Merge pull request #25 from DolphFlynn/alg

Alg

src/main/java/burp/config/BurpConfigPersistence.java

@@ -24,6 +24,7 @@
 import burp.proxy.HighlightColor;
 import burp.proxy.ProxyConfig;
 import burp.scanner.ScannerConfig;
+import com.nimbusds.jose.JWSAlgorithm;
 import org.json.JSONException;
 import org.json.JSONObject;
 
@@ -36,6 +37,7 @@ public class BurpConfigPersistence {
     private static final String INTRUDER_FUZZ_PARAMETER_NAME = "intruder_payload_processor_parameter_name";
     private static final String INTRUDER_FUZZ_RESIGNING = "intruder_payload_processor_resign";
     private static final String INTRUDER_FUZZ_SIGNING_KEY_ID = "intruder_payload_processor_signing_key_id";
+    private static final String INTRUDER_FUZZ_SIGNING_ALGORITHM = "intruder_payload_processor_signing_algorithm";
     private static final String SCANNER_INSERTION_POINT_PROVIDER_ENABLED_KEY = "scanner_insertion_point_provider_enabled";
     private static final String SCANNER_INSERTION_PARAMETER_NAME = "scanner_insertion_point_provider_parameter_name";
 
@@ -77,6 +79,11 @@ public BurpConfig loadOrCreateNew() {
                     intruderConfig.setSigningKeyId(keyId);
                 }
 
+                if (parsedObject.has(INTRUDER_FUZZ_SIGNING_ALGORITHM) && parsedObject.get(INTRUDER_FUZZ_SIGNING_ALGORITHM) instanceof String algorithm) {
+                    JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(algorithm);
+                    intruderConfig.setSigningAlgorithm(jwsAlgorithm);
+                }
+
                 if (parsedObject.has(INTRUDER_FUZZ_RESIGNING) && parsedObject.get(INTRUDER_FUZZ_RESIGNING) instanceof Boolean resign) {
                     intruderConfig.setResign(resign);
                 }
@@ -107,6 +114,11 @@ public void save(BurpConfig model) {
         burpConfigJson.put(INTRUDER_FUZZ_PARAMETER_TYPE, model.intruderConfig().fuzzLocation());
         burpConfigJson.put(INTRUDER_FUZZ_RESIGNING, model.intruderConfig().resign());
         burpConfigJson.put(INTRUDER_FUZZ_SIGNING_KEY_ID, model.intruderConfig().signingKeyId());
+
+        JWSAlgorithm signingAlgorithm = model.intruderConfig().signingAlgorithm();
+        String signingAlgorithmName = signingAlgorithm == null ? null : signingAlgorithm.getName();
+        burpConfigJson.put(INTRUDER_FUZZ_SIGNING_ALGORITHM, signingAlgorithmName);
+
         burpConfigJson.put(SCANNER_INSERTION_POINT_PROVIDER_ENABLED_KEY, model.scannerConfig().enableHeaderJWSInsertionPointLocation());
         burpConfigJson.put(SCANNER_INSERTION_PARAMETER_NAME, model.scannerConfig().insertionPointLocationParameterName());
 

src/main/java/burp/intruder/IntruderConfig.java

@@ -18,13 +18,16 @@
 
 package burp.intruder;
 
+import com.nimbusds.jose.JWSAlgorithm;
+
 import static burp.intruder.FuzzLocation.PAYLOAD;
 import static org.apache.commons.lang3.StringUtils.isNotEmpty;
 
 public class IntruderConfig {
     private String fuzzParameter;
     private FuzzLocation fuzzLocation;
     private String signingKeyId;
+    private JWSAlgorithm signingAlgorithm;
     private boolean resign;
 
     public IntruderConfig() {
@@ -54,18 +57,27 @@ public String signingKeyId() {
 
     public void setSigningKeyId(String signingKeyId) {
         this.signingKeyId = signingKeyId;
-        this.resign = resign && isSigningKeyIdValid();
+        this.resign = resign && canSign();
     }
 
     public boolean resign() {
         return resign;
     }
 
     public void setResign(boolean resign) {
-        this.resign = resign && isSigningKeyIdValid();
+        this.resign = resign && canSign();
+    }
+
+    public JWSAlgorithm signingAlgorithm() {
+        return signingAlgorithm;
+    }
+
+    public void setSigningAlgorithm(JWSAlgorithm signingAlgorithm) {
+        this.signingAlgorithm = signingAlgorithm;
+        this.resign = resign && canSign();
     }
 
-    private boolean isSigningKeyIdValid() {
-        return isNotEmpty(signingKeyId);
+    private boolean canSign() {
+        return isNotEmpty(signingKeyId) && signingAlgorithm != null;
     }
 }

src/main/java/burp/intruder/JWSPayloadProcessor.java

@@ -18,7 +18,6 @@
 
 import static burp.intruder.FuzzLocation.PAYLOAD;
 import static com.blackberry.jwteditor.model.jose.JOSEObjectFinder.parseJOSEObject;
-import static org.apache.commons.lang3.StringUtils.isNotEmpty;
 
 public class JWSPayloadProcessor implements PayloadProcessor {
     private final Logging logging;
@@ -61,9 +60,7 @@ public PayloadProcessingResult processPayload(PayloadData payloadData) {
     }
 
     private Optional<Key> loadKey() {
-        String keyId = intruderConfig.signingKeyId();
-
-        if (isNotEmpty(keyId)) {
+        if (!intruderConfig.resign()) {
             return Optional.empty();
         }
 
@@ -87,7 +84,8 @@ private JWS createJWS(Base64URL header, Base64URL payload, Base64URL originalSig
             Optional<JWS> result = Optional.empty();
 
             try {
-                result = Optional.of(JWSFactory.sign(key, key.getSigningAlgorithms()[0], header, payload));
+                // TODO - update alg within header
+                result = Optional.of(JWSFactory.sign(key, intruderConfig.signingAlgorithm(), header, payload));
             } catch (SigningException ex) {
                 logging.logToError("Failed to sign JWS: " + ex);
             }

src/main/java/com/blackberry/jwteditor/view/config/ConfigView.form

@@ -173,7 +173,7 @@
               <text value="Intruder"/>
             </properties>
           </component>
-          <grid id="23fd" layout-manager="GridLayoutManager" row-count="4" column-count="3" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
+          <grid id="23fd" layout-manager="GridLayoutManager" row-count="5" column-count="3" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">
             <margin top="0" left="0" bottom="0" right="0"/>
             <constraints>
               <grid row="2" column="0" row-span="3" col-span="2" vsize-policy="3" hsize-policy="3" anchor="9" fill="0" indent="0" use-parent-layout="false"/>
@@ -254,6 +254,20 @@
                   <text value=""/>
                 </properties>
               </component>
+              <component id="2c6" class="javax.swing.JLabel">
+                <constraints>
+                  <grid row="4" column="1" row-span="1" col-span="1" vsize-policy="0" hsize-policy="0" anchor="8" fill="0" indent="0" use-parent-layout="false"/>
+                </constraints>
+                <properties>
+                  <text value="Signing Algorithm:"/>
+                </properties>
+              </component>
+              <component id="734f8" class="javax.swing.JComboBox" binding="comboBoxIntruderSigningAlg">
+                <constraints>
+                  <grid row="4" column="2" row-span="1" col-span="1" vsize-policy="0" hsize-policy="2" anchor="8" fill="1" indent="0" use-parent-layout="false"/>
+                </constraints>
+                <properties/>
+              </component>
             </children>
           </grid>
           <grid id="5df6b" layout-manager="GridLayoutManager" row-count="1" column-count="1" same-size-horizontally="false" same-size-vertically="false" hgap="-1" vgap="-1">

src/main/java/com/blackberry/jwteditor/view/config/ConfigView.java

@@ -29,6 +29,7 @@
 import com.blackberry.jwteditor.model.keys.KeysModel;
 import com.blackberry.jwteditor.model.keys.KeysModelListener.SimpleKeysModelListener;
 import com.blackberry.jwteditor.view.utils.DocumentAdapter;
+import com.nimbusds.jose.JWSAlgorithm;
 
 import javax.swing.*;
 import java.awt.*;
@@ -40,6 +41,7 @@
 
 public class ConfigView {
     private final IntruderConfig intruderConfig;
+    private final KeysModel keysModel;
 
     private JPanel mainPanel;
     private JCheckBox checkBoxHighlightJWT;
@@ -58,7 +60,7 @@ public class ConfigView {
     private JPanel intruderPanel;
     private JLabel spacerLabel;
     private JCheckBox resignIntruderJWS;
-    private KeysModel keysModel;
+    private JComboBox comboBoxIntruderSigningAlg;
 
     public ConfigView(BurpConfig burpConfig, UserInterface userInterface, boolean isProVersion, KeysModel keysModel) {
         this.keysModel = keysModel;
@@ -87,7 +89,15 @@ public ConfigView(BurpConfig burpConfig, UserInterface userInterface, boolean is
         comboBoxPayloadPosition.addActionListener(e -> intruderConfig.setFuzzLocation((FuzzLocation) comboBoxPayloadPosition.getSelectedItem()));
 
         updateSigningKeyList();
-        comboBoxIntruderSigningKeyId.addActionListener(e -> intruderConfig.setSigningKeyId((String) comboBoxIntruderSigningKeyId.getSelectedItem()));
+        comboBoxIntruderSigningKeyId.addActionListener(e -> {
+            String newSigningKeyId = (String) comboBoxIntruderSigningKeyId.getSelectedItem();
+
+            if (!intruderConfig.signingKeyId().equals(newSigningKeyId)) {
+                intruderConfig.setSigningKeyId(newSigningKeyId);
+                updateSigningAlgorithmList();
+            }
+        });
+        comboBoxIntruderSigningAlg.addActionListener(e -> intruderConfig.setSigningAlgorithm((JWSAlgorithm) comboBoxIntruderSigningAlg.getSelectedItem()));
         resignIntruderJWS.addActionListener(e -> intruderConfig.setResign(resignIntruderJWS.isSelected()));
         keysModel.addKeyModelListener(new SimpleKeysModelListener(this::updateSigningKeyList));
 
@@ -117,34 +127,64 @@ public ConfigView(BurpConfig burpConfig, UserInterface userInterface, boolean is
     private void updateSigningKeyList() {
         List<Key> signingKeys = keysModel.getSigningKeys();
         String[] signingKeyIds = signingKeys.stream().map(Key::getID).toArray(String[]::new);
-        String selectedSigningId = intruderConfig.signingKeyId();
+        String modelSelectedSigningId = intruderConfig.signingKeyId();
 
+        String viewSelectedKeyId = (String) comboBoxIntruderSigningKeyId.getSelectedItem();
         comboBoxIntruderSigningKeyId.setModel(new DefaultComboBoxModel<>(signingKeyIds));
 
         if (signingKeys.isEmpty()) {
             resignIntruderJWS.setSelected(false);
             resignIntruderJWS.setEnabled(false);
             comboBoxIntruderSigningKeyId.setEnabled(false);
+            comboBoxIntruderSigningAlg.setEnabled(false);
             intruderConfig.setResign(false);
             intruderConfig.setSigningKeyId(null);
         } else {
             resignIntruderJWS.setEnabled(true);
             comboBoxIntruderSigningKeyId.setEnabled(true);
+            comboBoxIntruderSigningAlg.setEnabled(true);
 
             Optional<Key> selectedKey = signingKeys.stream()
-                    .filter(k -> k.getID().equals(selectedSigningId))
+                    .filter(k -> k.getID().equals(modelSelectedSigningId))
                     .findFirst();
 
+
             if (selectedKey.isPresent()) {
+                Key key = selectedKey.get();
+
                 resignIntruderJWS.setSelected(intruderConfig.resign());
-                comboBoxIntruderSigningKeyId.setSelectedItem(selectedKey.get());
+                comboBoxIntruderSigningKeyId.setSelectedItem(key.getID());
+
+                if (!modelSelectedSigningId.equals(viewSelectedKeyId)) {
+                    comboBoxIntruderSigningAlg.setModel(new DefaultComboBoxModel(key.getSigningAlgorithms()));
+                    comboBoxIntruderSigningAlg.setSelectedIndex(0);
+                }
             } else {
                 resignIntruderJWS.setSelected(false);
                 comboBoxIntruderSigningKeyId.setSelectedIndex(0);
+
+                Key key = signingKeys.get(0);
+                comboBoxIntruderSigningAlg.setModel(new DefaultComboBoxModel(key.getSigningAlgorithms()));
             }
         }
     }
 
+    private void updateSigningAlgorithmList() {
+        Key key = keysModel.getSigningKeys().stream()
+                .filter(k -> k.getID().equals(intruderConfig.signingKeyId()))
+                .findFirst()
+                .orElseThrow();
+
+        JWSAlgorithm[] signingAlgorithms = key.getSigningAlgorithms();
+        comboBoxIntruderSigningAlg.setModel(new DefaultComboBoxModel(signingAlgorithms));
+
+        if (signingAlgorithms.length > 0) {
+            JWSAlgorithm algorithm = signingAlgorithms[0];
+            comboBoxIntruderSigningAlg.setSelectedItem(algorithm);
+            intruderConfig.setSigningAlgorithm(algorithm);
+        }
+    }
+
     /**
      * Custom list cell renderer to color rows of combo box drop down list.
      */

src/test/java/burp/config/BurpConfigPersistenceTest.java

@@ -21,6 +21,7 @@
 import burp.api.montoya.persistence.Preferences;
 import burp.intruder.FuzzLocation;
 import burp.proxy.HighlightColor;
+import com.nimbusds.jose.JWSAlgorithm;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
@@ -34,6 +35,8 @@
 import static burp.proxy.HighlightColor.CYAN;
 import static burp.proxy.HighlightColor.RED;
 import static burp.proxy.ProxyConfig.DEFAULT_HIGHLIGHT_COLOR;
+import static com.nimbusds.jose.JWSAlgorithm.ES256;
+import static com.nimbusds.jose.JWSAlgorithm.EdDSA;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.params.provider.Arguments.arguments;
 import static org.mockito.Mockito.*;
@@ -230,35 +233,39 @@ private static Stream<Arguments> validIntruderConfigJson() {
                         HEADER,
                         "sub",
                         false,
+                        null,
                         null
                 ),
                 arguments(
                         "{\"intruder_payload_processor_fuzz_location\":\"payload\",\"intruder_payload_processor_parameter_name\":\"role\"}",
                         PAYLOAD,
                         "role",
                         false,
+                        null,
                         null
                 ),
                 arguments(
-                        "{\"intruder_payload_processor_fuzz_location\":\"header\",\"intruder_payload_processor_parameter_name\":\"sub\",\"intruder_payload_processor_resign\":true, \"intruder_payload_processor_signing_key_id\": \"uuid\"}",
+                        "{\"intruder_payload_processor_fuzz_location\":\"header\",\"intruder_payload_processor_parameter_name\":\"sub\",\"intruder_payload_processor_resign\":true, \"intruder_payload_processor_signing_key_id\": \"uuid\", \"intruder_payload_processor_signing_algorithm\": \"EdDSA\"}",
                         HEADER,
                         "sub",
                         true,
-                        "uuid"
+                        "uuid",
+                        EdDSA
                 ),
                 arguments(
-                        "{\"intruder_payload_processor_fuzz_location\":\"header\",\"intruder_payload_processor_parameter_name\":\"sub\",\"intruder_payload_processor_signing_key_id\":\"131da5fb-8484-4717-b0d2-b79925978596\"}",
+                        "{\"intruder_payload_processor_fuzz_location\":\"header\",\"intruder_payload_processor_parameter_name\":\"sub\",\"intruder_payload_processor_signing_key_id\":\"131da5fb-8484-4717-b0d2-b79925978596\", \"intruder_payload_processor_signing_algorithm\": \"ES256\"}",
                         HEADER,
                         "sub",
                         false,
-                        "131da5fb-8484-4717-b0d2-b79925978596"
+                        "131da5fb-8484-4717-b0d2-b79925978596",
+                        ES256
                 )
         );
     }
 
     @ParameterizedTest
     @MethodSource("validIntruderConfigJson")
-    void givenValidIntruderSavedConfig_whenLoadOrCreateCalled_thenAppropriateConfigReturned(String json, FuzzLocation expectedLocation, String expectedParameterName, boolean expectedResign, String expectedSigningKeyId) {
+    void givenValidIntruderSavedConfig_whenLoadOrCreateCalled_thenAppropriateConfigReturned(String json, FuzzLocation expectedLocation, String expectedParameterName, boolean expectedResign, String expectedSigningKeyId, JWSAlgorithm expectedSigningAlgorithm) {
         BurpConfigPersistence configPersistence = new BurpConfigPersistence(callbacks);
         when(callbacks.getString(BURP_SETTINGS_NAME)).thenReturn(json);
 
@@ -270,6 +277,7 @@ void givenValidIntruderSavedConfig_whenLoadOrCreateCalled_thenAppropriateConfigR
         assertThat(burpConfig.intruderConfig().fuzzParameter()).isEqualTo(expectedParameterName);
         assertThat(burpConfig.intruderConfig().resign()).isEqualTo(expectedResign);
         assertThat(burpConfig.intruderConfig().signingKeyId()).isEqualTo(expectedSigningKeyId);
+        assertThat(burpConfig.intruderConfig().signingAlgorithm()).isEqualTo(expectedSigningAlgorithm);
     }
 
     @Test

src/test/java/burp/config/IntruderConfigTest.java

@@ -21,6 +21,7 @@
 import burp.intruder.IntruderConfig;
 import org.junit.jupiter.api.Test;
 
+import static com.nimbusds.jose.JWSAlgorithm.HS256;
 import static org.assertj.core.api.Assertions.assertThat;
 
 class IntruderConfigTest {
@@ -45,12 +46,23 @@ void givenEmptyKeyID_whenResignIsSetTrue_thenResignIsFalse() {
     }
 
     @Test
-    void givenValidKeyID_whenResignIsSetTrue_thenResignIsTrue() {
+    void givenValidKeyIDAndNullSigningAlgorithm_whenResignIsSetTrue_thenResignIsFalse() {
         IntruderConfig config = new IntruderConfig();
         config.setSigningKeyId("keyID");
 
         config.setResign(true);
 
+        assertThat(config.resign()).isFalse();
+    }
+
+    @Test
+    void givenValidKeyIDAndNonNullSigningAlgorithm_whenResignIsSetTrue_thenResignIsTrue() {
+        IntruderConfig config = new IntruderConfig();
+        config.setSigningKeyId("keyID");
+        config.setSigningAlgorithm(HS256);
+
+        config.setResign(true);
+
         assertThat(config.resign()).isTrue();
     }