Normalize origin.

chenkins · chenkins · commit 7526fed37159 · 2025-11-04T21:03:17.000+01:00
diff --git a/hub/src/main/java/cloud/katta/crypto/uvf/UvfMetadataPayload.java b/hub/src/main/java/cloud/katta/crypto/uvf/UvfMetadataPayload.java
@@ -337,7 +337,7 @@ public String encrypt(final String apiURL, final UUID vaultId, final JWKSet keys
         final JWEObjectJSON builder = new JWEObjectJSON(
                 new JWEHeader.Builder(EncryptionMethod.A256GCM)
                         // kid goes into recipient-specific header
-                        .customParam("origin", String.format("%s/vaults/%s/uvf/vault.uvf", apiURL, vaultId.toString()))
+                        .customParam("origin", URI.create(String.format("%s/vaults/%s/uvf/vault.uvf", apiURL, vaultId.toString())).normalize().toString())
                         .jwkURL(URI.create("jwks.json"))
                         .contentType("json")
                         .criticalParams(Collections.singleton(UVF_SPEC_VERSION_KEY_PARAM))
diff --git a/hub/src/test/java/cloud/katta/crypto/uvf/UvfMetadataPayloadTest.java b/hub/src/test/java/cloud/katta/crypto/uvf/UvfMetadataPayloadTest.java
@@ -32,6 +32,7 @@
 import cloud.katta.protocols.hub.HubSession;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWEObjectJSON;
 import com.nimbusds.jose.jwk.Curve;
 import com.nimbusds.jose.jwk.ECKey;
 import com.nimbusds.jose.jwk.JWKSet;
@@ -103,17 +104,20 @@ void encryptDecrypt() throws JOSEException, JsonProcessingException, ParseExcept
         final OctetSequenceKey memberKey = jwks.memberKey();
         final ECKey recoveryKey = jwks.recoveryKey();
 
-        final String encrypted = orig.encrypt("https://example.com/api/", UUID.randomUUID(), jwks.toJWKSet());
+        final UUID vaultId = UUID.randomUUID();
+        final String encrypted = orig.encrypt("https://example.com/api/", vaultId, jwks.toJWKSet());
 
         // decrypt with memberKey
         {
             final UvfMetadataPayload decrypted = UvfMetadataPayload.decryptWithJWK(encrypted, memberKey);
+            assertEquals(String.format("https://example.com/api/vaults/%s/uvf/vault.uvf", vaultId), JWEObjectJSON.parse(encrypted).getHeader().getCustomParams().get("origin"));
             assertEquals(orig, decrypted);
         }
 
         // decrypt with recoveryKey
         {
             final UvfMetadataPayload decrypted = UvfMetadataPayload.decryptWithJWK(encrypted, recoveryKey);
+            assertEquals(String.format("https://example.com/api/vaults/%s/uvf/vault.uvf", vaultId), JWEObjectJSON.parse(encrypted).getHeader().getCustomParams().get("origin"));
             assertEquals(orig, decrypted);
         }
 
