search

eclipse-vertx / vertx-auth

Apache License 2.0
160 stars 153 forks source link

[JWT Auth provider] JWTAuthOptions creation fails when using PasswordProtection in KeyStoreOptions #667

Closed difflib closed 10 months ago

difflib commented 10 months ago

Version

vertx 4.4.6

Context

When I use the code from this:

val config = JWTAuthOptions()
            .setKeyStore(
                KeyStoreOptions()
                    .setPath("keystore.jceks")
                    .setPassword("secret")
                    .setType("JCEKS")
                    .setProvider("SunJCE")
            )
val provider: JWTAuth = JWTAuth.create(vertx, config)

The JWTAuth creation is OK. However when I try to use a putPasswordProtection (or setPasswordProtection) to build KeyStoreOptions, like this:

val config = JWTAuthOptions()
            .setKeyStore(
                KeyStoreOptions()
                    .setPath("keystore.jceks")
                    .setPassword("secret")
                    .putPasswordProtection("hs256","secret")
                    .setType("JCEKS")
                    .setProvider("SunJCE")
            )
val provider: JWTAuth = JWTAuth.create(vertx, config)

This exception is raised

......
java.lang.NullPointerException: Cannot invoke "String.toCharArray()" because the return value of "java.util.Map.get(Object)" is null
    at io.vertx.ext.auth.impl.jose.JWK.load(JWK.java:147)
    at io.vertx.ext.auth.jwt.impl.JWTAuthProviderImpl.<init>(JWTAuthProviderImpl.java:101)
    at io.vertx.ext.auth.jwt.JWTAuth.create(JWTAuth.java:42)
    at com.difflib.cms.TestMainVerticle.debug(TestMainVerticle.kt:149)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:727)
    at org.junit.jupiter.engine.execution.MethodInvocation.proceed(MethodInvocation.java:60)
    at org.junit.jupiter.engine.execution.InvocationInterceptorChain$ValidatingInvocation.proceed(InvocationInterceptorChain.java:131)
......

Extra

OS version:Ubuntu 22.04.3 LTS JVM version:17.0.6 Kotlin version:232-1.9.20-release-507-IJ10072.27

gaol commented 10 months ago

@difflib have you tried with HS256 with capitalized characters: .putPasswordProtection("HS256","secret") ?

tsegismont commented 10 months ago

@gaol indeed, they should use the HS256 key instead of hs256.

However, the implementation does not take into account the possibility that the map does not contain an entry for a given alias. I've sent #668 to address this

tsegismont commented 10 months ago

NPE Fixed by 292eb2a1