Upgrade to JJWT 0.10.6

* Update to version 0.10.6
* Use -api, -impl, and -jackson modules
* Drop the use of deprecated JJWT APIs
* Fix a misuse of the key material (testing only)

Author: ctron

bom/pom.xml

@@ -40,7 +40,7 @@
     <java-base-image.name>openjdk:11-jre-slim</java-base-image.name>
     <jaxb.api.version>2.2.12</jaxb.api.version>
     <javax.annotation.api.version>1.3.2</javax.annotation.api.version>
-    <jjwt.version>0.7.0</jjwt.version>
+    <jjwt.version>0.10.6</jjwt.version>
     <jmeter.version>3.3</jmeter.version>
     <junit.version>4.12</junit.version>
     <logback.version>1.2.3</logback.version>
@@ -280,7 +280,17 @@
       </dependency>
       <dependency>
         <groupId>io.jsonwebtoken</groupId>
-        <artifactId>jjwt</artifactId>
+        <artifactId>jjwt-api</artifactId>
+        <version>${jjwt.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.jsonwebtoken</groupId>
+        <artifactId>jjwt-impl</artifactId>
+        <version>${jjwt.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>io.jsonwebtoken</groupId>
+        <artifactId>jjwt-jackson</artifactId>
         <version>${jjwt.version}</version>
       </dependency>
       <dependency>

client/src/test/java/org/eclipse/hono/client/impl/RegistrationClientImplTest.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2016, 2018 Contributors to the Eclipse Foundation
+ * Copyright (c) 2016, 2019 Contributors to the Eclipse Foundation
  *
  * See the NOTICE file(s) distributed with this work for additional
  * information regarding copyright ownership.
@@ -26,6 +26,9 @@
 import java.sql.Date;
 import java.time.Duration;
 import java.time.Instant;
+import java.util.Random;
+
+import javax.crypto.SecretKey;
 
 import org.apache.qpid.proton.message.Message;
 import org.eclipse.hono.cache.ExpiringValueCache;
@@ -45,6 +48,7 @@
 
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
+import io.jsonwebtoken.security.Keys;
 import io.vertx.core.Handler;
 import io.vertx.core.Vertx;
 import io.vertx.core.json.JsonObject;
@@ -214,11 +218,15 @@ private static JsonObject newRegistrationAssertionResult() {
 
     private static JsonObject newRegistrationAssertionResult(final String defaultContentType) {
 
+        final byte[] bits = new byte[32];
+        new Random().nextBytes(bits);
+        final SecretKey key = Keys.hmacShaKeyFor(bits);
+
         final String token = Jwts.builder()
-            .signWith(SignatureAlgorithm.HS256, "asecretkeywithatleastthirtytwobytes")
-            .setExpiration(Date.from(Instant.now().plusSeconds(10)))
-            .setIssuer("test")
-            .compact();
+                .signWith(key, SignatureAlgorithm.HS256)
+                .setExpiration(Date.from(Instant.now().plusSeconds(10)))
+                .setIssuer("test")
+                .compact();
         final JsonObject result = new JsonObject().put(RegistrationConstants.FIELD_ASSERTION, token);
         if (defaultContentType != null) {
             result.put(RegistrationConstants.FIELD_DEFAULTS, new JsonObject()

core/pom.xml

@@ -61,7 +61,11 @@
     </dependency>
     <dependency>
       <groupId>io.jsonwebtoken</groupId>
-      <artifactId>jjwt</artifactId>
+      <artifactId>jjwt-impl</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.jsonwebtoken</groupId>
+      <artifactId>jjwt-jackson</artifactId>
     </dependency>
     <dependency>
       <!-- required as a (missing) transient dependency for JJWT -->

service-base/pom.xml

@@ -64,16 +64,6 @@
       <artifactId>logback-classic</artifactId>
       <scope>test</scope>
     </dependency>
-    <dependency>
-      <groupId>io.jsonwebtoken</groupId>
-      <artifactId>jjwt</artifactId>
-      <exclusions>
-       <exclusion>
-        <groupId>com.fasterxml.jackson.core</groupId>
-        <artifactId>jackson-databind</artifactId>
-       </exclusion>
-      </exclusions>
-    </dependency>
     <dependency>
      <groupId>org.eclipse.hono</groupId>
      <artifactId>hono-client</artifactId>

service-base/src/main/java/org/eclipse/hono/service/auth/AuthTokenHelperImpl.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2016, 2018 Contributors to the Eclipse Foundation
+ * Copyright (c) 2016, 2019 Contributors to the Eclipse Foundation
  *
  * See the NOTICE file(s) distributed with this work for additional
  * information regarding copyright ownership.
@@ -89,7 +89,7 @@ public static AuthTokenHelper forSharedSecret(final String sharedSecret, final l
     public String createToken(final String authorizationId, final Authorities authorities) {
 
         final JwtBuilder builder = Jwts.builder()
-                .signWith(algorithm, key)
+                .signWith(key, algorithm)
                 .setIssuer("Hono")
                 .setSubject(Objects.requireNonNull(authorizationId))
                 .setExpiration(Date.from(Instant.now().plus(tokenLifetime)));

service-base/src/main/java/org/eclipse/hono/service/registration/RegistrationAssertionHelperImpl.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2016, 2018 Contributors to the Eclipse Foundation
+ * Copyright (c) 2016, 2019 Contributors to the Eclipse Foundation
  *
  * See the NOTICE file(s) distributed with this work for additional
  * information regarding copyright ownership.
@@ -94,7 +94,8 @@ public String getAssertion(final String tenantId, final String deviceId) {
             throw new IllegalStateException("no algorithm set");
         }
 
-        return Jwts.builder().signWith(algorithm, key)
+        return Jwts.builder()
+                .signWith(key, algorithm)
                 .setSubject(deviceId)
                 .claim("ten", tenantId)
                 .setExpiration(Date.from(Instant.now().plus(tokenLifetime)))
@@ -112,7 +113,7 @@ public boolean isValid(final String token, final String tenantId, final String d
                     .setAllowedClockSkewSeconds(10)
                     .parse(token);
             return true;
-        } catch (JwtException e) {
+        } catch (final JwtException e) {
             // token is invalid for some reason
             LOG.debug("failed to validate token", e);
             return false;