JCL-385: Improve PKCE verifier to always produce spec conforming values

Author: acoburn

openid/src/main/java/com/inrupt/client/openid/PKCE.java

@@ -36,6 +36,8 @@
  */
 public final class PKCE {
 
+    private static final BigInteger PADDING = BigInteger.ofValue(2).pow(256);
+
     /**
      * Create a PKCE challenge value using the S256 algorithm.
      *
@@ -73,7 +75,7 @@ static String createChallenge(final String verifier, final String alg) {
      * @return the Base64URL-encoded verifier
      */
     static String createVerifier() {
-        final byte[] rand = new BigInteger(32 * 8, new SecureRandom()).toByteArray();
+        final byte[] rand = PADDING.add(new BigInteger(32 * 8, new SecureRandom())).toByteArray();
         return Base64.getUrlEncoder().withoutPadding().encodeToString(rand);
     }
 

openid/src/test/java/com/inrupt/client/openid/PKCETest.java

@@ -30,16 +30,16 @@ class PKCETest {
 
     @Test
     void createChallengeTest() {
-        assertTrue(PKCE.createChallenge("🐶🐶🐶", "SHA-256").getBytes(UTF_8).length >= 43);
-        assertTrue(PKCE.createChallenge("🐶🐶🐶", "SHA-256").getBytes(UTF_8).length <= 128);
-        assertTrue(PKCE.createChallenge("", "SHA-256").getBytes(UTF_8).length >= 43);
-        assertTrue(PKCE.createChallenge("", "SHA-256").getBytes(UTF_8).length <= 128);
+        assertTrue(PKCE.createChallenge("🐶🐶🐶", "SHA-256").length() >= 43);
+        assertTrue(PKCE.createChallenge("🐶🐶🐶", "SHA-256").length() <= 128);
+        assertTrue(PKCE.createChallenge("", "SHA-256").length() >= 43);
+        assertTrue(PKCE.createChallenge("", "SHA-256").length() <= 128);
         assertThrows(NullPointerException.class, () -> PKCE.createChallenge(null, "SHA-256"));
     }
 
     @Test
     void createVerifierTest() {
-        assertTrue(PKCE.createVerifier().getBytes(UTF_8).length >= 43);
-        assertTrue(PKCE.createVerifier().getBytes(UTF_8).length <= 128);
+        assertTrue(PKCE.createVerifier().length() >= 43);
+        assertTrue(PKCE.createVerifier().length() <= 128);
     }
 }