Algorithms should take Data not a String

Closes #37

Author: kylef

CHANGELOG.md

@@ -1,5 +1,18 @@
 # JSON Web Token Changelog
 
+## Master
+
+### Breaking
+
+- Algorithms now take `Data` instead of a `String`. This improves the API
+  allowing you to use keys that cannot be serialised as a String.
+
+  You can easily convert a String to Data such as in the following example:
+
+  ```swift
+  .hs256("secret".data(using: .utf8)!)
+  ```
+
 ## 2.0.0
 
 This release adds support for Swift 3.0.

JWTTests/JWTTests.swift

@@ -1,16 +1,17 @@
+import Foundation
 import XCTest
 import JWT
 
 class JWTEncodeTests : XCTestCase {
   func testEncodingJWT() {
     let payload = ["name": "Kyle"] as Payload
-    let jwt = JWT.encode(payload, algorithm: .hs256("secret"))
+    let jwt = JWT.encode(payload, algorithm: .hs256("secret".data(using: .utf8)!))
     let fixture = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiS3lsZSJ9.zxm7xcp1eZtZhp4t-nlw09ATQnnFKIiSN83uG8u6cAg"
     XCTAssertEqual(jwt, fixture)
   }
 
   func testEncodingWithBuilder() {
-    let algorithm = Algorithm.hs256("secret")
+    let algorithm = Algorithm.hs256("secret".data(using: .utf8)!)
     let jwt = JWT.encode(algorithm) { builder in
       builder.issuer = "fuller.li"
     }
@@ -77,7 +78,7 @@ class JWTDecodeTests : XCTestCase {
   func testDecodingValidJWT() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiS3lsZSJ9.zxm7xcp1eZtZhp4t-nlw09ATQnnFKIiSN83uG8u6cAg"
 
-    assertSuccess(try JWT.decode(jwt, algorithm: .hs256("secret"))) { payload in
+    assertSuccess(try JWT.decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!))) { payload in
       XCTAssertEqual(payload as NSDictionary, ["name": "Kyle"])
     }
   }
@@ -97,45 +98,45 @@ class JWTDecodeTests : XCTestCase {
 
   func testSuccessfulIssuerValidation() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJmdWxsZXIubGkifQ.d7B7PAQcz1E6oNhrlxmHxHXHgg39_k7X7wWeahl8kSQ"
-    assertSuccess(try decode(jwt, algorithm: .hs256("secret"), issuer:"fuller.li")) { payload in
+    assertSuccess(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!), issuer:"fuller.li")) { payload in
       XCTAssertEqual(payload as NSDictionary, ["iss": "fuller.li"])
     }
   }
 
   func testIncorrectIssuerValidation() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJmdWxsZXIubGkifQ.wOhJ9_6lx-3JGJPmJmtFCDI3kt7uMAMmhHIslti7ryI"
-    assertFailure(try decode(jwt, algorithm: .hs256("secret"), issuer:"querykit.org"))
+    assertFailure(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!), issuer:"querykit.org"))
   }
 
   func testMissingIssuerValidation() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w"
-    assertFailure(try decode(jwt, algorithm: .hs256("secret"), issuer:"fuller.li"))
+    assertFailure(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!), issuer:"fuller.li"))
   }
 
   // MARK: Expiration claim
 
   func testExpiredClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0MjgxODg0OTF9.cy6b2szsNkKnHFnz2GjTatGjoHBTs8vBKnPGZgpp91I"
-    assertFailure(try decode(jwt, algorithm: .hs256("secret")))
+    assertFailure(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!)))
   }
 
   func testInvalidExpiaryClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOlsiMTQyODE4ODQ5MSJdfQ.OwF-wd3THjxrEGUhh6IdnNhxQZ7ydwJ3Z6J_dfl9MBs"
-    assertFailure(try decode(jwt, algorithm: .hs256("secret")))
+    assertFailure(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!)))
   }
 
   func testUnexpiredClaim() {
     // If this just started failing, hello 2024!
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjgxODg0OTF9.EW7k-8Mvnv0GpvOKJalFRLoCB3a3xGG3i7hAZZXNAz0"
-    assertSuccess(try decode(jwt, algorithm: .hs256("secret"))) { payload in
+    assertSuccess(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!))) { payload in
       XCTAssertEqual(payload as NSDictionary, ["exp": 1728188491])
     }
   }
 
   func testUnexpiredClaimString() {
     // If this just started failing, hello 2024!
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIxNzI4MTg4NDkxIn0.y4w7lNLrfRRPzuNUfM-ZvPkoOtrTU_d8ZVYasLdZGpk"
-    assertSuccess(try decode(jwt, algorithm: .hs256("secret"))) { payload in
+    assertSuccess(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!))) { payload in
       XCTAssertEqual(payload as NSDictionary, ["exp": "1728188491"])
     }
   }
@@ -144,81 +145,81 @@ class JWTDecodeTests : XCTestCase {
 
   func testNotBeforeClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0MjgxODk3MjB9.jFT0nXAJvEwyG6R7CMJlzNJb7FtZGv30QRZpYam5cvs"
-    assertSuccess(try decode(jwt, algorithm: .hs256("secret"))) { payload in
+    assertSuccess(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!))) { payload in
       XCTAssertEqual(payload as NSDictionary, ["nbf": 1428189720])
     }
   }
 
   func testNotBeforeClaimString() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOiIxNDI4MTg5NzIwIn0.qZsj36irdmIAeXv6YazWDSFbpuxHtEh4Deof5YTpnVI"
-    assertSuccess(try decode(jwt, algorithm: .hs256("secret"))) { payload in
+    assertSuccess(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!))) { payload in
       XCTAssertEqual(payload as NSDictionary, ["nbf": "1428189720"])
     }
   }
 
   func testInvalidNotBeforeClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOlsxNDI4MTg5NzIwXX0.PUL1FQubzzJa4MNXe2D3d5t5cMaqFr3kYlzRUzly-C8"
-    assertDecodeError(try decode(jwt, algorithm: .hs256("secret")), error: "Not before claim (nbf) must be an integer")
+    assertDecodeError(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!)), error: "Not before claim (nbf) must be an integer")
   }
 
   func testUnmetNotBeforeClaim() {
     // If this just started failing, hello 2024!
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MjgxODg0OTF9.Tzhu1tu-7BXcF5YEIFFE1Vmg4tEybUnaz58FR4PcblQ"
-    assertFailure(try decode(jwt, algorithm: .hs256("secret")))
+    assertFailure(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!)))
   }
 
   // MARK: Issued at claim
 
   func testIssuedAtClaimInThePast() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0MjgxODk3MjB9.I_5qjRcCUZVQdABLwG82CSuu2relSdIyJOyvXWUAJh4"
-    assertSuccess(try decode(jwt, algorithm: .hs256("secret"))) { payload in
+    assertSuccess(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!))) { payload in
       XCTAssertEqual(payload as NSDictionary, ["iat": 1428189720])
     }
   }
 
   func testIssuedAtClaimInThePastString() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOiIxNDI4MTg5NzIwIn0.M8veWtsY52oBwi7LRKzvNnzhjK0QBS8Su1r0atlns2k"
-    assertSuccess(try decode(jwt, algorithm: .hs256("secret"))) { payload in
+    assertSuccess(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!))) { payload in
       XCTAssertEqual(payload as NSDictionary, ["iat": "1428189720"])
     }
   }
 
   func testIssuedAtClaimInTheFuture() {
     // If this just started failing, hello 2024!
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjgxODg0OTF9.owHiJyJmTcW1lBW5y_Rz3iBfSbcNiXlbZ2fY9qR7-aU"
-    assertFailure(try decode(jwt, algorithm: .hs256("secret")))
+    assertFailure(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!)))
   }
 
   func testInvalidIssuedAtClaim() {
     // If this just started failing, hello 2024!
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOlsxNzI4MTg4NDkxXX0.ND7QMWtLkXDXH38OaXM3SQgLo3Z5TNgF_pcfWHV_alQ"
-    assertDecodeError(try decode(jwt, algorithm: .hs256("secret")), error: "Issued at claim (iat) must be an integer")
+    assertDecodeError(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!)), error: "Issued at claim (iat) must be an integer")
   }
 
   // MARK: Audience claims
 
   func testAudiencesClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsibWF4aW5lIiwia2F0aWUiXX0.-PKvdNLCClrWG7CvesHP6PB0-vxu-_IZcsYhJxBy5JM"
-    assertSuccess(try decode(jwt, algorithm: .hs256("secret"), audience:"maxine")) { payload in
+    assertSuccess(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!), audience:"maxine")) { payload in
       XCTAssertEqual(payload as NSDictionary, ["aud": ["maxine", "katie"]])
     }
   }
 
   func testAudienceClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJreWxlIn0.dpgH4JOwueReaBoanLSxsGTc7AjKUvo7_M1sAfy_xVE"
-    assertSuccess(try decode(jwt, algorithm: .hs256("secret"), audience:"kyle")) { payload in
+    assertSuccess(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!), audience:"kyle")) { payload in
       XCTAssertEqual(payload as NSDictionary, ["aud": "kyle"])
     }
   }
 
   func testMismatchAudienceClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJreWxlIn0.VEB_n06pTSLlTXPFkc46ARADJ9HXNUBUPo3VhL9RDe4" // kyle
-    assertFailure(try decode(jwt, algorithm: .hs256("secret"), audience:"maxine"))
+    assertFailure(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!), audience:"maxine"))
   }
 
   func testMissingAudienceClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w"
-    assertFailure(try decode(jwt, algorithm: .hs256("secret"), audience:"kyle"))
+    assertFailure(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!), audience:"kyle"))
   }
 
   // MARK: Signature verification
@@ -232,24 +233,24 @@ class JWTDecodeTests : XCTestCase {
 
   func testNoneFailsWithSecretAlgorithm() {
     let jwt = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ0ZXN0IjoiaW5nIn0."
-    assertFailure(try decode(jwt, algorithm: .hs256("secret")))
+    assertFailure(try decode(jwt, algorithm: .hs256("secret".data(using: .utf8)!)))
   }
 
   func testMatchesAnyAlgorithm() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w."
-    assertFailure(try decode(jwt, algorithms: [.hs256("anothersecret"), .hs256("secret")]))
+    assertFailure(try decode(jwt, algorithms: [.hs256("anothersecret".data(using: .utf8)!), .hs256("secret".data(using: .utf8)!)]))
   }
 
   func testHS384Algorithm() {
     let jwt = "eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.lddiriKLoo42qXduMhCTKZ5Lo3njXxOC92uXyvbLyYKzbq4CVVQOb3MpDwnI19u4"
-    assertSuccess(try decode(jwt, algorithm: .hs384("secret"))) { payload in
+    assertSuccess(try decode(jwt, algorithm: .hs384("secret".data(using: .utf8)!))) { payload in
       XCTAssertEqual(payload as NSDictionary, ["some": "payload"])
     }
   }
 
   func testHS512Algorithm() {
     let jwt = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzb21lIjoicGF5bG9hZCJ9.WTzLzFO079PduJiFIyzrOah54YaM8qoxH9fLMQoQhKtw3_fMGjImIOokijDkXVbyfBqhMo2GCNu4w9v7UXvnpA"
-    assertSuccess(try decode(jwt, algorithm: .hs512("secret"))) { payload in
+    assertSuccess(try decode(jwt, algorithm: .hs512("secret".data(using: .utf8)!))) { payload in
       XCTAssertEqual(payload as NSDictionary, ["some": "payload"])
     }
   }

README.md

@@ -21,13 +21,13 @@ import JWT
 ### Encoding a claim
 
 ```swift
-JWT.encode(["my": "payload"], algorithm: .HS256("secret"))
+JWT.encode(["my": "payload"], algorithm: .hs256("secret".data(using: .utf8)!))
 ```
 
 #### Building a JWT with the builder pattern
 
 ```swift
-JWT.encode(.hs256("secret")) { builder in
+JWT.encode(.hs256("secret".data(using: .utf8))) { builder in
   builder.issuer = "fuller.li"
   builder.issuedAt = Date()
   builder["custom"] = "Hi"
@@ -40,7 +40,7 @@ When decoding a JWT, you must supply one or more algorithms and keys.
 
 ```swift
 do {
-  let payload = try JWT.decode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w", algorithm: .hs256("secret"))
+  let payload = try JWT.decode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w", algorithm: .hs256("secret".data(using: .utf8)!))
   print(payload)
 } catch {
   print("Failed to decode JWT: \(error)")
@@ -50,7 +50,11 @@ do {
 When the JWT may be signed with one out of many algorithms or keys:
 
 ```swift
-try JWT.decode("eyJh...5w", algorithms: [.hs256("secret"), .hs256("secret2"), .hs512("secure")])
+try JWT.decode("eyJh...5w", algorithms: [
+  .hs256("secret".data(using: .utf8)!),
+  .hs256("secret2".data(using: .utf8)!),
+  .hs512("secure".data(using: .utf8)!)
+])
 ```
 
 #### Supported claims

Sources/JWT.swift

@@ -9,32 +9,13 @@ public enum Algorithm : CustomStringConvertible {
   case none
 
   /// HMAC using SHA-256 hash algorithm
-  case hs256(String)
+  case hs256(Data)
 
   /// HMAC using SHA-384 hash algorithm
-  case hs384(String)
+  case hs384(Data)
 
   /// HMAC using SHA-512 hash algorithm
-  case hs512(String)
-
-  static func algorithm(_ name:String, key:String?) -> Algorithm? {
-    if name == "none" {
-      if key != nil {
-        return nil  // We don't allow nil when we configured a key
-      }
-      return Algorithm.none
-    } else if let key = key {
-      if name == "HS256" {
-        return .hs256(key)
-      } else if name == "HS384" {
-        return .hs384(key)
-      } else if name == "HS512" {
-        return .hs512(key)
-      }
-    }
-
-    return nil
-  }
+  case hs512(Data)
 
   public var description:String {
     switch self {
@@ -51,10 +32,9 @@ public enum Algorithm : CustomStringConvertible {
 
   /// Sign a message using the algorithm
   func sign(_ message:String) -> String {
-    func signHS(_ key:String, variant:CryptoSwift.HMAC.Variant) -> String {
-      let keyData = key.data(using: String.Encoding.utf8, allowLossyConversion: false)!
+    func signHS(_ key: Data, variant:CryptoSwift.HMAC.Variant) -> String {
       let messageData = message.data(using: String.Encoding.utf8, allowLossyConversion: false)!
-      let mac = HMAC(key: keyData.bytes, variant:variant)
+      let mac = HMAC(key: key.bytes, variant:variant)
       let result: [UInt8]
       do {
         result = try mac.authenticate(messageData.bytes)