Fixed bug in Jose4jJWTService#decode which caused null pointer exception when decoding a request JWT from a webhook

Author: Adam Englander

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 This changelog references the relevant changes (bug and security fixes) for the lifetime of the library.
 
+  * 4.2.1
+
+    * Fixed bug in Jose4jJWTService#decode which caused null pointer exception when decoding a request JWT from a webhook
+
   * 4.2.0
 
     * Add Organization Service management

sdk/src/main/java/com/iovation/launchkey/sdk/crypto/jwt/JWTClaims.java

@@ -41,7 +41,7 @@ public class JWTClaims {
 
     private final String contentHash;
 
-    private final int statusCode;
+    private final Integer statusCode;
 
     private final String cacheControlHeader;
 
@@ -89,7 +89,7 @@ public JWTClaims(
             Integer expiresAt,
             String contentHashAlgorithm,
             String contentHash,
-            int statusCode,
+            Integer statusCode,
             String cacheControlHeader,
             String locationHeader
     ) {
@@ -201,7 +201,7 @@ public String getContentHashAlgorithm() {
      * Get the response status code
      * @return The response status code
      */
-    public int getStatusCode() {
+    public Integer getStatusCode() {
         return statusCode;
     }
 
@@ -228,7 +228,7 @@ public boolean equals(Object o) {
 
         JWTClaims jwtClaims = (JWTClaims) o;
 
-        if (statusCode != jwtClaims.statusCode) return false;
+        if (statusCode != null ? !statusCode.equals(jwtClaims.statusCode) : jwtClaims.statusCode != null) return false;
         if (tokenId != null ? !tokenId.equals(jwtClaims.tokenId) : jwtClaims.tokenId != null) return false;
         if (issuer != null ? !issuer.equals(jwtClaims.issuer) : jwtClaims.issuer != null) return false;
         if (subject != null ? !subject.equals(jwtClaims.subject) : jwtClaims.subject != null) return false;
@@ -257,7 +257,7 @@ public int hashCode() {
         result = 31 * result + (expiresAt != null ? expiresAt.hashCode() : 0);
         result = 31 * result + (contentHashAlgorithm != null ? contentHashAlgorithm.hashCode() : 0);
         result = 31 * result + (contentHash != null ? contentHash.hashCode() : 0);
-        result = 31 * result + statusCode;
+        result = 31 * result + (statusCode != null ? statusCode.hashCode() : 0);
         result = 31 * result + (cacheControlHeader != null ? cacheControlHeader.hashCode() : 0);
         result = 31 * result + (locationHeader != null ? locationHeader.hashCode() : 0);
         return result;

sdk/src/main/java/com/iovation/launchkey/sdk/crypto/jwt/Jose4jJWTService.java

@@ -126,7 +126,7 @@ public JWTClaims decode(PublicKey publicKey, String expectedAudience, String exp
             JwtConsumer jwtConsumer = builder.build();
 
             JwtClaims libraryClaims = jwtConsumer.processToClaims(jwt);
-            Map responseClaims = libraryClaims.getClaimValue("response", Map.class);
+            Map responseClaims = libraryClaims.getClaimValue("response", Map.class) == null ? new HashMap<String, Object>(): libraryClaims.getClaimValue("response", Map.class);
 
             claims = new JWTClaims(
                     libraryClaims.getJwtId(),
@@ -138,7 +138,7 @@ public JWTClaims decode(PublicKey publicKey, String expectedAudience, String exp
                     (int) libraryClaims.getExpirationTime().getValue(),
                     responseClaims.get("func") == null ? null : String.valueOf(responseClaims.get("func")),
                     responseClaims.get("hash") == null ? null : String.valueOf(responseClaims.get("hash")),
-                    Integer.valueOf(String.valueOf(responseClaims.get("status"))),
+                    responseClaims.get("status") == null ? null :Integer.valueOf(String.valueOf(responseClaims.get("status"))),
                     responseClaims.get("cache") == null ? null : String.valueOf(responseClaims.get("cache")),
                     responseClaims.get("location") == null ? null : String.valueOf(responseClaims.get("location"))
             );

sdk/src/test/java/com/iovation/launchkey/sdk/crypto/jwt/JWTClaimsTest.java

@@ -91,7 +91,7 @@ public void getContentHashAlgorithm() throws Exception {
 
     @Test
     public void getStatusCode() throws Exception {
-        assertEquals(201, jwtClaims.getStatusCode());
+        assertEquals(Integer.valueOf(201), jwtClaims.getStatusCode());
     }
 
     @Test

sdk/src/test/java/com/iovation/launchkey/sdk/crypto/jwt/Jose4jJWTServiceTest.java

@@ -5,8 +5,11 @@
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.jose4j.jwa.AlgorithmConstraints;
 import org.jose4j.jws.AlgorithmIdentifiers;
+import org.jose4j.jws.JsonWebSignature;
+import org.jose4j.jwt.JwtClaims;
 import org.jose4j.jwt.consumer.JwtConsumer;
 import org.jose4j.jwt.consumer.JwtConsumerBuilder;
+import org.jose4j.lang.JoseException;
 import org.junit.Before;
 import org.junit.Test;
 
@@ -46,8 +49,8 @@ public class Jose4jJWTServiceTest {
 
     private Jose4jJWTService jwtService;
     private Date platformDate;
-    private KeyPair keyPair;
-    private String currentPrivateKeyId;
+    private static KeyPair keyPair = null;
+    private static String currentPrivateKeyId = null;
 
     @SuppressWarnings("SpellCheckingInspection")
     private static final String PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\n" +
@@ -77,12 +80,14 @@ public class Jose4jJWTServiceTest {
 
     @Before
     public void setUp() throws Exception {
-        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", provider);
-        keyPairGenerator.initialize(2048);
-        keyPair = keyPairGenerator.generateKeyPair();
+        if (keyPair == null) {
+            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", provider);
+            keyPairGenerator.initialize(2048);
+            keyPair = keyPairGenerator.generateKeyPair();
+            currentPrivateKeyId = JCECrypto.getRsaPublicKeyFingerprint(provider, (RSAPrivateKey) keyPair.getPrivate());
+        }
         platformDate = new Date();
         privateKeys = new HashMap<>();
-        currentPrivateKeyId = JCECrypto.getRsaPublicKeyFingerprint(provider, (RSAPrivateKey) keyPair.getPrivate());
         privateKeys.put(currentPrivateKeyId, (RSAPrivateKey) keyPair.getPrivate());
         jwtService = new Jose4jJWTService(
                 PLATFORM_IDENTIFIER,
@@ -92,6 +97,7 @@ public void setUp() throws Exception {
         );
     }
 
+
     @Test
     public void encodeEncodesSomethingThatProperlyDecodes() throws Exception {
 
@@ -197,4 +203,175 @@ public void testJwtDoesNotCollideForSameRequestDataHash() throws Exception {
         assertNotEquals(Hex.encodeHexString(sha256.digest(a.getBytes())),
                 Hex.encodeHexString(sha256.digest(b.getBytes())));
     }
+
+    @Test
+    public void testDecodeProcessesTID() throws Exception {
+        JwtClaims jwtClaims = getBaseClaims();
+        String expected = "Expected";
+        jwtClaims.setJwtId(expected);
+        String jwt = getJwsCompactSerializationFromJtwClaims(jwtClaims);
+        final String actual =
+                jwtService.decode(keyPair.getPublic(), ENTITY_IDENTIFIER, expected, new Date(), jwt).getTokenId();
+        assertEquals(expected, actual);
+    }
+
+    @Test
+    public void testDecodeProcessesIssuer() throws Exception {
+        JwtClaims jwtClaims = getBaseClaims();
+        String jwt = getJwsCompactSerializationFromJtwClaims(jwtClaims);
+        final String actual =
+                jwtService.decode(keyPair.getPublic(), ENTITY_IDENTIFIER, jwtClaims.getJwtId(), new Date(), jwt)
+                        .getIssuer();
+        assertEquals(PLATFORM_IDENTIFIER, actual);
+    }
+
+    @Test
+    public void testDecodeProcessesSubject() throws Exception {
+        JwtClaims jwtClaims = getBaseClaims();
+        String expected = "Expected";
+        jwtClaims.setSubject(expected);
+        String jwt = getJwsCompactSerializationFromJtwClaims(jwtClaims);
+        final String actual =
+                jwtService.decode(keyPair.getPublic(), ENTITY_IDENTIFIER, jwtClaims.getJwtId(), new Date(), jwt)
+                        .getSubject();
+        assertEquals(expected, actual);
+    }
+
+    @Test
+    public void testDecodeProcessesAudience() throws Exception {
+        JwtClaims jwtClaims = getBaseClaims();
+        String expected = "Expected";
+        jwtClaims.setAudience(expected);
+        String jwt = getJwsCompactSerializationFromJtwClaims(jwtClaims);
+        final String actual =
+                jwtService.decode(keyPair.getPublic(), expected, jwtClaims.getJwtId(), new Date(), jwt).getAudience();
+        assertEquals(expected, actual);
+    }
+
+    @Test
+    public void testDecodeProcessesIssuedAt() throws Exception {
+        JwtClaims jwtClaims = getBaseClaims();
+        String jwt = getJwsCompactSerializationFromJtwClaims(jwtClaims);
+        final long actual =
+                (long) jwtService.decode(keyPair.getPublic(), ENTITY_IDENTIFIER, jwtClaims.getJwtId(), new Date(), jwt)
+                        .getIssuedAt();
+        assertEquals(jwtClaims.getIssuedAt().getValue(), actual);
+    }
+
+    @Test
+    public void testDecodeProcessesNotBefore() throws Exception {
+        JwtClaims jwtClaims = getBaseClaims();
+        String jwt = getJwsCompactSerializationFromJtwClaims(jwtClaims);
+        final long actual =
+                (long) jwtService.decode(keyPair.getPublic(), ENTITY_IDENTIFIER, jwtClaims.getJwtId(), new Date(), jwt)
+                        .getNotBefore();
+        assertEquals(jwtClaims.getNotBefore().getValue(), actual);
+    }
+
+    @Test
+    public void testDecodeProcessesExpiresAt() throws Exception {
+        JwtClaims jwtClaims = getBaseClaims();
+        String jwt = getJwsCompactSerializationFromJtwClaims(jwtClaims);
+        final long actual =
+                (long) jwtService.decode(keyPair.getPublic(), ENTITY_IDENTIFIER, jwtClaims.getJwtId(), new Date(), jwt)
+                        .getExpiresAt();
+        assertEquals(jwtClaims.getExpirationTime().getValue(), actual);
+    }
+
+    @Test
+    public void testDecodeProcessesResponseContentHash() throws Exception {
+        JwtClaims jwtClaims = getBaseClaims();
+        String expected = "Expected";
+        Map<String, Object> response = new HashMap<>();
+        response.put("hash", expected);
+        jwtClaims.setClaim("response", response);
+        String jwt = getJwsCompactSerializationFromJtwClaims(jwtClaims);
+        final String actual =
+                jwtService.decode(keyPair.getPublic(), ENTITY_IDENTIFIER, jwtClaims.getJwtId(), new Date(), jwt)
+                        .getContentHash();
+        assertEquals(expected, actual);
+    }
+
+    @Test
+    public void testDecodeProcessesResponseContentHashAlgorithm() throws Exception {
+        JwtClaims jwtClaims = getBaseClaims();
+        String expected = "Expected";
+        Map<String, Object> response = new HashMap<>();
+        response.put("func", expected);
+        jwtClaims.setClaim("response", response);
+        String jwt = getJwsCompactSerializationFromJtwClaims(jwtClaims);
+        final String actual =
+                jwtService.decode(keyPair.getPublic(), ENTITY_IDENTIFIER, jwtClaims.getJwtId(), new Date(), jwt)
+                        .getContentHashAlgorithm();
+        assertEquals(expected, actual);
+    }
+
+    @Test
+    public void testDecodeProcessesResponseStatusCode() throws Exception {
+        JwtClaims jwtClaims = getBaseClaims();
+        Integer expected = 200;
+        Map<String, Object> response = new HashMap<>();
+        response.put("status", expected);
+        jwtClaims.setClaim("response", response);
+        String jwt = getJwsCompactSerializationFromJtwClaims(jwtClaims);
+        final Integer actual =
+                jwtService.decode(keyPair.getPublic(), ENTITY_IDENTIFIER, jwtClaims.getJwtId(), new Date(), jwt)
+                        .getStatusCode();
+        assertEquals(expected, actual);
+    }
+
+    @Test
+    public void testDecodeProcessesResponseCacheControlHeader() throws Exception {
+        JwtClaims jwtClaims = getBaseClaims();
+        String expected = "Expected";
+        Map<String, Object> response = new HashMap<>();
+        response.put("cache", expected);
+        jwtClaims.setClaim("response", response);
+        String jwt = getJwsCompactSerializationFromJtwClaims(jwtClaims);
+        final String actual =
+                jwtService.decode(keyPair.getPublic(), ENTITY_IDENTIFIER, jwtClaims.getJwtId(), new Date(), jwt)
+                        .getCacheControlHeader();
+        assertEquals(expected, actual);
+    }
+
+    @Test
+    public void testDecodeProcessesResponseLocationHeader() throws Exception {
+        JwtClaims jwtClaims = getBaseClaims();
+        String expected = "Expected";
+        Map<String, Object> response = new HashMap<>();
+        response.put("location", expected);
+        jwtClaims.setClaim("response", response);
+        String jwt = getJwsCompactSerializationFromJtwClaims(jwtClaims);
+        final String actual =
+                jwtService.decode(keyPair.getPublic(), ENTITY_IDENTIFIER, jwtClaims.getJwtId(), new Date(), jwt)
+                        .getLocationHeader();
+        assertEquals(expected, actual);
+    }
+
+    private JwtClaims getBaseClaims() {
+        JwtClaims jwtClaims = new JwtClaims();
+        jwtClaims.setGeneratedJwtId();
+        jwtClaims.setExpirationTimeMinutesInTheFuture(60000);
+        jwtClaims.setAudience(ENTITY_IDENTIFIER);
+        jwtClaims.setIssuer(PLATFORM_IDENTIFIER);
+        jwtClaims.setIssuedAtToNow();
+        jwtClaims.setNotBeforeMinutesInThePast(0);
+        return jwtClaims;
+    }
+
+    private String getJwsCompactSerializationFromJtwClaims(JwtClaims claims) throws JWTError {
+        JsonWebSignature jws = new JsonWebSignature();
+        jws.setKeyIdHeaderValue(currentPrivateKeyId);
+        jws.setKey(privateKeys.get(currentPrivateKeyId));
+        jws.setPayload(claims.toJson());
+        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
+
+        String jwt;
+        try {
+            jwt = jws.getCompactSerialization();
+        } catch (JoseException e) {
+            throw new JWTError("An error occurred encoding the JWT", e);
+        }
+        return jwt;
+    }
 }