|
| 1 | +import 'package:jose/src/jose.dart'; |
1 | 2 | import 'package:jose/src/jwk.dart'; |
2 | 3 | import 'package:jose/src/jwt.dart'; |
| 4 | +import 'package:jose/src/jws.dart'; |
3 | 5 | import 'package:test/test.dart'; |
4 | 6 |
|
5 | 7 | void main() { |
@@ -159,6 +161,38 @@ void main() { |
159 | 161 | expect(claims.expiry, DateTime.fromMillisecondsSinceEpoch(1300819380000)); |
160 | 162 | }); |
161 | 163 |
|
| 164 | + group('Verification key selection', () { |
| 165 | + test('JWT with header jwk is rejected when no matching trusted key exists', |
| 166 | + () async { |
| 167 | + final trustedKey = JsonWebKey.generate('RS256'); |
| 168 | + final keyStore = JsonWebKeyStore()..addKey(trustedKey); |
| 169 | + |
| 170 | + final alternateKey = JsonWebKey.generate('RS256'); |
| 171 | + final claims = JsonWebTokenClaims.fromJson({ |
| 172 | + 'sub': 'user-2', |
| 173 | + 'iss': 'https://trusted-issuer.example.com', |
| 174 | + 'aud': 'my-application', |
| 175 | + 'exp': DateTime.now().add(const Duration(hours: 1)).millisecondsSinceEpoch ~/ 1000, |
| 176 | + 'iat': DateTime.now().millisecondsSinceEpoch ~/ 1000, |
| 177 | + }); |
| 178 | + final builder = JsonWebSignatureBuilder() |
| 179 | + ..jsonContent = claims.toJson() |
| 180 | + ..setProtectedHeader('typ', 'JWT') |
| 181 | + ..addRecipient(alternateKey, algorithm: 'RS256') |
| 182 | + ..setProtectedHeader( |
| 183 | + 'jwk', |
| 184 | + JsonWebKey.fromCryptoKeys( |
| 185 | + publicKey: alternateKey.cryptoKeyPair.publicKey) |
| 186 | + .toJson()); |
| 187 | + final jwtCompact = builder.build().toCompactSerialization(); |
| 188 | + |
| 189 | + expect( |
| 190 | + () => JsonWebToken.decodeAndVerify(jwtCompact, keyStore), |
| 191 | + throwsA(isA<JoseException>()), |
| 192 | + ); |
| 193 | + }); |
| 194 | + }); |
| 195 | + |
162 | 196 | group('JWT with ES256K signature', () { |
163 | 197 | test('JWT with ES256K signature', () async { |
164 | 198 | var key = JsonWebKey.fromJson({ |
|
0 commit comments