Backport JJWT and dependencies update from main

mrts · mrts · commit 30a291fa48d1 · 2025-11-03T23:08:18.000+02:00
WE2-1132

Signed-off-by: Mart Somermaa &lt;mrts@users.noreply.github.com&gt;
diff --git a/pom.xml b/pom.xml
@@ -14,11 +14,11 @@
         <maven.version>3.3.9</maven.version>
         <maven-surefire-plugin.version>3.5.4</maven-surefire-plugin.version>
         <java.version>1.8</java.version>
-        <jjwt.version>0.11.5</jjwt.version>
+        <jjwt.version>0.13.0</jjwt.version>
         <jackson.version>2.18.5</jackson.version>
-        <slf4j.version>1.7.36</slf4j.version>
-        <bouncycastle.version>1.70</bouncycastle.version>
-        <okhttp.version>4.10.0</okhttp.version>
+        <slf4j.version>2.0.17</slf4j.version>
+        <bouncycastle.version>1.82</bouncycastle.version>
+        <okhttp.version>5.3.0</okhttp.version>
         <junit-jupiter.version>5.12.0</junit-jupiter.version>
         <assertj.version>3.27.3</assertj.version>
         <mockito.version>4.11.0</mockito.version>
@@ -56,17 +56,17 @@
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk15on</artifactId>
+            <artifactId>bcprov-jdk18on</artifactId>
             <version>${bouncycastle.version}</version>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcpkix-jdk15on</artifactId>
+            <artifactId>bcpkix-jdk18on</artifactId>
             <version>${bouncycastle.version}</version>
         </dependency>
         <dependency>
             <groupId>com.squareup.okhttp3</groupId>
-            <artifactId>okhttp</artifactId>
+            <artifactId>okhttp-jvm</artifactId>
             <version>${okhttp.version}</version>
         </dependency>
 
diff --git a/src/main/java/eu/webeid/security/validator/AuthTokenSignatureValidator.java b/src/main/java/eu/webeid/security/validator/AuthTokenSignatureValidator.java
@@ -25,11 +25,12 @@
 import eu.webeid.security.exceptions.AuthTokenParseException;
 import eu.webeid.security.exceptions.AuthTokenSignatureValidationException;
 import eu.webeid.security.exceptions.ChallengeNullOrEmptyException;
-import io.jsonwebtoken.SignatureAlgorithm;
-import io.jsonwebtoken.impl.crypto.DefaultSignatureValidatorFactory;
-import io.jsonwebtoken.impl.crypto.SignatureValidator;
-import io.jsonwebtoken.security.SignatureException;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.impl.security.DefaultVerifySecureDigestRequest;
+import io.jsonwebtoken.security.SignatureAlgorithm;
+import io.jsonwebtoken.security.VerifySecureDigestRequest;
 
+import java.io.ByteArrayInputStream;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
@@ -73,25 +74,20 @@ public void validate(String algorithm, String signature, PublicKey publicKey, St
             throw new AuthTokenParseException("Unsupported signature algorithm");
         }
 
-        SignatureAlgorithm signatureAlgorithm;
+        final SignatureAlgorithm signatureAlgorithm = (SignatureAlgorithm) Jwts.SIG.get().forKey(algorithm);
+        if (signatureAlgorithm == null) {
+            // Should not happen, see ALLOWED_SIGNATURE_ALGORITHMS check above.
+            throw new AuthTokenParseException("JJWT does not support signature algorithm: " + algorithm);
+        }
         MessageDigest hashAlgorithm;
         try {
-            signatureAlgorithm = SignatureAlgorithm.forName(algorithm);
             hashAlgorithm = hashAlgorithmForName(algorithm);
-        } catch (SignatureException e) {
-            // Should not happen, see ALLOWED_SIGNATURE_ALGORITHMS check above.
-            throw new AuthTokenParseException("Invalid signature algorithm", e);
         } catch (NoSuchAlgorithmException e) {
-            throw new AuthTokenParseException("Invalid hash algorithm", e);
-        }
-        if (signatureAlgorithm == null || signatureAlgorithm == SignatureAlgorithm.NONE) {
             // Should not happen, see ALLOWED_SIGNATURE_ALGORITHMS check above.
-            throw new AuthTokenParseException("Invalid signature algorithm");
+            throw new AuthTokenParseException("Invalid hash algorithm", e);
         }
         Objects.requireNonNull(hashAlgorithm, "hashAlgorithm");
-        signatureAlgorithm.assertValidVerificationKey(publicKey);
-        final SignatureValidator signatureValidator = DefaultSignatureValidatorFactory.INSTANCE
-            .createSignatureValidator(signatureAlgorithm, publicKey);
+
         final byte[] decodedSignature = decodeBase64(signature);
 
         final byte[] originHash = hashAlgorithm.digest(originBytes);
@@ -100,9 +96,13 @@ public void validate(String algorithm, String signature, PublicKey publicKey, St
 
         // Note that in case of ECDSA, the eID card outputs raw R||S, but JCA's SHA384withECDSA signature
         // validation implementation requires the signature in DER encoding.
-        // JJWT's EllipticCurveProvider.transcodeSignatureToDER() internally takes care of transcoding
-        // raw R||S to DER as needed inside EllipticCurveProvider.isValid().
-        if (!signatureValidator.isValid(concatSignedFields, decodedSignature)) {
+        // JJWT internally takes care of transcoding raw R||S to DER as needed.
+        final VerifySecureDigestRequest<PublicKey> verificationRequest =
+            new DefaultVerifySecureDigestRequest<>(
+                new ByteArrayInputStream(concatSignedFields),
+                null, null,
+                publicKey, decodedSignature);
+        if (!signatureAlgorithm.verify(verificationRequest)) {
             throw new AuthTokenSignatureValidationException();
         }
     }
