stop exposing internal private state

googleapis · chingor13 · Aug 7, 2019 · Aug 7, 2019 · Aug 7, 2019 · Aug 7, 2019
commit 80c7cb52adfe553da3f1a3390373ec7092274658
diff --git a/google-http-client/src/main/java/com/google/api/client/json/webtoken/JsonWebSignature.java b/google-http-client/src/main/java/com/google/api/client/json/webtoken/JsonWebSignature.java
@@ -32,6 +32,7 @@
 import java.security.Signature;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
@@ -471,14 +472,14 @@ private static X509TrustManager getDefaultX509TrustManager() {
     }
   }
 
-  /** Returns the modifiable array of bytes of the signature. */
+  /** Returns the bytes of the signature. */
   public final byte[] getSignatureBytes() {
-    return signatureBytes;
+    return Arrays.copyOf(signatureBytes, signatureBytes.length);
   }
 
-  /** Returns the modifiable array of bytes of the signature content. */
+  /** Returns the bytes of the signature content. */
   public final byte[] getSignedContentBytes() {
-    return signedContentBytes;
+    return Arrays.copyOf(signedContentBytes, signedContentBytes.length);
   }
 
   /**

diff --git a/...e-http-client/src/test/java/com/google/api/client/json/webtoken/JsonWebSignatureTest.java b/...e-http-client/src/test/java/com/google/api/client/json/webtoken/JsonWebSignatureTest.java
@@ -17,9 +17,15 @@
 import com.google.api.client.testing.json.MockJsonFactory;
 import com.google.api.client.testing.json.webtoken.TestCertificates;
 import com.google.api.client.testing.util.SecurityTestUtils;
+
+import java.io.IOException;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPrivateKey;
 import javax.net.ssl.X509TrustManager;
+
+import org.junit.Assert;
+import org.junit.Test;
+
 import junit.framework.TestCase;
 
 /**
@@ -29,6 +35,7 @@
  */
 public class JsonWebSignatureTest extends TestCase {
 
+  @Test
   public void testSign() throws Exception {
     JsonWebSignature.Header header = new JsonWebSignature.Header();
     header.setAlgorithm("RS256");
@@ -51,13 +58,34 @@ private X509Certificate verifyX509WithCaCert(TestCertificates.CertData caCert) t
     X509TrustManager trustManager = caCert.getTrustManager();
     return signature.verifySignature(trustManager);
   }
+
+  @Test
+  public void testImmutableSignatureBytes() throws IOException {
+    JsonWebSignature signature = TestCertificates.getJsonWebSignature();
+    byte[] bytes = signature.getSignatureBytes();
+    bytes[0] = (byte) (bytes[0] + 1);
+    byte[] bytes2 = signature.getSignatureBytes();
+    Assert.assertNotEquals(bytes2[0], bytes[0]);
+  }
+
+  @Test
+  public void testImmutableSignedContentBytes() throws IOException {
+    JsonWebSignature signature = TestCertificates.getJsonWebSignature();
+    byte[] bytes = signature.getSignedContentBytes();
+    bytes[0] = (byte) (bytes[0] + 1);
+    byte[] bytes2 = signature.getSignedContentBytes();
+    Assert.assertNotEquals(bytes2[0], bytes[0]);
+  }
+
 
+  @Test
   public void testVerifyX509() throws Exception {
     X509Certificate signatureCert = verifyX509WithCaCert(TestCertificates.CA_CERT);
     assertNotNull(signatureCert);
     assertTrue(signatureCert.getSubjectDN().getName().startsWith("CN=foo.bar.com"));
   }
 
+  @Test
   public void testVerifyX509WrongCa() throws Exception {
     assertNull(verifyX509WithCaCert(TestCertificates.BOGUS_CA_CERT));
   }