toJwt method signature changed, tests for ECDH

jalauros · jalauros · commit 35b23018e92e · 2018-11-08T21:14:52.000+02:00
diff --git a/src/main/java/org/oidc/msg/AbstractMessage.java b/src/main/java/org/oidc/msg/AbstractMessage.java
@@ -396,8 +396,7 @@ private String parseFromToken(String token, KeyJar keyJar, String keyOwner, Stri
       try {
         decyptionAlg = AlgorithmResolver.resolveKeyTransportAlgorithmForDecryption(key,
             decodedJwt);
-      } catch (ValueError | UnsupportedEncodingException | SerializationNotPossible
-          | DeserializationNotPossible e) {
+      } catch (ValueError | UnsupportedEncodingException | SerializationNotPossible e) {
         if (iter.hasNext()) {
           // We move on to try next key
           continue;
@@ -424,19 +423,6 @@ private String parseFromToken(String token, KeyJar keyJar, String keyOwner, Stri
   }
 
 
-  /**
-   * Serialize the content of this instance (the claims map) into a jwt string.
-   * 
-   * @param signingKey
-   *          signing key
-   * @param alg
-   *          signing algorithm name
-   * @return message as jwt string.
-   * @throws SerializationException 
-   */
-  public String toJwt(Key signingKey, String alg) throws SerializationException {
-    return toJwt(signingKey, alg, null, null, null);
-  }
   /**
    * Serialize the content of this instance (the claims map) into a jwt string.
    * 
@@ -450,10 +436,16 @@ public String toJwt(Key signingKey, String alg) throws SerializationException {
    *          key transport algorithm name. Must not be null if transportKey is set.
    * @param encEnc
    *          content encryption algorithm name. Must not be null if transportKey is set.
+   * @param keyjar
+   *          key jar containing receiver ephemeral public key when using ECDH family of key transport
+   * @param sender
+   *          sender i.e. client id
+   * @param receiver
+   *          receiver i.e. issuer id of the o.                            
    * @return message as jwt string.
    */
   
-  public String toJwt(Key signingKey, String alg, Key transportKey, String encAlg, String encEnc)
+  public String toJwt(Key signingKey, String alg, Key transportKey, String encAlg, String encEnc, KeyJar keyjar, String sender, String receiver)
       throws SerializationException {
     header = new HashMap<String, Object>();
     header.put("alg", alg);
@@ -500,7 +492,7 @@ public String toJwt(Key signingKey, String alg, Key transportKey, String encAlg,
     }
     try {
       return JWTEncryptor.init().withPayload(signedJwt.getBytes("UTF-8")).encrypt(
-          AlgorithmResolver.resolveKeyTransportAlgorithmForEncryption(transportKey, encAlg),
+          AlgorithmResolver.resolveKeyTransportAlgorithmForEncryption(transportKey, encAlg, encEnc, keyjar, sender, receiver),
           Algorithm.getContentEncryptionAlg(encEnc, CipherParams.getInstance(encEnc)));
     } catch (UnsupportedEncodingException | ValueError | SerializationNotPossible e) {
       throw new SerializationException(
diff --git a/src/main/java/org/oidc/msg/Message.java b/src/main/java/org/oidc/msg/Message.java
@@ -48,14 +48,28 @@ public interface Message {
   /**
    * Serialize the content of this instance (the claims map) into a jwt string.
    * 
-   * @param key
+   * @param signingKey
    *          signing key
    * @param alg
-   *          signing algorithm
+   *          signing algorithm name
+   * @param transportKey
+   *          key transport key, if null encryption is not done.
+   * @param encAlg
+   *          key transport algorithm name. Must not be null if transportKey is set.
+   * @param encEnc
+   *          content encryption algorithm name. Must not be null if transportKey is set.
+   * @param keyjar
+   *          key jar containing receiver ephemeral public key when using ECDH 
+   *          family of key transport
+   * @param sender
+   *          sender i.e. client id
+   * @param receiver
+   *          receiver i.e. issuer id of the o.                            
    * @return message as jwt string.
-   * @throws SerializationException Thrown if message cannot be serialized.
    */
-  String toJwt(Key key, String alg) throws SerializationException;
+  
+  public String toJwt(Key signingKey, String alg, Key transportKey, String encAlg, String encEnc,
+      KeyJar keyjar, String sender, String receiver) throws SerializationException;
 
   /**
    * Constructs a message from the JSON string.
diff --git a/src/test/java/org/oidc/msg/AbstractMessageTest.java b/src/test/java/org/oidc/msg/AbstractMessageTest.java
@@ -20,27 +20,30 @@
 import com.auth0.jwt.JWTVerifier;
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.exceptions.JWTDecodeException;
+import com.auth0.jwt.exceptions.oicmsg_exceptions.HeaderError;
 import com.auth0.jwt.exceptions.oicmsg_exceptions.ImportException;
 import com.auth0.jwt.exceptions.oicmsg_exceptions.JWKException;
+import com.auth0.jwt.exceptions.oicmsg_exceptions.SerializationNotPossible;
 import com.auth0.jwt.exceptions.oicmsg_exceptions.UnknownKeyType;
 import com.auth0.jwt.exceptions.oicmsg_exceptions.ValueError;
 import com.auth0.jwt.interfaces.DecodedJWT;
+import com.auth0.msg.ECKey;
 import com.auth0.msg.Key;
+import com.auth0.msg.KeyBundle;
 import com.auth0.msg.KeyJar;
-//import com.auth0.msg.KeyType;
 import com.auth0.msg.SYMKey;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import java.io.IOException;
 import java.lang.reflect.Array;
 import java.net.MalformedURLException;
+import java.security.KeyPair;
 import java.security.interfaces.RSAPublicKey;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-
 import org.hamcrest.CoreMatchers;
 import org.junit.Assert;
 import org.junit.Before;
@@ -128,7 +131,7 @@ public void testSuccessToAndFromJWTNoneAlgBasicTypes() throws IOException, Inval
     claims.put("foo4", 5L);
     MockMessage mockMessage = new MockMessage(claims, parVerDef);
     mockMessage.verify();
-    String jwt = mockMessage.toJwt(null, "none");
+    String jwt = mockMessage.toJwt(null, "none", null, null, null, null, null, null);
     // Test jwt can be verified by auth0
     Algorithm algorithm = Algorithm.none();
     JWTVerifier verifier = JWT.require(algorithm).build();
@@ -153,25 +156,60 @@ public void testSuccessToAndFromJWTNoneAlgBasicTypes() throws IOException, Inval
   
   private void testSuccessJWTEncryptDecrypt(String alg, String encAlg, String encEnc)
       throws IOException, InvalidClaimException, SerializationException, DeserializationException,
-      IllegalArgumentException, ImportException, UnknownKeyType, ValueError, JWKException {
+      IllegalArgumentException, ImportException, UnknownKeyType, ValueError, JWKException, HeaderError, SerializationNotPossible {
     //Initial test for jwt encryption. Not at all complete case.
     HashMap<String, Object> claims = new HashMap<String, Object>();
     claims.put("foo", "bar");
     MockMessage mockMessage = new MockMessage(claims);
     List<Key> keysDec = getKeyJar().getDecryptKey(null, keyOwner, null, null);
     List<Key> keysEnc = getKeyJarPub().getEncryptKey(null, keyOwner, null, null);
-    int index=0;
-    if (encAlg.equals("A128KW")){
-      index=1;
-    }
-    if (encAlg.equals("A192KW")){
-      index=2;
-    }
-    if (encAlg.equals("A256KW")){
-      index=3;
+    String signedAndEncryptedJwt = null;
+    if (encAlg.equals("A128KW")) {
+      signedAndEncryptedJwt = mockMessage.toJwt(keysDec.get(0), alg, keysEnc.get(1), encAlg,
+          encEnc, null, null, null);
+    } else if (encAlg.equals("A192KW")) {
+      signedAndEncryptedJwt = mockMessage.toJwt(keysDec.get(0), alg, keysEnc.get(2), encAlg,
+          encEnc, null, null, null);
+    } else if (encAlg.equals("A256KW")) {
+      signedAndEncryptedJwt = mockMessage.toJwt(keysDec.get(0), alg, keysEnc.get(3), encAlg,
+          encEnc, null, null, null);
+    } else if (encAlg.startsWith("ECDH")) {
+      
+      //For ECDH we need to do bit more complicated test
+      KeyPair senderKeyPair = ECKey.generateECKeyPair("P-256");
+      ECKey senderKey = ECKey.keyBuilder(senderKeyPair.getPrivate()).build();
+      KeyPair receiverKeyPair = ECKey.generateECKeyPair("P-256");
+      ECKey receiverPubKey = ECKey.keyBuilder(receiverKeyPair.getPublic()).build();
+      ECKey receiverPrvKey = ECKey.keyBuilder(receiverKeyPair.getPrivate()).build();
+      senderKey.setUse("enc");
+      //Key jar of sender
+      KeyJar keyjarSender=new KeyJar();
+      KeyBundle keyBundlePub = new KeyBundle();
+      keyBundlePub.append(receiverPubKey);
+      //Receiver public key is expected to be in the key jar of sender
+      keyjarSender.addKeyBundle("receiver", keyBundlePub);
+      signedAndEncryptedJwt = mockMessage.toJwt(keysDec.get(0), alg, senderKey, encAlg,
+          encEnc, keyjarSender, "sender","receiver");
+      //Key jar of receiver is expected to have private key of the receiver
+      KeyBundle keyBundlePrv = new KeyBundle();
+      keyBundlePrv.append(receiverPrvKey);
+      KeyJar keyjarReceiver=new KeyJar();
+      keyjarReceiver.addKeyBundle("sender", keyBundlePrv);
+      receiverPubKey.setUse("enc");
+      
+      for (KeyBundle bundle:getKeyJar().getBundles().get(keyOwner)) {
+        keyjarReceiver.addKeyBundle("sender", bundle);
+      }
+      MockMessage mockMessage2 = new MockMessage();
+      mockMessage2.fromJwt(signedAndEncryptedJwt, keyjarReceiver, "sender");
+      Assert.assertEquals("bar",  mockMessage2.getClaims().get("foo"));
+      return;
+      
+    } else {
+      //Default
+      signedAndEncryptedJwt = mockMessage.toJwt(keysDec.get(0), alg, keysEnc.get(0), encAlg,
+          encEnc, null, null, null);
     }
-    String signedAndEncryptedJwt=mockMessage.toJwt(keysDec.get(0), alg, keysEnc.get(index), encAlg,
-        encEnc);
     MockMessage mockMessage2 = new MockMessage();
     mockMessage2.fromJwt(signedAndEncryptedJwt, getKeyJar(), keyOwner);
     Assert.assertEquals("bar",  mockMessage2.getClaims().get("foo"));
@@ -181,7 +219,7 @@ private void testSuccessJWTEncryptDecrypt(String alg, String encAlg, String encE
   @Test
   public void testSuccessJWTEncryptDecrypt1()
       throws IOException, InvalidClaimException, SerializationException, DeserializationException,
-      IllegalArgumentException, ImportException, UnknownKeyType, ValueError, JWKException {
+      IllegalArgumentException, ImportException, UnknownKeyType, ValueError, JWKException, HeaderError, SerializationNotPossible {
     
     testSuccessJWTEncryptDecrypt("RS256","RSA1_5","A128CBC-HS256");
     testSuccessJWTEncryptDecrypt("RS384","RSA-OAEP","A192CBC-HS384");
@@ -190,8 +228,14 @@ public void testSuccessJWTEncryptDecrypt1()
     testSuccessJWTEncryptDecrypt("RS384","RSA-OAEP","A192GCM");
     testSuccessJWTEncryptDecrypt("RS512","RSA-OAEP-256","A256GCM");
     testSuccessJWTEncryptDecrypt("RS256","A128KW","A128CBC-HS256");
-    testSuccessJWTEncryptDecrypt("RS256","A192KW","A128CBC-HS256");
-    testSuccessJWTEncryptDecrypt("RS256","A256KW","A128CBC-HS256");
+    testSuccessJWTEncryptDecrypt("RS384","A192KW","A128CBC-HS256");
+    testSuccessJWTEncryptDecrypt("RS512","A256KW","A128CBC-HS256");
+    //TODO: not passing
+    //testSuccessJWTEncryptDecrypt("RS256","ECDH-ES","A128CBC-HS256");
+    testSuccessJWTEncryptDecrypt("RS256","ECDH-ES+A128KW","A128GCM");
+    testSuccessJWTEncryptDecrypt("RS384","ECDH-ES+A192KW","A192GCM");
+    testSuccessJWTEncryptDecrypt("RS512","ECDH-ES+A256KW","A256GCM");
+    
   }
   
   @Test
@@ -205,15 +249,15 @@ public void testSuccessToJWTSignRS()
     MockMessage mockMessage = new MockMessage(claims);
     DecodedJWT jwt = JWT
         .require(Algorithm.RSA256((RSAPublicKey) keysVerify.get(0).getKey(false), null)).build()
-        .verify(mockMessage.toJwt(keysSign.get(0), "RS256"));
+        .verify(mockMessage.toJwt(keysSign.get(0), "RS256", null, null, null, null, null, null));
     Assert.assertEquals("bar", jwt.getClaim("foo").asString());
     Assert.assertEquals("RS256", jwt.getHeaderClaim("alg").asString());
     jwt = JWT.require(Algorithm.RSA384((RSAPublicKey) keysVerify.get(0).getKey(false), null))
-        .build().verify(mockMessage.toJwt(keysSign.get(0), "RS384"));
+        .build().verify(mockMessage.toJwt(keysSign.get(0), "RS384", null, null, null, null, null, null));
     Assert.assertEquals("bar", jwt.getClaim("foo").asString());
     Assert.assertEquals("RS384", jwt.getHeaderClaim("alg").asString());
     jwt = JWT.require(Algorithm.RSA512((RSAPublicKey) keysVerify.get(0).getKey(false), null))
-        .build().verify(mockMessage.toJwt(keysSign.get(0), "RS512"));
+        .build().verify(mockMessage.toJwt(keysSign.get(0), "RS512", null, null, null, null, null, null));
     Assert.assertEquals("bar", jwt.getClaim("foo").asString());
     Assert.assertEquals("RS512", jwt.getHeaderClaim("alg").asString());
   }
@@ -229,15 +273,15 @@ public void testSuccessToJWTSignHS()
     MockMessage mockMessage = new MockMessage(claims);
     DecodedJWT jwt = JWT
         .require(Algorithm.HMAC256(secret)).build()
-        .verify(mockMessage.toJwt(key, "HS256"));
+        .verify(mockMessage.toJwt(key, "HS256", null, null, null, null, null, null));
     Assert.assertEquals("bar", jwt.getClaim("foo").asString());
     Assert.assertEquals("HS256", jwt.getHeaderClaim("alg").asString());
     jwt = JWT.require(Algorithm.HMAC384(secret))
-        .build().verify(mockMessage.toJwt(key, "HS384"));
+        .build().verify(mockMessage.toJwt(key, "HS384", null, null, null, null, null, null));
     Assert.assertEquals("bar", jwt.getClaim("foo").asString());
     Assert.assertEquals("HS384", jwt.getHeaderClaim("alg").asString());
     jwt = JWT.require(Algorithm.HMAC512(secret))
-        .build().verify(mockMessage.toJwt(key, "HS512"));
+        .build().verify(mockMessage.toJwt(key, "HS512", null, null, null, null, null, null));
     Assert.assertEquals("bar", jwt.getClaim("foo").asString());
     Assert.assertEquals("HS512", jwt.getHeaderClaim("alg").asString());
   }
diff --git a/src/test/java/org/oidc/msg/BaseMessageTest.java b/src/test/java/org/oidc/msg/BaseMessageTest.java
@@ -257,7 +257,7 @@ protected String generateIdTokenNow(Map<String, Object> claims, Key key, String
     claims.put("iat", new Date());
     IDToken token = new IDToken(claims);
     token.verify();
-    return token.toJwt(key, algo);
+    return token.toJwt(key, algo, null, null, null, null, null, null);
   }
 
   /**
diff --git a/src/test/java/org/oidc/msg/oidc/AuthenticationRequestTest.java b/src/test/java/org/oidc/msg/oidc/AuthenticationRequestTest.java
@@ -143,7 +143,7 @@ public void testSuccessIdTokenHint() throws InvalidClaimException, IllegalArgume
       ImportException, UnknownKeyType, ValueError, IOException, JWKException, SerializationException, DeserializationException {
     IDToken idTokenHint = getIDTokenHint();
     List<Key> keysSign = getKeyJar().getSigningKey("RSA", keyOwner, null, null);
-    claims.put("id_token_hint", idTokenHint.toJwt(keysSign.get(0), "RS256"));
+    claims.put("id_token_hint", idTokenHint.toJwt(keysSign.get(0), "RS256", null, null, null, null, null, null));
     AuthenticationRequest req = new AuthenticationRequest(claims);
     Assert.assertTrue(req.verify());
     IDToken idTokenHintFromJwt = new IDToken();
@@ -194,7 +194,7 @@ public void testUrlEncodingSuccess()
     claims.put("ui_locales", locales);
     IDToken idTokenHint = getIDTokenHint();
     List<Key> keysSign = getKeyJar().getSigningKey("RSA", keyOwner, null, null);
-    claims.put("id_token_hint", idTokenHint.toJwt(keysSign.get(0), "RS256"));
+    claims.put("id_token_hint", idTokenHint.toJwt(keysSign.get(0), "RS256", null, null, null, null, null, null));
     claims.put("login_hint", "user_is_bob");
     String[] acrs = new String[2];
     acrs[0] = "1";
@@ -204,7 +204,7 @@ public void testUrlEncodingSuccess()
     claims.put("claims", claimsRequest.toJson());
     RequestObject requestObject = new RequestObject(claims);
     Assert.assertTrue(requestObject.verify());
-    claims.put("request", requestObject.toJwt(keysSign.get(0), "RS256"));
+    claims.put("request", requestObject.toJwt(keysSign.get(0), "RS256", null, null, null, null, null, null));
     message = new AuthenticationRequest(claims);
     message.verify();
     AuthenticationRequest messageParsed = new AuthenticationRequest();

Original file line number	Diff line number	Diff line change
`@@ -257,7 +257,7 @@ protected String generateIdTokenNow(Map<String, Object> claims, Key key, String`
`257`	`257`	`claims.put("iat", new Date());`
`258`	`258`	`IDToken token = new IDToken(claims);`
`259`	`259`	`token.verify();`
`260`		`- return token.toJwt(key, algo);`
	`260`	`+ return token.toJwt(key, algo, null, null, null, null, null, null);`
`261`	`261`	`}`
`262`	`262`
`263`	`263`	`/**`