ewjay
diff --git a/‎lib/src/main/java/com/auth0/jwt/JWTCreator.java‎
Lines changed: 6 additions & 2 deletions b/‎lib/src/main/java/com/auth0/jwt/JWTCreator.java‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwt/algorithms/Algorithm.java‎
Lines changed: 13 additions & 4 deletions b/‎lib/src/main/java/com/auth0/jwt/algorithms/Algorithm.java‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwt/algorithms/ECDSAAlgorithm.java‎
Lines changed: 26 additions & 17 deletions b/‎lib/src/main/java/com/auth0/jwt/algorithms/ECDSAAlgorithm.java‎
Lines changed: 26 additions & 17 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwt/algorithms/HMACAlgorithm.java‎
Lines changed: 9 additions & 5 deletions b/‎lib/src/main/java/com/auth0/jwt/algorithms/HMACAlgorithm.java‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwt/algorithms/NoneAlgorithm.java‎
Lines changed: 4 additions & 1 deletion b/‎lib/src/main/java/com/auth0/jwt/algorithms/NoneAlgorithm.java‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎lib/src/main/java/com/auth0/jwt/algorithms/RSAAlgorithm.java‎
Lines changed: 27 additions & 17 deletions b/‎lib/src/main/java/com/auth0/jwt/algorithms/RSAAlgorithm.java‎
Lines changed: 27 additions & 17 deletions
diff --git a/‎lib/src/main/java/com/auth0/jwt/interfaces/KeyProvider.java‎
Lines changed: 9 additions & 1 deletion b/‎lib/src/main/java/com/auth0/jwt/interfaces/KeyProvider.java‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎lib/src/main/java/com/auth0/jwt/interfaces/Signature.java‎
Lines changed: 0 additions & 14 deletions b/‎lib/src/main/java/com/auth0/jwt/interfaces/Signature.java‎
Lines changed: 0 additions & 14 deletions
@@ -303,6 +303,10 @@ public String sign(Algorithm algorithm) throws IllegalArgumentException, JWTCrea
             }
             headerClaims.put(PublicClaims.ALGORITHM, algorithm.getName());
             headerClaims.put(PublicClaims.TYPE, "JWT");
+            String signingKeyId = algorithm.getSigningKeyId();
+            if (!headerClaims.containsKey(PublicClaims.KEY_ID) && signingKeyId != null) {
+                withKeyId(signingKeyId);
+            }
             return new JWTCreator(algorithm, headerClaims, payloadClaims).sign();
         }
 
@@ -322,8 +326,8 @@ private void addClaim(String name, Object value) {
     }
 
     private String sign() throws SignatureGenerationException {
-        String header = Base64.encodeBase64URLSafeString((headerJson.getBytes(StandardCharsets.UTF_8)));
-        String payload = Base64.encodeBase64URLSafeString((payloadJson.getBytes(StandardCharsets.UTF_8)));
+        String header = Base64.encodeBase64URLSafeString(headerJson.getBytes(StandardCharsets.UTF_8));
+        String payload = Base64.encodeBase64URLSafeString(payloadJson.getBytes(StandardCharsets.UTF_8));
         String content = String.format("%s.%s", header, payload);
 
         byte[] signatureBytes = algorithm.sign(content.getBytes(StandardCharsets.UTF_8));
 
@@ -2,6 +2,7 @@
 
 import com.auth0.jwt.exceptions.SignatureGenerationException;
 import com.auth0.jwt.exceptions.SignatureVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
 import com.auth0.jwt.interfaces.ECKeyProvider;
 import com.auth0.jwt.interfaces.RSAKeyProvider;
 
@@ -324,6 +325,15 @@ protected Algorithm(String name, String description) {
         this.description = description;
     }
 
+    /**
+     * Getter for the Id of the Private Key used to sign the tokens. This is usually specified as the `kid` claim in the Header.
+     *
+     * @return the Key Id that identifies the Signing Key or null if it's not specified.
+     */
+    public String getSigningKeyId() {
+        return null;
+    }
+
     /**
      * Getter for the name of this Algorithm, as defined in the JWT Standard. i.e. "HS256"
      *
@@ -348,13 +358,12 @@ public String toString() {
     }
 
     /**
-     * Verify the given content using this Algorithm instance.
+     * Verify the given token using this Algorithm instance.
      *
-     * @param contentBytes   an array of bytes representing the base64 encoded content to be verified against the signature.
-     * @param signatureBytes an array of bytes representing the base64 encoded signature to compare the content against.
+     * @param jwt the already decoded JWT that it's going to be verified.
      * @throws SignatureVerificationException if the Token's Signature is invalid, meaning that it doesn't match the signatureBytes, or if the Key is invalid.
      */
-    public abstract void verify(byte[] contentBytes, byte[] signatureBytes) throws SignatureVerificationException;
+    public abstract void verify(DecodedJWT jwt) throws SignatureVerificationException;
 
     /**
      * Sign the given content using this Algorithm instance.
 
@@ -2,8 +2,11 @@
 
 import com.auth0.jwt.exceptions.SignatureGenerationException;
 import com.auth0.jwt.exceptions.SignatureVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
 import com.auth0.jwt.interfaces.ECKeyProvider;
+import org.apache.commons.codec.binary.Base64;
 
+import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SignatureException;
@@ -22,9 +25,6 @@ class ECDSAAlgorithm extends Algorithm {
         if (keyProvider == null) {
             throw new IllegalArgumentException("The Key Provider cannot be null.");
         }
-        if (keyProvider.getPublicKey() == null && keyProvider.getPrivateKey() == null) {
-            throw new IllegalArgumentException("Both provided Keys cannot be null.");
-        }
         this.keyProvider = keyProvider;
         this.crypto = crypto;
         this.ecNumberSize = ecNumberSize;
@@ -34,24 +34,20 @@ class ECDSAAlgorithm extends Algorithm {
         this(new CryptoHelper(), id, algorithm, ecNumberSize, keyProvider);
     }
 
-    ECPublicKey getPublicKey() {
-        return keyProvider.getPublicKey();
-    }
-
-    ECPrivateKey getPrivateKey() {
-        return keyProvider.getPrivateKey();
-    }
-
     @Override
-    public void verify(byte[] contentBytes, byte[] signatureBytes) throws SignatureVerificationException {
+    public void verify(DecodedJWT jwt) throws SignatureVerificationException {
+        byte[] contentBytes = String.format("%s.%s", jwt.getHeader(), jwt.getPayload()).getBytes(StandardCharsets.UTF_8);
+        byte[] signatureBytes = Base64.decodeBase64(jwt.getSignature());
+
         try {
-            if (keyProvider.getPublicKey() == null) {
+            ECPublicKey publicKey = keyProvider.getPublicKey(jwt.getKeyId());
+            if (publicKey == null) {
                 throw new IllegalStateException("The given Public Key is null.");
             }
             if (!isDERSignature(signatureBytes)) {
                 signatureBytes = JOSEToDER(signatureBytes);
             }
-            boolean valid = crypto.verifySignatureFor(getDescription(), keyProvider.getPublicKey(), contentBytes, signatureBytes);
+            boolean valid = crypto.verifySignatureFor(getDescription(), publicKey, contentBytes, signatureBytes);
 
             if (!valid) {
                 throw new SignatureVerificationException(this);
@@ -64,15 +60,20 @@ public void verify(byte[] contentBytes, byte[] signatureBytes) throws SignatureV
     @Override
     public byte[] sign(byte[] contentBytes) throws SignatureGenerationException {
         try {
-            if (keyProvider.getPrivateKey() == null) {
+            ECPrivateKey privateKey = keyProvider.getPrivateKey();
+            if (privateKey == null) {
                 throw new IllegalStateException("The given Private Key is null.");
             }
-            return crypto.createSignatureFor(getDescription(), keyProvider.getPrivateKey(), contentBytes);
+            return crypto.createSignatureFor(getDescription(), privateKey, contentBytes);
         } catch (NoSuchAlgorithmException | SignatureException | InvalidKeyException | IllegalStateException e) {
             throw new SignatureGenerationException(this, e);
         }
     }
 
+    @Override
+    public String getSigningKeyId() {
+        return keyProvider.getSigningKeyId();
+    }
 
     private boolean isDERSignature(byte[] signature) {
         // DER Structure: http://crypto.stackexchange.com/a/1797
@@ -138,16 +139,24 @@ private int countPadding(byte[] bytes, int fromIndex, int toIndex) {
 
     //Visible for testing
     static ECKeyProvider providerForKeys(final ECPublicKey publicKey, final ECPrivateKey privateKey) {
+        if (publicKey == null && privateKey == null) {
+            throw new IllegalArgumentException("Both provided Keys cannot be null.");
+        }
         return new ECKeyProvider() {
             @Override
-            public ECPublicKey getPublicKey() {
+            public ECPublicKey getPublicKey(String keyId) {
                 return publicKey;
             }
 
             @Override
             public ECPrivateKey getPrivateKey() {
                 return privateKey;
             }
+
+            @Override
+            public String getSigningKeyId() {
+                return null;
+            }
         };
     }
 }
@@ -2,9 +2,12 @@
 
 import com.auth0.jwt.exceptions.SignatureGenerationException;
 import com.auth0.jwt.exceptions.SignatureVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
 import org.apache.commons.codec.CharEncoding;
+import org.apache.commons.codec.binary.Base64;
 
 import java.io.UnsupportedEncodingException;
+import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 
@@ -13,6 +16,7 @@ class HMACAlgorithm extends Algorithm {
     private final CryptoHelper crypto;
     private final byte[] secret;
 
+    //Visible for testing
     HMACAlgorithm(CryptoHelper crypto, String id, String algorithm, byte[] secretBytes) throws IllegalArgumentException {
         super(id, algorithm);
         if (secretBytes == null) {
@@ -30,19 +34,19 @@ class HMACAlgorithm extends Algorithm {
         this(new CryptoHelper(), id, algorithm, getSecretBytes(secret));
     }
 
+    //Visible for testing
     static byte[] getSecretBytes(String secret) throws IllegalArgumentException, UnsupportedEncodingException {
         if (secret == null) {
             throw new IllegalArgumentException("The Secret cannot be null");
         }
         return secret.getBytes(CharEncoding.UTF_8);
     }
 
-    byte[] getSecret() {
-        return secret;
-    }
-
     @Override
-    public void verify(byte[] contentBytes, byte[] signatureBytes) throws SignatureVerificationException {
+    public void verify(DecodedJWT jwt) throws SignatureVerificationException {
+        byte[] contentBytes = String.format("%s.%s", jwt.getHeader(), jwt.getPayload()).getBytes(StandardCharsets.UTF_8);
+        byte[] signatureBytes = Base64.decodeBase64(jwt.getSignature());
+
         try {
             boolean valid = crypto.verifySignatureFor(getDescription(), secret, contentBytes, signatureBytes);
             if (!valid) {
 
@@ -2,6 +2,8 @@
 
 import com.auth0.jwt.exceptions.SignatureGenerationException;
 import com.auth0.jwt.exceptions.SignatureVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import org.apache.commons.codec.binary.Base64;
 
 class NoneAlgorithm extends Algorithm {
 
@@ -10,7 +12,8 @@ class NoneAlgorithm extends Algorithm {
     }
 
     @Override
-    public void verify(byte[] contentBytes, byte[] signatureBytes) throws SignatureVerificationException {
+    public void verify(DecodedJWT jwt) throws SignatureVerificationException {
+        byte[] signatureBytes = Base64.decodeBase64(jwt.getSignature());
         if (signatureBytes.length > 0) {
             throw new SignatureVerificationException(this);
         }
 
@@ -2,8 +2,11 @@
 
 import com.auth0.jwt.exceptions.SignatureGenerationException;
 import com.auth0.jwt.exceptions.SignatureVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
 import com.auth0.jwt.interfaces.RSAKeyProvider;
+import org.apache.commons.codec.binary.Base64;
 
+import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SignatureException;
@@ -21,9 +24,6 @@ class RSAAlgorithm extends Algorithm {
         if (keyProvider == null) {
             throw new IllegalArgumentException("The Key Provider cannot be null.");
         }
-        if (keyProvider.getPublicKey() == null && keyProvider.getPrivateKey() == null) {
-            throw new IllegalArgumentException("Both provided Keys cannot be null.");
-        }
         this.keyProvider = keyProvider;
         this.crypto = crypto;
     }
@@ -32,21 +32,17 @@ class RSAAlgorithm extends Algorithm {
         this(new CryptoHelper(), id, algorithm, keyProvider);
     }
 
-    RSAPublicKey getPublicKey() {
-        return keyProvider.getPublicKey();
-    }
-
-    RSAPrivateKey getPrivateKey() {
-        return keyProvider.getPrivateKey();
-    }
-
     @Override
-    public void verify(byte[] contentBytes, byte[] signatureBytes) throws SignatureVerificationException {
+    public void verify(DecodedJWT jwt) throws SignatureVerificationException {
+        byte[] contentBytes = String.format("%s.%s", jwt.getHeader(), jwt.getPayload()).getBytes(StandardCharsets.UTF_8);
+        byte[] signatureBytes = Base64.decodeBase64(jwt.getSignature());
+
         try {
-            if (keyProvider.getPublicKey() == null) {
+            RSAPublicKey publicKey = keyProvider.getPublicKey(jwt.getKeyId());
+            if (publicKey == null) {
                 throw new IllegalStateException("The given Public Key is null.");
             }
-            boolean valid = crypto.verifySignatureFor(getDescription(), keyProvider.getPublicKey(), contentBytes, signatureBytes);
+            boolean valid = crypto.verifySignatureFor(getDescription(), publicKey, contentBytes, signatureBytes);
             if (!valid) {
                 throw new SignatureVerificationException(this);
             }
@@ -58,27 +54,41 @@ public void verify(byte[] contentBytes, byte[] signatureBytes) throws SignatureV
     @Override
     public byte[] sign(byte[] contentBytes) throws SignatureGenerationException {
         try {
-            if (keyProvider.getPrivateKey() == null) {
+            RSAPrivateKey privateKey = keyProvider.getPrivateKey();
+            if (privateKey == null) {
                 throw new IllegalStateException("The given Private Key is null.");
             }
-            return crypto.createSignatureFor(getDescription(), keyProvider.getPrivateKey(), contentBytes);
+            return crypto.createSignatureFor(getDescription(), privateKey, contentBytes);
         } catch (NoSuchAlgorithmException | SignatureException | InvalidKeyException | IllegalStateException e) {
             throw new SignatureGenerationException(this, e);
         }
     }
 
+    @Override
+    public String getSigningKeyId() {
+        return keyProvider.getSigningKeyId();
+    }
+
     //Visible for testing
     static RSAKeyProvider providerForKeys(final RSAPublicKey publicKey, final RSAPrivateKey privateKey) {
+        if (publicKey == null && privateKey == null) {
+            throw new IllegalArgumentException("Both provided Keys cannot be null.");
+        }
         return new RSAKeyProvider() {
             @Override
-            public RSAPublicKey getPublicKey() {
+            public RSAPublicKey getPublicKey(String keyId) {
                 return publicKey;
             }
 
             @Override
             public RSAPrivateKey getPrivateKey() {
                 return privateKey;
             }
+
+            @Override
+            public String getSigningKeyId() {
+                return null;
+            }
         };
     }
 }
@@ -14,14 +14,22 @@ interface KeyProvider<U extends PublicKey, R extends PrivateKey> {
     /**
      * Getter for the Public Key instance, used to verify the signature.
      *
+     * @param keyId the Key Id specified in the Token's Header or null if none is available. Provides a hint on which Public Key to use to verify the token's signature.
      * @return the Public Key instance
      */
-    U getPublicKey();
+    U getPublicKey(String keyId);
 
     /**
      * Getter for the Private Key instance, used to sign the content.
      *
      * @return the Private Key instance
      */
     R getPrivateKey();
+
+    /**
+     * Getter for the Id of the Private Key used to sign the tokens. This represents the `kid` claim and will be placed in the Header if no other "Key Id" has been set already.
+     *
+     * @return the Key Id that identifies the Signing Key or null if it's not specified.
+     */
+    String getSigningKeyId();
 }
Original file line number	Diff line number	Diff line change
`@@ -303,6 +303,10 @@ public String sign(Algorithm algorithm) throws IllegalArgumentException, JWTCrea`
`303`	`303`	`}`
`304`	`304`	`headerClaims.put(PublicClaims.ALGORITHM, algorithm.getName());`
`305`	`305`	`headerClaims.put(PublicClaims.TYPE, "JWT");`
	`306`	`+ String signingKeyId = algorithm.getSigningKeyId();`
	`307`	`+ if (!headerClaims.containsKey(PublicClaims.KEY_ID) && signingKeyId != null) {`
	`308`	`+ withKeyId(signingKeyId);`
	`309`	`+ }`
`306`	`310`	`return new JWTCreator(algorithm, headerClaims, payloadClaims).sign();`
`307`	`311`	`}`
`308`	`312`
`@@ -322,8 +326,8 @@ private void addClaim(String name, Object value) {`
`322`	`326`	`}`
`323`	`327`
`324`	`328`	`private String sign() throws SignatureGenerationException {`
`325`		`- String header = Base64.encodeBase64URLSafeString((headerJson.getBytes(StandardCharsets.UTF_8)));`
`326`		`- String payload = Base64.encodeBase64URLSafeString((payloadJson.getBytes(StandardCharsets.UTF_8)));`
	`329`	`+ String header = Base64.encodeBase64URLSafeString(headerJson.getBytes(StandardCharsets.UTF_8));`
	`330`	`+ String payload = Base64.encodeBase64URLSafeString(payloadJson.getBytes(StandardCharsets.UTF_8));`
`327`	`331`	`String content = String.format("%s.%s", header, payload);`
`328`	`332`
`329`	`333`	`byte[] signatureBytes = algorithm.sign(content.getBytes(StandardCharsets.UTF_8));`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,8 @@`
`2`	`2`
`3`	`3`	`import com.auth0.jwt.exceptions.SignatureGenerationException;`
`4`	`4`	`import com.auth0.jwt.exceptions.SignatureVerificationException;`
	`5`	`+import com.auth0.jwt.interfaces.DecodedJWT;`
	`6`	`+import org.apache.commons.codec.binary.Base64;`
`5`	`7`
`6`	`8`	`class NoneAlgorithm extends Algorithm {`
`7`	`9`
`@@ -10,7 +12,8 @@ class NoneAlgorithm extends Algorithm {`
`10`	`12`	`}`
`11`	`13`
`12`	`14`	`@Override`
`13`		`- public void verify(byte[] contentBytes, byte[] signatureBytes) throws SignatureVerificationException {`
	`15`	`+ public void verify(DecodedJWT jwt) throws SignatureVerificationException {`
	`16`	`+ byte[] signatureBytes = Base64.decodeBase64(jwt.getSignature());`
`14`	`17`	`if (signatureBytes.length > 0) {`
`15`	`18`	`throw new SignatureVerificationException(this);`
`16`	`19`	`}`