Skip to content

Commit

Permalink
Ensured JCA Name comparison is not case sensitive per Java Security S…
Browse files Browse the repository at this point in the history
…tandard Algorithm Names documentation. Accompanied with test case for regression.

Resolves #381
  • Loading branch information
lhazlewood committed Aug 14, 2018
1 parent a4b388c commit 56b3a71
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 1 deletion.
6 changes: 5 additions & 1 deletion api/src/main/java/io/jsonwebtoken/SignatureAlgorithm.java
Original file line number Diff line number Diff line change
Expand Up @@ -349,7 +349,11 @@ private void assertValid(Key key, boolean signing) throws InvalidKeyException {
if (alg == null) {
throw new InvalidKeyException("The " + keyType(signing) + " key's algorithm cannot be null.");
}
if (!HS256.jcaName.equals(alg) && !HS384.jcaName.equals(alg) && !HS512.jcaName.equals(alg)) {

// These next checks use equalsIgnoreCase per https://github.com/jwtk/jjwt/issues/381#issuecomment-412912272
if (!HS256.jcaName.equalsIgnoreCase(alg) &&
!HS384.jcaName.equalsIgnoreCase(alg) &&
!HS512.jcaName.equalsIgnoreCase(alg)) {
throw new InvalidKeyException("The " + keyType(signing) + " key's algorithm '" + alg +
"' does not equal a valid HmacSHA* algorithm name and cannot be used with " + name() + ".");
}
Expand Down
19 changes: 19 additions & 0 deletions api/src/test/groovy/io/jsonwebtoken/SignatureAlgorithmTest.groovy
Original file line number Diff line number Diff line change
Expand Up @@ -372,6 +372,25 @@ class SignatureAlgorithmTest {
}
}

@Test // https://github.com/jwtk/jjwt/issues/381
void testAssertValidHmacSigningKeyCaseInsensitiveJcaName() {

for (SignatureAlgorithm alg : SignatureAlgorithm.values().findAll { it.isHmac() }) {

SecretKey key = createMock(SecretKey)
int numBits = alg.minKeyLength
int numBytes = numBits / 8 as int
expect(key.getEncoded()).andReturn(new byte[numBytes])
expect(key.getAlgorithm()).andReturn(alg.jcaName.toUpperCase()) // <-- upper case, non standard JCA name

replay key

alg.assertValidSigningKey(key)

verify key
}
}

@Test
void testAssertValidHmacSigningKeyUnsupportedAlgorithm() {

Expand Down

0 comments on commit 56b3a71

Please sign in to comment.