Exception cleanup.

Author: atholbro

paseto/src/main/kotlin/net/aholbrook/paseto/crypto/Ecdsa.kt

@@ -1,7 +1,7 @@
 package net.aholbrook.paseto.crypto
 
 import net.aholbrook.paseto.exception.ByteArrayLengthException
-import net.aholbrook.paseto.exception.KeyV3Exception
+import net.aholbrook.paseto.exception.EcKeyException
 import org.bouncycastle.asn1.ASN1ObjectIdentifier
 import org.bouncycastle.asn1.ASN1Primitive
 import org.bouncycastle.asn1.DERBitString
@@ -11,16 +11,13 @@ import org.bouncycastle.asn1.sec.SECObjectIdentifiers
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo
 import org.bouncycastle.asn1.x9.X9ObjectIdentifiers
-import org.bouncycastle.crypto.CryptoException
 import org.bouncycastle.crypto.digests.SHA384Digest
 import org.bouncycastle.crypto.ec.CustomNamedCurves
 import org.bouncycastle.crypto.generators.ECKeyPairGenerator
 import org.bouncycastle.crypto.params.ECDomainParameters
 import org.bouncycastle.crypto.params.ECKeyGenerationParameters
 import org.bouncycastle.crypto.params.ECPrivateKeyParameters
 import org.bouncycastle.crypto.params.ECPublicKeyParameters
-import org.bouncycastle.crypto.params.RSAKeyParameters
-import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters
 import org.bouncycastle.crypto.signers.ECDSASigner
 import org.bouncycastle.crypto.signers.HMacDSAKCalculator
 import org.bouncycastle.crypto.util.PrivateKeyFactory
@@ -49,7 +46,7 @@ internal fun ecdsaP384Sign(sig: ByteArray, m: ByteArray, sk: ByteArray, enforceL
 
     val d = BigInteger(1, sk)
     if (d.signum() <= 0 || d >= params.n) {
-        throw KeyV3Exception("Invalid P-384 private key")
+        throw EcKeyException("Invalid P-384 private key")
     }
     val secretKey = ECPrivateKeyParameters(d, params)
 
@@ -134,7 +131,7 @@ internal fun p384SkToPk(sk: ByteArray): ByteArray {
     val params = CustomNamedCurves.getByOID(SECObjectIdentifiers.secp384r1)
     val d = BigInteger(1, sk)
     if (d.signum() <= 0 || d >= params.n) {
-        throw KeyV3Exception("Invalid P-384 private key")
+        throw EcKeyException("Invalid P-384 private key")
     }
     val q = params.g.multiply(d).normalize()
     return q.getEncoded(true)
@@ -145,21 +142,21 @@ internal fun p384VerifyPk(pk: ByteArray): ECPoint {
         throw ByteArrayLengthException("pk", pk.size, ECDSA_P384_PUBLICKEYBYTES)
     }
     if (pk[0] != 0x02.toByte() && pk[0] != 0x03.toByte()) {
-        throw KeyV3Exception("must use point compression")
+        throw EcKeyException("must use point compression")
     }
 
     val params = CustomNamedCurves.getByOID(SECObjectIdentifiers.secp384r1)
     val q = try {
         params.curve.decodePoint(pk)
     } catch (ex: IllegalArgumentException) {
-        throw KeyV3Exception("decode point", ex)
+        throw EcKeyException("decode point", ex)
     }
 
     if (q.isInfinity) {
-        throw KeyV3Exception("Point at infinity")
+        throw EcKeyException("Point at infinity")
     }
     if (!q.isValid) {
-        throw KeyV3Exception("Point not on curve")
+        throw EcKeyException("Point not on curve")
     }
 
     return q
@@ -173,7 +170,7 @@ internal fun p384EncodeSkPkcs8(sk: ByteArray): ByteArray {
     val d = BigInteger(1, sk)
 
     if (d.signum() <= 0 || d >= params.n) {
-        throw KeyV3Exception("Invalid P-384 private key")
+        throw EcKeyException("Invalid P-384 private key")
     }
 
     @Suppress("MagicNumber")
@@ -190,23 +187,23 @@ internal fun p384EncodeSkPkcs8(sk: ByteArray): ByteArray {
 internal fun p384DecodeSkPkcs8(der: ByteArray): ByteArray {
     try {
         val params = PrivateKeyFactory.createKey(der) as? ECPrivateKeyParameters
-            ?: throw KeyV3Exception("Private key is not on secp384r1")
+            ?: throw EcKeyException("Private key is not on secp384r1")
         val domain = params.parameters
         val expected = CustomNamedCurves.getByOID(SECObjectIdentifiers.secp384r1)
 
         if (domain.curve != expected.curve || domain.g != expected.g || domain.n != expected.n ||
             domain.h != expected.h
         ) {
-            throw KeyV3Exception("Private key is not on secp384r1")
+            throw EcKeyException("Private key is not on secp384r1")
         }
 
         if (params.d.signum() <= 0 || params.d >= domain.n) {
-            throw KeyV3Exception("Invalid private key")
+            throw EcKeyException("Invalid private key")
         }
 
         return BigIntegers.asUnsignedByteArray(ECDSA_P384_SECRETKEYBYTES, params.d)
     } catch (ex: Throwable) {
-        throw KeyV3Exception("invalid private key", ex)
+        throw EcKeyException("invalid private key", ex)
     }
 }
 
@@ -218,7 +215,7 @@ internal fun p384EncodeSkSec1(sk: ByteArray): ByteArray {
     val params = CustomNamedCurves.getByOID(SECObjectIdentifiers.secp384r1)
     val d = BigInteger(1, sk)
     if (d.signum() <= 0 || d >= params.n) {
-        throw KeyV3Exception("Invalid P-384 private key")
+        throw EcKeyException("Invalid P-384 private key")
     }
 
     val publicKey = DERBitString(params.g.multiply(d).normalize().getEncoded(false))
@@ -232,31 +229,31 @@ internal fun p384EncodeSkSec1(sk: ByteArray): ByteArray {
 internal fun p384DecodeSkSec1(der: ByteArray): ByteArray {
     try {
         val key = ECPrivateKey.getInstance(ASN1Primitive.fromByteArray(der))
-            ?: throw KeyV3Exception("Invalid private key")
+            ?: throw EcKeyException("Invalid private key")
         val curveParams = CustomNamedCurves.getByOID(SECObjectIdentifiers.secp384r1)
 
         key.parametersObject?.let { params ->
             when (params) {
                 is ASN1ObjectIdentifier -> {
                     if (params != SECObjectIdentifiers.secp384r1) {
-                        throw KeyV3Exception("SEC1 key not on secp384r1")
+                        throw EcKeyException("SEC1 key not on secp384r1")
                     }
                 }
 
                 else -> {
-                    throw KeyV3Exception("Unsupported curve parameters")
+                    throw EcKeyException("Unsupported curve parameters")
                 }
             }
-        } ?: throw KeyV3Exception("SEC1 key must include curve parameters")
+        } ?: throw EcKeyException("SEC1 key must include curve parameters")
 
         val d = key.key
         if (d.signum() <= 0 || d >= curveParams.n) {
-            throw KeyV3Exception("Invalid P-384 private key")
+            throw EcKeyException("Invalid P-384 private key")
         }
 
         return BigIntegers.asUnsignedByteArray(ECDSA_P384_SECRETKEYBYTES, d)
     } catch (ex: Throwable) {
-        throw KeyV3Exception("Invalid private key", ex)
+        throw EcKeyException("Invalid private key", ex)
     }
 }
 
@@ -272,21 +269,21 @@ internal fun p384EncodePkSpki(pk: ByteArray): ByteArray {
 internal fun p384DecodePkSpki(der: ByteArray): ByteArray {
     try {
         val params = PublicKeyFactory.createKey(der) as? ECPublicKeyParameters
-            ?: throw KeyV3Exception("Public key is not on secp384r1")
+            ?: throw EcKeyException("Public key is not on secp384r1")
         val domain = params.parameters
         val expected = CustomNamedCurves.getByOID(SECObjectIdentifiers.secp384r1)
 
         if (domain.curve != expected.curve || domain.g != expected.g || domain.n != expected.n ||
             domain.h != expected.h
         ) {
-            throw KeyV3Exception("Public key is not on secp384r1")
+            throw EcKeyException("Public key is not on secp384r1")
         }
 
         return params.q.getEncoded(true).also {
             p384VerifyPk(it)
         }
     } catch (ex: Throwable) {
-        throw KeyV3Exception("invalid public key", ex)
+        throw EcKeyException("invalid public key", ex)
     }
 }
 

paseto/src/main/kotlin/net/aholbrook/paseto/crypto/RsaPssSha384.kt

@@ -1,7 +1,7 @@
 package net.aholbrook.paseto.crypto
 
 import net.aholbrook.paseto.exception.ByteArrayLengthException
-import net.aholbrook.paseto.exception.CryptoProviderException
+import net.aholbrook.paseto.exception.CryptoException as PasetoCryptoException
 import org.bouncycastle.asn1.ASN1Primitive
 import org.bouncycastle.asn1.DERNull
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers
@@ -50,7 +50,7 @@ internal fun pssSha384(forSigning: Boolean, key: ByteArray): PSSSigner {
 
         return pss
     } catch (e: IOException) {
-        throw CryptoProviderException("IOException", e)
+        throw PasetoCryptoException("IOException", e)
     }
 }
 
@@ -68,7 +68,7 @@ internal fun rsaSign(m: ByteArray, privateKey: ByteArray): ByteArray {
         return pss.generateSignature()
     } catch (e: CryptoException) {
         // Not documented
-        throw CryptoProviderException("CryptoException", e)
+        throw PasetoCryptoException("CryptoException", e)
     }
 }
 

paseto/src/main/kotlin/net/aholbrook/paseto/exception/ByteArrayExceptions.kt

@@ -8,7 +8,7 @@ class ByteArrayLengthException @InternalApi constructor(
     val required: Int,
     val isExact: Boolean = true,
     cause: Throwable? = null,
-) : CryptoProviderException(
+) : PasetoException(
     "$arg: $required ${if (isExact) "exact " else ""}bytes required, given $len bytes.",
     cause,
 )
@@ -19,4 +19,4 @@ class ByteArrayRangeException @InternalApi constructor(
     val minBound: Int,
     val maxBound: Int,
     throwable: Throwable? = null,
-) : CryptoProviderException("$arg: length outside of range $minBound..$maxBound.", throwable)
+) : PasetoException("$arg: length outside of range $minBound..$maxBound.", throwable)

paseto/src/main/kotlin/net/aholbrook/paseto/exception/Exceptions.kt

@@ -4,37 +4,31 @@ import net.aholbrook.paseto.InternalApi
 import net.aholbrook.paseto.Token
 import net.aholbrook.paseto.protocol.Version
 
-open class CryptoProviderException @InternalApi constructor(s: String?, throwable: Throwable?) :
-    RuntimeException(s, throwable)
-
 open class PasetoException @InternalApi constructor(msg: String, cause: Throwable? = null) :
     RuntimeException(msg, cause)
 
+open class CryptoException @InternalApi constructor(s: String, throwable: Throwable?) :
+    PasetoException(s, throwable)
+
 class ImplicitAssertionsNotSupportedException @InternalApi constructor(actual: Version) :
     PasetoException("Implicit assertions are not supported for " + actual.name + " tokens.")
 
 class CannotSignWithoutSecretKey @InternalApi constructor() :
     PasetoException("Token services without a secret key do not support signing.")
 
-open class PasetoStringException @InternalApi constructor(s: String, val token: String, cause: Throwable? = null) :
+open class EncodedTokenException @InternalApi constructor(s: String, val token: String, cause: Throwable? = null) :
     PasetoException(s, cause)
 
-open class PasetoPayloadException @InternalApi constructor(
-    s: String,
-    val payload: ByteArray,
-    cause: Throwable? = null,
-) : PasetoException(s, cause)
-
 class EncryptionException @InternalApi constructor() : PasetoException("Failed to encrypt payload.")
 
 class DecryptionException @InternalApi constructor(token: String) :
-    PasetoStringException("Failed to decrypt token.", token)
+    EncodedTokenException("Failed to decrypt token.", token)
 
 open class InvalidFooterException @InternalApi constructor(msg: String, cause: Throwable? = null) :
     PasetoException(msg, cause)
 
 class IncorrectFooterException @InternalApi constructor(val given: String?, val expected: String) :
-    PasetoException("Invalid footer in token: \"$given\" expected: \"$expected\".")
+    InvalidFooterException("Invalid footer in token: \"$given\" expected: \"$expected\".")
 
 class FooterExceedsMaxLengthException @InternalApi constructor(val length: Int, val max: Int) :
     InvalidFooterException("Footer of length $length exceeds maximum length $max.")
@@ -49,27 +43,18 @@ class FooterJsonParseException @InternalApi constructor(message: String?, cause:
     InvalidFooterException(message ?: "", cause)
 
 class InvalidHeaderException @InternalApi constructor(val given: String?, val expected: String, token: String) :
-    PasetoStringException("Invalid header in token: \"$given\", expected: \"$expected\".", token)
+    EncodedTokenException("Invalid header in token: \"$given\", expected: \"$expected\".", token)
 
-class SigningException @InternalApi constructor(payload: ByteArray) :
-    PasetoPayloadException("Failed to sign payload.", payload)
+class SigningException @InternalApi constructor(val payload: ByteArray) :
+    PasetoException("Failed to sign payload.")
 
 class SignatureVerificationException @InternalApi constructor(token: String) :
-    PasetoStringException("Failed to verify token signature.", token)
-
-open class PasetoTokenException @InternalApi constructor(s: String, val token: Token) : PasetoException(s)
-
-class TokenExpiresBeforeIssuedException @InternalApi constructor(token: Token) :
-    PasetoTokenException("token would expire (${token.expiresAt}) before it was issued (${token.issuedAt})", token)
+    EncodedTokenException("Failed to verify token signature.", token)
 
-class TokenIsNotValidUntilAfterExpiration @InternalApi constructor(token: Token) :
-    PasetoTokenException("token is not valid (${token.notBefore}) until after it expires (${token.expiresAt})", token)
 
-class MissingClaimException @InternalApi constructor(val claim: String, token: Token) :
-    PasetoTokenException("Token is missing required claim $claim.", token)
 
 class PasetoParseException @InternalApi constructor(val reason: Reason, token: String) :
-    PasetoStringException(
+    EncodedTokenException(
         when (reason) {
             Reason.MISSING_SECTIONS ->
                 "Invalid token: \"$token\" unable to locate 3-4 paseto sections."

paseto/src/main/kotlin/net/aholbrook/paseto/exception/KeyExceptions.kt

@@ -13,9 +13,9 @@ class KeyVersionException @InternalApi constructor(val expected: Version, val ac
     PasetoException("Got wrong Key version: $actual given, expected: $expected.")
 
 class KeyClearedException @InternalApi constructor() :
-    PasetoException("Key instance has already been consumed and cleared. Lpad a new key for each operation.")
+    PasetoException("Key instance has already been consumed and cleared. Load a new key for each operation.")
 
 class KeyPemUnsupportedTypeException @InternalApi constructor(val type: String) :
     PasetoException("Unsupported PEM type: $type")
 
-class KeyV3Exception @InternalApi constructor(msg: String, cause: Throwable? = null) : PasetoException(msg, cause)
+class EcKeyException @InternalApi constructor(msg: String, cause: Throwable? = null) : PasetoException(msg, cause)

paseto/src/main/kotlin/net/aholbrook/paseto/exception/RuleValidationExceptions.kt

@@ -5,57 +5,65 @@ import net.aholbrook.paseto.Token
 import net.aholbrook.paseto.rules.Rule
 import java.time.Instant
 
+
 open class RuleValidationException @InternalApi constructor(
     msg: String,
     val claim: String,
-    val rule: Rule?,
-    token: Token,
-) : PasetoTokenException(msg, token)
+    val token: Token,
+) : PasetoException(msg) {
+    lateinit var rule: Rule
+        internal set
+}
+
+class TokenExpiresBeforeIssuedException @InternalApi constructor(token: Token) :
+    RuleValidationException("token would expire (${token.expiresAt}) before it was issued (${token.issuedAt})", "iat", token)
 
-class ExpiredTokenException @InternalApi constructor(time: Instant, rule: Rule, token: Token) :
-    RuleValidationException("Token expired at $time.", "exp", rule, token)
+class TokenIsNotValidUntilAfterExpiration @InternalApi constructor(token: Token, ) :
+    RuleValidationException("token is not valid (${token.notBefore}) until after it expires (${token.expiresAt})", "exp", token)
+
+class MissingClaimException @InternalApi constructor(claim: String, token: Token, ) :
+    RuleValidationException("Token is missing required claim $claim.", claim, token)
+
+class ExpiredTokenException @InternalApi constructor(time: Instant, token: Token) :
+    RuleValidationException("Token expired at $time.", "exp", token)
 
 class IncorrectAudienceException @InternalApi constructor(
     val expected: String,
     val audience: String?,
-    rule: Rule,
     token: Token,
-) : RuleValidationException("Token audience is \"$audience\", required: \"$expected\"", "aud", rule, token)
+) : RuleValidationException("Token audience is \"$audience\", required: \"$expected\"", "aud", token)
 
 class IncorrectTokenIdException @InternalApi constructor(
     val expected: String,
     val tokenId: String?,
-    rule: Rule,
     token: Token,
-) : RuleValidationException("Token ID is \"$tokenId\", required: \"$expected\"", "jti", rule, token)
+) : RuleValidationException("Token ID is \"$tokenId\", required: \"$expected\"", "jti", token)
 
 class IncorrectIssuerException @InternalApi constructor(
     val expected: String,
     val issuer: String?,
-    rule: Rule,
     token: Token,
-) : RuleValidationException("Token issued by \"$issuer\", required: \"$expected\"", "iss", rule, token)
+) : RuleValidationException("Token issued by \"$issuer\", required: \"$expected\"", "iss", token)
 
 class IncorrectSubjectException @InternalApi constructor(
-    val expected: String?,
+    val expected: String,
     val subject: String,
-    rule: Rule,
     token: Token,
-) : RuleValidationException("Token subject is \"$subject\", required: \"$expected\"", "sub", rule, token)
+) : RuleValidationException("Token subject is \"$subject\", required: \"$expected\"", "sub", token)
 
-class IssuedInFutureException @InternalApi constructor(now: Instant, issuedAt: Instant?, rule: Rule, token: Token) :
-    RuleValidationException("Token was issued at a future date/time $issuedAt, currently: $now", "iat", rule, token)
+class IssuedInFutureException @InternalApi constructor(now: Instant, issuedAt: Instant?, token: Token) :
+    RuleValidationException("Token was issued at a future date/time $issuedAt, currently: $now", "iat", token)
 
-class NotYetValidTokenException @InternalApi constructor(time: Instant, rule: Rule, token: Token) :
-    RuleValidationException("Token is not valid until $time.", "nbf", rule, token)
+class NotYetValidException @InternalApi constructor(time: Instant, token: Token) :
+    RuleValidationException("Token is not valid until $time.", "nbf", token)
 
-class MultipleValidationExceptions @InternalApi constructor(token: Token) :
-    PasetoTokenException("Multiple verification errors.", token) {
+class MultipleValidationErrorsException @InternalApi constructor(val token: Token) :
+    PasetoException("Multiple verification errors.") {
 
-    private val internalExceptions = mutableListOf<PasetoTokenException>()
-    val exceptions: List<PasetoTokenException> get() = internalExceptions
+    private val internalExceptions = mutableListOf<RuleValidationException>()
+    val exceptions: List<RuleValidationException> get() = internalExceptions
 
-    fun add(e: PasetoTokenException) {
+    internal fun add(e: RuleValidationException) {
         internalExceptions.add(e)
     }