Ensured symmetric logic between the Keys and SignatureAlgorithm helpe…

…r methods for hmac key lengths.

Updated Android dependencies and ProGuard exclusion definitions
Resolves #381, #382

Ensured symmetric logic between the Keys and SignatureAlgorithm helper methods for hmac key lengths.  Resolves #381
Prepping for a 0.10.3 point release

README.md

@@ -229,13 +229,13 @@ Add the dependencies to your project:
 
 ```groovy
 dependencies {
-    compile 'io.jsonwebtoken:jjwt-api:0.10.2'
-    runtime 'io.jsonwebtoken:jjwt-impl:0.10.2' 
-    runtime('io.jsonwebtoken:jjwt-orgjson:0.10.2') {
+    api 'io.jsonwebtoken:jjwt-api:0.10.2'
+    runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.10.2' 
+    runtimeOnly('io.jsonwebtoken:jjwt-orgjson:0.10.2') {
         exclude group: 'org.json', module: 'json' //provided by Android natively
     }
     // Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
-    //runtime 'org.bouncycastle:bcprov-jdk15on:1.60'
+    //runtimeOnly 'org.bouncycastle:bcprov-jdk15on:1.60'
 }
 ```
 
@@ -250,6 +250,8 @@ You can use the following [Android Proguard](https://developer.android.com/studi
 -keep class io.jsonwebtoken.** { *; }
 -keepnames class io.jsonwebtoken.* { *; }
 -keepnames interface io.jsonwebtoken.* { *; }
+-dontwarn org.json.JSONString
+-dontwarn org.json.JSONWriter
 
 -keep class org.bouncycastle.** { *; }
 -keepnames class org.bouncycastle.** { *; }

api/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt-root</artifactId>
-        <version>0.10.2</version>
+        <version>0.10.3-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

api/src/main/java/io/jsonwebtoken/SignatureAlgorithm.java

@@ -554,18 +554,20 @@ public static SignatureAlgorithm forSigningKey(Key key) throws InvalidKeyExcepti
         if (key instanceof SecretKey) {
 
             SecretKey secretKey = (SecretKey)key;
-            String secretKeyAlg = secretKey.getAlgorithm();
+            int bitLength = io.jsonwebtoken.lang.Arrays.length(secretKey.getEncoded()) * Byte.SIZE;
 
             for(SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
-                if (alg.jcaName.equals(secretKeyAlg)) {
-                    alg.assertValidSigningKey(key);
+                // ensure compatibility check is based on key length. See https://github.com/jwtk/jjwt/issues/381
+                if (bitLength >= alg.minKeyLength) {
                     return alg;
                 }
             }
 
-            String msg = "The specified SecretKey algorithm did not equal one of the three required JCA " +
-                "algorithm names of HmacSHA256, HmacSHA384, or HmacSHA512.";
-            throw new InvalidKeyException(msg);
+            String msg = "The specified SecretKey is not strong enough to be used with JWT HMAC signature " +
+                "algorithms.  The JWT specification requires HMAC keys to be >= 256 bits long.  The specified " +
+                "key is " + bitLength + " bits.  See https://tools.ietf.org/html/rfc7518#section-3.2 for more " +
+                "information.";
+            throw new WeakKeyException(msg);
         }
 
         if (key instanceof RSAKey) {

api/src/test/groovy/io/jsonwebtoken/SignatureAlgorithmTest.groovy

@@ -186,17 +186,6 @@ class SignatureAlgorithmTest {
         }
     }
 
-    @Test
-    void testForSigningKeySecretKeyInvalidAlgName() {
-        try {
-            SignatureAlgorithm.forSigningKey(new SecretKeySpec(new byte[1], 'AES'))
-            fail()
-        } catch (InvalidKeyException e) {
-            assertEquals "The specified SecretKey algorithm did not equal one of the three required JCA " +
-                    "algorithm names of HmacSHA256, HmacSHA384, or HmacSHA512.", e.message
-        }
-    }
-
     @Test
     void testForSigningKeySecretKeyWeakKey() {
         try {

extensions/jackson/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt-root</artifactId>
-        <version>0.10.2</version>
+        <version>0.10.3-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

extensions/orgjson/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt-root</artifactId>
-        <version>0.10.2</version>
+        <version>0.10.3-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

extensions/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt-root</artifactId>
-        <version>0.10.2</version>
+        <version>0.10.3-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

impl/pom.xml

@@ -21,7 +21,7 @@
     <parent>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt-root</artifactId>
-        <version>0.10.2</version>
+        <version>0.10.3-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

impl/src/test/groovy/io/jsonwebtoken/security/KeysImplTest.groovy

@@ -32,6 +32,9 @@ class KeysImplTest {
                 SecretKey key = Keys.secretKeyFor(alg)
                 assertEquals alg.minKeyLength, key.getEncoded().length * 8 //convert byte count to bit count
                 assertEquals alg.jcaName, key.algorithm
+                alg.assertValidSigningKey(key)
+                alg.assertValidVerificationKey(key)
+                assertEquals alg, SignatureAlgorithm.forSigningKey(key) // https://github.com/jwtk/jjwt/issues/381
             } else {
                 try {
                     Keys.secretKeyFor(alg)

pom.xml

@@ -25,7 +25,7 @@
 
     <groupId>io.jsonwebtoken</groupId>
     <artifactId>jjwt-root</artifactId>
-    <version>0.10.2</version>
+    <version>0.10.3-SNAPSHOT</version>
     <name>JJWT</name>
     <description>JSON Web Token support for the JVM and Android</description>
     <packaging>pom</packaging>
@@ -43,7 +43,7 @@
         <connection>scm:git:https://github.com/jwtk/jjwt.git</connection>
         <developerConnection>scm:git:git@github.com:jwtk/jjwt.git</developerConnection>
         <url>git@github.com:jwtk/jjwt.git</url>
-        <tag>0.10.2</tag>
+        <tag>HEAD</tag>
     </scm>
     <issueManagement>
         <system>GitHub Issues</system>