(Nested) signed and encrypted produces too many segments

Issue #179 invalid
Slawomir Lisznianski created an issue

The test code below produces an invalid JWT (more than 3 segments in the serialized output). If you look at the output, you will notice a double delimiter ".." in there. Example output:

eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0..599ATU3FG24Ec0k2.vaQLnT_MQTzeTDPrGUQPQmswKkha9qptIAktQrD4u7cIIcARO7IphGbg5ke_D45s0fvv309TYP6hpyUUz9VhhhjemhGeONqLEKo-QmAM2ZjT0jeklvunIqnwODU8iQBn71qqzPLgvxSaYHZ68qvsi2SQ_7azxd54TTWnuyParjtSyj8b9ET-RPHCre8gMByfrHE4TiWBuFx_CaHTaEsX921sdAsOTC7rRKGrHQ.osg4Cy7U8GIVQPypU_vxMQ

import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Date;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.DirectEncrypter;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

// Generate a 256-bit AES key, used here both as the HMAC key and as the
// direct content-encryption key (test code only; production code should
// not share one key between the two operations)
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256);
final SecretKey secretKey = keyGen.generateKey();
final byte[] rawKey = secretKey.getEncoded();

// Create HMAC signer
final JWSSigner signer = new MACSigner(rawKey);
final ZonedDateTime currentTime = ZonedDateTime.now(ZoneOffset.UTC);

// Prepare JWT with claims set
JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
    .subject("alice")
    .issueTime(Date.from(currentTime.toInstant()))
    .expirationTime(Date.from(currentTime.plusHours(1).toInstant()))
    .issuer("https://pushcoin.com")
    .build();

SignedJWT signedJWTOut = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claimsSet);

// Apply the HMAC (sign() and encrypt() below throw JOSEException, which the
// enclosing method must declare or catch)
signedJWTOut.sign(signer);

// Create JWE object with the signed JWT as payload
JWEObject jweObjectOut = new JWEObject(
    new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
            .contentType("JWT") // required to signal nested JWT
            .build(),
    new Payload(signedJWTOut));

// Perform encryption with the raw key used directly as the CEK (alg=dir)
jweObjectOut.encrypt(new DirectEncrypter(rawKey));

// Serialise to JWE compact form: header.encryptedKey.iv.ciphertext.tag
// With alg=dir there is no encrypted key, so the second segment is empty
String jweString = jweObjectOut.serialize();

Comments (2)

  1. Slawomir Lisznianski reporter

    JWE compact serialization consists of five base64url-encoded parts, and direct encryption doesn't use an encrypted key, so that field will be an empty string.
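The point the reporter concedes above is easy to get wrong in code that merely counts dots, so here is an added example (not code from this issue or from the Nimbus JOSE+JWT library) that parses a JOSE compact serialization and checks its segment layout against the protected header: three segments means JWS, five means JWE, and an empty second segment is legitimate in a JWE exactly when the key-management algorithm carries no encrypted key, which per RFC 7518 is "dir" and "ECDH-ES". The sample input is the JWE string quoted verbatim from the report above; the three-segment JWS it also inspects is constructed here with a dummy all-zero signature and is not verifiable. The IV and tag sizes it checks are the RFC 7518 values for the listed "enc" algorithms.

```python
import base64
import json

# Sample input taken verbatim from the issue report above: a JWE built with
# alg "dir" and enc "A256GCM" whose payload is a signed JWT. Only the layout is
# inspected here, so no key is needed.
NESTED_JWE = (
    "eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiZGlyIn0"
    "..599ATU3FG24Ec0k2."
    "vaQLnT_MQTzeTDPrGUQPQmswKkha9qptIAktQrD4u7cIIcARO7IphGbg5ke_D45s0fvv30"
    "9TYP6hpyUUz9VhhhjemhGeONqLEKo-QmAM2ZjT0jeklvunIqnwODU8iQBn71qqzPLgvxSa"
    "YHZ68qvsi2SQ_7azxd54TTWnuyParjtSyj8b9ET-RPHCre8gMByfrHE4TiWBuFx_CaHTaE"
    "sX921sdAsOTC7rRKGrHQ"
    ".osg4Cy7U8GIVQPypU_vxMQ"
)

# Expected IV and authentication-tag sizes in bytes per "enc" (RFC 7518 section 5).
IV_TAG_BYTES = {
    "A128GCM": (12, 16), "A192GCM": (12, 16), "A256GCM": (12, 16),
    "A128CBC-HS256": (16, 16), "A192CBC-HS384": (16, 24), "A256CBC-HS512": (16, 32),
}

# Key-management algorithms whose JWE Encrypted Key is the empty octet sequence
# (RFC 7518 sections 4.5 and 4.6).
EMPTY_KEY_ALGS = {"dir", "ECDH-ES"}


def b64url_decode(segment):
    """Decode an unpadded base64url segment (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def inspect_compact(token):
    """Classify a JOSE compact serialization and check its segment layout.

    Three segments is a JWS (header.payload.signature); five is a JWE
    (header.encrypted_key.iv.ciphertext.tag, RFC 7516 section 7.1). A ".."
    is therefore legitimate in a JWE whenever the second segment is allowed
    to be empty, i.e. for alg "dir" and "ECDH-ES". Raises ValueError for any
    layout that does not match the protected header.
    """
    segments = token.split(".")
    if len(segments) == 3:
        kind, names = "JWS", ("header", "payload", "signature")
    elif len(segments) == 5:
        kind, names = "JWE", ("header", "encrypted_key", "iv", "ciphertext", "tag")
    else:
        raise ValueError(f"expected 3 (JWS) or 5 (JWE) segments, got {len(segments)}")

    decoded = dict(zip(names, (b64url_decode(s) for s in segments)))
    header = json.loads(decoded["header"])
    lengths = {name: len(value) for name, value in decoded.items()}
    alg = header.get("alg")

    if kind == "JWS":
        if "enc" in header or lengths["signature"] == 0:
            raise ValueError("malformed JWS: carries 'enc' or an empty signature")
    else:
        enc = header.get("enc")
        if enc not in IV_TAG_BYTES:
            raise ValueError(f"unknown or missing enc {enc!r}")
        # Empty encrypted key is required for dir/ECDH-ES and forbidden otherwise.
        if (lengths["encrypted_key"] == 0) != (alg in EMPTY_KEY_ALGS):
            raise ValueError(f"encrypted key segment does not match alg {alg!r}")
        iv_len, tag_len = IV_TAG_BYTES[enc]
        if lengths["iv"] != iv_len or lengths["tag"] != tag_len:
            raise ValueError(f"iv/tag length wrong for {enc}: {lengths}")
        if lengths["ciphertext"] == 0:
            raise ValueError("empty ciphertext")

    return {
        "kind": kind,
        "header": header,
        "lengths": lengths,
        # RFC 7519 section 5.2: cty "JWT" signals that the payload is itself a JWT.
        "nested_jwt": header.get("cty") == "JWT",
    }


def is_valid_compact(token):
    """True when the token parses as a well-formed JWS or JWE compact serialization."""
    try:
        inspect_compact(token)
        return True
    except ValueError:  # covers binascii.Error and JSONDecodeError too
        return False


def sample_jws():
    """Constructed 3-segment JWS with a dummy all-zero signature (not verifiable)."""
    header = b64url_encode(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps({"sub": "alice"}, separators=(",", ":")).encode())
    return f"{header}.{payload}.{b64url_encode(bytes(32))}"


if __name__ == "__main__":
    for name, token in (("nested JWE", NESTED_JWE), ("sample JWS", sample_jws())):
        info = inspect_compact(token)
        print(name, info["kind"], info["header"], info["lengths"], "nested:", info["nested_jwt"])
```

Run against the string from the report, `inspect_compact` reports a JWE with header `{"cty": "JWT", "enc": "A256GCM", "alg": "dir"}`, an empty encrypted-key segment, a 12-byte IV and a 16-byte tag, exactly what a `dir` + `A256GCM` token should look like; the same function rejects the token once anything is placed in that second segment, since `dir` supplies the content-encryption key out of band.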