From d4956c102931845861f46eb05dad0ade8a86ab6e Mon Sep 17 00:00:00 2001
From: Les Hazlewood <121180+lhazlewood@users.noreply.github.com>
Date: Wed, 16 Aug 2023 19:03:56 -0700
Subject: [PATCH] Ensured Jwk tests that used RSASSA-PSS keys (from openssl files) used the BC provider since RSASSA-PSS isn't available natively before JDK 11
---
 .../impl/security/DefaultJwkParserTest.groovy | 10 ++++++--
 .../impl/security/JwksTest.groovy | 23 +++++++++++--------
 2 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/impl/src/test/groovy/io/jsonwebtoken/impl/security/DefaultJwkParserTest.groovy b/impl/src/test/groovy/io/jsonwebtoken/impl/security/DefaultJwkParserTest.groovy
index 107fc9c8c..edc0a2678 100644
--- a/impl/src/test/groovy/io/jsonwebtoken/impl/security/DefaultJwkParserTest.groovy
+++ b/impl/src/test/groovy/io/jsonwebtoken/impl/security/DefaultJwkParserTest.groovy
@@ -26,6 +26,7 @@ import org.junit.Test
 import java.nio.charset.StandardCharsets
 import java.security.Key
+import java.security.Provider
 import static org.junit.Assert.*
@@ -35,7 +36,7 @@ class DefaultJwkParserTest {
 void testKeys() {
 Set keys = new LinkedHashSet<>()
- TestKeys.HS.each { keys.add(it) }
+ TestKeys.SECRET.each { keys.add(it) }
 TestKeys.ASYM.each {
 keys.add(it.pair.public)
 keys.add(it.pair.private)
@@ -44,7 +45,12 @@ class DefaultJwkParserTest {
 def serializer = Services.loadFirst(Serializer)
 for (Key key : keys) {
 //noinspection GroovyAssignabilityCheck
- def jwk = Jwks.builder().key(key).build()
+ Provider provider = null // assume default
+ if (key.getClass().getName().startsWith("org.bouncycastle.")) {
+ // No native JVM support for the key, so we need to enable BC:
+ provider = Providers.findBouncyCastle(Conditions.TRUE)
+ }
+ def jwk = Jwks.builder().provider(provider).key(key).build()
 def data = serializer.serialize(jwk)
 String json = new String(data, StandardCharsets.UTF_8)
 def parsed = Jwks.parser().build().parse(json)
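Review bot: The provider returned by `Providers.findBouncyCastle(Conditions.TRUE)` in the added `if` block is handed to `Jwks.builder().provider(provider)` unchecked; if that lookup can return null (its contract is not visible here), the builder would presumably fall back to the default provider and the test would fail further on with an unrelated key error on JDKs before 11. An `assertNotNull 'BouncyCastle provider not found', provider` inside the `if` would make that failure explicit. The patch adds only `import java.security.Provider` to this file while the new code also names `Conditions`, so confirm `io.jsonwebtoken.impl.lang.Conditions` is already imported here, since dynamic Groovy would report a missing name only when the test runs. The same class-name check is repeated in the JwksTest.groovy hunk at `-264,11`, where the same points apply; a shared test helper would keep the two copies in step. The `for` loop body continues past the end of the hunk.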
diff --git a/impl/src/test/groovy/io/jsonwebtoken/impl/security/JwksTest.groovy b/impl/src/test/groovy/io/jsonwebtoken/impl/security/JwksTest.groovy
index 272c22ce4..b968c47ce 100644
--- a/impl/src/test/groovy/io/jsonwebtoken/impl/security/JwksTest.groovy
+++ b/impl/src/test/groovy/io/jsonwebtoken/impl/security/JwksTest.groovy
@@ -16,6 +16,7 @@
 package io.jsonwebtoken.impl.security
 import io.jsonwebtoken.Jwts
+import io.jsonwebtoken.impl.lang.Conditions
 import io.jsonwebtoken.impl.lang.Converters
 import io.jsonwebtoken.io.Decoders
 import io.jsonwebtoken.io.Encoders
@@ -23,10 +24,7 @@ import io.jsonwebtoken.security.*
 import org.junit.Test
 import javax.crypto.SecretKey
-import java.security.MessageDigest
-import java.security.PrivateKey
-import java.security.PublicKey
-import java.security.SecureRandom
+import java.security.*
 import java.security.cert.X509Certificate
 import java.security.interfaces.ECKey
 import java.security.interfaces.ECPublicKey
@@ -264,11 +262,17 @@ class JwksTest {
 PublicKey pub = pair.getPublic()
 PrivateKey priv = pair.getPrivate()
+ Provider provider = null // assume default
+ if (pub.getClass().getName().startsWith("org.bouncycastle.")) {
+ // No native JVM support for the key, so we need to enable BC:
+ provider = Providers.findBouncyCastle(Conditions.TRUE)
+ }
+
 // test individual keys
- PublicJwk pubJwk = Jwks.builder().key(pub).publicKeyUse("sig").build()
+ PublicJwk pubJwk = Jwks.builder().provider(provider).key(pub).publicKeyUse("sig").build()
 assertEquals pub, pubJwk.toKey()
- def builder = Jwks.builder().key(priv).publicKeyUse('sig')
+ def builder = Jwks.builder().provider(provider).key(priv).publicKeyUse('sig')
 if (alg instanceof EdSignatureAlgorithm) {
 // We haven't implemented EdDSA public-key derivation yet, so public key is required
 builder.publicKey(pub)
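Review bot: Collapsing the four explicit imports into `import java.security.*` in the `-23,10` hunk puts a second wildcard next to the existing `import io.jsonwebtoken.security.*`, and the two packages appear to share simple names (for example `KeyPair` and `InvalidKeyException`), so which type a bare name resolves to would depend on import resolution order rather than on anything visible at the use site. Keeping the explicit list and adding only `import java.security.Provider` avoids that ambiguity and limits the import change to the one name the new code needs.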
@@ -283,12 +287,13 @@ class JwksTest {
 assertEquals priv, jwkPair.getPrivate()
 // test pair
+ builder = Jwks.builder().provider(provider)
 if (pub instanceof ECKey) {
- builder = Jwks.builder().ecKeyPair(pair)
+ builder = builder.ecKeyPair(pair)
 } else if (pub instanceof RSAKey) {
- builder = Jwks.builder().rsaKeyPair(pair)
+ builder = builder.rsaKeyPair(pair)
 } else {
- builder = Jwks.builder().octetKeyPair(pair)
+ builder = builder.octetKeyPair(pair)
 }
 privJwk = builder.publicKeyUse("sig").build() as PrivateJwk
 assertEquals priv, privJwk.toKey()