diff --git a/src/main/java/net/oauth/jsontoken/crypto/RsaSHA1Verifier.java b/src/main/java/net/oauth/jsontoken/crypto/RsaSHA1Verifier.java deleted file mode 100644 index 5f9d379..0000000 --- a/src/main/java/net/oauth/jsontoken/crypto/RsaSHA1Verifier.java +++ /dev/null @@ -1,43 +0,0 @@ -package net.oauth.jsontoken.crypto; - -import java.security.InvalidKeyException; -import java.security.NoSuchAlgorithmException; -import java.security.PublicKey; -import java.security.Signature; -import java.security.SignatureException; - -public class RsaSHA1Verifier implements Verifier { - - private final PublicKey verificationKey; - private final Signature signer; - - /** - * Public Constructor. - * - * @param verificationKey the key used to verify the signature. - */ - public RsaSHA1Verifier(PublicKey verificationKey) { - this.verificationKey = verificationKey; - try { - this.signer = Signature.getInstance("SHA1withRSA"); - this.signer.initVerify(verificationKey); - } catch (NoSuchAlgorithmException e) { - throw new IllegalStateException("platform is missing RSAwithSHA1 signature alg", e); - } catch (InvalidKeyException e) { - throw new IllegalStateException("key is invalid", e); - } - } - - @Override - public void verifySignature(byte[] source, byte[] signature) throws SignatureException { - try { - signer.initVerify(verificationKey); - } catch (InvalidKeyException e) { - throw new RuntimeException("key someone become invalid since calling the constructor"); - } - signer.update(source); - if (!signer.verify(signature)) { - throw new SignatureException("signature did not verify"); - } - } -} diff --git a/src/main/java/net/oauth/jsontoken/crypto/SignatureAlgorithm.java b/src/main/java/net/oauth/jsontoken/crypto/SignatureAlgorithm.java index 4cc77be..c5bf63c 100644 --- a/src/main/java/net/oauth/jsontoken/crypto/SignatureAlgorithm.java +++ b/src/main/java/net/oauth/jsontoken/crypto/SignatureAlgorithm.java @@ -17,9 +17,23 @@ /** Enum of the signature algorithms supported by this package. */ public enum SignatureAlgorithm { + /** HMAC with SHA-256 */ HS256("SHA256"), + /** + * HMAC with SHA-1 + * + * @deprecated SHA-1 is vulnerable to collision attacks + */ + @Deprecated HS1("SHA1"), + /** RSA with SHA-256 */ RS256("SHA256"), + /** + * RSA with SHA-1 + * + * @deprecated SHA-1 is vulnerable to collision attacks + */ + @Deprecated RS1("SHA1"); private final String hashAlg;