncryptionAlgorithm();
+
+ /**
+ * Returns the {@code epk} (Ephemeral
+ * Public Key) header value created by the JWE originator for use with key agreement algorithms, or
+ * {@code null} if not present.
+ *
+ * Note that there is no corresponding 'setter' method for this 'getter' because JJWT users set this value by
+ * supplying an ECDH-ES {@link KeyAlgorithm} to a {@link JwtBuilder} via its
+ * {@link JwtBuilder#encryptWith(Key, KeyAlgorithm, AeadAlgorithm) encryptWith(Key, KeyAlgorithm, AeadAlgorithm)}
+ * method. The ECDH-ES {@code KeyAlgorithm} implementation will then set this {@code epk} header value
+ * automatically when producing the encryption key.
+ *
+ * @return the {@code epk} (Ephemeral
+ * Public Key) header value created by the JWE originator for use with key agreement algorithms, or
+ * {@code null} if not present.
+ * @see Jwts.KEY
+ * @see Jwts.KEY#ECDH_ES
+ * @see Jwts.KEY#ECDH_ES_A128KW
+ * @see Jwts.KEY#ECDH_ES_A192KW
+ * @see Jwts.KEY#ECDH_ES_A256KW
+ */
+ PublicJwk getEphemeralPublicKey();
+
+ /**
+ * Returns any information about the JWE producer for use with key agreement algorithms, or {@code null} if not
+ * present.
+ *
+ * @return any information about the JWE producer for use with key agreement algorithms, or {@code null} if not
+ * present.
+ * @see JWE apu (Agreement PartyUInfo) Header Parameter
+ * @see Jwts.KEY#ECDH_ES
+ * @see Jwts.KEY#ECDH_ES_A128KW
+ * @see Jwts.KEY#ECDH_ES_A192KW
+ * @see Jwts.KEY#ECDH_ES_A256KW
+ */
+ byte[] getAgreementPartyUInfo();
+
+ /**
+ * Returns any information about the JWE recipient for use with key agreement algorithms, or {@code null} if not
+ * present.
+ *
+ * @return any information about the JWE recipient for use with key agreement algorithms, or {@code null} if not
+ * present.
+ * @see JWE apv (Agreement PartyVInfo) Header Parameter
+ * @see Jwts.KEY#ECDH_ES
+ * @see Jwts.KEY#ECDH_ES_A128KW
+ * @see Jwts.KEY#ECDH_ES_A192KW
+ * @see Jwts.KEY#ECDH_ES_A256KW
+ */
+ byte[] getAgreementPartyVInfo();
+
+ /**
+ * Returns the 96-bit "iv"
+ * (Initialization Vector) generated during key encryption, or {@code null} if not present.
+ * Set by AES GCM {@link io.jsonwebtoken.security.KeyAlgorithm KeyAlgorithm} implementations.
+ *
+ * Note that there is no corresponding 'setter' method for this 'getter' because JJWT users set this value by
+ * supplying an AES GCM Wrap {@link KeyAlgorithm} to a {@link JwtBuilder} via its
+ * {@link JwtBuilder#encryptWith(Key, KeyAlgorithm, AeadAlgorithm) encryptWith(Key, KeyAlgorithm, AeadAlgorithm)}
+ * method. The AES GCM Wrap {@code KeyAlgorithm} implementation will then set this {@code iv} header value
+ * automatically when producing the encryption key.
+ *
+ * @return the 96-bit initialization vector generated during key encryption, or {@code null} if not present.
+ * @see Jwts.KEY#A128GCMKW
+ * @see Jwts.KEY#A192GCMKW
+ * @see Jwts.KEY#A256GCMKW
+ */
+ byte[] getInitializationVector();
+
+ /**
+ * Returns the 128-bit "tag"
+ * (Authentication Tag) resulting from key encryption, or {@code null} if not present.
+ *
+ * Note that there is no corresponding 'setter' method for this 'getter' because JJWT users set this value by
+ * supplying an AES GCM Wrap {@link KeyAlgorithm} to a {@link JwtBuilder} via its
+ * {@link JwtBuilder#encryptWith(Key, KeyAlgorithm, AeadAlgorithm) encryptWith(Key, KeyAlgorithm, AeadAlgorithm)}
+ * method. The AES GCM Wrap {@code KeyAlgorithm} implementation will then set this {@code tag} header value
+ * automatically when producing the encryption key.
+ *
+ * @return the 128-bit authentication tag resulting from key encryption, or {@code null} if not present.
+ * @see Jwts.KEY#A128GCMKW
+ * @see Jwts.KEY#A192GCMKW
+ * @see Jwts.KEY#A256GCMKW
+ */
+ byte[] getAuthenticationTag();
+
+ /**
+ * Returns the number of PBKDF2 iterations necessary to derive the key used during JWE encryption, or {@code null}
+ * if not present. Used with password-based {@link io.jsonwebtoken.security.KeyAlgorithm KeyAlgorithm}s.
+ *
+ * @return the number of PBKDF2 iterations necessary to derive the key used during JWE encryption, or {@code null}
+ * if not present.
+ * @see JWE p2c (PBES2 Count) Header Parameter
+ * @see Jwts.KEY#PBES2_HS256_A128KW
+ * @see Jwts.KEY#PBES2_HS384_A192KW
+ * @see Jwts.KEY#PBES2_HS512_A256KW
+ */
+ Integer getPbes2Count();
+
+ /**
+ * Returns the PBKDF2 {@code Salt Input} value necessary to derive the key used during JWE encryption, or
+ * {@code null} if not present.
+ *
+ * Note that there is no corresponding 'setter' method for this 'getter' because JJWT users set this value by
+ * supplying a password-based {@link KeyAlgorithm} to a {@link JwtBuilder} via its
+ * {@link JwtBuilder#encryptWith(Key, KeyAlgorithm, AeadAlgorithm) encryptWith(Key, KeyAlgorithm, AeadAlgorithm)}
+ * method. The password-based {@code KeyAlgorithm} implementation will then set this {@code p2s} header value
+ * automatically when producing the encryption key.
+ *
+ * @return the PBKDF2 {@code Salt Input} value necessary to derive the key used during JWE encryption, or
+ * {@code null} if not present.
+ * @see JWE p2s (PBES2 Salt Input) Header Parameter
+ * @see Jwts.KEY#PBES2_HS256_A128KW
+ * @see Jwts.KEY#PBES2_HS384_A192KW
+ * @see Jwts.KEY#PBES2_HS512_A256KW
+ */
+ byte[] getPbes2Salt();
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JweHeaderMutator.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JweHeaderMutator.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JweHeaderMutator.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,116 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.security.KeyAlgorithm;
+
+/**
+ * Mutation (modifications) to a {@link JweHeader} instance.
+ *
+ * @param the mutator subtype, for method chaining
+ * @since 0.12.0
+ */
+public interface JweHeaderMutator> extends ProtectedHeaderMutator {
+
+ /**
+ * Sets any information about the JWE producer for use with key agreement algorithms. A {@code null} or empty value
+ * removes the property from the JSON map.
+ *
+ * @param info information about the JWE producer to use with key agreement algorithms.
+ * @return the header for method chaining.
+ * @see JWE apu (Agreement PartyUInfo) Header Parameter
+ * @see Jwts.KEY#ECDH_ES
+ * @see Jwts.KEY#ECDH_ES_A128KW
+ * @see Jwts.KEY#ECDH_ES_A192KW
+ * @see Jwts.KEY#ECDH_ES_A256KW
+ */
+ T agreementPartyUInfo(byte[] info);
+
+ /**
+ * Sets any information about the JWE producer for use with key agreement algorithms. A {@code null} value removes
+ * the property from the JSON map.
+ *
+ * If not {@code null}, this is a convenience method that calls the equivalent of the following:
+ *
+ * {@link #agreementPartyUInfo(byte[]) agreementPartyUInfo}(info.getBytes(StandardCharsets.UTF_8))
+ *
+ * @param info information about the JWE producer to use with key agreement algorithms.
+ * @return the header for method chaining.
+ * @see JWE apu (Agreement PartyUInfo) Header Parameter
+ * @see Jwts.KEY#ECDH_ES
+ * @see Jwts.KEY#ECDH_ES_A128KW
+ * @see Jwts.KEY#ECDH_ES_A192KW
+ * @see Jwts.KEY#ECDH_ES_A256KW
+ */
+ T agreementPartyUInfo(String info);
+
+ /**
+ * Sets any information about the JWE recipient for use with key agreement algorithms. A {@code null} value removes
+ * the property from the JSON map.
+ *
+ * @param info information about the JWE recipient to use with key agreement algorithms.
+ * @return the header for method chaining.
+ * @see JWE apv (Agreement PartyVInfo) Header Parameter
+ * @see Jwts.KEY#ECDH_ES
+ * @see Jwts.KEY#ECDH_ES_A128KW
+ * @see Jwts.KEY#ECDH_ES_A192KW
+ * @see Jwts.KEY#ECDH_ES_A256KW
+ */
+ T agreementPartyVInfo(byte[] info);
+
+ /**
+ * Sets any information about the JWE recipient for use with key agreement algorithms. A {@code null} value removes
+ * the property from the JSON map.
+ *
+ * If not {@code null}, this is a convenience method that calls the equivalent of the following:
+ *
+ * {@link #agreementPartyVInfo(byte[]) setAgreementPartVUInfo}(info.getBytes(StandardCharsets.UTF_8))
+ *
+ * @param info information about the JWE recipient to use with key agreement algorithms.
+ * @return the header for method chaining.
+ * @see JWE apv (Agreement PartyVInfo) Header Parameter
+ * @see Jwts.KEY#ECDH_ES
+ * @see Jwts.KEY#ECDH_ES_A128KW
+ * @see Jwts.KEY#ECDH_ES_A192KW
+ * @see Jwts.KEY#ECDH_ES_A256KW
+ */
+ T agreementPartyVInfo(String info);
+
+ /**
+ * Sets the number of PBKDF2 iterations necessary to derive the key used during JWE encryption. If this value
+ * is not set when a password-based {@link KeyAlgorithm} is used, JJWT will automatically choose a suitable
+ * number of iterations based on
+ * OWASP PBKDF2 Iteration Recommendations.
+ *
+ * Minimum Count
+ *
+ * {@code IllegalArgumentException} will be thrown during encryption if a specified {@code count} is
+ * less than 1000 (one thousand), which is the
+ * minimum number recommended by the
+ * JWA specification. Anything less is susceptible to security attacks so the default PBKDF2
+ * {@code KeyAlgorithm} implementations reject such values.
+ *
+ * @param count the number of PBKDF2 iterations necessary to derive the key used during JWE encryption, must be
+ * greater than or equal to 1000 (one thousand).
+ * @return the header for method chaining
+ * @see JWE p2c (PBES2 Count) Header Parameter
+ * @see Jwts.KEY#PBES2_HS256_A128KW
+ * @see Jwts.KEY#PBES2_HS384_A192KW
+ * @see Jwts.KEY#PBES2_HS512_A256KW
+ * @see OWASP PBKDF2 Iteration Recommendations
+ */
+ T pbes2Count(int count);
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jws.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jws.java (.../Jws.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jws.java (.../Jws.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -18,11 +18,49 @@
/**
* An expanded (not compact/serialized) Signed JSON Web Token.
*
- * @param the type of the JWS body contents, either a String or a {@link Claims} instance.
- *
+ * @param the type of the JWS payload, either a byte[] or a {@link Claims} instance.
* @since 0.1
*/
-public interface Jws extends Jwt {
+public interface Jws extends ProtectedJwt {
- String getSignature();
+ /**
+ * Visitor implementation that ensures the visited JWT is a JSON Web Signature ('JWS') message with a
+ * cryptographically authenticated/verified {@code byte[]} array payload, and rejects all others with an
+ * {@link UnsupportedJwtException}.
+ *
+ * @see SupportedJwtVisitor#onVerifiedContent(Jws)
+ * @since 0.12.0
+ */
+ @SuppressWarnings("UnnecessaryModifier")
+ public static final JwtVisitor> CONTENT = new SupportedJwtVisitor>() {
+ @Override
+ public Jws onVerifiedContent(Jws jws) {
+ return jws;
+ }
+ };
+
+ /**
+ * Visitor implementation that ensures the visited JWT is a JSON Web Signature ('JWS') message with a
+ * cryptographically authenticated/verified {@link Claims} payload, and rejects all others with an
+ * {@link UnsupportedJwtException}.
+ *
+ * @see SupportedJwtVisitor#onVerifiedClaims(Jws)
+ * @since 0.12.0
+ */
+ @SuppressWarnings("UnnecessaryModifier")
+ public static final JwtVisitor> CLAIMS = new SupportedJwtVisitor>() {
+ @Override
+ public Jws onVerifiedClaims(Jws jws) {
+ return jws;
+ }
+ };
+
+ /**
+ * Returns the verified JWS signature as a Base64Url string.
+ *
+ * @return the verified JWS signature as a Base64Url string.
+ * @deprecated since 0.12.0 in favor of {@link #getDigest() getDigest()}.
+ */
+ @Deprecated
+ String getSignature(); //TODO for 1.0: return a byte[]
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwsHeader.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwsHeader.java (.../JwsHeader.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwsHeader.java (.../JwsHeader.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -16,92 +16,92 @@
package io.jsonwebtoken;
/**
- * A JWS header.
+ * A JWS header.
*
- * @param header type
* @since 0.1
*/
-public interface JwsHeader> extends Header {
+public interface JwsHeader extends ProtectedHeader {
- /** JWS {@code Algorithm} header parameter name: "alg" */
- public static final String ALGORITHM = "alg";
+ /**
+ * JWS Algorithm Header name: the string literal alg
+ *
+ * @deprecated since 0.12.0 in favor of {@link #getAlgorithm()}
+ */
+ @Deprecated
+ String ALGORITHM = "alg";
- /** JWS {@code JWT Set URL} header parameter name: "jku" */
- public static final String JWK_SET_URL = "jku";
+ /**
+ * JWS JWK Set URL Header name: the string literal jku
+ *
+ * @deprecated since 0.12.0 in favor of {@link #getJwkSetUrl()}
+ */
+ @Deprecated
+ String JWK_SET_URL = "jku";
- /** JWS {@code JSON Web Key} header parameter name: "jwk" */
- public static final String JSON_WEB_KEY = "jwk";
+ /**
+ * JWS JSON Web Key Header name: the string literal jwk
+ *
+ * @deprecated since 0.12.0 in favor of {@link #getJwk()}
+ */
+ @Deprecated
+ String JSON_WEB_KEY = "jwk";
- /** JWS {@code Key ID} header parameter name: "kid" */
- public static final String KEY_ID = "kid";
+ /**
+ * JWS Key ID Header name: the string literal kid
+ *
+ * @deprecated since 0.12.0 in favor of {@link #getKeyId()}
+ */
+ @Deprecated
+ String KEY_ID = "kid";
- /** JWS {@code X.509 URL} header parameter name: "x5u" */
- public static final String X509_URL = "x5u";
+ /**
+ * JWS X.509 URL Header name: the string literal x5u
+ *
+ * @deprecated since 0.12.0 in favor of {@link #getX509Url()}
+ */
+ @Deprecated
+ String X509_URL = "x5u";
- /** JWS {@code X.509 Certificate Chain} header parameter name: "x5c" */
- public static final String X509_CERT_CHAIN = "x5c";
+ /**
+ * JWS X.509 Certificate Chain Header name: the string literal x5c
+ *
+ * @deprecated since 0.12.0 in favor of {@link #getX509Chain()}
+ */
+ @Deprecated
+ String X509_CERT_CHAIN = "x5c";
- /** JWS {@code X.509 Certificate SHA-1 Thumbprint} header parameter name: "x5t" */
- public static final String X509_CERT_SHA1_THUMBPRINT = "x5t";
-
- /** JWS {@code X.509 Certificate SHA-256 Thumbprint} header parameter name: "x5t#S256" */
- public static final String X509_CERT_SHA256_THUMBPRINT = "x5t#S256";
-
- /** JWS {@code Critical} header parameter name: "crit" */
- public static final String CRITICAL = "crit";
-
/**
- * Returns the JWS
- * alg (algorithm) header value or {@code null} if not present.
+ * JWS X.509 Certificate SHA-1 Thumbprint Header name: the string literal x5t
*
- * The algorithm header parameter identifies the cryptographic algorithm used to secure the JWS. Consider
- * using {@link io.jsonwebtoken.SignatureAlgorithm#forName(String) SignatureAlgorithm.forName} to convert this
- * string value to a type-safe enum instance.
- *
- * @return the JWS {@code alg} header value or {@code null} if not present. This will always be
- * {@code non-null} on validly constructed JWS instances, but could be {@code null} during construction.
+ * @deprecated since 0.12.0 in favor of {@link #getX509Sha1Thumbprint()}
*/
- String getAlgorithm();
+ @Deprecated
+ String X509_CERT_SHA1_THUMBPRINT = "x5t";
/**
- * Sets the JWT
- * alg (Algorithm) header value. A {@code null} value will remove the property from the JSON map.
+ * JWS X.509 Certificate SHA-256 Thumbprint Header name: the string literal x5t#S256
*
- * The algorithm header parameter identifies the cryptographic algorithm used to secure the JWS. Consider
- * using a type-safe {@link io.jsonwebtoken.SignatureAlgorithm SignatureAlgorithm} instance and using its
- * {@link io.jsonwebtoken.SignatureAlgorithm#getValue() value} as the argument to this method.
- *
- * @param alg the JWS {@code alg} header value or {@code null} to remove the property from the JSON map.
- * @return the {@code Header} instance for method chaining.
+ * @deprecated since 0.12.0 in favor of {@link #getX509Sha256Thumbprint()}
*/
- T setAlgorithm(String alg);
+ @Deprecated
+ String X509_CERT_SHA256_THUMBPRINT = "x5t#S256";
/**
- * Returns the JWS
- * kid (Key ID) header value or {@code null} if not present.
+ * JWS Critical Header name: the string literal crit
*
- * The keyId header parameter is a hint indicating which key was used to secure the JWS. This parameter allows
- * originators to explicitly signal a change of key to recipients. The structure of the keyId value is
- * unspecified.
- *
- * When used with a JWK, the keyId value is used to match a JWK {@code keyId} parameter value.
- *
- * @return the JWS {@code kid} header value or {@code null} if not present.
+ * @deprecated since 0.12.0 in favor of {@link #getCritical()}
*/
- String getKeyId();
+ @Deprecated
+ String CRITICAL = "crit";
/**
- * Sets the JWT
- * kid (Key ID) header value. A {@code null} value will remove the property from the JSON map.
+ * Returns {@code true} if the payload is Base64Url-encoded per standard JWS rules, or {@code false} if the
+ * RFC 7797: JSON Web Signature (JWS) Unencoded Payload
+ * Option has been specified.
*
- * The keyId header parameter is a hint indicating which key was used to secure the JWS. This parameter allows
- * originators to explicitly signal a change of key to recipients. The structure of the keyId value is
- * unspecified.
- *
- * When used with a JWK, the keyId value is used to match a JWK {@code keyId} parameter value.
- *
- * @param kid the JWS {@code kid} header value or {@code null} to remove the property from the JSON map.
- * @return the {@code Header} instance for method chaining.
+ * @return {@code true} if the payload is Base64Url-encoded per standard JWS rules, or {@code false} if the
+ * RFC 7797: JSON Web Signature (JWS) Unencoded Payload
+ * Option has been specified.
*/
- T setKeyId(String kid);
+ boolean isPayloadEncoded();
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jwt.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jwt.java (.../Jwt.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jwt.java (.../Jwt.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -18,23 +18,79 @@
/**
* An expanded (not compact/serialized) JSON Web Token.
*
- * @param the type of the JWT body contents, either a String or a {@link Claims} instance.
- *
+ * @param the type of the JWT header
+ * @param the type of the JWT payload, either a content byte array or a {@link Claims} instance.
* @since 0.1
*/
-public interface Jwt {
+public interface Jwt {
/**
+ * Visitor implementation that ensures the visited JWT is an unsecured content JWT (one not cryptographically
+ * signed or encrypted) and rejects all others with an {@link UnsupportedJwtException}.
+ *
+ * @see SupportedJwtVisitor#onUnsecuredContent(Jwt)
+ * @since 0.12.0
+ */
+ @SuppressWarnings("UnnecessaryModifier")
+ public static final JwtVisitor> UNSECURED_CONTENT = new SupportedJwtVisitor>() {
+ @Override
+ public Jwt onUnsecuredContent(Jwt jwt) {
+ return jwt;
+ }
+ };
+
+ /**
+ * Visitor implementation that ensures the visited JWT is an unsecured {@link Claims} JWT (one not
+ * cryptographically signed or encrypted) and rejects all others with an {@link UnsupportedJwtException}.
+ *
+ * @see SupportedJwtVisitor#onUnsecuredClaims(Jwt)
+ * @since 0.12.0
+ */
+ @SuppressWarnings("UnnecessaryModifier")
+ public static final JwtVisitor> UNSECURED_CLAIMS = new SupportedJwtVisitor>() {
+ @Override
+ public Jwt onUnsecuredClaims(Jwt jwt) {
+ return jwt;
+ }
+ };
+
+ /**
* Returns the JWT {@link Header} or {@code null} if not present.
*
* @return the JWT {@link Header} or {@code null} if not present.
*/
H getHeader();
/**
- * Returns the JWT body, either a {@code String} or a {@code Claims} instance.
+ * Returns the JWT payload, either a {@code byte[]} or a {@code Claims} instance. Use
+ * {@link #getPayload()} instead, as this method will be removed prior to the 1.0 release.
*
- * @return the JWT body, either a {@code String} or a {@code Claims} instance.
+ * @return the JWT payload, either a {@code byte[]} or a {@code Claims} instance.
+ * @deprecated since 0.12.0 because it has been renamed to {@link #getPayload()}. 'Payload' (not
+ * body) is what the JWT specifications call this property, so it has been renamed to reflect the correct JWT
+ * nomenclature/taxonomy.
*/
- B getBody();
+ @SuppressWarnings("DeprecatedIsStillUsed")
+ @Deprecated
+ P getBody(); // TODO: remove for 1.0
+
+ /**
+ * Returns the JWT payload, either a {@code byte[]} or a {@code Claims} instance. If the payload is a byte
+ * array, and if the JWT creator set the (optional) {@link Header#getContentType() contentType} header
+ * value, the application may inspect the {@code contentType} value to determine how to convert the byte array to
+ * the final content type as desired.
+ *
+ * @return the JWT payload, either a {@code byte[]} or a {@code Claims} instance.
+ * @since 0.12.0
+ */
+ P getPayload();
+
+ /**
+ * Invokes the specified {@code visitor}'s appropriate type-specific {@code visit} method based on this JWT's type.
+ *
+ * @param visitor the visitor to invoke.
+ * @param the value type returned from the {@code visit} method.
+ * @return the value returned from visitor's {@code visit} method implementation.
+ */
+ T accept(JwtVisitor visitor);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtBuilder.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtBuilder.java (.../JwtBuilder.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtBuilder.java (.../JwtBuilder.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -15,370 +15,732 @@
*/
package io.jsonwebtoken;
+import io.jsonwebtoken.io.CompressionAlgorithm;
import io.jsonwebtoken.io.Decoder;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.Encoder;
import io.jsonwebtoken.io.Serializer;
+import io.jsonwebtoken.lang.Conjunctor;
+import io.jsonwebtoken.lang.MapMutator;
+import io.jsonwebtoken.security.AeadAlgorithm;
import io.jsonwebtoken.security.InvalidKeyException;
+import io.jsonwebtoken.security.KeyAlgorithm;
import io.jsonwebtoken.security.Keys;
+import io.jsonwebtoken.security.Password;
+import io.jsonwebtoken.security.SecureDigestAlgorithm;
+import io.jsonwebtoken.security.WeakKeyException;
+import io.jsonwebtoken.security.X509Builder;
+
+import javax.crypto.SecretKey;
+import java.io.InputStream;
+import java.io.OutputStream;
import java.security.Key;
+import java.security.PrivateKey;
+import java.security.Provider;
+import java.security.SecureRandom;
+import java.security.interfaces.ECKey;
+import java.security.interfaces.RSAKey;
import java.util.Date;
import java.util.Map;
/**
- * A builder for constructing JWTs.
+ * A builder for constructing Unprotected JWTs, Signed JWTs (aka 'JWS's) and Encrypted JWTs (aka 'JWE's).
*
* @since 0.1
*/
public interface JwtBuilder extends ClaimsMutator {
- //replaces any existing header with the specified header.
+ /**
+ * Sets the JCA Provider to use during cryptographic signing or encryption operations, or {@code null} if the
+ * JCA subsystem preferred provider should be used.
+ *
+ * @param provider the JCA Provider to use during cryptographic signing or encryption operations, or {@code null} if the
+ * JCA subsystem preferred provider should be used.
+ * @return the builder for method chaining.
+ * @since 0.12.0
+ */
+ JwtBuilder provider(Provider provider);
/**
- * Sets (and replaces) any existing header with the specified header. If you do not want to replace the existing
- * header and only want to append to it, use the {@link #setHeaderParams(java.util.Map)} method instead.
+ * Sets the {@link SecureRandom} to use during cryptographic signing or encryption operations, or {@code null} if
+ * a default {@link SecureRandom} should be used.
*
- * @param header the header to set (and potentially replace any existing header).
+ * @param secureRandom the {@link SecureRandom} to use during cryptographic signing or encryption operations, or
+ * {@code null} if a default {@link SecureRandom} should be used.
* @return the builder for method chaining.
+ * @since 0.12.0
*/
- JwtBuilder setHeader(Header header);
+ JwtBuilder random(SecureRandom secureRandom);
/**
- * Sets (and replaces) any existing header with the specified header. If you do not want to replace the existing
- * header and only want to append to it, use the {@link #setHeaderParams(java.util.Map)} method instead.
+ * Returns the {@code Header} to use to modify the constructed JWT's header name/value pairs as desired.
+ * When finished, callers may return to JWT construction via the {@link BuilderHeader#and() and()} method.
+ * For example:
*
- * @param header the header to set (and potentially replace any existing header).
+ *
+ * String jwt = Jwts.builder()
+ *
+ * .header()
+ * .keyId("keyId")
+ * .add("aName", aValue)
+ * .add(myHeaderMap)
+ * // ... etc ...
+ * .{@link BuilderHeader#and() and()} //return back to the JwtBuilder
+ *
+ * .subject("Joe") // resume JwtBuilder calls
+ * // ... etc ...
+ * .compact();
+ *
+ * @return the {@link BuilderHeader} to use for header construction.
+ * @since 0.12.0
+ */
+ BuilderHeader header();
+
+ /**
+ * Per standard Java idiom 'setter' conventions, this method sets (and fully replaces) any existing header with the
+ * specified name/value pairs. This is a wrapper method for:
+ *
+ *
+ * {@link #header()}.{@link MapMutator#empty() empty()}.{@link MapMutator#add(Map) add(map)}.{@link BuilderHeader#and() and()}
+ *
+ * If you do not want to replace the existing header and only want to append to it,
+ * call {@link #header()}.{@link io.jsonwebtoken.lang.MapMutator#add(Map) add(map)}.{@link BuilderHeader#and() and()} instead.
+ *
+ * @param map the name/value pairs to set as (and potentially replace) the constructed JWT header.
* @return the builder for method chaining.
+ * @deprecated since 0.12.0 in favor of
+ * {@link #header()}.{@link MapMutator#empty() empty()}.{@link MapMutator#add(Map) add(map)}.{@link BuilderHeader#and() and()}
+ * (to replace all header parameters) or
+ * {@link #header()}.{@link MapMutator#add(Map) add(map)}.{@link BuilderHeader#and() and()}
+ * to only append the {@code map} entries. This method will be removed before the 1.0 release.
*/
- JwtBuilder setHeader(Map header);
+ @SuppressWarnings("DeprecatedIsStillUsed")
+ @Deprecated
+ JwtBuilder setHeader(Map map);
/**
- * Applies the specified name/value pairs to the header. If a header does not yet exist at the time this method
- * is called, one will be created automatically before applying the name/value pairs.
+ * Adds the specified name/value pairs to the header. Any parameter with an empty or null value will remove the
+ * entry from the header. This is a wrapper method for:
+ *
+ * {@link #header()}.{@link MapMutator#add(Map) add(map)}.{@link BuilderHeader#and() and()}
*
* @param params the header name/value pairs to append to the header.
* @return the builder for method chaining.
+ * @deprecated since 0.12.0 in favor of
+ * {@link #header()}.{@link MapMutator#add(Map) add(map)}.{@link BuilderHeader#and() and()}.
+ * This method will be removed before the 1.0 release.
*/
- JwtBuilder setHeaderParams(Map params);
+ @SuppressWarnings("DeprecatedIsStillUsed")
+ @Deprecated
+ JwtBuilder setHeaderParams(Map params);
- //sets the specified header parameter, overwriting any previous value under the same name.
-
/**
- * Applies the specified name/value pair to the header. If a header does not yet exist at the time this method
- * is called, one will be created automatically before applying the name/value pair.
+ * Adds the specified name/value pair to the header. If the value is {@code null} or empty, the parameter will
+ * be removed from the header entirely. This is a wrapper method for:
+ *
+ * {@link #header()}.{@link MapMutator#add(Object, Object) add(name, value)}.{@link BuilderHeader#and() and()}
*
* @param name the header parameter name
* @param value the header parameter value
* @return the builder for method chaining.
+ * @deprecated since 0.12.0 in favor of
+ * {@link #header()}.{@link MapMutator#add(Object, Object) add(name, value)}.{@link BuilderHeader#and() and()}.
+ * This method will be removed before the 1.0 release.
*/
+ @SuppressWarnings("DeprecatedIsStillUsed")
+ @Deprecated
JwtBuilder setHeaderParam(String name, Object value);
/**
- * Sets the JWT's payload to be a plaintext (non-JSON) string. If you want the JWT body to be JSON, use the
- * {@link #setClaims(Claims)} or {@link #setClaims(java.util.Map)} methods instead.
+ * Since JJWT 0.12.0, this is an alias for {@link #content(String)}. This method will be removed
+ * before the 1.0 release.
*
- * The payload and claims properties are mutually exclusive - only one of the two may be used.
- *
- * @param payload the plaintext (non-JSON) string that will be the body of the JWT.
+ * @param payload the string used to set UTF-8-encoded bytes as the JWT payload.
* @return the builder for method chaining.
+ * @see #content(String)
+ * @deprecated since 0.12.0 in favor of {@link #content(String)}
+ * because both Claims and Content are technically 'payloads', so this method name is misleading. This method will
+ * be removed before the 1.0 release.
*/
+ @SuppressWarnings("DeprecatedIsStillUsed")
+ @Deprecated
JwtBuilder setPayload(String payload);
/**
- * Sets the JWT payload to be a JSON Claims instance. If you do not want the JWT body to be JSON and instead want
- * it to be a plaintext string, use the {@link #setPayload(String)} method instead.
+ * Sets the JWT payload to be the specified string's UTF-8 bytes. This is a convenience method semantically
+ * equivalent to calling:
*
- * The payload and claims properties are mutually exclusive - only one of the two may be used.
+ *
+ * {@link #content(byte[]) content}(payload.getBytes(StandardCharsets.UTF_8))
*
- * @param claims the JWT claims to be set as the JWT body.
+ * Content Type Recommendation
+ *
+ * Unless you are confident that the JWT recipient will always know to convert the payload bytes
+ * to a UTF-8 string without additional metadata, it is strongly recommended to use the
+ * {@link #content(String, String)} method instead of this one. That method ensures that a JWT recipient can
+ * inspect the {@code cty} header to know how to handle the payload bytes without ambiguity.
+ *
+ * Mutually Exclusive Claims and Content
+ *
+ * This method is mutually exclusive of the {@link #claim(String, Object)} and {@link #claims()}
+ * methods. Either {@code claims} or {@code content} method variants may be used, but not both. If you want the
+ * JWT payload to be JSON claims, use the {@link #claim(String, Object)} or {@link #claims()} methods instead.
+ *
+ * @param content the content string to use for the JWT payload
* @return the builder for method chaining.
+ * @see #content(String, String)
+ * @see #content(byte[], String)
+ * @see #content(InputStream, String)
+ * @since 0.12.0
*/
- JwtBuilder setClaims(Claims claims);
+ JwtBuilder content(String content);
/**
- * Sets the JWT payload to be a JSON Claims instance populated by the specified name/value pairs. If you do not
- * want the JWT body to be JSON and instead want it to be a plaintext string, use the {@link #setPayload(String)}
- * method instead.
+ * Sets the JWT payload to be the specified content byte array. This is a convenience method semantically
+ * equivalent to calling:
+ *
+ * {@link #content(InputStream) content}(new ByteArrayInputStream(content))
*
- * The payload* and claims* properties are mutually exclusive - only one of the two may be used.
+ * Content Type Recommendation
*
- * @param claims the JWT claims to be set as the JWT body.
+ * Unless you are confident that the JWT recipient will always know how to use the payload bytes
+ * without additional metadata, it is strongly recommended to also set the
+ * {@link Header#getContentType() contentType} header. For example:
+ *
+ *
+ * content(bytes).{@link #header() header()}.{@link HeaderMutator#contentType(String) contentType(cty)}.{@link BuilderHeader#and() and()}
+ *
+ * This ensures a JWT recipient can inspect the {@code cty} header to know how to handle the payload bytes
+ * without ambiguity.
+ *
+ * Mutually Exclusive Claims and Content
+ *
+ * This method is mutually exclusive of the {@link #claim(String, Object)} and {@link #claims()}
+ * methods. Either {@code claims} or {@code content} method variants may be used, but not both. If you want the
+ * JWT payload to be JSON claims, use the {@link #claim(String, Object)} or {@link #claims()} methods instead.
+ *
+ * @param content the content byte array to use as the JWT payload
* @return the builder for method chaining.
+ * @see #content(byte[], String)
+ * @since 0.12.0
*/
- JwtBuilder setClaims(Map claims);
+ JwtBuilder content(byte[] content);
/**
- * Adds all given name/value pairs to the JSON Claims in the payload. If a Claims instance does not yet exist at the
- * time this method is called, one will be created automatically before applying the name/value pairs.
+ * Sets the JWT payload to be the bytes in the specified content stream.
*
- * The payload and claims properties are mutually exclusive - only one of the two may be used.
+ * Content Type Recommendation
*
- * @param claims the JWT claims to be added to the JWT body.
+ * Unless you are confident that the JWT recipient will always know how to use the payload bytes
+ * without additional metadata, it is strongly recommended to also set the
+ * {@link HeaderMutator#contentType(String) contentType} header. For example:
+ *
+ *
+ * content(in).{@link #header() header()}.{@link HeaderMutator#contentType(String) contentType(cty)}.{@link BuilderHeader#and() and()}
+ *
+ * This ensures a JWT recipient can inspect the {@code cty} header to know how to handle the payload bytes
+ * without ambiguity.
+ *
+ * Mutually Exclusive Claims and Content
+ *
+ * This method is mutually exclusive of the {@link #claim(String, Object)} and {@link #claims()}
+ * methods. Either {@code claims} or {@code content} method variants may be used, but not both. If you want the
+ * JWT payload to be JSON claims, use the {@link #claim(String, Object)} or {@link #claims()} methods instead.
+ *
+ * @param in the input stream containing the bytes to use as the JWT payload
* @return the builder for method chaining.
- * @since 0.8
+ * @see #content(byte[], String)
+ * @since 0.12.0
*/
- JwtBuilder addClaims(Map claims);
+ JwtBuilder content(InputStream in);
/**
- * Sets the JWT Claims
- * iss (issuer) value. A {@code null} value will remove the property from the Claims.
+ * Sets the JWT payload to be the specified String's UTF-8 bytes, and also sets the
+ * {@link HeaderMutator#contentType(String) contentType} header value to a compact {@code cty} IANA Media Type
+ * identifier to indicate the data format of the resulting byte array. The JWT recipient can inspect the
+ * {@code cty} value to determine how to convert the byte array to the final content type as desired. This is a
+ * convenience method semantically equivalent to:
*
- * This is a convenience method. It will first ensure a Claims instance exists as the JWT body and then set
- * the Claims {@link Claims#setIssuer(String) issuer} field with the specified value. This allows you to write
- * code like this:
+ *
+ * {@link #content(String) content(content)}.{@link #header()}.{@link HeaderMutator#contentType(String) contentType(cty)}.{@link BuilderHeader#and() and()}
*
- *
- * String jwt = Jwts.builder().setIssuer("Joe").compact();
- *
+ * Compact Media Type Identifier
*
- * instead of this:
- *
- * Claims claims = Jwts.claims().setIssuer("Joe");
- * String jwt = Jwts.builder().setClaims(claims).compact();
- *
- * if desired.
+ * This method will automatically remove any application/ prefix from the
+ * {@code cty} string if possible according to the rules defined in the last paragraph of
+ * RFC 7517, Section 4.1.10:
*
- * @param iss the JWT {@code iss} value or {@code null} to remove the property from the Claims map.
- * @return the builder instance for method chaining.
- * @since 0.2
+ *
+ * To keep messages compact in common situations, it is RECOMMENDED that
+ * producers omit an "application/" prefix of a media type value in a
+ * "cty" Header Parameter when no other '/' appears in the media type
+ * value. A recipient using the media type value MUST treat it as if
+ * "application/" were prepended to any "cty" value not containing a
+ * '/'. For instance, a "cty" value of "example" SHOULD be used to
+ * represent the "application/example" media type, whereas the media
+ * type "application/example;part="1/2"" cannot be shortened to
+ * "example;part="1/2"".
+ *
+ * JJWT performs the reverse during JWT parsing: {@link Header#getContentType()} will automatically prepend the
+ * {@code application/} prefix if the parsed {@code cty} value does not contain a '/' character (as
+ * mandated by the RFC language above). This ensures application developers can use and read standard IANA Media
+ * Type identifiers without needing JWT-specific prefix conditional logic in application code.
+ *
+ *
+ * Mutually Exclusive Claims and Content
+ *
+ * This method is mutually exclusive of the {@link #claim(String, Object)} and {@link #claims()}
+ * methods. Either {@code claims} or {@code content} method variants may be used, but not both. If you want the
+ * JWT payload to be JSON claims, use the {@link #claim(String, Object)} or {@link #claims()} methods instead.
+ *
+ * @param content the content byte array that will be the JWT payload. Cannot be null or empty.
+ * @param cty the content type (media type) identifier attributed to the byte array. Cannot be null or empty.
+ * @return the builder for method chaining.
+ * @throws IllegalArgumentException if either {@code content} or {@code cty} are null or empty.
+ * @since 0.12.0
*/
- @Override
- //only for better/targeted JavaDoc
- JwtBuilder setIssuer(String iss);
+ JwtBuilder content(String content, String cty) throws IllegalArgumentException;
/**
- * Sets the JWT Claims
- * sub (subject) value. A {@code null} value will remove the property from the Claims.
+ * Sets the JWT payload to be the specified byte array, and also sets the
+ * {@link HeaderMutator#contentType(String) contentType} header value to a compact {@code cty} IANA Media Type
+ * identifier to indicate the data format of the byte array. The JWT recipient can inspect the
+ * {@code cty} value to determine how to convert the byte array to the final content type as desired. This is a
+ * convenience method semantically equivalent to:
*
- * This is a convenience method. It will first ensure a Claims instance exists as the JWT body and then set
- * the Claims {@link Claims#setSubject(String) subject} field with the specified value. This allows you to write
- * code like this:
+ *
+ * {@link #content(byte[]) content(content)}.{@link #header()}.{@link HeaderMutator#contentType(String) contentType(cty)}.{@link BuilderHeader#and() and()}
*
- *
- * String jwt = Jwts.builder().setSubject("Me").compact();
- *
+ * Compact Media Type Identifier
*
- * instead of this:
- *
- * Claims claims = Jwts.claims().setSubject("Me");
- * String jwt = Jwts.builder().setClaims(claims).compact();
- *
- * if desired.
+ * This method will automatically remove any application/ prefix from the
+ * {@code cty} string if possible according to the rules defined in the last paragraph of
+ * RFC 7517, Section 4.1.10:
+ *
+ * To keep messages compact in common situations, it is RECOMMENDED that
+ * producers omit an "application/" prefix of a media type value in a
+ * "cty" Header Parameter when no other '/' appears in the media type
+ * value. A recipient using the media type value MUST treat it as if
+ * "application/" were prepended to any "cty" value not containing a
+ * '/'. For instance, a "cty" value of "example" SHOULD be used to
+ * represent the "application/example" media type, whereas the media
+ * type "application/example;part="1/2"" cannot be shortened to
+ * "example;part="1/2"".
*
- * @param sub the JWT {@code sub} value or {@code null} to remove the property from the Claims map.
+ * JJWT performs the reverse during JWT parsing: {@link Header#getContentType()} will automatically prepend the
+ * {@code application/} prefix if the parsed {@code cty} value does not contain a '/' character (as
+ * mandated by the RFC language above). This ensures application developers can use and read standard IANA Media
+ * Type identifiers without needing JWT-specific prefix conditional logic in application code.
+ *
+ *
+ * Mutually Exclusive Claims and Content
+ *
+ * This method is mutually exclusive of the {@link #claim(String, Object)} and {@link #claims()}
+ * methods. Either {@code claims} or {@code content} method variants may be used, but not both. If you want the
+ * JWT payload to be JSON claims, use the {@link #claim(String, Object)} or {@link #claims()} methods instead.
+ *
+ * @param content the content byte array that will be the JWT payload. Cannot be null or empty.
+ * @param cty the content type (media type) identifier attributed to the byte array. Cannot be null or empty.
+ * @return the builder for method chaining.
+ * @throws IllegalArgumentException if either {@code content} or {@code cty} are null or empty.
+ * @since 0.12.0
+ */
+ JwtBuilder content(byte[] content, String cty) throws IllegalArgumentException;
+
+ /**
+ * Sets the JWT payload to be the specified content byte stream and also sets the
+ * {@link BuilderHeader#contentType(String) contentType} header value to a compact {@code cty} IANA Media Type
+ * identifier to indicate the data format of the byte array. The JWT recipient can inspect the
+ * {@code cty} value to determine how to convert the byte array to the final content type as desired. This is a
+ * convenience method semantically equivalent to:
+ *
+ *
+ * {@link #content(InputStream) content(content)}.{@link #header()}.{@link HeaderMutator#contentType(String) contentType(cty)}.{@link BuilderHeader#and() and()}
+ *
+ * Compact Media Type Identifier
+ *
+ * This method will automatically remove any application/ prefix from the
+ * {@code cty} string if possible according to the rules defined in the last paragraph of
+ * RFC 7517, Section 4.1.10:
+ *
+ *
+ * To keep messages compact in common situations, it is RECOMMENDED that
+ * producers omit an "application/" prefix of a media type value in a
+ * "cty" Header Parameter when no other '/' appears in the media type
+ * value. A recipient using the media type value MUST treat it as if
+ * "application/" were prepended to any "cty" value not containing a
+ * '/'. For instance, a "cty" value of "example" SHOULD be used to
+ * represent the "application/example" media type, whereas the media
+ * type "application/example;part="1/2"" cannot be shortened to
+ * "example;part="1/2"".
+ *
+ * JJWT performs the reverse during JWT parsing: {@link Header#getContentType()} will automatically prepend the
+ * {@code application/} prefix if the parsed {@code cty} value does not contain a '/' character (as
+ * mandated by the RFC language above). This ensures application developers can use and read standard IANA Media
+ * Type identifiers without needing JWT-specific prefix conditional logic in application code.
+ *
+ *
+ * Mutually Exclusive Claims and Content
+ *
+ * This method is mutually exclusive of the {@link #claim(String, Object)} and {@link #claims()}
+ * methods. Either {@code claims} or {@code content} method variants may be used, but not both. If you want the
+ * JWT payload to be JSON claims, use the {@link #claim(String, Object)} or {@link #claims()} methods instead.
+ *
+ * @param content the content byte array that will be the JWT payload. Cannot be null.
+ * @param cty the content type (media type) identifier attributed to the byte array. Cannot be null or empty.
+ * @return the builder for method chaining.
+ * @throws IllegalArgumentException if either {@code content} or {@code cty} are null or empty.
+ * @since 0.12.0
+ */
+ JwtBuilder content(InputStream content, String cty) throws IllegalArgumentException;
+
+ /**
+ * Returns the JWT {@code Claims} payload to modify as desired. When finished, callers may
+ * return to {@code JwtBuilder} configuration via the {@link BuilderClaims#and() and()} method.
+ * For example:
+ *
+ *
+ * String jwt = Jwts.builder()
+ *
+ * .claims()
+ * .issuer("me")
+ * .subject("Joe")
+ * .audience().add("you").and()
+ * .add("customClaim", customValue)
+ * .add(myClaimsMap)
+ * // ... etc ...
+ * .{@link BuilderClaims#and() and()} //return back to the JwtBuilder
+ *
+ * .signWith(key) // resume JwtBuilder calls
+ * // ... etc ...
+ * .compact();
+ *
+ * @return the {@link BuilderClaims} to use for Claims construction.
+ * @since 0.12.0
+ */
+ BuilderClaims claims();
+
+ /**
+ * Replaces the JWT Claims payload with the specified name/value pairs. This is an alias for:
+ *
+ * {@link #claims()}.{@link MapMutator#empty() empty()}.{@link MapMutator#add(Map) add(claims)}.{@link BuilderClaims#and() and()}
+ *
+ * The {@code content} and {@code claims} properties are mutually exclusive - only one of the two variants
+ * may be used.
+ *
+ * @param claims the JWT Claims to be set as the JWT payload.
+ * @return the builder for method chaining.
+ * @see #claims()
+ * @see #content(String)
+ * @see #content(byte[])
+ * @see #content(InputStream)
+ * @deprecated since 0.12.0 in favor of using the {@link #claims()} builder.
+ */
+ @SuppressWarnings("DeprecatedIsStillUsed")
+ @Deprecated
+ JwtBuilder setClaims(Map claims);
+
+ /**
+ * Adds/appends all given name/value pairs to the JSON Claims in the payload. This is an alias for:
+ *
+ *
+ * {@link #claims()}.{@link MapMutator#add(Map) add(claims)}.{@link BuilderClaims#and() and()}
+ *
+ * The content and claims properties are mutually exclusive - only one of the two may be used.
+ *
+ * @param claims the JWT Claims to be added to the JWT payload.
+ * @return the builder for method chaining.
+ * @since 0.8
+ * @deprecated since 0.12.0 in favor of
+ * {@link #claims()}.{@link BuilderClaims#add(Map) add(Map)}.{@link BuilderClaims#and() and()}.
+ * This method will be removed before the 1.0 release.
+ */
+ @SuppressWarnings("DeprecatedIsStillUsed")
+ @Deprecated
+ JwtBuilder addClaims(Map claims);
+
+ /**
+ * Sets a JWT claim, overwriting any existing claim with the same name. A {@code null} or empty
+ * value will remove the claim entirely. This is a convenience alias for:
+ *
+ * {@link #claims()}.{@link MapMutator#add(Object, Object) add(name, value)}.{@link BuilderClaims#and() and()}
+ *
+ * @param name the JWT Claims property name
+ * @param value the value to set for the specified Claims property name
* @return the builder instance for method chaining.
* @since 0.2
*/
- @Override
- //only for better/targeted JavaDoc
- JwtBuilder setSubject(String sub);
+ JwtBuilder claim(String name, Object value);
/**
- * Sets the JWT Claims
- * aud (audience) value. A {@code null} value will remove the property from the Claims.
+ * Adds all given name/value pairs to the JSON Claims in the payload, overwriting any existing claims
+ * with the same names. If any name has a {@code null} or empty value, that claim will be removed from the
+ * Claims. This is a convenience alias for:
+ *
+ * {@link #claims()}.{@link MapMutator#add(Map) add(claims)}.{@link BuilderClaims#and() and()}
*
- * This is a convenience method. It will first ensure a Claims instance exists as the JWT body and then set
- * the Claims {@link Claims#setAudience(String) audience} field with the specified value. This allows you to write
- * code like this:
+ * The content and claims properties are mutually exclusive - only one of the two may be used.
*
- *
- * String jwt = Jwts.builder().setAudience("You").compact();
- *
+ * @param claims the JWT Claims to be added to the JWT payload.
+ * @return the builder instance for method chaining
+ * @since 0.12.0
+ */
+ JwtBuilder claims(Map claims);
+
+ /**
+ * Sets the JWT Claims
+ * iss (issuer) claim. A {@code null} value will remove the property from the Claims.
+ * This is a convenience wrapper for:
+ *
+ * {@link #claims()}.{@link ClaimsMutator#issuer(String) issuer(iss)}.{@link BuilderClaims#and() and()}
*
- * instead of this:
- *
- * Claims claims = Jwts.claims().setAudience("You");
- * String jwt = Jwts.builder().setClaims(claims).compact();
- *
- * if desired.
+ * @param iss the JWT {@code iss} value or {@code null} to remove the property from the Claims map.
+ * @return the builder instance for method chaining.
+ */
+ @Override
+ // for better/targeted JavaDoc
+ JwtBuilder issuer(String iss);
+
+ /**
+ * Sets the JWT Claims
+ * sub (subject) claim. A {@code null} value will remove the property from the Claims.
+ * This is a convenience wrapper for:
+ *
+ * {@link #claims()}.{@link ClaimsMutator#subject(String) subject(sub)}.{@link BuilderClaims#and() and()}
*
- * @param aud the JWT {@code aud} value or {@code null} to remove the property from the Claims map.
+ * @param sub the JWT {@code sub} value or {@code null} to remove the property from the Claims map.
* @return the builder instance for method chaining.
- * @since 0.2
*/
@Override
- //only for better/targeted JavaDoc
- JwtBuilder setAudience(String aud);
+ // for better/targeted JavaDoc
+ JwtBuilder subject(String sub);
/**
- * Sets the JWT Claims
- * exp (expiration) value. A {@code null} value will remove the property from the Claims.
+ * Sets the JWT Claims
+ * exp (expiration) claim. A {@code null} value will remove the property from the Claims.
*
* A JWT obtained after this timestamp should not be used.
*
- * This is a convenience method. It will first ensure a Claims instance exists as the JWT body and then set
- * the Claims {@link Claims#setExpiration(java.util.Date) expiration} field with the specified value. This allows
- * you to write code like this:
+ * This is a convenience wrapper for:
+ *
+ * {@link #claims()}.{@link ClaimsMutator#expiration(Date) expiration(exp)}.{@link BuilderClaims#and() and()}
*
- *
- * String jwt = Jwts.builder().setExpiration(new Date(System.currentTimeMillis() + 3600000)).compact();
- *
- *
- * instead of this:
- *
- * Claims claims = Jwts.claims().setExpiration(new Date(System.currentTimeMillis() + 3600000));
- * String jwt = Jwts.builder().setClaims(claims).compact();
- *
- * if desired.
- *
* @param exp the JWT {@code exp} value or {@code null} to remove the property from the Claims map.
* @return the builder instance for method chaining.
- * @since 0.2
*/
@Override
- //only for better/targeted JavaDoc
- JwtBuilder setExpiration(Date exp);
+ // for better/targeted JavaDoc
+ JwtBuilder expiration(Date exp);
/**
- * Sets the JWT Claims
- * nbf (not before) value. A {@code null} value will remove the property from the Claims.
+ * Sets the JWT Claims
+ * nbf (not before) claim. A {@code null} value will remove the property from the Claims.
*
* A JWT obtained before this timestamp should not be used.
*
- * This is a convenience method. It will first ensure a Claims instance exists as the JWT body and then set
- * the Claims {@link Claims#setNotBefore(java.util.Date) notBefore} field with the specified value. This allows
- * you to write code like this:
+ * This is a convenience wrapper for:
+ *
+ * {@link #claims()}.{@link ClaimsMutator#notBefore(Date) notBefore(nbf)}.{@link BuilderClaims#and() and()}
*
- *
- * String jwt = Jwts.builder().setNotBefore(new Date()).compact();
- *
- *
- * instead of this:
- *
- * Claims claims = Jwts.claims().setNotBefore(new Date());
- * String jwt = Jwts.builder().setClaims(claims).compact();
- *
- * if desired.
- *
* @param nbf the JWT {@code nbf} value or {@code null} to remove the property from the Claims map.
* @return the builder instance for method chaining.
- * @since 0.2
*/
@Override
- //only for better/targeted JavaDoc
- JwtBuilder setNotBefore(Date nbf);
+ // for better/targeted JavaDoc
+ JwtBuilder notBefore(Date nbf);
/**
- * Sets the JWT Claims
- * iat (issued at) value. A {@code null} value will remove the property from the Claims.
+ * Sets the JWT Claims
+ * iat (issued at) claim. A {@code null} value will remove the property from the Claims.
*
* The value is the timestamp when the JWT was created.
*
- * This is a convenience method. It will first ensure a Claims instance exists as the JWT body and then set
- * the Claims {@link Claims#setIssuedAt(java.util.Date) issuedAt} field with the specified value. This allows
- * you to write code like this:
+ * This is a convenience wrapper for:
+ *
+ * {@link #claims()}.{@link ClaimsMutator#issuedAt(Date) issuedAt(iat)}.{@link BuilderClaims#and() and()}
*
- *
- * String jwt = Jwts.builder().setIssuedAt(new Date()).compact();
- *
- *
- * instead of this:
- *
- * Claims claims = Jwts.claims().setIssuedAt(new Date());
- * String jwt = Jwts.builder().setClaims(claims).compact();
- *
- * if desired.
- *
* @param iat the JWT {@code iat} value or {@code null} to remove the property from the Claims map.
* @return the builder instance for method chaining.
- * @since 0.2
*/
@Override
- //only for better/targeted JavaDoc
- JwtBuilder setIssuedAt(Date iat);
+ // for better/targeted JavaDoc
+ JwtBuilder issuedAt(Date iat);
/**
- * Sets the JWT Claims
- * jti (JWT ID) value. A {@code null} value will remove the property from the Claims.
+ * Sets the JWT Claims
+ * jti (JWT ID) claim. A {@code null} value will remove the property from the Claims.
*
* The value is a CaSe-SenSiTiVe unique identifier for the JWT. If specified, this value MUST be assigned in a
* manner that ensures that there is a negligible probability that the same value will be accidentally
* assigned to a different data object. The ID can be used to prevent the JWT from being replayed.
*
- * This is a convenience method. It will first ensure a Claims instance exists as the JWT body and then set
- * the Claims {@link Claims#setId(String) id} field with the specified value. This allows
- * you to write code like this:
+ * This is a convenience wrapper for:
+ *
+ * {@link #claims()}.{@link ClaimsMutator#id(String) id(jti)}.{@link BuilderClaims#and() and()}
*
- *
- * String jwt = Jwts.builder().setId(UUID.randomUUID().toString()).compact();
- *
- *
- * instead of this:
- *
- * Claims claims = Jwts.claims().setId(UUID.randomUUID().toString());
- * String jwt = Jwts.builder().setClaims(claims).compact();
- *
- * if desired.
- *
* @param jti the JWT {@code jti} (id) value or {@code null} to remove the property from the Claims map.
* @return the builder instance for method chaining.
- * @since 0.2
*/
@Override
- //only for better/targeted JavaDoc
- JwtBuilder setId(String jti);
+ // for better/targeted JavaDoc
+ JwtBuilder id(String jti);
/**
- * Sets a custom JWT Claims parameter value. A {@code null} value will remove the property from the Claims.
+ * Signs the constructed JWT with the specified key using the key's recommended signature algorithm
+ * as defined below, producing a JWS. If the recommended signature algorithm isn't sufficient for your needs,
+ * consider using {@link #signWith(Key, SecureDigestAlgorithm)} instead.
*
- * This is a convenience method. It will first ensure a Claims instance exists as the JWT body and then set the
- * named property on the Claims instance using the Claims {@link Claims#put(Object, Object) put} method. This allows
- * you to write code like this:
+ * If you are looking to invoke this method with a byte array that you are confident may be used for HMAC-SHA
+ * algorithms, consider using {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
+ * convert the byte array into a valid {@code Key}.
*
- *
- * String jwt = Jwts.builder().claim("aName", "aValue").compact();
- *
+ * Recommended Signature Algorithm
*
- * instead of this:
- *
- * Claims claims = Jwts.claims().put("aName", "aValue");
- * String jwt = Jwts.builder().setClaims(claims).compact();
- *
- * if desired.
+ * The recommended signature algorithm used with a given key is chosen based on the following:
+ *
+ * Key Recommended Signature Algorithm
+ *
+ *
+ * | If the Key is a: |
+ * And: |
+ * With a key size of: |
+ * The SignatureAlgorithm used will be: |
+ *
+ *
+ *
+ *
+ * | {@link SecretKey} |
+ * {@link Key#getAlgorithm() getAlgorithm()}.equals("HmacSHA256")1 |
+ * 256 <= size <= 383 2 |
+ * {@link Jwts.SIG#HS256 HS256} |
+ *
+ *
+ * | {@link SecretKey} |
+ * {@link Key#getAlgorithm() getAlgorithm()}.equals("HmacSHA384")1 |
+ * 384 <= size <= 511 |
+ * {@link Jwts.SIG#HS384 HS384} |
+ *
+ *
+ * | {@link SecretKey} |
+ * {@link Key#getAlgorithm() getAlgorithm()}.equals("HmacSHA512")1 |
+ * 512 <= size |
+ * {@link Jwts.SIG#HS512 HS512} |
+ *
+ *
+ * | {@link ECKey} |
+ * instanceof {@link PrivateKey} |
+ * 256 <= size <= 383 3 |
+ * {@link Jwts.SIG#ES256 ES256} |
+ *
+ *
+ * | {@link ECKey} |
+ * instanceof {@link PrivateKey} |
+ * 384 <= size <= 520 4 |
+ * {@link Jwts.SIG#ES384 ES384} |
+ *
+ *
+ * | {@link ECKey} |
+ * instanceof {@link PrivateKey} |
+ * 521 <= size 4 |
+ * {@link Jwts.SIG#ES512 ES512} |
+ *
+ *
+ * | {@link RSAKey} |
+ * instanceof {@link PrivateKey} |
+ * 2048 <= size <= 3071 5,6 |
+ * {@link Jwts.SIG#RS256 RS256} |
+ *
+ *
+ * | {@link RSAKey} |
+ * instanceof {@link PrivateKey} |
+ * 3072 <= size <= 4095 6 |
+ * {@link Jwts.SIG#RS384 RS384} |
+ *
+ *
+ * | {@link RSAKey} |
+ * instanceof {@link PrivateKey} |
+ * 4096 <= size 5 |
+ * {@link Jwts.SIG#RS512 RS512} |
+ *
+ *
+ * | EdECKey7 |
+ * instanceof {@link PrivateKey} |
+ * 256 || 456 |
+ * {@link Jwts.SIG#EdDSA EdDSA} |
+ *
+ *
+ *
+ * Notes:
+ *
+ * - {@code SecretKey} instances must have an {@link Key#getAlgorithm() algorithm} name equal
+ * to {@code HmacSHA256}, {@code HmacSHA384} or {@code HmacSHA512}. If not, the key bytes might not be
+ * suitable for HMAC signatures will be rejected with a {@link InvalidKeyException}.
+ * - The JWT JWA Specification (RFC 7518,
+ * Section 3.2) mandates that HMAC-SHA-* signing keys MUST be 256 bits or greater.
+ * {@code SecretKey}s with key lengths less than 256 bits will be rejected with an
+ * {@link WeakKeyException}.
+ * - The JWT JWA Specification (RFC 7518,
+ * Section 3.4) mandates that ECDSA signing key lengths MUST be 256 bits or greater.
+ * {@code ECKey}s with key lengths less than 256 bits will be rejected with a
+ * {@link WeakKeyException}.
+ * - The ECDSA {@code P-521} curve does indeed use keys of 521 bits, not 512 as might be expected. ECDSA
+ * keys of 384 < size <= 520 are suitable for ES384, while ES512 requires keys >= 521 bits. The '512' part of the
+ * ES512 name reflects the usage of the SHA-512 algorithm, not the ECDSA key length. ES512 with ECDSA keys less
+ * than 521 bits will be rejected with a {@link WeakKeyException}.
+ * - The JWT JWA Specification (RFC 7518,
+ * Section 3.3) mandates that RSA signing key lengths MUST be 2048 bits or greater.
+ * {@code RSAKey}s with key lengths less than 2048 bits will be rejected with a
+ * {@link WeakKeyException}.
+ * - Technically any RSA key of length >= 2048 bits may be used with the
+ * {@link Jwts.SIG#RS256 RS256}, {@link Jwts.SIG#RS384 RS384}, and
+ * {@link Jwts.SIG#RS512 RS512} algorithms, so we assume an RSA signature algorithm based on the key
+ * length to parallel similar decisions in the JWT specification for HMAC and ECDSA signature algorithms.
+ * This is not required - just a convenience.
+ * - EdECKeys
+ * require JDK >= 15 or BouncyCastle in the runtime classpath.
+ *
*
- * @param name the JWT Claims property name
- * @param value the value to set for the specified Claims property name
- * @return the builder instance for method chaining.
- * @since 0.2
- */
- JwtBuilder claim(String name, Object value);
-
- /**
- * Signs the constructed JWT with the specified key using the key's
- * {@link SignatureAlgorithm#forSigningKey(Key) recommended signature algorithm}, producing a JWS. If the
- * recommended signature algorithm isn't sufficient for your needs, consider using
- * {@link #signWith(Key, SignatureAlgorithm)} instead.
+ * This implementation does not use the {@link Jwts.SIG#PS256 PS256},
+ * {@link Jwts.SIG#PS384 PS384}, or {@link Jwts.SIG#PS512 PS512} RSA variants for any
+ * specified {@link RSAKey} because the the {@link Jwts.SIG#RS256 RS256},
+ * {@link Jwts.SIG#RS384 RS384}, and {@link Jwts.SIG#RS512 RS512} algorithms are
+ * available in the JDK by default while the {@code PS}* variants require either JDK 11 or an additional JCA
+ * Provider (like BouncyCastle). If you wish to use a {@code PS}* variant with your key, use the
+ * {@link #signWith(Key, SecureDigestAlgorithm)} method instead.
*
- * If you are looking to invoke this method with a byte array that you are confident may be used for HMAC-SHA
- * algorithms, consider using {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
- * convert the byte array into a valid {@code Key}.
+ * Finally, this method will throw an {@link InvalidKeyException} for any key that does not match the
+ * heuristics and requirements documented above, since that inevitably means the Key is either insufficient,
+ * unsupported, or explicitly disallowed by the JWT specification.
*
* @param key the key to use for signing
* @return the builder instance for method chaining.
- * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification as
- * described by {@link SignatureAlgorithm#forSigningKey(Key)}.
- * @see #signWith(Key, SignatureAlgorithm)
+ * @throws InvalidKeyException if the Key is insufficient, unsupported, or explicitly disallowed by the JWT
+ * specification as described above in recommended signature algorithms.
+ * @see Jwts.SIG
+ * @see #signWith(Key, SecureDigestAlgorithm)
* @since 0.10.0
*/
JwtBuilder signWith(Key key) throws InvalidKeyException;
/**
* Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS.
*
- * Deprecation Notice: Deprecated as of 0.10.0
+ * Deprecation Notice: Deprecated as of 0.10.0
*
* Use {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
- * obtain the {@code Key} and then invoke {@link #signWith(Key)} or {@link #signWith(Key, SignatureAlgorithm)}.
+ * obtain the {@code Key} and then invoke {@link #signWith(Key)} or
+ * {@link #signWith(Key, SecureDigestAlgorithm)}.
*
* This method will be removed in the 1.0 release.
*
* @param alg the JWS algorithm to use to digitally sign the JWT, thereby producing a JWS.
* @param secretKey the algorithm-specific signing key to use to digitally sign the JWT.
* @return the builder for method chaining.
- * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification as
- * described by {@link SignatureAlgorithm#forSigningKey(Key)}.
+ * @throws InvalidKeyException if the Key is insufficient for the specified algorithm or explicitly disallowed by
+ * the JWT specification.
* @deprecated as of 0.10.0: use {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
- * obtain the {@code Key} and then invoke {@link #signWith(Key)} or {@link #signWith(Key, SignatureAlgorithm)}.
+ * obtain the {@code Key} and then invoke {@link #signWith(Key)} or
+ * {@link #signWith(Key, SecureDigestAlgorithm)}.
* This method will be removed in the 1.0 release.
*/
@Deprecated
@@ -390,7 +752,7 @@
* This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting
* byte array is used to invoke {@link #signWith(SignatureAlgorithm, byte[])}.
*
- * Deprecation Notice: Deprecated as of 0.10.0, will be removed in the 1.0 release.
+ * Deprecation Notice: Deprecated as of 0.10.0, will be removed in the 1.0 release.
*
* This method has been deprecated because the {@code key} argument for this method can be confusing: keys for
* cryptographic operations are always binary (byte arrays), and many people were confused as to how bytes were
@@ -402,21 +764,20 @@
*
{@code String base64EncodedSecretKey = base64Encode(secretKeyBytes);}
*
* However, a non-trivial number of JJWT users were confused by the method signature and attempted to
- * use raw password strings as the key argument - for example {@code signWith(HS256, myPassword)} - which is
+ * use raw password strings as the key argument - for example {@code with(HS256, myPassword)} - which is
* almost always incorrect for cryptographic hashes and can produce erroneous or insecure results.
*
* See this
*
* StackOverflow answer explaining why raw (non-base64-encoded) strings are almost always incorrect for
* signature operations.
*
- * To perform the correct logic with base64EncodedSecretKey strings with JJWT >= 0.10.0, you may do this:
+ *
To perform the correct logic with base64EncodedSecretKey strings with JJWT >= 0.10.0, you may do this:
*
* byte[] keyBytes = {@link Decoders Decoders}.{@link Decoders#BASE64 BASE64}.{@link Decoder#decode(Object) decode(base64EncodedSecretKey)};
* Key key = {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(keyBytes)};
- * jwtBuilder.signWith(key); //or {@link #signWith(Key, SignatureAlgorithm)}
+ * jwtBuilder.with(key); //or {@link #signWith(Key, SignatureAlgorithm)}
*
- *
*
* This method will be removed in the 1.0 release.
*
@@ -445,15 +806,22 @@
* @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification for
* the specified algorithm.
* @see #signWith(Key)
- * @deprecated since 0.10.0: use {@link #signWith(Key, SignatureAlgorithm)} instead. This method will be removed
- * in the 1.0 release.
+ * @deprecated since 0.10.0. Use {@link #signWith(Key, SecureDigestAlgorithm)} instead.
+ * This method will be removed before the 1.0 release.
*/
@Deprecated
JwtBuilder signWith(SignatureAlgorithm alg, Key key) throws InvalidKeyException;
/**
- * Signs the constructed JWT with the specified key using the specified algorithm, producing a JWS.
+ * Deprecation Notice
*
+ * This has been deprecated since 0.12.0. Use
+ * {@link #signWith(Key, SecureDigestAlgorithm)} instead. Standard JWA algorithms
+ * are represented as instances of this new interface in the {@link Jwts.SIG}
+ * algorithm registry.
+ *
+ * Signs the constructed JWT with the specified key using the specified algorithm, producing a JWS.
+ *
* It is typically recommended to call the {@link #signWith(Key)} instead for simplicity.
* However, this method can be useful if the recommended algorithm heuristics do not meet your needs or if
* you want explicit control over the signature algorithm used with the specified key.
@@ -465,66 +833,224 @@
* the specified algorithm.
* @see #signWith(Key)
* @since 0.10.0
+ * @deprecated since 0.12.0 to use the more flexible {@link #signWith(Key, SecureDigestAlgorithm)}.
*/
+ @Deprecated
JwtBuilder signWith(Key key, SignatureAlgorithm alg) throws InvalidKeyException;
/**
- * Compresses the JWT body using the specified {@link CompressionCodec}.
+ * Signs the constructed JWT with the specified key using the specified algorithm, producing a JWS.
*
+ * The {@link Jwts.SIG} registry makes available all standard signature
+ * algorithms defined in the JWA specification.
+ *
+ * It is typically recommended to call the {@link #signWith(Key)} instead for simplicity.
+ * However, this method can be useful if the recommended algorithm heuristics do not meet your needs or if
+ * you want explicit control over the signature algorithm used with the specified key.
+ *
+ * @param key the signing key to use to digitally sign the JWT.
+ * @param The type of key accepted by the {@code SignatureAlgorithm}.
+ * @param alg the JWS algorithm to use with the key to digitally sign the JWT, thereby producing a JWS.
+ * @return the builder for method chaining.
+ * @throws InvalidKeyException if the Key is insufficient or explicitly disallowed by the JWT specification for
+ * the specified algorithm.
+ * @see #signWith(Key)
+ * @see Jwts.SIG
+ * @since 0.12.0
+ */
+ JwtBuilder signWith(K key, SecureDigestAlgorithm alg) throws InvalidKeyException;
+
+ /**
+ * Encrypts the constructed JWT with the specified symmetric {@code key} using the provided {@code enc}ryption
+ * algorithm, producing a JWE. Because it is a symmetric key, the JWE recipient
+ * must also have access to the same key to decrypt.
+ *
+ * This method is a convenience method that delegates to
+ * {@link #encryptWith(Key, KeyAlgorithm, AeadAlgorithm) encryptWith(Key, KeyAlgorithm, AeadAlgorithm)}
+ * based on the {@code key} argument:
+ *
+ * - If the provided {@code key} is a {@link Password Password} instance,
+ * the {@code KeyAlgorithm} used will be one of the three JWA-standard password-based key algorithms
+ * ({@link Jwts.KEY#PBES2_HS256_A128KW PBES2_HS256_A128KW},
+ * {@link Jwts.KEY#PBES2_HS384_A192KW PBES2_HS384_A192KW}, or
+ * {@link Jwts.KEY#PBES2_HS512_A256KW PBES2_HS512_A256KW}) as determined by the {@code enc} algorithm's
+ * {@link AeadAlgorithm#getKeyBitLength() key length} requirement.
+ * - If the {@code key} is otherwise a standard {@code SecretKey}, the {@code KeyAlgorithm} will be
+ * {@link Jwts.KEY#DIRECT DIRECT}, indicating that {@code key} should be used directly with the
+ * {@code enc} algorithm. In this case, the {@code key} argument MUST be of sufficient strength to
+ * use with the specified {@code enc} algorithm, otherwise an exception will be thrown during encryption. If
+ * desired, secure-random keys suitable for an {@link AeadAlgorithm} may be generated using the algorithm's
+ * {@link AeadAlgorithm#key() key()} builder.
+ *
+ *
+ * @param key the symmetric encryption key to use with the {@code enc} algorithm.
+ * @param enc the {@link AeadAlgorithm} algorithm used to encrypt the JWE, usually one of the JWA-standard
+ * algorithms accessible via {@link Jwts.ENC}.
+ * @return the JWE builder for method chaining.
+ * @see Jwts.ENC
+ */
+ JwtBuilder encryptWith(SecretKey key, AeadAlgorithm enc);
+
+ /**
+ * Encrypts the constructed JWT using the specified {@code enc} algorithm with the symmetric key produced by the
+ * {@code keyAlg} when invoked with the given {@code key}, producing a JWE.
+ *
+ * This behavior can be illustrated by the following pseudocode, a rough example of what happens during
+ * {@link #compact() compact}ion:
+ *
+ * SecretKey encryptionKey = keyAlg.getEncryptionKey(key); // (1)
+ * byte[] jweCiphertext = enc.encrypt(payloadBytes, encryptionKey); // (2)
+ *
+ * - The {@code keyAlg} argument is first invoked with the provided {@code key} argument, resulting in a
+ * {@link SecretKey}.
+ * - This {@code SecretKey} result is used to call the provided {@code enc} encryption algorithm argument,
+ * resulting in the final JWE ciphertext.
+ *
+ *
+ * Most application developers will reference one of the JWA
+ * {@link Jwts.KEY standard key algorithms} and {@link Jwts.ENC standard encryption algorithms}
+ * when invoking this method, but custom implementations are also supported.
+ *
+ * @param the type of key that must be used with the specified {@code keyAlg} instance.
+ * @param key the key used to invoke the provided {@code keyAlg} instance.
+ * @param keyAlg the key management algorithm that will produce the symmetric {@code SecretKey} to use with the
+ * {@code enc} algorithm
+ * @param enc the {@link AeadAlgorithm} algorithm used to encrypt the JWE
+ * @return the JWE builder for method chaining.
+ * @see Jwts.ENC
+ * @see Jwts.KEY
+ */
+ JwtBuilder encryptWith(K key, KeyAlgorithm keyAlg, AeadAlgorithm enc);
+
+ /**
+ * Compresses the JWT payload using the specified {@link CompressionAlgorithm}.
+ *
* If your compact JWTs are large, and you want to reduce their total size during network transmission, this
* can be useful. For example, when embedding JWTs in URLs, some browsers may not support URLs longer than a
* certain length. Using compression can help ensure the compact JWT fits within that length. However, NOTE:
*
- * Compatibility Warning
+ * Compatibility Warning
*
- * The JWT family of specifications defines compression only for JWE (Json Web Encryption)
+ *
The JWT family of specifications defines compression only for JWE (JSON Web Encryption)
* tokens. Even so, JJWT will also support compression for JWS tokens as well if you choose to use it.
* However, be aware that if you use compression when creating a JWS token, other libraries may not be able to
- * parse that JWS token. When using compression for JWS tokens, be sure that that all parties accessing the
+ * parse that JWS token
. When using compression for JWS tokens, be sure that all parties accessing the
* JWS token support compression for JWS.
*
* Compression when creating JWE tokens however should be universally accepted for any
* library that supports JWE.
*
- * @param codec implementation of the {@link CompressionCodec} to be used.
+ * @param alg implementation of the {@link CompressionAlgorithm} to be used.
* @return the builder for method chaining.
- * @see io.jsonwebtoken.CompressionCodecs
- * @since 0.6.0
+ * @see Jwts.ZIP
+ * @since 0.12.0
*/
- JwtBuilder compressWith(CompressionCodec codec);
+ JwtBuilder compressWith(CompressionAlgorithm alg);
/**
- * Perform Base64Url encoding with the specified Encoder.
+ * Perform Base64Url encoding during {@link #compact() compaction} with the specified Encoder.
*
* JJWT uses a spec-compliant encoder that works on all supported JDK versions, but you may call this method
* to specify a different encoder if you desire.
*
* @param base64UrlEncoder the encoder to use when Base64Url-encoding
* @return the builder for method chaining.
+ * @see #b64Url(Encoder)
* @since 0.10.0
+ * @deprecated since 0.12.0 in favor of {@link #b64Url(Encoder)}.
*/
+ @SuppressWarnings("DeprecatedIsStillUsed")
+ @Deprecated
JwtBuilder base64UrlEncodeWith(Encoder base64UrlEncoder);
/**
- * Performs object-to-JSON serialization with the specified Serializer. This is used by the builder to convert
- * JWT/JWS/JWT headers and claims Maps to JSON strings as required by the JWT specification.
+ * Perform Base64Url encoding during {@link #compact() compaction} with the specified {@code OutputStream} Encoder.
+ * The Encoder's {@link Encoder#encode(Object) encode} method will be given a target {@code OutputStream} to
+ * wrap, and the resulting (wrapping) {@code OutputStream} will be used for writing, ensuring automatic
+ * Base64URL-encoding during write operations.
*
+ * JJWT uses a spec-compliant encoder that works on all supported JDK versions, but you may call this method
+ * to specify a different stream encoder if desired.
+ *
+ * @param encoder the encoder to use when Base64Url-encoding
+ * @return the builder for method chaining.
+ * @since 0.12.0
+ */
+ JwtBuilder b64Url(Encoder encoder);
+
+ /**
+ * Enables RFC 7797: JSON Web Signature (JWS)
+ * Unencoded Payload Option if {@code false}, or standard JWT/JWS/JWE payload encoding otherwise. The default
+ * value is {@code true} per standard RFC behavior rules.
+ *
+ * This value may only be {@code false} for JWSs (signed JWTs). It may not be used for standard
+ * (unprotected) JWTs or encrypted JWTs (JWEs). The builder will throw an exception during {@link #compact()} if
+ * {@code false} and a JWS is not being created.
+ *
+ * @param b64 whether to Base64URL-encode the JWS payload
+ * @return the builder for method chaining.
+ */
+ JwtBuilder encodePayload(boolean b64);
+
+ /**
+ * Performs Map-to-JSON serialization with the specified Serializer. This is used by the builder to convert
+ * JWT/JWS/JWE headers and claims Maps to JSON strings as required by the JWT specification.
+ *
* If this method is not called, JJWT will use whatever serializer it can find at runtime, checking for the
* presence of well-known implementations such Jackson, Gson, and org.json. If one of these is not found
* in the runtime classpath, an exception will be thrown when the {@link #compact()} method is invoked.
*
* @param serializer the serializer to use when converting Map objects to JSON strings.
* @return the builder for method chaining.
* @since 0.10.0
+ * @deprecated since 0.12.0 in favor of {@link #json(Serializer)}
*/
+ @SuppressWarnings("DeprecatedIsStillUsed")
+ @Deprecated
JwtBuilder serializeToJsonWith(Serializer> serializer);
/**
+ * Perform Map-to-JSON serialization with the specified Serializer. This is used by the builder to convert
+ * JWT/JWS/JWE headers and Claims Maps to JSON strings as required by the JWT specification.
+ *
+ * If this method is not called, JJWT will use whatever Serializer it can find at runtime, checking for the
+ * presence of well-known implementations such Jackson, Gson, and org.json. If one of these is not found
+ * in the runtime classpath, an exception will be thrown when the {@link #compact()} method is invoked.
+ *
+ * @param serializer the Serializer to use when converting Map objects to JSON strings.
+ * @return the builder for method chaining.
+ * @since 0.12.0
+ */
+ JwtBuilder json(Serializer> serializer);
+
+ /**
* Actually builds the JWT and serializes it to a compact, URL-safe string according to the
- * JWT Compact Serialization
+ * JWT Compact Serialization
* rules.
*
* @return A compact URL-safe JWT string.
*/
String compact();
+
+ /**
+ * Claims for use with a {@link JwtBuilder} that supports method chaining for standard JWT Claims parameters.
+ * Once claims are configured, the associated {@link JwtBuilder} may be obtained with the {@link #and() and()}
+ * method for continued configuration.
+ *
+ * @since 0.12.0
+ */
+ interface BuilderClaims extends MapMutator, ClaimsMutator,
+ Conjunctor {
+ }
+
+ /**
+ * Header for use with a {@link JwtBuilder} that supports method chaining for
+ * standard JWT, JWS and JWE header parameters. Once header parameters are configured, the associated
+ * {@link JwtBuilder} may be obtained with the {@link #and() and()} method for continued configuration.
+ *
+ * @since 0.12.0
+ */
+ interface BuilderHeader extends JweHeaderMutator, X509Builder,
+ Conjunctor {
+ }
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtException.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtException.java (.../JwtException.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtException.java (.../JwtException.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -22,10 +22,21 @@
*/
public class JwtException extends RuntimeException {
+ /**
+ * Creates a new instance with the specified explanation message.
+ *
+ * @param message the message explaining why the exception is thrown.
+ */
public JwtException(String message) {
super(message);
}
+ /**
+ * Creates a new instance with the specified explanation message and underlying cause.
+ *
+ * @param message the message explaining why the exception is thrown.
+ * @param cause the underlying cause that resulted in this exception being thrown.
+ */
public JwtException(String message, Throwable cause) {
super(message, cause);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtHandler.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtHandler.java (.../JwtHandler.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtHandler.java (.../JwtHandler.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -17,25 +17,31 @@
/**
* A JwtHandler is invoked by a {@link io.jsonwebtoken.JwtParser JwtParser} after parsing a JWT to indicate the exact
- * type of JWT or JWS parsed.
+ * type of JWT, JWS or JWE parsed.
*
* @param the type of object to return to the parser caller after handling the parsed JWT.
* @since 0.2
+ * @deprecated since 0.12.0 in favor of calling {@link Jwt#accept(JwtVisitor)}.
*/
-public interface JwtHandler {
+@SuppressWarnings("DeprecatedIsStillUsed")
+@Deprecated
+public interface JwtHandler extends JwtVisitor {
/**
* This method is invoked when a {@link io.jsonwebtoken.JwtParser JwtParser} determines that the parsed JWT is
- * a plaintext JWT. A plaintext JWT has a String (non-JSON) body payload and it is not cryptographically signed.
+ * an unsecured content JWT. An unsecured content JWT has a byte array payload that is not
+ * cryptographically signed or encrypted. If the JWT creator set the (optional)
+ * {@link Header#getContentType() contentType} header value, the application may inspect that value to determine
+ * how to convert the byte array to the final content type as desired.
*
- * @param jwt the parsed plaintext JWT
+ * @param jwt the parsed unsecured content JWT
* @return any object to be used after inspecting the JWT, or {@code null} if no return value is necessary.
*/
- T onPlaintextJwt(Jwt jwt);
+ T onContentJwt(Jwt jwt);
/**
* This method is invoked when a {@link io.jsonwebtoken.JwtParser JwtParser} determines that the parsed JWT is
- * a Claims JWT. A Claims JWT has a {@link Claims} body and it is not cryptographically signed.
+ * a Claims JWT. A Claims JWT has a {@link Claims} payload that is not cryptographically signed or encrypted.
*
* @param jwt the parsed claims JWT
* @return any object to be used after inspecting the JWT, or {@code null} if no return value is necessary.
@@ -44,19 +50,21 @@
/**
* This method is invoked when a {@link io.jsonwebtoken.JwtParser JwtParser} determines that the parsed JWT is
- * a plaintext JWS. A plaintext JWS is a JWT with a String (non-JSON) body (payload) that has been
- * cryptographically signed.
+ * a content JWS. A content JWS is a JWT with a byte array payload that has been cryptographically signed.
+ * If the JWT creator set the (optional) {@link Header#getContentType() contentType} header value, the
+ * application may inspect that value to determine how to convert the byte array to the final content type
+ * as desired.
*
* This method will only be invoked if the cryptographic signature can be successfully verified.
*
- * @param jws the parsed plaintext JWS
+ * @param jws the parsed content JWS
* @return any object to be used after inspecting the JWS, or {@code null} if no return value is necessary.
*/
- T onPlaintextJws(Jws jws);
+ T onContentJws(Jws jws);
/**
* This method is invoked when a {@link io.jsonwebtoken.JwtParser JwtParser} determines that the parsed JWT is
- * a valid Claims JWS. A Claims JWS is a JWT with a {@link Claims} body that has been cryptographically signed.
+ * a valid Claims JWS. A Claims JWS is a JWT with a {@link Claims} payload that has been cryptographically signed.
*
* This method will only be invoked if the cryptographic signature can be successfully verified.
*
@@ -65,4 +73,30 @@
*/
T onClaimsJws(Jws jws);
+ /**
+ * This method is invoked when a {@link io.jsonwebtoken.JwtParser JwtParser} determines that the parsed JWT is
+ * a content JWE. A content JWE is a JWE with a byte array payload that has been encrypted. If the JWT creator set
+ * the (optional) {@link Header#getContentType() contentType} header value, the application may inspect that
+ * value to determine how to convert the byte array to the final content type as desired.
+ *
+ * This method will only be invoked if the content JWE can be successfully decrypted.
+ *
+ * @param jwe the parsed content jwe
+ * @return any object to be used after inspecting the JWE, or {@code null} if no return value is necessary.
+ * @since 0.12.0
+ */
+ T onContentJwe(Jwe jwe);
+
+ /**
+ * This method is invoked when a {@link io.jsonwebtoken.JwtParser JwtParser} determines that the parsed JWT is
+ * a valid Claims JWE. A Claims JWE is a JWT with a {@link Claims} payload that has been encrypted.
+ *
+ * This method will only be invoked if the Claims JWE can be successfully decrypted.
+ *
+ * @param jwe the parsed claims jwe
+ * @return any object to be used after inspecting the JWE, or {@code null} if no return value is necessary.
+ * @since 0.12.0
+ */
+ T onClaimsJwe(Jwe jwe);
+
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtHandlerAdapter.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtHandlerAdapter.java (.../JwtHandlerAdapter.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtHandlerAdapter.java (.../JwtHandlerAdapter.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -21,32 +21,78 @@
* known/expected for a particular use case.
*
* All of the methods in this implementation throw exceptions: overridden methods represent
- * scenarios expected by calling code in known situations. It would be unexpected to receive a JWS or JWT that did
+ * scenarios expected by calling code in known situations. It would be unexpected to receive a JWT that did
* not match parsing expectations, so all non-overridden methods throw exceptions to indicate that the JWT
* input was unexpected.
*
* @param the type of object to return to the parser caller after handling the parsed JWT.
* @since 0.2
*/
-public class JwtHandlerAdapter implements JwtHandler {
+public abstract class JwtHandlerAdapter extends SupportedJwtVisitor implements JwtHandler {
+ /**
+ * Default constructor, does not initialize any internal state.
+ */
+ public JwtHandlerAdapter() {
+ }
+
@Override
- public T onPlaintextJwt(Jwt jwt) {
- throw new UnsupportedJwtException("Unsigned plaintext JWTs are not supported.");
+ public T onUnsecuredContent(Jwt jwt) {
+ return onContentJwt(jwt); // bridge for existing implementations
}
@Override
+ public T onUnsecuredClaims(Jwt jwt) {
+ return onClaimsJwt(jwt);
+ }
+
+ @Override
+ public T onVerifiedContent(Jws jws) {
+ return onContentJws(jws);
+ }
+
+ @Override
+ public T onVerifiedClaims(Jws jws) {
+ return onClaimsJws(jws);
+ }
+
+ @Override
+ public T onDecryptedContent(Jwe jwe) {
+ return onContentJwe(jwe);
+ }
+
+ @Override
+ public T onDecryptedClaims(Jwe jwe) {
+ return onClaimsJwe(jwe);
+ }
+
+ @Override
+ public T onContentJwt(Jwt jwt) {
+ return super.onUnsecuredContent(jwt);
+ }
+
+ @Override
public T onClaimsJwt(Jwt jwt) {
- throw new UnsupportedJwtException("Unsigned Claims JWTs are not supported.");
+ return super.onUnsecuredClaims(jwt);
}
@Override
- public T onPlaintextJws(Jws jws) {
- throw new UnsupportedJwtException("Signed plaintext JWSs are not supported.");
+ public T onContentJws(Jws jws) {
+ return super.onVerifiedContent(jws);
}
@Override
public T onClaimsJws(Jws jws) {
- throw new UnsupportedJwtException("Signed Claims JWSs are not supported.");
+ return super.onVerifiedClaims(jws);
}
+
+ @Override
+ public T onContentJwe(Jwe jwe) {
+ return super.onDecryptedContent(jwe);
+ }
+
+ @Override
+ public T onClaimsJwe(Jwe jwe) {
+ return super.onDecryptedClaims(jwe);
+ }
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtParser.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtParser.java (.../JwtParser.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtParser.java (.../JwtParser.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -15,582 +15,408 @@
*/
package io.jsonwebtoken;
-import io.jsonwebtoken.io.Decoder;
-import io.jsonwebtoken.io.Deserializer;
+import io.jsonwebtoken.io.Parser;
+import io.jsonwebtoken.security.SecurityException;
import io.jsonwebtoken.security.SignatureException;
-import java.security.Key;
-import java.util.Date;
-import java.util.Map;
+import java.io.InputStream;
/**
* A parser for reading JWT strings, used to convert them into a {@link Jwt} object representing the expanded JWT.
+ * A parser for reading JWT strings, used to convert them into a {@link Jwt} object representing the expanded JWT.
*
* @since 0.1
*/
-public interface JwtParser {
+public interface JwtParser extends Parser> {
- public static final char SEPARATOR_CHAR = '.';
-
/**
- * Ensures that the specified {@code jti} exists in the parsed JWT. If missing or if the parsed
- * value does not equal the specified value, an exception will be thrown indicating that the
- * JWT is invalid and may not be used.
+ * Returns {@code true} if the specified JWT compact string represents a signed JWT (aka a 'JWS'), {@code false}
+ * otherwise.
*
- * @param id
- * @return the parser method for chaining.
- * @see MissingClaimException
- * @see IncorrectClaimException
- * @deprecated see {@link JwtParserBuilder#requireId(String)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ *
Note that if you are reasonably sure that the token is signed, it is more efficient to attempt to
+ * parse the token (and catching exceptions if necessary) instead of calling this method first before parsing.
+ *
+ * @param compact the compact serialized JWT to check
+ * @return {@code true} if the specified JWT compact string represents a signed JWT (aka a 'JWS'), {@code false}
+ * otherwise.
*/
- @Deprecated
- JwtParser requireId(String id);
+ boolean isSigned(CharSequence compact);
/**
- * Ensures that the specified {@code sub} exists in the parsed JWT. If missing or if the parsed
- * value does not equal the specified value, an exception will be thrown indicating that the
- * JWT is invalid and may not be used.
+ * Parses the specified compact serialized JWT string based on the builder's current configuration state and
+ * returns the resulting JWT, JWS, or JWE instance.
*
- * @param subject
- * @return the parser for method chaining.
- * @see MissingClaimException
- * @see IncorrectClaimException
- * @deprecated see {@link JwtParserBuilder#requireSubject(String)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ *
Because it is often cumbersome to determine if the result is a JWT, JWS or JWE, or if the payload is a Claims
+ * or {@code byte[]} array with {@code instanceof} checks, it may be useful to call the result's
+ * {@link Jwt#accept(JwtVisitor) accept(JwtVisitor)} method for a type-safe callback approach instead of using if-then-else
+ * {@code instanceof} conditionals. For example, instead of:
+ *
+ *
+ * // NOT RECOMMENDED:
+ * Jwt<?,?> jwt = parser.parse(input);
+ * if (jwt instanceof Jwe<?>) {
+ * Jwe<?> jwe = (Jwe<?>)jwt;
+ * if (jwe.getPayload() instanceof Claims) {
+ * Jwe<Claims> claimsJwe = (Jwe<Claims>)jwe;
+ * // do something with claimsJwe
+ * }
+ * }
+ *
+ * the following alternative is usually preferred:
+ *
+ *
+ * Jwe<Claims> jwe = parser.parse(input).accept({@link Jwe#CLAIMS});
+ *
+ * @param jwt the compact serialized JWT to parse
+ * @return the parsed JWT instance
+ * @throws MalformedJwtException if the specified JWT was incorrectly constructed (and therefore invalid).
+ * Invalid JWTs should not be trusted and should be discarded.
+ * @throws SignatureException if a JWS signature was discovered, but could not be verified. JWTs that fail
+ * signature validation should not be trusted and should be discarded.
+ * @throws SecurityException if the specified JWT string is a JWE and decryption fails
+ * @throws ExpiredJwtException if the specified JWT is a Claims JWT and the Claims has an expiration time
+ * before the time this method is invoked.
+ * @throws IllegalArgumentException if the specified string is {@code null} or empty or only whitespace.
+ * @see Jwt#accept(JwtVisitor)
*/
- @Deprecated
- JwtParser requireSubject(String subject);
+ Jwt parse(CharSequence jwt) throws ExpiredJwtException, MalformedJwtException, SignatureException,
+ SecurityException, IllegalArgumentException;
/**
- * Ensures that the specified {@code aud} exists in the parsed JWT. If missing or if the parsed
- * value does not equal the specified value, an exception will be thrown indicating that the
- * JWT is invalid and may not be used.
+ * Deprecated since 0.12.0 in favor of calling any {@code parse*} method immediately
+ * followed by invoking the parsed JWT's {@link Jwt#accept(JwtVisitor) accept} method with your preferred visitor. For
+ * example:
*
- * @param audience
- * @return the parser for method chaining.
- * @see MissingClaimException
- * @see IncorrectClaimException
- * @deprecated see {@link JwtParserBuilder#requireAudience(String)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ *
+ * {@link #parse(CharSequence) parse}(jwt).{@link Jwt#accept(JwtVisitor) accept}({@link JwtVisitor visitor});
+ *
+ * This method will be removed before the 1.0 release.
+ *
+ * @param jwt the compact serialized JWT to parse
+ * @param handler the handler to invoke when encountering a specific type of JWT
+ * @param the type of object returned from the {@code handler}
+ * @return the result returned by the {@code JwtHandler}
+ * @throws MalformedJwtException if the specified JWT was incorrectly constructed (and therefore invalid).
+ * Invalid JWTs should not be trusted and should be discarded.
+ * @throws SignatureException if a JWS signature was discovered, but could not be verified. JWTs that fail
+ * signature validation should not be trusted and should be discarded.
+ * @throws SecurityException if the specified JWT string is a JWE and decryption fails
+ * @throws ExpiredJwtException if the specified JWT is a Claims JWT and the Claims has an expiration time
+ * before the time this method is invoked.
+ * @throws IllegalArgumentException if the specified string is {@code null} or empty or only whitespace, or if the
+ * {@code handler} is {@code null}.
+ * @see Jwt#accept(JwtVisitor)
+ * @since 0.2
+ * @deprecated since 0.12.0 in favor of
+ * {@link #parse(CharSequence)}.{@link Jwt#accept(JwtVisitor) accept}({@link JwtVisitor visitor});
*/
@Deprecated
- JwtParser requireAudience(String audience);
+ T parse(CharSequence jwt, JwtHandler handler) throws ExpiredJwtException, UnsupportedJwtException,
+ MalformedJwtException, SignatureException, SecurityException, IllegalArgumentException;
/**
- * Ensures that the specified {@code iss} exists in the parsed JWT. If missing or if the parsed
- * value does not equal the specified value, an exception will be thrown indicating that the
- * JWT is invalid and may not be used.
+ * Deprecated since 0.12.0 in favor of {@link #parseUnsecuredContent(CharSequence)}.
*
- * @param issuer
- * @return the parser for method chaining.
- * @see MissingClaimException
- * @see IncorrectClaimException
- * @deprecated see {@link JwtParserBuilder#requireIssuer(String)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ *
This method will be removed before the 1.0 release.
+ *
+ * @param jwt a compact serialized unsecured content JWT string.
+ * @return the {@link Jwt Jwt} instance that reflects the specified compact JWT string.
+ * @throws UnsupportedJwtException if the {@code jwt} argument does not represent an unsecured content JWT
+ * @throws MalformedJwtException if the {@code jwt} string is not a valid JWT
+ * @throws SignatureException if the {@code jwt} string is actually a JWS and signature validation fails
+ * @throws SecurityException if the {@code jwt} string is actually a JWE and decryption fails
+ * @throws IllegalArgumentException if the {@code jwt} string is {@code null} or empty or only whitespace
+ * @see #parseUnsecuredContent(CharSequence)
+ * @see Jwt#accept(JwtVisitor)
+ * @since 0.2
+ * @deprecated since 0.12.0 in favor of {@link #parseUnsecuredContent(CharSequence)}.
*/
+ @SuppressWarnings("DeprecatedIsStillUsed")
@Deprecated
- JwtParser requireIssuer(String issuer);
+ Jwt parseContentJwt(CharSequence jwt) throws UnsupportedJwtException, MalformedJwtException,
+ SignatureException, SecurityException, IllegalArgumentException;
/**
- * Ensures that the specified {@code iat} exists in the parsed JWT. If missing or if the parsed
- * value does not equal the specified value, an exception will be thrown indicating that the
- * JWT is invalid and may not be used.
+ * Deprecated since 0.12.0 in favor of {@link #parseUnsecuredClaims(CharSequence)}.
*
- * @param issuedAt
- * @return the parser for method chaining.
- * @see MissingClaimException
- * @see IncorrectClaimException
- * @deprecated see {@link JwtParserBuilder#requireIssuedAt(Date)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ *
This method will be removed before the 1.0 release.
+ *
+ * @param jwt a compact serialized unsecured Claims JWT string.
+ * @return the {@link Jwt Jwt} instance that reflects the specified compact JWT string.
+ * @throws UnsupportedJwtException if the {@code jwt} argument does not represent an unsecured Claims JWT
+ * @throws MalformedJwtException if the {@code jwt} string is not a valid JWT
+ * @throws SignatureException if the {@code jwt} string is actually a JWS and signature validation fails
+ * @throws SecurityException if the {@code jwt} string is actually a JWE and decryption fails
+ * @throws IllegalArgumentException if the {@code jwt} string is {@code null} or empty or only whitespace
+ * @see #parseUnsecuredClaims(CharSequence)
+ * @see Jwt#accept(JwtVisitor)
+ * @since 0.2
+ * @deprecated since 0.12.0 in favor of {@link #parseUnsecuredClaims(CharSequence)}.
*/
+ @SuppressWarnings("DeprecatedIsStillUsed")
@Deprecated
- JwtParser requireIssuedAt(Date issuedAt);
+ Jwt parseClaimsJwt(CharSequence jwt) throws ExpiredJwtException, UnsupportedJwtException,
+ MalformedJwtException, SignatureException, SecurityException, IllegalArgumentException;
/**
- * Ensures that the specified {@code exp} exists in the parsed JWT. If missing or if the parsed
- * value does not equal the specified value, an exception will be thrown indicating that the
- * JWT is invalid and may not be used.
+ * Deprecated since 0.12.0 in favor of {@link #parseSignedContent(CharSequence)}.
*
- * @param expiration
- * @return the parser for method chaining.
- * @see MissingClaimException
- * @see IncorrectClaimException
- * @deprecated see {@link JwtParserBuilder#requireExpiration(Date)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ *
This method will be removed before the 1.0 release.
+ *
+ * @param jws a compact content JWS string
+ * @return the parsed and validated content JWS
+ * @throws UnsupportedJwtException if the {@code jws} argument does not represent a content JWS
+ * @throws MalformedJwtException if the {@code jws} string is not a valid JWS
+ * @throws SignatureException if the {@code jws} JWS signature validation fails
+ * @throws SecurityException if the {@code jws} string is actually a JWE and decryption fails
+ * @throws IllegalArgumentException if the {@code jws} string is {@code null} or empty or only whitespace
+ * @see #parseSignedContent(CharSequence)
+ * @see #parseEncryptedContent(CharSequence)
+ * @see #parse(CharSequence)
+ * @since 0.2
+ * @deprecated since 0.12.0 in favor of {@link #parseSignedContent(CharSequence)}.
*/
+ @SuppressWarnings("DeprecatedIsStillUsed")
@Deprecated
- JwtParser requireExpiration(Date expiration);
+ Jws parseContentJws(CharSequence jws) throws UnsupportedJwtException, MalformedJwtException, SignatureException,
+ SecurityException, IllegalArgumentException;
/**
- * Ensures that the specified {@code nbf} exists in the parsed JWT. If missing or if the parsed
- * value does not equal the specified value, an exception will be thrown indicating that the
- * JWT is invalid and may not be used.
+ * Deprecated since 0.12.0 in favor of {@link #parseSignedClaims(CharSequence)}.
*
- * @param notBefore
- * @return the parser for method chaining
- * @see MissingClaimException
- * @see IncorrectClaimException
- * @deprecated see {@link JwtParserBuilder#requireNotBefore(Date)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ * @param jws a compact Claims JWS string.
+ * @return the parsed and validated Claims JWS
+ * @throws UnsupportedJwtException if the {@code claimsJws} argument does not represent an Claims JWS
+ * @throws MalformedJwtException if the {@code claimsJws} string is not a valid JWS
+ * @throws SignatureException if the {@code claimsJws} JWS signature validation fails
+ * @throws SecurityException if the {@code jws} string is actually a JWE and decryption fails
+ * @throws ExpiredJwtException if the specified JWT is a Claims JWT and the Claims has an expiration time
+ * before the time this method is invoked.
+ * @throws IllegalArgumentException if the {@code claimsJws} string is {@code null} or empty or only whitespace
+ * @see #parseSignedClaims(CharSequence)
+ * @see #parseEncryptedClaims(CharSequence)
+ * @see #parse(CharSequence)
+ * @since 0.2
+ * @deprecated since 0.12.0 in favor of {@link #parseSignedClaims(CharSequence)}.
*/
+ @SuppressWarnings("DeprecatedIsStillUsed")
@Deprecated
- JwtParser requireNotBefore(Date notBefore);
+ Jws parseClaimsJws(CharSequence jws) throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException,
+ SignatureException, SecurityException, IllegalArgumentException;
/**
- * Ensures that the specified {@code claimName} exists in the parsed JWT. If missing or if the parsed
- * value does not equal the specified value, an exception will be thrown indicating that the
- * JWT is invalid and may not be used.
+ * Parses the {@code jwt} argument, expected to be an unsecured content JWT. If the JWT creator set
+ * the (optional) {@link Header#getContentType() contentType} header value, the application may inspect that
+ * value to determine how to convert the byte array to the final content type as desired.
*
- * @param claimName
- * @param value
- * @return the parser for method chaining.
- * @see MissingClaimException
- * @see IncorrectClaimException
- * @deprecated see {@link JwtParserBuilder#require(String, Object)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ *
This is a convenience method logically equivalent to the following:
+ *
+ *
+ * {@link #parse(CharSequence) parse}(jwt).{@link Jwt#accept(JwtVisitor) accept}({@link
+ * Jwt#UNSECURED_CONTENT});
+ *
+ * @param jwt a compact unsecured content JWT.
+ * @return the parsed unsecured content JWT.
+ * @throws UnsupportedJwtException if the {@code jwt} argument does not represent an unsecured content JWT
+ * @throws JwtException if the {@code jwt} string cannot be parsed or validated as required.
+ * @throws IllegalArgumentException if the {@code jwt} string is {@code null} or empty or only whitespace
+ * @see #parse(CharSequence)
+ * @see Jwt#accept(JwtVisitor)
+ * @since 0.12.0
*/
- @Deprecated
- JwtParser require(String claimName, Object value);
+ Jwt parseUnsecuredContent(CharSequence jwt) throws JwtException, IllegalArgumentException;
/**
- * Sets the {@link Clock} that determines the timestamp to use when validating the parsed JWT.
- * The parser uses a default Clock implementation that simply returns {@code new Date()} when called.
+ * Parses the {@code jwt} argument, expected to be an unsecured {@code Claims} JWT. This is a
+ * convenience method logically equivalent to the following:
*
- * @param clock a {@code Clock} object to return the timestamp to use when validating the parsed JWT.
- * @return the parser for method chaining.
- * @since 0.7.0
- * @deprecated see {@link JwtParserBuilder#setClock(Clock)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ *
+ * {@link #parse(CharSequence) parse}(jwt).{@link Jwt#accept(JwtVisitor) accept}({@link
+ * Jwt#UNSECURED_CLAIMS});
+ *
+ * @param jwt a compact unsecured Claims JWT.
+ * @return the parsed unsecured Claims JWT.
+ * @throws UnsupportedJwtException if the {@code jwt} argument does not represent an unsecured Claims JWT
+ * @throws JwtException if the {@code jwt} string cannot be parsed or validated as required.
+ * @throws IllegalArgumentException if the {@code jwt} string is {@code null} or empty or only whitespace
+ * @see #parse(CharSequence)
+ * @see Jwt#accept(JwtVisitor)
+ * @since 0.12.0
*/
- @Deprecated
- JwtParser setClock(Clock clock);
+ Jwt parseUnsecuredClaims(CharSequence jwt) throws JwtException, IllegalArgumentException;
/**
- * Sets the amount of clock skew in seconds to tolerate when verifying the local time against the {@code exp}
- * and {@code nbf} claims.
+ * Parses the {@code jws} argument, expected to be a cryptographically-signed content JWS. If the JWS
+ * creator set the (optional) {@link Header#getContentType() contentType} header value, the application may
+ * inspect that value to determine how to convert the byte array to the final content type as desired.
*
- * @param seconds the number of seconds to tolerate for clock skew when verifying {@code exp} or {@code nbf} claims.
- * @return the parser for method chaining.
- * @since 0.7.0
- * @throws IllegalArgumentException if {@code seconds} is a value greater than {@code Long.MAX_VALUE / 1000} as
- * any such value would cause numeric overflow when multiplying by 1000 to obtain a millisecond value.
- * @deprecated see {@link JwtParserBuilder#setAllowedClockSkewSeconds(long)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ *
This is a convenience method logically equivalent to the following:
+ *
+ *
+ * {@link #parse(CharSequence) parse}(jws).{@link Jwt#accept(JwtVisitor) accept}({@link
+ * Jws#CONTENT});
+ *
+ * @param jws a compact cryptographically-signed content JWS.
+ * @return the parsed cryptographically-verified content JWS.
+ * @throws UnsupportedJwtException if the {@code jws} argument does not represent a signed content JWS
+ * @throws JwtException if the {@code jws} string cannot be parsed or validated as required.
+ * @throws IllegalArgumentException if the {@code jws} string is {@code null} or empty or only whitespace
+ * @see #parse(CharSequence)
+ * @see Jwt#accept(JwtVisitor)
+ * @since 0.12.0
*/
- @Deprecated
- JwtParser setAllowedClockSkewSeconds(long seconds) throws IllegalArgumentException;
+ Jws parseSignedContent(CharSequence jws) throws JwtException, IllegalArgumentException;
/**
- * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
- * a JWS (no signature), this key is not used.
- *
- *
Note that this key MUST be a valid key for the signature algorithm found in the JWT header
- * (as the {@code alg} header parameter).
- *
- *
This method overwrites any previously set key.
+ * Parses a JWS known to use the
+ * RFC 7797: JSON Web Signature (JWS) Unencoded Payload
+ * Option, using the specified {@code unencodedPayload} for signature verification.
*
- * @param key the algorithm-specific signature verification key used to validate any discovered JWS digital
- * signature.
- * @return the parser for method chaining.
- * @deprecated see {@link JwtParserBuilder#setSigningKey(byte[])}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ *
Unencoded Non-Detached Payload
+ *
+ * Note that if the JWS contains a valid unencoded Payload string (what RFC 7797 calls an
+ * "unencoded non-detached
+ * payload", the {@code unencodedPayload} method argument will be ignored, as the JWS already includes
+ * the payload content necessary for signature verification.
+ *
+ * @param jws the Unencoded Payload JWS to parse.
+ * @param unencodedPayload the JWS's associated required unencoded payload used for signature verification.
+ * @return the parsed Unencoded Payload.
+ * @since 0.12.0
*/
- @Deprecated
- JwtParser setSigningKey(byte[] key);
+ Jws parseSignedContent(CharSequence jws, byte[] unencodedPayload);
/**
- * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
- * a JWS (no signature), this key is not used.
+ * Parses a JWS known to use the
+ * RFC 7797: JSON Web Signature (JWS) Unencoded Payload
+ * Option, using the bytes from the specified {@code unencodedPayload} stream for signature verification.
*
- * Note that this key MUST be a valid key for the signature algorithm found in the JWT header
- * (as the {@code alg} header parameter).
+ * Because it is not possible to know how large the {@code unencodedPayload} stream will be, the stream bytes
+ * will not be buffered in memory, ensuring the resulting {@link Jws} return value's {@link Jws#getPayload()}
+ * is always empty. This is generally not a concern since the caller already has access to the stream bytes and
+ * may obtain them independently before or after calling this method if they are needed otherwise.
*
- * This method overwrites any previously set key.
+ * Unencoded Non-Detached Payload
*
- * This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting
- * byte array is used to invoke {@link #setSigningKey(byte[])}.
+ * Note that if the JWS contains a valid unencoded payload String (what RFC 7797 calls an
+ * "unencoded non-detached
+ * payload", the {@code unencodedPayload} method argument will be ignored, as the JWS already includes
+ * the payload content necessary for signature verification. In this case the resulting {@link Jws} return
+ * value's {@link Jws#getPayload()} will contain the embedded payload String's UTF-8 bytes.
*
- * Deprecation Notice: Deprecated as of 0.10.0, will be removed in 1.0.0
- *
- * This method has been deprecated because the {@code key} argument for this method can be confusing: keys for
- * cryptographic operations are always binary (byte arrays), and many people were confused as to how bytes were
- * obtained from the String argument.
- *
- * This method always expected a String argument that was effectively the same as the result of the following
- * (pseudocode):
- *
- * {@code String base64EncodedSecretKey = base64Encode(secretKeyBytes);}
- *
- * However, a non-trivial number of JJWT users were confused by the method signature and attempted to
- * use raw password strings as the key argument - for example {@code setSigningKey(myPassword)} - which is
- * almost always incorrect for cryptographic hashes and can produce erroneous or insecure results.
- *
- * See this
- *
- * StackOverflow answer explaining why raw (non-base64-encoded) strings are almost always incorrect for
- * signature operations.
- *
- * Finally, please use the {@link #setSigningKey(Key) setSigningKey(Key)} instead, as this method and the
- * {@code byte[]} variant will be removed before the 1.0.0 release.
- *
- * @param base64EncodedSecretKey the BASE64-encoded algorithm-specific signature verification key to use to validate
- * any discovered JWS digital signature.
- * @return the parser for method chaining.
- * @deprecated see {@link JwtParserBuilder#setSigningKey(String)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ * @param jws the Unencoded Payload JWS to parse.
+ * @param unencodedPayload the JWS's associated required unencoded payload used for signature verification.
+ * @return the parsed Unencoded Payload.
+ * @since 0.12.0
*/
- @Deprecated
- JwtParser setSigningKey(String base64EncodedSecretKey);
+ Jws parseSignedContent(CharSequence jws, InputStream unencodedPayload);
/**
- * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
- * a JWS (no signature), this key is not used.
- *
- *
Note that this key MUST be a valid key for the signature algorithm found in the JWT header
- * (as the {@code alg} header parameter).
- *
- *
This method overwrites any previously set key.
+ * Parses the {@code jws} argument, expected to be a cryptographically-signed {@code Claims} JWS. This is a
+ * convenience method logically equivalent to the following:
*
- * @param key the algorithm-specific signature verification key to use to validate any discovered JWS digital
- * signature.
- * @return the parser for method chaining.
- * @deprecated see {@link JwtParserBuilder#setSigningKey(Key)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
- */
- @Deprecated
- JwtParser setSigningKey(Key key);
-
- /**
- * Sets the {@link SigningKeyResolver} used to acquire the signing key that should be used to verify
- * a JWS's signature. If the parsed String is not a JWS (no signature), this resolver is not used.
- *
- *
Specifying a {@code SigningKeyResolver} is necessary when the signing key is not already known before parsing
- * the JWT and the JWT header or payload (plaintext body or Claims) must be inspected first to determine how to
- * look up the signing key. Once returned by the resolver, the JwtParser will then verify the JWS signature with the
- * returned key. For example:
- *
- *
- * Jws<Claims> jws = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
- * @Override
- * public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
- * //inspect the header or claims, lookup and return the signing key
- * return getSigningKey(header, claims); //implement me
- * }})
- * .parseClaimsJws(compact);
- *
- *
- *
A {@code SigningKeyResolver} is invoked once during parsing before the signature is verified.
- *
- *
This method should only be used if a signing key is not provided by the other {@code setSigningKey*} builder
- * methods.
+ *
+ * {@link #parse(CharSequence) parse}(jws).{@link Jwt#accept(JwtVisitor) accept}({@link
+ * Jws#CLAIMS});
*
- * @param signingKeyResolver the signing key resolver used to retrieve the signing key.
- * @return the parser for method chaining.
- * @since 0.4
- * @deprecated see {@link JwtParserBuilder#setSigningKeyResolver(SigningKeyResolver)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ * @param jws a compact cryptographically-signed Claims JWS.
+ * @return the parsed cryptographically-verified Claims JWS.
+ * @throws UnsupportedJwtException if the {@code jwt} argument does not represent a signed Claims JWT
+ * @throws JwtException if the {@code jwt} string cannot be parsed or validated as required.
+ * @throws IllegalArgumentException if the {@code jwt} string is {@code null} or empty or only whitespace
+ * @see #parse(CharSequence)
+ * @see Jwt#accept(JwtVisitor)
+ * @since 0.12.0
*/
- @Deprecated
- JwtParser setSigningKeyResolver(SigningKeyResolver signingKeyResolver);
+ Jws parseSignedClaims(CharSequence jws) throws JwtException, IllegalArgumentException;
/**
- * Sets the {@link CompressionCodecResolver} used to acquire the {@link CompressionCodec} that should be used to
- * decompress the JWT body. If the parsed JWT is not compressed, this resolver is not used.
- * NOTE: Compression is not defined by the JWT Specification, and it is not expected that other libraries
- * (including JJWT versions < 0.6.0) are able to consume a compressed JWT body correctly. This method is only
- * useful if the compact JWT was compressed with JJWT >= 0.6.0 or another library that you know implements
- * the same behavior.
- * Default Support
- * JJWT's default {@link JwtParser} implementation supports both the
- * {@link CompressionCodecs#DEFLATE DEFLATE}
- * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to
- * specify a {@code CompressionCodecResolver} in these cases.
- * However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement
- * your own {@link CompressionCodecResolver} and specify that via this method and also when
- * {@link io.jsonwebtoken.JwtBuilder#compressWith(CompressionCodec) building} JWTs.
+ * Parses a JWS known to use the
+ * RFC 7797: JSON Web Signature (JWS) Unencoded Payload
+ * Option, using the specified {@code unencodedPayload} for signature verification.
*
- * @param compressionCodecResolver the compression codec resolver used to decompress the JWT body.
- * @return the parser for method chaining.
- * @since 0.6.0
- * @deprecated see {@link JwtParserBuilder#setCompressionCodecResolver(CompressionCodecResolver)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
- */
- @Deprecated
- JwtParser setCompressionCodecResolver(CompressionCodecResolver compressionCodecResolver);
-
- /**
- * Perform Base64Url decoding with the specified Decoder
+ *
Unencoded Non-Detached Payload
*
- * JJWT uses a spec-compliant decoder that works on all supported JDK versions, but you may call this method
- * to specify a different decoder if you desire.
+ * Note that if the JWS contains a valid unencoded payload String (what RFC 7797 calls an
+ * "unencoded non-detached
+ * payload", the {@code unencodedPayload} method argument will be ignored, as the JWS already includes
+ * the payload content necessary for signature verification and claims creation.
*
- * @param base64UrlDecoder the decoder to use when Base64Url-decoding
- * @return the parser for method chaining.
- * @since 0.10.0
- * @deprecated see {@link JwtParserBuilder#base64UrlDecodeWith(Decoder)}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
+ * @param jws the Unencoded Payload JWS to parse.
+ * @param unencodedPayload the JWS's associated required unencoded payload used for signature verification.
+ * @return the parsed and validated Claims JWS.
+ * @throws JwtException if parsing, signature verification, or JWT validation fails.
+ * @throws IllegalArgumentException if either the {@code jws} or {@code unencodedPayload} are null or empty.
+ * @since 0.12.0
*/
- @Deprecated
- JwtParser base64UrlDecodeWith(Decoder base64UrlDecoder);
+ Jws parseSignedClaims(CharSequence jws, byte[] unencodedPayload) throws JwtException, IllegalArgumentException;
/**
- * Uses the specified deserializer to convert JSON Strings (UTF-8 byte arrays) into Java Map objects. This is
- * used by the parser after Base64Url-decoding to convert JWT/JWS/JWT JSON headers and claims into Java Map
- * objects.
+ * Parses a JWS known to use the
+ * RFC 7797: JSON Web Signature (JWS) Unencoded Payload
+ * Option, using the bytes from the specified {@code unencodedPayload} stream for signature verification and
+ * {@link Claims} creation.
*
- * If this method is not called, JJWT will use whatever deserializer it can find at runtime, checking for the
- * presence of well-known implementations such Jackson, Gson, and org.json. If one of these is not found
- * in the runtime classpath, an exception will be thrown when one of the various {@code parse}* methods is
- * invoked.
+ * NOTE: however, because calling this method indicates a completed
+ * {@link Claims} instance is desired, the specified {@code unencodedPayload} JSON stream will be fully
+ * read into a Claims instance. If this will be problematic for your application (perhaps if you expect extremely
+ * large Claims), it is recommended to use the {@link #parseSignedContent(CharSequence, InputStream)} method
+ * instead.
*
- * @param deserializer the deserializer to use when converting JSON Strings (UTF-8 byte arrays) into Map objects.
- * @return the parser for method chaining.
- * @since 0.10.0
- * @deprecated see {@link JwtParserBuilder#deserializeJsonWith(Deserializer)} )}.
- * To construct a JwtParser use the corresponding builder via {@link Jwts#parserBuilder()}. This will construct an
- * immutable JwtParser.
- * NOTE: this method will be removed before version 1.0
- */
- @Deprecated
- JwtParser deserializeJsonWith(Deserializer> deserializer);
-
- /**
- * Returns {@code true} if the specified JWT compact string represents a signed JWT (aka a 'JWS'), {@code false}
- * otherwise.
- *
- *
Note that if you are reasonably sure that the token is signed, it is more efficient to attempt to
- * parse the token (and catching exceptions if necessary) instead of calling this method first before parsing.
+ * Unencoded Non-Detached Payload
*
- * @param jwt the compact serialized JWT to check
- * @return {@code true} if the specified JWT compact string represents a signed JWT (aka a 'JWS'), {@code false}
- * otherwise.
- */
- boolean isSigned(String jwt);
-
- /**
- * Parses the specified compact serialized JWT string based on the builder's current configuration state and
- * returns the resulting JWT or JWS instance.
- *
- *
This method returns a JWT or JWS based on the parsed string. Because it may be cumbersome to determine if it
- * is a JWT or JWS, or if the body/payload is a Claims or String with {@code instanceof} checks, the
- * {@link #parse(String, JwtHandler) parse(String,JwtHandler)} method allows for a type-safe callback approach that
- * may help reduce code or instanceof checks.
+ * Note that if the JWS contains a valid unencoded Payload string (what RFC 7797 calls an
+ * "unencoded non-detached
+ * payload", the {@code unencodedPayload} method argument will be ignored, as the JWS already includes
+ * the payload content necessary for signature verification and Claims creation.
*
- * @param jwt the compact serialized JWT to parse
- * @return the specified compact serialized JWT string based on the builder's current configuration state.
- * @throws MalformedJwtException if the specified JWT was incorrectly constructed (and therefore invalid).
- * Invalid
- * JWTs should not be trusted and should be discarded.
- * @throws SignatureException if a JWS signature was discovered, but could not be verified. JWTs that fail
- * signature validation should not be trusted and should be discarded.
- * @throws ExpiredJwtException if the specified JWT is a Claims JWT and the Claims has an expiration time
- * before the time this method is invoked.
- * @throws IllegalArgumentException if the specified string is {@code null} or empty or only whitespace.
- * @see #parse(String, JwtHandler)
- * @see #parsePlaintextJwt(String)
- * @see #parseClaimsJwt(String)
- * @see #parsePlaintextJws(String)
- * @see #parseClaimsJws(String)
+ * @param jws the Unencoded Payload JWS to parse.
+ * @param unencodedPayload the JWS's associated required unencoded payload used for signature verification.
+ * @return the parsed and validated Claims JWS.
+ * @throws JwtException if parsing, signature verification, or JWT validation fails.
+ * @throws IllegalArgumentException if either the {@code jws} or {@code unencodedPayload} are null or empty.
+ * @since 0.12.0
*/
- Jwt parse(String jwt) throws ExpiredJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+ Jws parseSignedClaims(CharSequence jws, InputStream unencodedPayload) throws JwtException, IllegalArgumentException;
/**
- * Parses the specified compact serialized JWT string based on the builder's current configuration state and
- * invokes the specified {@code handler} with the resulting JWT or JWS instance.
- *
- *
If you are confident of the format of the JWT before parsing, you can create an anonymous subclass using the
- * {@link io.jsonwebtoken.JwtHandlerAdapter JwtHandlerAdapter} and override only the methods you know are relevant
- * for your use case(s), for example:
- *
- *
- * String compactJwt = request.getParameter("jwt"); //we are confident this is a signed JWS
+ * Parses the {@code jwe} argument, expected to be an encrypted content JWE. If the JWE
+ * creator set the (optional) {@link Header#getContentType() contentType} header value, the application may
+ * inspect that value to determine how to convert the byte array to the final content type as desired.
*
- * String subject = Jwts.parser().setSigningKey(key).parse(compactJwt, new JwtHandlerAdapter<String>() {
- * @Override
- * public String onClaimsJws(Jws<Claims> jws) {
- * return jws.getBody().getSubject();
- * }
- * });
- *
- *
- *
If you know the JWT string can be only one type of JWT, then it is even easier to invoke one of the
- * following convenience methods instead of this one:
- *
- *
- * - {@link #parsePlaintextJwt(String)}
- * - {@link #parseClaimsJwt(String)}
- * - {@link #parsePlaintextJws(String)}
- * - {@link #parseClaimsJws(String)}
- *
+ * This is a convenience method logically equivalent to the following:
*
- * @param jwt the compact serialized JWT to parse
- * @return the result returned by the {@code JwtHandler}
- * @throws MalformedJwtException if the specified JWT was incorrectly constructed (and therefore invalid).
- * Invalid JWTs should not be trusted and should be discarded.
- * @throws SignatureException if a JWS signature was discovered, but could not be verified. JWTs that fail
- * signature validation should not be trusted and should be discarded.
- * @throws ExpiredJwtException if the specified JWT is a Claims JWT and the Claims has an expiration time
- * before the time this method is invoked.
- * @throws IllegalArgumentException if the specified string is {@code null} or empty or only whitespace, or if the
- * {@code handler} is {@code null}.
- * @see #parsePlaintextJwt(String)
- * @see #parseClaimsJwt(String)
- * @see #parsePlaintextJws(String)
- * @see #parseClaimsJws(String)
- * @see #parse(String)
- * @since 0.2
- */
- T parse(String jwt, JwtHandler handler)
- throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
-
- /**
- * Parses the specified compact serialized JWT string based on the builder's current configuration state and
- * returns
- * the resulting unsigned plaintext JWT instance.
- *
- *
This is a convenience method that is usable if you are confident that the compact string argument reflects an
- * unsigned plaintext JWT. An unsigned plaintext JWT has a String (non-JSON) body payload and it is not
- * cryptographically signed.
- *
- *
If the compact string presented does not reflect an unsigned plaintext JWT with non-JSON string body,
- * an {@link UnsupportedJwtException} will be thrown.
+ *
+ * {@link #parse(CharSequence) parse}(jwe).{@link Jwt#accept(JwtVisitor) accept}({@link
+ * Jwe#CONTENT});
*
- * @param plaintextJwt a compact serialized unsigned plaintext JWT string.
- * @return the {@link Jwt Jwt} instance that reflects the specified compact JWT string.
- * @throws UnsupportedJwtException if the {@code plaintextJwt} argument does not represent an unsigned plaintext
- * JWT
- * @throws MalformedJwtException if the {@code plaintextJwt} string is not a valid JWT
- * @throws SignatureException if the {@code plaintextJwt} string is actually a JWS and signature validation
- * fails
- * @throws IllegalArgumentException if the {@code plaintextJwt} string is {@code null} or empty or only whitespace
- * @see #parseClaimsJwt(String)
- * @see #parsePlaintextJws(String)
- * @see #parseClaimsJws(String)
- * @see #parse(String, JwtHandler)
- * @see #parse(String)
- * @since 0.2
+ * @param jwe a compact encrypted content JWE.
+ * @return the parsed decrypted content JWE.
+ * @throws UnsupportedJwtException if the {@code jwe} argument does not represent an encrypted content JWE
+ * @throws JwtException if the {@code jwe} string cannot be parsed or validated as required.
+ * @throws IllegalArgumentException if the {@code jwe} string is {@code null} or empty or only whitespace
+ * @see #parse(CharSequence)
+ * @see Jwt#accept(JwtVisitor)
+ * @since 0.12.0
*/
- Jwt parsePlaintextJwt(String plaintextJwt)
- throws UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+ Jwe parseEncryptedContent(CharSequence jwe) throws JwtException, IllegalArgumentException;
/**
- * Parses the specified compact serialized JWT string based on the builder's current configuration state and
- * returns
- * the resulting unsigned plaintext JWT instance.
- *
- *
This is a convenience method that is usable if you are confident that the compact string argument reflects an
- * unsigned Claims JWT. An unsigned Claims JWT has a {@link Claims} body and it is not cryptographically
- * signed.
- *
- *
If the compact string presented does not reflect an unsigned Claims JWT, an
- * {@link UnsupportedJwtException} will be thrown.
+ * Parses the {@code jwe} argument, expected to be an encrypted {@code Claims} JWE. This is a
+ * convenience method logically equivalent to the following:
*
- * @param claimsJwt a compact serialized unsigned Claims JWT string.
- * @return the {@link Jwt Jwt} instance that reflects the specified compact JWT string.
- * @throws UnsupportedJwtException if the {@code claimsJwt} argument does not represent an unsigned Claims JWT
- * @throws MalformedJwtException if the {@code claimsJwt} string is not a valid JWT
- * @throws SignatureException if the {@code claimsJwt} string is actually a JWS and signature validation
- * fails
- * @throws ExpiredJwtException if the specified JWT is a Claims JWT and the Claims has an expiration time
- * before the time this method is invoked.
- * @throws IllegalArgumentException if the {@code claimsJwt} string is {@code null} or empty or only whitespace
- * @see #parsePlaintextJwt(String)
- * @see #parsePlaintextJws(String)
- * @see #parseClaimsJws(String)
- * @see #parse(String, JwtHandler)
- * @see #parse(String)
- * @since 0.2
- */
- Jwt parseClaimsJwt(String claimsJwt)
- throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
-
- /**
- * Parses the specified compact serialized JWS string based on the builder's current configuration state and
- * returns
- * the resulting plaintext JWS instance.
- *
- *
This is a convenience method that is usable if you are confident that the compact string argument reflects a
- * plaintext JWS. A plaintext JWS is a JWT with a String (non-JSON) body (payload) that has been
- * cryptographically signed.
- *
- *
If the compact string presented does not reflect a plaintext JWS, an {@link UnsupportedJwtException}
- * will be thrown.
+ *
+ * {@link #parse(CharSequence) parse}(jwe).{@link Jwt#accept(JwtVisitor) accept}({@link
+ * Jwe#CLAIMS});
*
- * @param plaintextJws a compact serialized JWS string.
- * @return the {@link Jws Jws} instance that reflects the specified compact JWS string.
- * @throws UnsupportedJwtException if the {@code plaintextJws} argument does not represent an plaintext JWS
- * @throws MalformedJwtException if the {@code plaintextJws} string is not a valid JWS
- * @throws SignatureException if the {@code plaintextJws} JWS signature validation fails
- * @throws IllegalArgumentException if the {@code plaintextJws} string is {@code null} or empty or only whitespace
- * @see #parsePlaintextJwt(String)
- * @see #parseClaimsJwt(String)
- * @see #parseClaimsJws(String)
- * @see #parse(String, JwtHandler)
- * @see #parse(String)
- * @since 0.2
+ * @param jwe a compact encrypted Claims JWE.
+ * @return the parsed decrypted Claims JWE.
+ * @throws UnsupportedJwtException if the {@code jwe} argument does not represent an encrypted Claims JWE.
+ * @throws JwtException if the {@code jwe} string cannot be parsed or validated as required.
+ * @throws IllegalArgumentException if the {@code jwe} string is {@code null} or empty or only whitespace
+ * @see #parse(CharSequence)
+ * @see Jwt#accept(JwtVisitor)
+ * @since 0.12.0
*/
- Jws parsePlaintextJws(String plaintextJws)
- throws UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
-
- /**
- * Parses the specified compact serialized JWS string based on the builder's current configuration state and
- * returns
- * the resulting Claims JWS instance.
- *
- *
This is a convenience method that is usable if you are confident that the compact string argument reflects a
- * Claims JWS. A Claims JWS is a JWT with a {@link Claims} body that has been cryptographically signed.
- *
- *
If the compact string presented does not reflect a Claims JWS, an {@link UnsupportedJwtException} will be
- * thrown.
- *
- * @param claimsJws a compact serialized Claims JWS string.
- * @return the {@link Jws Jws} instance that reflects the specified compact Claims JWS string.
- * @throws UnsupportedJwtException if the {@code claimsJws} argument does not represent an Claims JWS
- * @throws MalformedJwtException if the {@code claimsJws} string is not a valid JWS
- * @throws SignatureException if the {@code claimsJws} JWS signature validation fails
- * @throws ExpiredJwtException if the specified JWT is a Claims JWT and the Claims has an expiration time
- * before the time this method is invoked.
- * @throws IllegalArgumentException if the {@code claimsJws} string is {@code null} or empty or only whitespace
- * @see #parsePlaintextJwt(String)
- * @see #parseClaimsJwt(String)
- * @see #parsePlaintextJws(String)
- * @see #parse(String, JwtHandler)
- * @see #parse(String)
- * @since 0.2
- */
- Jws parseClaimsJws(String claimsJws)
- throws ExpiredJwtException, UnsupportedJwtException, MalformedJwtException, SignatureException, IllegalArgumentException;
+ Jwe parseEncryptedClaims(CharSequence jwe) throws JwtException, IllegalArgumentException;
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtParserBuilder.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtParserBuilder.java (.../JwtParserBuilder.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtParserBuilder.java (.../JwtParserBuilder.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -15,32 +15,134 @@
*/
package io.jsonwebtoken;
+import io.jsonwebtoken.io.CompressionAlgorithm;
import io.jsonwebtoken.io.Decoder;
import io.jsonwebtoken.io.Deserializer;
+import io.jsonwebtoken.lang.Builder;
+import io.jsonwebtoken.lang.Conjunctor;
+import io.jsonwebtoken.lang.NestedCollection;
+import io.jsonwebtoken.security.AeadAlgorithm;
+import io.jsonwebtoken.security.KeyAlgorithm;
+import io.jsonwebtoken.security.SecureDigestAlgorithm;
+import javax.crypto.SecretKey;
+import java.io.InputStream;
import java.security.Key;
+import java.security.PrivateKey;
+import java.security.Provider;
+import java.security.PublicKey;
import java.util.Date;
import java.util.Map;
/**
* A builder to construct a {@link JwtParser}. Example usage:
* {@code
- * Jwts.parserBuilder()
- * .setSigningKey(...)
+ * Jwts.parser()
* .requireIssuer("https://issuer.example.com")
+ * .verifyWith(...)
* .build()
* .parse(jwtString)
* }
+ *
* @since 0.11.0
*/
-public interface JwtParserBuilder {
+@SuppressWarnings("JavadocLinkAsPlainText")
+public interface JwtParserBuilder extends Builder {
/**
+ * Enables parsing of Unsecured JWTs (JWTs with an 'alg' (Algorithm) header value of
+ * 'none' or missing the 'alg' header entirely). Be careful when calling this method - one should fully understand
+ * Unsecured JWS Security Considerations
+ * before enabling this feature.
+ * If this method is not called, Unsecured JWTs are disabled by default as mandated by
+ * RFC 7518, Section
+ * 3.6.
+ *
+ * @return the builder for method chaining.
+ * @see Unsecured JWS Security Considerations
+ * @see Using the Algorithm "none"
+ * @see Jwts.SIG#NONE
+ * @see #unsecuredDecompression()
+ * @since 0.12.0
+ */
+ JwtParserBuilder unsecured();
+
+ /**
+ * If the parser is {@link #unsecured()}, calling this method additionally enables
+ * payload decompression of Unsecured JWTs (JWTs with an 'alg' (Algorithm) header value of 'none') that also have
+ * a 'zip' (Compression) header. This behavior is disabled by default because using compression
+ * algorithms with data from unverified (unauthenticated) parties can be susceptible to Denial of Service attacks
+ * and other data integrity problems as described in
+ * In the
+ * Compression Hornet’s Nest: A Security Study of Data Compression in Network Services.
+ *
+ * Because this behavior is only relevant if the parser is unsecured,
+ * calling this method without also calling {@link #unsecured()} will result in a build exception, as the
+ * incongruent state could reflect a misunderstanding of both behaviors which should be remedied by the
+ * application developer.
+ *
+ * As is the case for {@link #unsecured()}, be careful when calling this method - one should fully
+ * understand
+ * Unsecured JWS Security Considerations
+ * before enabling this feature.
+ *
+ * @return the builder for method chaining.
+ * @see Unsecured JWS Security Considerations
+ * @see In the
+ * Compression Hornet’s Nest: A Security Study of Data Compression in Network Services
+ * @see Jwts.SIG#NONE
+ * @see #unsecured()
+ * @since 0.12.0
+ */
+ JwtParserBuilder unsecuredDecompression();
+
+ /**
+ * Configures the {@link ProtectedHeader} parameter names used in JWT extensions supported by the application. If
+ * the parser encounters a Protected JWT that {@link ProtectedHeader#getCritical() requires} extensions, and
+ * those extensions' header names are not specified via this method, the parser will reject that JWT.
+ *
+ * The collection's {@link Conjunctor#and() and()} method returns to the builder for continued parser
+ * configuration, for example:
+ *
+ * parserBuilder.critical().add("headerName").{@link Conjunctor#and() and()} // etc...
+ *
+ * Extension Behavior
+ *
+ * The {@code critical} collection only identifies header parameter names that are used in extensions supported
+ * by the application. Application developers, not JJWT, MUST perform the associated extension behavior
+ * using the parsed JWT.
+ *
+ * Continued Parser Configuration
+ * When finished, use the collection's
+ * {@link Conjunctor#and() and()} method to continue parser configuration, for example:
+ *
+ * Jwts.parser()
+ * .critical().add("headerName").{@link Conjunctor#and() and()} // return parent
+ * // resume parser configuration...
+ *
+ * @return the {@link NestedCollection} to use for {@code crit} configuration.
+ * @see ProtectedHeader#getCritical()
+ * @since 0.12.0
+ */
+ NestedCollection critical();
+
+ /**
+ * Sets the JCA Provider to use during cryptographic signature and key decryption operations, or {@code null} if the
+ * JCA subsystem preferred provider should be used.
+ *
+ * @param provider the JCA Provider to use during cryptographic signature and decryption operations, or {@code null}
+ * if the JCA subsystem preferred provider should be used.
+ * @return the builder for method chaining.
+ * @since 0.12.0
+ */
+ JwtParserBuilder provider(Provider provider);
+
+ /**
* Ensures that the specified {@code jti} exists in the parsed JWT. If missing or if the parsed
* value does not equal the specified value, an exception will be thrown indicating that the
* JWT is invalid and may not be used.
*
- * @param id
+ * @param id the required value of the {@code jti} header parameter.
* @return the parser builder for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
@@ -52,7 +154,7 @@
* value does not equal the specified value, an exception will be thrown indicating that the
* JWT is invalid and may not be used.
*
- * @param subject
+ * @param subject the required value of the {@code sub} header parameter.
* @return the parser builder for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
@@ -61,10 +163,10 @@
/**
* Ensures that the specified {@code aud} exists in the parsed JWT. If missing or if the parsed
- * value does not equal the specified value, an exception will be thrown indicating that the
+ * value does not contain the specified value, an exception will be thrown indicating that the
* JWT is invalid and may not be used.
*
- * @param audience
+ * @param audience the required value of the {@code aud} header parameter.
* @return the parser builder for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
@@ -76,7 +178,7 @@
* value does not equal the specified value, an exception will be thrown indicating that the
* JWT is invalid and may not be used.
*
- * @param issuer
+ * @param issuer the required value of the {@code iss} header parameter.
* @return the parser builder for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
@@ -88,7 +190,7 @@
* value does not equal the specified value, an exception will be thrown indicating that the
* JWT is invalid and may not be used.
*
- * @param issuedAt
+ * @param issuedAt the required value of the {@code iat} header parameter.
* @return the parser builder for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
@@ -100,7 +202,7 @@
* value does not equal the specified value, an exception will be thrown indicating that the
* JWT is invalid and may not be used.
*
- * @param expiration
+ * @param expiration the required value of the {@code exp} header parameter.
* @return the parser builder for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
@@ -112,7 +214,7 @@
* value does not equal the specified value, an exception will be thrown indicating that the
* JWT is invalid and may not be used.
*
- * @param notBefore
+ * @param notBefore the required value of the {@code npf} header parameter.
* @return the parser builder for method chaining
* @see MissingClaimException
* @see IncorrectClaimException
@@ -124,8 +226,8 @@
* value does not equal the specified value, an exception will be thrown indicating that the
* JWT is invalid and may not be used.
*
- * @param claimName
- * @param value
+ * @param claimName the name of a claim that must exist
+ * @param value the required value of the specified {@code claimName}
* @return the parser builder for method chaining.
* @see MissingClaimException
* @see IncorrectClaimException
@@ -138,49 +240,78 @@
*
* @param clock a {@code Clock} object to return the timestamp to use when validating the parsed JWT.
* @return the parser builder for method chaining.
+ * @deprecated since 0.12.0 for the more modern builder-style named {@link #clock(Clock)} method.
+ * This method will be removed before the JJWT 1.0 release.
*/
+ @Deprecated
JwtParserBuilder setClock(Clock clock);
/**
+ * Sets the {@link Clock} that determines the timestamp to use when validating the parsed JWT.
+ * The parser uses a default Clock implementation that simply returns {@code new Date()} when called.
+ *
+ * @param clock a {@code Clock} object to return the timestamp to use when validating the parsed JWT.
+ * @return the parser builder for method chaining.
+ */
+ JwtParserBuilder clock(Clock clock);
+
+ /**
* Sets the amount of clock skew in seconds to tolerate when verifying the local time against the {@code exp}
* and {@code nbf} claims.
*
* @param seconds the number of seconds to tolerate for clock skew when verifying {@code exp} or {@code nbf} claims.
* @return the parser builder for method chaining.
* @throws IllegalArgumentException if {@code seconds} is a value greater than {@code Long.MAX_VALUE / 1000} as
- * any such value would cause numeric overflow when multiplying by 1000 to obtain a millisecond value.
+ * any such value would cause numeric overflow when multiplying by 1000 to obtain
+ * a millisecond value.
+ * @deprecated since 0.12.0 in favor of the shorter and more modern builder-style named
+ * {@link #clockSkewSeconds(long)}. This method will be removed before the JJWT 1.0 release.
*/
+ @Deprecated
JwtParserBuilder setAllowedClockSkewSeconds(long seconds) throws IllegalArgumentException;
/**
- * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
- * a JWS (no signature), this key is not used.
- *
+ * Sets the amount of clock skew in seconds to tolerate when verifying the local time against the {@code exp}
+ * and {@code nbf} claims.
+ *
+ * @param seconds the number of seconds to tolerate for clock skew when verifying {@code exp} or {@code nbf} claims.
+ * @return the parser builder for method chaining.
+ * @throws IllegalArgumentException if {@code seconds} is a value greater than {@code Long.MAX_VALUE / 1000} as
+ * any such value would cause numeric overflow when multiplying by 1000 to obtain
+ * a millisecond value.
+ */
+ JwtParserBuilder clockSkewSeconds(long seconds) throws IllegalArgumentException;
+
+ /**
+ *
Deprecation Notice
+ *
+ * This method has been deprecated since 0.12.0 and will be removed before 1.0. It was not
+ * readily obvious to many JJWT users that this method was for bytes that pertained only to HMAC
+ * {@code SecretKey}s, and could be confused with keys of other types. It is better to obtain a type-safe
+ * {@link SecretKey} instance and call {@link #verifyWith(SecretKey)} instead.
+ *
+ * Previous Documentation
+ *
+ * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
+ * a JWS (no signature), this key is not used.
+ *
* Note that this key MUST be a valid key for the signature algorithm found in the JWT header
* (as the {@code alg} header parameter).
- *
+ *
*
This method overwrites any previously set key.
*
* @param key the algorithm-specific signature verification key used to validate any discovered JWS digital
* signature.
* @return the parser builder for method chaining.
+ * @deprecated since 0.12.0 in favor of {@link #verifyWith(SecretKey)} for type safety and name
+ * congruence with the {@link #decryptWith(SecretKey)} method.
*/
+ @Deprecated
JwtParserBuilder setSigningKey(byte[] key);
/**
- * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
- * a JWS (no signature), this key is not used.
+ * Deprecation Notice: Deprecated as of 0.10.0, will be removed in 1.0.0
*
- * Note that this key MUST be a valid key for the signature algorithm found in the JWT header
- * (as the {@code alg} header parameter).
- *
- * This method overwrites any previously set key.
- *
- * This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting
- * byte array is used to invoke {@link #setSigningKey(byte[])}.
- *
- * Deprecation Notice: Deprecated as of 0.10.0, will be removed in 1.0.0
- *
* This method has been deprecated because the {@code key} argument for this method can be confusing: keys for
* cryptographic operations are always binary (byte arrays), and many people were confused as to how bytes were
* obtained from the String argument.
@@ -199,78 +330,429 @@
* StackOverflow answer explaining why raw (non-base64-encoded) strings are almost always incorrect for
* signature operations.
*
- * Finally, please use the {@link #setSigningKey(Key) setSigningKey(Key)} instead, as this method and the
- * {@code byte[]} variant will be removed before the 1.0.0 release.
+ * Finally, please use the {@link #verifyWith(SecretKey)} method instead, as this method (and likely
+ * {@link #setSigningKey(byte[])}) will be removed before the 1.0.0 release.
*
- * @param base64EncodedSecretKey the BASE64-encoded algorithm-specific signature verification key to use to validate
- * any discovered JWS digital signature.
+ * Previous JavaDoc
+ *
+ * This is a convenience method that equates to the following:
+ *
+ *
+ * byte[] bytes = Decoders.{@link io.jsonwebtoken.io.Decoders#BASE64 BASE64}.decode(base64EncodedSecretKey);
+ * Key key = Keys.{@link io.jsonwebtoken.security.Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor}(bytes);
+ * return {@link #verifyWith(SecretKey) verifyWith}(key);
+ *
+ * @param base64EncodedSecretKey BASE64-encoded HMAC-SHA key bytes used to create a Key which will be used to
+ * verify all encountered JWS digital signatures.
* @return the parser builder for method chaining.
+ * @deprecated in favor of {@link #verifyWith(SecretKey)} as explained in the above Deprecation Notice,
+ * and will be removed in 1.0.0.
*/
+ @Deprecated
JwtParserBuilder setSigningKey(String base64EncodedSecretKey);
/**
- * Sets the signing key used to verify any discovered JWS digital signature. If the specified JWT string is not
- * a JWS (no signature), this key is not used.
- *
- *
Note that this key MUST be a valid key for the signature algorithm found in the JWT header
- * (as the {@code alg} header parameter).
- *
- *
This method overwrites any previously set key.
+ * Deprecation Notice
*
- * @param key the algorithm-specific signature verification key to use to validate any discovered JWS digital
- * signature.
+ * This method is being renamed to accurately reflect its purpose - the key is not technically a signing key,
+ * it is a signature verification key, and the two concepts can be different, especially with asymmetric key
+ * cryptography. The method has been deprecated since 0.12.0 in favor of
+ * {@link #verifyWith(SecretKey)} for type safety, to reflect accurate naming of the concept, and for name
+ * congruence with the {@link #decryptWith(SecretKey)} method.
+ *
+ * This method merely delegates directly to {@link #verifyWith(SecretKey)} or {@link #verifyWith(PublicKey)}}.
+ *
+ * @param key the algorithm-specific signature verification key to use to verify all encountered JWS digital
+ * signatures.
* @return the parser builder for method chaining.
+ * @deprecated since 0.12.0 in favor of {@link #verifyWith(SecretKey)} for naming congruence with the
+ * {@link #decryptWith(SecretKey)} method.
*/
+ @Deprecated
JwtParserBuilder setSigningKey(Key key);
/**
- * Sets the {@link SigningKeyResolver} used to acquire the signing key that should be used to verify
- * a JWS's signature. If the parsed String is not a JWS (no signature), this resolver is not used.
- *
+ * Sets the signature verification SecretKey used to verify all encountered JWS signatures. If the encountered JWT
+ * string is not a JWS (e.g. unsigned or a JWE), this key is not used.
+ *
+ *
This is a convenience method to use in a specific scenario: when the parser will only ever encounter
+ * JWSs with signatures that can always be verified by a single SecretKey. This also implies that this key
+ * MUST be a valid key for the signature algorithm ({@code alg} header) used for the JWS.
+ *
+ * If there is any chance that the parser will also encounter JWEs, or JWSs that need different signature
+ * verification keys based on the JWS being parsed, it is strongly recommended to configure your own
+ * {@link #keyLocator(Locator) keyLocator} instead of calling this method.
+ *
+ * Calling this method overrides any previously set signature verification key.
+ *
+ * @param key the signature verification key to use to verify all encountered JWS digital signatures.
+ * @return the parser builder for method chaining.
+ * @see #verifyWith(PublicKey)
+ * @since 0.12.0
+ */
+ JwtParserBuilder verifyWith(SecretKey key);
+
+ /**
+ * Sets the signature verification PublicKey used to verify all encountered JWS signatures. If the encountered JWT
+ * string is not a JWS (e.g. unsigned or a JWE), this key is not used.
+ *
+ * This is a convenience method to use in a specific scenario: when the parser will only ever encounter
+ * JWSs with signatures that can always be verified by a single PublicKey. This also implies that this key
+ * MUST be a valid key for the signature algorithm ({@code alg} header) used for the JWS.
+ *
+ * If there is any chance that the parser will also encounter JWEs, or JWSs that need different signature
+ * verification keys based on the JWS being parsed, it is strongly recommended to configure your own
+ * {@link #keyLocator(Locator) keyLocator} instead of calling this method.
+ *
+ * Calling this method overrides any previously set signature verification key.
+ *
+ * @param key the signature verification key to use to verify all encountered JWS digital signatures.
+ * @return the parser builder for method chaining.
+ * @see #verifyWith(SecretKey)
+ * @since 0.12.0
+ */
+ JwtParserBuilder verifyWith(PublicKey key);
+
+ /**
+ * Sets the decryption SecretKey used to decrypt all encountered JWEs. If the encountered JWT string is not a
+ * JWE (e.g. a JWS), this key is not used.
+ *
+ * This is a convenience method to use in specific circumstances: when the parser will only ever encounter
+ * JWEs that can always be decrypted by a single SecretKey. This also implies that this key MUST be a valid
+ * key for both the key management algorithm ({@code alg} header) and the content encryption algorithm
+ * ({@code enc} header) used for the JWE.
+ *
+ * If there is any chance that the parser will also encounter JWSs, or JWEs that need different decryption
+ * keys based on the JWE being parsed, it is strongly recommended to configure your own
+ * {@link #keyLocator(Locator) keyLocator} instead of calling this method.
+ *
+ * Calling this method overrides any previously set decryption key.
+ *
+ * @param key the algorithm-specific decryption key to use to decrypt all encountered JWEs.
+ * @return the parser builder for method chaining.
+ * @see #decryptWith(PrivateKey)
+ * @since 0.12.0
+ */
+ JwtParserBuilder decryptWith(SecretKey key);
+
+ /**
+ * Sets the decryption PrivateKey used to decrypt all encountered JWEs. If the encountered JWT string is not a
+ * JWE (e.g. a JWS), this key is not used.
+ *
+ * This is a convenience method to use in specific circumstances: when the parser will only ever encounter JWEs
+ * that can always be decrypted by a single PrivateKey. This also implies that this key MUST be a valid
+ * key for the JWE's key management algorithm ({@code alg} header).
+ *
+ * If there is any chance that the parser will also encounter JWSs, or JWEs that need different decryption
+ * keys based on the JWE being parsed, it is strongly recommended to configure your own
+ * {@link #keyLocator(Locator) keyLocator} instead of calling this method.
+ *
+ * Calling this method overrides any previously set decryption key.
+ *
+ * @param key the algorithm-specific decryption key to use to decrypt all encountered JWEs.
+ * @return the parser builder for method chaining.
+ * @see #decryptWith(SecretKey)
+ * @since 0.12.0
+ */
+ JwtParserBuilder decryptWith(PrivateKey key);
+
+ /**
+ * Sets the {@link Locator} used to acquire any signature verification or decryption key needed during parsing.
+ *
+ * - If the parsed String is a JWS, the {@code Locator} will be called to find the appropriate key
+ * necessary to verify the JWS signature.
+ * - If the parsed String is a JWE, it will be called to find the appropriate decryption key.
+ *
+ *
+ * A key {@code Locator} is necessary when the signature verification or decryption key is not
+ * already known before parsing the JWT and the JWT header must be inspected first to determine how to
+ * look up the verification or decryption key. Once returned by the locator, the JwtParser will then either
+ * verify the JWS signature or decrypt the JWE payload with the returned key. For example:
+ *
+ *
+ * Jws<Claims> jws = Jwts.parser().keyLocator(new Locator<Key>() {
+ * @Override
+ * public Key locate(Header<?> header) {
+ * if (header instanceof JwsHeader) {
+ * return getSignatureVerificationKey((JwsHeader)header); // implement me
+ * } else {
+ * return getDecryptionKey((JweHeader)header); // implement me
+ * }
+ * }})
+ * .build()
+ * .parseSignedClaims(compact);
+ *
+ *
+ * A Key {@code Locator} is invoked once during parsing before performing decryption or signature verification.
+ *
+ * Provider-constrained Keys
+ *
+ * If any verification or decryption key returned from a Key {@code Locator} must be used with a specific
+ * security {@link Provider} (such as for PKCS11 or Hardware Security Module (HSM) keys), you must make that
+ * Provider available for JWT parsing in one of 3 ways, listed in order of recommendation and simplicity:
+ *
+ *
+ * -
+ * Configure the Provider in the JVM, either by modifying the {@code java.security} file or by
+ * registering the Provider dynamically via
+ * {@link java.security.Security#addProvider(Provider) Security.addProvider(Provider)}. This is the
+ * recommended approach so you do not need to modify code anywhere that may need to parse JWTs.
+ * - Specify the {@code Provider} as the {@code JwtParser} default via {@link #provider(Provider)}. This will
+ * ensure the provider is used by default with all located keys unless overridden by a
+ * key-specific Provider. This is only recommended when you are confident that all JWTs encountered by the
+ * parser instance will use keys attributed to the same {@code Provider}, unless overridden by a specific
+ * key.
+ * - Associate the {@code Provider} with a specific key so it is used for that key only. This option
+ * is useful if some located keys require a specific provider, while other located keys can assume a
+ * default provider.
+ *
+ *
+ * If you need to use option #3, you associate a key for the {@code JwtParser}'s needs by using a
+ * key builder before returning the key as the {@code Locator} return value. For example:
+ *
+ * public Key locate(Header<?> header) {
+ * PrivateKey key = findKey(header); // or SecretKey
+ * Provider keySpecificProvider = getKeyProvider(key); // implement me
+ * // associate the key with its required provider:
+ * return Keys.builder(key).provider(keySpecificProvider).build();
+ * }
+ *
+ * @param keyLocator the locator used to retrieve decryption or signature verification keys.
+ * @return the parser builder for method chaining.
+ * @since 0.12.0
+ */
+ JwtParserBuilder keyLocator(Locator keyLocator);
+
+ /**
+ * Deprecation Notice
+ *
+ * This method has been deprecated as of JJWT version 0.12.0 because it only supports key location
+ * for JWSs (signed JWTs) instead of both signed (JWS) and encrypted (JWE) scenarios. Use the
+ * {@link #keyLocator(Locator) keyLocator} method instead to ensure a locator that can work for both JWS and
+ * JWE inputs. This method will be removed for the 1.0 release.
+ *
+ * Previous Documentation
+ *
+ * Sets the {@link SigningKeyResolver} used to acquire the signing key that should be used to verify
+ * a JWS's signature. If the parsed String is not a JWS (no signature), this resolver is not used.
+ *
* Specifying a {@code SigningKeyResolver} is necessary when the signing key is not already known before parsing
- * the JWT and the JWT header or payload (plaintext body or Claims) must be inspected first to determine how to
+ * the JWT and the JWT header or payload (content byte array or Claims) must be inspected first to determine how to
* look up the signing key. Once returned by the resolver, the JwtParser will then verify the JWS signature with the
* returned key. For example:
- *
+ *
*
* Jws<Claims> jws = Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
* @Override
* public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
* //inspect the header or claims, lookup and return the signing key
* return getSigningKey(header, claims); //implement me
* }})
- * .parseClaimsJws(compact);
+ * .build().parseSignedClaims(compact);
*
- *
+ *
*
A {@code SigningKeyResolver} is invoked once during parsing before the signature is verified.
- *
- *
This method should only be used if a signing key is not provided by the other {@code setSigningKey*} builder
- * methods.
*
* @param signingKeyResolver the signing key resolver used to retrieve the signing key.
* @return the parser builder for method chaining.
+ * @deprecated since 0.12.0 in favor of {@link #keyLocator(Locator)}
*/
+ @SuppressWarnings("DeprecatedIsStillUsed")
+ @Deprecated
JwtParserBuilder setSigningKeyResolver(SigningKeyResolver signingKeyResolver);
/**
+ * Configures the parser's supported {@link AeadAlgorithm}s used to decrypt JWE payloads. If the parser
+ * encounters a JWE {@link JweHeader#getEncryptionAlgorithm() enc} header value that equals an
+ * AEAD algorithm's {@link Identifiable#getId() id}, that algorithm will be used to decrypt the JWT
+ * payload.
+ *
+ * The collection's {@link Conjunctor#and() and()} method returns to the builder for continued parser
+ * configuration, for example:
+ *
+ * parserBuilder.enc().add(anAeadAlgorithm).{@link Conjunctor#and() and()} // etc...
+ *
+ * Standard Algorithms and Overrides
+ *
+ * All JWA-standard AEAD encryption algorithms in the {@link Jwts.ENC} registry are supported by default and
+ * do not need to be added. The collection may be useful however for removing some algorithms (for example,
+ * any algorithms not used by the application, or those not compatible with application security requirements),
+ * or for adding custom implementations.
+ *
+ * Custom Implementations
+ *
+ * There may be only one registered {@code AeadAlgorithm} per algorithm {@code id}, and any algorithm
+ * instances that are {@link io.jsonwebtoken.lang.CollectionMutator#add(Object) add}ed to this collection with a
+ * duplicate ID will evict any existing or previously-added algorithm with the same {@code id}. But beware:
+ *
+ *
+ * Any algorithm instance added to this collection with a JWA-standard {@link Identifiable#getId() id} will
+ * replace (override) the JJWT standard algorithm implementation.
+ *
+ * This is to allow application developers to favor their
+ * own implementations over JJWT's default implementations if necessary (for example, to support legacy or
+ * custom behavior).
+ *
+ * @return the {@link NestedCollection} to use to configure the AEAD encryption algorithms available when parsing.
+ * @see JwtBuilder#encryptWith(Key, KeyAlgorithm, AeadAlgorithm)
+ * @see Jwts.ENC
+ * @see "enc" (Encryption Algorithm) Header Parameter
+ * @see Encryption Algorithm Name (id) requirements
+ * @since 0.12.0
+ */
+ NestedCollection enc();
+
+ /**
+ * Configures the parser's supported {@link KeyAlgorithm}s used to obtain a JWE's decryption key. If the
+ * parser encounters a JWE {@link JweHeader#getAlgorithm()} alg} header value that equals a {@code KeyAlgorithm}'s
+ * {@link Identifiable#getId() id}, that key algorithm will be used to obtain the JWE's decryption key.
+ *
+ * The collection's {@link Conjunctor#and() and()} method returns to the builder for continued parser
+ * configuration, for example:
+ *
+ * parserBuilder.key().add(aKeyAlgorithm).{@link Conjunctor#and() and()} // etc...
+ *
+ * Standard Algorithms and Overrides
+ *
+ * All JWA-standard key encryption algorithms in the {@link Jwts.KEY} registry are supported by default and
+ * do not need to be added. The collection may be useful however for removing some algorithms (for example,
+ * any algorithms not used by the application, or those not compatible with application security requirements),
+ * or for adding custom implementations.
+ *
+ * Custom Implementations
+ *
+ * There may be only one registered {@code KeyAlgorithm} per algorithm {@code id}, and any algorithm
+ * instances that are {@link io.jsonwebtoken.lang.CollectionMutator#add(Object) add}ed to this collection with a
+ * duplicate ID will evict any existing or previously-added algorithm with the same {@code id}. But beware:
+ *
+ *
+ * Any algorithm instance added to this collection with a JWA-standard {@link Identifiable#getId() id} will
+ * replace (override) the JJWT standard algorithm implementation.
+ *
+ * This is to allow application developers to favor their
+ * own implementations over JJWT's default implementations if necessary (for example, to support legacy or
+ * custom behavior).
+ *
+ * @return the {@link NestedCollection} to use to configure the key algorithms available when parsing.
+ * @see JwtBuilder#encryptWith(Key, KeyAlgorithm, AeadAlgorithm)
+ * @see Jwts.KEY
+ * @see JWE "alg" (Algorithm) Header Parameter
+ * @see Key Algorithm Name (id) requirements
+ * @since 0.12.0
+ */
+ NestedCollection, JwtParserBuilder> key();
+
+ /**
+ * Configures the parser's supported
+ * {@link io.jsonwebtoken.security.SignatureAlgorithm SignatureAlgorithm} and
+ * {@link io.jsonwebtoken.security.MacAlgorithm MacAlgorithm}s used to verify JWS signatures. If the parser
+ * encounters a JWS {@link ProtectedHeader#getAlgorithm() alg} header value that equals a signature or MAC
+ * algorithm's {@link Identifiable#getId() id}, that algorithm will be used to verify the JWS signature.
+ *
+ * The collection's {@link Conjunctor#and() and()} method returns to the builder for continued parser
+ * configuration, for example:
+ *
+ * parserBuilder.sig().add(aSignatureAlgorithm).{@link Conjunctor#and() and()} // etc...
+ *
+ * Standard Algorithms and Overrides
+ *
+ * All JWA-standard signature and MAC algorithms in the {@link Jwts.SIG} registry are supported by default and
+ * do not need to be added. The collection may be useful however for removing some algorithms (for example,
+ * any algorithms not used by the application, or those not compatible with application security requirements), or
+ * for adding custom implementations.
+ *
+ * Custom Implementations
+ *
+ * There may be only one registered {@code SecureDigestAlgorithm} per algorithm {@code id}, and any algorithm
+ * instances that are {@link io.jsonwebtoken.lang.CollectionMutator#add(Object) add}ed to this collection with a
+ * duplicate ID will evict any existing or previously-added algorithm with the same {@code id}. But beware:
+ *
+ *
+ * Any algorithm instance added to this collection with a JWA-standard {@link Identifiable#getId() id} will
+ * replace (override) the JJWT standard algorithm implementation.
+ *
+ * This is to allow application developers to favor their
+ * own implementations over JJWT's default implementations if necessary (for example, to support legacy or
+ * custom behavior).
+ *
+ * @return the {@link NestedCollection} to use to configure the signature and MAC algorithms available when parsing.
+ * @see JwtBuilder#signWith(Key, SecureDigestAlgorithm)
+ * @see Jwts.SIG
+ * @see JWS "alg" (Algorithm) Header Parameter
+ * @see Algorithm Name (id) requirements
+ * @since 0.12.0
+ */
+ NestedCollection, JwtParserBuilder> sig();
+
+ /**
+ * Configures the parser's supported {@link CompressionAlgorithm}s used to decompress JWT payloads. If the parser
+ * encounters a JWT {@link ProtectedHeader#getCompressionAlgorithm() zip} header value that equals a
+ * compression algorithm's {@link Identifiable#getId() id}, that algorithm will be used to decompress the JWT
+ * payload.
+ *
+ * The collection's {@link Conjunctor#and() and()} method returns to the builder for continued parser
+ * configuration, for example:
+ *
+ * parserBuilder.zip().add(aCompressionAlgorithm).{@link Conjunctor#and() and()} // etc...
+ *
+ * Standard Algorithms and Overrides
+ *
+ * All JWA-standard compression algorithms in the {@link Jwts.ZIP} registry are supported by default and
+ * do not need to be added. The collection may be useful however for removing some algorithms (for example,
+ * any algorithms not used by the application), or for adding custom implementations.
+ *
+ * Custom Implementations
+ *
+ * There may be only one registered {@code CompressionAlgorithm} per algorithm {@code id}, and any algorithm
+ * instances that are {@link io.jsonwebtoken.lang.CollectionMutator#add(Object) add}ed to this collection with a
+ * duplicate ID will evict any existing or previously-added algorithm with the same {@code id}. But beware:
+ *
+ *
+ * Any algorithm instance added to this collection with a JWA-standard {@link Identifiable#getId() id} will
+ * replace (override) the JJWT standard algorithm implementation.
+ *
+ * This is to allow application developers to favor their
+ * own implementations over JJWT's default implementations if necessary (for example, to support legacy or
+ * custom behavior).
+ *
+ * @return the {@link NestedCollection} to use to configure the compression algorithms available when parsing.
+ * @see JwtBuilder#compressWith(CompressionAlgorithm)
+ * @see Jwts.ZIP
+ * @see "zip" (Compression Algorithm) Header Parameter
+ * @see Compression Algorithm Name (id) requirements
+ * @since 0.12.0
+ */
+ NestedCollection zip();
+
+ /**
+ * Deprecated as of JJWT 0.12.0. This method will be removed before the 1.0 release.
+ *
+ * This method has been deprecated as of JJWT version 0.12.0 because it imposed unnecessary
+ * implementation requirements on application developers when simply adding to a compression algorithm collection
+ * would suffice. Use the {@link #zip()} method instead to add
+ * any custom algorithm implementations without needing to also implement a Locator implementation.
+ *
+ * Previous Documentation
+ *
* Sets the {@link CompressionCodecResolver} used to acquire the {@link CompressionCodec} that should be used to
* decompress the JWT body. If the parsed JWT is not compressed, this resolver is not used.
- *
NOTE: Compression is not defined by the JWT Specification, and it is not expected that other libraries
- * (including JJWT versions < 0.6.0) are able to consume a compressed JWT body correctly. This method is only
- * useful if the compact JWT was compressed with JJWT >= 0.6.0 or another library that you know implements
- * the same behavior.
- * Default Support
- * JJWT's default {@link JwtParser} implementation supports both the
- * {@link CompressionCodecs#DEFLATE DEFLATE}
- * and {@link CompressionCodecs#GZIP GZIP} algorithms by default - you do not need to
+ *
+ *
WARNING: Compression is not defined by the JWS Specification - only the JWE Specification - and it is
+ * not expected that other libraries (including JJWT versions < 0.6.0) are able to consume a compressed JWS
+ * body correctly.
+ *
+ * Default Support
+ *
+ * JJWT's default {@link JwtParser} implementation supports both the {@link Jwts.ZIP#DEF DEF}
+ * and {@link Jwts.ZIP#GZIP GZIP} algorithms by default - you do not need to
* specify a {@code CompressionCodecResolver} in these cases.
- * However, if you want to use a compression algorithm other than {@code DEF} or {@code GZIP}, you must implement
- * your own {@link CompressionCodecResolver} and specify that via this method and also when
- * {@link io.jsonwebtoken.JwtBuilder#compressWith(CompressionCodec) building} JWTs.
*
* @param compressionCodecResolver the compression codec resolver used to decompress the JWT body.
* @return the parser builder for method chaining.
+ * @deprecated since 0.12.0 in favor of {@link #zip()}. This method will be removed before the
+ * 1.0 release.
*/
+ @Deprecated
JwtParserBuilder setCompressionCodecResolver(CompressionCodecResolver compressionCodecResolver);
/**
@@ -281,10 +763,27 @@
*
* @param base64UrlDecoder the decoder to use when Base64Url-decoding
* @return the parser builder for method chaining.
+ * @deprecated since 0.12.0 in favor of {@link #b64Url(Decoder)}. This method will be removed
+ * before the JJWT 1.0 release.
*/
- JwtParserBuilder base64UrlDecodeWith(Decoder base64UrlDecoder);
+ @Deprecated
+ JwtParserBuilder base64UrlDecodeWith(Decoder base64UrlDecoder);
/**
+ * Perform Base64Url decoding during parsing with the specified {@code InputStream} Decoder.
+ * The Decoder's {@link Decoder#decode(Object) decode} method will be given a source {@code InputStream} to
+ * wrap, and the resulting (wrapping) {@code InputStream} will be used for reading , ensuring automatic
+ * Base64URL-decoding during read operations.
+ *
+ * JJWT uses a spec-compliant decoder that works on all supported JDK versions, but you may call this method
+ * to specify a different stream decoder if desired.
+ *
+ * @param base64UrlDecoder the stream decoder to use when Base64Url-decoding
+ * @return the parser builder for method chaining.
+ */
+ JwtParserBuilder b64Url(Decoder base64UrlDecoder);
+
+ /**
* Uses the specified deserializer to convert JSON Strings (UTF-8 byte arrays) into Java Map objects. This is
* used by the parser after Base64Url-decoding to convert JWT/JWS/JWT JSON headers and claims into Java Map
* objects.
@@ -296,11 +795,31 @@
*
* @param deserializer the deserializer to use when converting JSON Strings (UTF-8 byte arrays) into Map objects.
* @return the builder for method chaining.
+ * @deprecated since 0.12.0 in favor of {@link #json(Deserializer)}.
+ * This method will be removed before the JJWT 1.0 release.
*/
- JwtParserBuilder deserializeJsonWith(Deserializer> deserializer);
+ @Deprecated
+ JwtParserBuilder deserializeJsonWith(Deserializer> deserializer);
/**
+ * Uses the specified JSON {@link Deserializer} to deserialize JSON (UTF-8 byte streams) into Java Map objects.
+ * This is used by the parser after Base64Url-decoding to convert JWT/JWS/JWT headers and Claims into Java Map
+ * instances.
+ *
+ * If this method is not called, JJWT will use whatever Deserializer it can find at runtime, checking for the
+ * presence of well-known implementations such Jackson, Gson, and org.json. If one of these is not found
+ * in the runtime classpath, an exception will be thrown when one of the various {@code parse}* methods is
+ * invoked.
+ *
+ * @param deserializer the deserializer to use to deserialize JSON (UTF-8 byte streams) into Map instances.
+ * @return the builder for method chaining.
+ * @since 0.12.0
+ */
+ JwtParserBuilder json(Deserializer> deserializer);
+
+ /**
* Returns an immutable/thread-safe {@link JwtParser} created from the configuration from this JwtParserBuilder.
+ *
* @return an immutable/thread-safe JwtParser created from the configuration from this JwtParserBuilder.
*/
JwtParser build();
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtVisitor.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtVisitor.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/JwtVisitor.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,68 @@
+/*
+ * Copyright © 2023 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+/**
+ * A JwtVisitor supports the Visitor design pattern for
+ * {@link Jwt} instances. Visitor implementations define logic for a specific JWT subtype or payload subtype
+ * avoiding type-checking if-then-else conditionals in favor of type-safe method dispatch when encountering a JWT.
+ *
+ * @param the type of object to return after invoking the {@link Jwt#accept(JwtVisitor)} method.
+ * @since 0.12.0
+ */
+public interface JwtVisitor {
+
+ /**
+ * Handles an encountered Unsecured JWT that has not been cryptographically secured at all. Implementations can
+ * check the {@link Jwt#getPayload()} to determine if it is a {@link Claims} instance or a {@code byte[]} array.
+ *
+ * If the payload is a {@code byte[]} array, and the JWT creator has set the (optional)
+ * {@link Header#getContentType()} value, the application may inspect that value to determine how to convert
+ * the byte array to the final type as desired.
+ *
+ * @param jwt the parsed Unsecured JWT.
+ * @return any object to be used after inspecting the JWT, or {@code null} if no return value is necessary.
+ */
+ T visit(Jwt jwt);
+
+ /**
+ * Handles an encountered JSON Web Signature (aka 'JWS') message that has been cryptographically
+ * verified/authenticated. Implementations can check the {@link Jwt#getPayload()} determine if it is a
+ * {@link Claims} instance or a {@code byte[]} array.
+ *
+ * If the payload is a {@code byte[]} array, and the JWS creator has set the (optional)
+ * {@link Header#getContentType()} value, the application may inspect that value to determine how to convert
+ * the byte array to the final type as desired.
+ *
+ * @param jws the parsed verified/authenticated JWS.
+ * @return any object to be used after inspecting the JWS, or {@code null} if no return value is necessary.
+ */
+ T visit(Jws jws);
+
+ /**
+ * Handles an encountered JSON Web Encryption (aka 'JWE') message that has been authenticated and decrypted.
+ * Implementations can check the (decrypted) {@link Jwt#getPayload()} to determine if it is a {@link Claims}
+ * instance or a {@code byte[]} array.
+ *
+ * If the payload is a {@code byte[]} array, and the JWE creator has set the (optional)
+ * {@link Header#getContentType()} value, the application may inspect that value to determine how to convert
+ * the byte array to the final type as desired.
+ *
+ * @param jwe the parsed authenticated and decrypted JWE.
+ * @return any object to be used after inspecting the JWE, or {@code null} if no return value is necessary.
+ */
+ T visit(Jwe jwe);
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jwts.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jwts.java (.../Jwts.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Jwts.java (.../Jwts.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -15,119 +15,1038 @@
*/
package io.jsonwebtoken;
+import io.jsonwebtoken.io.CompressionAlgorithm;
+import io.jsonwebtoken.lang.Builder;
import io.jsonwebtoken.lang.Classes;
+import io.jsonwebtoken.lang.Registry;
+import io.jsonwebtoken.security.AeadAlgorithm;
+import io.jsonwebtoken.security.KeyAlgorithm;
+import io.jsonwebtoken.security.KeyPairBuilderSupplier;
+import io.jsonwebtoken.security.MacAlgorithm;
+import io.jsonwebtoken.security.Password;
+import io.jsonwebtoken.security.SecretKeyAlgorithm;
+import io.jsonwebtoken.security.SecureDigestAlgorithm;
+import io.jsonwebtoken.security.SignatureAlgorithm;
+import io.jsonwebtoken.security.X509Builder;
+import javax.crypto.SecretKey;
+import java.security.Key;
+import java.security.PrivateKey;
+import java.security.PublicKey;
import java.util.Map;
/**
* Factory class useful for creating instances of JWT interfaces. Using this factory class can be a good
* alternative to tightly coupling your code to implementation classes.
*
+ * Standard Algorithm References
+ * Standard JSON Web Token algorithms used during JWS or JWE building or parsing are available organized by
+ * algorithm type. Each organized collection of algorithms is available via a constant to allow
+ * for easy code-completion in IDEs, showing available algorithm instances. For example, when typing:
+ *
+ * Jwts.// press code-completion hotkeys to suggest available algorithm registry fields
+ * Jwts.{@link SIG SIG}.// press hotkeys to suggest individual Digital Signature or MAC algorithms or utility methods
+ * Jwts.{@link ENC ENC}.// press hotkeys to suggest individual encryption algorithms or utility methods
+ * Jwts.{@link KEY KEY}.// press hotkeys to suggest individual key algorithms or utility methods
+ *
* @since 0.1
*/
public final class Jwts {
- private static final Class[] MAP_ARG = new Class[]{Map.class};
- private Jwts() {
+ // do not change this visibility. Raw type method signature not be publicly exposed:
+ @SuppressWarnings("unchecked")
+ private static T get(Registry registry, String id) {
+ return (T) registry.forKey(id);
}
/**
- * Creates a new {@link Header} instance suitable for plaintext (not digitally signed) JWTs. As this
- * is a less common use of JWTs, consider using the {@link #jwsHeader()} factory method instead if you will later
- * digitally sign the JWT.
+ * Constants for all standard JWA
+ * Cryptographic Algorithms for Content
+ * Encryption defined in the JSON
+ * Web Signature and Encryption Algorithms Registry. Each standard algorithm is available as a
+ * ({@code public static final}) constant for direct type-safe reference in application code. For example:
+ *
+ * Jwts.builder()
+ * // ... etc ...
+ * .encryptWith(aKey, Jwts.ENC.A256GCM) // or A128GCM, A192GCM, etc...
+ * .build();
+ * They are also available together as a {@link Registry} instance via the {@link #get()} method.
*
- * @return a new {@link Header} instance suitable for plaintext (not digitally signed) JWTs.
+ * @see #get()
+ * @since 0.12.0
*/
- public static Header header() {
- return Classes.newInstance("io.jsonwebtoken.impl.DefaultHeader");
+ public static final class ENC {
+
+ private static final String IMPL_CLASSNAME = "io.jsonwebtoken.impl.security.StandardEncryptionAlgorithms";
+ private static final Registry REGISTRY = Classes.newInstance(IMPL_CLASSNAME);
+
+ /**
+ * Returns all standard JWA Cryptographic
+ * Algorithms for Content Encryption defined in the
+ * JSON Web Signature and Encryption
+ * Algorithms Registry.
+ *
+ * @return all standard JWA content encryption algorithms.
+ */
+ public static Registry get() {
+ return REGISTRY;
+ }
+
+ // prevent instantiation
+ private ENC() {
+ }
+
+ /**
+ * {@code AES_128_CBC_HMAC_SHA_256} authenticated encryption algorithm as defined by
+ * RFC 7518, Section 5.2.3. This algorithm
+ * requires a 256-bit (32 byte) key.
+ */
+ public static final AeadAlgorithm A128CBC_HS256 = get().forKey("A128CBC-HS256");
+
+ /**
+ * {@code AES_192_CBC_HMAC_SHA_384} authenticated encryption algorithm, as defined by
+ * RFC 7518, Section 5.2.4. This algorithm
+ * requires a 384-bit (48 byte) key.
+ */
+ public static final AeadAlgorithm A192CBC_HS384 = get().forKey("A192CBC-HS384");
+
+ /**
+ * {@code AES_256_CBC_HMAC_SHA_512} authenticated encryption algorithm, as defined by
+ * RFC 7518, Section 5.2.5. This algorithm
+ * requires a 512-bit (64 byte) key.
+ */
+ public static final AeadAlgorithm A256CBC_HS512 = get().forKey("A256CBC-HS512");
+
+ /**
+ * "AES GCM using 128-bit key" as defined by
+ * RFC 7518, Section 5.31. This
+ * algorithm requires a 128-bit (16 byte) key.
+ *
+ * 1 Requires Java 8 or a compatible JCA Provider (like BouncyCastle) in the runtime
+ * classpath. If on Java 7 or earlier, BouncyCastle will be used automatically if found in the runtime
+ * classpath.
+ */
+ public static final AeadAlgorithm A128GCM = get().forKey("A128GCM");
+
+ /**
+ * "AES GCM using 192-bit key" as defined by
+ * RFC 7518, Section 5.31. This
+ * algorithm requires a 192-bit (24 byte) key.
+ *
+ * 1 Requires Java 8 or a compatible JCA Provider (like BouncyCastle) in the runtime
+ * classpath. If on Java 7 or earlier, BouncyCastle will be used automatically if found in the runtime
+ * classpath.
+ */
+ public static final AeadAlgorithm A192GCM = get().forKey("A192GCM");
+
+ /**
+ * "AES GCM using 256-bit key" as defined by
+ * RFC 7518, Section 5.31. This
+ * algorithm requires a 256-bit (32 byte) key.
+ *
+ * 1 Requires Java 8 or a compatible JCA Provider (like BouncyCastle) in the runtime
+ * classpath. If on Java 7 or earlier, BouncyCastle will be used automatically if found in the runtime
+ * classpath.
+ */
+ public static final AeadAlgorithm A256GCM = get().forKey("A256GCM");
}
/**
- * Creates a new {@link Header} instance suitable for plaintext (not digitally signed) JWTs, populated
- * with the specified name/value pairs. As this is a less common use of JWTs, consider using the
- * {@link #jwsHeader(java.util.Map)} factory method instead if you will later digitally sign the JWT.
+ * Constants for all JWA (RFC 7518) standard
+ * Cryptographic Algorithms for Digital Signatures and MACs defined in the
+ * JSON Web Signature and Encryption Algorithms
+ * Registry. Each standard algorithm is available as a ({@code public static final}) constant for
+ * direct type-safe reference in application code. For example:
+ *
+ * Jwts.builder()
+ * // ... etc ...
+ * .signWith(aKey, Jwts.SIG.HS512) // or RS512, PS256, EdDSA, etc...
+ * .build();
+ * They are also available together as a {@link Registry} instance via the {@link #get()} method.
*
- * @return a new {@link Header} instance suitable for plaintext (not digitally signed) JWTs.
+ * @see #get()
+ * @since 0.12.0
*/
- public static Header header(Map header) {
- return Classes.newInstance("io.jsonwebtoken.impl.DefaultHeader", MAP_ARG, header);
+ public static final class SIG {
+
+ private static final String IMPL_CLASSNAME = "io.jsonwebtoken.impl.security.StandardSecureDigestAlgorithms";
+ private static final Registry> REGISTRY = Classes.newInstance(IMPL_CLASSNAME);
+
+ //prevent instantiation
+ private SIG() {
+ }
+
+ /**
+ * Returns all standard JWA Cryptographic
+ * Algorithms for Digital Signatures and MACs defined in the
+ * JSON Web Signature and Encryption
+ * Algorithms Registry.
+ *
+ * @return all standard JWA digital signature and MAC algorithms.
+ */
+ public static Registry> get() {
+ return REGISTRY;
+ }
+
+ /**
+ * The "none" signature algorithm as defined by
+ * RFC 7518, Section 3.6. This algorithm
+ * is used only when creating unsecured (not integrity protected) JWSs and is not usable in any other scenario.
+ * Any attempt to call its methods will result in an exception being thrown.
+ */
+ public static final SecureDigestAlgorithm NONE = Jwts.get(REGISTRY, "none");
+
+ /**
+ * {@code HMAC using SHA-256} message authentication algorithm as defined by
+ * RFC 7518, Section 3.2. This algorithm
+ * requires a 256-bit (32 byte) key.
+ */
+ public static final MacAlgorithm HS256 = Jwts.get(REGISTRY, "HS256");
+
+ /**
+ * {@code HMAC using SHA-384} message authentication algorithm as defined by
+ * RFC 7518, Section 3.2. This algorithm
+ * requires a 384-bit (48 byte) key.
+ */
+ public static final MacAlgorithm HS384 = Jwts.get(REGISTRY, "HS384");
+
+ /**
+ * {@code HMAC using SHA-512} message authentication algorithm as defined by
+ * RFC 7518, Section 3.2. This algorithm
+ * requires a 512-bit (64 byte) key.
+ */
+ public static final MacAlgorithm HS512 = Jwts.get(REGISTRY, "HS512");
+
+ /**
+ * {@code RSASSA-PKCS1-v1_5 using SHA-256} signature algorithm as defined by
+ * RFC 7518, Section 3.3. This algorithm
+ * requires a 2048-bit key.
+ */
+ public static final SignatureAlgorithm RS256 = Jwts.get(REGISTRY, "RS256");
+
+ /**
+ * {@code RSASSA-PKCS1-v1_5 using SHA-384} signature algorithm as defined by
+ * RFC 7518, Section 3.3. This algorithm
+ * requires a 2048-bit key, but the JJWT team recommends a 3072-bit key.
+ */
+ public static final SignatureAlgorithm RS384 = Jwts.get(REGISTRY, "RS384");
+
+ /**
+ * {@code RSASSA-PKCS1-v1_5 using SHA-512} signature algorithm as defined by
+ * RFC 7518, Section 3.3. This algorithm
+ * requires a 2048-bit key, but the JJWT team recommends a 4096-bit key.
+ */
+ public static final SignatureAlgorithm RS512 = Jwts.get(REGISTRY, "RS512");
+
+ /**
+ * {@code RSASSA-PSS using SHA-256 and MGF1 with SHA-256} signature algorithm as defined by
+ * RFC 7518, Section 3.51.
+ * This algorithm requires a 2048-bit key.
+ *
+ * 1 Requires Java 11 or a compatible JCA Provider (like BouncyCastle) in the runtime
+ * classpath. If on Java 10 or earlier, BouncyCastle will be used automatically if found in the runtime
+ * classpath.
+ */
+ public static final SignatureAlgorithm PS256 = Jwts.get(REGISTRY, "PS256");
+
+ /**
+ * {@code RSASSA-PSS using SHA-384 and MGF1 with SHA-384} signature algorithm as defined by
+ * RFC 7518, Section 3.51.
+ * This algorithm requires a 2048-bit key, but the JJWT team recommends a 3072-bit key.
+ *
+ * 1 Requires Java 11 or a compatible JCA Provider (like BouncyCastle) in the runtime
+ * classpath. If on Java 10 or earlier, BouncyCastle will be used automatically if found in the runtime
+ * classpath.
+ */
+ public static final SignatureAlgorithm PS384 = Jwts.get(REGISTRY, "PS384");
+
+ /**
+ * {@code RSASSA-PSS using SHA-512 and MGF1 with SHA-512} signature algorithm as defined by
+ * RFC 7518, Section 3.51.
+ * This algorithm requires a 2048-bit key, but the JJWT team recommends a 4096-bit key.
+ *
+ * 1 Requires Java 11 or a compatible JCA Provider (like BouncyCastle) in the runtime
+ * classpath. If on Java 10 or earlier, BouncyCastle will be used automatically if found in the runtime
+ * classpath.
+ */
+ public static final SignatureAlgorithm PS512 = Jwts.get(REGISTRY, "PS512");
+
+ /**
+ * {@code ECDSA using P-256 and SHA-256} signature algorithm as defined by
+ * RFC 7518, Section 3.4. This algorithm
+ * requires a 256-bit key.
+ */
+ public static final SignatureAlgorithm ES256 = Jwts.get(REGISTRY, "ES256");
+
+ /**
+ * {@code ECDSA using P-384 and SHA-384} signature algorithm as defined by
+ * RFC 7518, Section 3.4. This algorithm
+ * requires a 384-bit key.
+ */
+ public static final SignatureAlgorithm ES384 = Jwts.get(REGISTRY, "ES384");
+
+ /**
+ * {@code ECDSA using P-521 and SHA-512} signature algorithm as defined by
+ * RFC 7518, Section 3.4. This algorithm
+ * requires a 521-bit key.
+ */
+ public static final SignatureAlgorithm ES512 = Jwts.get(REGISTRY, "ES512");
+
+ /**
+ * {@code EdDSA} signature algorithm defined by
+ * RFC 8037, Section 3.1 that requires
+ * either {@code Ed25519} or {@code Ed448} Edwards Elliptic Curve1 keys.
+ *
+ * KeyPair Generation
+ *
+ * This instance's {@link KeyPairBuilderSupplier#keyPair() keyPair()} builder creates {@code Ed448} keys,
+ * and is essentially an alias for
+ * {@link io.jsonwebtoken.security.Jwks.CRV Jwks.CRV}.{@link io.jsonwebtoken.security.Jwks.CRV#Ed448 Ed448}.{@link KeyPairBuilderSupplier#keyPair() keyPair()}.
+ *
+ * If you would like to generate an {@code Ed25519} {@code KeyPair} for use with the {@code EdDSA} algorithm,
+ * you may use the
+ * {@link io.jsonwebtoken.security.Jwks.CRV Jwks.CRV}.{@link io.jsonwebtoken.security.Jwks.CRV#Ed25519 Ed25519}.{@link KeyPairBuilderSupplier#keyPair() keyPair()}
+ * builder instead.
+ *
+ * 1This algorithm requires at least JDK 15 or a compatible JCA Provider (like BouncyCastle) in the runtime
+ * classpath.
+ */
+ public static final SignatureAlgorithm EdDSA = Jwts.get(REGISTRY, "EdDSA");
}
/**
- * Returns a new {@link JwsHeader} instance suitable for digitally signed JWTs (aka 'JWS's).
+ * Constants for all standard JWA (RFC 7518)
+ * Cryptographic Algorithms for Key Management. Each standard algorithm is available as a
+ * ({@code public static final}) constant for direct type-safe reference in application code. For example:
+ *
+ * Jwts.builder()
+ * // ... etc ...
+ * .encryptWith(aKey, Jwts.KEY.ECDH_ES_A256KW, Jwts.ENC.A256GCM)
+ * .build();
+ * They are also available together as a {@link Registry} instance via the {@link #get()} method.
*
- * @return a new {@link JwsHeader} instance suitable for digitally signed JWTs (aka 'JWS's).
- * @see JwtBuilder#setHeader(Header)
+ * @see #get()
+ * @since 0.12.0
*/
- public static JwsHeader jwsHeader() {
- return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwsHeader");
+ public static final class KEY {
+
+ private static final String IMPL_CLASSNAME = "io.jsonwebtoken.impl.security.StandardKeyAlgorithms";
+ private static final Registry> REGISTRY = Classes.newInstance(IMPL_CLASSNAME);
+
+ /**
+ * Returns all standard JWA standard Cryptographic
+ * Algorithms for Key Management..
+ *
+ * @return all standard JWA Key Management algorithms.
+ */
+ public static Registry> get() {
+ return REGISTRY;
+ }
+
+ /**
+ * Key algorithm reflecting direct use of a shared symmetric key as the JWE AEAD encryption key, as defined
+ * by RFC 7518 (JWA), Section 4.5. This
+ * algorithm does not produce encrypted key ciphertext.
+ */
+ public static final KeyAlgorithm DIRECT = Jwts.get(REGISTRY, "dir");
+
+ /**
+ * AES Key Wrap algorithm with default initial value using a 128-bit key, as defined by
+ * RFC 7518 (JWA), Section 4.4.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random content encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Encrypts this newly-generated {@code SecretKey} with a 128-bit shared symmetric key using the
+ * AES Key Wrap algorithm, producing encrypted key ciphertext.
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the encrypted key ciphertext embedded in the received JWE.
+ * - Decrypts the encrypted key ciphertext with the 128-bit shared symmetric key,
+ * using the AES Key Unwrap algorithm, producing the decryption key plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final SecretKeyAlgorithm A128KW = Jwts.get(REGISTRY, "A128KW");
+
+ /**
+ * AES Key Wrap algorithm with default initial value using a 192-bit key, as defined by
+ * RFC 7518 (JWA), Section 4.4.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random content encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Encrypts this newly-generated {@code SecretKey} with a 192-bit shared symmetric key using the
+ * AES Key Wrap algorithm, producing encrypted key ciphertext.
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the encrypted key ciphertext embedded in the received JWE.
+ * - Decrypts the encrypted key ciphertext with the 192-bit shared symmetric key,
+ * using the AES Key Unwrap algorithm, producing the decryption key plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final SecretKeyAlgorithm A192KW = Jwts.get(REGISTRY, "A192KW");
+
+ /**
+ * AES Key Wrap algorithm with default initial value using a 256-bit key, as defined by
+ * RFC 7518 (JWA), Section 4.4.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random content encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Encrypts this newly-generated {@code SecretKey} with a 256-bit shared symmetric key using the
+ * AES Key Wrap algorithm, producing encrypted key ciphertext.
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the encrypted key ciphertext embedded in the received JWE.
+ * - Decrypts the encrypted key ciphertext with the 256-bit shared symmetric key,
+ * using the AES Key Unwrap algorithm, producing the decryption key plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final SecretKeyAlgorithm A256KW = Jwts.get(REGISTRY, "A256KW");
+
+ /**
+ * Key wrap algorithm with AES GCM using a 128-bit key, as defined by
+ * RFC 7518 (JWA), Section 4.7.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random content encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Generates a new secure-random 96-bit Initialization Vector to use during key wrap/encryption.
+ * - Encrypts this newly-generated {@code SecretKey} with a 128-bit shared symmetric key using the
+ * AES GCM Key Wrap algorithm with the generated Initialization Vector, producing encrypted key ciphertext
+ * and GCM authentication tag.
+ * - Sets the generated initialization vector as the required
+ * "iv"
+ * (Initialization Vector) Header Parameter
+ * - Sets the resulting GCM authentication tag as the required
+ * "tag"
+ * (Authentication Tag) Header Parameter
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the encrypted key ciphertext embedded in the received JWE.
+ * - Obtains the required initialization vector from the
+ * "iv"
+ * (Initialization Vector) Header Parameter
+ * - Obtains the required GCM authentication tag from the
+ * "tag"
+ * (Authentication Tag) Header Parameter
+ * - Decrypts the encrypted key ciphertext with the 128-bit shared symmetric key, the initialization vector
+ * and GCM authentication tag using the AES GCM Key Unwrap algorithm, producing the decryption key
+ * plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final SecretKeyAlgorithm A128GCMKW = Jwts.get(REGISTRY, "A128GCMKW");
+
+ /**
+ * Key wrap algorithm with AES GCM using a 192-bit key, as defined by
+ * RFC 7518 (JWA), Section 4.7.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random content encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Generates a new secure-random 96-bit Initialization Vector to use during key wrap/encryption.
+ * - Encrypts this newly-generated {@code SecretKey} with a 192-bit shared symmetric key using the
+ * AES GCM Key Wrap algorithm with the generated Initialization Vector, producing encrypted key ciphertext
+ * and GCM authentication tag.
+ * - Sets the generated initialization vector as the required
+ * "iv"
+ * (Initialization Vector) Header Parameter
+ * - Sets the resulting GCM authentication tag as the required
+ * "tag"
+ * (Authentication Tag) Header Parameter
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the encrypted key ciphertext embedded in the received JWE.
+ * - Obtains the required initialization vector from the
+ * "iv"
+ * (Initialization Vector) Header Parameter
+ * - Obtains the required GCM authentication tag from the
+ * "tag"
+ * (Authentication Tag) Header Parameter
+ * - Decrypts the encrypted key ciphertext with the 192-bit shared symmetric key, the initialization vector
+ * and GCM authentication tag using the AES GCM Key Unwrap algorithm, producing the decryption key \
+ * plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final SecretKeyAlgorithm A192GCMKW = Jwts.get(REGISTRY, "A192GCMKW");
+
+ /**
+ * Key wrap algorithm with AES GCM using a 256-bit key, as defined by
+ * RFC 7518 (JWA), Section 4.7.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random content encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Generates a new secure-random 96-bit Initialization Vector to use during key wrap/encryption.
+ * - Encrypts this newly-generated {@code SecretKey} with a 256-bit shared symmetric key using the
+ * AES GCM Key Wrap algorithm with the generated Initialization Vector, producing encrypted key ciphertext
+ * and GCM authentication tag.
+ * - Sets the generated initialization vector as the required
+ * "iv"
+ * (Initialization Vector) Header Parameter
+ * - Sets the resulting GCM authentication tag as the required
+ * "tag"
+ * (Authentication Tag) Header Parameter
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the encrypted key ciphertext embedded in the received JWE.
+ * - Obtains the required initialization vector from the
+ * "iv"
+ * (Initialization Vector) Header Parameter
+ * - Obtains the required GCM authentication tag from the
+ * "tag"
+ * (Authentication Tag) Header Parameter
+ * - Decrypts the encrypted key ciphertext with the 256-bit shared symmetric key, the initialization vector
+ * and GCM authentication tag using the AES GCM Key Unwrap algorithm, producing the decryption key \
+ * plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final SecretKeyAlgorithm A256GCMKW = Jwts.get(REGISTRY, "A256GCMKW");
+
+ /**
+ * Key encryption algorithm using PBES2 with HMAC SHA-256 and "A128KW" wrapping
+ * as defined by
+ * RFC 7518 (JWA), Section 4.8.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Determines the number of PBDKF2 iterations via the JWE header's
+ * {@link JweHeader#getPbes2Count() pbes2Count} value. If that value is not set, a suitable number of
+ * iterations will be chosen based on
+ * OWASP
+ * PBKDF2 recommendations and then that value is set as the JWE header {@code pbes2Count} value.
+ * - Generates a new secure-random salt input and sets it as the JWE header
+ * {@link JweHeader#getPbes2Salt() pbes2Salt} value.
+ * - Derives a 128-bit Key Encryption Key with the PBES2-HS256 password-based key derivation algorithm,
+ * using the provided password, iteration count, and input salt as arguments.
+ * - Generates a new secure-random Content Encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Encrypts this newly-generated Content Encryption {@code SecretKey} with the {@code A128KW} key wrap
+ * algorithm using the 128-bit derived password-based Key Encryption Key from step {@code #3},
+ * producing encrypted key ciphertext.
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * Content Encryption {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated
+ * {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the required PBKDF2 input salt from the
+ * "p2s"
+ * (PBES2 Salt Input) Header Parameter
+ * - Obtains the required PBKDF2 iteration count from the
+ * "p2c"
+ * (PBES2 Count) Header Parameter
+ * - Derives the 128-bit Key Encryption Key with the PBES2-HS256 password-based key derivation algorithm,
+ * using the provided password, obtained salt input, and obtained iteration count as arguments.
+ * - Obtains the encrypted key ciphertext embedded in the received JWE.
+ * - Decrypts the encrypted key ciphertext with with the {@code A128KW} key unwrap
+ * algorithm using the 128-bit derived password-based Key Encryption Key from step {@code #3},
+ * producing the decryption key plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final KeyAlgorithm PBES2_HS256_A128KW = Jwts.get(REGISTRY, "PBES2-HS256+A128KW");
+
+ /**
+ * Key encryption algorithm using PBES2 with HMAC SHA-384 and "A192KW" wrapping
+ * as defined by
+ * RFC 7518 (JWA), Section 4.8.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Determines the number of PBDKF2 iterations via the JWE header's
+ * {@link JweHeader#getPbes2Count() pbes2Count} value. If that value is not set, a suitable number of
+ * iterations will be chosen based on
+ * OWASP
+ * PBKDF2 recommendations and then that value is set as the JWE header {@code pbes2Count} value.
+ * - Generates a new secure-random salt input and sets it as the JWE header
+ * {@link JweHeader#getPbes2Salt() pbes2Salt} value.
+ * - Derives a 192-bit Key Encryption Key with the PBES2-HS384 password-based key derivation algorithm,
+ * using the provided password, iteration count, and input salt as arguments.
+ * - Generates a new secure-random Content Encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Encrypts this newly-generated Content Encryption {@code SecretKey} with the {@code A192KW} key wrap
+ * algorithm using the 192-bit derived password-based Key Encryption Key from step {@code #3},
+ * producing encrypted key ciphertext.
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * Content Encryption {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated
+ * {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the required PBKDF2 input salt from the
+ * "p2s"
+ * (PBES2 Salt Input) Header Parameter
+ * - Obtains the required PBKDF2 iteration count from the
+ * "p2c"
+ * (PBES2 Count) Header Parameter
+ * - Derives the 192-bit Key Encryption Key with the PBES2-HS384 password-based key derivation algorithm,
+ * using the provided password, obtained salt input, and obtained iteration count as arguments.
+ * - Obtains the encrypted key ciphertext embedded in the received JWE.
+ * - Decrypts the encrypted key ciphertext with with the {@code A192KW} key unwrap
+ * algorithm using the 192-bit derived password-based Key Encryption Key from step {@code #3},
+ * producing the decryption key plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final KeyAlgorithm PBES2_HS384_A192KW = Jwts.get(REGISTRY, "PBES2-HS384+A192KW");
+
+ /**
+ * Key encryption algorithm using PBES2 with HMAC SHA-512 and "A256KW" wrapping
+ * as defined by
+ * RFC 7518 (JWA), Section 4.8.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Determines the number of PBDKF2 iterations via the JWE header's
+ * {@link JweHeader#getPbes2Count() pbes2Count} value. If that value is not set, a suitable number of
+ * iterations will be chosen based on
+ * OWASP
+ * PBKDF2 recommendations and then that value is set as the JWE header {@code pbes2Count} value.
+ * - Generates a new secure-random salt input and sets it as the JWE header
+ * {@link JweHeader#getPbes2Salt() pbes2Salt} value.
+ * - Derives a 256-bit Key Encryption Key with the PBES2-HS512 password-based key derivation algorithm,
+ * using the provided password, iteration count, and input salt as arguments.
+ * - Generates a new secure-random Content Encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Encrypts this newly-generated Content Encryption {@code SecretKey} with the {@code A256KW} key wrap
+ * algorithm using the 256-bit derived password-based Key Encryption Key from step {@code #3},
+ * producing encrypted key ciphertext.
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * Content Encryption {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated
+ * {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the required PBKDF2 input salt from the
+ * "p2s"
+ * (PBES2 Salt Input) Header Parameter
+ * - Obtains the required PBKDF2 iteration count from the
+ * "p2c"
+ * (PBES2 Count) Header Parameter
+ * - Derives the 256-bit Key Encryption Key with the PBES2-HS512 password-based key derivation algorithm,
+ * using the provided password, obtained salt input, and obtained iteration count as arguments.
+ * - Obtains the encrypted key ciphertext embedded in the received JWE.
+ * - Decrypts the encrypted key ciphertext with with the {@code A256KW} key unwrap
+ * algorithm using the 256-bit derived password-based Key Encryption Key from step {@code #3},
+ * producing the decryption key plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final KeyAlgorithm PBES2_HS512_A256KW = Jwts.get(REGISTRY, "PBES2-HS512+A256KW");
+
+ /**
+ * Key Encryption with {@code RSAES-PKCS1-v1_5}, as defined by
+ * RFC 7518 (JWA), Section 4.2.
+ * This algorithm requires a key size of 2048 bits or larger.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random content encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Encrypts this newly-generated {@code SecretKey} with the RSA key wrap algorithm, using the JWE
+ * recipient's RSA Public Key, producing encrypted key ciphertext.
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Receives the encrypted key ciphertext embedded in the received JWE.
+ * - Decrypts the encrypted key ciphertext with the RSA key unwrap algorithm, using the JWE recipient's
+ * RSA Private Key, producing the decryption key plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final KeyAlgorithm RSA1_5 = Jwts.get(REGISTRY, "RSA1_5");
+
+ /**
+ * Key Encryption with {@code RSAES OAEP using default parameters}, as defined by
+ * RFC 7518 (JWA), Section 4.3.
+ * This algorithm requires a key size of 2048 bits or larger.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random content encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Encrypts this newly-generated {@code SecretKey} with the RSA OAEP with SHA-1 and MGF1 key wrap algorithm,
+ * using the JWE recipient's RSA Public Key, producing encrypted key ciphertext.
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Receives the encrypted key ciphertext embedded in the received JWE.
+ * - Decrypts the encrypted key ciphertext with the RSA OAEP with SHA-1 and MGF1 key unwrap algorithm,
+ * using the JWE recipient's RSA Private Key, producing the decryption key plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final KeyAlgorithm RSA_OAEP = Jwts.get(REGISTRY, "RSA-OAEP");
+
+ /**
+ * Key Encryption with {@code RSAES OAEP using SHA-256 and MGF1 with SHA-256}, as defined by
+ * RFC 7518 (JWA), Section 4.3.
+ * This algorithm requires a key size of 2048 bits or larger.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random content encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Encrypts this newly-generated {@code SecretKey} with the RSA OAEP with SHA-256 and MGF1 key wrap
+ * algorithm, using the JWE recipient's RSA Public Key, producing encrypted key ciphertext.
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Receives the encrypted key ciphertext embedded in the received JWE.
+ * - Decrypts the encrypted key ciphertext with the RSA OAEP with SHA-256 and MGF1 key unwrap algorithm,
+ * using the JWE recipient's RSA Private Key, producing the decryption key plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final KeyAlgorithm RSA_OAEP_256 = Jwts.get(REGISTRY, "RSA-OAEP-256");
+
+ /**
+ * Key Agreement with {@code ECDH-ES using Concat KDF} as defined by
+ * RFC 7518 (JWA), Section 4.6.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random Elliptic Curve public/private key pair on the same curve as the
+ * JWE recipient's EC Public Key.
+ * - Generates a shared secret with the ECDH key agreement algorithm using the generated EC Private Key
+ * and the JWE recipient's EC Public Key.
+ * - Derives a symmetric Content
+ * Encryption {@code SecretKey} with the Concat KDF algorithm using the
+ * generated shared secret and any available
+ * {@link JweHeader#getAgreementPartyUInfo() PartyUInfo} and
+ * {@link JweHeader#getAgreementPartyVInfo() PartyVInfo}.
+ * - Sets the generated EC key pair's Public Key as the required
+ * "epk"
+ * (Ephemeral Public Key) Header Parameter to be transmitted in the JWE.
+ * - Returns the derived symmetric {@code SecretKey} for JJWT to use to encrypt the entire JWE with the
+ * associated {@link AeadAlgorithm}. Encrypted key ciphertext is not produced with this algorithm, so
+ * the resulting JWE will not contain any embedded key ciphertext.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the required ephemeral Elliptic Curve Public Key from the
+ * "epk"
+ * (Ephemeral Public Key) Header Parameter.
+ * - Validates that the ephemeral Public Key is on the same curve as the recipient's EC Private Key.
+ * - Obtains the shared secret with the ECDH key agreement algorithm using the obtained EC Public Key
+ * and the JWE recipient's EC Private Key.
+ * - Derives the symmetric Content
+ * Encryption {@code SecretKey} with the Concat KDF algorithm using the
+ * obtained shared secret and any available
+ * {@link JweHeader#getAgreementPartyUInfo() PartyUInfo} and
+ * {@link JweHeader#getAgreementPartyVInfo() PartyVInfo}.
+ * - Returns the derived symmetric {@code SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final KeyAlgorithm ECDH_ES = Jwts.get(REGISTRY, "ECDH-ES");
+
+ /**
+ * Key Agreement with Key Wrapping via
+ * ECDH-ES using Concat KDF and CEK wrapped with "A128KW" as defined by
+ * RFC 7518 (JWA), Section 4.6.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random Elliptic Curve public/private key pair on the same curve as the
+ * JWE recipient's EC Public Key.
+ * - Generates a shared secret with the ECDH key agreement algorithm using the generated EC Private Key
+ * and the JWE recipient's EC Public Key.
+ * - Derives a 128-bit symmetric Key
+ * Encryption {@code SecretKey} with the Concat KDF algorithm using the
+ * generated shared secret and any available
+ * {@link JweHeader#getAgreementPartyUInfo() PartyUInfo} and
+ * {@link JweHeader#getAgreementPartyVInfo() PartyVInfo}.
+ * - Sets the generated EC key pair's Public Key as the required
+ * "epk"
+ * (Ephemeral Public Key) Header Parameter to be transmitted in the JWE.
+ * - Generates a new secure-random content encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Encrypts this newly-generated {@code SecretKey} with the {@code A128KW} key wrap
+ * algorithm using the derived symmetric Key Encryption Key from step {@code #3}, producing encrypted key ciphertext.
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the required ephemeral Elliptic Curve Public Key from the
+ * "epk"
+ * (Ephemeral Public Key) Header Parameter.
+ * - Validates that the ephemeral Public Key is on the same curve as the recipient's EC Private Key.
+ * - Obtains the shared secret with the ECDH key agreement algorithm using the obtained EC Public Key
+ * and the JWE recipient's EC Private Key.
+ * - Derives the symmetric Key
+ * Encryption {@code SecretKey} with the Concat KDF algorithm using the
+ * obtained shared secret and any available
+ * {@link JweHeader#getAgreementPartyUInfo() PartyUInfo} and
+ * {@link JweHeader#getAgreementPartyVInfo() PartyVInfo}.
+ * - Obtains the encrypted key ciphertext embedded in the received JWE.
+ * - Decrypts the encrypted key ciphertext with the AES Key Unwrap algorithm using the
+ * 128-bit derived symmetric key from step {@code #4}, producing the decryption key plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final KeyAlgorithm ECDH_ES_A128KW = Jwts.get(REGISTRY, "ECDH-ES+A128KW");
+
+ /**
+ * Key Agreement with Key Wrapping via
+ * ECDH-ES using Concat KDF and CEK wrapped with "A192KW" as defined by
+ * RFC 7518 (JWA), Section 4.6.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random Elliptic Curve public/private key pair on the same curve as the
+ * JWE recipient's EC Public Key.
+ * - Generates a shared secret with the ECDH key agreement algorithm using the generated EC Private Key
+ * and the JWE recipient's EC Public Key.
+ * - Derives a 192-bit symmetric Key
+ * Encryption {@code SecretKey} with the Concat KDF algorithm using the
+ * generated shared secret and any available
+ * {@link JweHeader#getAgreementPartyUInfo() PartyUInfo} and
+ * {@link JweHeader#getAgreementPartyVInfo() PartyVInfo}.
+ * - Sets the generated EC key pair's Public Key as the required
+ * "epk"
+ * (Ephemeral Public Key) Header Parameter to be transmitted in the JWE.
+ * - Generates a new secure-random content encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Encrypts this newly-generated {@code SecretKey} with the {@code A192KW} key wrap
+ * algorithm using the derived symmetric Key Encryption Key from step {@code #3}, producing encrypted key
+ * ciphertext.
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the required ephemeral Elliptic Curve Public Key from the
+ * "epk"
+ * (Ephemeral Public Key) Header Parameter.
+ * - Validates that the ephemeral Public Key is on the same curve as the recipient's EC Private Key.
+ * - Obtains the shared secret with the ECDH key agreement algorithm using the obtained EC Public Key
+ * and the JWE recipient's EC Private Key.
+ * - Derives the 192-bit symmetric
+ * Key Encryption {@code SecretKey} with the Concat KDF algorithm using the
+ * obtained shared secret and any available
+ * {@link JweHeader#getAgreementPartyUInfo() PartyUInfo} and
+ * {@link JweHeader#getAgreementPartyVInfo() PartyVInfo}.
+ * - Obtains the encrypted key ciphertext embedded in the received JWE.
+ * - Decrypts the encrypted key ciphertext with the AES Key Unwrap algorithm using the
+ * 192-bit derived symmetric key from step {@code #4}, producing the decryption key plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final KeyAlgorithm ECDH_ES_A192KW = Jwts.get(REGISTRY, "ECDH-ES+A192KW");
+
+ /**
+ * Key Agreement with Key Wrapping via
+ * ECDH-ES using Concat KDF and CEK wrapped with "A256KW" as defined by
+ * RFC 7518 (JWA), Section 4.6.
+ *
+ * During JWE creation, this algorithm:
+ *
+ * - Generates a new secure-random Elliptic Curve public/private key pair on the same curve as the
+ * JWE recipient's EC Public Key.
+ * - Generates a shared secret with the ECDH key agreement algorithm using the generated EC Private Key
+ * and the JWE recipient's EC Public Key.
+ * - Derives a 256-bit symmetric Key
+ * Encryption {@code SecretKey} with the Concat KDF algorithm using the
+ * generated shared secret and any available
+ * {@link JweHeader#getAgreementPartyUInfo() PartyUInfo} and
+ * {@link JweHeader#getAgreementPartyVInfo() PartyVInfo}.
+ * - Sets the generated EC key pair's Public Key as the required
+ * "epk"
+ * (Ephemeral Public Key) Header Parameter to be transmitted in the JWE.
+ * - Generates a new secure-random content encryption {@link SecretKey} suitable for use with a
+ * specified {@link AeadAlgorithm} (using {@link AeadAlgorithm#key()}).
+ * - Encrypts this newly-generated {@code SecretKey} with the {@code A256KW} key wrap
+ * algorithm using the derived symmetric Key Encryption Key from step {@code #3}, producing encrypted key
+ * ciphertext.
+ * - Returns the encrypted key ciphertext for inclusion in the final JWE as well as the newly-generated
+ * {@code SecretKey} for JJWT to use to encrypt the entire JWE with associated {@link AeadAlgorithm}.
+ *
+ * For JWE decryption, this algorithm:
+ *
+ * - Obtains the required ephemeral Elliptic Curve Public Key from the
+ * "epk"
+ * (Ephemeral Public Key) Header Parameter.
+ * - Validates that the ephemeral Public Key is on the same curve as the recipient's EC Private Key.
+ * - Obtains the shared secret with the ECDH key agreement algorithm using the obtained EC Public Key
+ * and the JWE recipient's EC Private Key.
+ * - Derives the 256-bit symmetric
+ * Key Encryption {@code SecretKey} with the Concat KDF algorithm using the
+ * obtained shared secret and any available
+ * {@link JweHeader#getAgreementPartyUInfo() PartyUInfo} and
+ * {@link JweHeader#getAgreementPartyVInfo() PartyVInfo}.
+ * - Obtains the encrypted key ciphertext embedded in the received JWE.
+ * - Decrypts the encrypted key ciphertext with the AES Key Unwrap algorithm using the
+ * 256-bit derived symmetric key from step {@code #4}, producing the decryption key plaintext.
+ * - Returns the decryption key plaintext as a {@link SecretKey} for JJWT to use to decrypt the entire
+ * JWE using the JWE's identified "enc" {@link AeadAlgorithm}.
+ *
+ */
+ public static final KeyAlgorithm ECDH_ES_A256KW = Jwts.get(REGISTRY, "ECDH-ES+A256KW");
+
+ //prevent instantiation
+ private KEY() {
+ }
}
/**
- * Returns a new {@link JwsHeader} instance suitable for digitally signed JWTs (aka 'JWS's), populated with the
- * specified name/value pairs.
+ * Constants for JWA (RFC 7518) compression algorithms referenced in the {@code zip} header defined in the
+ * JSON Web Encryption Compression Algorithms
+ * Registry. Each algorithm is available as a ({@code public static final}) constant for
+ * direct type-safe reference in application code. For example:
+ *
+ * Jwts.builder()
+ * // ... etc ...
+ * .compressWith(Jwts.ZIP.DEF)
+ * .build();
+ * They are also available together as a {@link Registry} instance via the {@link #get()} method.
*
- * @return a new {@link JwsHeader} instance suitable for digitally signed JWTs (aka 'JWS's), populated with the
- * specified name/value pairs.
- * @see JwtBuilder#setHeader(Header)
+ * @see #get()
+ * @since 0.12.0
*/
- public static JwsHeader jwsHeader(Map header) {
- return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwsHeader", MAP_ARG, header);
+ public static final class ZIP {
+
+ private static final String IMPL_CLASSNAME = "io.jsonwebtoken.impl.io.StandardCompressionAlgorithms";
+ private static final Registry REGISTRY = Classes.newInstance(IMPL_CLASSNAME);
+
+ /**
+ * Returns various useful
+ * Compression Algorithms.
+ *
+ * @return various standard and non-standard useful compression algorithms.
+ */
+ public static Registry get() {
+ return REGISTRY;
+ }
+
+ /**
+ * The JWE-standard DEFLATE
+ * compression algorithm with a {@code zip} header value of {@code "DEF"}.
+ *
+ * @see JWE RFC 7516, Section 4.1.3
+ */
+ public static final CompressionAlgorithm DEF = get().forKey("DEF");
+
+ /**
+ * A commonly used, but NOT JWA-STANDARD
+ * gzip compression algorithm with a {@code zip} header value
+ * of {@code "GZIP"}.
+ *
+ * Compatibility Warning
+ *
+ * This is not a standard JWE compression algorithm. Be sure to use this only when you are confident
+ * that all parties accessing the token support the "GZIP" identifier and associated algorithm.
+ *
+ * If you're concerned about compatibility, {@link #DEF DEF} is the only JWA standards-compliant algorithm.
+ *
+ * @see #DEF
+ */
+ public static final CompressionAlgorithm GZIP = get().forKey("GZIP");
+
+ //prevent instantiation
+ private ZIP() {
+ }
}
/**
- * Returns a new {@link Claims} instance to be used as a JWT body.
+ * A {@link Builder} that dynamically determines the type of {@link Header} to create based on builder state.
*
- * @return a new {@link Claims} instance to be used as a JWT body.
+ * @since 0.12.0
*/
- public static Claims claims() {
- return Classes.newInstance("io.jsonwebtoken.impl.DefaultClaims");
+ public interface HeaderBuilder extends JweHeaderMutator, X509Builder, Builder {
}
/**
- * Returns a new {@link Claims} instance populated with the specified name/value pairs.
+ * Returns a new {@link HeaderBuilder} that can build any type of {@link Header} instance depending on
+ * which builder properties are set.
*
- * @param claims the name/value pairs to populate the new Claims instance.
- * @return a new {@link Claims} instance populated with the specified name/value pairs.
+ * @return a new {@link HeaderBuilder} that can build any type of {@link Header} instance depending on
+ * which builder properties are set.
+ * @since 0.12.0
*/
- public static Claims claims(Map claims) {
- return Classes.newInstance("io.jsonwebtoken.impl.DefaultClaims", MAP_ARG, claims);
+ public static HeaderBuilder header() {
+ return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtHeaderBuilder");
}
/**
- * Returns a new {@link JwtParser} instance that can be configured and then used to parse JWT strings.
+ * Returns a new {@link Claims} builder instance to be used to populate JWT claims, which in aggregate will be
+ * the JWT payload.
*
- * @return a new {@link JwtParser} instance that can be configured and then used to parse JWT strings.
- * @deprecated use {@link Jwts#parserBuilder()} instead. See {@link JwtParserBuilder} for usage details.
- * Migration to new method structure is minimal, for example:
- *
Old code:
- *
{@code
- * Jwts.parser()
- * .requireAudience("string")
- * .parse(jwtString)
- * }
- * New code:
- *
{@code
- * Jwts.parserBuilder()
- * .requireAudience("string")
- * .build()
- * .parse(jwtString)
- * }
- * NOTE: this method will be removed before version 1.0
+ * @return a new {@link Claims} builder instance to be used to populate JWT claims, which in aggregate will be
+ * the JWT payload.
*/
- @Deprecated
- public static JwtParser parser() {
- return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtParser");
+ public static ClaimsBuilder claims() {
+ return Classes.newInstance("io.jsonwebtoken.impl.DefaultClaimsBuilder");
}
/**
- * Returns a new {@link JwtParserBuilder} instance that can be configured to create an immutable/thread-safe {@link JwtParser).
+ *
Deprecated since 0.12.0 in favor of
+ * {@code Jwts.}{@link #claims()}{@code .add(map).build()}.
+ * This method will be removed before 1.0.
*
- * @return a new {@link JwtParser} instance that can be configured create an immutable/thread-safe {@link JwtParser).
+ * Returns a new {@link Claims} instance populated with the specified name/value pairs.
+ *
+ * @param claims the name/value pairs to populate the new Claims instance.
+ * @return a new {@link Claims} instance populated with the specified name/value pairs.
+ * @deprecated since 0.12.0 in favor of {@code Jwts.}{@link #claims()}{@code .putAll(map).build()}.
+ * This method will be removed before 1.0.
*/
- public static JwtParserBuilder parserBuilder() {
- return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtParserBuilder");
+ @Deprecated
+ public static Claims claims(Map claims) {
+ return claims().add(claims).build();
}
/**
@@ -140,4 +1059,19 @@
public static JwtBuilder builder() {
return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtBuilder");
}
+
+ /**
+ * Returns a new {@link JwtParserBuilder} instance that can be configured to create an immutable/thread-safe {@link JwtParser}.
+ *
+ * @return a new {@link JwtParser} instance that can be configured create an immutable/thread-safe {@link JwtParser}.
+ */
+ public static JwtParserBuilder parser() {
+ return Classes.newInstance("io.jsonwebtoken.impl.DefaultJwtParserBuilder");
+ }
+
+ /**
+ * Private constructor, prevent instantiation.
+ */
+ private Jwts() {
+ }
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Locator.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Locator.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/Locator.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import java.security.Key;
+
+/**
+ * A {@link Locator} can return an object referenced in a JWT {@link Header} that is necessary to process
+ * the associated JWT.
+ *
+ * For example, a {@code Locator} implementation can inspect a header's {@code kid} (Key ID) parameter, and use the
+ * discovered {@code kid} value to lookup and return the associated {@link Key} instance. JJWT could then use this
+ * {@code key} to decrypt a JWE or verify a JWS signature.
+ *
+ * @param the type of object that may be returned from the {@link #locate(Header)} method
+ * @since 0.12.0
+ */
+public interface Locator {
+
+ /**
+ * Returns an object referenced in the specified {@code header}, or {@code null} if the object couldn't be found.
+ *
+ * @param header the JWT header to inspect; may be an instance of {@link Header}, {@link JwsHeader} or
+ * {@link JweHeader} depending on if the respective JWT is an unprotected JWT, JWS or JWE.
+ * @return an object referenced in the specified {@code header}, or {@code null} if the object couldn't be found.
+ */
+ T locate(Header header);
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/LocatorAdapter.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/LocatorAdapter.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/LocatorAdapter.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.lang.Assert;
+
+/**
+ * Adapter pattern implementation for the {@link Locator} interface. Subclasses can override any of the
+ * {@link #doLocate(Header)}, {@link #locate(ProtectedHeader)}, {@link #locate(JwsHeader)}, or
+ * {@link #locate(JweHeader)} methods for type-specific logic if desired when the encountered header is an
+ * unprotected JWT, or an integrity-protected JWT (either a JWS or JWE).
+ *
+ * @param the type of object to locate
+ * @since 0.12.0
+ */
+public abstract class LocatorAdapter implements Locator {
+
+ /**
+ * Constructs a new instance, where all default method implementations return {@code null}.
+ */
+ public LocatorAdapter() {
+ }
+
+ /**
+ * Inspects the specified header, and delegates to the {@link #locate(ProtectedHeader)} method if the header
+ * is protected (either a {@link JwsHeader} or {@link JweHeader}), or the {@link #doLocate(Header)} method
+ * if the header is not integrity protected.
+ *
+ * @param header the JWT header to inspect; may be an instance of {@link Header}, {@link JwsHeader}, or
+ * {@link JweHeader} depending on if the respective JWT is an unprotected JWT, JWS or JWE.
+ * @return an object referenced in the specified header, or {@code null} if the referenced object cannot be found
+ * or does not exist.
+ */
+ @Override
+ public final T locate(Header header) {
+ Assert.notNull(header, "Header cannot be null.");
+ if (header instanceof ProtectedHeader) {
+ ProtectedHeader protectedHeader = (ProtectedHeader) header;
+ return locate(protectedHeader);
+ }
+ return doLocate(header);
+ }
+
+ /**
+ * Returns an object referenced in the specified {@link ProtectedHeader}, or {@code null} if the referenced
+ * object cannot be found or does not exist. This is a convenience method that delegates to
+ * {@link #locate(JwsHeader)} if the {@code header} is a {@link JwsHeader} or {@link #locate(JweHeader)} if the
+ * {@code header} is a {@link JweHeader}.
+ *
+ * @param header the protected header of an encountered JWS or JWE.
+ * @return an object referenced in the specified {@link ProtectedHeader}, or {@code null} if the referenced
+ * object cannot be found or does not exist.
+ */
+ protected T locate(ProtectedHeader header) {
+ if (header instanceof JwsHeader) {
+ return locate((JwsHeader) header);
+ } else {
+ Assert.isInstanceOf(JweHeader.class, header, "Unrecognized ProtectedHeader type.");
+ return locate((JweHeader) header);
+ }
+ }
+
+ /**
+ * Returns an object referenced in the specified JWE header, or {@code null} if the referenced
+ * object cannot be found or does not exist. Default implementation simply returns {@code null}.
+ *
+ * @param header the header of an encountered JWE.
+ * @return an object referenced in the specified JWE header, or {@code null} if the referenced
+ * object cannot be found or does not exist.
+ */
+ protected T locate(JweHeader header) {
+ return null;
+ }
+
+ /**
+ * Returns an object referenced in the specified JWS header, or {@code null} if the referenced
+ * object cannot be found or does not exist. Default implementation simply returns {@code null}.
+ *
+ * @param header the header of an encountered JWS.
+ * @return an object referenced in the specified JWS header, or {@code null} if the referenced
+ * object cannot be found or does not exist.
+ */
+ protected T locate(JwsHeader header) {
+ return null;
+ }
+
+ /**
+ * Returns an object referenced in the specified unprotected JWT header, or {@code null} if the referenced
+ * object cannot be found or does not exist. Default implementation simply returns {@code null}.
+ *
+ * @param header the header of an encountered JWT.
+ * @return an object referenced in the specified unprotected JWT header, or {@code null} if the referenced
+ * object cannot be found or does not exist.
+ */
+ @SuppressWarnings("unused")
+ protected T doLocate(Header header) {
+ return null;
+ }
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/MalformedJwtException.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/MalformedJwtException.java (.../MalformedJwtException.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/MalformedJwtException.java (.../MalformedJwtException.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -22,10 +22,21 @@
*/
public class MalformedJwtException extends JwtException {
+ /**
+ * Creates a new instance with the specified explanation message.
+ *
+ * @param message the message explaining why the exception is thrown.
+ */
public MalformedJwtException(String message) {
super(message);
}
+ /**
+ * Creates a new instance with the specified explanation message and underlying cause.
+ *
+ * @param message the message explaining why the exception is thrown.
+ * @param cause the underlying cause that resulted in this exception being thrown.
+ */
public MalformedJwtException(String message, Throwable cause) {
super(message, cause);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/MissingClaimException.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/MissingClaimException.java (.../MissingClaimException.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/MissingClaimException.java (.../MissingClaimException.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -22,11 +22,34 @@
* @since 0.6
*/
public class MissingClaimException extends InvalidClaimException {
- public MissingClaimException(Header header, Claims claims, String message) {
- super(header, claims, message);
+
+ /**
+ * Creates a new instance with the specified explanation message.
+ *
+ * @param header the header associated with the claims that did not contain the required claim
+ * @param claims the claims that did not contain the required claim
+ * @param claimName the name of the claim that could not be validated
+ * @param claimValue the value of the claim that could not be validated
+ * @param message the message explaining why the exception is thrown.
+ */
+ public MissingClaimException(Header header, Claims claims, String claimName, Object claimValue, String message) {
+ super(header, claims, claimName, claimValue, message);
}
- public MissingClaimException(Header header, Claims claims, String message, Throwable cause) {
- super(header, claims, message, cause);
+
+ /**
+ * Creates a new instance with the specified explanation message and underlying cause.
+ *
+ * @param header the header associated with the claims that did not contain the required claim
+ * @param claims the claims that did not contain the required claim
+ * @param claimName the name of the claim that could not be validated
+ * @param claimValue the value of the claim that could not be validated
+ * @param message the message explaining why the exception is thrown.
+ * @param cause the underlying cause that resulted in this exception being thrown.
+ * @deprecated since 0.12.0 since it is not used in JJWT's codebase
+ */
+ @Deprecated
+ public MissingClaimException(Header header, Claims claims, String claimName, Object claimValue, String message, Throwable cause) {
+ super(header, claims, claimName, claimValue, message, cause);
}
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/PrematureJwtException.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/PrematureJwtException.java (.../PrematureJwtException.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/PrematureJwtException.java (.../PrematureJwtException.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -22,17 +22,28 @@
*/
public class PrematureJwtException extends ClaimJwtException {
+ /**
+ * Creates a new instance with the specified explanation message.
+ *
+ * @param header jwt header
+ * @param claims jwt claims (body)
+ * @param message the message explaining why the exception is thrown.
+ */
public PrematureJwtException(Header header, Claims claims, String message) {
super(header, claims, message);
}
/**
- * @param header jwt header
- * @param claims jwt claims (body)
+ * Creates a new instance with the specified explanation message and underlying cause.
+ *
+ * @param header jwt header
+ * @param claims jwt claims (body)
* @param message exception message
- * @param cause cause
+ * @param cause cause
* @since 0.5
+ * @deprecated since 0.12.0 since it is not used in JJWT's codebase
*/
+ @Deprecated
public PrematureJwtException(Header header, Claims claims, String message, Throwable cause) {
super(header, claims, message, cause);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ProtectedHeader.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ProtectedHeader.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ProtectedHeader.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.security.PublicJwk;
+import io.jsonwebtoken.security.X509Accessor;
+
+import java.net.URI;
+import java.util.Set;
+
+/**
+ * A JWT header that is integrity protected, either by JWS digital signature or JWE AEAD encryption.
+ *
+ * @see JwsHeader
+ * @see JweHeader
+ * @since 0.12.0
+ */
+public interface ProtectedHeader extends Header, X509Accessor {
+
+ /**
+ * Returns the {@code jku} (JWK Set URL) value that refers to a
+ * JWK Set
+ * resource containing JSON-encoded Public Keys, or {@code null} if not present. When present in a
+ * {@link JwsHeader}, the first public key in the JWK Set must be the public key complement of the private
+ * key used to sign the JWS. When present in a {@link JweHeader}, the first public key in the JWK Set must
+ * be the public key used during encryption.
+ *
+ * @return a URI that refers to a JWK Set
+ * resource for a set of JSON-encoded Public Keys, or {@code null} if not present.
+ * @see JWS JWK Set URL
+ * @see JWE JWK Set URL
+ */
+ URI getJwkSetUrl();
+
+ /**
+ * Returns the {@code jwk} (JSON Web Key) associated with the JWT. When present in a {@link JwsHeader}, the
+ * {@code jwk} is the public key complement of the private key used to digitally sign the JWS. When present in a
+ * {@link JweHeader}, the {@code jwk} is the public key to which the JWE was encrypted, and may be used to
+ * determine the private key needed to decrypt the JWE.
+ *
+ * @return the {@code jwk} (JSON Web Key) associated with the header.
+ * @see JWS {@code jwk} (JSON Web Key) Header Parameter
+ * @see JWE {@code jwk} (JSON Web Key) Header Parameter
+ */
+ PublicJwk getJwk();
+
+ /**
+ * Returns the JWT case-sensitive {@code kid} (Key ID) header value or {@code null} if not present.
+ *
+ * The keyId header parameter is a hint indicating which key was used to secure a JWS or JWE. This
+ * parameter allows originators to explicitly signal a change of key to recipients. The structure of the keyId
+ * value is unspecified. Its value is a CaSe-SeNsItIvE string.
+ *
+ * When used with a JWK, the keyId value is used to match a JWK {@code keyId} parameter value.
+ *
+ * @return the case-sensitive {@code kid} header value or {@code null} if not present.
+ * @see JWS Key ID
+ * @see JWE Key ID
+ */
+ String getKeyId();
+
+ /**
+ * Returns the header parameter names that use extensions to the JWT or JWA specification(s) that MUST
+ * be understood and supported by the JWT recipient, or {@code null} if not present.
+ *
+ * @return the header parameter names that use extensions to the JWT or JWA specification(s) that MUST
+ * be understood and supported by the JWT recipient, or {@code null} if not present.
+ * @see JWS {@code crit} (Critical) Header Parameter
+ * @see JWS {@code crit} (Critical) Header Parameter
+ */
+ Set getCritical();
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ProtectedHeaderMutator.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ProtectedHeaderMutator.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ProtectedHeaderMutator.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.lang.Conjunctor;
+import io.jsonwebtoken.lang.NestedCollection;
+import io.jsonwebtoken.security.PublicJwk;
+import io.jsonwebtoken.security.X509Mutator;
+
+import java.net.URI;
+
+/**
+ * Mutation (modifications) to a {@link ProtectedHeader Header} instance.
+ *
+ * @param the mutator subtype, for method chaining
+ * @since 0.12.0
+ */
+public interface ProtectedHeaderMutator> extends HeaderMutator, X509Mutator {
+
+ /**
+ * Configures names of header parameters used by JWT or JWA specification extensions that MUST be
+ * understood and supported by the JWT recipient. When finished, use the collection's
+ * {@link Conjunctor#and() and()} method to continue header configuration, for example:
+ *
+ * headerBuilder
+ * .critical().add("headerName").{@link Conjunctor#and() and()} // return parent
+ * // resume header configuration...
+ *
+ * @return the {@link NestedCollection} to use for {@code crit} configuration.
+ * @see JWS crit (Critical) Header Parameter
+ * @see JWS crit (Critical) Header Parameter
+ */
+ NestedCollection critical();
+
+ /**
+ * Sets the {@code jwk} (JSON Web Key) associated with the JWT. When set for a {@link JwsHeader}, the
+ * {@code jwk} is the public key complement of the private key used to digitally sign the JWS. When set for a
+ * {@link JweHeader}, the {@code jwk} is the public key to which the JWE was encrypted, and may be used to
+ * determine the private key needed to decrypt the JWE.
+ *
+ * @param jwk the {@code jwk} (JSON Web Key) associated with the header.
+ * @return the header for method chaining
+ * @see JWS jwk (JSON Web Key) Header Parameter
+ * @see JWE jwk (JSON Web Key) Header Parameter
+ */
+ T jwk(PublicJwk jwk);
+
+ /**
+ * Sets the {@code jku} (JWK Set URL) value that refers to a
+ * JWK Set
+ * resource containing JSON-encoded Public Keys, or {@code null} if not present. When set for a
+ * {@link JwsHeader}, the first public key in the JWK Set must be the public key complement of the
+ * private key used to sign the JWS. When set for a {@link JweHeader}, the first public key in the JWK Set
+ * must be the public key used during encryption.
+ *
+ * @param uri a URI that refers to a JWK Set
+ * resource containing JSON-encoded Public Keys
+ * @return the header for method chaining
+ * @see JWS JWK Set URL
+ * @see JWE JWK Set URL
+ */
+ T jwkSetUrl(URI uri);
+
+ /**
+ * Sets the JWT case-sensitive {@code kid} (Key ID) header value. A {@code null} value will remove the property
+ * from the JSON map.
+ *
+ * The keyId header parameter is a hint indicating which key was used to secure a JWS or JWE. This parameter
+ * allows originators to explicitly signal a change of key to recipients. The structure of the keyId value is
+ * unspecified. Its value MUST be a case-sensitive string.
+ *
+ * When used with a JWK, the keyId value is used to match a JWK {@code keyId} parameter value.
+ *
+ * @param kid the case-sensitive JWS {@code kid} header value or {@code null} to remove the property from the JSON map.
+ * @return the header instance for method chaining.
+ * @see JWS Key ID
+ * @see JWE Key ID
+ */
+ T keyId(String kid);
+
+ /**
+ * Deprecated since 0.12.0, delegates to {@link #keyId(String)}.
+ *
+ * @param kid the case-sensitive JWS {@code kid} header value or {@code null} to remove the property from the JSON map.
+ * @return the instance for method chaining.
+ * @see JWS Key ID
+ * @see JWE Key ID
+ * @deprecated since 0.12.0 in favor of the more modern builder-style {@link #keyId(String)} method.
+ */
+ @Deprecated
+ T setKeyId(String kid);
+
+ /**
+ * Deprecated as of 0.12.0, there is no need to set this any longer as the {@code JwtBuilder} will
+ * always set the {@code alg} header as necessary.
+ *
+ * @param alg the JWS or JWE algorithm {@code alg} value or {@code null} to remove the property from the JSON map.
+ * @return the instance for method chaining.
+ * @since 0.1
+ * @deprecated since 0.12.0 and will be removed before the 1.0 release.
+ */
+ @Deprecated
+ T setAlgorithm(String alg);
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ProtectedJwt.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ProtectedJwt.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/ProtectedJwt.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,37 @@
+/*
+ * Copyright © 2023 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.security.DigestSupplier;
+
+/**
+ * A {@code ProtectedJwt} is a {@link Jwt} that is integrity protected via a cryptographic algorithm that produces
+ * a cryptographic digest, such as a MAC, Digital Signature or Authentication Tag.
+ *
+ * Cryptographic Digest
+ * This interface extends DigestSupplier to make available the {@code ProtectedJwt}'s associated cryptographic
+ * digest:
+ *
+ * - If the JWT is a {@link Jws}, {@link #getDigest() getDigest() } returns the JWS signature.
+ * - If the JWT is a {@link Jwe}, {@link #getDigest() getDigest() } returns the AAD Authentication Tag.
+ *
+ *
+ * @param the type of the JWT protected header
+ * @param the type of the JWT payload, either a content byte array or a {@link Claims} instance.
+ * @since 0.12.0
+ */
+public interface ProtectedJwt extends Jwt, DigestSupplier {
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/RequiredTypeException.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/RequiredTypeException.java (.../RequiredTypeException.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/RequiredTypeException.java (.../RequiredTypeException.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -16,16 +16,28 @@
package io.jsonwebtoken;
/**
- * Exception thrown when {@link Claims#get(String, Class)} is called and the value does not match the type of the
- * {@code Class} argument.
+ * Exception thrown when attempting to obtain a value from a JWT or JWK and the existing value does not match the
+ * expected type.
*
* @since 0.6
*/
public class RequiredTypeException extends JwtException {
+
+ /**
+ * Creates a new instance with the specified explanation message.
+ *
+ * @param message the message explaining why the exception is thrown.
+ */
public RequiredTypeException(String message) {
super(message);
}
+ /**
+ * Creates a new instance with the specified explanation message and underlying cause.
+ *
+ * @param message the message explaining why the exception is thrown.
+ * @param cause the underlying cause that resulted in this exception being thrown.
+ */
public RequiredTypeException(String message, Throwable cause) {
super(message, cause);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SignatureAlgorithm.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SignatureAlgorithm.java (.../SignatureAlgorithm.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SignatureAlgorithm.java (.../SignatureAlgorithm.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -34,7 +34,9 @@
* JSON Web Algorithms specification.
*
* @since 0.1
+ * @deprecated since 0.12.0; use {@link Jwts.SIG} instead.
*/
+@Deprecated
public enum SignatureAlgorithm {
/**
@@ -110,10 +112,10 @@
//purposefully ordered higher to lower:
private static final List PREFERRED_HMAC_ALGS = Collections.unmodifiableList(Arrays.asList(
- SignatureAlgorithm.HS512, SignatureAlgorithm.HS384, SignatureAlgorithm.HS256));
+ SignatureAlgorithm.HS512, SignatureAlgorithm.HS384, SignatureAlgorithm.HS256));
//purposefully ordered higher to lower:
private static final List PREFERRED_EC_ALGS = Collections.unmodifiableList(Arrays.asList(
- SignatureAlgorithm.ES512, SignatureAlgorithm.ES384, SignatureAlgorithm.ES256));
+ SignatureAlgorithm.ES512, SignatureAlgorithm.ES384, SignatureAlgorithm.ES256));
private final String value;
private final String description;
@@ -132,7 +134,7 @@
SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard,
int digestLength, int minKeyLength) {
- this(value, description,familyName, jcaName, jdkStandard, digestLength, minKeyLength, jcaName);
+ this(value, description, familyName, jcaName, jdkStandard, digestLength, minKeyLength, jcaName);
}
SignatureAlgorithm(String value, String description, String familyName, String jcaName, boolean jdkStandard,
@@ -365,25 +367,25 @@
// These next checks use equalsIgnoreCase per https://github.com/jwtk/jjwt/issues/381#issuecomment-412912272
if (!HS256.jcaName.equalsIgnoreCase(alg) &&
- !HS384.jcaName.equalsIgnoreCase(alg) &&
- !HS512.jcaName.equalsIgnoreCase(alg) &&
- !HS256.pkcs12Name.equals(alg) &&
- !HS384.pkcs12Name.equals(alg) &&
- !HS512.pkcs12Name.equals(alg)) {
+ !HS384.jcaName.equalsIgnoreCase(alg) &&
+ !HS512.jcaName.equalsIgnoreCase(alg) &&
+ !HS256.pkcs12Name.equals(alg) &&
+ !HS384.pkcs12Name.equals(alg) &&
+ !HS512.pkcs12Name.equals(alg)) {
throw new InvalidKeyException("The " + keyType(signing) + " key's algorithm '" + alg +
- "' does not equal a valid HmacSHA* algorithm name and cannot be used with " + name() + ".");
+ "' does not equal a valid HmacSHA* algorithm name and cannot be used with " + name() + ".");
}
int size = encoded.length * 8; //size in bits
if (size < this.minKeyLength) {
String msg = "The " + keyType(signing) + " key's size is " + size + " bits which " +
- "is not secure enough for the " + name() + " algorithm. The JWT " +
- "JWA Specification (RFC 7518, Section 3.2) states that keys used with " + name() + " MUST have a " +
- "size >= " + minKeyLength + " bits (the key size must be greater than or equal to the hash " +
- "output size). Consider using the " + Keys.class.getName() + " class's " +
- "'secretKeyFor(SignatureAlgorithm." + name() + ")' method to create a key guaranteed to be " +
- "secure enough for " + name() + ". See " +
- "https://tools.ietf.org/html/rfc7518#section-3.2 for more information.";
+ "is not secure enough for the " + name() + " algorithm. The JWT " +
+ "JWA Specification (RFC 7518, Section 3.2) states that keys used with " + name() + " MUST have a " +
+ "size >= " + minKeyLength + " bits (the key size must be greater than or equal to the hash " +
+ "output size). Consider using the " + Keys.class.getName() + " class's " +
+ "'secretKeyFor(SignatureAlgorithm." + name() + ")' method to create a key guaranteed to be " +
+ "secure enough for " + name() + ". See " +
+ "https://tools.ietf.org/html/rfc7518#section-3.2 for more information.";
throw new WeakKeyException(msg);
}
@@ -407,13 +409,13 @@
int size = ecKey.getParams().getOrder().bitLength();
if (size < this.minKeyLength) {
String msg = "The " + keyType(signing) + " key's size (ECParameterSpec order) is " + size +
- " bits which is not secure enough for the " + name() + " algorithm. The JWT " +
- "JWA Specification (RFC 7518, Section 3.4) states that keys used with " +
- name() + " MUST have a size >= " + this.minKeyLength +
- " bits. Consider using the " + Keys.class.getName() + " class's " +
- "'keyPairFor(SignatureAlgorithm." + name() + ")' method to create a key pair guaranteed " +
- "to be secure enough for " + name() + ". See " +
- "https://tools.ietf.org/html/rfc7518#section-3.4 for more information.";
+ " bits which is not secure enough for the " + name() + " algorithm. The JWT " +
+ "JWA Specification (RFC 7518, Section 3.4) states that keys used with " +
+ name() + " MUST have a size >= " + this.minKeyLength +
+ " bits. Consider using the " + Keys.class.getName() + " class's " +
+ "'keyPairFor(SignatureAlgorithm." + name() + ")' method to create a key pair guaranteed " +
+ "to be secure enough for " + name() + ". See " +
+ "https://tools.ietf.org/html/rfc7518#section-3.4 for more information.";
throw new WeakKeyException(msg);
}
@@ -431,12 +433,12 @@
String section = name().startsWith("P") ? "3.5" : "3.3";
String msg = "The " + keyType(signing) + " key's size is " + size + " bits which is not secure " +
- "enough for the " + name() + " algorithm. The JWT JWA Specification (RFC 7518, Section " +
- section + ") states that keys used with " + name() + " MUST have a size >= " +
- this.minKeyLength + " bits. Consider using the " + Keys.class.getName() + " class's " +
- "'keyPairFor(SignatureAlgorithm." + name() + ")' method to create a key pair guaranteed " +
- "to be secure enough for " + name() + ". See " +
- "https://tools.ietf.org/html/rfc7518#section-" + section + " for more information.";
+ "enough for the " + name() + " algorithm. The JWT JWA Specification (RFC 7518, Section " +
+ section + ") states that keys used with " + name() + " MUST have a size >= " +
+ this.minKeyLength + " bits. Consider using the " + Keys.class.getName() + " class's " +
+ "'keyPairFor(SignatureAlgorithm." + name() + ")' method to create a key pair guaranteed " +
+ "to be secure enough for " + name() + ". See " +
+ "https://tools.ietf.org/html/rfc7518#section-" + section + " for more information.";
throw new WeakKeyException(msg);
}
}
@@ -531,7 +533,7 @@
* Section 3.3) mandates that RSA signing key lengths MUST be 2048 bits or greater.
* {@code RSAKey}s with key lengths less than 2048 bits will be rejected with a
* {@link WeakKeyException}.
- * Technically any RSA key of length >= 2048 bits may be used with the {@link #RS256}, {@link #RS384}, and
+ * Technically any RSA key of length >= 2048 bits may be used with the {@link #RS256}, {@link #RS384}, and
* {@link #RS512} algorithms, so we assume an RSA signature algorithm based on the key length to
* parallel similar decisions in the JWT specification for HMAC and ECDSA signature algorithms.
* This is not required - just a convenience.
@@ -545,7 +547,6 @@
* The {@link #RS256}, {@link #RS384}, and {@link #RS512} algorithms are available in the JDK by default
* while the {@code PS}* variants require an additional JCA Provider (like BouncyCastle).
*
- *
*
* Finally, this method will throw an {@link InvalidKeyException} for any key that does not match the
* heuristics and requirements documented above, since that inevitably means the Key is either insufficient or
@@ -564,29 +565,29 @@
}
if (!(key instanceof SecretKey ||
- (key instanceof PrivateKey && (key instanceof ECKey || key instanceof RSAKey)))) {
+ (key instanceof PrivateKey && (key instanceof ECKey || key instanceof RSAKey)))) {
String msg = "JWT standard signing algorithms require either 1) a SecretKey for HMAC-SHA algorithms or " +
- "2) a private RSAKey for RSA algorithms or 3) a private ECKey for Elliptic Curve algorithms. " +
- "The specified key is of type " + key.getClass().getName();
+ "2) a private RSAKey for RSA algorithms or 3) a private ECKey for Elliptic Curve algorithms. " +
+ "The specified key is of type " + key.getClass().getName();
throw new InvalidKeyException(msg);
}
if (key instanceof SecretKey) {
- SecretKey secretKey = (SecretKey)key;
+ SecretKey secretKey = (SecretKey) key;
int bitLength = io.jsonwebtoken.lang.Arrays.length(secretKey.getEncoded()) * Byte.SIZE;
- for(SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
+ for (SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
// ensure compatibility check is based on key length. See https://github.com/jwtk/jjwt/issues/381
if (bitLength >= alg.minKeyLength) {
return alg;
}
}
String msg = "The specified SecretKey is not strong enough to be used with JWT HMAC signature " +
- "algorithms. The JWT specification requires HMAC keys to be >= 256 bits long. The specified " +
- "key is " + bitLength + " bits. See https://tools.ietf.org/html/rfc7518#section-3.2 for more " +
- "information.";
+ "algorithms. The JWT specification requires HMAC keys to be >= 256 bits long. The specified " +
+ "key is " + bitLength + " bits. See https://tools.ietf.org/html/rfc7518#section-3.2 for more " +
+ "information.";
throw new WeakKeyException(msg);
}
@@ -607,9 +608,9 @@
}
String msg = "The specified RSA signing key is not strong enough to be used with JWT RSA signature " +
- "algorithms. The JWT specification requires RSA keys to be >= 2048 bits long. The specified RSA " +
- "key is " + bitLength + " bits. See https://tools.ietf.org/html/rfc7518#section-3.3 for more " +
- "information.";
+ "algorithms. The JWT specification requires RSA keys to be >= 2048 bits long. The specified RSA " +
+ "key is " + bitLength + " bits. See https://tools.ietf.org/html/rfc7518#section-3.3 for more " +
+ "information.";
throw new WeakKeyException(msg);
}
@@ -627,9 +628,9 @@
}
String msg = "The specified Elliptic Curve signing key is not strong enough to be used with JWT ECDSA " +
- "signature algorithms. The JWT specification requires ECDSA keys to be >= 256 bits long. " +
- "The specified ECDSA key is " + bitLength + " bits. See " +
- "https://tools.ietf.org/html/rfc7518#section-3.4 for more information.";
+ "signature algorithms. The JWT specification requires ECDSA keys to be >= 256 bits long. " +
+ "The specified ECDSA key is " + bitLength + " bits. See " +
+ "https://tools.ietf.org/html/rfc7518#section-3.4 for more information.";
throw new WeakKeyException(msg);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SignatureException.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SignatureException.java (.../SignatureException.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SignatureException.java (.../SignatureException.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -21,15 +21,26 @@
* Exception indicating that either calculating a signature or verifying an existing signature of a JWT failed.
*
* @since 0.1
- * @deprecated in favor of {@link io.jsonwebtoken.security.SecurityException}; this class will be removed before 1.0
+ * @deprecated in favor of {@link io.jsonwebtoken.security.SignatureException}; this class will be removed before 1.0
*/
@Deprecated
public class SignatureException extends SecurityException {
+ /**
+ * Creates a new instance with the specified explanation message.
+ *
+ * @param message the message explaining why the exception is thrown.
+ */
public SignatureException(String message) {
super(message);
}
+ /**
+ * Creates a new instance with the specified explanation message and underlying cause.
+ *
+ * @param message the message explaining why the exception is thrown.
+ * @param cause the underlying cause that resulted in this exception being thrown.
+ */
public SignatureException(String message, Throwable cause) {
super(message, cause);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SigningKeyResolver.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SigningKeyResolver.java (.../SigningKeyResolver.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SigningKeyResolver.java (.../SigningKeyResolver.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -22,7 +22,7 @@
* should be used to verify a JWS signature.
*
*
A {@code SigningKeyResolver} is necessary when the signing key is not already known before parsing the JWT and the
- * JWT header or payload (plaintext body or Claims) must be inspected first to determine how to look up the signing key.
+ * JWT header or payload (byte array or Claims) must be inspected first to determine how to look up the signing key.
* Once returned by the resolver, the JwtParser will then verify the JWS signature with the returned key. For
* example:
*
@@ -33,41 +33,43 @@
* //inspect the header or claims, lookup and return the signing key
* return getSigningKeyBytes(header, claims); //implement me
* }})
- * .parseClaimsJws(compact);
+ * .build().parseSignedClaims(compact);
*
*
* A {@code SigningKeyResolver} is invoked once during parsing before the signature is verified.
*
- * SigningKeyResolverAdapter
+ * Using an Adapter
*
- * If you only need to resolve a signing key for a particular JWS (either a plaintext or Claims JWS), consider using
+ *
If you only need to resolve a signing key for a particular JWS (either a content or Claims JWS), consider using
* the {@link io.jsonwebtoken.SigningKeyResolverAdapter} and overriding only the method you need to support instead of
* implementing this interface directly.
*
- * @see io.jsonwebtoken.SigningKeyResolverAdapter
+ * @see io.jsonwebtoken.JwtParserBuilder#keyLocator(Locator)
* @since 0.4
+ * @deprecated since 0.12.0. Implement {@link Locator} instead.
*/
+@Deprecated
public interface SigningKeyResolver {
/**
* Returns the signing key that should be used to validate a digital signature for the Claims JWS with the specified
* header and claims.
*
* @param header the header of the JWS to validate
- * @param claims the claims (body) of the JWS to validate
+ * @param claims the Claims payload of the JWS to validate
* @return the signing key that should be used to validate a digital signature for the Claims JWS with the specified
* header and claims.
*/
Key resolveSigningKey(JwsHeader header, Claims claims);
/**
- * Returns the signing key that should be used to validate a digital signature for the Plaintext JWS with the
- * specified header and plaintext payload.
+ * Returns the signing key that should be used to validate a digital signature for the content JWS with the
+ * specified header and byte array payload.
*
- * @param header the header of the JWS to validate
- * @param plaintext the plaintext body of the JWS to validate
- * @return the signing key that should be used to validate a digital signature for the Plaintext JWS with the
- * specified header and plaintext payload.
+ * @param header the header of the JWS to validate
+ * @param content the byte array payload of the JWS to validate
+ * @return the signing key that should be used to validate a digital signature for the content JWS with the
+ * specified header and byte array payload.
*/
- Key resolveSigningKey(JwsHeader header, String plaintext);
+ Key resolveSigningKey(JwsHeader header, byte[] content);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SigningKeyResolverAdapter.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SigningKeyResolverAdapter.java (.../SigningKeyResolverAdapter.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SigningKeyResolverAdapter.java (.../SigningKeyResolverAdapter.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -21,44 +21,67 @@
import java.security.Key;
/**
- * An Adapter implementation of the
+ * Deprecation Notice
+ *
+ * As of JJWT 0.12.0, various Resolver concepts (including the {@code SigningKeyResolver}) have been
+ * unified into a single {@link Locator} interface. For key location, (for both signing and encryption keys),
+ * use the {@link JwtParserBuilder#keyLocator(Locator)} to configure a parser with your desired Key locator instead
+ * of using a {@code SigningKeyResolver}. Also see {@link LocatorAdapter} for the Adapter pattern parallel of this
+ * class. This {@code SigningKeyResolverAdapter} class will be removed before the 1.0 release.
+ *
+ * Previous Documentation
+ *
+ * An Adapter implementation of the
* {@link SigningKeyResolver} interface that allows subclasses to process only the type of JWS body that
- * is known/expected for a particular case.
+ * is known/expected for a particular case.
*
- * The {@link #resolveSigningKey(JwsHeader, Claims)} and {@link #resolveSigningKey(JwsHeader, String)} method
+ *
The {@link #resolveSigningKey(JwsHeader, Claims)} and {@link #resolveSigningKey(JwsHeader, byte[])} method
* implementations delegate to the
- * {@link #resolveSigningKeyBytes(JwsHeader, Claims)} and {@link #resolveSigningKeyBytes(JwsHeader, String)} methods
+ * {@link #resolveSigningKeyBytes(JwsHeader, Claims)} and {@link #resolveSigningKeyBytes(JwsHeader, byte[])} methods
* respectively. The latter two methods simply throw exceptions: they represent scenarios expected by
* calling code in known situations, and it is expected that you override the implementation in those known situations;
* non-overridden *KeyBytes methods indicates that the JWS input was unexpected.
*
- * If either {@link #resolveSigningKey(JwsHeader, String)} or {@link #resolveSigningKey(JwsHeader, Claims)}
+ *
If either {@link #resolveSigningKey(JwsHeader, byte[])} or {@link #resolveSigningKey(JwsHeader, Claims)}
* are not overridden, one (or both) of the *KeyBytes variants must be overridden depending on your expected
* use case. You do not have to override any method that does not represent an expected condition.
*
+ * @see io.jsonwebtoken.JwtParserBuilder#keyLocator(Locator)
+ * @see LocatorAdapter
* @since 0.4
+ * @deprecated since 0.12.0. Use {@link LocatorAdapter LocatorAdapter} with
+ * {@link JwtParserBuilder#keyLocator(Locator)}
*/
+@SuppressWarnings("DeprecatedIsStillUsed")
+@Deprecated
public class SigningKeyResolverAdapter implements SigningKeyResolver {
+ /**
+ * Default constructor.
+ */
+ public SigningKeyResolverAdapter() {
+
+ }
+
@Override
public Key resolveSigningKey(JwsHeader header, Claims claims) {
SignatureAlgorithm alg = SignatureAlgorithm.forName(header.getAlgorithm());
- Assert.isTrue(alg.isHmac(), "The default resolveSigningKey(JwsHeader, Claims) implementation cannot be " +
- "used for asymmetric key algorithms (RSA, Elliptic Curve). " +
- "Override the resolveSigningKey(JwsHeader, Claims) method instead and return a " +
- "Key instance appropriate for the " + alg.name() + " algorithm.");
+ Assert.isTrue(alg.isHmac(), "The default resolveSigningKey(JwsHeader, Claims) implementation cannot " +
+ "be used for asymmetric key algorithms (RSA, Elliptic Curve). " +
+ "Override the resolveSigningKey(JwsHeader, Claims) method instead and return a " +
+ "Key instance appropriate for the " + alg.name() + " algorithm.");
byte[] keyBytes = resolveSigningKeyBytes(header, claims);
return new SecretKeySpec(keyBytes, alg.getJcaName());
}
@Override
- public Key resolveSigningKey(JwsHeader header, String plaintext) {
+ public Key resolveSigningKey(JwsHeader header, byte[] content) {
SignatureAlgorithm alg = SignatureAlgorithm.forName(header.getAlgorithm());
- Assert.isTrue(alg.isHmac(), "The default resolveSigningKey(JwsHeader, String) implementation cannot be " +
- "used for asymmetric key algorithms (RSA, Elliptic Curve). " +
- "Override the resolveSigningKey(JwsHeader, String) method instead and return a " +
- "Key instance appropriate for the " + alg.name() + " algorithm.");
- byte[] keyBytes = resolveSigningKeyBytes(header, plaintext);
+ Assert.isTrue(alg.isHmac(), "The default resolveSigningKey(JwsHeader, byte[]) implementation cannot " +
+ "be used for asymmetric key algorithms (RSA, Elliptic Curve). " +
+ "Override the resolveSigningKey(JwsHeader, byte[]) method instead and return a " +
+ "Key instance appropriate for the " + alg.name() + " algorithm.");
+ byte[] keyBytes = resolveSigningKeyBytes(header, content);
return new SecretKeySpec(keyBytes, alg.getJcaName());
}
@@ -76,24 +99,25 @@
*/
public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
throw new UnsupportedJwtException("The specified SigningKeyResolver implementation does not support " +
- "Claims JWS signing key resolution. Consider overriding either the " +
- "resolveSigningKey(JwsHeader, Claims) method or, for HMAC algorithms, the " +
- "resolveSigningKeyBytes(JwsHeader, Claims) method.");
+ "Claims JWS signing key resolution. Consider overriding either the " +
+ "resolveSigningKey(JwsHeader, Claims) method or, for HMAC algorithms, the " +
+ "resolveSigningKeyBytes(JwsHeader, Claims) method.");
}
/**
- * Convenience method invoked by {@link #resolveSigningKey(JwsHeader, String)} that obtains the necessary signing
- * key bytes. This implementation simply throws an exception: if the JWS parsed is a plaintext JWS, you must
- * override this method or the {@link #resolveSigningKey(JwsHeader, String)} method instead.
+ * Convenience method invoked by {@link #resolveSigningKey(JwsHeader, byte[])} that obtains the necessary signing
+ * key bytes. This implementation simply throws an exception: if the JWS parsed is a content JWS, you must
+ * override this method or the {@link #resolveSigningKey(JwsHeader, byte[])} method instead.
*
- * @param header the parsed {@link JwsHeader}
- * @param payload the parsed String plaintext payload
+ * @param header the parsed {@link JwsHeader}
+ * @param content the byte array payload
* @return the signing key bytes to use to verify the JWS signature.
*/
- public byte[] resolveSigningKeyBytes(JwsHeader header, String payload) {
+ @SuppressWarnings("unused")
+ public byte[] resolveSigningKeyBytes(JwsHeader header, byte[] content) {
throw new UnsupportedJwtException("The specified SigningKeyResolver implementation does not support " +
- "plaintext JWS signing key resolution. Consider overriding either the " +
- "resolveSigningKey(JwsHeader, String) method or, for HMAC algorithms, the " +
- "resolveSigningKeyBytes(JwsHeader, String) method.");
+ "content JWS signing key resolution. Consider overriding either the " +
+ "resolveSigningKey(JwsHeader, byte[]) method or, for HMAC algorithms, the " +
+ "resolveSigningKeyBytes(JwsHeader, byte[]) method.");
}
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SupportedJwtVisitor.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SupportedJwtVisitor.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/SupportedJwtVisitor.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,200 @@
+/*
+ * Copyright © 2023 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken;
+
+import io.jsonwebtoken.lang.Assert;
+
+/**
+ * A {@code JwtVisitor} that guarantees only supported JWT instances are handled, rejecting
+ * all other (unsupported) JWTs with {@link UnsupportedJwtException}s. A JWT is considered supported
+ * only if the type-specific handler method is overridden by a subclass.
+ *
+ * @param the type of value returned from the subclass handler method implementation.
+ * @since 0.12.0
+ */
+public class SupportedJwtVisitor implements JwtVisitor {
+
+ /**
+ * Default constructor, does not initialize any internal state.
+ */
+ public SupportedJwtVisitor() {
+ }
+
+ /**
+ * Handles an encountered unsecured JWT by delegating to either {@link #onUnsecuredContent(Jwt)} or
+ * {@link #onUnsecuredClaims(Jwt)} depending on the payload type.
+ *
+ * @param jwt the parsed unsecured JWT
+ * @return the value returned by either {@link #onUnsecuredContent(Jwt)} or {@link #onUnsecuredClaims(Jwt)}
+ * depending on the payload type.
+ * @throws UnsupportedJwtException if the payload is neither a {@code byte[]} nor {@code Claims}, or either
+ * delegate method throws the same.
+ */
+ @SuppressWarnings("unchecked")
+ @Override
+ public T visit(Jwt jwt) {
+ Assert.notNull(jwt, "JWT cannot be null.");
+ Object payload = jwt.getPayload();
+ if (payload instanceof byte[]) {
+ return onUnsecuredContent((Jwt) jwt);
+ } else {
+ // only other type we support:
+ Assert.stateIsInstance(Claims.class, payload, "Unexpected payload data type: ");
+ return onUnsecuredClaims((Jwt) jwt);
+ }
+ }
+
+ /**
+ * Handles an encountered unsecured content JWT - one that is not cryptographically signed nor
+ * encrypted, and has a byte[] array payload. If the JWT creator has set the (optional)
+ * {@link Header#getContentType()} value, the application may inspect that value to determine how to convert
+ * the byte array to the final type as desired.
+ *
+ * The default implementation immediately throws an {@link UnsupportedJwtException}; it is expected that
+ * subclasses will override this method if the application needs to support this type of JWT.
+ *
+ * @param jwt the parsed unsecured content JWT
+ * @return any object to be used after inspecting the JWT, or {@code null} if no return value is necessary.
+ * @throws UnsupportedJwtException by default, expecting the subclass implementation to override as necessary.
+ */
+ public T onUnsecuredContent(Jwt jwt) throws UnsupportedJwtException {
+ throw new UnsupportedJwtException("Unexpected unsecured content JWT.");
+ }
+
+ /**
+ * Handles an encountered unsecured Claims JWT - one that is not cryptographically signed nor
+ * encrypted, and has a {@link Claims} payload.
+ *
+ * The default implementation immediately throws an {@link UnsupportedJwtException}; it is expected that
+ * subclasses will override this method if the application needs to support this type of JWT.
+ *
+ * @param jwt the parsed unsecured content JWT
+ * @return any object to be used after inspecting the JWT, or {@code null} if no return value is necessary.
+ * @throws UnsupportedJwtException by default, expecting the subclass implementation to override as necessary.
+ */
+ public T onUnsecuredClaims(Jwt jwt) {
+ throw new UnsupportedJwtException("Unexpected unsecured Claims JWT.");
+ }
+
+ /**
+ * Handles an encountered JSON Web Token (aka 'JWS') message that has been cryptographically verified/authenticated
+ * by delegating to either {@link #onVerifiedContent(Jws)} or {@link #onVerifiedClaims(Jws)} depending on the payload
+ * type.
+ *
+ * @param jws the parsed verified/authenticated JWS.
+ * @return the value returned by either {@link #onVerifiedContent(Jws)} or {@link #onVerifiedClaims(Jws)}
+ * depending on the payload type.
+ * @throws UnsupportedJwtException if the payload is neither a {@code byte[]} nor {@code Claims}, or either
+ * delegate method throws the same.
+ */
+ @SuppressWarnings("unchecked")
+ @Override
+ public T visit(Jws jws) {
+ Assert.notNull(jws, "JWS cannot be null.");
+ Object payload = jws.getPayload();
+ if (payload instanceof byte[]) {
+ return onVerifiedContent((Jws) jws);
+ } else {
+ Assert.stateIsInstance(Claims.class, payload, "Unexpected payload data type: ");
+ return onVerifiedClaims((Jws) jws);
+ }
+ }
+
+ /**
+ * Handles an encountered JWS message that has been cryptographically verified/authenticated and has
+ * a byte[] array payload. If the JWT creator has set the (optional) {@link Header#getContentType()} value, the
+ * application may inspect that value to determine how to convert the byte array to the final type as desired.
+ *
+ * The default implementation immediately throws an {@link UnsupportedJwtException}; it is expected that
+ * subclasses will override this method if the application needs to support this type of JWT.
+ *
+ * @param jws the parsed verified/authenticated JWS.
+ * @return any object to be used after inspecting the JWS, or {@code null} if no return value is necessary.
+ * @throws UnsupportedJwtException by default, expecting the subclass implementation to override as necessary.
+ */
+ public T onVerifiedContent(Jws jws) {
+ throw new UnsupportedJwtException("Unexpected content JWS.");
+ }
+
+ /**
+ * Handles an encountered JWS message that has been cryptographically verified/authenticated and has a
+ * {@link Claims} payload.
+ *
+ * The default implementation immediately throws an {@link UnsupportedJwtException}; it is expected that
+ * subclasses will override this method if the application needs to support this type of JWT.
+ *
+ * @param jws the parsed signed (and verified) Claims JWS
+ * @return any object to be used after inspecting the JWS, or {@code null} if no return value is necessary.
+ * @throws UnsupportedJwtException by default, expecting the subclass implementation to override as necessary.
+ */
+ public T onVerifiedClaims(Jws jws) {
+ throw new UnsupportedJwtException("Unexpected Claims JWS.");
+ }
+
+ /**
+ * Handles an encountered JSON Web Encryption (aka 'JWE') message that has been authenticated and decrypted by
+ * delegating to either {@link #onDecryptedContent(Jwe)} or {@link #onDecryptedClaims(Jwe)} depending on the
+ * payload type.
+ *
+ * @param jwe the parsed authenticated and decrypted JWE.
+ * @return the value returned by either {@link #onDecryptedContent(Jwe)} or {@link #onDecryptedClaims(Jwe)}
+ * depending on the payload type.
+ * @throws UnsupportedJwtException if the payload is neither a {@code byte[]} nor {@code Claims}, or either
+ * delegate method throws the same.
+ */
+ @SuppressWarnings("unchecked")
+ @Override
+ public T visit(Jwe jwe) {
+ Assert.notNull(jwe, "JWE cannot be null.");
+ Object payload = jwe.getPayload();
+ if (payload instanceof byte[]) {
+ return onDecryptedContent((Jwe) jwe);
+ } else {
+ Assert.stateIsInstance(Claims.class, payload, "Unexpected payload data type: ");
+ return onDecryptedClaims((Jwe) jwe);
+ }
+ }
+
+ /**
+ * Handles an encountered JWE message that has been authenticated and decrypted, and has byte[] array payload. If
+ * the JWT creator has set the (optional) {@link Header#getContentType()} value, the application may inspect that
+ * value to determine how to convert the byte array to the final type as desired.
+ *
+ * The default implementation immediately throws an {@link UnsupportedJwtException}; it is expected that
+ * subclasses will override this method if the application needs to support this type of JWT.
+ *
+ * @param jwe the parsed authenticated and decrypted content JWE.
+ * @return any object to be used after inspecting the JWS, or {@code null} if no return value is necessary.
+ * @throws UnsupportedJwtException by default, expecting the subclass implementation to override as necessary.
+ */
+ public T onDecryptedContent(Jwe jwe) {
+ throw new UnsupportedJwtException("Unexpected content JWE.");
+ }
+
+ /**
+ * Handles an encountered JWE message that has been authenticated and decrypted, and has a {@link Claims} payload.
+ *
+ * The default implementation immediately throws an {@link UnsupportedJwtException}; it is expected that
+ * subclasses will override this method if the application needs to support this type of JWT.
+ *
+ * @param jwe the parsed authenticated and decrypted content JWE.
+ * @return any object to be used after inspecting the JWE, or {@code null} if no return value is necessary.
+ * @throws UnsupportedJwtException by default, expecting the subclass implementation to override as necessary.
+ */
+ public T onDecryptedClaims(Jwe jwe) {
+ throw new UnsupportedJwtException("Unexpected Claims JWE.");
+ }
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/UnsupportedJwtException.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/UnsupportedJwtException.java (.../UnsupportedJwtException.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/UnsupportedJwtException.java (.../UnsupportedJwtException.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -19,17 +19,28 @@
* Exception thrown when receiving a JWT in a particular format/configuration that does not match the format expected
* by the application.
*
- * For example, this exception would be thrown if parsing an unsigned plaintext JWT when the application
+ *
For example, this exception would be thrown if parsing an unprotected content JWT when the application
* requires a cryptographically signed Claims JWS instead.
*
* @since 0.2
*/
public class UnsupportedJwtException extends JwtException {
+ /**
+ * Creates a new instance with the specified explanation message.
+ *
+ * @param message the message explaining why the exception is thrown.
+ */
public UnsupportedJwtException(String message) {
super(message);
}
+ /**
+ * Creates a new instance with the specified explanation message and underlying cause.
+ *
+ * @param message the message explaining why the exception is thrown.
+ * @param cause the underlying cause that resulted in this exception being thrown.
+ */
public UnsupportedJwtException(String message, Throwable cause) {
super(message, cause);
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/AbstractAudienceCollection.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/AbstractAudienceCollection.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/AbstractAudienceCollection.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,34 @@
+/*
+ * Copyright © 2023 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.impl;
+
+import io.jsonwebtoken.ClaimsMutator;
+import io.jsonwebtoken.impl.lang.DefaultNestedCollection;
+
+import java.util.Collection;
+
+/**
+ * Abstract NestedCollection that requires the AudienceCollection interface to be implemented.
+ *
+ * @param type of parent to return
+ * @since 0.12.0
+ */
+abstract class AbstractAudienceCollection
extends DefaultNestedCollection
+ implements ClaimsMutator.AudienceCollection {
+ protected AbstractAudienceCollection(P parent, Collection seed) {
+ super(parent, seed);
+ }
+}
\ No newline at end of file
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/AbstractX509Context.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/AbstractX509Context.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/AbstractX509Context.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2023 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.impl;
+
+import io.jsonwebtoken.impl.lang.Parameter;
+import io.jsonwebtoken.impl.security.AbstractAsymmetricJwk;
+import io.jsonwebtoken.security.X509Mutator;
+
+import java.net.URI;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Set;
+
+public class AbstractX509Context> extends ParameterMap implements X509Context {
+
+ public AbstractX509Context(Set> params) {
+ super(params);
+ }
+
+ @SuppressWarnings("unchecked")
+ protected T self() {
+ return (T) this;
+ }
+
+ @Override
+ public URI getX509Url() {
+ return get(AbstractAsymmetricJwk.X5U);
+ }
+
+ @Override
+ public T x509Url(URI uri) {
+ put(AbstractAsymmetricJwk.X5U, uri);
+ return self();
+ }
+
+ @Override
+ public List getX509Chain() {
+ return get(AbstractAsymmetricJwk.X5C);
+ }
+
+ @Override
+ public T x509Chain(List chain) {
+ put(AbstractAsymmetricJwk.X5C, chain);
+ return self();
+ }
+
+ @Override
+ public byte[] getX509Sha1Thumbprint() {
+ return get(AbstractAsymmetricJwk.X5T);
+ }
+
+ @Override
+ public T x509Sha1Thumbprint(byte[] thumbprint) {
+ put(AbstractAsymmetricJwk.X5T, thumbprint);
+ return self();
+ }
+
+ @Override
+ public byte[] getX509Sha256Thumbprint() {
+ return get(AbstractAsymmetricJwk.X5T_S256);
+ }
+
+ @Override
+ public T x509Sha256Thumbprint(byte[] thumbprint) {
+ put(AbstractAsymmetricJwk.X5T_S256, thumbprint);
+ return self();
+ }
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/CompressionCodecLocator.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/CompressionCodecLocator.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/CompressionCodecLocator.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.impl;
+
+import io.jsonwebtoken.CompressionCodecResolver;
+import io.jsonwebtoken.Header;
+import io.jsonwebtoken.Locator;
+import io.jsonwebtoken.impl.lang.Function;
+import io.jsonwebtoken.io.CompressionAlgorithm;
+import io.jsonwebtoken.lang.Assert;
+
+//TODO: delete when deleting CompressionCodecResolver
+public class CompressionCodecLocator implements Function, Locator {
+
+ private final CompressionCodecResolver resolver;
+
+ public CompressionCodecLocator(CompressionCodecResolver resolver) {
+ this.resolver = Assert.notNull(resolver, "CompressionCodecResolver cannot be null.");
+ }
+
+ @Override
+ public CompressionAlgorithm apply(Header header) {
+ return locate(header);
+ }
+
+ @Override
+ public CompressionAlgorithm locate(Header header) {
+ return resolver.resolveCompressionCodec(header);
+ }
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultClaims.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultClaims.java (.../DefaultClaims.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultClaims.java (.../DefaultClaims.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -17,154 +17,137 @@
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.RequiredTypeException;
+import io.jsonwebtoken.impl.lang.JwtDateConverter;
+import io.jsonwebtoken.impl.lang.Parameter;
+import io.jsonwebtoken.impl.lang.Parameters;
+import io.jsonwebtoken.lang.Assert;
+import io.jsonwebtoken.lang.Registry;
+
import java.util.Date;
import java.util.Map;
+import java.util.Set;
-public class DefaultClaims extends JwtMap implements Claims {
+public class DefaultClaims extends ParameterMap implements Claims {
private static final String CONVERSION_ERROR_MSG = "Cannot convert existing claim value of type '%s' to desired type " +
"'%s'. JJWT only converts simple String, Date, Long, Integer, Short and Byte types automatically. " +
"Anything more complex is expected to be already converted to your desired type by the JSON Deserializer " +
"implementation. You may specify a custom Deserializer for a JwtParser with the desired conversion " +
- "configuration via the JwtParserBuilder.deserializeJsonWith() method. " +
+ "configuration via the JwtParserBuilder.deserializer() method. " +
"See https://github.com/jwtk/jjwt#custom-json-processor for more information. If using Jackson, you can " +
"specify custom claim POJO types as described in https://github.com/jwtk/jjwt#json-jackson-custom-types";
- public DefaultClaims() {
- super();
- }
+ static final Parameter ISSUER = Parameters.string(Claims.ISSUER, "Issuer");
+ static final Parameter SUBJECT = Parameters.string(Claims.SUBJECT, "Subject");
+ static final Parameter> AUDIENCE = Parameters.stringSet(Claims.AUDIENCE, "Audience");
+ static final Parameter EXPIRATION = Parameters.rfcDate(Claims.EXPIRATION, "Expiration Time");
+ static final Parameter NOT_BEFORE = Parameters.rfcDate(Claims.NOT_BEFORE, "Not Before");
+ static final Parameter ISSUED_AT = Parameters.rfcDate(Claims.ISSUED_AT, "Issued At");
+ static final Parameter JTI = Parameters.string(Claims.ID, "JWT ID");
- public DefaultClaims(Map map) {
- super(map);
+ static final Registry> PARAMS =
+ Parameters.registry(ISSUER, SUBJECT, AUDIENCE, EXPIRATION, NOT_BEFORE, ISSUED_AT, JTI);
+
+ protected DefaultClaims() { // visibility for testing
+ super(PARAMS);
}
- @Override
- public String getIssuer() {
- return getString(ISSUER);
+ public DefaultClaims(ParameterMap m) {
+ super(m.PARAMS, m);
}
- @Override
- public Claims setIssuer(String iss) {
- setValue(ISSUER, iss);
- return this;
+ public DefaultClaims(Map map) {
+ super(PARAMS, map);
}
@Override
- public String getSubject() {
- return getString(SUBJECT);
+ public String getName() {
+ return "JWT Claims";
}
@Override
- public Claims setSubject(String sub) {
- setValue(SUBJECT, sub);
- return this;
+ public String getIssuer() {
+ return get(ISSUER);
}
@Override
- public String getAudience() {
- return getString(AUDIENCE);
+ public String getSubject() {
+ return get(SUBJECT);
}
@Override
- public Claims setAudience(String aud) {
- setValue(AUDIENCE, aud);
- return this;
+ public Set getAudience() {
+ return get(AUDIENCE);
}
@Override
public Date getExpiration() {
- return get(Claims.EXPIRATION, Date.class);
+ return get(EXPIRATION);
}
@Override
- public Claims setExpiration(Date exp) {
- setDateAsSeconds(Claims.EXPIRATION, exp);
- return this;
- }
-
- @Override
public Date getNotBefore() {
- return get(Claims.NOT_BEFORE, Date.class);
+ return get(NOT_BEFORE);
}
@Override
- public Claims setNotBefore(Date nbf) {
- setDateAsSeconds(Claims.NOT_BEFORE, nbf);
- return this;
- }
-
- @Override
public Date getIssuedAt() {
- return get(Claims.ISSUED_AT, Date.class);
+ return get(ISSUED_AT);
}
@Override
- public Claims setIssuedAt(Date iat) {
- setDateAsSeconds(Claims.ISSUED_AT, iat);
- return this;
- }
-
- @Override
public String getId() {
- return getString(ID);
+ return get(JTI);
}
@Override
- public Claims setId(String jti) {
- setValue(Claims.ID, jti);
- return this;
- }
+ public T get(String claimName, Class requiredType) {
+ Assert.notNull(requiredType, "requiredType argument cannot be null.");
- /**
- * @since 0.10.0
- */
- private static boolean isSpecDate(String claimName) {
- return Claims.EXPIRATION.equals(claimName) ||
- Claims.ISSUED_AT.equals(claimName) ||
- Claims.NOT_BEFORE.equals(claimName);
- }
-
- @Override
- public Object put(String s, Object o) {
- if (o instanceof Date && isSpecDate(s)) { //since 0.10.0
- Date date = (Date)o;
- return setDateAsSeconds(s, date);
+ Object value = this.idiomaticValues.get(claimName);
+ if (requiredType.isInstance(value)) {
+ return requiredType.cast(value);
}
- return super.put(s, o);
- }
- @Override
- public T get(String claimName, Class requiredType) {
-
- Object value = get(claimName);
+ value = get(claimName);
if (value == null) {
return null;
}
if (Date.class.equals(requiredType)) {
- if (isSpecDate(claimName)) {
- value = toSpecDate(value, claimName);
- } else {
- value = toDate(value, claimName);
+ try {
+ value = JwtDateConverter.toDate(value); // NOT specDate logic
+ } catch (Exception e) {
+ String msg = "Cannot create Date from '" + claimName + "' value '" + value + "'. Cause: " + e.getMessage();
+ throw new IllegalArgumentException(msg, e);
}
}
- return castClaimValue(value, requiredType);
+ return castClaimValue(claimName, value, requiredType);
}
- private T castClaimValue(Object value, Class requiredType) {
+ private T castClaimValue(String name, Object value, Class requiredType) {
- if (value instanceof Integer) {
- int intValue = (Integer) value;
- if (requiredType == Long.class) {
- value = (long) intValue;
- } else if (requiredType == Short.class && Short.MIN_VALUE <= intValue && intValue <= Short.MAX_VALUE) {
- value = (short) intValue;
- } else if (requiredType == Byte.class && Byte.MIN_VALUE <= intValue && intValue <= Byte.MAX_VALUE) {
- value = (byte) intValue;
+ if (value instanceof Long || value instanceof Integer || value instanceof Short || value instanceof Byte) {
+ long longValue = ((Number) value).longValue();
+ if (Long.class.equals(requiredType)) {
+ value = longValue;
+ } else if (Integer.class.equals(requiredType) && Integer.MIN_VALUE <= longValue && longValue <= Integer.MAX_VALUE) {
+ value = (int) longValue;
+ } else if (requiredType == Short.class && Short.MIN_VALUE <= longValue && longValue <= Short.MAX_VALUE) {
+ value = (short) longValue;
+ } else if (requiredType == Byte.class && Byte.MIN_VALUE <= longValue && longValue <= Byte.MAX_VALUE) {
+ value = (byte) longValue;
}
}
+ if (value instanceof Long &&
+ (requiredType.equals(Integer.class) || requiredType.equals(Short.class) || requiredType.equals(Byte.class))) {
+ String msg = "Claim '" + name + "' value is too large or too small to be represented as a " +
+ requiredType.getName() + " instance (would cause numeric overflow).";
+ throw new RequiredTypeException(msg);
+ }
+
if (!requiredType.isInstance(value)) {
throw new RequiredTypeException(String.format(CONVERSION_ERROR_MSG, value.getClass(), requiredType));
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultClaimsBuilder.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultClaimsBuilder.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultClaimsBuilder.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,37 @@
+/*
+ * Copyright © 2023 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.impl;
+
+import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.ClaimsBuilder;
+
+/**
+ * @since 0.12.0
+ */
+@SuppressWarnings("unused") // used via reflection via Jwts.claims()
+public final class DefaultClaimsBuilder extends DelegatingClaimsMutator
+ implements ClaimsBuilder {
+
+ public DefaultClaimsBuilder() {
+ super();
+ }
+
+ @Override
+ public Claims build() {
+ // ensure a new instance is returned so that the builder may be re-used:
+ return new DefaultClaims(this.DELEGATE);
+ }
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultHeader.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultHeader.java (.../DefaultHeader.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultHeader.java (.../DefaultHeader.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -16,57 +16,65 @@
package io.jsonwebtoken.impl;
import io.jsonwebtoken.Header;
+import io.jsonwebtoken.impl.lang.CompactMediaTypeIdConverter;
+import io.jsonwebtoken.impl.lang.Parameter;
+import io.jsonwebtoken.impl.lang.Parameters;
+import io.jsonwebtoken.lang.Registry;
import io.jsonwebtoken.lang.Strings;
import java.util.Map;
-@SuppressWarnings("unchecked")
-public class DefaultHeader> extends JwtMap implements Header {
+public class DefaultHeader extends ParameterMap implements Header {
- public DefaultHeader() {
- super();
+ static final Parameter TYPE = Parameters.string(Header.TYPE, "Type");
+ static final Parameter CONTENT_TYPE = Parameters.builder(String.class)
+ .setId(Header.CONTENT_TYPE).setName("Content Type")
+ .setConverter(CompactMediaTypeIdConverter.INSTANCE).build();
+ static final Parameter ALGORITHM = Parameters.string(Header.ALGORITHM, "Algorithm");
+ static final Parameter COMPRESSION_ALGORITHM =
+ Parameters.string(Header.COMPRESSION_ALGORITHM, "Compression Algorithm");
+ @SuppressWarnings("DeprecatedIsStillUsed")
+ @Deprecated // TODO: remove for 1.0.0:
+ static final Parameter DEPRECATED_COMPRESSION_ALGORITHM =
+ Parameters.string(Header.DEPRECATED_COMPRESSION_ALGORITHM, "Deprecated Compression Algorithm");
+
+ static final Registry> PARAMS =
+ Parameters.registry(TYPE, CONTENT_TYPE, ALGORITHM, COMPRESSION_ALGORITHM, DEPRECATED_COMPRESSION_ALGORITHM);
+
+ public DefaultHeader(Map values) {
+ super(PARAMS, values);
}
- public DefaultHeader(Map map) {
- super(map);
+ protected DefaultHeader(Registry> registry, Map values) {
+ super(registry, values);
}
@Override
- public String getType() {
- return getString(TYPE);
+ public String getName() {
+ return "JWT header";
}
@Override
- public T setType(String typ) {
- setValue(TYPE, typ);
- return (T)this;
+ public String getType() {
+ return get(TYPE);
}
@Override
public String getContentType() {
- return getString(CONTENT_TYPE);
+ return get(CONTENT_TYPE);
}
@Override
- public T setContentType(String cty) {
- setValue(CONTENT_TYPE, cty);
- return (T)this;
+ public String getAlgorithm() {
+ return get(ALGORITHM);
}
- @SuppressWarnings("deprecation")
@Override
public String getCompressionAlgorithm() {
- String alg = getString(COMPRESSION_ALGORITHM);
- if (!Strings.hasText(alg)) {
- alg = getString(DEPRECATED_COMPRESSION_ALGORITHM);
+ String s = get(COMPRESSION_ALGORITHM);
+ if (!Strings.hasText(s)) {
+ s = get(DEPRECATED_COMPRESSION_ALGORITHM);
}
- return alg;
+ return s;
}
-
- @Override
- public T setCompressionAlgorithm(String compressionAlgorithm) {
- setValue(COMPRESSION_ALGORITHM, compressionAlgorithm);
- return (T) this;
- }
-
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwe.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwe.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwe.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.impl;
+
+import io.jsonwebtoken.Jwe;
+import io.jsonwebtoken.JweHeader;
+import io.jsonwebtoken.JwtVisitor;
+import io.jsonwebtoken.io.Encoders;
+import io.jsonwebtoken.lang.Assert;
+import io.jsonwebtoken.lang.Objects;
+
+import java.security.MessageDigest;
+
+public class DefaultJwe extends DefaultProtectedJwt implements Jwe {
+
+ private static final String DIGEST_NAME = "tag";
+
+ private final byte[] iv;
+
+ public DefaultJwe(JweHeader header, P payload, byte[] iv, byte[] aadTag) {
+ super(header, payload, aadTag, DIGEST_NAME);
+ this.iv = Assert.notEmpty(iv, "Initialization vector cannot be null or empty.");
+ }
+
+ @Override
+ public byte[] getInitializationVector() {
+ return this.iv.clone();
+ }
+
+ @Override
+ protected StringBuilder toStringBuilder() {
+ return super.toStringBuilder().append(",iv=").append(Encoders.BASE64URL.encode(this.iv));
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (obj == this) {
+ return true;
+ }
+ if (obj instanceof Jwe) {
+ Jwe jwe = (Jwe) obj;
+ return super.equals(jwe) && MessageDigest.isEqual(this.iv, jwe.getInitializationVector());
+ }
+ return false;
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.nullSafeHashCode(getHeader(), getPayload(), this.iv, this.digest);
+ }
+
+ @Override
+ public T accept(JwtVisitor v) {
+ return v.visit(this);
+ }
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJweHeader.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJweHeader.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJweHeader.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2021 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.impl;
+
+import io.jsonwebtoken.JweHeader;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.impl.lang.Converters;
+import io.jsonwebtoken.impl.lang.Parameter;
+import io.jsonwebtoken.impl.lang.Parameters;
+import io.jsonwebtoken.impl.lang.PositiveIntegerConverter;
+import io.jsonwebtoken.impl.lang.RequiredBitLengthConverter;
+import io.jsonwebtoken.impl.security.JwkConverter;
+import io.jsonwebtoken.lang.Registry;
+import io.jsonwebtoken.lang.Strings;
+import io.jsonwebtoken.security.PublicJwk;
+
+import java.util.Map;
+
+/**
+ * Header implementation satisfying JWE header parameter requirements.
+ *
+ * @since 0.12.0
+ */
+public class DefaultJweHeader extends DefaultProtectedHeader implements JweHeader {
+
+ static final Parameter ENCRYPTION_ALGORITHM = Parameters.string("enc", "Encryption Algorithm");
+
+ public static final Parameter> EPK = Parameters.builder(JwkConverter.PUBLIC_JWK_CLASS)
+ .setId("epk").setName("Ephemeral Public Key")
+ .setConverter(JwkConverter.PUBLIC_JWK).build();
+ static final Parameter APU = Parameters.bytes("apu", "Agreement PartyUInfo").build();
+ static final Parameter APV = Parameters.bytes("apv", "Agreement PartyVInfo").build();
+
+ // https://www.rfc-editor.org/rfc/rfc7518.html#section-4.7.1.1 says 96 bits required:
+ public static final Parameter IV = Parameters.bytes("iv", "Initialization Vector")
+ .setConverter(new RequiredBitLengthConverter(Converters.BASE64URL_BYTES, 96)).build();
+
+ // https://www.rfc-editor.org/rfc/rfc7518.html#section-4.7.1.2 says 128 bits required:
+ public static final Parameter TAG = Parameters.bytes("tag", "Authentication Tag")
+ .setConverter(new RequiredBitLengthConverter(Converters.BASE64URL_BYTES, 128)).build();
+
+ // https://www.rfc-editor.org/rfc/rfc7518.html#section-4.8.1.1 says at least 64 bits (8 bytes) is required:
+ public static final Parameter P2S = Parameters.bytes("p2s", "PBES2 Salt Input")
+ .setConverter(new RequiredBitLengthConverter(Converters.BASE64URL_BYTES, 64, false)).build();
+ public static final Parameter P2C = Parameters.builder(Integer.class)
+ .setConverter(PositiveIntegerConverter.INSTANCE).setId("p2c").setName("PBES2 Count").build();
+
+ static final Registry> PARAMS =
+ Parameters.registry(DefaultProtectedHeader.PARAMS, ENCRYPTION_ALGORITHM, EPK, APU, APV, IV, TAG, P2S, P2C);
+
+ static boolean isCandidate(ParameterMap map) {
+ String id = map.get(DefaultHeader.ALGORITHM);
+ return Strings.hasText(id) && !id.equalsIgnoreCase(Jwts.SIG.NONE.getId()) && // alg cannot be empty or 'none'
+ Strings.hasText(map.get(ENCRYPTION_ALGORITHM)); // enc cannot be empty
+// return Strings.hasText(map.get(ENCRYPTION_ALGORITHM)) || // MUST have at least an `enc` header
+// !Collections.isEmpty(map.get(EPK)) ||
+// !Bytes.isEmpty(map.get(APU)) ||
+// !Bytes.isEmpty(map.get(APV)) ||
+// !Bytes.isEmpty(map.get(IV)) ||
+// !Bytes.isEmpty(map.get(TAG)) ||
+// !Bytes.isEmpty(map.get(P2S)) ||
+// (map.get(P2C) != null && map.get(P2C) > 0);
+
+ }
+
+ public DefaultJweHeader(Map map) {
+ super(PARAMS, map);
+ }
+
+ @Override
+ public String getName() {
+ return "JWE header";
+ }
+
+ @Override
+ public String getEncryptionAlgorithm() {
+ return get(ENCRYPTION_ALGORITHM);
+ }
+
+ @Override
+ public PublicJwk getEphemeralPublicKey() {
+ return get(EPK);
+ }
+
+ @Override
+ public byte[] getAgreementPartyUInfo() {
+ return get(APU);
+ }
+
+ @Override
+ public byte[] getAgreementPartyVInfo() {
+ return get(APV);
+ }
+
+ @Override
+ public byte[] getInitializationVector() {
+ return get(IV);
+ }
+
+ @Override
+ public byte[] getAuthenticationTag() {
+ return get(TAG);
+ }
+
+ public byte[] getPbes2Salt() {
+ return get(P2S);
+ }
+
+ @Override
+ public Integer getPbes2Count() {
+ return get(P2C);
+ }
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJweHeaderBuilder.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJweHeaderBuilder.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJweHeaderBuilder.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2023 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.impl;
+
+import io.jsonwebtoken.JweHeaderMutator;
+import io.jsonwebtoken.security.X509Builder;
+
+/**
+ * @param return type for method chaining
+ * @since 0.12.0
+ */
+public class DefaultJweHeaderBuilder & X509Builder>
+ extends DefaultJweHeaderMutator implements X509Builder {
+
+ protected DefaultJweHeaderBuilder() {
+ super();
+ }
+
+ protected DefaultJweHeaderBuilder(DefaultJweHeaderMutator src) {
+ super(src);
+ }
+
+ @Override
+ public T x509Sha1Thumbprint(boolean enable) {
+ this.x509.x509Sha1Thumbprint(enable);
+ return self();
+ }
+
+ @Override
+ public T x509Sha256Thumbprint(boolean enable) {
+ this.x509.x509Sha256Thumbprint(enable);
+ return self();
+ }
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJweHeaderMutator.java
===================================================================
diff -u
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJweHeaderMutator.java (revision 0)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJweHeaderMutator.java (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -0,0 +1,197 @@
+/*
+ * Copyright (C) 2023 jsonwebtoken.io
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.jsonwebtoken.impl;
+
+import io.jsonwebtoken.JweHeaderMutator;
+import io.jsonwebtoken.impl.lang.DefaultNestedCollection;
+import io.jsonwebtoken.impl.lang.DelegatingMapMutator;
+import io.jsonwebtoken.impl.lang.Parameter;
+import io.jsonwebtoken.impl.security.X509BuilderSupport;
+import io.jsonwebtoken.lang.Collections;
+import io.jsonwebtoken.lang.NestedCollection;
+import io.jsonwebtoken.lang.Strings;
+import io.jsonwebtoken.security.PublicJwk;
+
+import java.net.URI;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+/**
+ * @param return type for method chaining
+ * @since 0.12.0
+ */
+public class DefaultJweHeaderMutator>
+ extends DelegatingMapMutator implements JweHeaderMutator {
+
+ protected X509BuilderSupport x509;
+
+ public DefaultJweHeaderMutator() {
+ // Any type of header can be created, but JWE parameters reflect all potential standard ones, so we use those
+ // params to catch any value being set, especially through generic 'put' or 'putAll' methods:
+ super(new ParameterMap(DefaultJweHeader.PARAMS));
+ clear(); // initialize new X509Builder
+ }
+
+ public DefaultJweHeaderMutator(DefaultJweHeaderMutator src) {
+ super(src.DELEGATE);
+ this.x509 = src.x509;
+ }
+
+ // =============================================================
+ // MapMutator methods
+ // =============================================================
+
+ private T put(Parameter param, F value) {
+ this.DELEGATE.put(param, value);
+ return self();
+ }
+
+ @Override
+ public void clear() {
+ super.clear();
+ this.x509 = new X509BuilderSupport(this.DELEGATE, IllegalStateException.class);
+ }
+
+ // =============================================================
+ // JWT Header methods
+ // =============================================================
+
+// @Override
+// public T algorithm(String alg) {
+// return put(DefaultHeader.ALGORITHM, alg);
+// }
+
+ @Override
+ public T contentType(String cty) {
+ return put(DefaultHeader.CONTENT_TYPE, cty);
+ }
+
+ @Override
+ public T type(String typ) {
+ return put(DefaultHeader.TYPE, typ);
+ }
+
+ @Override
+ public T setType(String typ) {
+ return type(typ);
+ }
+
+ @Override
+ public T setContentType(String cty) {
+ return contentType(cty);
+ }
+
+ @Override
+ public T setCompressionAlgorithm(String zip) {
+ return put(DefaultHeader.COMPRESSION_ALGORITHM, zip);
+ }
+
+ // =============================================================
+ // Protected Header methods
+ // =============================================================
+
+ @Override
+ public NestedCollection critical() {
+ return new DefaultNestedCollection(self(), this.DELEGATE.get(DefaultProtectedHeader.CRIT)) {
+ @Override
+ protected void changed() {
+ put(DefaultProtectedHeader.CRIT, Collections.asSet(getCollection()));
+ }
+ };
+ }
+
+ @Override
+ public T jwk(PublicJwk jwk) {
+ return put(DefaultProtectedHeader.JWK, jwk);
+ }
+
+ @Override
+ public T jwkSetUrl(URI uri) {
+ return put(DefaultProtectedHeader.JKU, uri);
+ }
+
+ @Override
+ public T keyId(String kid) {
+ return put(DefaultProtectedHeader.KID, kid);
+ }
+
+ @Override
+ public T setKeyId(String kid) {
+ return keyId(kid);
+ }
+
+ @Override
+ public T setAlgorithm(String alg) {
+ return put(DefaultHeader.ALGORITHM, alg);
+ }
+
+ // =============================================================
+ // X.509 methods
+ // =============================================================
+
+ @Override
+ public T x509Url(URI uri) {
+ this.x509.x509Url(uri);
+ return self();
+ }
+
+ @Override
+ public T x509Chain(List chain) {
+ this.x509.x509Chain(chain);
+ return self();
+ }
+
+ @Override
+ public T x509Sha1Thumbprint(byte[] thumbprint) {
+ this.x509.x509Sha1Thumbprint(thumbprint);
+ return self();
+ }
+
+ @Override
+ public T x509Sha256Thumbprint(byte[] thumbprint) {
+ this.x509.x509Sha256Thumbprint(thumbprint);
+ return self();
+ }
+
+ // =============================================================
+ // JWE Header methods
+ // =============================================================
+
+ @Override
+ public T agreementPartyUInfo(byte[] info) {
+ return put(DefaultJweHeader.APU, info);
+ }
+
+ @Override
+ public T agreementPartyUInfo(String info) {
+ return agreementPartyUInfo(Strings.utf8(Strings.clean(info)));
+ }
+
+ @Override
+ public T agreementPartyVInfo(byte[] info) {
+ return put(DefaultJweHeader.APV, info);
+ }
+
+ @Override
+ public T agreementPartyVInfo(String info) {
+ return agreementPartyVInfo(Strings.utf8(Strings.clean(info)));
+ }
+
+ @Override
+ public T pbes2Count(int count) {
+ return put(DefaultJweHeader.P2C, count);
+ }
+}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJws.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJws.java (.../DefaultJws.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJws.java (.../DefaultJws.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -17,36 +17,27 @@
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.JwtVisitor;
+import io.jsonwebtoken.io.Decoders;
-public class DefaultJws implements Jws {
+public class DefaultJws extends DefaultProtectedJwt implements Jws {
- private final JwsHeader header;
- private final B body;
+ private static final String DIGEST_NAME = "signature";
+
private final String signature;
- public DefaultJws(JwsHeader header, B body, String signature) {
- this.header = header;
- this.body = body;
+ public DefaultJws(JwsHeader header, P payload, String signature) {
+ super(header, payload, Decoders.BASE64URL.decode(signature), DIGEST_NAME);
this.signature = signature;
}
@Override
- public JwsHeader getHeader() {
- return this.header;
- }
-
- @Override
- public B getBody() {
- return this.body;
- }
-
- @Override
public String getSignature() {
return this.signature;
}
@Override
- public String toString() {
- return "header=" + header + ",body=" + body + ",signature=" + signature;
+ public T accept(JwtVisitor v) {
+ return v.visit(this);
}
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwsHeader.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwsHeader.java (.../DefaultJwsHeader.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwsHeader.java (.../DefaultJwsHeader.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -16,39 +16,35 @@
package io.jsonwebtoken.impl;
import io.jsonwebtoken.JwsHeader;
+import io.jsonwebtoken.impl.lang.Parameter;
+import io.jsonwebtoken.impl.lang.Parameters;
+import io.jsonwebtoken.lang.Collections;
+import io.jsonwebtoken.lang.Registry;
import java.util.Map;
+import java.util.Set;
-public class DefaultJwsHeader extends DefaultHeader implements JwsHeader {
+public class DefaultJwsHeader extends DefaultProtectedHeader implements JwsHeader {
- public DefaultJwsHeader() {
- super();
- }
+ // https://datatracker.ietf.org/doc/html/rfc7797#section-3 :
+ static final Parameter B64 = Parameters.builder(Boolean.class)
+ .setId("b64").setName("Base64url-Encode Payload").build();
- public DefaultJwsHeader(Map map) {
- super(map);
- }
+ static final Registry> PARAMS = Parameters.registry(DefaultProtectedHeader.PARAMS, B64);
- @Override
- public String getAlgorithm() {
- return getString(ALGORITHM);
+ public DefaultJwsHeader(Map map) {
+ super(PARAMS, map);
}
@Override
- public JwsHeader setAlgorithm(String alg) {
- setValue(ALGORITHM, alg);
- return this;
+ public String getName() {
+ return "JWS header";
}
@Override
- public String getKeyId() {
- return getString(KEY_ID);
+ public boolean isPayloadEncoded() {
+ Set crit = Collections.nullSafe(getCritical());
+ Boolean b64 = get(B64);
+ return b64 == null || b64 || !crit.contains(B64.getId());
}
-
- @Override
- public JwsHeader setKeyId(String kid) {
- setValue(KEY_ID, kid);
- return this;
- }
-
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwt.java
===================================================================
diff -u -rdd64f16fdf89f789b8c2179d421290dcabf15835 -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwt.java (.../DefaultJwt.java) (revision dd64f16fdf89f789b8c2179d421290dcabf15835)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwt.java (.../DefaultJwt.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -17,29 +17,73 @@
import io.jsonwebtoken.Header;
import io.jsonwebtoken.Jwt;
+import io.jsonwebtoken.JwtVisitor;
+import io.jsonwebtoken.io.Encoders;
+import io.jsonwebtoken.lang.Assert;
+import io.jsonwebtoken.lang.Objects;
-public class DefaultJwt implements Jwt {
+public class DefaultJwt implements Jwt {
- private final Header header;
- private final B body;
+ private final H header;
+ private final P payload;
- public DefaultJwt(Header header, B body) {
- this.header = header;
- this.body = body;
+ public DefaultJwt(H header, P payload) {
+ this.header = Assert.notNull(header, "header cannot be null.");
+ this.payload = Assert.notNull(payload, "payload cannot be null.");
}
@Override
- public Header getHeader() {
+ public H getHeader() {
return header;
}
@Override
- public B getBody() {
- return body;
+ public P getBody() {
+ return getPayload();
}
@Override
- public String toString() {
- return "header=" + header + ",body=" + body;
+ public P getPayload() {
+ return this.payload;
}
+
+ protected StringBuilder toStringBuilder() {
+ StringBuilder sb = new StringBuilder(100);
+ sb.append("header=").append(header).append(",payload=");
+ if (payload instanceof byte[]) {
+ String encoded = Encoders.BASE64URL.encode((byte[]) payload);
+ sb.append(encoded);
+ } else {
+ sb.append(payload);
+ }
+ return sb;
+ }
+
+ @Override
+ public final String toString() {
+ return toStringBuilder().toString();
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (obj == this) {
+ return true;
+ }
+ if (obj instanceof Jwt) {
+ Jwt jwt = (Jwt) obj;
+ return Objects.nullSafeEquals(header, jwt.getHeader()) &&
+ Objects.nullSafeEquals(payload, jwt.getPayload());
+ }
+ return false;
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.nullSafeHashCode(header, payload);
+ }
+
+ @Override
+ public T accept(JwtVisitor v) {
+ return v.visit(this);
+ }
}
Index: 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwtBuilder.java
===================================================================
diff -u -r0761df64c22d4bca1649836fda23e4526282498b -rca3e06f3b65d2880d69fd5278773c5c71e1ca3e7
--- 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwtBuilder.java (.../DefaultJwtBuilder.java) (revision 0761df64c22d4bca1649836fda23e4526282498b)
+++ 3rdParty_sources/jsonwebtoken/io/jsonwebtoken/impl/DefaultJwtBuilder.java (.../DefaultJwtBuilder.java) (revision ca3e06f3b65d2880d69fd5278773c5c71e1ca3e7)
@@ -16,378 +16,808 @@
package io.jsonwebtoken.impl;
import io.jsonwebtoken.Claims;
-import io.jsonwebtoken.CompressionCodec;
import io.jsonwebtoken.Header;
+import io.jsonwebtoken.JweHeader;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtBuilder;
-import io.jsonwebtoken.JwtParser;
-import io.jsonwebtoken.SignatureAlgorithm;
-import io.jsonwebtoken.impl.crypto.DefaultJwtSigner;
-import io.jsonwebtoken.impl.crypto.JwtSigner;
-import io.jsonwebtoken.impl.lang.LegacyServices;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.impl.io.Base64UrlStreamEncoder;
+import io.jsonwebtoken.impl.io.ByteBase64UrlStreamEncoder;
+import io.jsonwebtoken.impl.io.CountingInputStream;
+import io.jsonwebtoken.impl.io.EncodingOutputStream;
+import io.jsonwebtoken.impl.io.NamedSerializer;
+import io.jsonwebtoken.impl.io.Streams;
+import io.jsonwebtoken.impl.io.UncloseableInputStream;
+import io.jsonwebtoken.impl.lang.Bytes;
+import io.jsonwebtoken.impl.lang.Function;
+import io.jsonwebtoken.impl.lang.Functions;
+import io.jsonwebtoken.impl.lang.Parameter;
+import io.jsonwebtoken.impl.lang.Services;
+import io.jsonwebtoken.impl.security.DefaultAeadRequest;
+import io.jsonwebtoken.impl.security.DefaultAeadResult;
+import io.jsonwebtoken.impl.security.DefaultKeyRequest;
+import io.jsonwebtoken.impl.security.DefaultSecureRequest;
+import io.jsonwebtoken.impl.security.Pbes2HsAkwAlgorithm;
+import io.jsonwebtoken.impl.security.ProviderKey;
+import io.jsonwebtoken.impl.security.StandardSecureDigestAlgorithms;
+import io.jsonwebtoken.io.CompressionAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.Encoder;
-import io.jsonwebtoken.io.Encoders;
-import io.jsonwebtoken.io.SerializationException;
import io.jsonwebtoken.io.Serializer;
import io.jsonwebtoken.lang.Assert;
import io.jsonwebtoken.lang.Collections;
+import io.jsonwebtoken.lang.Objects;
import io.jsonwebtoken.lang.Strings;
+import io.jsonwebtoken.security.AeadAlgorithm;
+import io.jsonwebtoken.security.AeadRequest;
+import io.jsonwebtoken.security.AeadResult;
import io.jsonwebtoken.security.InvalidKeyException;
+import io.jsonwebtoken.security.KeyAlgorithm;
+import io.jsonwebtoken.security.KeyRequest;
+import io.jsonwebtoken.security.KeyResult;
+import io.jsonwebtoken.security.Password;
+import io.jsonwebtoken.security.SecureDigestAlgorithm;
+import io.jsonwebtoken.security.SecureRequest;
+import io.jsonwebtoken.security.SecurityException;
+import io.jsonwebtoken.security.SignatureException;
+import io.jsonwebtoken.security.UnsupportedKeyException;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.SequenceInputStream;
import java.security.Key;
+import java.security.PrivateKey;
+import java.security.Provider;
+import java.security.PublicKey;
+import java.security.SecureRandom;
import java.util.Date;
+import java.util.LinkedHashSet;
import java.util.Map;
+import java.util.Set;
public class DefaultJwtBuilder implements JwtBuilder {
- private Header header;
- private Claims claims;
- private String payload;
+ private static final String PUB_KEY_SIGN_MSG = "PublicKeys may not be used to create digital signatures. " +
+ "PrivateKeys are used to sign, and PublicKeys are used to verify.";
- private SignatureAlgorithm algorithm;
+ private static final String PRIV_KEY_ENC_MSG = "PrivateKeys may not be used to encrypt data. PublicKeys are " +
+ "used to encrypt, and PrivateKeys are used to decrypt.";
+
+ protected Provider provider;
+ protected SecureRandom secureRandom;
+
+ private final DefaultBuilderHeader headerBuilder;
+ private final DefaultBuilderClaims claimsBuilder;
+
+ private Payload payload = Payload.EMPTY;
+
+ private SecureDigestAlgorithm sigAlg = Jwts.SIG.NONE;
+ private Function, byte[]> signFunction;
+
+ private AeadAlgorithm enc; // MUST be Symmetric AEAD per https://tools.ietf.org/html/rfc7516#section-4.1.2
+
+ private KeyAlgorithm