Skip to content

Commit

Permalink
Ensured symmetric logic between the Keys and SignatureAlgorithm helpe…
Browse files Browse the repository at this point in the history
…r methods for hmac key lengths.

Updated Android dependencies and ProGuard exclusion definitions
Updating docs to reflect 0.10.3 release
Resolves #381, #382
  • Loading branch information
lhazlewood committed Aug 14, 2018
1 parent d7071fa commit 37f1574
Show file tree
Hide file tree
Showing 11 changed files with 38 additions and 36 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,11 @@
## Release Notes

### 0.10.3

This is a minor patch release that fixed a key length assertion for `SignatureAlgorithm.forSigningKey` that was
failing in Android environments. The Android dependencies and ProGuard exclusions documentation was updated as
well to reflect Android Studio 3.0 conventions.

### 0.10.2

This is a minor patch release that ensures the `OrgJsonSerializer` and `OrgJsonDeserializer` implementations are
Expand Down
26 changes: 14 additions & 12 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -179,18 +179,18 @@ If you're building a (non-Android) JDK project, you will want to define the foll
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.10.2</version>
<version>0.10.3</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>0.10.2</version>
<version>0.10.3</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.10.2</version>
<version>0.10.3</version>
<scope>runtime</scope>
</dependency>
<!-- Uncomment this next dependency if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
Expand All @@ -209,11 +209,11 @@ If you're building a (non-Android) JDK project, you will want to define the foll

```groovy
dependencies {
compile 'io.jsonwebtoken:jjwt-api:0.10.2'
runtime 'io.jsonwebtoken:jjwt-impl:0.10.2',
compile 'io.jsonwebtoken:jjwt-api:0.10.3'
runtime 'io.jsonwebtoken:jjwt-impl:0.10.3',
// Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
//'org.bouncycastle:bcprov-jdk15on:1.60',
'io.jsonwebtoken:jjwt-jackson:0.10.2'
'io.jsonwebtoken:jjwt-jackson:0.10.3'
}
```

Expand All @@ -229,13 +229,13 @@ Add the dependencies to your project:

```groovy
dependencies {
compile 'io.jsonwebtoken:jjwt-api:0.10.2'
runtime 'io.jsonwebtoken:jjwt-impl:0.10.2'
runtime('io.jsonwebtoken:jjwt-orgjson:0.10.2') {
api 'io.jsonwebtoken:jjwt-api:0.10.3'
runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.10.3'
runtimeOnly('io.jsonwebtoken:jjwt-orgjson:0.10.3') {
exclude group: 'org.json', module: 'json' //provided by Android natively
}
// Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
//runtime 'org.bouncycastle:bcprov-jdk15on:1.60'
//runtimeOnly 'org.bouncycastle:bcprov-jdk15on:1.60'
}
```

Expand All @@ -250,6 +250,8 @@ You can use the following [Android Proguard](https://developer.android.com/studi
-keep class io.jsonwebtoken.** { *; }
-keepnames class io.jsonwebtoken.* { *; }
-keepnames interface io.jsonwebtoken.* { *; }
-dontwarn org.json.JSONString
-dontwarn org.json.JSONWriter
-keep class org.bouncycastle.** { *; }
-keepnames class org.bouncycastle.** { *; }
Expand Down Expand Up @@ -1192,7 +1194,7 @@ scope which is the typical JJWT default). That is:
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.10.2</version>
<version>0.10.3</version>
<scope>compile</scope> <!-- Not runtime -->
</dependency>
```
Expand All @@ -1201,7 +1203,7 @@ scope which is the typical JJWT default). That is:
```groovy
dependencies {
compile 'io.jsonwebtoken:jjwt-jackson:0.10.2'
compile 'io.jsonwebtoken:jjwt-jackson:0.10.3'
}
```
Expand Down
2 changes: 1 addition & 1 deletion api/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
<parent>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-root</artifactId>
<version>0.10.2</version>
<version>0.11.0-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

Expand Down
14 changes: 8 additions & 6 deletions api/src/main/java/io/jsonwebtoken/SignatureAlgorithm.java
Original file line number Diff line number Diff line change
Expand Up @@ -554,18 +554,20 @@ public static SignatureAlgorithm forSigningKey(Key key) throws InvalidKeyExcepti
if (key instanceof SecretKey) {

SecretKey secretKey = (SecretKey)key;
String secretKeyAlg = secretKey.getAlgorithm();
int bitLength = io.jsonwebtoken.lang.Arrays.length(secretKey.getEncoded()) * Byte.SIZE;

for(SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
if (alg.jcaName.equals(secretKeyAlg)) {
alg.assertValidSigningKey(key);
// ensure compatibility check is based on key length. See https://github.com/jwtk/jjwt/issues/381
if (bitLength >= alg.minKeyLength) {
return alg;
}
}

String msg = "The specified SecretKey algorithm did not equal one of the three required JCA " +
"algorithm names of HmacSHA256, HmacSHA384, or HmacSHA512.";
throw new InvalidKeyException(msg);
String msg = "The specified SecretKey is not strong enough to be used with JWT HMAC signature " +
"algorithms. The JWT specification requires HMAC keys to be >= 256 bits long. The specified " +
"key is " + bitLength + " bits. See https://tools.ietf.org/html/rfc7518#section-3.2 for more " +
"information.";
throw new WeakKeyException(msg);
}

if (key instanceof RSAKey) {
Expand Down
11 changes: 0 additions & 11 deletions api/src/test/groovy/io/jsonwebtoken/SignatureAlgorithmTest.groovy
Original file line number Diff line number Diff line change
Expand Up @@ -186,17 +186,6 @@ class SignatureAlgorithmTest {
}
}

@Test
void testForSigningKeySecretKeyInvalidAlgName() {
try {
SignatureAlgorithm.forSigningKey(new SecretKeySpec(new byte[1], 'AES'))
fail()
} catch (InvalidKeyException e) {
assertEquals "The specified SecretKey algorithm did not equal one of the three required JCA " +
"algorithm names of HmacSHA256, HmacSHA384, or HmacSHA512.", e.message
}
}

@Test
void testForSigningKeySecretKeyWeakKey() {
try {
Expand Down
2 changes: 1 addition & 1 deletion extensions/jackson/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
<parent>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-root</artifactId>
<version>0.10.2</version>
<version>0.11.0-SNAPSHOT</version>
<relativePath>../../pom.xml</relativePath>
</parent>

Expand Down
2 changes: 1 addition & 1 deletion extensions/orgjson/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
<parent>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-root</artifactId>
<version>0.10.2</version>
<version>0.11.0-SNAPSHOT</version>
<relativePath>../../pom.xml</relativePath>
</parent>

Expand Down
2 changes: 1 addition & 1 deletion extensions/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
<parent>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-root</artifactId>
<version>0.10.2</version>
<version>0.11.0-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

Expand Down
2 changes: 1 addition & 1 deletion impl/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
<parent>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-root</artifactId>
<version>0.10.2</version>
<version>0.11.0-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,9 @@ class KeysImplTest {
SecretKey key = Keys.secretKeyFor(alg)
assertEquals alg.minKeyLength, key.getEncoded().length * 8 //convert byte count to bit count
assertEquals alg.jcaName, key.algorithm
alg.assertValidSigningKey(key)
alg.assertValidVerificationKey(key)
assertEquals alg, SignatureAlgorithm.forSigningKey(key) // https://github.com/jwtk/jjwt/issues/381
} else {
try {
Keys.secretKeyFor(alg)
Expand Down
4 changes: 2 additions & 2 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@

<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-root</artifactId>
<version>0.10.2</version>
<version>0.11.0-SNAPSHOT</version>
<name>JJWT</name>
<description>JSON Web Token support for the JVM and Android</description>
<packaging>pom</packaging>
Expand All @@ -43,7 +43,7 @@
<connection>scm:git:https://github.com/jwtk/jjwt.git</connection>
<developerConnection>scm:git:git@github.com:jwtk/jjwt.git</developerConnection>
<url>git@github.com:jwtk/jjwt.git</url>
<tag>0.10.2</tag>
<tag>HEAD</tag>
</scm>
<issueManagement>
<system>GitHub Issues</system>
Expand Down

0 comments on commit 37f1574

Please sign in to comment.