Implement algorithm lucidity

Nanne Baars · nbaars · commit a15062791cd5 · 2021-08-05T10:48:30.000+02:00
diff --git a/commons/src/main/java/org/paseto4j/commons/Key.java b/commons/src/main/java/org/paseto4j/commons/Key.java
@@ -0,0 +1,27 @@
+package org.paseto4j.commons;
+
+import static org.paseto4j.commons.Conditions.verify;
+
+public abstract class Key {
+
+    public byte[] material;
+    public Version version;
+
+    public Key(byte[] keyMaterial, Version version) {
+        this.material = keyMaterial;
+        this.version = version;
+    }
+
+    public Key(byte[] keyMaterial, Version version, int size) {
+        verify(keyMaterial.length == 32, "key should be " + size + " bytes");
+
+        this.material = keyMaterial;
+        this.version = version;
+    }
+
+    abstract public boolean isValidFor(Version v, Purpose p);
+
+    public boolean hasLength(int length) {
+        return length == material.length;
+    }
+}
diff --git a/commons/src/main/java/org/paseto4j/commons/PrivateKey.java b/commons/src/main/java/org/paseto4j/commons/PrivateKey.java
@@ -0,0 +1,11 @@
+package org.paseto4j.commons;
+
+public class PrivateKey extends Key {
+    public PrivateKey(byte[] keyMaterial, Version version) {
+        super(keyMaterial, version);
+    }
+
+    public boolean isValidFor(Version v, Purpose p) {
+        return v == this.version && p == Purpose.PURPOSE_PUBLIC;
+    }
+}
diff --git a/commons/src/main/java/org/paseto4j/commons/PublicKey.java b/commons/src/main/java/org/paseto4j/commons/PublicKey.java
@@ -0,0 +1,11 @@
+package org.paseto4j.commons;
+
+public class PublicKey extends Key {
+    public PublicKey(byte[] keyMaterial, Version version) {
+        super(keyMaterial, version);
+    }
+
+    public boolean isValidFor(Version v, Purpose p) {
+        return v == this.version && p == Purpose.PURPOSE_PUBLIC;
+    }
+}
diff --git a/commons/src/main/java/org/paseto4j/commons/Purpose.java b/commons/src/main/java/org/paseto4j/commons/Purpose.java
@@ -0,0 +1,3 @@
+package org.paseto4j.commons;
+
+public enum Purpose {PURPOSE_LOCAL, PURPOSE_PUBLIC};
diff --git a/commons/src/main/java/org/paseto4j/commons/SecretKey.java b/commons/src/main/java/org/paseto4j/commons/SecretKey.java
@@ -0,0 +1,11 @@
+package org.paseto4j.commons;
+
+public class SecretKey extends Key {
+    public SecretKey(byte[] keyMaterial, Version version) {
+        super(keyMaterial, version, 32);
+    }
+
+    public boolean isValidFor(Version v, Purpose p) {
+        return v == this.version && p == Purpose.PURPOSE_LOCAL;
+    }
+}
diff --git a/commons/src/main/java/org/paseto4j/commons/Version.java b/commons/src/main/java/org/paseto4j/commons/Version.java
@@ -0,0 +1,4 @@
+package org.paseto4j.commons;
+
+public enum Version {V1, V2};
+
diff --git a/examples/src/main/java/org/paseto4j/version2/Version1.java b/examples/src/main/java/org/paseto4j/version2/Version1.java
@@ -24,10 +24,15 @@
 
 package org.paseto4j.version2;
 
+import org.paseto4j.commons.PrivateKey;
+import org.paseto4j.commons.PublicKey;
+import org.paseto4j.commons.SecretKey;
 import org.paseto4j.version1.Paseto;
 
 import java.security.*;
 
+import static org.paseto4j.commons.Version.V1;
+
 public class Version1 {
 
     private static final String TOKEN = "{\"data\":\"this is a signed message\",\"expires\":\"2019-01-01T00:00:00+00:00\"}";
@@ -47,21 +52,21 @@ public static void main(String[] args) throws SignatureException {
     private static void exampleV1Public() throws SignatureException {
         KeyPair keyPair = generateKeyPair();
 
-        String signedToken = Paseto.sign(keyPair.getPrivate().getEncoded(), TOKEN, FOOTER);
+        String signedToken = Paseto.sign(new PrivateKey(keyPair.getPrivate().getEncoded(), V1), TOKEN, FOOTER);
         System.out.println("Signed token is: " + signedToken);
 
-        String token = Paseto.parse(keyPair.getPublic().getEncoded(), signedToken, FOOTER);
+        String token = Paseto.parse(new PublicKey(keyPair.getPublic().getEncoded(), V1), signedToken, FOOTER);
         System.out.println("Signature is valid, token is: " + token);
     }
 
     private static void exampleV1PublicSignatureInvalid() throws SignatureException {
         KeyPair keyPair1 = generateKeyPair();
         KeyPair keyPair2 = generateKeyPair();
 
-        String signedToken = Paseto.sign(keyPair1.getPrivate().getEncoded(), TOKEN, FOOTER);
+        String signedToken = Paseto.sign(new PrivateKey(keyPair1.getPrivate().getEncoded(), V1), TOKEN, FOOTER);
         System.out.println("Signed token is: " + signedToken);
 
-        String token = Paseto.parse(keyPair2.getPublic().getEncoded(), signedToken, FOOTER);
+        String token = Paseto.parse(new PublicKey(keyPair2.getPublic().getEncoded(), V1), signedToken, FOOTER);
         System.out.println("Signature is valid, token is: " + token);
     }
 
@@ -77,10 +82,10 @@ private static KeyPair generateKeyPair() {
 
     private static void exampleV1Local() {
         byte[] secretKey = SecureRandom.getSeed(32);
-        String encryptedToken = Paseto.encrypt(secretKey, TOKEN, FOOTER);
+        String encryptedToken = Paseto.encrypt(new SecretKey(secretKey, V1), TOKEN, FOOTER);
         System.out.println("Encrypted token is: " + encryptedToken);
 
-        String decryptedToken = Paseto.decrypt(secretKey, encryptedToken, FOOTER);
+        String decryptedToken = Paseto.decrypt(new SecretKey(secretKey, V1), encryptedToken, FOOTER);
         System.out.println("Decrypted token is: " + decryptedToken);
     }
 
diff --git a/examples/src/main/java/org/paseto4j/version2/Version2.java b/examples/src/main/java/org/paseto4j/version2/Version2.java
@@ -2,6 +2,9 @@
 
 import org.apache.tuweni.bytes.Bytes;
 import org.apache.tuweni.crypto.sodium.Signature;
+import org.paseto4j.commons.PrivateKey;
+import org.paseto4j.commons.PublicKey;
+import org.paseto4j.commons.Version;
 
 import java.security.SignatureException;
 
@@ -14,8 +17,8 @@ public static void main(String... args) throws SignatureException {
     private void signToken() throws SignatureException {
         var seed = Bytes.random(32).toArray();
         var keyPair = Signature.KeyPair.fromSeed(Signature.Seed.fromBytes(seed));
-        var publicKey = new byte[32];
-        var privateKey = keyPair.secretKey().bytesArray();
+        var publicKey = new PublicKey(keyPair.publicKey().bytesArray(), Version.V2);
+        var privateKey = new PrivateKey(keyPair.secretKey().bytesArray(), Version.V2);
 
         String signedToken = Paseto.sign(
                 privateKey,
diff --git a/version1/src/main/java/org/paseto4j/version1/Paseto.java b/version1/src/main/java/org/paseto4j/version1/Paseto.java
@@ -24,37 +24,42 @@
 
 package org.paseto4j.version1;
 
+import org.paseto4j.commons.PrivateKey;
+import org.paseto4j.commons.PublicKey;
+import org.paseto4j.commons.SecretKey;
+
 import java.security.SignatureException;
 
 public class Paseto {
 
-    private Paseto() {}
+    private Paseto() {
+    }
 
     /**
      * https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Version1.md#encrypt
      */
-    public static String encrypt(byte[] key, String payload, String footer) {
+    public static String encrypt(SecretKey key, String payload, String footer) {
         return org.paseto4j.version1.PasetoLocal.encrypt(key, payload, footer);
     }
 
     /**
      * https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Version1.md#decrypt
      */
-    public static String decrypt(byte[] key, String signedMessage, String footer) {
+    public static String decrypt(SecretKey key, String signedMessage, String footer) {
         return PasetoLocal.decrypt(key, signedMessage, footer);
     }
 
     /**
      * Sign the token, https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Version1.md#sign
      */
-    public static String sign(byte[] privateKey, String payload, String footer) {
+    public static String sign(PrivateKey privateKey, String payload, String footer) {
         return PasetoPublic.sign(privateKey, payload, footer);
     }
 
     /**
      * Parse the token, https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Version1.md#verify
      */
-    public static String parse(byte[] publicKey, String signedMessage, String footer) throws SignatureException {
+    public static String parse(PublicKey publicKey, String signedMessage, String footer) throws SignatureException {
         return PasetoPublic.parse(publicKey, signedMessage, footer);
     }
 }
diff --git a/version1/src/main/java/org/paseto4j/version1/PasetoLocal.java b/version1/src/main/java/org/paseto4j/version1/PasetoLocal.java
@@ -25,8 +25,7 @@
 package org.paseto4j.version1;
 
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import org.paseto4j.commons.ByteUtils;
-import org.paseto4j.commons.PreAuthenticationEncoder;
+import org.paseto4j.commons.*;
 
 import java.security.MessageDigest;
 import java.security.Security;
@@ -55,17 +54,17 @@ private PasetoLocal() {
     /**
      * https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Version1.md#encrypt
      */
-    public static String encrypt(byte[] key, String payload, String footer) {
+    public static String encrypt(SecretKey key, String payload, String footer) {
         return encrypt(key, randomBytes(), payload, footer);
     }
 
     /**
      * https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Version1.md#encrypt
      */
-    static String encrypt(byte[] key, byte[] randomKey, String payload, String footer) {
+    static String encrypt(SecretKey key, byte[] randomKey, String payload, String footer) {
         requireNonNull(key);
         requireNonNull(payload);
-        verify(key.length == 32, "key should be 32 bytes");
+        verify(key.isValidFor(Version.V1, Purpose.PURPOSE_LOCAL), "Key is not valid for purpose and version");
 
         //3
         byte[] nonce = getNonce(payload.getBytes(UTF_8), randomKey);
@@ -96,21 +95,21 @@ private static byte[] getNonce(byte[] payload, byte[] randomKey) {
         return Arrays.copyOfRange(CryptoFunctions.hmac384(randomKey, payload), 0, 32);
     }
 
-    private static byte[] encryptionKey(byte[] key, byte[] nonce) {
-        return hkdfSha384(key, Arrays.copyOfRange(nonce, 0, 16), "paseto-encryption-key".getBytes(UTF_8));
+    private static byte[] encryptionKey(SecretKey key, byte[] nonce) {
+        return hkdfSha384(key.material, Arrays.copyOfRange(nonce, 0, 16), "paseto-encryption-key".getBytes(UTF_8));
     }
 
-    private static byte[] authenticationKey(byte[] key, byte[] nonce) {
-        return hkdfSha384(key, Arrays.copyOfRange(nonce, 0, 16), "paseto-auth-key-for-aead".getBytes(UTF_8));
+    private static byte[] authenticationKey(SecretKey key, byte[] nonce) {
+        return hkdfSha384(key.material, Arrays.copyOfRange(nonce, 0, 16), "paseto-auth-key-for-aead".getBytes(UTF_8));
     }
 
     /**
      * https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Version1.md#decrypt
      */
-    static String decrypt(byte[] key, String token, String footer) {
+    static String decrypt(SecretKey key, String token, String footer) {
         requireNonNull(key);
         requireNonNull(token);
-        verify(key.length == 32, "Secret key should be 32 bytes");
+        verify(key.isValidFor(Version.V1, Purpose.PURPOSE_LOCAL), "Key is not valid for purpose and version");
 
         String[] tokenParts = token.split("\\.");
         verify(tokenParts.length == 3 || tokenParts.length == 4, "Token should contain at least 3 parts");
diff --git a/version1/src/main/java/org/paseto4j/version1/PasetoPublic.java b/version1/src/main/java/org/paseto4j/version1/PasetoPublic.java
@@ -24,9 +24,7 @@
 
 package org.paseto4j.version1;
 
-import org.paseto4j.commons.ByteUtils;
-import org.paseto4j.commons.Conditions;
-import org.paseto4j.commons.PreAuthenticationEncoder;
+import org.paseto4j.commons.*;
 
 import java.security.MessageDigest;
 import java.security.SignatureException;
@@ -37,6 +35,7 @@
 import static java.util.Base64.getUrlEncoder;
 import static java.util.Objects.requireNonNull;
 import static org.paseto4j.commons.Conditions.isNullOrEmpty;
+import static org.paseto4j.commons.Conditions.verify;
 
 class PasetoPublic {
 
@@ -48,15 +47,16 @@ private PasetoPublic() {
     /**
      * Sign the token, https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Version1.md#sign
      */
-    static String sign(byte[] privateKey, String payload, String footer) {
+    static String sign(PrivateKey privateKey, String payload, String footer) {
         requireNonNull(privateKey);
         requireNonNull(payload);
+        Conditions.verify(privateKey.isValidFor(Version.V1, Purpose.PURPOSE_PUBLIC), "Key is not valid for purpose and version");
 
         //2
         byte[] m2 = PreAuthenticationEncoder.encode(PUBLIC.getBytes(UTF_8), payload.getBytes(UTF_8), footer.getBytes(UTF_8));
 
         //3
-        byte[] signature = CryptoFunctions.signRsaPssSha384(privateKey, m2);
+        byte[] signature = CryptoFunctions.signRsaPssSha384(privateKey.material, m2);
 
         //4
         String signedToken = PUBLIC + getUrlEncoder().withoutPadding().encodeToString(ByteUtils.concat(payload.getBytes(UTF_8), signature));
@@ -70,9 +70,10 @@ static String sign(byte[] privateKey, String payload, String footer) {
     /**
      * Parse the token, https://github.com/paragonie/paseto/blob/master/docs/01-Protocol-Versions/Version1.md#verify
      */
-    static String parse(byte[] publicKey, String signedMessage, String footer) throws SignatureException {
+    static String parse(PublicKey publicKey, String signedMessage, String footer) throws SignatureException {
         requireNonNull(publicKey);
         requireNonNull(signedMessage);
+        Conditions.verify(publicKey.isValidFor(Version.V1, Purpose.PURPOSE_PUBLIC), "Key is not valid for purpose and version");
 
         String[] tokenParts = signedMessage.split("\\.");
 
@@ -98,8 +99,8 @@ static String parse(byte[] publicKey, String signedMessage, String footer) throw
         return new String(message, UTF_8);
     }
 
-    private static void verify(byte[] key, byte[] m2, byte[] signature) throws SignatureException {
-        if (!CryptoFunctions.verifyRsaPssSha384(key, m2, signature)) {
+    private static void verify(PublicKey key, byte[] m2, byte[] signature) throws SignatureException {
+        if (!CryptoFunctions.verifyRsaPssSha384(key.material, m2, signature)) {
             throw new SignatureException("Invalid signature");
         }
     }
diff --git a/version1/src/test/java/org/paseto4j/version1/PasetoLocalTest.java b/version1/src/test/java/org/paseto4j/version1/PasetoLocalTest.java
@@ -29,6 +29,8 @@
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.paseto4j.commons.PasetoException;
+import org.paseto4j.commons.SecretKey;
+import org.paseto4j.commons.Version;
 
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
@@ -44,13 +46,13 @@ class PasetoLocalTest {
     @ParameterizedTest
     @MethodSource("testVectors")
     void encryptTestVectors(String key, String nonce, String payload, String footer, String expectedToken) {
-        assertEquals(expectedToken, PasetoLocal.encrypt(hexToBytes(key), hexToBytes(nonce), payload, footer));
+        assertEquals(expectedToken, PasetoLocal.encrypt(new SecretKey(hexToBytes(key), Version.V1), hexToBytes(nonce), payload, footer));
     }
 
     @ParameterizedTest
     @MethodSource("testVectors")
     void decryptTestVectors(String key, String nonce, String payload, String footer, String encryptedToken) {
-        assertEquals(payload, Paseto.decrypt(hexToBytes(key), encryptedToken, footer));
+        assertEquals(payload, Paseto.decrypt(new SecretKey(hexToBytes(key), Version.V1), encryptedToken, footer));
     }
 
     private static Stream<Arguments> testVectors() {
@@ -97,7 +99,7 @@ private static Stream<Arguments> testVectors() {
 
     @Test
     void normalUsage() {
-        byte[] key = hexToBytes("707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f");
+        SecretKey key = new SecretKey(hexToBytes("707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f"), Version.V1);
         String encryptedToken = PasetoLocal.encrypt(
                 key,
                 "{\"data\":\"this is a signed message\",\"exp\":\"2019-01-01T00:00:00+00:00\"}",
@@ -111,7 +113,7 @@ void normalUsage() {
 
     @Test
     void wrongFooter() {
-        byte[] key = hexToBytes("707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f");
+        SecretKey key = new SecretKey(hexToBytes("707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f"), Version.V1);
         String encryptedToken = PasetoLocal.encrypt(
                 key,
                 "{\"data\":\"this is a signed message\",\"exp\":\"2019-01-01T00:00:00+00:00\"}",
@@ -122,13 +124,4 @@ void wrongFooter() {
                 PasetoException.class, () -> Paseto.decrypt(key, encryptedToken, "Wrong footer"), "Wrong footer");
     }
 
-    @Test
-    void keySizeShouldBe2048() throws NoSuchAlgorithmException {
-        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
-        keyGen.initialize(1024);
-        KeyPair keyPair = keyGen.generateKeyPair();
-
-        assertThrows(PasetoException.class, () -> Paseto.sign(keyPair.getPrivate().getEncoded(), "msg", ""));
-    }
-
 }
diff --git a/version1/src/test/java/org/paseto4j/version1/PasetoPublicTest.java b/version1/src/test/java/org/paseto4j/version1/PasetoPublicTest.java
diff --git a/version2/src/main/java/org/paseto4j/version2/Paseto.java b/version2/src/main/java/org/paseto4j/version2/Paseto.java
diff --git a/version2/src/main/java/org/paseto4j/version2/PasetoLocal.java b/version2/src/main/java/org/paseto4j/version2/PasetoLocal.java
diff --git a/version2/src/main/java/org/paseto4j/version2/PasetoPublic.java b/version2/src/main/java/org/paseto4j/version2/PasetoPublic.java
diff --git a/version2/src/test/java/org/paseto4j/version2/PasetoLocalTest.java b/version2/src/test/java/org/paseto4j/version2/PasetoLocalTest.java
diff --git a/version2/src/test/java/org/paseto4j/version2/PasetoPublicTest.java b/version2/src/test/java/org/paseto4j/version2/PasetoPublicTest.java

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+package org.paseto4j.commons;`
	`2`	`+`
	`3`	`+public enum Purpose {PURPOSE_LOCAL, PURPOSE_PUBLIC};`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +package org.paseto4j.commons;
++
 +public enum Version {V1, V2};
++