diff --git a/README.md b/README.md index 9e0a588..d0b11e4 100644 --- a/README.md +++ b/README.md @@ -11,10 +11,10 @@ In the current version following encryption and signing operations are supported 1. Symmetric encryption (AES based). 1. Classes: `com.nimbusds.jose.aws.kms.crypto.KmsSymmetricEncrypter` and `com.nimbusds.jose.aws.kms.crypto.KmsSymmetricDecrypter` -1. Asymmetric or Symmetric encryption (RSA or ECDSA based for asymmetric keys and AES based for symmetric keys). +2. Asymmetric or Symmetric encryption (RSA or ECDSA based for asymmetric keys and AES based for symmetric keys). 1. Classes: `com.nimbusds.jose.aws.kms.crypto.KmsDefaultEncrypter` and `com.nimbusds.jose.aws.kms.crypto.KmsDefaultDecrypter` -1. Asymmetric signing (RSA or ECDSA based). +3. Asymmetric signing (RSA or ECDSA based). 1. Classes: `com.nimbusds.jose.aws.kms.crypto.KmsAsymmetricSigner` and `com.nimbusds.jose.aws.kms.crypto.KmsAsymmetricVerifier` diff --git a/nimbus-jose-jwt_aws-kms-extension/build.gradle b/nimbus-jose-jwt_aws-kms-extension/build.gradle index 6b87602..5bd3c1f 100644 --- a/nimbus-jose-jwt_aws-kms-extension/build.gradle +++ b/nimbus-jose-jwt_aws-kms-extension/build.gradle @@ -18,7 +18,7 @@ java { withSourcesJar() } -tasks.withType(JavaCompile) { +tasks.withType(JavaCompile).configureEach { options.encoding = 'UTF-8' } 
@@ -32,13 +32,15 @@ dependencies {
 api 'com.nimbusds:nimbus-jose-jwt:[9,9.31]'
 // These dependencies is used internally, and not exposed to consumers on their own compile classpath.
- implementation 'com.amazonaws:aws-java-sdk-kms:[1.12, 2)'
- implementation 'commons-cli:commons-cli:[1.4, 2)'
+ implementation 'software.amazon.awssdk:kms:2.30.18'
+ implementation 'commons-cli:commons-cli:1.9.0'
+ implementation 'commons-codec:commons-codec:1.18.0'
 implementation 'com.google.guava:guava:[32,)'
 // Use JUnit Jupiter for testing.
 testImplementation 'org.junit.jupiter:junit-jupiter:5.+'
 testImplementation 'org.assertj:assertj-core:[3,4)'
+ testImplementation 'org.junit.platform:junit-platform-launcher:1.11.4'
 // Mockito
 testImplementation 'org.mockito:mockito-core:[3,4)'
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRSASSASigner.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRSASSASigner.java
index f2e97f1..fb64448 100644
--- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRSASSASigner.java
+++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRSASSASigner.java
@@ -17,11 +17,12 @@ package com.nimbusds.jose.aws.kms.crypto;
-import com.amazonaws.services.kms.AWSKMS;
-import com.amazonaws.services.kms.model.MessageType;
 import com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricRSASSAProvider;
-import javax.annotation.concurrent.ThreadSafe;
 import lombok.NonNull;
+import software.amazon.awssdk.services.kms.KmsClient;
+import software.amazon.awssdk.services.kms.model.MessageType;
+
+import javax.annotation.concurrent.ThreadSafe;
 /**
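Review bot: The hunk pins `software.amazon.awssdk:kms`, `commons-cli` and `commons-codec` to exact versions but leaves `implementation 'com.google.guava:guava:[32,)'` on the very next line as an open-ended range (and `junit-jupiter:5.+`, `assertj-core:[3,4)`, `mockito-core:[3,4)` below it), so every build re-resolves those against whatever is newest in the repository, the artifact is not reproducible, and a newly published or tampered guava release is pulled in with no change to this file. Pin guava to the version the build currently resolves, in the same style as the three lines above it, and consider enabling `dependencyLocking { lockAllConfigurations() }` with a committed `gradle.lockfile` so the remaining ranges resolve to a reviewed set. The new explicit `commons-codec` line appears to replace a dependency that previously arrived transitively from the v1 SDK (`MessageDigestAlgorithms` is imported in `KmsAsymmetricSigningCryptoProvider` later in this diff); extending the comment above it with `// commons-codec: MessageDigestAlgorithms in KmsAsymmetricSigningCryptoProvider` keeps it from being removed as "unused" later.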
@@ -37,7 +38,7 @@ public class KmsAsymmetricRSASSASigner extends KmsAsymmetricSigner { public KmsAsymmetricRSASSASigner( - @NonNull final AWSKMS kms, @NonNull final String privateKeyId, @NonNull final MessageType messageType) { + @NonNull final KmsClient kms, @NonNull final String privateKeyId, @NonNull final MessageType messageType) { super(kms, privateKeyId, messageType); } } diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRSASSAVerifier.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRSASSAVerifier.java index aa1bd6d..ad62e94 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRSASSAVerifier.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRSASSAVerifier.java @@ -17,12 +17,13 @@ package com.nimbusds.jose.aws.kms.crypto; -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.MessageType; import com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricRSASSAProvider; -import java.util.Set; -import javax.annotation.concurrent.ThreadSafe; import lombok.NonNull; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.MessageType; + +import javax.annotation.concurrent.ThreadSafe; +import java.util.Set; /** * Sign verifier implementation for RSA-SSA signing with public/private key stored in AWS KMS. 
@@ -37,12 +38,12 @@ public class KmsAsymmetricRSASSAVerifier extends KmsAsymmetricVerifier { public KmsAsymmetricRSASSAVerifier( - @NonNull final AWSKMS kms, @NonNull final String privateKeyId, @NonNull final MessageType messageType) { + @NonNull final KmsClient kms, @NonNull final String privateKeyId, @NonNull final MessageType messageType) { super(kms, privateKeyId, messageType); } public KmsAsymmetricRSASSAVerifier( - @NonNull final AWSKMS kms, @NonNull String privateKeyId, @NonNull final MessageType messageType, + @NonNull final KmsClient kms, @NonNull String privateKeyId, @NonNull final MessageType messageType, @NonNull final Set defCritHeaders) { super(kms, privateKeyId, messageType, defCritHeaders); } diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricSigner.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricSigner.java index 11124b0..e4562e7 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricSigner.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricSigner.java 
@@ -17,18 +17,6 @@ package com.nimbusds.jose.aws.kms.crypto; -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.DependencyTimeoutException; -import com.amazonaws.services.kms.model.DisabledException; -import com.amazonaws.services.kms.model.InvalidGrantTokenException; -import com.amazonaws.services.kms.model.InvalidKeyUsageException; -import com.amazonaws.services.kms.model.KMSInternalException; -import com.amazonaws.services.kms.model.KMSInvalidStateException; -import com.amazonaws.services.kms.model.KeyUnavailableException; -import com.amazonaws.services.kms.model.MessageType; -import com.amazonaws.services.kms.model.NotFoundException; -import com.amazonaws.services.kms.model.SignRequest; -import com.amazonaws.services.kms.model.SignResult; import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.JWSSigner; @@ -36,9 +24,13 @@ import com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricSigningCryptoProvider; import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; import com.nimbusds.jose.util.Base64URL; -import javax.annotation.concurrent.ThreadSafe; import lombok.NonNull; import lombok.var; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.*; + +import javax.annotation.concurrent.ThreadSafe; /** @@ -51,7 +43,7 @@ public class KmsAsymmetricSigner extends KmsAsymmetricSigningCryptoProvider implements JWSSigner { public KmsAsymmetricSigner( - @NonNull final AWSKMS kms, @NonNull final String privateKeyId, @NonNull final MessageType messageType) { + @NonNull final KmsClient kms, @NonNull final String privateKeyId, @NonNull final MessageType messageType) { super(kms, privateKeyId, messageType); } 
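Review bot: The replacement import block uses `import software.amazon.awssdk.services.kms.model.*;` where the removed block named each of the eleven v1 model types individually, and the same commit still imports `KmsClient` and `MessageType` one per line in `KmsAsymmetricRSASSASigner`. The wildcard hides exactly which KMS exception types the catch clauses in `sign` depend on, which is what a reader needs to see when the SDK's exception hierarchy changes, and it invites simple-name ambiguity in files that also star-import `com.nimbusds.jose.*` as the verifier does. Prefer listing `SdkBytes`, `SignRequest`, `SignResponse`, `MessageType` and the eight exception types explicitly, e.g. `import software.amazon.awssdk.services.kms.model.KmsInvalidStateException;`, matching the file's pre-existing convention.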
@@ -59,20 +51,21 @@ public KmsAsymmetricSigner(
 public Base64URL sign(@NonNull final JWSHeader header, @NonNull final byte[] signingInput) throws JOSEException {
 final var message = getMessage(header, signingInput);
- SignResult signResult;
+ SignResponse signResponse;
 try {
- signResult = getKms().sign(new SignRequest()
- .withKeyId(getPrivateKeyId())
- .withMessageType(getMessageType())
- .withMessage(message)
- .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(header.getAlgorithm()).toString()));
+ signResponse = getKms().sign(SignRequest.builder()
+ .keyId(getPrivateKeyId())
+ .messageType(getMessageType())
+ .message(SdkBytes.fromByteBuffer(message))
+ .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(header.getAlgorithm()).toString())
+ .build());
 } catch (NotFoundException | DisabledException | KeyUnavailableException | InvalidKeyUsageException
- | KMSInvalidStateException e) {
+ | KmsInvalidStateException e) {
 throw new RemoteKeySourceException("An exception was thrown from KMS due to invalid key.", e);
- } catch (DependencyTimeoutException | InvalidGrantTokenException | KMSInternalException e) {
+ } catch (DependencyTimeoutException | InvalidGrantTokenException | KmsInternalException e) {
 throw new TemporaryJOSEException("A temporary exception was thrown from KMS.", e);
 }
- return Base64URL.encode(signResult.getSignature().array());
+ return Base64URL.encode(signResponse.signature().asByteArray());
 }
 }
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricVerifier.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricVerifier.java
index a6c8716..844112a 100644
--- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricVerifier.java
+++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricVerifier.java
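Review bot: `return Base64URL.encode(signResponse.signature().asByteArray());` on the last changed line emits the KMS signature bytes unchanged, which is right for the RSA specs but not for ECDSA: KMS returns ECDSA signatures DER-encoded, whereas RFC 7518 §3.4 requires the fixed-length R||S concatenation for ES256/ES384/ES512, so if `JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC` (declared outside this hunk) maps any ES* algorithm, tokens signed here are rejected by every standards-conforming verifier and only round-trip through this library's own `KmsAsymmetricVerifier`. Unless the transcoding happens in `getMessage` or elsewhere in the provider — nothing in this hunk does it — convert before encoding, e.g. `final byte[] sig = signResponse.signature().asByteArray();` then `return Base64URL.encode(JWSAlgorithm.Family.EC.contains(header.getAlgorithm()) ? ECDSA.transcodeSignatureToConcat(sig, ECDSA.getSignatureByteArrayLength(header.getAlgorithm())) : sig);` using `com.nimbusds.jose.crypto.impl.ECDSA`, with the mirror `transcodeSignatureToDER` on the verify side. The v1 code (`getSignature().array()`) had the same behaviour, so this is not a regression introduced by the migration, but the commit should at least state which families the signer actually interoperates on.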
@@ -17,33 +17,20 @@ package com.nimbusds.jose.aws.kms.crypto; -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.DependencyTimeoutException; -import com.amazonaws.services.kms.model.DisabledException; -import com.amazonaws.services.kms.model.InvalidGrantTokenException; -import com.amazonaws.services.kms.model.InvalidKeyUsageException; -import com.amazonaws.services.kms.model.KMSInternalException; -import com.amazonaws.services.kms.model.KMSInvalidSignatureException; -import com.amazonaws.services.kms.model.KMSInvalidStateException; -import com.amazonaws.services.kms.model.KeyUnavailableException; -import com.amazonaws.services.kms.model.MessageType; -import com.amazonaws.services.kms.model.NotFoundException; -import com.amazonaws.services.kms.model.VerifyRequest; -import com.amazonaws.services.kms.model.VerifyResult; -import com.nimbusds.jose.CriticalHeaderParamsAware; -import com.nimbusds.jose.JOSEException; -import com.nimbusds.jose.JWSHeader; -import com.nimbusds.jose.JWSVerifier; -import com.nimbusds.jose.RemoteKeySourceException; +import com.nimbusds.jose.*; import com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricSigningCryptoProvider; import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral; import com.nimbusds.jose.util.Base64URL; -import java.nio.ByteBuffer; -import java.util.Set; -import javax.annotation.concurrent.ThreadSafe; import lombok.NonNull; import lombok.var; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.*; + +import javax.annotation.concurrent.ThreadSafe; +import java.nio.ByteBuffer; +import java.util.Set; /** * Sign verifier implementation for asymmetric signing with public/private key stored in AWS KMS. 
@@ -52,9 +39,7 @@ * constructor parameters. */ @ThreadSafe -public class KmsAsymmetricVerifier - extends KmsAsymmetricSigningCryptoProvider - implements JWSVerifier, CriticalHeaderParamsAware { +public class KmsAsymmetricVerifier extends KmsAsymmetricSigningCryptoProvider implements JWSVerifier, CriticalHeaderParamsAware { /** * The critical header policy. @@ -63,13 +48,13 @@ public class KmsAsymmetricVerifier public KmsAsymmetricVerifier( - @NonNull final AWSKMS kms, @NonNull final String privateKeyId, @NonNull final MessageType messageType) { + @NonNull final KmsClient kms, @NonNull final String privateKeyId, @NonNull final MessageType messageType) { super(kms, privateKeyId, messageType); } public KmsAsymmetricVerifier( - @NonNull final AWSKMS kms, @NonNull String privateKeyId, @NonNull final MessageType messageType, + @NonNull final KmsClient kms, @NonNull String privateKeyId, @NonNull final MessageType messageType, @NonNull final Set defCritHeaders) { super(kms, privateKeyId, messageType); critPolicy.setDeferredCriticalHeaderParams(defCritHeaders); 
@@ -101,24 +86,25 @@ public boolean verify(
 var message = getMessage(header, signedContent);
- VerifyResult verifyResult;
+ VerifyResponse verifyResponse;
 try {
- verifyResult = getKms().verify(new VerifyRequest()
- .withKeyId(getPrivateKeyId())
- .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(header.getAlgorithm()).toString())
- .withMessageType(getMessageType())
- .withMessage(message)
- .withSignature(ByteBuffer.wrap(signature.decode())));
- } catch (KMSInvalidSignatureException e) {
+ verifyResponse = getKms().verify(VerifyRequest.builder()
+ .keyId(getPrivateKeyId())
+ .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(header.getAlgorithm()).toString())
+ .messageType(getMessageType())
+ .message(SdkBytes.fromByteBuffer(message))
+ .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(signature.decode())))
+ .build());
+ } catch (KmsInvalidSignatureException e) {
 return false;
 } catch (NotFoundException | DisabledException | KeyUnavailableException | InvalidKeyUsageException
- | KMSInvalidStateException e) {
+ | KmsInvalidStateException e) {
 throw new RemoteKeySourceException("An exception was thrown from KMS due to invalid key.", e);
- } catch (DependencyTimeoutException | InvalidGrantTokenException | KMSInternalException e) {
+ } catch (DependencyTimeoutException | InvalidGrantTokenException | KmsInternalException e) {
 throw new TemporaryJOSEException("A temporary exception was thrown from KMS.", e);
 }
- return verifyResult.isSignatureValid();
+ return verifyResponse.signatureValid();
 }
 }
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultDecrypter.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultDecrypter.java
index 8c2bd7f..aca51bc 100644
--- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultDecrypter.java
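Review bot: The `signingAlgorithm` handed to KMS is `JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(header.getAlgorithm()).toString()`, and `header.getAlgorithm()` is read from the unauthenticated token, so a caller of this public method gets three different outcomes for "bad token" depending on what the attacker wrote in `alg`: a value missing from the map throws `NullPointerException` instead of a `JOSEException`, a value the key cannot use comes back (per the KMS API reference) as `InvalidKeyUsageException` and is rethrown as `RemoteKeySourceException`, and only a value matching the key's spec reaches `return false`. `JWSObject.verify` pre-checks `supportedJWSAlgorithms()`, but nothing here does; add `if (!supportedJWSAlgorithms().contains(header.getAlgorithm())) { throw new JOSEException("Unsupported JWS algorithm: " + header.getAlgorithm()); }` before the request — the enclosing `verify` starts above this hunk, so it belongs with the existing header checks there — and, where the deployment expects one algorithm, let the constructor pin it rather than advertising the whole RSA/EC set. Because KMS always verifies against the configured key, this is an error-classification and robustness issue, not a key/algorithm-confusion break. Separately, `.signature(SdkBytes.fromByteArray(signature.decode()))` drops the `ByteBuffer.wrap` round trip.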
+++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultDecrypter.java @@ -16,7 +16,6 @@ package com.nimbusds.jose.aws.kms.crypto; -import com.amazonaws.services.kms.AWSKMS; import com.nimbusds.jose.CriticalHeaderParamsAware; import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.JWEDecrypter; @@ -25,9 +24,11 @@ import com.nimbusds.jose.aws.kms.crypto.utils.JWEDecrypterUtil; import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral; import com.nimbusds.jose.util.Base64URL; +import lombok.NonNull; +import software.amazon.awssdk.services.kms.KmsClient; + import java.util.Map; import java.util.Set; -import lombok.NonNull; /** * Decrypter implementation for a symmetric or asymmetric key stored in AWS KMS. @@ -43,25 +44,25 @@ public class KmsDefaultDecrypter extends KmsDefaultEncryptionCryptoProvider impl */ private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral(); - public KmsDefaultDecrypter(@NonNull final AWSKMS kms, + public KmsDefaultDecrypter(@NonNull final KmsClient kms, @NonNull final String keyId, @NonNull final Map encryptionContext) { super(kms, keyId, encryptionContext); } - public KmsDefaultDecrypter(@NonNull final AWSKMS kms, + public KmsDefaultDecrypter(@NonNull final KmsClient kms, @NonNull final String keyId) { super(kms, keyId); } - public KmsDefaultDecrypter(@NonNull final AWSKMS kms, + public KmsDefaultDecrypter(@NonNull final KmsClient kms, @NonNull final String keyId, @NonNull final Set defCritHeaders) { this(kms, keyId); critPolicy.setDeferredCriticalHeaderParams(defCritHeaders); } - public KmsDefaultDecrypter(@NonNull final AWSKMS kms, + public KmsDefaultDecrypter(@NonNull final KmsClient kms, @NonNull final String keyId, @NonNull final Map encryptionContext, @NonNull final Set defCritHeaders) { 
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultEncrypter.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultEncrypter.java index 47ba2e1..8976d75 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultEncrypter.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultEncrypter.java 
@@ -16,34 +16,21 @@ package com.nimbusds.jose.aws.kms.crypto; -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.DependencyTimeoutException; -import com.amazonaws.services.kms.model.DisabledException; -import com.amazonaws.services.kms.model.EncryptRequest; -import com.amazonaws.services.kms.model.EncryptResult; -import com.amazonaws.services.kms.model.InvalidGrantTokenException; -import com.amazonaws.services.kms.model.InvalidKeyUsageException; -import com.amazonaws.services.kms.model.KMSInternalException; -import com.amazonaws.services.kms.model.KMSInvalidStateException; -import com.amazonaws.services.kms.model.KeyUnavailableException; -import com.amazonaws.services.kms.model.NotFoundException; -import com.nimbusds.jose.JOSEException; -import com.nimbusds.jose.JWEAlgorithm; -import com.nimbusds.jose.JWECryptoParts; -import com.nimbusds.jose.JWEEncrypter; -import com.nimbusds.jose.JWEHeader; -import com.nimbusds.jose.RemoteKeySourceException; +import com.nimbusds.jose.*; import com.nimbusds.jose.aws.kms.crypto.impl.KmsDefaultEncryptionCryptoProvider; -import com.nimbusds.jose.aws.kms.crypto.impl.KmsSymmetricCryptoProvider; import com.nimbusds.jose.aws.kms.crypto.utils.JWEHeaderUtil; import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; import com.nimbusds.jose.crypto.impl.ContentCryptoProvider; import com.nimbusds.jose.util.Base64URL; -import java.nio.ByteBuffer; -import java.util.Map; +import lombok.NonNull; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.*; + import javax.annotation.concurrent.ThreadSafe; import javax.crypto.SecretKey; -import lombok.NonNull; +import java.nio.ByteBuffer; +import java.util.Map; /** * Encrypter implementation for a symmetric or asymmetric key stored in AWS KMS. 
@@ -54,12 +41,12 @@ @ThreadSafe public class KmsDefaultEncrypter extends KmsDefaultEncryptionCryptoProvider implements JWEEncrypter { - public KmsDefaultEncrypter(@NonNull final AWSKMS kms, @NonNull final String keyId) { + public KmsDefaultEncrypter(@NonNull final KmsClient kms, @NonNull final String keyId) { super(kms, keyId); } - public KmsDefaultEncrypter(@NonNull final AWSKMS kms, @NonNull final String keyId, - @NonNull final Map encryptionContext) { + public KmsDefaultEncrypter(@NonNull final KmsClient kms, @NonNull final String keyId, + @NonNull final Map encryptionContext) { super(kms, keyId, encryptionContext); } 
@@ -77,24 +64,25 @@ public JWECryptoParts encrypt(@NonNull final JWEHeader header, @NonNull final by
 final SecretKey cek = ContentCryptoProvider.generateCEK( updatedHeader.getEncryptionMethod(), getJCAContext().getSecureRandom());
- final EncryptResult encryptedKey = encryptCEK(getKeyId(), updatedHeader.getAlgorithm(), getEncryptionContext(), cek);
- final Base64URL encodedEncryptedKey = Base64URL.encode(encryptedKey.getCiphertextBlob().array());
+ final EncryptResponse encryptedKey = encryptCEK(getKeyId(), updatedHeader.getAlgorithm(), getEncryptionContext(), cek);
+ final Base64URL encodedEncryptedKey = Base64URL.encode(encryptedKey.ciphertextBlob().asByteArray());
 return ContentCryptoProvider.encrypt(updatedHeader, clearText, cek, encodedEncryptedKey, getJCAContext());
 }
- private EncryptResult encryptCEK(String keyId, JWEAlgorithm alg, Map encryptionContext, SecretKey cek)
+ private EncryptResponse encryptCEK(String keyId, JWEAlgorithm alg, Map encryptionContext, SecretKey cek)
 throws JOSEException {
 try {
- return getKms().encrypt(new EncryptRequest()
- .withKeyId(keyId)
- .withEncryptionAlgorithm(alg.getName())
- .withPlaintext(ByteBuffer.wrap(cek.getEncoded()))
- .withEncryptionContext(encryptionContext));
+ return getKms().encrypt(EncryptRequest.builder()
+ .keyId(keyId)
+ .encryptionAlgorithm(alg.getName())
+ .plaintext(SdkBytes.fromByteBuffer(ByteBuffer.wrap(cek.getEncoded())))
+ .encryptionContext(encryptionContext)
+ .build());
 } catch (NotFoundException | DisabledException | InvalidKeyUsageException
- | KMSInvalidStateException | InvalidGrantTokenException e) {
+ | KmsInvalidStateException | InvalidGrantTokenException e) {
 throw new RemoteKeySourceException("An exception was thrown from KMS due to invalid client request.", e);
- } catch (DependencyTimeoutException | KeyUnavailableException | KMSInternalException e) {
+ } catch (DependencyTimeoutException | KeyUnavailableException | KmsInternalException e) {
 throw new TemporaryJOSEException("A temporary 
error was thrown from KMS.", e); } } diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricDecrypter.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricDecrypter.java index 2ca0f74..afc4050 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricDecrypter.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricDecrypter.java @@ -16,7 +16,6 @@ package com.nimbusds.jose.aws.kms.crypto; -import com.amazonaws.services.kms.AWSKMS; import com.nimbusds.jose.CriticalHeaderParamsAware; import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.JWEDecrypter; @@ -25,10 +24,12 @@ import com.nimbusds.jose.aws.kms.crypto.utils.JWEDecrypterUtil; import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral; import com.nimbusds.jose.util.Base64URL; +import lombok.NonNull; +import software.amazon.awssdk.services.kms.KmsClient; + +import javax.annotation.concurrent.ThreadSafe; import java.util.Map; import java.util.Set; -import javax.annotation.concurrent.ThreadSafe; -import lombok.NonNull; /** * Decrypter implementation for SYMMETRIC (AES based) signing with public/private key stored in AWS KMS. 
@@ -45,23 +46,23 @@ public class KmsSymmetricDecrypter extends KmsSymmetricCryptoProvider implements */ private final CriticalHeaderParamsDeferral critPolicy = new CriticalHeaderParamsDeferral(); - public KmsSymmetricDecrypter(@NonNull final AWSKMS kms, @NonNull final String keyId, - @NonNull final Map encryptionContext) { + public KmsSymmetricDecrypter(@NonNull final KmsClient kms, @NonNull final String keyId, + @NonNull final Map encryptionContext) { super(kms, keyId, encryptionContext); } - public KmsSymmetricDecrypter(@NonNull final AWSKMS kms, @NonNull final String keyId) { + public KmsSymmetricDecrypter(@NonNull final KmsClient kms, @NonNull final String keyId) { super(kms, keyId); } - public KmsSymmetricDecrypter(@NonNull final AWSKMS kms, @NonNull final String keyId, - @NonNull final Set defCritHeaders) { + public KmsSymmetricDecrypter(@NonNull final KmsClient kms, @NonNull final String keyId, + @NonNull final Set defCritHeaders) { this(kms, keyId); critPolicy.setDeferredCriticalHeaderParams(defCritHeaders); } - public KmsSymmetricDecrypter(@NonNull final AWSKMS kms, @NonNull final String keyId, - @NonNull final Map encryptionContext, @NonNull final Set defCritHeaders) { + public KmsSymmetricDecrypter(@NonNull final KmsClient kms, @NonNull final String keyId, + @NonNull final Map encryptionContext, @NonNull final Set defCritHeaders) { this(kms, keyId, encryptionContext); critPolicy.setDeferredCriticalHeaderParams(defCritHeaders); } diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricEncrypter.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricEncrypter.java index bb0434a..ceed30e 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricEncrypter.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricEncrypter.java 
@@ -16,33 +16,20 @@ package com.nimbusds.jose.aws.kms.crypto; -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.DependencyTimeoutException; -import com.amazonaws.services.kms.model.DisabledException; -import com.amazonaws.services.kms.model.GenerateDataKeyRequest; -import com.amazonaws.services.kms.model.GenerateDataKeyResult; -import com.amazonaws.services.kms.model.InvalidGrantTokenException; -import com.amazonaws.services.kms.model.InvalidKeyUsageException; -import com.amazonaws.services.kms.model.KMSInternalException; -import com.amazonaws.services.kms.model.KMSInvalidStateException; -import com.amazonaws.services.kms.model.KeyUnavailableException; -import com.amazonaws.services.kms.model.NotFoundException; -import com.nimbusds.jose.EncryptionMethod; -import com.nimbusds.jose.JOSEException; -import com.nimbusds.jose.JWECryptoParts; -import com.nimbusds.jose.JWEEncrypter; -import com.nimbusds.jose.JWEHeader; -import com.nimbusds.jose.RemoteKeySourceException; +import com.nimbusds.jose.*; import com.nimbusds.jose.aws.kms.crypto.impl.KmsSymmetricCryptoProvider; import com.nimbusds.jose.aws.kms.crypto.utils.JWEHeaderUtil; import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; import com.nimbusds.jose.crypto.impl.ContentCryptoProvider; import com.nimbusds.jose.util.Base64URL; -import java.util.Map; +import lombok.NonNull; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.*; + import javax.annotation.concurrent.ThreadSafe; import javax.crypto.SecretKey; import javax.crypto.spec.SecretKeySpec; -import lombok.NonNull; +import java.util.Map; /** * Encrypter implementation for SYMMETRIC (AES based) signing with public/private key stored in AWS KMS. 
@@ -53,12 +40,12 @@ @ThreadSafe public class KmsSymmetricEncrypter extends KmsSymmetricCryptoProvider implements JWEEncrypter { - public KmsSymmetricEncrypter(@NonNull final AWSKMS kms, @NonNull final String keyId) { + public KmsSymmetricEncrypter(@NonNull final KmsClient kms, @NonNull final String keyId) { super(kms, keyId); } - public KmsSymmetricEncrypter(@NonNull final AWSKMS kms, @NonNull final String keyId, - @NonNull final Map encryptionContext) { + public KmsSymmetricEncrypter(@NonNull final KmsClient kms, @NonNull final String keyId, + @NonNull final Map encryptionContext) { super(kms, keyId, encryptionContext); } 
@@ -72,28 +59,29 @@ public JWECryptoParts encrypt(@NonNull final JWEHeader header, @NonNull final by
 final Base64URL encryptedKey; // The second JWE part // Generate and encrypt the CEK according to the enc method
- GenerateDataKeyResult generateDataKeyResult = generateDataKey(getKeyId(), header.getEncryptionMethod());
+ GenerateDataKeyResponse generateDataKeyResponse = generateDataKey(getKeyId(), header.getEncryptionMethod());
 final SecretKey cek = new SecretKeySpec(
- generateDataKeyResult.getPlaintext().array(), header.getAlgorithm().toString());
+ generateDataKeyResponse.plaintext().asByteArray(), header.getAlgorithm().toString());
- encryptedKey = Base64URL.encode(generateDataKeyResult.getCiphertextBlob().array());
+ encryptedKey = Base64URL.encode(generateDataKeyResponse.ciphertextBlob().asByteArray());
 updatedHeader = JWEHeaderUtil.getJWEHeaderWithEncryptionContext( header, ENCRYPTION_CONTEXT_HEADER, getEncryptionContext());
 return ContentCryptoProvider.encrypt(updatedHeader, clearText, cek, encryptedKey, getJCAContext());
 }
- private GenerateDataKeyResult generateDataKey(String keyId, EncryptionMethod encryptionMethod)
+ private GenerateDataKeyResponse generateDataKey(String keyId, EncryptionMethod encryptionMethod)
 throws JOSEException {
 try {
- return getKms().generateDataKey(new GenerateDataKeyRequest()
- .withKeyId(keyId)
- .withKeySpec(ENCRYPTION_METHOD_TO_DATA_KEY_SPEC_MAP.get(encryptionMethod))
- .withEncryptionContext(getEncryptionContext()));
+ return getKms().generateDataKey(GenerateDataKeyRequest.builder()
+ .keyId(keyId)
+ .keySpec(ENCRYPTION_METHOD_TO_DATA_KEY_SPEC_MAP.get(encryptionMethod))
+ .encryptionContext(getEncryptionContext())
+ .build());
 } catch (NotFoundException | DisabledException | InvalidKeyUsageException | KeyUnavailableException
- | KMSInvalidStateException e) {
+ | KmsInvalidStateException e) {
 throw new RemoteKeySourceException("An exception was thrown from KMS due to invalid key.", e);
- } catch (DependencyTimeoutException 
| InvalidGrantTokenException | KMSInternalException e) { + } catch (DependencyTimeoutException | InvalidGrantTokenException | KmsInternalException e) { throw new TemporaryJOSEException("A temporary error was thrown from KMS.", e); } } diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricRSASSAProvider.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricRSASSAProvider.java index 25bd3bf..30dc8ed 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricRSASSAProvider.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricRSASSAProvider.java @@ -16,27 +16,9 @@ package com.nimbusds.jose.aws.kms.crypto.impl; -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.MessageType; -import com.amazonaws.services.kms.model.SigningAlgorithmSpec; -import com.google.common.collect.ImmutableMap; -import com.nimbusds.jose.JOSEException; -import com.nimbusds.jose.JWSAlgorithm; -import com.nimbusds.jose.JWSHeader; -import com.nimbusds.jose.Payload; -import com.nimbusds.jose.crypto.impl.BaseJWSProvider; -import java.nio.ByteBuffer; -import java.nio.charset.StandardCharsets; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.util.Map; -import java.util.Optional; -import java.util.Set; -import lombok.AccessLevel; -import lombok.Getter; import lombok.NonNull; -import lombok.var; -import org.apache.commons.codec.digest.MessageDigestAlgorithms; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.MessageType; /** 
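Review bot: `KeyUnavailableException` sits in the first catch clause of `generateDataKey` (rethrown as the permanent `RemoteKeySourceException`) and `InvalidGrantTokenException` in the second (rethrown as `TemporaryJOSEException`), while `encryptCEK` in `KmsDefaultEncrypter` in this same diff does the reverse; the KMS API reference describes `KeyUnavailableException` as a transient condition that may be retried and an invalid grant token as a client error, so the `encryptCEK` classification looks like the correct one and this method (and `sign`/`verify`, which share its mapping) make callers that retry on `TemporaryJOSEException` give up on a transient outage and retry a request that can never succeed. Swap the two, i.e. `} catch (NotFoundException | DisabledException | InvalidKeyUsageException | InvalidGrantTokenException | KmsInvalidStateException e) {` and `} catch (DependencyTimeoutException | KeyUnavailableException | KmsInternalException e) {`, and add a one-line comment naming the retryable/non-retryable split so the four call sites stay aligned. Also, `ENCRYPTION_METHOD_TO_DATA_KEY_SPEC_MAP.get(encryptionMethod)` yields a null `keySpec` for any `enc` the map does not know, and KMS would then reject the request with a generic `KmsException` that none of these clauses catch, escaping as an unchecked SDK exception instead of a `JOSEException`; the map and the `supportedEncryptionMethods()` advertised by the provider are outside this hunk, so confirm they agree. The enclosing `encrypt` begins above this hunk.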
@@ -47,7 +29,7 @@ @Deprecated public abstract class KmsAsymmetricRSASSAProvider extends KmsAsymmetricSigningCryptoProvider { protected KmsAsymmetricRSASSAProvider( - @NonNull final AWSKMS kms, @NonNull final String privateKeyId, @NonNull final MessageType messageType) { + @NonNull final KmsClient kms, @NonNull final String privateKeyId, @NonNull final MessageType messageType) { super(kms, privateKeyId, messageType); } } diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricSigningCryptoProvider.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricSigningCryptoProvider.java index ee76857..fc3b103 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricSigningCryptoProvider.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricSigningCryptoProvider.java 
@@ -16,25 +16,26 @@ package com.nimbusds.jose.aws.kms.crypto.impl; -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.MessageType; -import com.amazonaws.services.kms.model.SigningAlgorithmSpec; import com.google.common.collect.ImmutableMap; import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.crypto.impl.BaseJWSProvider; +import lombok.AccessLevel; +import lombok.Getter; +import lombok.NonNull; +import lombok.var; +import org.apache.commons.codec.digest.MessageDigestAlgorithms; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.MessageType; +import software.amazon.awssdk.services.kms.model.SigningAlgorithmSpec; + import java.nio.ByteBuffer; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.Map; import java.util.Optional; import java.util.Set; -import lombok.AccessLevel; -import lombok.Getter; -import lombok.NonNull; -import lombok.var; -import org.apache.commons.codec.digest.MessageDigestAlgorithms; /** @@ -47,7 +48,7 @@ public abstract class KmsAsymmetricSigningCryptoProvider extends BaseJWSProvider */ @NonNull @Getter(AccessLevel.PROTECTED) - private final AWSKMS kms; + private final KmsClient kms; /** * KMS private-key (CMK) ID (it can be a key ID, key ARN, key alias or key alias ARN) @@ -58,7 +59,7 @@ public abstract class KmsAsymmetricSigningCryptoProvider extends BaseJWSProvider /** * KMS Message Type. Refer KMS's sign and verify APIs for details. - * Ref: https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType + * Ref: ... */ @NonNull @Getter(AccessLevel.PROTECTED) 
@@ -134,13 +135,13 @@ public abstract class KmsAsymmetricSigningCryptoProvider extends BaseJWSProvider * * @see RFC-7518 Section 3.1 * @see - * AWS Developer Guide - Asymmetric key specs - * + * AWS Developer Guide - Asymmetric key specs + * */ public static final Set SUPPORTED_ALGORITHMS = JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.keySet(); protected KmsAsymmetricSigningCryptoProvider( - @NonNull final AWSKMS kms, @NonNull final String privateKeyId, @NonNull final MessageType messageType) { + @NonNull final KmsClient kms, @NonNull final String privateKeyId, @NonNull final MessageType messageType) { super(SUPPORTED_ALGORITHMS); this.kms = kms; this.privateKeyId = privateKeyId; diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsDefaultEncryptionCryptoProvider.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsDefaultEncryptionCryptoProvider.java index e55a2c2..c19d720 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsDefaultEncryptionCryptoProvider.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsDefaultEncryptionCryptoProvider.java @@ -16,8 +16,6 @@ package com.nimbusds.jose.aws.kms.crypto.impl; -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.EncryptionAlgorithmSpec; import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; import com.nimbusds.jose.EncryptionMethod; 
@@ -27,11 +25,14 @@ import com.nimbusds.jose.aws.kms.crypto.utils.JWEHeaderUtil; import com.nimbusds.jose.crypto.impl.ContentCryptoProvider; import com.nimbusds.jose.crypto.impl.PublicBaseJWEProvider; -import java.util.Map; -import java.util.Set; import lombok.AccessLevel; import lombok.Getter; import lombok.NonNull; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.EncryptionAlgorithmSpec; + +import java.util.Map; +import java.util.Set; /** * This class provides cryptography support for Asymmetric and Symmetric encryption/decryption with keys stored in AWS @@ -43,7 +44,7 @@ public abstract class KmsDefaultEncryptionCryptoProvider extends PublicBaseJWEPr */ @NonNull @Getter(AccessLevel.PROTECTED) - private final AWSKMS kms; + private final KmsClient kms; /** * KMS key (CMK) ID (it can be a key ID, key ARN, key alias or key alias ARN) @@ -54,7 +55,7 @@ public abstract class KmsDefaultEncryptionCryptoProvider extends PublicBaseJWEPr /** * Encryption context for KMS. Refer KMS's encrypt and decrypt APIs for more details. - * Ref: https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html#KMS-Encrypt-request-EncryptionContext + * Ref: ... */ @Getter(AccessLevel.PROTECTED) private Map encryptionContext; @@ -63,7 +64,7 @@ public abstract class KmsDefaultEncryptionCryptoProvider extends PublicBaseJWEPr * The supported JWE algorithms (alg) by the AWS crypto provider class. *

* Note: We are using KMS prescribed algorithm names here. - * Ref: https://docs.aws.amazon.com/kms/latest/developerguide/asymmetric-key-specs.html + * Ref: ... */ public static final Set SUPPORTED_ALGORITHMS = ImmutableSet.of( JWEAlgorithm.parse(EncryptionAlgorithmSpec.SYMMETRIC_DEFAULT.name()), @@ -80,14 +81,14 @@ public abstract class KmsDefaultEncryptionCryptoProvider extends PublicBaseJWEPr public static final String ENCRYPTION_CONTEXT_HEADER = "ec"; - protected KmsDefaultEncryptionCryptoProvider(@NonNull final AWSKMS kms, @NonNull final String keyId) { + protected KmsDefaultEncryptionCryptoProvider(@NonNull final KmsClient kms, @NonNull final String keyId) { super(SUPPORTED_ALGORITHMS, ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS); this.kms = kms; this.keyId = keyId; } - protected KmsDefaultEncryptionCryptoProvider(@NonNull final AWSKMS kms, @NonNull final String keyId, - @NonNull final Map encryptionContext) { + protected KmsDefaultEncryptionCryptoProvider(@NonNull final KmsClient kms, @NonNull final String keyId, + @NonNull final Map encryptionContext) { this(kms, keyId); this.encryptionContext = ImmutableMap.copyOf(encryptionContext); } diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsSymmetricCryptoProvider.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsSymmetricCryptoProvider.java index a2fb386..5c23759 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsSymmetricCryptoProvider.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsSymmetricCryptoProvider.java 
@@ -16,9 +16,6 @@ package com.nimbusds.jose.aws.kms.crypto.impl; -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.DataKeySpec; -import com.amazonaws.services.kms.model.EncryptionAlgorithmSpec; import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableSet; import com.nimbusds.jose.EncryptionMethod; @@ -28,11 +25,15 @@ import com.nimbusds.jose.aws.kms.crypto.utils.JWEHeaderUtil; import com.nimbusds.jose.crypto.impl.ContentCryptoProvider; import com.nimbusds.jose.crypto.impl.PublicBaseJWEProvider; -import java.util.Map; -import java.util.Set; import lombok.AccessLevel; import lombok.Getter; import lombok.NonNull; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.DataKeySpec; +import software.amazon.awssdk.services.kms.model.EncryptionAlgorithmSpec; + +import java.util.Map; +import java.util.Set; /** @@ -46,7 +47,7 @@ public abstract class KmsSymmetricCryptoProvider extends PublicBaseJWEProvider { */ @NonNull @Getter(AccessLevel.PROTECTED) - private final AWSKMS kms; + private final KmsClient kms; /** * KMS key (CMK) ID (it can be a key ID, key ARN, key alias or key alias ARN) @@ -57,23 +58,23 @@ public abstract class KmsSymmetricCryptoProvider extends PublicBaseJWEProvider { /** * Encryption context for KMS. Refer KMS's encrypt and decrypt APIs for more details. - * Ref: https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html#KMS-Encrypt-request-EncryptionContext + * Ref: ... */ @Getter(AccessLevel.PROTECTED) private Map encryptionContext; /** * The supported JWE algorithms (alg) by the AWS crypto provider class. - * + *

* Note: We are using KMS prescribed algorithm names here. - * Ref: https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html#key-spec-symmetric-default + * Ref: ... */ public static final Set SUPPORTED_ALGORITHMS = ImmutableSet.of( JWEAlgorithm.parse(EncryptionAlgorithmSpec.SYMMETRIC_DEFAULT.toString())); /** * The supported JWE encryption methods (enc) by the AWS crypto provider class. - * + *

* Note: We are using JWE prescribed encryption method names here. */ public static final Set SUPPORTED_ENCRYPTION_METHODS = ImmutableSet.of( @@ -92,14 +93,14 @@ public abstract class KmsSymmetricCryptoProvider extends PublicBaseJWEProvider { public static final String ENCRYPTION_CONTEXT_HEADER = "ec"; - protected KmsSymmetricCryptoProvider(@NonNull final AWSKMS kms, @NonNull final String keyId) { + protected KmsSymmetricCryptoProvider(@NonNull final KmsClient kms, @NonNull final String keyId) { super(SUPPORTED_ALGORITHMS, ContentCryptoProvider.SUPPORTED_ENCRYPTION_METHODS); this.kms = kms; this.keyId = keyId; } - protected KmsSymmetricCryptoProvider(@NonNull final AWSKMS kms, @NonNull final String keyId, - @NonNull final Map encryptionContext) { + protected KmsSymmetricCryptoProvider(@NonNull final KmsClient kms, @NonNull final String keyId, + @NonNull final Map encryptionContext) { this(kms, keyId); this.encryptionContext = ImmutableMap.copyOf(encryptionContext); } diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEDecrypterUtil.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEDecrypterUtil.java index 7816c2a..6059813 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEDecrypterUtil.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEDecrypterUtil.java 
@@ -1,30 +1,18 @@ package com.nimbusds.jose.aws.kms.crypto.utils; -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.DecryptRequest; -import com.amazonaws.services.kms.model.DecryptResult; -import com.amazonaws.services.kms.model.DependencyTimeoutException; -import com.amazonaws.services.kms.model.DisabledException; -import com.amazonaws.services.kms.model.InvalidGrantTokenException; -import com.amazonaws.services.kms.model.InvalidKeyUsageException; -import com.amazonaws.services.kms.model.KMSInternalException; -import com.amazonaws.services.kms.model.KMSInvalidStateException; -import com.amazonaws.services.kms.model.KeyUnavailableException; -import com.amazonaws.services.kms.model.NotFoundException; -import com.nimbusds.jose.JOSEException; -import com.nimbusds.jose.JWEAlgorithm; -import com.nimbusds.jose.JWEHeader; -import com.nimbusds.jose.JWEObject; -import com.nimbusds.jose.RemoteKeySourceException; +import com.nimbusds.jose.*; import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; import com.nimbusds.jose.crypto.impl.ContentCryptoProvider; -import com.nimbusds.jose.util.Base64URL; import com.nimbusds.jose.jca.JWEJCAContext; -import java.nio.ByteBuffer; -import java.util.Map; +import com.nimbusds.jose.util.Base64URL; +import lombok.experimental.UtilityClass; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.*; + import javax.crypto.SecretKey; import javax.crypto.spec.SecretKeySpec; -import lombok.experimental.UtilityClass; +import java.util.Map; /** * Utility class containing JWE decryption related methods. 
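Review bot: The rewritten import block replaces the explicit imports with `import com.nimbusds.jose.*;` and `import software.amazon.awssdk.services.kms.model.*;`, which hides exactly which `KmsException` subclasses the catch clauses in this file depend on and allows silent name capture if either package later adds a type that shadows the other. I would keep the explicit list the pre-change code had (`DecryptRequest`, `DecryptResponse`, the seven exception types, `JOSEException`, `JWEAlgorithm`, `JWEHeader`, `JWEObject`, `RemoteKeySourceException`), updated to the v2 names. This is a point of style, not behaviour.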
@@ -35,12 +23,11 @@ public class JWEDecrypterUtil { /** * Decrypts the specified cipher text of a {@link JWEObject JWE Object}. * - * @throws JOSEException - * @throws RemoteKeySourceException - * @throws TemporaryJOSEException + * @throws RemoteKeySourceException in case exception is thrown from KMS due to invalid key + * @throws TemporaryJOSEException in case temporary error is thrown from KMS */ public byte[] decrypt( - AWSKMS kms, + KmsClient kms, String keyId, Map encryptionContext, JWEHeader header, 
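Review bot: The javadoc drops `@throws JOSEException` even though `decrypt` still declares it and the body (next hunk) can raise it from `ContentCryptoProvider.decrypt`, e.g. on a failed integrity check, so the two remaining `@throws` lines no longer describe the contract. I would restore it as `@throws JOSEException if the CEK cannot be unwrapped or the content decryption/integrity check fails`, and add that `encryptionContext` must be the same map supplied when the CEK was encrypted, since the request forwards it to KMS and a mismatch is expected to be rejected there — confirm against the encrypt side. The method body continues in the next hunk.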
@@ -51,30 +38,31 @@ public byte[] decrypt( JWEJCAContext jcaContext) throws JOSEException { - final DecryptResult cekDecryptResult = + final DecryptResponse cekDecryptResult = decryptCek(kms, keyId, encryptionContext, header.getAlgorithm(), encryptedKey); final SecretKey cek = - new SecretKeySpec(cekDecryptResult.getPlaintext().array(), header.getAlgorithm().toString()); + new SecretKeySpec(cekDecryptResult.plaintext().asByteArray(), header.getAlgorithm().toString()); return ContentCryptoProvider.decrypt(header, encryptedKey, iv, cipherText, authTag, cek, jcaContext); } - private DecryptResult decryptCek( - AWSKMS kms, + private DecryptResponse decryptCek( + KmsClient kms, String keyId, Map encryptionContext, JWEAlgorithm alg, Base64URL encryptedKey ) throws JOSEException { try { - return kms.decrypt(new DecryptRequest() - .withEncryptionContext(encryptionContext) - .withKeyId(keyId) - .withEncryptionAlgorithm(alg.getName()) - .withCiphertextBlob(ByteBuffer.wrap(encryptedKey.decode()))); + return kms.decrypt(DecryptRequest.builder() + .encryptionContext(encryptionContext) + .keyId(keyId) + .encryptionAlgorithm(alg.getName()) + .ciphertextBlob(SdkBytes.fromByteArray(encryptedKey.decode())) + .build()); } catch (NotFoundException | DisabledException | InvalidKeyUsageException | KeyUnavailableException - | KMSInvalidStateException e) { + | KmsInvalidStateException e) { throw new RemoteKeySourceException("An exception was thrown from KMS due to invalid key.", e); - } catch (DependencyTimeoutException | InvalidGrantTokenException | KMSInternalException e) { + } catch (DependencyTimeoutException | InvalidGrantTokenException | KmsInternalException e) { throw new TemporaryJOSEException("A temporary error was thrown from KMS.", e); } } 
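Review bot: The catch clauses in `decryptCek` map only the listed subclasses, and in SDK v2 every service error is an unchecked `KmsException`, so a tampered or foreign `encryptedKey` — which KMS is expected to report as e.g. `InvalidCiphertextException` or `IncorrectKeyException` — escapes `decrypt()` as a raw runtime exception instead of the `JOSEException` callers are told to expect. I would add a trailing `} catch (KmsException e) { throw new JOSEException("KMS rejected the encrypted key.", e); }` so a malformed token cannot bypass a handler that only catches `JOSEException`; transport failures (`SdkClientException`) deserve the same treatment if the library wants a single failure surface. Separately, `cekDecryptResult.plaintext().asByteArray()` hands back a copy of the CEK that is never zeroed once the `SecretKeySpec` is built; that predates this commit but is worth a follow-up. Exact exception class names should be confirmed against the SDK version pinned in the build.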
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEHeaderUtil.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEHeaderUtil.java index 11c973f..c17a46d 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEHeaderUtil.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEHeaderUtil.java @@ -6,11 +6,12 @@ import com.nimbusds.jose.JWEAlgorithm; import com.nimbusds.jose.JWEHeader; import com.nimbusds.jose.crypto.impl.AlgorithmSupportMessage; +import lombok.NonNull; +import lombok.experimental.UtilityClass; + import java.util.Map; import java.util.Objects; import java.util.Set; -import lombok.NonNull; -import lombok.experimental.UtilityClass; /** * Utility class containing JWE header related methods. @@ -47,7 +48,7 @@ public void validateJWEHeaderAlgorithms( public JWEHeader getJWEHeaderWithEncryptionContext( @NonNull final JWEHeader header, @NonNull String encryptionContextHeaderName, - Map encryptionContext) { + Map encryptionContext) { JWEHeader updatedHeader; if (Objects.nonNull(encryptionContext)) { diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsAsymmetricJwsCompactSignatureGeneratorScript.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsAsymmetricJwsCompactSignatureGeneratorScript.java index 0ef3b17..30048bc 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsAsymmetricJwsCompactSignatureGeneratorScript.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsAsymmetricJwsCompactSignatureGeneratorScript.java 
@@ -16,12 +16,6 @@ package com.nimbusds.jose.aws.kms.scripts; -import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.LINE_SEPARATOR; -import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.MESSAGE_TYPE; -import static java.lang.System.out; - -import com.amazonaws.services.kms.AWSKMSClientBuilder; -import com.amazonaws.services.kms.model.MessageType; import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.JWSObject; @@ -32,6 +26,12 @@ import org.apache.commons.cli.HelpFormatter; import org.apache.commons.cli.Option; import org.apache.commons.cli.Options; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.MessageType; + +import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.LINE_SEPARATOR; +import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.MESSAGE_TYPE; +import static java.lang.System.out; /** * Script to generate signature for a text payload using a KMS Asymmetric CMK and generate a JWS token. @@ -119,7 +119,7 @@ private Options buildOptions() { private JWSObject sign(final JWSAlgorithm alg, final String kid, final String payload, final String messageType) throws Exception { final var jwsSigner = new KmsAsymmetricSigner( - AWSKMSClientBuilder.defaultClient(), + KmsClient.create(), kid, MessageType.fromValue(messageType)); final var jwsHeader = new JWSHeader.Builder(alg) diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsAsymmetricJwsCompactVerifierScript.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsAsymmetricJwsCompactVerifierScript.java index c001f35..ece83f7 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsAsymmetricJwsCompactVerifierScript.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsAsymmetricJwsCompactVerifierScript.java 
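Review bot: `KmsClient.create()` on the changed line builds a client with its own HTTP connection pool and background resources, and nothing closes it; in SDK v2 `KmsClient` is `SdkAutoCloseable`, unlike the v1 client it replaces. For a one-shot script this leaks only until exit, but the same pattern is repeated in every script in this commit and the fix is cheap: `try (final var kms = KmsClient.create()) { ... new KmsAsymmetricSigner(kms, kid, MessageType.fromValue(messageType)) ... }` wrapped around the signing call. The remainder of `sign` is outside the hunk.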
@@ -16,23 +16,24 @@ package com.nimbusds.jose.aws.kms.scripts; -import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.LINE_SEPARATOR; -import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.MESSAGE_TYPE; -import static java.lang.System.out; - -import com.amazonaws.services.kms.AWSKMSClientBuilder; -import com.amazonaws.services.kms.model.MessageType; import com.nimbusds.jose.JWSObject; import com.nimbusds.jose.aws.kms.crypto.KmsAsymmetricVerifier; -import java.util.Arrays; -import java.util.Objects; -import java.util.Set; -import java.util.stream.Collectors; import lombok.var; import org.apache.commons.cli.DefaultParser; import org.apache.commons.cli.HelpFormatter; import org.apache.commons.cli.Option; import org.apache.commons.cli.Options; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.MessageType; + +import java.util.Arrays; +import java.util.Objects; +import java.util.Set; +import java.util.stream.Collectors; + +import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.LINE_SEPARATOR; +import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.MESSAGE_TYPE; +import static java.lang.System.out; /** * Script to verify a text payload using a KMS Symmetric CMK and generate a JWE token. @@ -119,10 +120,10 @@ private boolean verify(final String serializedJws, final String messageTypeStrin return jwsObject.verify( Objects.nonNull(defCritHeaders) ? new KmsAsymmetricVerifier( - AWSKMSClientBuilder.defaultClient(), jwsObject.getHeader().getKeyID(), messageType, + KmsClient.create(), jwsObject.getHeader().getKeyID(), messageType, defCritHeaders) : new KmsAsymmetricVerifier( - AWSKMSClientBuilder.defaultClient(), jwsObject.getHeader().getKeyID(), messageType)); + KmsClient.create(), jwsObject.getHeader().getKeyID(), messageType)); } } 
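Review bot: The changed lines build the verifier from `jwsObject.getHeader().getKeyID()`, so the unverified token chooses the KMS key that verifies it; if the caller's credentials allow `kms:Verify` on more than the intended key (a wildcard resource, or a key in another account whose key policy grants this principal), anyone who can sign with such a key can mint tokens this script accepts. Unless `KmsAsymmetricVerifier` constrains the ID (not visible here), the script should take the expected key ID/ARN as an option and either pass that, or reject the token when `kid` differs from it, before calling `verify`. The `KmsClient.create()` here is also never closed, and the class javadoc still describes a "Symmetric CMK" and a "JWE token" for what is a JWS verifier.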
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsDefaultJweCompactDecrypterScript.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsDefaultJweCompactDecrypterScript.java index 3592027..0a99604 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsDefaultJweCompactDecrypterScript.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsDefaultJweCompactDecrypterScript.java @@ -16,10 +16,6 @@ package com.nimbusds.jose.aws.kms.scripts; -import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.LINE_SEPARATOR; -import static java.lang.System.out; - -import com.amazonaws.services.kms.AWSKMSClientBuilder; import com.nimbusds.jose.JWEObject; import com.nimbusds.jose.aws.kms.crypto.KmsDefaultDecrypter; import lombok.var; @@ -27,6 +23,10 @@ import org.apache.commons.cli.HelpFormatter; import org.apache.commons.cli.Option; import org.apache.commons.cli.Options; +import software.amazon.awssdk.services.kms.KmsClient; + +import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.LINE_SEPARATOR; +import static java.lang.System.out; /** * Script to decrypt a text payload using a KMS key and generate a JWE token. @@ -82,7 +82,7 @@ private JWEObject decrypt(String serializedJwe) throws Exception { var jweObject = JWEObject.parse(serializedJwe); var jweHeader = jweObject.getHeader(); jweObject.decrypt(new KmsDefaultDecrypter( - AWSKMSClientBuilder.defaultClient(), + KmsClient.create(), jweHeader.getKeyID())); return jweObject; diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsDefaultJweCompactEncrypterScript.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsDefaultJweCompactEncrypterScript.java index f61ed94..3e39362 100644 
--- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsDefaultJweCompactEncrypterScript.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsDefaultJweCompactEncrypterScript.java @@ -16,21 +16,17 @@ package com.nimbusds.jose.aws.kms.scripts; -import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.LINE_SEPARATOR; -import static java.lang.System.out; - -import com.amazonaws.services.kms.AWSKMSClientBuilder; -import com.nimbusds.jose.EncryptionMethod; -import com.nimbusds.jose.JWEAlgorithm; -import com.nimbusds.jose.JWEHeader; -import com.nimbusds.jose.JWEObject; -import com.nimbusds.jose.Payload; +import com.nimbusds.jose.*; import com.nimbusds.jose.aws.kms.crypto.KmsDefaultEncrypter; import lombok.var; import org.apache.commons.cli.DefaultParser; import org.apache.commons.cli.HelpFormatter; import org.apache.commons.cli.Option; import org.apache.commons.cli.Options; +import software.amazon.awssdk.services.kms.KmsClient; + +import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.LINE_SEPARATOR; +import static java.lang.System.out; /** * Script to encrypt a text payload using a KMS key and generate a JWE token. @@ -118,7 +114,7 @@ private Options buildOptions() { private JWEObject encrypt( final JWEAlgorithm alg, final EncryptionMethod enc, final String kid, final String payload) throws Exception { - var jweEncrypter = new KmsDefaultEncrypter(AWSKMSClientBuilder.defaultClient(), kid); + var jweEncrypter = new KmsDefaultEncrypter(KmsClient.create(), kid); var jweObject = new JWEObject(new JWEHeader.Builder(alg, enc).keyID(kid).build(), new Payload(payload)); jweObject.encrypt(jweEncrypter); return jweObject; 
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsSymmetricJweCompactDecrypterScript.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsSymmetricJweCompactDecrypterScript.java index 05230a9..ff6d1ee 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsSymmetricJweCompactDecrypterScript.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsSymmetricJweCompactDecrypterScript.java @@ -16,20 +16,17 @@ package com.nimbusds.jose.aws.kms.scripts; -import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.LINE_SEPARATOR; -import static java.lang.System.out; - -import com.amazonaws.services.kms.AWSKMSClientBuilder; -import com.nimbusds.jose.JWEHeader; import com.nimbusds.jose.JWEObject; import com.nimbusds.jose.aws.kms.crypto.KmsSymmetricDecrypter; -import com.nimbusds.jose.aws.kms.crypto.impl.KmsSymmetricCryptoProvider; -import java.util.Map; import lombok.var; import org.apache.commons.cli.DefaultParser; import org.apache.commons.cli.HelpFormatter; import org.apache.commons.cli.Option; import org.apache.commons.cli.Options; +import software.amazon.awssdk.services.kms.KmsClient; + +import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.LINE_SEPARATOR; +import static java.lang.System.out; /** * Script to decrypt a text payload using a KMS Symmetric CMK and generate a JWE token. @@ -93,7 +90,7 @@ private JWEObject decrypt(String serializedJwe) var jweObject = JWEObject.parse(serializedJwe); var jweHeader = jweObject.getHeader(); jweObject.decrypt(new KmsSymmetricDecrypter( - AWSKMSClientBuilder.defaultClient(), + KmsClient.create(), jweHeader.getKeyID())); return jweObject; 
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsSymmetricJweCompactEncrypterScript.java b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsSymmetricJweCompactEncrypterScript.java index 69c7487..74e69d6 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsSymmetricJweCompactEncrypterScript.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/main/java/com/nimbusds/jose/aws/kms/scripts/KmsSymmetricJweCompactEncrypterScript.java @@ -16,22 +16,17 @@ package com.nimbusds.jose.aws.kms.scripts; -import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.LINE_SEPARATOR; -import static java.lang.System.out; - -import com.amazonaws.services.kms.AWSKMSClientBuilder; -import com.nimbusds.jose.EncryptionMethod; -import com.nimbusds.jose.JWEAlgorithm; -import com.nimbusds.jose.JWEHeader; -import com.nimbusds.jose.JWEObject; -import com.nimbusds.jose.Payload; +import com.nimbusds.jose.*; import com.nimbusds.jose.aws.kms.crypto.KmsSymmetricEncrypter; -import java.util.Map; import lombok.var; import org.apache.commons.cli.DefaultParser; import org.apache.commons.cli.HelpFormatter; import org.apache.commons.cli.Option; import org.apache.commons.cli.Options; +import software.amazon.awssdk.services.kms.KmsClient; + +import static com.nimbusds.jose.aws.kms.scripts.ScriptConstants.LINE_SEPARATOR; +import static java.lang.System.out; /** * Script to encrypt a text payload using a KMS Symmetric CMK and generate a JWE token. 
@@ -119,7 +114,7 @@ private Options buildOptions() { private JWEObject encrypt( final JWEAlgorithm alg, final EncryptionMethod enc, final String kid, final String payload) throws Exception { - var jweEncrypter = new KmsSymmetricEncrypter(AWSKMSClientBuilder.defaultClient(), kid); + var jweEncrypter = new KmsSymmetricEncrypter(KmsClient.create(), kid); var jweObject = new JWEObject(new JWEHeader.Builder(alg, enc).keyID(kid).build(), new Payload(payload)); jweObject.encrypt(jweEncrypter); return jweObject; diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRsaSsaSignerTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRsaSsaSignerTest.java index 9032648..51de33e 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRsaSsaSignerTest.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRsaSsaSignerTest.java 
@@ -16,33 +16,11 @@ package com.nimbusds.jose.aws.kms.crypto; -import static com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricSigningCryptoProvider.JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC; -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatThrownBy; -import static org.mockito.Mockito.doReturn; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.spy; -import static org.mockito.Mockito.when; - -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.AWSKMSException; -import com.amazonaws.services.kms.model.DependencyTimeoutException; -import com.amazonaws.services.kms.model.DisabledException; -import com.amazonaws.services.kms.model.InvalidGrantTokenException; -import com.amazonaws.services.kms.model.InvalidKeyUsageException; -import com.amazonaws.services.kms.model.KMSInternalException; -import com.amazonaws.services.kms.model.KMSInvalidStateException; -import com.amazonaws.services.kms.model.KeyUnavailableException; -import com.amazonaws.services.kms.model.MessageType; -import com.amazonaws.services.kms.model.NotFoundException; -import com.amazonaws.services.kms.model.SignRequest; -import com.amazonaws.services.kms.model.SignResult; import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.RemoteKeySourceException; import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; import com.nimbusds.jose.util.Base64URL; -import java.nio.ByteBuffer; import lombok.SneakyThrows; import lombok.var; import org.jeasy.random.EasyRandom; 
@@ -56,6 +34,16 @@ import org.junit.platform.commons.support.ReflectionSupport; import org.mockito.Mock; import org.mockito.junit.jupiter.MockitoExtension; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.*; + +import java.nio.ByteBuffer; + +import static com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricSigningCryptoProvider.JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC; +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.Mockito.*; @DisplayName("For KmsAsymmetricRSASSASigner class,") @ExtendWith(MockitoExtension.class) @@ -64,7 +52,7 @@ public class KmsAsymmetricRsaSsaSignerTest { private final EasyRandom random = new EasyRandom(); @Mock - private AWSKMS mockAwsKms; + private KmsClient mockAwsKms; private String testPrivateKeyId; private MessageType testMessageType; @@ -112,14 +100,15 @@ void beforeEach() { class WithInvalidSigningKey { @SneakyThrows - AWSKMSException parameterizedBeforeEach(Class invalidSigningExceptionClass) { + KmsException parameterizedBeforeEach(Class invalidSigningExceptionClass) { final var mockInvalidSigningException = mock(invalidSigningExceptionClass); when(mockAwsKms - .sign(new SignRequest() - .withKeyId(testPrivateKeyId) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()))) + .sign(SignRequest.builder() + .keyId(testPrivateKeyId) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .build())) .thenThrow(mockInvalidSigningException); return mockInvalidSigningException; } 
@@ -128,8 +117,8 @@ AWSKMSException parameterizedBeforeEach(Class invalidSigningExc @DisplayName("should throw RemoteKeySourceException.") @ValueSource(classes = { NotFoundException.class, DisabledException.class, KeyUnavailableException.class, - InvalidKeyUsageException.class, KMSInvalidStateException.class}) - void shouldThrowRemoteKeySourceException(Class exceptionClass) { + InvalidKeyUsageException.class, KmsInvalidStateException.class}) + void shouldThrowRemoteKeySourceException(Class exceptionClass) { final var mockInvalidSigningException = parameterizedBeforeEach(exceptionClass); assertThatThrownBy(() -> kmsAsymmetricRsaSsaSigner.sign(testJweHeader, testSigningInput)) .isInstanceOf(RemoteKeySourceException.class) @@ -143,14 +132,15 @@ void shouldThrowRemoteKeySourceException(Class exceptionClass) class WithTemporaryExceptionFromKms { @SneakyThrows - AWSKMSException parameterizedBeforeEach(Class temporaryKmsExceptionClass) { + KmsException parameterizedBeforeEach(Class temporaryKmsExceptionClass) { final var mockTemporaryKmsException = mock(temporaryKmsExceptionClass); when(mockAwsKms - .sign(new SignRequest() - .withKeyId(testPrivateKeyId) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()))) + .sign(SignRequest.builder() + .keyId(testPrivateKeyId) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .build())) .thenThrow(mockTemporaryKmsException); return mockTemporaryKmsException; } 
@@ -158,8 +148,8 @@ AWSKMSException parameterizedBeforeEach(Class temporaryKmsExcep @ParameterizedTest @DisplayName("should throw TemporaryJOSEException.") @ValueSource(classes = { - DependencyTimeoutException.class, InvalidGrantTokenException.class, KMSInternalException.class}) - void shouldThrowJOSEException(Class exceptionClass) { + DependencyTimeoutException.class, InvalidGrantTokenException.class, KmsInternalException.class}) + void shouldThrowJOSEException(Class exceptionClass) { final var mockInvalidSigningException = parameterizedBeforeEach(exceptionClass); assertThatThrownBy(() -> kmsAsymmetricRsaSsaSigner.sign(testJweHeader, testSigningInput)) .isInstanceOf(TemporaryJOSEException.class) @@ -173,23 +163,24 @@ void shouldThrowJOSEException(Class exceptionClass) { class WithSignResultFromKms { @Mock - private SignResult mockSignResult; + private SignResponse mockSignResponse; private Base64URL expectedSignature; @BeforeEach void beforeEach() { when(mockAwsKms - .sign(new SignRequest() - .withKeyId(testPrivateKeyId) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()))) - .thenReturn(mockSignResult); + .sign(SignRequest.builder() + .keyId(testPrivateKeyId) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .build())) + .thenReturn(mockSignResponse); final var testSignatureByteBuffer = ByteBuffer.allocate(random.nextInt(512)); random.nextBytes(testSignatureByteBuffer.array()); - when(mockSignResult.getSignature()).thenReturn(testSignatureByteBuffer); + when(mockSignResponse.signature()).thenReturn(SdkBytes.fromByteBuffer(testSignatureByteBuffer)); expectedSignature = Base64URL.encode(testSignatureByteBuffer.array()); } 
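Review bot: `@Mock private SignResponse mockSignResponse` (and the `mock(exceptionClass)` calls earlier in this test) now target SDK v2 generated classes, which are declared `final`; with the `mockito-core` 3.x line this commit keeps, mocking them needs the inline mock maker, so confirm the project has it configured or the tests will fail at mock creation. The cleaner fix is to stop mocking value types and build them: `SignResponse.builder().signature(SdkBytes.fromByteBuffer(testSignatureByteBuffer)).build()` and `NotFoundException.builder().build()` for the exception cases. While here, `ByteBuffer.allocate(random.nextInt(512))` can yield a zero-length signature; a fixed non-zero length makes the assertion meaningful on every run.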
@@ -202,4 +193,4 @@ void shouldReturnValidResponse() { } } } -} \ No newline at end of file +} diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRsaSsaVerifierTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRsaSsaVerifierTest.java index 53ea54e..d0ea45e 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRsaSsaVerifierTest.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricRsaSsaVerifierTest.java 
@@ -16,28 +16,6 @@ package com.nimbusds.jose.aws.kms.crypto; -import static com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricSigningCryptoProvider.JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC; -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatThrownBy; -import static org.mockito.Mockito.doReturn; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.spy; -import static org.mockito.Mockito.when; - -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.AWSKMSException; -import com.amazonaws.services.kms.model.DependencyTimeoutException; -import com.amazonaws.services.kms.model.DisabledException; -import com.amazonaws.services.kms.model.InvalidGrantTokenException; -import com.amazonaws.services.kms.model.InvalidKeyUsageException; -import com.amazonaws.services.kms.model.KMSInternalException; -import com.amazonaws.services.kms.model.KMSInvalidSignatureException; -import com.amazonaws.services.kms.model.KMSInvalidStateException; -import com.amazonaws.services.kms.model.KeyUnavailableException; -import com.amazonaws.services.kms.model.MessageType; -import com.amazonaws.services.kms.model.NotFoundException; -import com.amazonaws.services.kms.model.VerifyRequest; -import com.amazonaws.services.kms.model.VerifyResult; import com.google.common.collect.ImmutableSet; import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; @@ -45,8 +23,6 @@ import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral; import com.nimbusds.jose.util.Base64URL; -import java.nio.ByteBuffer; -import java.util.Set; import lombok.SneakyThrows; import lombok.var; import org.jeasy.random.EasyRandom; 
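Review bot: The new imports in this file use wildcards (`software.amazon.awssdk.services.kms.model.*`, `org.mockito.Mockito.*`) where the removed lines listed every KMS model class and Mockito method explicitly; in a test whose purpose is to enumerate which KMS exception types map to `RemoteKeySourceException` versus `TemporaryJOSEException`, the explicit import list documents that mapping and avoids the silent name collisions a large model package invites. Prefer listing the used classes, e.g. `import software.amazon.awssdk.services.kms.model.KmsException;` and one line per exception and request/response type, consistent with the remaining explicit imports in the file. The same applies to the other test files in this diff.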
@@ -60,6 +36,17 @@ import org.junit.platform.commons.support.ReflectionSupport; import org.mockito.Mock; import org.mockito.junit.jupiter.MockitoExtension; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.*; + +import java.nio.ByteBuffer; +import java.util.Set; + +import static com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricSigningCryptoProvider.JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC; +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.Mockito.*; @DisplayName("For KmsAsymmetricRSASSAVerifier class,") @@ -69,7 +56,7 @@ public class KmsAsymmetricRsaSsaVerifierTest { private final EasyRandom random = new EasyRandom(); @Mock - private AWSKMS mockAwsKms; + private KmsClient mockAwsKms; private String testPrivateKeyId; private MessageType testMessageType; private Set testCriticalHeaders; 
@@ -194,15 +181,16 @@ void beforeEach() { class WithInvalidSigningKey { @SneakyThrows - AWSKMSException parameterizedBeforeEach(Class invalidSigningExceptionClass) { + KmsException parameterizedBeforeEach(Class invalidSigningExceptionClass) { final var mockInvalidSigningException = mock(invalidSigningExceptionClass); when(mockAwsKms - .verify(new VerifyRequest() - .withKeyId(testPrivateKeyId) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSignature(ByteBuffer.wrap(testSignature.decode())))) + .verify(VerifyRequest.builder() + .keyId(testPrivateKeyId) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testSignature.decode()))) + .build())) .thenThrow(mockInvalidSigningException); return mockInvalidSigningException; } @@ -211,8 +199,8 @@ AWSKMSException parameterizedBeforeEach(Class invalidSigningExc @DisplayName("should throw RemoteKeySourceException.") @ValueSource(classes = { NotFoundException.class, DisabledException.class, KeyUnavailableException.class, - InvalidKeyUsageException.class, KMSInvalidStateException.class}) - void shouldThrowRemoteKeySourceException(Class exceptionClass) { + InvalidKeyUsageException.class, KmsInvalidStateException.class}) + void shouldThrowRemoteKeySourceException(Class exceptionClass) { final var mockInvalidSigningException = parameterizedBeforeEach(exceptionClass); assertThatThrownBy( () -> kmsAsymmetricRsaSsaVerifier.verify(testJweHeader, testSigningInput, testSignature)) 
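Review bot: `.message(SdkBytes.fromByteBuffer(mockMessage))` changes what the stub matches on: `SdkBytes.fromByteBuffer` copies the buffer's remaining bytes, so if `mockMessage` is a Mockito mock of `ByteBuffer` (as the name suggests; its definition is outside this hunk) the copied message is empty and the stubbed `VerifyRequest` equals any request with an empty message, whereas the v1 `withMessage(mockMessage)` stub compared the buffer instance by identity. The test then no longer demonstrates that the verifier sends the digest of `testSigningInput` to KMS, which is the property a verifier test should pin. Use a concrete `byte[]` fixture for the message, e.g. `.message(SdkBytes.fromByteArray(testMessageBytes))`, and arrange the digest stub so production code produces those same bytes. The enclosing test class starts before this hunk.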
@@ -227,15 +215,16 @@ void shouldThrowRemoteKeySourceException(Class exceptionClass) class WithTemporaryExceptionFromKms { @SneakyThrows - AWSKMSException parameterizedBeforeEach(Class temporaryKmsExceptionClass) { + KmsException parameterizedBeforeEach(Class temporaryKmsExceptionClass) { final var mockTemporaryKmsException = mock(temporaryKmsExceptionClass); when(mockAwsKms - .verify(new VerifyRequest() - .withKeyId(testPrivateKeyId) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSignature(ByteBuffer.wrap(testSignature.decode())))) + .verify(VerifyRequest.builder() + .keyId(testPrivateKeyId) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testSignature.decode()))) + .build())) .thenThrow(mockTemporaryKmsException); return mockTemporaryKmsException; } @@ -243,8 +232,8 @@ AWSKMSException parameterizedBeforeEach(Class temporaryKmsExcep @ParameterizedTest @DisplayName("should throw TemporaryJOSEException.") @ValueSource(classes = { - DependencyTimeoutException.class, InvalidGrantTokenException.class, KMSInternalException.class}) - void shouldThrowJOSEException(Class exceptionClass) { + DependencyTimeoutException.class, InvalidGrantTokenException.class, KmsInternalException.class}) + void shouldThrowJOSEException(Class exceptionClass) { final var mockInvalidSigningException = parameterizedBeforeEach(exceptionClass); assertThatThrownBy( () -> kmsAsymmetricRsaSsaVerifier.verify(testJweHeader, testSigningInput, testSignature)) 
@@ -259,17 +248,18 @@ void shouldThrowJOSEException(Class exceptionClass) { class WithKMSInvalidSignatureException { @Mock - private KMSInvalidSignatureException mockKmsInvalidSignatureException; + private KmsInvalidSignatureException mockKmsInvalidSignatureException; @BeforeEach void beforeEach() { when(mockAwsKms - .verify(new VerifyRequest() - .withKeyId(testPrivateKeyId) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSignature(ByteBuffer.wrap(testSignature.decode())))) + .verify(VerifyRequest.builder() + .keyId(testPrivateKeyId) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testSignature.decode()))) + .build())) .thenThrow(mockKmsInvalidSignatureException); } 
@@ -288,20 +278,21 @@ void shouldReturnFalse() { class WithInvalidSignature { @Mock - private VerifyResult mockVerifyResult; + private VerifyResponse mockVerifyResponse; @BeforeEach void beforeEach() { when(mockAwsKms - .verify(new VerifyRequest() - .withKeyId(testPrivateKeyId) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSignature(ByteBuffer.wrap(testSignature.decode())))) - .thenReturn(mockVerifyResult); - - when(mockVerifyResult.isSignatureValid()).thenReturn(false); + .verify(VerifyRequest.builder() + .keyId(testPrivateKeyId) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testSignature.decode()))) + .build())) + .thenReturn(mockVerifyResponse); + + when(mockVerifyResponse.signatureValid()).thenReturn(false); } @Test 
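Review bot: `signatureValid()` on the v2 `VerifyResponse` returns a boxed `Boolean`, so a response without the field yields `null`, and this hunk only pins the `false` case; a verifier must fail closed, so add a nested case that stubs `when(mockVerifyResponse.signatureValid()).thenReturn(null);` and asserts that `verify(...)` returns false or throws a `JOSEException`, never an unboxing `NullPointerException`. Whether the production verifier null-checks the field is not visible in this diff, which is exactly why the test should pin it. The same case belongs in KmsAsymmetricVerifierTest. The nested class continues past this hunk.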
@@ -319,20 +310,21 @@ void shouldReturnFalse() { class WithValidSignature { @Mock - private VerifyResult mockVerifyResult; + private VerifyResponse mockVerifyResponse; @BeforeEach void beforeEach() { when(mockAwsKms - .verify(new VerifyRequest() - .withKeyId(testPrivateKeyId) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSignature(ByteBuffer.wrap(testSignature.decode())))) - .thenReturn(mockVerifyResult); - - when(mockVerifyResult.isSignatureValid()).thenReturn(true); + .verify(VerifyRequest.builder() + .keyId(testPrivateKeyId) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testSignature.decode()))) + .build())) + .thenReturn(mockVerifyResponse); + + when(mockVerifyResponse.signatureValid()).thenReturn(true); } @Test @@ -346,4 +338,4 @@ void shouldReturnTrue() { } } } -} \ No newline at end of file +} diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricSignerTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricSignerTest.java index 434bb52..7ab2b97 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricSignerTest.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricSignerTest.java 
@@ -16,33 +16,11 @@ package com.nimbusds.jose.aws.kms.crypto; -import static com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricSigningCryptoProvider.JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC; -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatThrownBy; -import static org.mockito.Mockito.doReturn; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.spy; -import static org.mockito.Mockito.when; - -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.AWSKMSException; -import com.amazonaws.services.kms.model.DependencyTimeoutException; -import com.amazonaws.services.kms.model.DisabledException; -import com.amazonaws.services.kms.model.InvalidGrantTokenException; -import com.amazonaws.services.kms.model.InvalidKeyUsageException; -import com.amazonaws.services.kms.model.KMSInternalException; -import com.amazonaws.services.kms.model.KMSInvalidStateException; -import com.amazonaws.services.kms.model.KeyUnavailableException; -import com.amazonaws.services.kms.model.MessageType; -import com.amazonaws.services.kms.model.NotFoundException; -import com.amazonaws.services.kms.model.SignRequest; -import com.amazonaws.services.kms.model.SignResult; import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; import com.nimbusds.jose.RemoteKeySourceException; import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; import com.nimbusds.jose.util.Base64URL; -import java.nio.ByteBuffer; import lombok.SneakyThrows; import lombok.var; import org.jeasy.random.EasyRandom; 
@@ -56,6 +34,16 @@ import org.junit.platform.commons.support.ReflectionSupport; import org.mockito.Mock; import org.mockito.junit.jupiter.MockitoExtension; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.*; + +import java.nio.ByteBuffer; + +import static com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricSigningCryptoProvider.JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC; +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.Mockito.*; @DisplayName("For KmsAsymmetricSigner class,") @ExtendWith(MockitoExtension.class) @@ -64,7 +52,7 @@ public class KmsAsymmetricSignerTest { private final EasyRandom random = new EasyRandom(); @Mock - private AWSKMS mockAwsKms; + private KmsClient mockAwsKms; private String testPrivateKeyId; private MessageType testMessageType; @@ -112,14 +100,15 @@ void beforeEach() { class WithInvalidSigningKey { @SneakyThrows - AWSKMSException parameterizedBeforeEach(Class invalidSigningExceptionClass) { + KmsException parameterizedBeforeEach(Class invalidSigningExceptionClass) { final var mockInvalidSigningException = mock(invalidSigningExceptionClass); when(mockAwsKms - .sign(new SignRequest() - .withKeyId(testPrivateKeyId) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()))) + .sign(SignRequest.builder() + .keyId(testPrivateKeyId) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .build())) .thenThrow(mockInvalidSigningException); return mockInvalidSigningException; } 
@@ -128,8 +117,8 @@ AWSKMSException parameterizedBeforeEach(Class invalidSigningExc @DisplayName("should throw RemoteKeySourceException.") @ValueSource(classes = { NotFoundException.class, DisabledException.class, KeyUnavailableException.class, - InvalidKeyUsageException.class, KMSInvalidStateException.class}) - void shouldThrowRemoteKeySourceException(Class exceptionClass) { + InvalidKeyUsageException.class, KmsInvalidStateException.class}) + void shouldThrowRemoteKeySourceException(Class exceptionClass) { final var mockInvalidSigningException = parameterizedBeforeEach(exceptionClass); assertThatThrownBy(() -> kmsAsymmetricSigner.sign(testJweHeader, testSigningInput)) .isInstanceOf(RemoteKeySourceException.class) @@ -143,14 +132,15 @@ void shouldThrowRemoteKeySourceException(Class exceptionClass) class WithTemporaryExceptionFromKms { @SneakyThrows - AWSKMSException parameterizedBeforeEach(Class temporaryKmsExceptionClass) { + KmsException parameterizedBeforeEach(Class temporaryKmsExceptionClass) { final var mockTemporaryKmsException = mock(temporaryKmsExceptionClass); when(mockAwsKms - .sign(new SignRequest() - .withKeyId(testPrivateKeyId) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()))) + .sign(SignRequest.builder() + .keyId(testPrivateKeyId) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .build())) .thenThrow(mockTemporaryKmsException); return mockTemporaryKmsException; } 
@@ -158,8 +148,8 @@ AWSKMSException parameterizedBeforeEach(Class temporaryKmsExcep @ParameterizedTest @DisplayName("should throw TemporaryJOSEException.") @ValueSource(classes = { - DependencyTimeoutException.class, InvalidGrantTokenException.class, KMSInternalException.class}) - void shouldThrowJOSEException(Class exceptionClass) { + DependencyTimeoutException.class, InvalidGrantTokenException.class, KmsInternalException.class}) + void shouldThrowJOSEException(Class exceptionClass) { final var mockInvalidSigningException = parameterizedBeforeEach(exceptionClass); assertThatThrownBy(() -> kmsAsymmetricSigner.sign(testJweHeader, testSigningInput)) .isInstanceOf(TemporaryJOSEException.class) @@ -173,23 +163,24 @@ void shouldThrowJOSEException(Class exceptionClass) { class WithSignResultFromKms { @Mock - private SignResult mockSignResult; + private SignResponse mockSignResponse; private Base64URL expectedSignature; @BeforeEach void beforeEach() { when(mockAwsKms - .sign(new SignRequest() - .withKeyId(testPrivateKeyId) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()))) - .thenReturn(mockSignResult); + .sign(SignRequest.builder() + .keyId(testPrivateKeyId) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .build())) + .thenReturn(mockSignResponse); final var testSignatureByteBuffer = ByteBuffer.allocate(random.nextInt(512)); random.nextBytes(testSignatureByteBuffer.array()); - when(mockSignResult.getSignature()).thenReturn(testSignatureByteBuffer); + when(mockSignResponse.signature()).thenReturn(SdkBytes.fromByteBuffer(testSignatureByteBuffer)); expectedSignature = Base64URL.encode(testSignatureByteBuffer.array()); } @@ -202,4 +193,4 @@ void shouldReturnValidResponse() { } } } -} \ No newline at end of file +} 
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricVerifierTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricVerifierTest.java index b1a6723..7027986 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricVerifierTest.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsAsymmetricVerifierTest.java @@ -16,28 +16,6 @@ package com.nimbusds.jose.aws.kms.crypto; -import static com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricSigningCryptoProvider.JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC; -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatThrownBy; -import static org.mockito.Mockito.doReturn; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.spy; -import static org.mockito.Mockito.when; - -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.AWSKMSException; -import com.amazonaws.services.kms.model.DependencyTimeoutException; -import com.amazonaws.services.kms.model.DisabledException; -import com.amazonaws.services.kms.model.InvalidGrantTokenException; -import com.amazonaws.services.kms.model.InvalidKeyUsageException; -import com.amazonaws.services.kms.model.KMSInternalException; -import com.amazonaws.services.kms.model.KMSInvalidSignatureException; -import com.amazonaws.services.kms.model.KMSInvalidStateException; -import com.amazonaws.services.kms.model.KeyUnavailableException; -import com.amazonaws.services.kms.model.MessageType; -import com.amazonaws.services.kms.model.NotFoundException; -import com.amazonaws.services.kms.model.VerifyRequest; -import com.amazonaws.services.kms.model.VerifyResult; import com.google.common.collect.ImmutableSet; import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; 
@@ -45,8 +23,6 @@ import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral; import com.nimbusds.jose.util.Base64URL; -import java.nio.ByteBuffer; -import java.util.Set; import lombok.SneakyThrows; import lombok.var; import org.jeasy.random.EasyRandom; @@ -60,6 +36,17 @@ import org.junit.platform.commons.support.ReflectionSupport; import org.mockito.Mock; import org.mockito.junit.jupiter.MockitoExtension; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.*; + +import java.nio.ByteBuffer; +import java.util.Set; + +import static com.nimbusds.jose.aws.kms.crypto.impl.KmsAsymmetricSigningCryptoProvider.JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC; +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.Mockito.*; @DisplayName("For KmsAsymmetricVerifier class,") @@ -69,7 +56,7 @@ public class KmsAsymmetricVerifierTest { private final EasyRandom random = new EasyRandom(); @Mock - private AWSKMS mockAwsKms; + private KmsClient mockAwsKms; private String testPrivateKeyId; private MessageType testMessageType; private Set testCriticalHeaders; 
@@ -194,15 +181,16 @@ void beforeEach() { class WithInvalidSigningKey { @SneakyThrows - AWSKMSException parameterizedBeforeEach(Class invalidSigningExceptionClass) { + KmsException parameterizedBeforeEach(Class invalidSigningExceptionClass) { final var mockInvalidSigningException = mock(invalidSigningExceptionClass); when(mockAwsKms - .verify(new VerifyRequest() - .withKeyId(testPrivateKeyId) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSignature(ByteBuffer.wrap(testSignature.decode())))) + .verify(VerifyRequest.builder() + .keyId(testPrivateKeyId) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testSignature.decode()))) + .build())) .thenThrow(mockInvalidSigningException); return mockInvalidSigningException; } @@ -211,8 +199,8 @@ AWSKMSException parameterizedBeforeEach(Class invalidSigningExc @DisplayName("should throw RemoteKeySourceException.") @ValueSource(classes = { NotFoundException.class, DisabledException.class, KeyUnavailableException.class, - InvalidKeyUsageException.class, KMSInvalidStateException.class}) - void shouldThrowRemoteKeySourceException(Class exceptionClass) { + InvalidKeyUsageException.class, KmsInvalidStateException.class}) + void shouldThrowRemoteKeySourceException(Class exceptionClass) { final var mockInvalidSigningException = parameterizedBeforeEach(exceptionClass); assertThatThrownBy( () -> kmsAsymmetricVerifier.verify(testJweHeader, testSigningInput, testSignature)) 
@@ -227,15 +215,16 @@ void shouldThrowRemoteKeySourceException(Class exceptionClass) class WithTemporaryExceptionFromKms { @SneakyThrows - AWSKMSException parameterizedBeforeEach(Class temporaryKmsExceptionClass) { + KmsException parameterizedBeforeEach(Class temporaryKmsExceptionClass) { final var mockTemporaryKmsException = mock(temporaryKmsExceptionClass); when(mockAwsKms - .verify(new VerifyRequest() - .withKeyId(testPrivateKeyId) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSignature(ByteBuffer.wrap(testSignature.decode())))) + .verify(VerifyRequest.builder() + .keyId(testPrivateKeyId) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testSignature.decode()))) + .build())) .thenThrow(mockTemporaryKmsException); return mockTemporaryKmsException; } @@ -243,8 +232,8 @@ AWSKMSException parameterizedBeforeEach(Class temporaryKmsExcep @ParameterizedTest @DisplayName("should throw TemporaryJOSEException.") @ValueSource(classes = { - DependencyTimeoutException.class, InvalidGrantTokenException.class, KMSInternalException.class}) - void shouldThrowJOSEException(Class exceptionClass) { + DependencyTimeoutException.class, InvalidGrantTokenException.class, KmsInternalException.class}) + void shouldThrowJOSEException(Class exceptionClass) { final var mockInvalidSigningException = parameterizedBeforeEach(exceptionClass); assertThatThrownBy( () -> kmsAsymmetricVerifier.verify(testJweHeader, testSigningInput, testSignature)) 
@@ -259,17 +248,18 @@ void shouldThrowJOSEException(Class exceptionClass) { class WithKMSInvalidSignatureException { @Mock - private KMSInvalidSignatureException mockKmsInvalidSignatureException; + private KmsInvalidSignatureException mockKmsInvalidSignatureException; @BeforeEach void beforeEach() { when(mockAwsKms - .verify(new VerifyRequest() - .withKeyId(testPrivateKeyId) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSignature(ByteBuffer.wrap(testSignature.decode())))) + .verify(VerifyRequest.builder() + .keyId(testPrivateKeyId) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testSignature.decode()))) + .build())) .thenThrow(mockKmsInvalidSignatureException); } 
@@ -288,20 +278,21 @@ void shouldReturnFalse() { class WithInvalidSignature { @Mock - private VerifyResult mockVerifyResult; + private VerifyResponse mockVerifyResponse; @BeforeEach void beforeEach() { when(mockAwsKms - .verify(new VerifyRequest() - .withKeyId(testPrivateKeyId) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSignature(ByteBuffer.wrap(testSignature.decode())))) - .thenReturn(mockVerifyResult); - - when(mockVerifyResult.isSignatureValid()).thenReturn(false); + .verify(VerifyRequest.builder() + .keyId(testPrivateKeyId) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testSignature.decode()))) + .build())) + .thenReturn(mockVerifyResponse); + + when(mockVerifyResponse.signatureValid()).thenReturn(false); } @Test 
@@ -319,20 +310,21 @@ void shouldReturnFalse() { class WithValidSignature { @Mock - private VerifyResult mockVerifyResult; + private VerifyResponse mockVerifyResponse; @BeforeEach void beforeEach() { when(mockAwsKms - .verify(new VerifyRequest() - .withKeyId(testPrivateKeyId) - .withSigningAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) - .withMessageType(testMessageType) - .withMessage(mockMessage) - .withSignature(ByteBuffer.wrap(testSignature.decode())))) - .thenReturn(mockVerifyResult); - - when(mockVerifyResult.isSignatureValid()).thenReturn(true); + .verify(VerifyRequest.builder() + .keyId(testPrivateKeyId) + .signingAlgorithm(JWS_ALGORITHM_TO_SIGNING_ALGORITHM_SPEC.get(testJweHeader.getAlgorithm()).toString()) + .messageType(testMessageType) + .message(SdkBytes.fromByteBuffer(mockMessage)) + .signature(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testSignature.decode()))) + .build())) + .thenReturn(mockVerifyResponse); + + when(mockVerifyResponse.signatureValid()).thenReturn(true); } @Test @@ -346,4 +338,4 @@ void shouldReturnTrue() { } } } -} \ No newline at end of file +} diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultDecrypterTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultDecrypterTest.java index 25f2875..1d6c82a 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultDecrypterTest.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultDecrypterTest.java 
@@ -16,25 +16,8 @@ package com.nimbusds.jose.aws.kms.crypto; -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatThrownBy; -import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.mockito.Mockito.doNothing; -import static org.mockito.Mockito.mockStatic; -import static org.mockito.Mockito.spy; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.when; - -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.EncryptionAlgorithmSpec; -import com.amazonaws.services.kms.model.DecryptResult; -import com.amazonaws.services.kms.model.DecryptRequest; import com.google.common.collect.ImmutableSet; -import com.nimbusds.jose.EncryptionMethod; -import com.nimbusds.jose.JOSEException; -import com.nimbusds.jose.JWEAlgorithm; -import com.nimbusds.jose.JWEHeader; -import com.nimbusds.jose.RemoteKeySourceException; +import com.nimbusds.jose.*; import com.nimbusds.jose.aws.kms.crypto.testUtils.EasyRandomTestUtils; import com.nimbusds.jose.aws.kms.crypto.utils.JWEDecrypterUtil; import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; @@ -42,17 +25,9 @@ import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral; import com.nimbusds.jose.jca.JWEJCAContext; import com.nimbusds.jose.util.Base64URL; -import java.nio.ByteBuffer; -import java.util.Map; -import java.util.Set; -import javax.crypto.spec.SecretKeySpec; import lombok.SneakyThrows; import org.jeasy.random.EasyRandom; -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.DisplayName; -import org.junit.jupiter.api.Nested; -import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.*; import org.junit.jupiter.api.extension.ExtendWith; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.ValueSource; 
@@ -60,6 +35,22 @@ import org.mockito.Mock; import org.mockito.MockedStatic; import org.mockito.junit.jupiter.MockitoExtension; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.DecryptRequest; +import software.amazon.awssdk.services.kms.model.DecryptResponse; +import software.amazon.awssdk.services.kms.model.EncryptionAlgorithmSpec; + +import javax.crypto.spec.SecretKeySpec; +import java.nio.ByteBuffer; +import java.nio.charset.Charset; +import java.util.Map; +import java.util.Set; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.Mockito.*; @DisplayName("For KmsDefaultDecrypter class, ") @ExtendWith(MockitoExtension.class) @@ -68,7 +59,7 @@ public class KmsDefaultDecrypterTest { private final EasyRandom random = EasyRandomTestUtils.getEasyRandomWithByteBufferSupport(); @Mock - private AWSKMS mockAwsKms; + private KmsClient mockAwsKms; private String testKeyId; private Map testEncryptionContext; private Set testDeferredCriticalHeaders; @@ -171,7 +162,7 @@ class WithCriticalHeader { private JWEJCAContext mockJWEJCAContext; @Mock JWEDecrypterUtil jweDecrypterUtil; - private final DecryptResult testDecryptResult = random.nextObject(DecryptResult.class); + private final DecryptResponse testDecryptResponse = DecryptResponse.builder().plaintext(SdkBytes.fromString("test", Charset.defaultCharset())).build(); private final MockedStatic mockContentCryptoProvider = mockStatic(ContentCryptoProvider.class); private byte[] expectedData = new byte[random.nextInt(512)]; 
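Review bot: `SdkBytes.fromString("test", Charset.defaultCharset())` ties the fixture to the platform charset; `StandardCharsets.UTF_8` makes it deterministic across JVMs, and `import java.nio.charset.StandardCharsets;` replaces the `Charset` import. The replacement also swaps the previously random `DecryptResult` for a fixed 4-byte plaintext that the next hunk wraps in `new SecretKeySpec(testDecryptResponse.plaintext().asByteArray(), ...)` as the content-encryption key; with `ContentCryptoProvider` mocked statically this passes, but the fixture no longer resembles a CEK. Prefer key-sized random bytes, e.g. a 32-byte array filled with `random.nextBytes(...)` and `DecryptResponse.builder().plaintext(SdkBytes.fromByteArray(cek)).build()`. The nested class continues past this hunk.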
@@ -189,7 +180,7 @@ void beforeEach() { () -> ContentCryptoProvider.decrypt( testJweHeader, testEncryptedKey, testIv, testCipherText, testAuthTag, new SecretKeySpec( - testDecryptResult.getPlaintext().array(), + testDecryptResponse.plaintext().asByteArray(), testJweHeader.getAlgorithm().toString()), kmsDefaultDecrypter.getJCAContext())) .thenReturn(expectedData); @@ -226,12 +217,13 @@ class WithDecryptionResultFromJWEDecrypterUtil { @SneakyThrows void beforeEach() { when(mockAwsKms - .decrypt(new DecryptRequest() - .withEncryptionContext(testEncryptionContext) - .withEncryptionAlgorithm(testJweHeader.getAlgorithm().getName()) - .withKeyId(testKeyId) - .withCiphertextBlob(ByteBuffer.wrap(testEncryptedKey.decode())))) - .thenReturn(testDecryptResult); + .decrypt(DecryptRequest.builder() + .encryptionContext(testEncryptionContext) + .encryptionAlgorithm(testJweHeader.getAlgorithm().getName()) + .keyId(testKeyId) + .ciphertextBlob(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testEncryptedKey.decode()))) + .build())) + .thenReturn(testDecryptResponse); when(jweDecrypterUtil.decrypt(mockAwsKms, testKeyId, testEncryptionContext, testJweHeader, testEncryptedKey, testIv, testCipherText, testAuthTag, mockJWEJCAContext)) @@ -265,4 +257,4 @@ void afterEach() { testJweHeader); } } -} \ No newline at end of file +} diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultEncrypterTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultEncrypterTest.java index 69afe21..37176c1 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultEncrypterTest.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsDefaultEncrypterTest.java 
@@ -16,56 +16,18 @@ package com.nimbusds.jose.aws.kms.crypto; -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatThrownBy; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.ArgumentMatchers.eq; -import static org.mockito.ArgumentMatchers.refEq; -import static org.mockito.Mockito.doNothing; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.mockStatic; -import static org.mockito.Mockito.reset; -import static org.mockito.Mockito.spy; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.when; - -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.AWSKMSException; -import com.amazonaws.services.kms.model.DependencyTimeoutException; -import com.amazonaws.services.kms.model.DisabledException; -import com.amazonaws.services.kms.model.EncryptRequest; -import com.amazonaws.services.kms.model.EncryptResult; -import com.amazonaws.services.kms.model.EncryptionAlgorithmSpec; -import com.amazonaws.services.kms.model.InvalidGrantTokenException; -import com.amazonaws.services.kms.model.InvalidKeyUsageException; -import com.amazonaws.services.kms.model.KMSInternalException; -import com.amazonaws.services.kms.model.KMSInvalidStateException; -import com.amazonaws.services.kms.model.KeyUnavailableException; -import com.amazonaws.services.kms.model.NotFoundException; import com.google.common.collect.ImmutableMap; -import com.nimbusds.jose.EncryptionMethod; -import com.nimbusds.jose.JWEAlgorithm; -import com.nimbusds.jose.JWECryptoParts; -import com.nimbusds.jose.JWEHeader; -import com.nimbusds.jose.RemoteKeySourceException; +import com.nimbusds.jose.*; import com.nimbusds.jose.aws.kms.crypto.impl.KmsDefaultEncryptionCryptoProvider; import com.nimbusds.jose.aws.kms.crypto.testUtils.EasyRandomTestUtils; import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; import 
com.nimbusds.jose.crypto.impl.ContentCryptoProvider; import com.nimbusds.jose.jca.JWEJCAContext; import com.nimbusds.jose.util.Base64URL; -import java.nio.ByteBuffer; -import java.security.SecureRandom; -import java.util.Map; -import javax.crypto.SecretKey; import lombok.SneakyThrows; import lombok.var; import org.jeasy.random.EasyRandom; -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.DisplayName; -import org.junit.jupiter.api.Nested; -import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.*; import org.junit.jupiter.api.extension.ExtendWith; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.ValueSource; @@ -73,15 +35,29 @@ import org.mockito.Mock; import org.mockito.MockedStatic; import org.mockito.junit.jupiter.MockitoExtension; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.*; + +import javax.crypto.SecretKey; +import java.nio.ByteBuffer; +import java.nio.charset.Charset; +import java.security.SecureRandom; +import java.util.Map; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.ArgumentMatchers.*; +import static org.mockito.Mockito.*; @DisplayName("For KmsDefaultEncrypter class,") @ExtendWith(MockitoExtension.class) class KmsDefaultEncrypterTest { - private EasyRandom random = EasyRandomTestUtils.getEasyRandomWithByteBufferSupport(); + private final EasyRandom random = EasyRandomTestUtils.getEasyRandomWithByteBufferSupport(); @Mock - private AWSKMS mockAwsKms; + private KmsClient mockAwsKms; private final String testKeyId = random.nextObject(String.class); private final Map testEncryptionContext = random.nextObject(Map.class); 
@@ -118,14 +94,15 @@ void beforeEach() { @DisplayName("with invalid key exception from KMS,") class WithInvalidKMSKeyException { - AWSKMSException parameterizedBeforeEach(final Class invalidKeyExceptionClass) { + KmsException parameterizedBeforeEach(final Class invalidKeyExceptionClass) { final var invalidKeyException = mock(invalidKeyExceptionClass); when(mockAwsKms - .encrypt(new EncryptRequest() - .withKeyId(testKeyId) - .withEncryptionAlgorithm(testJweHeader.getAlgorithm().getName()) - .withPlaintext(any()) - .withEncryptionContext(testEncryptionContext))) + .encrypt(EncryptRequest.builder() + .keyId(testKeyId) + .encryptionAlgorithm(testJweHeader.getAlgorithm().getName()) + .plaintext(any()) + .encryptionContext(testEncryptionContext) + .build())) .thenThrow(invalidKeyException); return invalidKeyException; @@ -135,8 +112,8 @@ AWSKMSException parameterizedBeforeEach(final Class invalidKeyE @DisplayName("should throw RemoteKeySourceException.") @ValueSource(classes = { NotFoundException.class, DisabledException.class, InvalidKeyUsageException.class, - KMSInvalidStateException.class, InvalidGrantTokenException.class}) - void shouldThrowRemoteKeySourceException(final Class invalidKeyExceptionClass) { + KmsInvalidStateException.class, InvalidGrantTokenException.class}) + void shouldThrowRemoteKeySourceException(final Class invalidKeyExceptionClass) { final var invalidKeyException = parameterizedBeforeEach(invalidKeyExceptionClass); assertThatThrownBy(() -> kmsDefaultEncrypter.encrypt(testJweHeader, testClearText)) .isInstanceOf(RemoteKeySourceException.class) 
@@ -149,14 +126,15 @@ void shouldThrowRemoteKeySourceException(final Class invalidKey @DisplayName("with a temporary exception from KMS,") class WithTemporaryKMSException { - AWSKMSException parameterizedBeforeEach(final Class temporaryKMSExceptionClass) { + KmsException parameterizedBeforeEach(final Class temporaryKMSExceptionClass) { final var temporaryKMSException = mock(temporaryKMSExceptionClass); when(mockAwsKms - .encrypt(new EncryptRequest() - .withKeyId(testKeyId) - .withEncryptionAlgorithm(testJweHeader.getAlgorithm().getName()) - .withPlaintext(any()) - .withEncryptionContext(testEncryptionContext))) + .encrypt(EncryptRequest.builder() + .keyId(testKeyId) + .encryptionAlgorithm(testJweHeader.getAlgorithm().getName()) + .plaintext(any()) + .encryptionContext(testEncryptionContext) + .build())) .thenThrow(temporaryKMSException); return temporaryKMSException; @@ -165,8 +143,8 @@ AWSKMSException parameterizedBeforeEach(final Class temporaryKM @ParameterizedTest @DisplayName("should throw RemoteKeySourceException.") @ValueSource(classes = { - DependencyTimeoutException.class, KeyUnavailableException.class, KMSInternalException.class}) - void shouldThrowRemoteKeySourceException(final Class invalidKeyExceptionClass) { + DependencyTimeoutException.class, KeyUnavailableException.class, KmsInternalException.class}) + void shouldThrowRemoteKeySourceException(final Class invalidKeyExceptionClass) { final var invalidKeyException = parameterizedBeforeEach(invalidKeyExceptionClass); assertThatThrownBy(() -> kmsDefaultEncrypter.encrypt(testJweHeader, testClearText)) .isInstanceOf(TemporaryJOSEException.class) @@ -179,7 +157,7 @@ void shouldThrowRemoteKeySourceException(final Class invalidKey @DisplayName("with encrypted cek from KMS,") class WithDataKey { - private EncryptResult testEncryptedKey; + private EncryptResponse testEncryptedKey; private final MockedStatic mockContentCryptoProvider = mockStatic(ContentCryptoProvider.class); 
@@ -197,16 +175,17 @@ class WithDataKey { @BeforeEach void beforeEach() { - testEncryptedKey = random.nextObject(EncryptResult.class); + testEncryptedKey = EncryptResponse.builder().ciphertextBlob(SdkBytes.fromString("test", Charset.defaultCharset())).build(); final byte[] cekBytes = new byte[10]; random.nextBytes(cekBytes); when(mockCek.getEncoded()).thenReturn(cekBytes); when(mockAwsKms - .encrypt(new EncryptRequest() - .withKeyId(testKeyId) - .withEncryptionAlgorithm(testJweHeader.getAlgorithm().getName()) - .withPlaintext(ByteBuffer.wrap(cekBytes)) - .withEncryptionContext(testEncryptionContext))) + .encrypt(EncryptRequest.builder() + .keyId(testKeyId) + .encryptionAlgorithm(testJweHeader.getAlgorithm().getName()) + .plaintext(SdkBytes.fromByteBuffer(ByteBuffer.wrap(cekBytes))) + .encryptionContext(testEncryptionContext) + .build())) .thenReturn(testEncryptedKey); when(mockJWEJCAContext.getSecureRandom()).thenReturn(mockSecureRandom); 
@@ -239,17 +218,29 @@ void beforeEach() { testJweHeader); mockContentCryptoProvider.when( - () -> ContentCryptoProvider.encrypt( - testJweHeader, - testClearText, - mockCek, - Base64URL.encode(testEncryptedKey.getCiphertextBlob().array()), - mockJWEJCAContext)) + () -> ContentCryptoProvider.encrypt( + testJweHeader, + testClearText, + mockCek, + Base64URL.encode(testEncryptedKey.ciphertextBlob().asByteArray()), + mockJWEJCAContext)) .thenReturn(mockJweCryptoParts); + + reset(mockAwsKms); + final byte[] cekBytes = new byte[10]; + random.nextBytes(cekBytes); + when(mockCek.getEncoded()).thenReturn(cekBytes); + when(mockAwsKms + .encrypt(EncryptRequest.builder() + .keyId(testKeyId) + .encryptionAlgorithm(testJweHeader.getAlgorithm().getName()) + .plaintext(SdkBytes.fromByteBuffer(ByteBuffer.wrap(cekBytes))) + .build())) + .thenReturn(testEncryptedKey); } @Test - @DisplayName("should encrypted JWE token.") + @DisplayName("should encrypt JWE token.") @SneakyThrows void shouldReturnEncryptedJWEToken() { final JWECryptoParts actualJweCryptoParts = @@ -275,13 +266,13 @@ void beforeEach() { .build()), eq(testClearText), eq(mockCek), - eq(Base64URL.encode(testEncryptedKey.getCiphertextBlob().array())), + eq(Base64URL.encode(testEncryptedKey.ciphertextBlob().asByteArray())), eq(mockJWEJCAContext))) .thenReturn(mockJweCryptoParts); } @Test - @DisplayName("should encrypted JWE token.") + @DisplayName("should encrypt JWE token.") @SneakyThrows void shouldReturnEncryptedJWEToken() { final JWECryptoParts actualJweCryptoParts = diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricDecrypterTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricDecrypterTest.java index 4c3ad1f..8bc4440 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricDecrypterTest.java 
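Review bot: The stub re-registered after the new `reset(mockAwsKms);` builds the expected `EncryptRequest` without `.encryptionContext(testEncryptionContext)`, unlike the outer `WithDataKey` stub in the hunk on L73, so this nested scenario no longer pins that the encryption context is sent to KMS — the one input that binds the wrapped CEK to its JWE. If this nested class is the case without an encryption context, a one-line comment such as `// scenario: header carries no encryption context, so the stub omits it` would make that intent visible; if not, `.encryptionContext(testEncryptionContext)` belongs in the builder. Independently, `reset()` inside a `@BeforeEach` is the pattern Mockito documents as a smell, and the block also regenerates `cekBytes` and re-stubs `mockCek.getEncoded()`, duplicating the outer setup rather than narrowing it. The same context-less re-stub appears in KmsSymmetricEncrypterTest in the hunk on L84. The enclosing nested class and its `beforeEach` start outside the hunk.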
+++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricDecrypterTest.java @@ -16,25 +16,8 @@ package com.nimbusds.jose.aws.kms.crypto; -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatThrownBy; -import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.mockito.Mockito.doNothing; -import static org.mockito.Mockito.mockStatic; -import static org.mockito.Mockito.spy; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.when; - -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.DecryptRequest; -import com.amazonaws.services.kms.model.DecryptResult; -import com.amazonaws.services.kms.model.EncryptionAlgorithmSpec; import com.google.common.collect.ImmutableSet; -import com.nimbusds.jose.EncryptionMethod; -import com.nimbusds.jose.JOSEException; -import com.nimbusds.jose.JWEAlgorithm; -import com.nimbusds.jose.JWEHeader; -import com.nimbusds.jose.RemoteKeySourceException; +import com.nimbusds.jose.*; import com.nimbusds.jose.aws.kms.crypto.testUtils.EasyRandomTestUtils; import com.nimbusds.jose.aws.kms.crypto.utils.JWEDecrypterUtil; import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; 
@@ -42,17 +25,9 @@ import com.nimbusds.jose.crypto.impl.CriticalHeaderParamsDeferral; import com.nimbusds.jose.jca.JWEJCAContext; import com.nimbusds.jose.util.Base64URL; -import java.nio.ByteBuffer; -import java.util.Map; -import java.util.Set; -import javax.crypto.spec.SecretKeySpec; import lombok.SneakyThrows; import org.jeasy.random.EasyRandom; -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.DisplayName; -import org.junit.jupiter.api.Nested; -import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.*; import org.junit.jupiter.api.extension.ExtendWith; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.ValueSource; @@ -60,6 +35,22 @@ import org.mockito.Mock; import org.mockito.MockedStatic; import org.mockito.junit.jupiter.MockitoExtension; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.DecryptRequest; +import software.amazon.awssdk.services.kms.model.DecryptResponse; +import software.amazon.awssdk.services.kms.model.EncryptionAlgorithmSpec; + +import javax.crypto.spec.SecretKeySpec; +import java.nio.ByteBuffer; +import java.nio.charset.Charset; +import java.util.Map; +import java.util.Set; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.Mockito.*; @DisplayName("For KmsSymmetricDecrypter class, ") @ExtendWith(MockitoExtension.class) @@ -68,7 +59,7 @@ class KmsSymmetricDecrypterTest { private final EasyRandom random = EasyRandomTestUtils.getEasyRandomWithByteBufferSupport(); @Mock - private AWSKMS mockAwsKms; + private KmsClient mockAwsKms; private String testKeyId; private Map testEncryptionContext; private Set testDeferredCriticalHeaders; 
@@ -121,10 +112,10 @@ void shouldReturnDeferredCriticalHeaders() { class DecryptMethod { private JWEHeader testJweHeader; - private Base64URL testEncryptedKey = random.nextObject(Base64URL.class); - private Base64URL testIv = random.nextObject(Base64URL.class); - private Base64URL testCipherText = random.nextObject(Base64URL.class); - private Base64URL testAuthTag = random.nextObject(Base64URL.class); + private final Base64URL testEncryptedKey = random.nextObject(Base64URL.class); + private final Base64URL testIv = random.nextObject(Base64URL.class); + private final Base64URL testCipherText = random.nextObject(Base64URL.class); + private final Base64URL testAuthTag = random.nextObject(Base64URL.class); @BeforeEach @SneakyThrows @@ -171,10 +162,10 @@ class WithCriticalHeader { private JWEJCAContext mockJWEJCAContext; @Mock JWEDecrypterUtil jweDecrypterUtil; - private final DecryptResult testDecryptResult = random.nextObject(DecryptResult.class); + private final DecryptResponse testDecryptResponse = DecryptResponse.builder().plaintext(SdkBytes.fromString("test", Charset.defaultCharset())).build(); private final MockedStatic mockContentCryptoProvider = mockStatic(ContentCryptoProvider.class); - private byte[] expectedData = new byte[random.nextInt(512)]; + private final byte[] expectedData = new byte[random.nextInt(512)]; @BeforeEach void beforeEach() { @@ -188,7 +179,7 @@ void beforeEach() { () -> ContentCryptoProvider.decrypt( testJweHeader, testEncryptedKey, testIv, testCipherText, testAuthTag, new SecretKeySpec( - testDecryptResult.getPlaintext().array(), + testDecryptResponse.plaintext().asByteArray(), testJweHeader.getAlgorithm().toString()), kmsSymmetricDecrypter.getJCAContext())) .thenReturn(expectedData); 
@@ -207,7 +198,7 @@ class WithExceptionThrownFromJWEDecrypterUtil { }) void shouldThrowException(final Class exceptionClass) { try (MockedStatic utilMockedStatic = mockStatic(JWEDecrypterUtil.class)) { - utilMockedStatic.when(() -> jweDecrypterUtil.decrypt(mockAwsKms, testKeyId, testEncryptionContext, + utilMockedStatic.when(() -> JWEDecrypterUtil.decrypt(mockAwsKms, testKeyId, testEncryptionContext, testJweHeader, testEncryptedKey, testIv, testCipherText, testAuthTag, mockJWEJCAContext)) .thenThrow(exceptionClass); @@ -225,13 +216,14 @@ class WithDecryptionResultFromJWEDecrypterUtil { @SneakyThrows void beforeEach() { when(mockAwsKms - .decrypt(new DecryptRequest() - .withEncryptionContext(testEncryptionContext) - .withEncryptionAlgorithm(testJweHeader.getAlgorithm().getName()) - .withKeyId(testKeyId) - .withCiphertextBlob(ByteBuffer.wrap(testEncryptedKey.decode())))) - .thenReturn(testDecryptResult); - when(jweDecrypterUtil.decrypt(mockAwsKms, testKeyId, testEncryptionContext, + .decrypt(DecryptRequest.builder() + .encryptionContext(testEncryptionContext) + .encryptionAlgorithm(testJweHeader.getAlgorithm().getName()) + .keyId(testKeyId) + .ciphertextBlob(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testEncryptedKey.decode()))) + .build())) + .thenReturn(testDecryptResponse); + when(JWEDecrypterUtil.decrypt(mockAwsKms, testKeyId, testEncryptionContext, testJweHeader, testEncryptedKey, testIv, testCipherText, testAuthTag, mockJWEJCAContext)) .thenReturn(expectedData); @@ -264,4 +256,4 @@ void afterEach() { testJweHeader); } } -} \ No newline at end of file +} diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricEncrypterTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricEncrypterTest.java index af965b3..a0f9956 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricEncrypterTest.java 
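Review bot: In the second hunk (`@@ -225,13 +216,14 @@`), `when(JWEDecrypterUtil.decrypt(mockAwsKms, ...))` now targets the static method, but no `MockedStatic<JWEDecrypterUtil>` is visible in this `beforeEach`; the only static mock in view is the try-with-resources local to `shouldThrowException` in the first hunk. Unless one is opened elsewhere in the class, this `when(...)` invokes the real `JWEDecrypterUtil.decrypt`, whose result is not a mock invocation, so the stub does not bind as written. The class already keeps `mockContentCryptoProvider` as a field-level `MockedStatic` closed in `afterEach`; mirroring that for `JWEDecrypterUtil` (or keeping the `@Mock JWEDecrypterUtil jweDecrypterUtil` instance stub, as KmsDefaultDecrypterTest still does in the hunk on L68) would make the two decrypter tests consistent. This `beforeEach` continues outside the hunk.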
+++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/KmsSymmetricEncrypterTest.java 
@@ -16,52 +16,17 @@ package com.nimbusds.jose.aws.kms.crypto; -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatThrownBy; -import static org.mockito.ArgumentMatchers.eq; -import static org.mockito.ArgumentMatchers.refEq; -import static org.mockito.Mockito.doNothing; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.mockStatic; -import static org.mockito.Mockito.reset; -import static org.mockito.Mockito.spy; -import static org.mockito.Mockito.verify; -import static org.mockito.Mockito.when; - -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.AWSKMSException; -import com.amazonaws.services.kms.model.DependencyTimeoutException; -import com.amazonaws.services.kms.model.DisabledException; -import com.amazonaws.services.kms.model.EncryptionAlgorithmSpec; -import com.amazonaws.services.kms.model.GenerateDataKeyRequest; -import com.amazonaws.services.kms.model.GenerateDataKeyResult; -import com.amazonaws.services.kms.model.InvalidGrantTokenException; -import com.amazonaws.services.kms.model.InvalidKeyUsageException; -import com.amazonaws.services.kms.model.KMSInternalException; -import com.amazonaws.services.kms.model.KMSInvalidStateException; -import com.amazonaws.services.kms.model.KeyUnavailableException; -import com.amazonaws.services.kms.model.NotFoundException; import com.google.common.collect.ImmutableMap; -import com.nimbusds.jose.EncryptionMethod; -import com.nimbusds.jose.JWEAlgorithm; -import com.nimbusds.jose.JWECryptoParts; -import com.nimbusds.jose.JWEHeader; -import com.nimbusds.jose.RemoteKeySourceException; +import com.nimbusds.jose.*; import com.nimbusds.jose.aws.kms.crypto.impl.KmsSymmetricCryptoProvider; import com.nimbusds.jose.aws.kms.crypto.testUtils.EasyRandomTestUtils; import com.nimbusds.jose.aws.kms.exceptions.TemporaryJOSEException; import com.nimbusds.jose.crypto.impl.ContentCryptoProvider; import 
com.nimbusds.jose.util.Base64URL; -import java.util.Map; -import javax.crypto.spec.SecretKeySpec; import lombok.SneakyThrows; import lombok.var; import org.jeasy.random.EasyRandom; -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.DisplayName; -import org.junit.jupiter.api.Nested; -import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.*; import org.junit.jupiter.api.extension.ExtendWith; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.ValueSource; @@ -69,15 +34,28 @@ import org.mockito.Mock; import org.mockito.MockedStatic; import org.mockito.junit.jupiter.MockitoExtension; +import software.amazon.awssdk.core.SdkBytes; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.*; + +import javax.crypto.spec.SecretKeySpec; +import java.nio.charset.Charset; +import java.util.Map; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.ArgumentMatchers.eq; +import static org.mockito.ArgumentMatchers.refEq; +import static org.mockito.Mockito.*; @DisplayName("For KmsSymmetricEncrypter class,") @ExtendWith(MockitoExtension.class) class KmsSymmetricEncrypterTest { - private EasyRandom random = EasyRandomTestUtils.getEasyRandomWithByteBufferSupport(); + private final EasyRandom random = EasyRandomTestUtils.getEasyRandomWithByteBufferSupport(); @Mock - private AWSKMS mockAwsKms; + private KmsClient mockAwsKms; private final String testKeyId = random.nextObject(String.class); private final Map testEncryptionContext = random.nextObject(Map.class); 
@@ -114,15 +92,16 @@ void beforeEach() { @DisplayName("with invalid key exception from KMS,") class WithInvalidKMSKeyException { - AWSKMSException parameterizedBeforeEach(final Class invalidKeyExceptionClass) { + KmsException parameterizedBeforeEach(final Class invalidKeyExceptionClass) { final var invalidKeyException = mock(invalidKeyExceptionClass); when(mockAwsKms - .generateDataKey(new GenerateDataKeyRequest() - .withKeyId(testKeyId) - .withKeySpec( + .generateDataKey(GenerateDataKeyRequest.builder() + .keyId(testKeyId) + .keySpec( KmsSymmetricCryptoProvider.ENCRYPTION_METHOD_TO_DATA_KEY_SPEC_MAP.get( testJweHeader.getEncryptionMethod())) - .withEncryptionContext(testEncryptionContext))) + .encryptionContext(testEncryptionContext) + .build())) .thenThrow(invalidKeyException); return invalidKeyException; @@ -132,8 +111,8 @@ AWSKMSException parameterizedBeforeEach(final Class invalidKeyE @DisplayName("should throw RemoteKeySourceException.") @ValueSource(classes = { NotFoundException.class, DisabledException.class, InvalidKeyUsageException.class, - KeyUnavailableException.class, KMSInvalidStateException.class}) - void shouldThrowRemoteKeySourceException(final Class invalidKeyExceptionClass) { + KeyUnavailableException.class, KmsInvalidStateException.class}) + void shouldThrowRemoteKeySourceException(final Class invalidKeyExceptionClass) { final var invalidKeyException = parameterizedBeforeEach(invalidKeyExceptionClass); assertThatThrownBy(() -> kmsSymmetricEncrypter.encrypt(testJweHeader, testClearText)) .isInstanceOf(RemoteKeySourceException.class) 
@@ -146,15 +125,16 @@ void shouldThrowRemoteKeySourceException(final Class invalidKey @DisplayName("with a temporary exception from KMS,") class WithTemporaryKMSException { - AWSKMSException parameterizedBeforeEach(final Class temporaryKMSExceptionClass) { + KmsException parameterizedBeforeEach(final Class temporaryKMSExceptionClass) { final var temporaryKMSException = mock(temporaryKMSExceptionClass); when(mockAwsKms - .generateDataKey(new GenerateDataKeyRequest() - .withKeyId(testKeyId) - .withKeySpec( + .generateDataKey(GenerateDataKeyRequest.builder() + .keyId(testKeyId) + .keySpec( KmsSymmetricCryptoProvider.ENCRYPTION_METHOD_TO_DATA_KEY_SPEC_MAP.get( testJweHeader.getEncryptionMethod())) - .withEncryptionContext(testEncryptionContext))) + .encryptionContext(testEncryptionContext) + .build())) .thenThrow(temporaryKMSException); return temporaryKMSException; @@ -164,8 +144,8 @@ AWSKMSException parameterizedBeforeEach(final Class temporaryKM @DisplayName("should throw RemoteKeySourceException.") @ValueSource(classes = { DependencyTimeoutException.class, InvalidGrantTokenException.class, - KMSInternalException.class}) - void shouldThrowRemoteKeySourceException(final Class invalidKeyExceptionClass) { + KmsInternalException.class}) + void shouldThrowRemoteKeySourceException(final Class invalidKeyExceptionClass) { final var invalidKeyException = parameterizedBeforeEach(invalidKeyExceptionClass); assertThatThrownBy(() -> kmsSymmetricEncrypter.encrypt(testJweHeader, testClearText)) .isInstanceOf(TemporaryJOSEException.class) @@ -178,7 +158,7 @@ void shouldThrowRemoteKeySourceException(final Class invalidKey @DisplayName("with data-key from KMS,") class WithDataKey { - private GenerateDataKeyResult testGenerateDataKeyResult; + private GenerateDataKeyResponse testGenerateDataKeyResponse; private final MockedStatic mockContentCryptoProvider = mockStatic(ContentCryptoProvider.class); 
@@ -187,15 +167,16 @@ class WithDataKey { @BeforeEach void beforeEach() { - testGenerateDataKeyResult = random.nextObject(GenerateDataKeyResult.class); + testGenerateDataKeyResponse = GenerateDataKeyResponse.builder().plaintext(SdkBytes.fromString("test", Charset.defaultCharset())).ciphertextBlob(SdkBytes.fromString("test", Charset.defaultCharset())).build(); when(mockAwsKms - .generateDataKey(new GenerateDataKeyRequest() - .withKeyId(testKeyId) - .withKeySpec( + .generateDataKey(GenerateDataKeyRequest.builder() + .keyId(testKeyId) + .keySpec( KmsSymmetricCryptoProvider.ENCRYPTION_METHOD_TO_DATA_KEY_SPEC_MAP.get( testJweHeader.getEncryptionMethod())) - .withEncryptionContext(testEncryptionContext))) - .thenReturn(testGenerateDataKeyResult); + .encryptionContext(testEncryptionContext) + .build())) + .thenReturn(testGenerateDataKeyResponse); } @Nested @@ -218,15 +199,25 @@ void beforeEach() { () -> ContentCryptoProvider.encrypt( testJweHeader, testClearText, - new SecretKeySpec(testGenerateDataKeyResult.getPlaintext().array(), + new SecretKeySpec(testGenerateDataKeyResponse.plaintext().asByteArray(), testJweHeader.getAlgorithm().toString()), - Base64URL.encode(testGenerateDataKeyResult.getCiphertextBlob().array()), + Base64URL.encode(testGenerateDataKeyResponse.ciphertextBlob().asByteArray()), jcaContext)) .thenReturn(mockJweCryptoParts); + + reset(mockAwsKms); + when(mockAwsKms + .generateDataKey(GenerateDataKeyRequest.builder() + .keyId(testKeyId) + .keySpec( + KmsSymmetricCryptoProvider.ENCRYPTION_METHOD_TO_DATA_KEY_SPEC_MAP.get( + testJweHeader.getEncryptionMethod())) + .build())) + .thenReturn(testGenerateDataKeyResponse); } @Test - @DisplayName("should encrypted JWE token.") + @DisplayName("should encrypt JWE token.") @SneakyThrows void shouldReturnEncryptedJWEToken() { final JWECryptoParts actualJweCryptoParts = 
@@ -253,16 +244,16 @@ void beforeEach() { .build()), eq(testClearText), eq(new SecretKeySpec( - testGenerateDataKeyResult.getPlaintext().array(), + testGenerateDataKeyResponse.plaintext().asByteArray(), testJweHeader.getAlgorithm().toString())), eq(Base64URL.encode( - testGenerateDataKeyResult.getCiphertextBlob().array())), + testGenerateDataKeyResponse.ciphertextBlob().asByteArray())), eq(jcaContext))) .thenReturn(mockJweCryptoParts); } @Test - @DisplayName("should encrypted JWE token.") + @DisplayName("should encrypt JWE token.") @SneakyThrows void shouldReturnEncryptedJWEToken() { final JWECryptoParts actualJweCryptoParts = diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricRSASSAProviderTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricRSASSAProviderTest.java index 14793d5..38ff84f 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricRSASSAProviderTest.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricRSASSAProviderTest.java 
@@ -16,35 +16,27 @@ package com.nimbusds.jose.aws.kms.crypto.impl; -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatThrownBy; -import static org.mockito.Mockito.CALLS_REAL_METHODS; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.mockStatic; -import static org.mockito.Mockito.when; -import static org.mockito.Mockito.withSettings; - -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.MessageType; -import com.amazonaws.services.kms.model.SigningAlgorithmSpec; import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; -import java.nio.ByteBuffer; -import java.nio.charset.StandardCharsets; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; import lombok.SneakyThrows; import org.jeasy.random.EasyRandom; -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.DisplayName; -import org.junit.jupiter.api.Nested; -import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.*; import org.junit.jupiter.api.extension.ExtendWith; import org.mockito.Mock; import org.mockito.MockedStatic; import org.mockito.junit.jupiter.MockitoExtension; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.MessageType; + +import java.nio.ByteBuffer; +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.Mockito.*; @DisplayName("For KmsAsymmetricRSASSAProvider class,") @ExtendWith(MockitoExtension.class) 
@@ -53,7 +45,7 @@ public class KmsAsymmetricRSASSAProviderTest { private EasyRandom random; @Mock - private AWSKMS mockAwsKms; + private KmsClient mockAwsKms; private String testPrivateKeyId; private MessageType testMessageType; diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricSigningCryptoProviderTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricSigningCryptoProviderTest.java index 43d3a24..288dfd4 100644 --- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricSigningCryptoProviderTest.java +++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsAsymmetricSigningCryptoProviderTest.java 
@@ -16,35 +16,27 @@ package com.nimbusds.jose.aws.kms.crypto.impl; -import static org.assertj.core.api.Assertions.assertThat; -import static org.assertj.core.api.Assertions.assertThatThrownBy; -import static org.mockito.Mockito.CALLS_REAL_METHODS; -import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.mockStatic; -import static org.mockito.Mockito.when; -import static org.mockito.Mockito.withSettings; - -import com.amazonaws.services.kms.AWSKMS; -import com.amazonaws.services.kms.model.MessageType; -import com.amazonaws.services.kms.model.SigningAlgorithmSpec; import com.nimbusds.jose.JOSEException; import com.nimbusds.jose.JWSAlgorithm; import com.nimbusds.jose.JWSHeader; -import java.nio.ByteBuffer; -import java.nio.charset.StandardCharsets; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; import lombok.SneakyThrows; import org.jeasy.random.EasyRandom; -import org.junit.jupiter.api.AfterEach; -import org.junit.jupiter.api.BeforeEach; -import org.junit.jupiter.api.DisplayName; -import org.junit.jupiter.api.Nested; -import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.*; import org.junit.jupiter.api.extension.ExtendWith; import org.mockito.Mock; import org.mockito.MockedStatic; import org.mockito.junit.jupiter.MockitoExtension; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.MessageType; + +import java.nio.ByteBuffer; +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; +import static org.mockito.Mockito.*; @DisplayName("For KmsAsymmetricSigningCryptoProvider class,") @ExtendWith(MockitoExtension.class) 
@@ -53,7 +45,7 @@ public class KmsAsymmetricSigningCryptoProviderTest {
 private EasyRandom random;
 @Mock
- private AWSKMS mockAwsKms;
+ private KmsClient mockAwsKms;
 private String testPrivateKeyId;
 private MessageType testMessageType;
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsDefaultEncryptionCryptoProviderTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsDefaultEncryptionCryptoProviderTest.java
index b4d9bed..bf1e509 100644
--- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsDefaultEncryptionCryptoProviderTest.java
+++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsDefaultEncryptionCryptoProviderTest.java
@@ -16,35 +16,29 @@ package com.nimbusds.jose.aws.kms.crypto.impl;
-import static org.mockito.Mockito.CALLS_REAL_METHODS;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.mockStatic;
-import static org.mockito.Mockito.withSettings;
-
-import com.amazonaws.services.kms.AWSKMS;
 import com.nimbusds.jose.JWEHeader;
 import com.nimbusds.jose.aws.kms.crypto.utils.JWEHeaderUtil;
-import java.util.Map;
 import org.jeasy.random.EasyRandom;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.DisplayName;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.*;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.MockedStatic;
 import org.mockito.junit.jupiter.MockitoExtension;
+import software.amazon.awssdk.services.kms.KmsClient;
+
+import java.util.Map;
+
+import static org.mockito.Mockito.*;
 @DisplayName("For KmsDefaultEncryptionCryptoProvider class,")
 @ExtendWith(MockitoExtension.class)
 class KmsDefaultEncryptionCryptoProviderTest {
- private EasyRandom random = new EasyRandom();
+ private final EasyRandom random = new EasyRandom();
 @Mock
- private AWSKMS mockAwsKms;
- private String testPrivateKeyId = random.nextObject(String.class);
+ private KmsClient mockAwsKms;
+ private final String testPrivateKeyId = random.nextObject(String.class);
 private KmsDefaultEncryptionCryptoProvider kmsDefaultEncryptionCryptoProvider;
@@ -112,4 +106,4 @@ void shouldThrowException() throws Exception {
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsSymmetricCryptoProviderTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsSymmetricCryptoProviderTest.java
index 9876acf..54bcf0d 100644
--- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsSymmetricCryptoProviderTest.java
+++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/impl/KmsSymmetricCryptoProviderTest.java
@@ -16,35 +16,29 @@ package com.nimbusds.jose.aws.kms.crypto.impl;
-import static org.mockito.Mockito.CALLS_REAL_METHODS;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.mockStatic;
-import static org.mockito.Mockito.withSettings;
-
-import com.amazonaws.services.kms.AWSKMS;
 import com.nimbusds.jose.JWEHeader;
 import com.nimbusds.jose.aws.kms.crypto.utils.JWEHeaderUtil;
-import java.util.Map;
 import org.jeasy.random.EasyRandom;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.DisplayName;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.*;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.MockedStatic;
 import org.mockito.junit.jupiter.MockitoExtension;
+import software.amazon.awssdk.services.kms.KmsClient;
+
+import java.util.Map;
+
+import static org.mockito.Mockito.*;
 @DisplayName("For KmsSymmetricCryptoProvider class,")
 @ExtendWith(MockitoExtension.class)
 class KmsSymmetricCryptoProviderTest {
- private EasyRandom random = new EasyRandom();
+ private final EasyRandom random = new EasyRandom();
 @Mock
- private AWSKMS mockAwsKms;
- private String testPrivateKeyId = random.nextObject(String.class);
+ private KmsClient mockAwsKms;
+ private final String testPrivateKeyId = random.nextObject(String.class);
 private KmsSymmetricCryptoProvider kmsSymmetricCryptoProvider;
@@ -112,4 +106,4 @@ void shouldThrowException() throws Exception {
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEDecrypterUtilTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEDecrypterUtilTest.java
index d0618fa..c2fa4ec 100644
--- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEDecrypterUtilTest.java
+++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEDecrypterUtilTest.java
@@ -1,18 +1,5 @@
 package com.nimbusds.jose.aws.kms.crypto.utils;
-import com.amazonaws.services.kms.AWSKMS;
-import com.amazonaws.services.kms.model.AWSKMSException;
-import com.amazonaws.services.kms.model.DecryptRequest;
-import com.amazonaws.services.kms.model.DecryptResult;
-import com.amazonaws.services.kms.model.DependencyTimeoutException;
-import com.amazonaws.services.kms.model.DisabledException;
-import com.amazonaws.services.kms.model.EncryptionAlgorithmSpec;
-import com.amazonaws.services.kms.model.InvalidGrantTokenException;
-import com.amazonaws.services.kms.model.InvalidKeyUsageException;
-import com.amazonaws.services.kms.model.KeyUnavailableException;
-import com.amazonaws.services.kms.model.KMSInternalException;
-import com.amazonaws.services.kms.model.KMSInvalidStateException;
-import com.amazonaws.services.kms.model.NotFoundException;
 import com.nimbusds.jose.EncryptionMethod;
 import com.nimbusds.jose.JWEAlgorithm;
 import com.nimbusds.jose.JWEHeader;
@@ -22,29 +9,28 @@ import com.nimbusds.jose.crypto.impl.ContentCryptoProvider;
 import com.nimbusds.jose.jca.JWEJCAContext;
 import com.nimbusds.jose.util.Base64URL;
-import java.nio.ByteBuffer;
-import java.util.Map;
-import javax.crypto.spec.SecretKeySpec;
 import lombok.SneakyThrows;
 import lombok.var;
 import org.jeasy.random.EasyRandom;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.DisplayName;
-import org.junit.jupiter.api.Nested;
-import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.*;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.ValueSource;
 import org.mockito.Mock;
 import org.mockito.MockedStatic;
 import org.mockito.junit.jupiter.MockitoExtension;
+import software.amazon.awssdk.core.SdkBytes;
+import software.amazon.awssdk.services.kms.KmsClient;
+import software.amazon.awssdk.services.kms.model.*;
+
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.ByteBuffer;
+import java.nio.charset.Charset;
+import java.util.Map;
-import static org.assertj.core.api.Assertions.assertThatThrownBy;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.mockStatic;
-import static org.mockito.Mockito.when;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.mockito.Mockito.*;
 @DisplayName("For the JWEDecrypterUtil class,")
 @ExtendWith(MockitoExtension.class)
@@ -59,13 +45,13 @@ class DecryptMethod {
 @Mock
 private JWEJCAContext mockJWEJCAContext;
 @Mock
- private AWSKMS mockAwsKms;
+ private KmsClient mockAwsKms;
 private Map testEncryptionContext;
 private JWEHeader testJweHeader;
- private Base64URL testEncryptedKey = random.nextObject(Base64URL.class);
- private Base64URL testIv = random.nextObject(Base64URL.class);
- private Base64URL testCipherText = random.nextObject(Base64URL.class);
- private Base64URL testAuthTag = random.nextObject(Base64URL.class);
+ private final Base64URL testEncryptedKey = random.nextObject(Base64URL.class);
+ private final Base64URL testIv = random.nextObject(Base64URL.class);
+ private final Base64URL testCipherText = random.nextObject(Base64URL.class);
+ private final Base64URL testAuthTag = random.nextObject(Base64URL.class);
 @BeforeEach
 void setUp() {
@@ -81,14 +67,15 @@ void setUp() {
 @DisplayName("with invalid key exception from KMS,")
 class WithInvalidKMSKeyException {
- AWSKMSException parameterizedBeforeEach(final Class invalidKeyExceptionClass) {
+ KmsException parameterizedBeforeEach(final Class invalidKeyExceptionClass) {
 final var invalidKeyException = mock(invalidKeyExceptionClass);
 when(mockAwsKms
- .decrypt(new DecryptRequest()
- .withEncryptionContext(testEncryptionContext)
- .withKeyId(testKeyId)
- .withEncryptionAlgorithm(testJweHeader.getAlgorithm().getName())
- .withCiphertextBlob(ByteBuffer.wrap(testEncryptedKey.decode()))))
+ .decrypt(DecryptRequest.builder()
+ .encryptionContext(testEncryptionContext)
+ .keyId(testKeyId)
+ .encryptionAlgorithm(testJweHeader.getAlgorithm().getName())
+ .ciphertextBlob(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testEncryptedKey.decode())))
+ .build()))
 .thenThrow(invalidKeyException);
 return invalidKeyException;
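Review bot: The expected `DecryptRequest` is rebuilt inline in every stub — here in `WithInvalidKMSKeyException.parameterizedBeforeEach`, and again in `WithTemporaryKMSException.parameterizedBeforeEach` and `WithDecryptionResult.beforeEach` in the following hunks — so any change to how `JWEDecrypterUtil.decrypt` composes the request has to be mirrored in three places and a divergence would only show up as an unstubbed-call failure. A private helper on the enclosing `DecryptMethod` class, which already owns `testKeyId`, `testEncryptionContext`, `testJweHeader` and `testEncryptedKey`, keeps one source of truth; `SdkBytes.fromByteArray(testEncryptedKey.decode())` is also the direct equivalent of wrapping the array in a `ByteBuffer` first. The `parameterizedBeforeEach` method and the `DecryptMethod` class both close outside this hunk.
```java
// … unchanged: DecryptMethod fields and setUp() …
private DecryptRequest expectedDecryptRequest() {
    return DecryptRequest.builder()
            .encryptionContext(testEncryptionContext)
            .keyId(testKeyId)
            .encryptionAlgorithm(testJweHeader.getAlgorithm().getName())
            .ciphertextBlob(SdkBytes.fromByteArray(testEncryptedKey.decode()))
            .build();
}
// … in WithInvalidKMSKeyException.parameterizedBeforeEach (and the two sibling stubs):
final var invalidKeyException = mock(invalidKeyExceptionClass);
when(mockAwsKms.decrypt(expectedDecryptRequest())).thenThrow(invalidKeyException);
return invalidKeyException;
```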
@@ -98,8 +85,8 @@ AWSKMSException parameterizedBeforeEach(final Class invalidKeyE
 @DisplayName("should throw RemoteKeySourceException.")
 @ValueSource(classes = {
 NotFoundException.class, DisabledException.class, InvalidKeyUsageException.class,
- KeyUnavailableException.class, KMSInvalidStateException.class})
- void shouldThrowRemoteKeySourceException(final Class invalidKeyExceptionClass) {
+ KeyUnavailableException.class, KmsInvalidStateException.class})
+ void shouldThrowRemoteKeySourceException(final Class invalidKeyExceptionClass) {
 final var invalidKeyException = parameterizedBeforeEach(invalidKeyExceptionClass);
 assertThatThrownBy(
 () -> JWEDecrypterUtil.decrypt(mockAwsKms, testKeyId, testEncryptionContext, testJweHeader,
@@ -114,14 +101,15 @@ void shouldThrowRemoteKeySourceException(final Class invalidKey
 @DisplayName("with a temporary exception from KMS,")
 class WithTemporaryKMSException {
- AWSKMSException parameterizedBeforeEach(final Class temporaryKMSExceptionClass) {
+ KmsException parameterizedBeforeEach(final Class temporaryKMSExceptionClass) {
 final var temporaryKMSException = mock(temporaryKMSExceptionClass);
 when(mockAwsKms
- .decrypt(new DecryptRequest()
- .withEncryptionContext(testEncryptionContext)
- .withKeyId(testKeyId)
- .withEncryptionAlgorithm(testJweHeader.getAlgorithm().getName())
- .withCiphertextBlob(ByteBuffer.wrap(testEncryptedKey.decode()))))
+ .decrypt(DecryptRequest.builder()
+ .encryptionContext(testEncryptionContext)
+ .keyId(testKeyId)
+ .encryptionAlgorithm(testJweHeader.getAlgorithm().getName())
+ .ciphertextBlob(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testEncryptedKey.decode())))
+ .build()))
 .thenThrow(temporaryKMSException);
 return temporaryKMSException;
@@ -131,8 +119,8 @@ AWSKMSException parameterizedBeforeEach(final Class temporaryKM
 @DisplayName("should throw TemporaryJOSEException.")
 @ValueSource(classes = {
 DependencyTimeoutException.class, InvalidGrantTokenException.class,
- KMSInternalException.class})
- void shouldThrowRemoteKeySourceException(final Class invalidKeyExceptionClass) {
+ KmsInternalException.class})
+ void shouldThrowRemoteKeySourceException(final Class invalidKeyExceptionClass) {
 final var invalidKeyException = parameterizedBeforeEach(invalidKeyExceptionClass);
 assertThatThrownBy(
 () -> JWEDecrypterUtil.decrypt(mockAwsKms, testKeyId, testEncryptionContext, testJweHeader,
@@ -147,7 +135,7 @@ void shouldThrowRemoteKeySourceException(final Class invalidKey
 @DisplayName("with decryption result,")
 class WithDecryptionResult {
- private final DecryptResult testDecryptResult = random.nextObject(DecryptResult.class);
+ private final DecryptResponse testDecryptResult = DecryptResponse.builder().plaintext(SdkBytes.fromString("test", Charset.defaultCharset())).build();
 private final MockedStatic mockContentCryptoProvider = mockStatic(ContentCryptoProvider.class);
 private final byte[] expectedData = new byte[random.nextInt(512)];
@@ -155,11 +143,12 @@ class WithDecryptionResult {
 @BeforeEach
 void beforeEach() {
 when(mockAwsKms
- .decrypt(new DecryptRequest()
- .withEncryptionContext(testEncryptionContext)
- .withKeyId(testKeyId)
- .withEncryptionAlgorithm(testJweHeader.getAlgorithm().getName())
- .withCiphertextBlob(ByteBuffer.wrap(testEncryptedKey.decode()))))
+ .decrypt(DecryptRequest.builder()
+ .encryptionContext(testEncryptionContext)
+ .keyId(testKeyId)
+ .encryptionAlgorithm(testJweHeader.getAlgorithm().getName())
+ .ciphertextBlob(SdkBytes.fromByteBuffer(ByteBuffer.wrap(testEncryptedKey.decode())))
+ .build()))
 .thenReturn(testDecryptResult);
 random.nextBytes(expectedData);
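Review bot: The new `testDecryptResult` fixture in `WithDecryptionResult` encodes its plaintext with `Charset.defaultCharset()`, which depends on the JVM the tests run on; for the ASCII literal `"test"` the bytes happen to be identical everywhere, but the fixture should not rely on that, and pinning the encoding also removes the new `java.nio.charset.Charset` import: `private final DecryptResponse testDecryptResult = DecryptResponse.builder().plaintext(SdkBytes.fromUtf8String("test")).build();`. Those plaintext bytes become the `SecretKeySpec` key material that the `ContentCryptoProvider.decrypt` stub in the following hunk matches on, so the fixture and that stub must stay in step if the value ever changes. The declaration is also far longer than the rest of the file's lines; splitting the builder chain as the `DecryptRequest.builder()` calls below are split would keep it readable.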
@@ -167,7 +156,7 @@ void beforeEach() {
 () -> ContentCryptoProvider.decrypt(
 testJweHeader, testEncryptedKey, testIv, testCipherText, testAuthTag,
 new SecretKeySpec(
- testDecryptResult.getPlaintext().array(),
+ testDecryptResult.plaintext().asByteArray(),
 testJweHeader.getAlgorithm().toString()),
 mockJWEJCAContext))
 .thenReturn(expectedData);
@@ -189,4 +178,4 @@ void afterEach() {
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEHeaderUtilTest.java b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEHeaderUtilTest.java
index 71ac110..8ae241d 100644
--- a/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEHeaderUtilTest.java
+++ b/nimbus-jose-jwt_aws-kms-extension/src/test/java/com/nimbusds/jose/aws/kms/crypto/utils/JWEHeaderUtilTest.java
@@ -16,11 +16,6 @@ package com.nimbusds.jose.aws.kms.crypto.utils;
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.assertThatNoException;
-import static org.assertj.core.api.Assertions.assertThatThrownBy;
-
-import com.amazonaws.services.kms.model.EncryptionAlgorithmSpec;
 import com.google.common.collect.ImmutableSet;
 import com.nimbusds.jose.EncryptionMethod;
 import com.nimbusds.jose.JOSEException;
@@ -29,13 +24,17 @@ import com.nimbusds.jose.aws.kms.crypto.testUtils.EasyRandomTestUtils;
 import com.nimbusds.jose.crypto.impl.AlgorithmSupportMessage;
 import com.nimbusds.jose.crypto.impl.ContentCryptoProvider;
-import java.util.Map;
-import java.util.Set;
 import org.jeasy.random.EasyRandom;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
+import software.amazon.awssdk.services.kms.model.EncryptionAlgorithmSpec;
+
+import java.util.Map;
+import java.util.Set;
+
+import static org.assertj.core.api.Assertions.*;
 @DisplayName("For the JWEHeaderUtil class,")
 class JWEHeaderUtilTest {
@@ -71,7 +70,7 @@ void beforeEach() {
 @DisplayName("should throw JOSEException.")
 void shouldThrowJOSEException() {
 assertThatThrownBy(() -> JWEHeaderUtil.validateJWEHeaderAlgorithms(
- testJweHeader, testSupportedAlgorithms, testSupportedEncryptionMethods))
+ testJweHeader, testSupportedAlgorithms, testSupportedEncryptionMethods))
 .isInstanceOf(JOSEException.class)
 .hasMessage(AlgorithmSupportMessage.unsupportedJWEAlgorithm(
 testJweHeader.getAlgorithm(), testSupportedAlgorithms))
@@ -169,6 +168,7 @@ class WithNonNullContext {
 void beforeEach() {
 testEncryptionContext = random.nextObject(Map.class);
 }
+ @Test
 @DisplayName("should return the updated header with encryption context.")
 void shouldReturnUpdatedHeader() {