001/* 002 * nimbus-jose-jwt 003 * 004 * Copyright 2012-2016, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.jose.proc; 019 020 021import java.util.Arrays; 022import java.util.Collections; 023import java.util.HashSet; 024import java.util.Set; 025 026import net.jcip.annotations.Immutable; 027 028import com.nimbusds.jose.JOSEObjectType; 029 030 031/** 032 * Default JOSE header "typ" (type) parameter verifier. 033 * 034 * <p>Example JWS header with a "typ" (type) parameter set to "at+jwt": 035 * 036 * <pre> 037 * { 038 * "alg" : "ES256", 039 * "typ" : "at+jwt", 040 * "kid" : "123" 041 * } 042 * </pre> 043 * 044 * <p>To create a verifier which allows the "typ" to be omitted or set to 045 * "JWT": 046 * 047 * <pre> 048 * JOSEObjectVerifier verifier = new DefaultJOSEObjectTypeVerifier(JOSEObjectType.JWT, null); 049 * </pre> 050 * 051 * <p>To create a verifier which allows a "typ" of "at+jwt": 052 * 053 * <pre> 054 * JOSEObjectVerifier verifier = new DefaultJOSEObjectTypeVerifier(new JOSEObjectType("at+jwt"))); 055 * </pre> 056 * 057 * @author Vladimir Dzhuvinov 058 * @version 2019-10-15 059 * @since 8.0 060 */ 061@Immutable 062public class DefaultJOSEObjectTypeVerifier <C extends SecurityContext> implements JOSEObjectTypeVerifier<C> { 063 064 065 /** 066 * The allowed types. 067 */ 068 private final Set<JOSEObjectType> allowedTypes; 069 070 071 /** 072 * The standard header "typ" (type) parameter verifier for JWS, JWE and 073 * plain (unsecured) JOSE objects (other than JWT). See RFC 7515, 074 * section 4.1.9 and RFC 7516, section 4.1.11. 075 */ 076 public static final DefaultJOSEObjectTypeVerifier JOSE = new DefaultJOSEObjectTypeVerifier(JOSEObjectType.JOSE, null); 077 078 /** 079 * The standard header "typ" (type) parameter verifier for signed, 080 * encrypted and plain (unsecured) JWTs. See RFC 7519, section 5.1. 081 */ 082 public static final DefaultJOSEObjectTypeVerifier JWT = new DefaultJOSEObjectTypeVerifier(JOSEObjectType.JWT, null); 083 084 085 /** 086 * Creates a new JOSE object type verifier which allows the type to be 087 * omitted or {@code null}. 088 */ 089 public DefaultJOSEObjectTypeVerifier() { 090 091 this.allowedTypes = Collections.singleton(null); 092 } 093 094 095 /** 096 * Creates a new JOSE object type verifier allowing the specified 097 * types. 098 * 099 * @param allowedTypes The allowed types, if a {@code null} is included 100 * the type parameter may be omitted or 101 * {@code null}. The set must not be {@code null} 102 * or empty. 103 */ 104 public DefaultJOSEObjectTypeVerifier(final Set<JOSEObjectType> allowedTypes) { 105 if (allowedTypes == null || allowedTypes.isEmpty()) { 106 throw new IllegalArgumentException("The allowed types must not be null or empty"); 107 } 108 this.allowedTypes = allowedTypes; 109 } 110 111 112 /** 113 * Creates a new JOSE object type verifier allowing the specified 114 * types. 115 * 116 * @param allowedTypes The allowed types, if a {@code null} is included 117 * the type parameter may be omitted or 118 * {@code null}. The array must not be {@code null} 119 * or empty. 120 */ 121 public DefaultJOSEObjectTypeVerifier(final JOSEObjectType ... allowedTypes) { 122 if (allowedTypes == null || allowedTypes.length == 0) { 123 throw new IllegalArgumentException("The allowed types must not be null or empty"); 124 } 125 this.allowedTypes = new HashSet<>(Arrays.asList(allowedTypes)); 126 } 127 128 129 /** 130 * Returns the allowed JOSE object types. 131 * 132 * @return The allowed JOSE object types, if a {@code null} is included 133 * the type parameter may be omitted or {@code null}. 134 */ 135 public Set<JOSEObjectType> getAllowedTypes() { 136 return allowedTypes; 137 } 138 139 140 @Override 141 public void verify(final JOSEObjectType type, final C context) 142 throws BadJOSEException { 143 144 if (type == null && ! allowedTypes.contains(null)) { 145 throw new BadJOSEException("Required JOSE header \"typ\" (type) parameter is missing"); 146 } 147 148 if (! allowedTypes.contains(type)) { 149 throw new BadJOSEException("JOSE header \"typ\" (type) \"" + type + "\" not allowed"); 150 } 151 } 152}