authorjuerg <juerg@google.com>2021-08-31 01:58:23 -0700
committerCopybara-Service <copybara-worker@google.com>2021-08-31 01:59:05 -0700
commit62c473f487c8cb80688ef9fa669b1e53027f2bac (patch)
tree21e2cf08d664582cb60ecb93d872b6b0f323b0d7 /java_src/src/main/java/com/google/crypto/tink/jwt/JwtMacInternal.java
parent2fd2d6f4d4f48431b4ac8f409de4117f0a68ceb2 (diff)
Add validation of inconsistent kid header to JwtMac in Java.
- If "kid" in the key and the token do not match, then the token is rejected. - For output prefix type TINK, we require that the kid is always set. PiperOrigin-RevId: 393946913
Diffstat (limited to 'java_src/src/main/java/com/google/crypto/tink/jwt/JwtMacInternal.java')
-rw-r--r--java_src/src/main/java/com/google/crypto/tink/jwt/JwtMacInternal.java4
1 files changed, 2 insertions, 2 deletions
diff --git a/java_src/src/main/java/com/google/crypto/tink/jwt/JwtMacInternal.java b/java_src/src/main/java/com/google/crypto/tink/jwt/JwtMacInternal.java
index 731177708..ed522093e 100644
--- a/java_src/src/main/java/com/google/crypto/tink/jwt/JwtMacInternal.java
+++ b/java_src/src/main/java/com/google/crypto/tink/jwt/JwtMacInternal.java
@@ -29,6 +29,6 @@ interface JwtMacInternal {
throws GeneralSecurityException;
/** Decodes and verifies a JWT in the JWS compact serialization format. */
- VerifiedJwt verifyMacAndDecode(String compact, JwtValidator validator)
- throws GeneralSecurityException;
+ VerifiedJwt verifyMacAndDecodeWithKid(
+ String compact, JwtValidator validator, Optional<String> kid) throws GeneralSecurityException;
}
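Review bot: The Javadoc above `verifyMacAndDecodeWithKid` is left unchanged and says nothing about the new `kid` argument, even though the commit message makes it a verification rule (a token whose "kid" does not match the key's is rejected, and output prefix type TINK always requires one). Since this is the contract every implementation has to enforce, I would state it on the interface, e.g. `/** Decodes and verifies a JWT in the JWS compact serialization format. If {@code kid} is present, a token whose "kid" header differs from it is rejected. */`. It would also help to document what an empty `kid` means and whether a token with no "kid" header is accepted when `kid` is present; neither is visible in this hunk. The interface body starts outside the hunk, so I cannot see whether `java.util.Optional` is already imported there.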