From dbb5ca7c9cdee2f6dd52d203aa71a4397541e2dd Mon Sep 17 00:00:00 2001
From: juerg <juerg@google.com>
Date: Tue, 9 Aug 2022 08:08:28 -0700
Subject: [PATCH] Add validation test with duplicated 'issuer' claim, and with
 invalid UTF-16 encoded claim name.

PiperOrigin-RevId: 466362093
---
 testing/cross_language/jwt_validation_test.py | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/testing/cross_language/jwt_validation_test.py b/testing/cross_language/jwt_validation_test.py
index cd4e3cca0b..09f954a8a0 100644
--- a/testing/cross_language/jwt_validation_test.py
+++ b/testing/cross_language/jwt_validation_test.py
@@ -380,6 +380,24 @@ def test_verify_issuer(self, lang):
     with self.assertRaises(tink.TinkError):
       jwt_mac.verify_mac_and_decode(token, val4)
 
+  @parameterized.parameters(SUPPORTED_LANGUAGES)
+  def test_duplicated_issuer(self, lang):
+    token = generate_token('{"alg":"HS256"}', '{"iss":"joe", "iss":"jane"}')
+    jwt_mac = testing_servers.jwt_mac(lang, KEYSET)
+
+    if lang != 'java' and lang != 'python':
+      validator_with_second_issuer = jwt.new_validator(
+          ignore_issuer=True, allow_missing_expiration=True)
+      with self.assertRaises(tink.TinkError):
+        jwt_mac.verify_mac_and_decode(token, validator_with_second_issuer)
+    else:
+      # Currently, this is accepted in Java and Python, and always the last
+      # entry is used.
+      # TODO(b/241828611): This should be rejected.
+      validator_with_second_issuer = jwt.new_validator(
+          expected_issuer='jane', allow_missing_expiration=True)
+      jwt_mac.verify_mac_and_decode(token, validator_with_second_issuer)
+
   @parameterized.parameters(SUPPORTED_LANGUAGES)
   def test_verify_empty_string_issuer(self, lang):
     token = generate_token('{"alg":"HS256"}', '{"iss":""}')
@@ -438,6 +456,14 @@ def test_verify_with_invalid_json_escaped_utf16_in_payload(self, lang):
     with self.assertRaises(tink.TinkError):
       jwt_mac.verify_mac_and_decode(token, EMPTY_VALIDATOR)
 
+  @parameterized.parameters(SUPPORTED_LANGUAGES)
+  def test_verify_with_invalid_json_escaped_utf16_in_claim_name(self, lang):
+    token = generate_token('{"alg":"HS256"}',
+                           '{"\\uD800\\uD800claim":"value"}')
+    jwt_mac = testing_servers.jwt_mac(lang, KEYSET)
+    with self.assertRaises(tink.TinkError):
+      jwt_mac.verify_mac_and_decode(token, EMPTY_VALIDATOR)
+
   @parameterized.parameters(SUPPORTED_LANGUAGES)
   def test_verify_audience(self, lang):
     token = generate_token('{"alg":"HS256"}', '{"aud":["joe", "jane"]}')