fail fast if encountering a shorteningThreshold other than MAXINT

overheadhunter · overheadhunter · commit a6ecef11735b · 2021-04-19T15:57:18.000+02:00
because c9s support is not currently implemented
diff --git a/src/main/java/org/cryptomator/cloudaccess/CloudAccess.java b/src/main/java/org/cryptomator/cloudaccess/CloudAccess.java
@@ -75,6 +75,7 @@ private static void verifyVaultFormat8GCMConfig(CloudProvider cloudProvider, Clo
 		var verifier = JWT.require(algorithm)
 				.withClaim("format", 8)
 				.withClaim("cipherCombo", "SIV_GCM")
+				.withClaim("shorteningThreshold", Integer.MAX_VALUE) // no shortening supported atm
 				.build();
 
 		var read = cloudProvider.read(vaultConfigPath, ProgressListener.NO_PROGRESS_AWARE);
diff --git a/src/test/java/org/cryptomator/cloudaccess/vaultformat8/VaultFormat8IntegrationTest.java b/src/test/java/org/cryptomator/cloudaccess/vaultformat8/VaultFormat8IntegrationTest.java
@@ -97,6 +97,7 @@ public void testInstantiateFormat8GCMCloudAccessWithWrongVaultVersion() {
 				.withJWTId(UUID.randomUUID().toString())
 				.withClaim("format", 9)
 				.withClaim("cipherCombo", "SIV_GCM")
+				.withClaim("shorteningThreshold", Integer.MAX_VALUE)
 				.sign(algorithm);
 		var in = new ByteArrayInputStream(token.getBytes(StandardCharsets.US_ASCII));
 		localProvider.write(CloudPath.of("/vaultconfig.jwt"), false, in, in.available(), Optional.empty(), ProgressListener.NO_PROGRESS_AWARE).toCompletableFuture().join();
@@ -115,6 +116,7 @@ public void testInstantiateFormat8GCMCloudAccessWithWrongCiphermode() {
 				.withJWTId(UUID.randomUUID().toString())
 				.withClaim("format", 8)
 				.withClaim("cipherCombo", "FOO")
+				.withClaim("shorteningThreshold", Integer.MAX_VALUE)
 				.sign(algorithm);
 		var in = new ByteArrayInputStream(token.getBytes(StandardCharsets.US_ASCII));
 		localProvider.write(CloudPath.of("/vaultconfig.jwt"), false, in, in.available(), Optional.empty(), ProgressListener.NO_PROGRESS_AWARE).toCompletableFuture().join();
@@ -133,12 +135,32 @@ public void testInstantiateFormat8GCMCloudAccessWithWrongKey() {
 		var token = JWT.create()
 				.withJWTId(UUID.randomUUID().toString())
 				.withClaim("format", 8)
-				.withClaim("cipherCombo", "FOO")
+				.withClaim("cipherCombo", "SIV_GCM")
+				.withClaim("shorteningThreshold", Integer.MAX_VALUE)
 				.sign(algorithm);
 		var in = new ByteArrayInputStream(token.getBytes(StandardCharsets.US_ASCII));
 		localProvider.write(CloudPath.of("/vaultconfig.jwt"), false, in, in.available(), Optional.empty(), ProgressListener.NO_PROGRESS_AWARE).toCompletableFuture().join();
 
 		Assertions.assertThrows(VaultKeyVerificationFailedException.class, () -> CloudAccess.vaultFormat8GCMCloudAccess(localProvider, CloudPath.of("/"), new byte[64]));
 	}
 
+	@Test
+	@DisplayName("init with shorteningThreshold")
+	public void testInstantiateFormat8GCMCloudAccessWithShortening() {
+		Assumptions.assumeFalse(localProvider.exists(CloudPath.of("/vaultconfig.jwt")).toCompletableFuture().join());
+
+		byte[] masterkey = new byte[64];
+		Algorithm algorithm = Algorithm.HMAC256(masterkey);
+		var token = JWT.create()
+				.withJWTId(UUID.randomUUID().toString())
+				.withClaim("format", 8)
+				.withClaim("cipherCombo", "SIV_GCM")
+				.withClaim("shorteningThreshold", 42)
+				.sign(algorithm);
+		var in = new ByteArrayInputStream(token.getBytes(StandardCharsets.US_ASCII));
+		localProvider.write(CloudPath.of("/vaultconfig.jwt"), false, in, in.available(), Optional.empty(), ProgressListener.NO_PROGRESS_AWARE).toCompletableFuture().join();
+
+		Assertions.assertThrows(VaultVerificationFailedException.class, () -> CloudAccess.vaultFormat8GCMCloudAccess(localProvider, CloudPath.of("/"), new byte[64]));
+	}
+
 }
