java.lang.Object
- net.shibboleth.oidc.security.impl.ExplicitKeySignedJWTTrustEngineTest

```
public class ExplicitKeySignedJWTTrustEngineTest
extends Object
```
Tests for the ExplicitKeySignedJWTTrustEngine.
Note, there is not explicit test for the 'none' algorithm as Nimbus will not created a SignedJWT (as required by the trust engine) if the 'none' algorithm is used.

We can not test a JWT with an in-line symmetric key (oct type) JWK as Nimbus will not (correctly) parse it. Hence we assume the trust engine could never be passed such an invalid JWT.

Field Summary

Fields
Modifier and Type	Field	Description
`private static String`	`CLIENT_SECRET`	The client_secret.
`private static String`	`CLIENT_SECRET_512`	The client_secret.
`private MockFunctionalCredentialResolver`	`credResolver`
`private CriteriaSet`	`criteria`	The criteria set to use.
`private String`	`CVE_2016_10555_SIGNING_CERT_PUBLIC_KEY`
`private net.shibboleth.oidc.security.impl.ExplicitKeySignedJWTTrustEngine`	`engine`
`private JOSEObjectCredentialResolver`	`joseObjectCredResolver`
`private String`	`JWT_WITH_INLINE_SHARED_SECRET_JWK`	This is a forged JWT that contains a 'secret' inside the JWK header.
`private com.nimbusds.jose.jwk.ECKey`	`key`
`private net.shibboleth.oidc.security.jose.SignatureValidationParameters`	`params`	Signature params.

Constructor Summary

Constructors
Constructor Description

ExplicitKeySignedJWTTrustEngineTest()

Method Summary

All Methods Static Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`protected static com.nimbusds.jwt.JWTClaimsSet`	`buildStandardClaims(String issuer, String audience)`	Build a basic claims set using the audience and issuer provided.
`protected static com.nimbusds.jwt.SignedJWT`	`createECSignedJWT(com.nimbusds.jose.jwk.ECKey key, String keyId, com.nimbusds.jose.JWSAlgorithm algo, String issuer, String audience)`	Create a EC signed JWS without a JKU or inline JWK.
`protected static com.nimbusds.jwt.SignedJWT`	`createECSignedJWTWithDifferentInlineJWK(com.nimbusds.jose.jwk.ECKey key, String keyId, com.nimbusds.jose.JWSAlgorithm algo, com.nimbusds.jose.jwk.ECKey signingKey, String issuer, String audience)`	Create a JWS using a a key that is different to that in the JOSE header.
`protected static com.nimbusds.jwt.SignedJWT`	`createECSignedJWTWithInlineJWK(com.nimbusds.jose.jwk.ECKey key, String keyId, com.nimbusds.jose.JWSAlgorithm algo, String issuer, String audience)`	Create an EC signed JWS with an inline (in JOSE headers) JWK.
`protected static com.nimbusds.jwt.SignedJWT`	`createECSignedJWTWithJKU(com.nimbusds.jose.jwk.ECKey key, String keyId, URI jku, com.nimbusds.jose.JWSAlgorithm algo, String issuer, String audience)`	Create an EC signed JWS with a JKU URL.
`protected static com.nimbusds.jwt.SignedJWT`	`createMACSignedJWT(String key, String keyId, com.nimbusds.jose.JWSAlgorithm algo, String issuer, String audience)`	Create a JWS using a MAC without a JKU or inline JWK.
`void`	`setup()`
`void`	`testInvalid_CVE_2016_10555()`	Test for CVE-2016-10555.
`void`	`testInvalid_InlineJWKInvalidSignature()`
`void`	`testInvalid_InlineJWKWrongKid()`
`void`	`testInvalid_WithInlineSharedSecretJWK()`	A shared secret would never come via a JWK, but test in case of forgery.
`void`	`testInvalid_WithUntrustedInlineJWK_CVE_2018_0114()`
`void`	`testValid_WithInlineJKU()`
`void`	`testValid_WithInlineJWK()`
`void`	`testValid_WithSymmetricKeyCredential()`
`void`	`testValid_WithSymmetricKeyCredential_Filtered()`	Test symmetric key using a mock filtering resolver.
`void`	`testValid_WithSymmetricKeyCredential_Filtered_WrongKeySize()`	Test symmetric key using a mock filtering resolver.
`void`	`testValid_WithSymmetricKeyCredential_JWSAlgorithm_Excluded()`
`void`	`testValid_WithSymmetricKeyCredential_JWSAlgorithm_NotIncluded()`
`void`	`testValid_WithTrustedCredential()`

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

engine

private net.shibboleth.oidc.security.impl.ExplicitKeySignedJWTTrustEngine engine

key

private com.nimbusds.jose.jwk.ECKey key

credResolver

private MockFunctionalCredentialResolver credResolver

joseObjectCredResolver

private JOSEObjectCredentialResolver joseObjectCredResolver

CVE_2016_10555_SIGNING_CERT_PUBLIC_KEY
```
private final String CVE_2016_10555_SIGNING_CERT_PUBLIC_KEY
```
See Also:

Constant Field Values

JWT_WITH_INLINE_SHARED_SECRET_JWK
```
private final String JWT_WITH_INLINE_SHARED_SECRET_JWK
```
This is a forged JWT that contains a 'secret' inside the JWK header. This should never happen, but we want to test that we can not create a SignedJWT from it.

See Also:

Constant Field Values

CLIENT_SECRET
```
private static final String CLIENT_SECRET
```
The client_secret. 256 bit

See Also:

Constant Field Values

CLIENT_SECRET_512
```
private static final String CLIENT_SECRET_512
```
The client_secret. 256 bit

See Also:

Constant Field Values

params

private net.shibboleth.oidc.security.jose.SignatureValidationParameters params

Signature params.

criteria
```
private CriteriaSet criteria
```
The criteria set to use.

Constructor Detail
- ExplicitKeySignedJWTTrustEngineTest
```
public ExplicitKeySignedJWTTrustEngineTest()
```

Method Detail

setup

@BeforeMethod
public void setup()
           throws com.nimbusds.jose.JOSEException

Throws:: com.nimbusds.jose.JOSEException

testValid_WithTrustedCredential

public void testValid_WithTrustedCredential()
                                     throws com.nimbusds.jose.JOSEException,
                                            SecurityException

Throws:: com.nimbusds.jose.JOSEException; SecurityException

testValid_WithSymmetricKeyCredential

public void testValid_WithSymmetricKeyCredential()
                                          throws com.nimbusds.jose.JOSEException,
                                                 SecurityException

Throws:: com.nimbusds.jose.JOSEException; SecurityException

testValid_WithSymmetricKeyCredential_Filtered

public void testValid_WithSymmetricKeyCredential_Filtered()
                                                   throws com.nimbusds.jose.JOSEException,
                                                          SecurityException

Test symmetric key using a mock filtering resolver.

Throws:: com.nimbusds.jose.JOSEException - on error; SecurityException - on error

testValid_WithSymmetricKeyCredential_Filtered_WrongKeySize

public void testValid_WithSymmetricKeyCredential_Filtered_WrongKeySize()
                                                                throws com.nimbusds.jose.JOSEException,
                                                                       SecurityException

Test symmetric key using a mock filtering resolver. The key length is too small for the HS512 MAC algorithm used and so no credentials should be supplied for validation.

Throws:: com.nimbusds.jose.JOSEException - on error; SecurityException - on error

testValid_WithSymmetricKeyCredential_JWSAlgorithm_Excluded

public void testValid_WithSymmetricKeyCredential_JWSAlgorithm_Excluded()
                                                                throws com.nimbusds.jose.JOSEException,
                                                                       SecurityException

Throws:: com.nimbusds.jose.JOSEException; SecurityException

testValid_WithSymmetricKeyCredential_JWSAlgorithm_NotIncluded

public void testValid_WithSymmetricKeyCredential_JWSAlgorithm_NotIncluded()
                                                                   throws com.nimbusds.jose.JOSEException,
                                                                          SecurityException

Throws:: com.nimbusds.jose.JOSEException; SecurityException

testInvalid_CVE_2016_10555
```
public void testInvalid_CVE_2016_10555()
                                throws Exception
```
Test for CVE-2016-10555. That is, can a malicious user choose which algorithm to verify the token with. If so, they could create a MAC for the JWT with the servers public key as a secret, change the algorithm to HS256 (a MAC version) and have the server (if vulnerable) validate it against the public key it has locally - so the server assumes it always needs to use the public key to verify signatures, and passes it in as a secret to the MAC verifier.
This is only likely in cases where the implementation only expects to verify using a public key and has a generic method that accepts the public key, but can actually use a MAC verification method - with the public key. So a fairly unusual case!.

Throws:

Exception - on error.

testValid_WithInlineJWK

public void testValid_WithInlineJWK()
                             throws com.nimbusds.jose.JOSEException,
                                    SecurityException

Throws:: com.nimbusds.jose.JOSEException; SecurityException

testInvalid_WithInlineSharedSecretJWK
```
public void testInvalid_WithInlineSharedSecretJWK()
                                           throws Exception
```
A shared secret would never come via a JWK, but test in case of forgery. We should not support shared secrets in JWKs. Nimbus should not parse such a header. Add a smoke test to ensure this is always the case.

Throws:

Exception - on error.

testInvalid_WithUntrustedInlineJWK_CVE_2018_0114

public void testInvalid_WithUntrustedInlineJWK_CVE_2018_0114()
                                                      throws com.nimbusds.jose.JOSEException,
                                                             SecurityException

Throws:: com.nimbusds.jose.JOSEException; SecurityException

testValid_WithInlineJKU

public void testValid_WithInlineJKU()
                             throws com.nimbusds.jose.JOSEException,
                                    SecurityException,
                                    URISyntaxException

Throws:: com.nimbusds.jose.JOSEException; SecurityException; URISyntaxException

testInvalid_InlineJWKWrongKid

public void testInvalid_InlineJWKWrongKid()
                                   throws com.nimbusds.jose.JOSEException,
                                          SecurityException

Throws:: com.nimbusds.jose.JOSEException; SecurityException

testInvalid_InlineJWKInvalidSignature

public void testInvalid_InlineJWKInvalidSignature()
                                           throws com.nimbusds.jose.JOSEException,
                                                  SecurityException

Throws:: com.nimbusds.jose.JOSEException; SecurityException

buildStandardClaims

protected static com.nimbusds.jwt.JWTClaimsSet buildStandardClaims(String issuer,
                                                                   String audience)

Build a basic claims set using the audience and issuer provided.

Parameters:: issuer - the issuer; audience - the audience
Returns:: the constructed claims set

createECSignedJWT

protected static com.nimbusds.jwt.SignedJWT createECSignedJWT(com.nimbusds.jose.jwk.ECKey key,
                                                              String keyId,
                                                              com.nimbusds.jose.JWSAlgorithm algo,
                                                              String issuer,
                                                              String audience)
                                                       throws com.nimbusds.jose.JOSEException

Create a EC signed JWS without a JKU or inline JWK.

Parameters:: key - the key to sign the JWT.; keyId - the keyId to describe the key to use in the header.; algo - the key algorithm.; issuer - the issuer.; audience - the audience.
Returns:: the signed JWT
Throws:: com.nimbusds.jose.JOSEException - on error.

createMACSignedJWT

protected static com.nimbusds.jwt.SignedJWT createMACSignedJWT(String key,
                                                               @Nullable
                                                               String keyId,
                                                               com.nimbusds.jose.JWSAlgorithm algo,
                                                               String issuer,
                                                               String audience)
                                                        throws com.nimbusds.jose.JOSEException

Create a JWS using a MAC without a JKU or inline JWK.

Parameters:: key - the shared key to sign the JWT.; keyId - the keyId to describe the key to use in the header. If null, will not be added; algo - the key algorithm.; issuer - the issuer.; audience - the audience.
Returns:: the signed JWT
Throws:: com.nimbusds.jose.JOSEException - on error.

createECSignedJWTWithJKU

protected static com.nimbusds.jwt.SignedJWT createECSignedJWTWithJKU(com.nimbusds.jose.jwk.ECKey key,
                                                                     String keyId,
                                                                     URI jku,
                                                                     com.nimbusds.jose.JWSAlgorithm algo,
                                                                     String issuer,
                                                                     String audience)
                                                              throws com.nimbusds.jose.JOSEException,
                                                                     URISyntaxException

Create an EC signed JWS with a JKU URL.

Parameters:: key - the key to sign the JWT.; keyId - the keyId to describe the key to use in the header.; jku - the JKU.; algo - the key algorithm.; issuer - the issuer.; audience - the audience.
Returns:: the signed JWT
Throws:: com.nimbusds.jose.JOSEException - on error.; URISyntaxException - on error.

createECSignedJWTWithInlineJWK

protected static com.nimbusds.jwt.SignedJWT createECSignedJWTWithInlineJWK(com.nimbusds.jose.jwk.ECKey key,
                                                                           String keyId,
                                                                           com.nimbusds.jose.JWSAlgorithm algo,
                                                                           String issuer,
                                                                           String audience)
                                                                    throws com.nimbusds.jose.JOSEException

Create an EC signed JWS with an inline (in JOSE headers) JWK.

Parameters:: key - the key to sign the JWT.; keyId - the keyId to describe the key to use in the header.; algo - the key algorithm.; issuer - the issuer.; audience - the audience.
Returns:: the signed JWT
Throws:: com.nimbusds.jose.JOSEException - on error.

createECSignedJWTWithDifferentInlineJWK

protected static com.nimbusds.jwt.SignedJWT createECSignedJWTWithDifferentInlineJWK(com.nimbusds.jose.jwk.ECKey key,
                                                                                    String keyId,
                                                                                    com.nimbusds.jose.JWSAlgorithm algo,
                                                                                    com.nimbusds.jose.jwk.ECKey signingKey,
                                                                                    String issuer,
                                                                                    String audience)
                                                                             throws com.nimbusds.jose.JOSEException

Create a JWS using a a key that is different to that in the JOSE header.

Parameters:: key - the key to described in the JWK header.; keyId - the keyId to describe the key to use in the header.; algo - the key algorithm.; signingKey - the key used to sign the JWS, which could be different than the key described in the JWK.; issuer - the issuer.; audience - the audience.
Returns:: the signed JWT
Throws:: com.nimbusds.jose.JOSEException - on error.

Class ExplicitKeySignedJWTTrustEngineTest