Merge pull request #14 from DolphFlynn/main

Release 2.5

.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "gradle"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "com.nimbusds:nimbus-jose-jwt"

.github/workflows/gradle-test.yml

@@ -20,10 +20,11 @@ jobs:
         java-version: '21'
         distribution: 'temurin'
 
+    - name: Setup Gradle
+      uses: gradle/actions/setup-gradle@v4
+
     - name: Test
-      uses: gradle/actions/setup-gradle@v3
-      with:
-        arguments: test
+      run: ./gradlew test
 
     - name: Publish test report on failure
       uses: actions/upload-artifact@v4

README.md

@@ -17,6 +17,12 @@ Additionally it facilitates several well-known attacks against JWT implementatio
 
 ## Changelog
 
+**2.5 2025-01-13**
+- Add ability to test for HMAC signatures using [weak secrets](https://github.com/wallarm/jwt-secrets).
+- Add import capability for JWK data.
+- Add support for decimal TimeClaims (Thanks to [@Nirusu](https://github.com/Nirusu)).
+- Remember last used key within signing dialogs.
+
 **2.4 2024-12-24**
 - Add support for non-JSON claims within JWS (Thanks to [@Hannah-PortSwigger](https://github.com/Hannah-PortSwigger) for suggesting this).
 
@@ -150,6 +156,7 @@ The `Attack` option implements several well-known attacks against JSON Web Signa
 * Signing with an empty HMAC key
 * Signing with a *Psychic signature*
 * Embedding a Collaborator payload
+* Weak HMAC secret
 
 These are described in more detail [below](#Attacks).
 
@@ -167,7 +174,7 @@ This option is automatically enabled if it is detected that the original JWT did
 *JWT Editor* can be built from source.
 * Ensure that Java JDK 21 or newer is installed
 * From root of project, run the command `./gradlew jar`
-* This should place the JAR file `jwt-editor-2.4.jar` within the `build/libs` directory
+* This should place the JAR file `jwt-editor-2.5.jar` within the `build/libs` directory
 * This can be loaded into Burp Suite by navigating to the `Extensions` tab, `Installed` sub-tab, clicking `Add` and loading the JAR file
 * This BApp is using the newer Montoya API so it's best to use the latest version of Burp Suite (try the earlier adopter channel if there are issues with the latest stable release)
 
@@ -218,6 +225,9 @@ Burp Suite's [Collaborator](https://portswigger.net/burp/documentation/collabora
 is fetching content based on the `x5u` or `jku` headers. 
 Note that this functionality is only available in Burp Suite Professional.
 
+### Weak HMAC secret
+Attempt to brute-force the signing key for JWS with HMAC signatures using known [JWT secrets](https://github.com/wallarm/jwt-secrets).
+
 ## Issues / Enhancements
 If you have found a bug or think that a particular feature is missing, please raise an issue on the [GitHub repository](https://github.com/DolphFlynn/jwt-editor/issues).
 

build.gradle

@@ -3,7 +3,7 @@ plugins {
 }
 
 group = 'com.blackberry'
-version = '2.4'
+version = '2.5'
 description = 'jwt-editor'
 
 repositories {
@@ -35,15 +35,15 @@ dependencies {
             'com.nimbusds:nimbus-jose-jwt:9.21',
             'org.exbin.deltahex:deltahex-swing:0.1.2',
             'com.fifesoft:rsyntaxtextarea:3.5.3',
-            'org.json:json:20240303'
+            'org.json:json:20250107'
     )
     testImplementation(
             "org.bouncycastle:bcprov-jdk18on:${bouncycastle_version}",
             "org.bouncycastle:bcpkix-jdk18on:${bouncycastle_version}",
             "net.portswigger.burp.extensions:montoya-api:${extender_version}",
-            'org.junit.jupiter:junit-jupiter:5.11.2',
-            'org.assertj:assertj-core:3.26.3',
-            'org.mockito:mockito-core:5.14.1'
+            'org.junit.jupiter:junit-jupiter:5.11.4',
+            'org.assertj:assertj-core:3.27.3',
+            'org.mockito:mockito-core:5.15.2'
     )
 }
 

src/main/java/burp/JWTEditorExtension.java

@@ -25,7 +25,6 @@
 import com.blackberry.jwteditor.view.editor.WebSocketEditorView;
 import com.blackberry.jwteditor.view.hexcodearea.HexCodeAreaFactory;
 import com.blackberry.jwteditor.view.rsta.RstaFactory;
-import com.blackberry.jwteditor.view.utils.ErrorLoggingActionListenerFactory;
 
 import java.awt.*;
 
@@ -69,7 +68,6 @@ public void initialize(MontoyaApi api) {
         userInterface.registerSuiteTab(suiteView.getTabCaption(), suiteView.getUiComponent());
 
         HexCodeAreaFactory hexAreaCodeFactory = new HexCodeAreaFactory(api.logging(), api.userInterface());
-        ErrorLoggingActionListenerFactory actionListenerFactory = new ErrorLoggingActionListenerFactory(api.logging());
         InformationPanelFactory informationPanelFactory = new InformationPanelFactory(api.userInterface(), api.logging());
 
         userInterface.registerHttpRequestEditorProvider(editorCreationContext ->
@@ -78,7 +76,7 @@ public void initialize(MontoyaApi api) {
                         rstaFactory,
                         api.collaborator().defaultPayloadGenerator(),
                         hexAreaCodeFactory,
-                        actionListenerFactory,
+                        api.logging(),
                         informationPanelFactory,
                         editorCreationContext.editorMode() != READ_ONLY,
                         isProVersion
@@ -91,7 +89,7 @@ public void initialize(MontoyaApi api) {
                         rstaFactory,
                         api.collaborator().defaultPayloadGenerator(),
                         hexAreaCodeFactory,
-                        actionListenerFactory,
+                        api.logging(),
                         informationPanelFactory,
                         editorCreationContext.editorMode() != READ_ONLY,
                         isProVersion
@@ -104,7 +102,7 @@ public void initialize(MontoyaApi api) {
                         rstaFactory,
                         api.collaborator().defaultPayloadGenerator(),
                         hexAreaCodeFactory,
-                        actionListenerFactory,
+                        api.logging(),
                         informationPanelFactory,
                         editorCreationContext.editorMode() != READ_ONLY,
                         isProVersion

src/main/java/com/blackberry/jwteditor/exceptions/SigningException.java

@@ -1,7 +1,29 @@
+/*
+Author : Dolph Flynn
+
+Copyright 2024 Dolph Flynn
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package com.blackberry.jwteditor.exceptions;
 
 public class SigningException extends Exception {
     public SigningException(String msg) {
         super(msg);
     }
+
+    public SigningException(String message, Throwable cause) {
+        super(message, cause);
+    }
 }

src/main/java/com/blackberry/jwteditor/exceptions/VerificationException.java

@@ -1,7 +1,29 @@
+/*
+Author : Dolph Flynn
+
+Copyright 2024 Dolph Flynn
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
 package com.blackberry.jwteditor.exceptions;
 
 public class VerificationException extends Exception {
     public VerificationException(String msg) {
         super(msg);
     }
+
+    public VerificationException(String message, Throwable cause) {
+        super(message, cause);
+    }
 }

src/main/java/com/blackberry/jwteditor/model/jose/Header.java

@@ -23,6 +23,7 @@
 
 import static com.blackberry.jwteditor.utils.JSONUtils.isJsonCompact;
 import static com.blackberry.jwteditor.utils.JSONUtils.prettyPrintJSON;
+import static com.nimbusds.jose.HeaderParameterNames.ALGORITHM;
 
 public class Header extends Base64Encoded {
 
@@ -44,4 +45,9 @@ public JSONObject json()
     {
         return new JSONObject(decoded());
     }
+
+    public String algorithm() {
+        JSONObject json = json();
+        return json.has(ALGORITHM) ? json.getString(ALGORITHM) : "";
+    }
 }

src/main/java/com/blackberry/jwteditor/model/jose/JWE.java

@@ -23,6 +23,7 @@
 import com.nimbusds.jose.JWEDecrypter;
 import com.nimbusds.jose.JWEHeader;
 import com.nimbusds.jose.util.Base64URL;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
 import java.security.Provider;
 import java.security.Security;
@@ -124,7 +125,7 @@ public JWS decrypt(Key key) throws DecryptionException, ParseException {
             JWEDecrypter decrypter = key.getDecrypter(header.getAlgorithm());
 
             // Try to use the BouncyCastle provider, but fall-back to default if this fails
-            Provider provider = Security.getProvider("BC");
+            Provider provider = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
             if (provider != null) {
                 decrypter.getJCAContext().setProvider(provider);
             }

src/main/java/com/blackberry/jwteditor/model/jose/JWEFactory.java

@@ -22,6 +22,7 @@
 import com.blackberry.jwteditor.model.keys.Key;
 import com.nimbusds.jose.*;
 import com.nimbusds.jose.util.Base64URL;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
 import java.nio.charset.StandardCharsets;
 import java.security.Provider;
@@ -44,7 +45,7 @@ public static JWE encrypt(JWS jws, Key key, JWEAlgorithm kek, EncryptionMethod c
         }
 
         // Try to use the BouncyCastle provider, but fall-back to default if this fails
-        Provider provider = Security.getProvider("BC");
+        Provider provider = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
         if (provider != null) {
             encrypter.getJCAContext().setProvider(provider);
         }

src/main/java/com/blackberry/jwteditor/model/jose/JWS.java

@@ -26,10 +26,10 @@
 import com.nimbusds.jose.util.Base64URL;
 
 import java.nio.charset.StandardCharsets;
-import java.security.Provider;
-import java.security.Security;
 import java.util.List;
 
+import static com.blackberry.jwteditor.model.jose.JWSVerifierFactory.verifierFor;
+
 /**
  * Class representing a JWS
  */
@@ -53,8 +53,7 @@ public JWSClaims claims() {
         return claims;
     }
 
-    public Signature signature()
-    {
+    public Signature signature() {
         return signature;
     }
 
@@ -84,19 +83,7 @@ public List<Information> information() {
      * @throws VerificationException if verification process fails
      */
     public boolean verify(Key key, JWSHeader verificationInfo) throws VerificationException {
-        // Get the verifier based on the key type
-        JWSVerifier verifier;
-        try {
-            verifier = key.getVerifier();
-        } catch (JOSEException e) {
-            throw new VerificationException(e.getMessage());
-        }
-
-        // Try to use the BouncyCastle provider, but fall-back to default if this fails
-        Provider provider = Security.getProvider("BC");
-        if (provider != null) {
-            verifier.getJCAContext().setProvider(provider);
-        }
+        JWSVerifier verifier = verifierFor(key, verificationInfo.getAlgorithm());
 
         // Build the signing input
         // JWS signature input is the ASCII bytes of the base64 encoded header and payload concatenated with a '.'

src/main/java/com/blackberry/jwteditor/model/jose/JWSFactory.java

@@ -28,6 +28,7 @@
 
 import java.text.ParseException;
 
+import static com.blackberry.jwteditor.model.jose.JWSSignerFactory.signerFor;
 import static com.blackberry.jwteditor.utils.StringUtils.countOccurrences;
 import static com.nimbusds.jose.HeaderParameterNames.*;
 import static java.util.Arrays.stream;
@@ -83,7 +84,7 @@ public static JWS sign(Key key, JWSAlgorithm algorithm, SigningUpdateMode update
     }
 
     public static JWS sign(Key key, JWSAlgorithm algorithm, Base64URL header, Base64URL payload) throws SigningException {
-        return new JWSSigner(key).sign(header, payload, new JWSHeader.Builder(algorithm).build());
+        return signerFor(key, algorithm).sign(header, payload, new JWSHeader.Builder(algorithm).build());
     }
 
     /**

src/main/java/com/blackberry/jwteditor/model/jose/JWSSigner.java

@@ -19,32 +19,17 @@
 package com.blackberry.jwteditor.model.jose;
 
 import com.blackberry.jwteditor.exceptions.SigningException;
-import com.blackberry.jwteditor.model.keys.Key;
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.util.Base64URL;
 
 import java.nio.charset.StandardCharsets;
-import java.security.Provider;
-import java.security.Security;
 
 class JWSSigner {
     private final com.nimbusds.jose.JWSSigner signer;
 
-    JWSSigner(Key key) throws SigningException {
-        // Get the signer based on the key type
-        try {
-            signer = key.getSigner();
-        } catch (JOSEException e) {
-            throw new SigningException(e.getMessage());
-        }
-
-        // Try to use the BouncyCastle provider, but fall-back to default if this fails
-        Provider provider = Security.getProvider("BC");
-
-        if (provider != null) {
-            signer.getJCAContext().setProvider(provider);
-        }
+    JWSSigner(com.nimbusds.jose.JWSSigner signer) {
+        this.signer = signer;
     }
 
     public JWS sign(Base64URL header, Base64URL payload, JWSHeader signingInfo) throws SigningException {