Ensured symmetric logic between the Keys and SignatureAlgorithm helpe…

…r methods for hmac key lengths. Updated Android dependencies and ProGuard exclusion definitions Updating docs to reflect 0.10.3 release Resolves #381, #382
jwtk · Aug 14, 2018 · 85d8920 · 85d8920
1 parent d7071fa
commit 85d8920
Show file tree

Hide file tree

Showing 11 changed files with 38 additions and 36 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 ## Release Notes
 
+### 0.10.3
+
+This is a minor patch release that fixed a key length assertion for `SignatureAlgorithm.forSigningKey` that was 
+failing in Android environments.  The Android dependencies and ProGuard exclusions documentation was updated as 
+well to reflect Android Studio 3.0 conventions.
+
 ### 0.10.2
 
 This is a minor patch release that ensures the `OrgJsonSerializer` and `OrgJsonDeserializer` implementations are 

diff --git a/README.md b/README.md
@@ -179,18 +179,18 @@ If you're building a (non-Android) JDK project, you will want to define the foll
 <dependency>
     <groupId>io.jsonwebtoken</groupId>
     <artifactId>jjwt-api</artifactId>
-    <version>0.10.2</version>
+    <version>0.10.3</version>
 </dependency>
 <dependency>
     <groupId>io.jsonwebtoken</groupId>
     <artifactId>jjwt-impl</artifactId>
-    <version>0.10.2</version>
+    <version>0.10.3</version>
     <scope>runtime</scope>
 </dependency>
 <dependency>
     <groupId>io.jsonwebtoken</groupId>
     <artifactId>jjwt-jackson</artifactId>
-    <version>0.10.2</version>
+    <version>0.10.3</version>
     <scope>runtime</scope>
 </dependency>
 <!-- Uncomment this next dependency if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
@@ -209,11 +209,11 @@ If you're building a (non-Android) JDK project, you will want to define the foll
 
 ```groovy
 dependencies {
-    compile 'io.jsonwebtoken:jjwt-api:0.10.2'
-    runtime 'io.jsonwebtoken:jjwt-impl:0.10.2',
+    compile 'io.jsonwebtoken:jjwt-api:0.10.3'
+    runtime 'io.jsonwebtoken:jjwt-impl:0.10.3',
             // Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
             //'org.bouncycastle:bcprov-jdk15on:1.60',
-            'io.jsonwebtoken:jjwt-jackson:0.10.2'
+            'io.jsonwebtoken:jjwt-jackson:0.10.3'
 }
 ```
 
@@ -229,13 +229,13 @@ Add the dependencies to your project:
 
 ```groovy
 dependencies {
-    compile 'io.jsonwebtoken:jjwt-api:0.10.2'
-    runtime 'io.jsonwebtoken:jjwt-impl:0.10.2' 
-    runtime('io.jsonwebtoken:jjwt-orgjson:0.10.2') {
+    api 'io.jsonwebtoken:jjwt-api:0.10.3'
+    runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.10.3' 
+    runtimeOnly('io.jsonwebtoken:jjwt-orgjson:0.10.3') {
         exclude group: 'org.json', module: 'json' //provided by Android natively
     }
     // Uncomment the next line if you want to use RSASSA-PSS (PS256, PS384, PS512) algorithms:
-    //runtime 'org.bouncycastle:bcprov-jdk15on:1.60'
+    //runtimeOnly 'org.bouncycastle:bcprov-jdk15on:1.60'
 }
 ```
 
@@ -250,6 +250,8 @@ You can use the following [Android Proguard](https://developer.android.com/studi
 -keep class io.jsonwebtoken.** { *; }
 -keepnames class io.jsonwebtoken.* { *; }
 -keepnames interface io.jsonwebtoken.* { *; }
+-dontwarn org.json.JSONString
+-dontwarn org.json.JSONWriter
 
 -keep class org.bouncycastle.** { *; }
 -keepnames class org.bouncycastle.** { *; }
@@ -1192,7 +1194,7 @@ scope which is the typical JJWT default).  That is:
 <dependency>
     <groupId>io.jsonwebtoken</groupId>
     <artifactId>jjwt-jackson</artifactId>
-    <version>0.10.2</version>
+    <version>0.10.3</version>
     <scope>compile</scope> <!-- Not runtime -->
 </dependency>
 ```
@@ -1201,7 +1203,7 @@ scope which is the typical JJWT default).  That is:
 
 ```groovy
 dependencies {
-    compile 'io.jsonwebtoken:jjwt-jackson:0.10.2'
+    compile 'io.jsonwebtoken:jjwt-jackson:0.10.3'
 }
 ```
 

diff --git a/api/pom.xml b/api/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt-root</artifactId>
-        <version>0.10.2</version>
+        <version>0.10.3-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

diff --git a/api/src/main/java/io/jsonwebtoken/SignatureAlgorithm.java b/api/src/main/java/io/jsonwebtoken/SignatureAlgorithm.java
@@ -554,18 +554,20 @@ public static SignatureAlgorithm forSigningKey(Key key) throws InvalidKeyExcepti
         if (key instanceof SecretKey) {
 
             SecretKey secretKey = (SecretKey)key;
-            String secretKeyAlg = secretKey.getAlgorithm();
+            int bitLength = io.jsonwebtoken.lang.Arrays.length(secretKey.getEncoded()) * Byte.SIZE;
 
             for(SignatureAlgorithm alg : PREFERRED_HMAC_ALGS) {
-                if (alg.jcaName.equals(secretKeyAlg)) {
-                    alg.assertValidSigningKey(key);
+                // ensure compatibility check is based on key length. See https://github.com/jwtk/jjwt/issues/381
+                if (bitLength >= alg.minKeyLength) {
                     return alg;
                 }
             }
 
-            String msg = "The specified SecretKey algorithm did not equal one of the three required JCA " +
-                "algorithm names of HmacSHA256, HmacSHA384, or HmacSHA512.";
-            throw new InvalidKeyException(msg);
+            String msg = "The specified SecretKey is not strong enough to be used with JWT HMAC signature " +
+                "algorithms.  The JWT specification requires HMAC keys to be >= 256 bits long.  The specified " +
+                "key is " + bitLength + " bits.  See https://tools.ietf.org/html/rfc7518#section-3.2 for more " +
+                "information.";
+            throw new WeakKeyException(msg);
         }
 
         if (key instanceof RSAKey) {

diff --git a/api/src/test/groovy/io/jsonwebtoken/SignatureAlgorithmTest.groovy b/api/src/test/groovy/io/jsonwebtoken/SignatureAlgorithmTest.groovy
@@ -186,17 +186,6 @@ class SignatureAlgorithmTest {
         }
     }
 
-    @Test
-    void testForSigningKeySecretKeyInvalidAlgName() {
-        try {
-            SignatureAlgorithm.forSigningKey(new SecretKeySpec(new byte[1], 'AES'))
-            fail()
-        } catch (InvalidKeyException e) {
-            assertEquals "The specified SecretKey algorithm did not equal one of the three required JCA " +
-                    "algorithm names of HmacSHA256, HmacSHA384, or HmacSHA512.", e.message
-        }
-    }
-
     @Test
     void testForSigningKeySecretKeyWeakKey() {
         try {

diff --git a/extensions/jackson/pom.xml b/extensions/jackson/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt-root</artifactId>
-        <version>0.10.2</version>
+        <version>0.10.3-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

diff --git a/extensions/orgjson/pom.xml b/extensions/orgjson/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt-root</artifactId>
-        <version>0.10.2</version>
+        <version>0.10.3-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

diff --git a/extensions/pom.xml b/extensions/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt-root</artifactId>
-        <version>0.10.2</version>
+        <version>0.10.3-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

diff --git a/impl/pom.xml b/impl/pom.xml
@@ -21,7 +21,7 @@
     <parent>
         <groupId>io.jsonwebtoken</groupId>
         <artifactId>jjwt-root</artifactId>
-        <version>0.10.2</version>
+        <version>0.10.3-SNAPSHOT</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

diff --git a/impl/src/test/groovy/io/jsonwebtoken/security/KeysImplTest.groovy b/impl/src/test/groovy/io/jsonwebtoken/security/KeysImplTest.groovy
@@ -32,6 +32,9 @@ class KeysImplTest {
                 SecretKey key = Keys.secretKeyFor(alg)
                 assertEquals alg.minKeyLength, key.getEncoded().length * 8 //convert byte count to bit count
                 assertEquals alg.jcaName, key.algorithm
+                alg.assertValidSigningKey(key)
+                alg.assertValidVerificationKey(key)
+                assertEquals alg, SignatureAlgorithm.forSigningKey(key) // https://github.com/jwtk/jjwt/issues/381
             } else {
                 try {
                     Keys.secretKeyFor(alg)

diff --git a/pom.xml b/pom.xml
@@ -25,7 +25,7 @@
 
     <groupId>io.jsonwebtoken</groupId>
     <artifactId>jjwt-root</artifactId>
-    <version>0.10.2</version>
+    <version>0.10.3-SNAPSHOT</version>
     <name>JJWT</name>
     <description>JSON Web Token support for the JVM and Android</description>
     <packaging>pom</packaging>
@@ -43,7 +43,7 @@
         <connection>scm:git:https://github.com/jwtk/jjwt.git</connection>
         <developerConnection>scm:git:git@github.com:jwtk/jjwt.git</developerConnection>
         <url>git@github.com:jwtk/jjwt.git</url>
-        <tag>0.10.2</tag>
+        <tag>HEAD</tag>
     </scm>
     <issueManagement>
         <system>GitHub Issues</system>