|
4 | 4 | import com.auth0.jwt.exceptions.SignatureVerificationException; |
5 | 5 | import org.bouncycastle.jce.provider.BouncyCastleProvider; |
6 | 6 | import org.junit.AfterClass; |
| 7 | +import org.junit.Assume; |
7 | 8 | import org.junit.BeforeClass; |
8 | 9 | import org.junit.Rule; |
9 | 10 | import org.junit.Test; |
@@ -128,4 +129,53 @@ public void shouldFailPS256VerificationWithInvalidPublicKey() throws Exception { |
128 | 129 | Algorithm verifier = Algorithm.RSA256PSS((RSAKey) readPublicKeyFromFile(INVALID_PUBLIC_KEY_FILE, "RSA")); |
129 | 130 | verifier.verify(JWT.decode(jwt)); |
130 | 131 | } |
| 132 | + |
| 133 | + @Test |
| 134 | + public void shouldRejectPS256TokenWhenVerifiedWithPS384() throws Exception { |
| 135 | + exception.expect(SignatureVerificationException.class); |
| 136 | + exception.expectMessage("The Token's Signature resulted invalid when verified using the Algorithm: RSASSA-PSS"); |
| 137 | + |
| 138 | + Algorithm signer = Algorithm.RSA256PSS((RSAKey) readPrivateKeyFromFile(PRIVATE_KEY_FILE, "RSA")); |
| 139 | + String jwt = asJWT(signer, PS256Header, auth0IssPayload); |
| 140 | + |
| 141 | + Algorithm verifier = Algorithm.RSA384PSS((RSAKey) readPublicKeyFromFile(PUBLIC_KEY_FILE, "RSA")); |
| 142 | + verifier.verify(JWT.decode(jwt)); |
| 143 | + } |
| 144 | + |
| 145 | + @Test |
| 146 | + public void shouldRejectPS256TokenWhenVerifiedWithPS512() throws Exception { |
| 147 | + exception.expect(SignatureVerificationException.class); |
| 148 | + exception.expectMessage("The Token's Signature resulted invalid when verified using the Algorithm: RSASSA-PSS"); |
| 149 | + |
| 150 | + Algorithm signer = Algorithm.RSA256PSS((RSAKey) readPrivateKeyFromFile(PRIVATE_KEY_FILE, "RSA")); |
| 151 | + String jwt = asJWT(signer, PS256Header, auth0IssPayload); |
| 152 | + |
| 153 | + Algorithm verifier = Algorithm.RSA512PSS((RSAKey) readPublicKeyFromFile(PUBLIC_KEY_FILE, "RSA")); |
| 154 | + verifier.verify(JWT.decode(jwt)); |
| 155 | + } |
| 156 | + |
| 157 | + /** |
| 158 | + * Exercises the JDK-native RSASSA-PSS implementation (SunRsaSign, Java 11+) rather than the |
| 159 | + * BouncyCastle provider the rest of this class relies on. Skipped on Java 8, whose built-in |
| 160 | + * providers do not implement RSASSA-PSS. |
| 161 | + */ |
| 162 | + @Test |
| 163 | + public void shouldSignAndVerifyPS256WithJdkNativeProvider() throws Exception { |
| 164 | + Assume.assumeFalse("Requires JDK-native RSASSA-PSS (Java 11+)", |
| 165 | + System.getProperty("java.specification.version").equals("1.8")); |
| 166 | + |
| 167 | + Security.removeProvider(bcProvider.getName()); |
| 168 | + try { |
| 169 | + Algorithm algorithm = Algorithm.RSA256PSS( |
| 170 | + (RSAPublicKey) readPublicKeyFromFile(PUBLIC_KEY_FILE, "RSA"), |
| 171 | + (RSAPrivateKey) readPrivateKeyFromFile(PRIVATE_KEY_FILE, "RSA")); |
| 172 | + |
| 173 | + String jwt = asJWT(algorithm, PS256Header, auth0IssPayload); |
| 174 | + |
| 175 | + assertSignaturePresent(jwt); |
| 176 | + algorithm.verify(JWT.decode(jwt)); |
| 177 | + } finally { |
| 178 | + Security.insertProviderAt(bcProvider, 1); |
| 179 | + } |
| 180 | + } |
131 | 181 | } |
0 commit comments