Skip to content

Commit

Permalink
Name cleanup (#840)
Browse files Browse the repository at this point in the history 
- Renamed X509Mutator#x509CertificateSha1Thumbprint to x509Sha1Thumbprint
- Renamed X509Mutator#x509CertificateSha256Thumbprint to x509Sha256Thumbprint
- Renamed X509Builder#withX509Sha1Thumbprint to x509Sha1Thumbprint
- Renamed X509Builder#withX509Sha256Thumbprint to x509Sha256Thumbprint
- Renamed X509Builder#x509CertificateChain to x509Chain
- Renamed X509Accessor#getX509CertificateChain to getX509Chain
- Renamed X509Accessor#getX509CertificateSha1Thumbprint getX509Sha1Thumbprint
- Renamed X509Accessor#getX509CertificateSha256Thumbprint to getX509Sha256Thumbprint

- Renamed JwtParserBuilder#enableUnsecured() to unsecured()
- Renamed JwtParserBuilder#enableUnsecuredDecompression() to unsecuredDecompression()

- Renamed KeyOperationPolicyBuilder#allowUnrelated(boolean) to unrelated() (removed boolean argument also to be consistent with JwtParserBuilder#unsecured())
  • Loading branch information
@lhazlewood
lhazlewood committed Sep 28, 2023
1 parent b687ca5 commit 20b2fa9
Show file tree
Hide file tree
Showing 38 changed files with 246 additions and 250 deletions.
6 changes: 3 additions & 3 deletions api/src/main/java/io/jsonwebtoken/JwsHeader.java
View file
Expand Up @@ -65,23 +65,23 @@ public interface JwsHeader extends ProtectedHeader {
/**
* JWS <a href="https://tools.ietf.org/html/rfc7516#section-4.1.6">X.509 Certificate Chain Header</a> name: the string literal <b><code>x5c</code></b>
*
* @deprecated since JJWT_RELEASE_VERSION in favor of {@link #getX509CertificateChain()}
* @deprecated since JJWT_RELEASE_VERSION in favor of {@link #getX509Chain()}
*/
@Deprecated
String X509_CERT_CHAIN = "x5c";

/**
* JWS <a href="https://tools.ietf.org/html/rfc7516#section-4.1.7">X.509 Certificate SHA-1 Thumbprint Header</a> name: the string literal <b><code>x5t</code></b>
*
* @deprecated since JJWT_RELEASE_VERSION in favor of {@link #getX509CertificateSha1Thumbprint()}
* @deprecated since JJWT_RELEASE_VERSION in favor of {@link #getX509Sha1Thumbprint()}
*/
@Deprecated
String X509_CERT_SHA1_THUMBPRINT = "x5t";

/**
* JWS <a href="https://tools.ietf.org/html/rfc7516#section-4.1.8">X.509 Certificate SHA-256 Thumbprint Header</a> name: the string literal <b><code>x5t#S256</code></b>
*
* @deprecated since JJWT_RELEASE_VERSION in favor of {@link #getX509CertificateSha256Thumbprint()}
* @deprecated since JJWT_RELEASE_VERSION in favor of {@link #getX509Sha256Thumbprint()}
*/
@Deprecated
String X509_CERT_SHA256_THUMBPRINT = "x5t#S256";
Expand Down
16 changes: 8 additions & 8 deletions api/src/main/java/io/jsonwebtoken/JwtParserBuilder.java
View file
Expand Up @@ -62,26 +62,26 @@ public interface JwtParserBuilder extends Builder<JwtParser> {
* @see <a href="https://www.rfc-editor.org/rfc/rfc7518.html#section-8.5">Unsecured JWS Security Considerations</a>
* @see <a href="https://www.rfc-editor.org/rfc/rfc7518.html#section-3.6">Using the Algorithm &quot;none&quot;</a>
* @see Jwts.SIG#NONE
* @see #enableUnsecuredDecompression()
* @see #unsecuredDecompression()
* @since JJWT_RELEASE_VERSION
*/
JwtParserBuilder enableUnsecured();
JwtParserBuilder unsecured();

/**
* If {@link #enableUnsecured() enabledUnsecuredJws} is enabled, calling this method additionally enables
* If the parser is {@link #unsecured()}, calling this method additionally enables
* payload decompression of Unsecured JWTs (JWTs with an 'alg' (Algorithm) header value of 'none') that also have
* a 'zip' (Compression) header. This behavior is disabled by default because using compression
* algorithms with data from unverified (unauthenticated) parties can be susceptible to Denial of Service attacks
* and other data integrity problems as described in
* <a href="https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-pellegrino.pdf">In the
* Compression Hornet’s Nest: A Security Study of Data Compression in Network Services</a>.
*
* <p>Because this behavior is only relevant if {@link #enableUnsecured() enabledUnsecured} is specified,
* calling this method without also calling {@code enableUnsecured()} will result in a build exception, as the
* <p>Because this behavior is only relevant if the parser is unsecured,
* calling this method without also calling {@link #unsecured()} will result in a build exception, as the
* incongruent state could reflect a misunderstanding of both behaviors which should be remedied by the
* application developer.</p>
*
* <b>As is the case for {@link #enableUnsecured()}, be careful when calling this method - one should fully
* <b>As is the case for {@link #unsecured()}, be careful when calling this method - one should fully
* understand
* <a href="https://www.rfc-editor.org/rfc/rfc7518.html#section-8.5">Unsecured JWS Security Considerations</a>
* before enabling this feature.</b>
Expand All @@ -91,10 +91,10 @@ public interface JwtParserBuilder extends Builder<JwtParser> {
* @see <a href="https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-pellegrino.pdf">In the
* Compression Hornet’s Nest: A Security Study of Data Compression in Network Services</a>
* @see Jwts.SIG#NONE
* @see #enableUnsecured()
* @see #unsecured()
* @since JJWT_RELEASE_VERSION
*/
JwtParserBuilder enableUnsecuredDecompression();
JwtParserBuilder unsecuredDecompression();

JwtParserBuilder critical(String crit);

Expand Down
2 changes: 1 addition & 1 deletion api/src/main/java/io/jsonwebtoken/security/KeyOperationBuilder.java
View file
Expand Up @@ -61,7 +61,7 @@ public interface KeyOperationBuilder extends Builder<KeyOperation> {
* assert built.isRelated(other);</pre></blockquote>
*
* <p>A {@link JwkBuilder}'s key operation {@link JwkBuilder#operationPolicy(KeyOperationPolicy) policy} is likely
* to {@link KeyOperationPolicyBuilder#allowUnrelated(boolean) reject} any <em>un</em>related operations specified
* to {@link KeyOperationPolicyBuilder#unrelated() reject} any <em>un</em>related operations specified
* together due to the potential security vulnerabilities that could occur.</p>
*
* <p>This method may be called multiple times to add/append a related {@code id} to the constructed
Expand Down
22 changes: 9 additions & 13 deletions api/src/main/java/io/jsonwebtoken/security/KeyOperationPolicyBuilder.java
View file
Expand Up @@ -35,25 +35,21 @@
public interface KeyOperationPolicyBuilder extends Builder<KeyOperationPolicy> {

/**
* Sets if a JWK is allowed to have unrelated {@link KeyOperation}s in its {@code key_ops} parameter values.
* The default value is {@code false} per the JWK
* <a href="https://www.rfc-editor.org/rfc/rfc7517.html#section-4.3">RFC 7517, Section 4.3</a> recommendation:
*
* Allows a JWK to have unrelated {@link KeyOperation}s in its {@code key_ops} parameter values. <b>Be careful
* when calling this method - one should fully understand the security implications of using the same key
* with multiple algorithms in your application.</b>
* <p>If this method is not called, unrelated key operations are disabled by default per the recommendations in
* <a href="https://datatracker.ietf.org/doc/html/rfc7517#section-4.3">RFC 7517, Section 4.3</a>:</p>
* <blockquote><pre>
* Multiple unrelated key operations SHOULD NOT be specified for a key
* because of the potential vulnerabilities associated with using the
* same key with multiple algorithms.
* </pre></blockquote>
*
* <p>Only set this value to {@code true} if you fully understand the security implications of using the same key
* with multiple algorithms in your application. Otherwise it is best not to use this builder method, or
* explicitly set it to {@code false}.</p>
* same key with multiple algorithms.</pre></blockquote>
*
* @param allow if a JWK is allowed to have unrelated key {@link KeyOperation}s in its {@code key_ops}
* parameter values.
* @return the builder for method chaining
* @see <a href="https://datatracker.ietf.org/doc/html/rfc7517#section-4.3">&quot;key_ops&quot; (Key Operations)
* Parameter</a>
*/
KeyOperationPolicyBuilder allowUnrelated(boolean allow);
KeyOperationPolicyBuilder unrelated();

/**
* Adds the specified key operation to the policy's total set of supported key operations
Expand Down
6 changes: 3 additions & 3 deletions api/src/main/java/io/jsonwebtoken/security/X509Accessor.java
View file
Expand Up @@ -86,7 +86,7 @@ public interface X509Accessor {
* @see <a href="https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.6">JWS <code>x5c</code> (X.509 Certificate Chain) Header Parameter</a>
* @see <a href="https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.8">JWE <code>x5c</code> (X.509 Certificate Chain) Header Parameter</a>
*/
List<X509Certificate> getX509CertificateChain();
List<X509Certificate> getX509Chain();

/**
* Returns the {@code x5t} (X.509 Certificate SHA-1 Thumbprint) (a.k.a. digest) of the DER-encoding of the
Expand All @@ -110,7 +110,7 @@ public interface X509Accessor {
* @see <a href="https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.7">JWS <code>x5t</code> (X.509 Certificate SHA-1 Thumbprint) Header Parameter</a>
* @see <a href="https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.9">JWE <code>x5t</code> (X.509 Certificate SHA-1 Thumbprint) Header Parameter</a>
*/
byte[] getX509CertificateSha1Thumbprint();
byte[] getX509Sha1Thumbprint();

/**
* Returns the {@code x5t#S256} (X.509 Certificate SHA-256 Thumbprint) (a.k.a. digest) of the DER-encoding of the
Expand All @@ -134,5 +134,5 @@ public interface X509Accessor {
* @see <a href="https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.8">JWS <code>x5t#S256</code> (X.509 Certificate SHA-256 Thumbprint) Header Parameter</a>
* @see <a href="https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.10">JWE <code>x5t#S256</code> (X.509 Certificate SHA-256 Thumbprint) Header Parameter</a>
*/
byte[] getX509CertificateSha256Thumbprint();
byte[] getX509Sha256Thumbprint();
}
12 changes: 6 additions & 6 deletions api/src/main/java/io/jsonwebtoken/security/X509Builder.java
View file
Expand Up @@ -28,8 +28,8 @@ public interface X509Builder<T extends X509Builder<T>> extends X509Mutator<T> {

/**
* If the {@code enable} argument is {@code true}, compute the SHA-1 thumbprint of the first
* {@link X509Certificate} in the configured {@link #x509CertificateChain(List) x509CertificateChain}, and set
* the resulting value as the {@link #x509CertificateSha1Thumbprint(byte[])} parameter.
* {@link X509Certificate} in the configured {@link #x509Chain(List) x509CertificateChain}, and set
* the resulting value as the {@link #x509Sha1Thumbprint(byte[])} parameter.
*
* <p>If no chain has been configured, or {@code enable} is {@code false}, the builder will not compute nor add a
* {@code x5t} value.</p>
Expand All @@ -38,12 +38,12 @@ public interface X509Builder<T extends X509Builder<T>> extends X509Mutator<T> {
* the resulting value as the {@code x5t} value.
* @return the builder for method chaining.
*/
T withX509Sha1Thumbprint(boolean enable);
T x509Sha1Thumbprint(boolean enable);

/**
* If the {@code enable} argument is {@code true}, compute the SHA-256 thumbprint of the first
* {@link X509Certificate} in the configured {@link #x509CertificateChain(List) x509CertificateChain}, and set
* the resulting value as the {@link #x509CertificateSha256Thumbprint(byte[])} parameter.
* {@link X509Certificate} in the configured {@link #x509Chain(List) x509CertificateChain}, and set
* the resulting value as the {@link #x509Sha256Thumbprint(byte[])} parameter.
*
* <p>If no chain has been configured, or {@code enable} is {@code false}, the builder will not compute nor add a
* {@code x5t#S256} value.</p>
Expand All @@ -52,5 +52,5 @@ public interface X509Builder<T extends X509Builder<T>> extends X509Mutator<T> {
* the resulting value as the {@code x5t#S256} value.
* @return the builder for method chaining.
*/
T withX509Sha256Thumbprint(boolean enable);
T x509Sha256Thumbprint(boolean enable);
}
6 changes: 3 additions & 3 deletions api/src/main/java/io/jsonwebtoken/security/X509Mutator.java
View file
Expand Up @@ -85,7 +85,7 @@ public interface X509Mutator<T extends X509Mutator<T>> {
* @see <a href="https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.6">JWS <code>x5c</code> (X.509 Certificate Chain) Header Parameter</a>
* @see <a href="https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.8">JWE <code>x5c</code> (X.509 Certificate Chain) Header Parameter</a>
*/
T x509CertificateChain(List<X509Certificate> chain);
T x509Chain(List<X509Certificate> chain);

/**
* Sets the {@code x5t} (X.509 Certificate SHA-1 Thumbprint) (a.k.a. digest) of the DER-encoding of the
Expand All @@ -111,7 +111,7 @@ public interface X509Mutator<T extends X509Mutator<T>> {
* @see <a href="https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.7">JWS <code>x5t</code> (X.509 Certificate SHA-1 Thumbprint) Header Parameter</a>
* @see <a href="https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.9">JWE <code>x5t</code> (X.509 Certificate SHA-1 Thumbprint) Header Parameter</a>
*/
T x509CertificateSha1Thumbprint(byte[] thumbprint);
T x509Sha1Thumbprint(byte[] thumbprint);

/**
* Sets the {@code x5t#S256} (X.509 Certificate SHA-256 Thumbprint) (a.k.a. digest) of the DER-encoding of the
Expand All @@ -137,5 +137,5 @@ public interface X509Mutator<T extends X509Mutator<T>> {
* @see <a href="https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.8">JWS <code>x5t#S256</code> (X.509 Certificate SHA-256 Thumbprint) Header Parameter</a>
* @see <a href="https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.10">JWE <code>x5t#S256</code> (X.509 Certificate SHA-256 Thumbprint) Header Parameter</a>
*/
T x509CertificateSha256Thumbprint(byte[] thumbprint);
T x509Sha256Thumbprint(byte[] thumbprint);
}
12 changes: 6 additions & 6 deletions impl/src/main/java/io/jsonwebtoken/impl/AbstractX509Context.java
View file
Expand Up @@ -47,34 +47,34 @@ public T x509Url(URI uri) {
}

@Override
public List<X509Certificate> getX509CertificateChain() {
public List<X509Certificate> getX509Chain() {
return get(AbstractAsymmetricJwk.X5C);
}

@Override
public T x509CertificateChain(List<X509Certificate> chain) {
public T x509Chain(List<X509Certificate> chain) {
put(AbstractAsymmetricJwk.X5C, chain);
return self();
}

@Override
public byte[] getX509CertificateSha1Thumbprint() {
public byte[] getX509Sha1Thumbprint() {
return get(AbstractAsymmetricJwk.X5T);
}

@Override
public T x509CertificateSha1Thumbprint(byte[] thumbprint) {
public T x509Sha1Thumbprint(byte[] thumbprint) {
put(AbstractAsymmetricJwk.X5T, thumbprint);
return self();
}

@Override
public byte[] getX509CertificateSha256Thumbprint() {
public byte[] getX509Sha256Thumbprint() {
return get(AbstractAsymmetricJwk.X5T_S256);
}

@Override
public T x509CertificateSha256Thumbprint(byte[] thumbprint) {
public T x509Sha256Thumbprint(byte[] thumbprint) {
put(AbstractAsymmetricJwk.X5T_S256, thumbprint);
return self();
}
Expand Down
8 changes: 4 additions & 4 deletions impl/src/main/java/io/jsonwebtoken/impl/DefaultJweHeaderBuilder.java
View file
Expand Up @@ -34,14 +34,14 @@ protected DefaultJweHeaderBuilder(DefaultJweHeaderMutator<?> src) {
}

@Override
public T withX509Sha1Thumbprint(boolean enable) {
this.x509.withX509Sha1Thumbprint(enable);
public T x509Sha1Thumbprint(boolean enable) {
this.x509.x509Sha1Thumbprint(enable);
return self();
}

@Override
public T withX509Sha256Thumbprint(boolean enable) {
this.x509.withX509Sha256Thumbprint(enable);
public T x509Sha256Thumbprint(boolean enable) {
this.x509.x509Sha256Thumbprint(enable);
return self();
}
}
12 changes: 6 additions & 6 deletions impl/src/main/java/io/jsonwebtoken/impl/DefaultJweHeaderMutator.java
View file
Expand Up @@ -166,20 +166,20 @@ public T x509Url(URI uri) {
}

@Override
public T x509CertificateChain(List<X509Certificate> chain) {
this.x509.x509CertificateChain(chain);
public T x509Chain(List<X509Certificate> chain) {
this.x509.x509Chain(chain);
return self();
}

@Override
public T x509CertificateSha1Thumbprint(byte[] thumbprint) {
this.x509.x509CertificateSha1Thumbprint(thumbprint);
public T x509Sha1Thumbprint(byte[] thumbprint) {
this.x509.x509Sha1Thumbprint(thumbprint);
return self();
}

@Override
public T x509CertificateSha256Thumbprint(byte[] thumbprint) {
this.x509.x509CertificateSha256Thumbprint(thumbprint);
public T x509Sha256Thumbprint(byte[] thumbprint) {
this.x509.x509Sha256Thumbprint(thumbprint);
return self();
}

Expand Down
20 changes: 10 additions & 10 deletions impl/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java
View file
Expand Up @@ -128,7 +128,7 @@ public class DefaultJwtParser implements JwtParser {
private static final String UNSECURED_DISABLED_MSG_PREFIX = "Unsecured JWSs (those with an " +
DefaultHeader.ALGORITHM + " header value of '" + Jwts.SIG.NONE.getId() + "') are disallowed by " +
"default as mandated by https://www.rfc-editor.org/rfc/rfc7518.html#section-3.6. If you wish to " +
"allow them to be parsed, call the JwtParserBuilder.enableUnsecured() method, but please read the " +
"allow them to be parsed, call the JwtParserBuilder.unsecured() method, but please read the " +
"security considerations covered in that method's JavaDoc before doing so. Header: ";

private static final String CRIT_UNSECURED_MSG = "Unsecured JWSs (those with an " + DefaultHeader.ALGORITHM +
Expand Down Expand Up @@ -176,17 +176,17 @@ public class DefaultJwtParser implements JwtParser {
"by default to protect against [Denial of Service attacks](" +
"https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-pellegrino.pdf). If you " +
"wish to enable Unsecure JWS or Unencoded JWS payload decompression, call the JwtParserBuilder." +
"enableUnsecuredDecompression() method, but please read the security considerations covered in that " +
"unsecuredDecompression() method, but please read the security considerations covered in that " +
"method's JavaDoc before doing so.";

private final Provider provider;

@SuppressWarnings("deprecation")
private final SigningKeyResolver signingKeyResolver;

private final boolean enableUnsecured;
private final boolean unsecured;

private final boolean enableUnsecuredDecompression;
private final boolean unsecuredDecompression;

private final Function<JwsHeader, SecureDigestAlgorithm<?, ?>> sigAlgFn;

Expand Down Expand Up @@ -214,8 +214,8 @@ public class DefaultJwtParser implements JwtParser {
@SuppressWarnings("deprecation")
DefaultJwtParser(Provider provider,
SigningKeyResolver signingKeyResolver,
boolean enableUnsecured,
boolean enableUnsecuredDecompression,
boolean unsecured,
boolean unsecuredDecompression,
Locator<? extends Key> keyLocator,
Clock clock,
Set<String> critical,
Expand All @@ -229,8 +229,8 @@ public class DefaultJwtParser implements JwtParser {
Collection<KeyAlgorithm<?, ?>> extraKeyAlgs,
Collection<AeadAlgorithm> extraEncAlgs) {
this.provider = provider;
this.enableUnsecured = enableUnsecured;
this.enableUnsecuredDecompression = enableUnsecuredDecompression;
this.unsecured = unsecured;
this.unsecuredDecompression = unsecuredDecompression;
this.signingKeyResolver = signingKeyResolver;
this.keyLocator = Assert.notNull(keyLocator, "Key Locator cannot be null.");
this.clock = Assert.notNull(clock, "Clock cannot be null.");
Expand Down Expand Up @@ -406,7 +406,7 @@ private void verifySignature(final TokenizedJwt tokenized, final JwsHeader jwsHe
throw new MalformedJwtException(JWE_NONE_MSG);
}
// Unsecured JWTs are disabled by default per the RFC:
if (!enableUnsecured) {
if (!this.unsecured) {
String msg = UNSECURED_DISABLED_MSG_PREFIX + header;
throw new UnsupportedJwtException(msg);
}
Expand Down Expand Up @@ -584,7 +584,7 @@ private void verifySignature(final TokenizedJwt tokenized, final JwsHeader jwsHe
if (!payloadBase64UrlEncoded) {
String msg = String.format(B64_DECOMPRESSION_MSG, compressionAlgorithm.getId());
throw new UnsupportedJwtException(msg);
} else if (!enableUnsecuredDecompression) {
} else if (!unsecuredDecompression) {
String msg = String.format(UNPROTECTED_DECOMPRESSION_MSG, compressionAlgorithm.getId());
throw new UnsupportedJwtException(msg);
}
Expand Down

0 comments on commit 20b2fa9

Please sign in to comment.