Add implicit assertion to test vectors for v3/v4.

atholbro · atholbro · commit db288ce08829 · 2026-03-13T15:53:59.000-04:00
diff --git a/paseto/src/main/kotlin/net/aholbrook/paseto/TokenService.kt b/paseto/src/main/kotlin/net/aholbrook/paseto/TokenService.kt
@@ -218,7 +218,6 @@ internal class PublicTokenService internal constructor(
     private val json: Json = Json { explicitNulls = false },
 ) : TokenService {
     override fun encode(token: Token, implicitAssertion: String): String {
-        // TODO expand service-test-vectors for v4 with implicit assertions
         if (implicitAssertion.isNotEmpty() && !paseto.supportsImplicitAssertion) {
             throw ImplicitAssertionsNotSupportedException(paseto.version)
         }
@@ -239,7 +238,6 @@ internal class PublicTokenService internal constructor(
     }
 
     override fun decode(token: String, footer: Footer?, implicitAssertion: String): Token {
-        // TODO expand service-test-vectors for v4 with implicit assertions
         if (implicitAssertion.isNotEmpty() && !paseto.supportsImplicitAssertion) {
             throw ImplicitAssertionsNotSupportedException(paseto.version)
         }
diff --git a/paseto/src/test/kotlin/net/aholbrook/paseto/ServiceTestVectorsTests.kt b/paseto/src/test/kotlin/net/aholbrook/paseto/ServiceTestVectorsTests.kt
@@ -86,14 +86,18 @@ class ServiceTestVectorsTests {
             val currentTime = expected.notBefore ?: expected.issuedAt
 
             val actual = when (vector.mode) {
-                "local" -> localService(version, vector, currentTime).encode(expected)
-                "public" -> publicService(version, vector, currentTime).encode(expected)
+                "local" -> localService(version, vector, currentTime)
+                    .encode(expected, vector.implicitAssertion ?: "")
+
+                "public" -> publicService(version, vector, currentTime)
+                    .encode(expected, vector.implicitAssertion ?: "")
+
                 else -> error("Unsupported mode: ${vector.mode}")
             }
 
             if (version == Version.V1 && vector.mode == "public") {
                 val decoded = publicService(version, vector, currentTime)
-                    .decode(actual, expected.footer)
+                    .decode(actual, expected.footer, vector.implicitAssertion ?: "")
                 decoded shouldBe expected
             } else {
                 actual shouldBe vector.token
@@ -106,10 +110,10 @@ class ServiceTestVectorsTests {
 
             val actual = when (vector.mode) {
                 "local" -> localService(version, vector, currentTime)
-                    .decode(vector.token, expected.footer)
+                    .decode(vector.token, expected.footer, vector.implicitAssertion ?: "")
 
                 "public" -> publicService(version, vector, currentTime)
-                    .decode(vector.token, expected.footer)
+                    .decode(vector.token, expected.footer, vector.implicitAssertion ?: "")
 
                 else -> error("Unsupported mode: ${vector.mode}")
             }
diff --git a/paseto/src/test/resources/service-test-vectors/v3.json b/paseto/src/test/resources/service-test-vectors/v3.json
@@ -263,6 +263,57 @@
                 "kid": "key-1"
             },
             "token": "v3.public.e30IsoJvLCjwqnypFfAJ64AVYIggDbuTAxFLkhO_xiSeGzj3UTgj6wnWZfGU76TzaKQYaw52sz4lz1MfuYB9B-Qr06bptljULigj8DHgypEU7cwnkurayW3FSHS0iIbelEs.eyJraWQiOiJrZXktMSJ9"
+        },
+        {
+            "name": "TV_IA_1_V3_LOCAL",
+            "mode": "local",
+            "nonce": "d892e66e5ef2185186b161adbcefc1283157e5c90dbdae4d5db1cc481e2889fd",
+            "key": "3236753cafb041c87c87fe8f4fbe7303b5c22f61fd447c5d3e5bf9e4d6f9e327",
+            "payload": {},
+            "implicit-assertion": "ia-test-v3-local",
+            "token": "v3.local.2JLmbl7yGFGGsWGtvO_BKDFX5ckNva5NXbHMSB4oif16n-fFEYhD372dSNJtElDhjFSOwazuCICsAzxUQIxOcVF88FziBYtOPGplAsh5svIcHQ"
+        },
+        {
+            "name": "TV_IA_1_V3_LOCAL_WITH_FOOTER",
+            "mode": "local",
+            "nonce": "d892e66e5ef2185186b161adbcefc1283157e5c90dbdae4d5db1cc481e2889fd",
+            "key": "3236753cafb041c87c87fe8f4fbe7303b5c22f61fd447c5d3e5bf9e4d6f9e327",
+            "payload": {},
+            "footer": {
+                "kid": "key-1"
+            },
+            "implicit-assertion": "ia-test-v3-local-footer",
+            "token": "v3.local.2JLmbl7yGFGGsWGtvO_BKDFX5ckNva5NXbHMSB4oif16n_zzuTDEx4RIUbVVrTwqM5H35Qrrsh6YPgBgUdiPxZ6dsYETX9tscmWYUE6nuH5KsQ.eyJraWQiOiJrZXktMSJ9"
+        },
+        {
+            "name": "TV_IA_1_V3_PUBLIC",
+            "mode": "public",
+            "public-key": "039bd37f93bd00b144b991b91bd2937c59273ea3db9b564a084856842e645c2ff4c669754899a0b1f516972db997151952",
+            "secret-key": "1dd0e1156bbe26b2000b7ea251824076b1ece4796fca6eaa93306f65b6c1772d5d42ab60b62c610e901e7a7b6cbf7a47",
+            "payload": {},
+            "implicit-assertion": "ia-test-v3-public",
+            "token": "v3.public.e31WZerO5IER3p7wvtUE7Q6OhWZWK2iTpFryxHgPgEvOGuPohV5D1bbO5SMm4qcGsT9yyF59eloLIOoDc68lGWSoCnZ9udBa4g9BTTm2BFFpWd_ZCmzFfvEX6oKPsvKGU3U"
+        },
+        {
+            "name": "TV_IA_1_V3_PUBLIC_WITH_FOOTER",
+            "mode": "public",
+            "public-key": "039bd37f93bd00b144b991b91bd2937c59273ea3db9b564a084856842e645c2ff4c669754899a0b1f516972db997151952",
+            "secret-key": "1dd0e1156bbe26b2000b7ea251824076b1ece4796fca6eaa93306f65b6c1772d5d42ab60b62c610e901e7a7b6cbf7a47",
+            "payload": {},
+            "footer": {
+                "kid": "key-1"
+            },
+            "implicit-assertion": "ia-test-v3-public-footer",
+            "token": "v3.public.e32c4HpYQsWYJH3nZi6tinWelK_3-3hk2cykxnqoKRl7JBE7hdiP26g45H9s_rWYyY15c-9VaykOxXw0mD5ADdRzQ445trmlgzIEjjUs0u6ITdeUPIaxFVpUFuMYlh0rIs8.eyJraWQiOiJrZXktMSJ9"
+        },
+        {
+            "name": "TV_IA_NULL_V3_LOCAL",
+            "mode": "local",
+            "nonce": "d892e66e5ef2185186b161adbcefc1283157e5c90dbdae4d5db1cc481e2889fd",
+            "key": "3236753cafb041c87c87fe8f4fbe7303b5c22f61fd447c5d3e5bf9e4d6f9e327",
+            "payload": {},
+            "implicit-assertion": null,
+            "token": "v3.local.2JLmbl7yGFGGsWGtvO_BKDFX5ckNva5NXbHMSB4oif16n4_8721k4U0NIDG-eUwWjXhaqLfq9PM251pvIEu38c_Tww7CH9YATBWX2VB-EOP4MA"
         }
     ]
-}
+}
diff --git a/paseto/src/test/resources/service-test-vectors/v4.json b/paseto/src/test/resources/service-test-vectors/v4.json
@@ -263,6 +263,57 @@
                 "kid": "key-1"
             },
             "token": "v4.public.e30dIki_CWNjVyAgAolgKwksBFK53XcCBttt51UhiqSavDFEABNl-ioet3HVQDTnZetqJZTm7y5yrqRvoeVeOmQD.eyJraWQiOiJrZXktMSJ9"
+        },
+        {
+            "name": "TV_IA_1_V4_LOCAL",
+            "mode": "local",
+            "nonce": "3e2e599e3631b0e43595be4a31d4d615b7cb11b78d0b9d1bf703eb90ec2c0bba",
+            "key": "21a438bd432da3e9f87ec1a2e42136b77c1ec57fb5acfeb80fac8c9589ce066f",
+            "payload": {},
+            "implicit-assertion": "ia-test-v4-local",
+            "token": "v4.local.Pi5ZnjYxsOQ1lb5KMdTWFbfLEbeNC50b9wPrkOwsC7rWgAUbvteusd1WHY8LTuC5g9M3XJlDuV48rxIwC5yz8BMM"
+        },
+        {
+            "name": "TV_IA_1_V4_LOCAL_WITH_FOOTER",
+            "mode": "local",
+            "nonce": "3e2e599e3631b0e43595be4a31d4d615b7cb11b78d0b9d1bf703eb90ec2c0bba",
+            "key": "21a438bd432da3e9f87ec1a2e42136b77c1ec57fb5acfeb80fac8c9589ce066f",
+            "payload": {},
+            "footer": {
+                "kid": "key-1"
+            },
+            "implicit-assertion": "ia-test-v4-local-footer",
+            "token": "v4.local.Pi5ZnjYxsOQ1lb5KMdTWFbfLEbeNC50b9wPrkOwsC7rWgB4IAgGbX32Zn_RBZDFPICTlIqYV4Z0F5MflWIn7D_Em.eyJraWQiOiJrZXktMSJ9"
+        },
+        {
+            "name": "TV_IA_1_V4_PUBLIC",
+            "mode": "public",
+            "public-key": "968ca16429daed891fc74a34f1998968e9fc3b4172b2b8eefe01c11821abbe5c",
+            "secret-key": "737c0470b4e9b7ca8b0ee1403e41d8083b2ba76c44d48581468270f0b74fd647968ca16429daed891fc74a34f1998968e9fc3b4172b2b8eefe01c11821abbe5c",
+            "payload": {},
+            "implicit-assertion": "ia-test-v4-public",
+            "token": "v4.public.e33z8Z_SKTvH9EWzHle5ni6iqC5tyJpQReq6gGsNiopcSYNnep19KYwF9dwQOPUdUWpsJFnm-3ydEPYkHe2pJJ4A"
+        },
+        {
+            "name": "TV_IA_1_V4_PUBLIC_WITH_FOOTER",
+            "mode": "public",
+            "public-key": "968ca16429daed891fc74a34f1998968e9fc3b4172b2b8eefe01c11821abbe5c",
+            "secret-key": "737c0470b4e9b7ca8b0ee1403e41d8083b2ba76c44d48581468270f0b74fd647968ca16429daed891fc74a34f1998968e9fc3b4172b2b8eefe01c11821abbe5c",
+            "payload": {},
+            "footer": {
+                "kid": "key-1"
+            },
+            "implicit-assertion": "ia-test-v4-public-footer",
+            "token": "v4.public.e31b3quiFqZW2AzqqYXYEQ-pnGe5FhpNzDiWUTm7iB6RyTKvIxf6lnkGJ1Gha-puM_3-xKqwkHchFrFQRTvUQl8P.eyJraWQiOiJrZXktMSJ9"
+        },
+        {
+            "name": "TV_IA_NULL_V4_LOCAL",
+            "mode": "local",
+            "nonce": "3e2e599e3631b0e43595be4a31d4d615b7cb11b78d0b9d1bf703eb90ec2c0bba",
+            "key": "21a438bd432da3e9f87ec1a2e42136b77c1ec57fb5acfeb80fac8c9589ce066f",
+            "payload": {},
+            "implicit-assertion": null,
+            "token": "v4.local.Pi5ZnjYxsOQ1lb5KMdTWFbfLEbeNC50b9wPrkOwsC7rWgEhFA8BaCSmjB8wc6kE3pYHagpgK0q051d2Pwf-ZY16U"
         }
     ]
-}
+}
diff --git a/paseto/src/testFixtures/kotlin/net/aholbrook/paseto/ServiceTestVectorFixtures.kt b/paseto/src/testFixtures/kotlin/net/aholbrook/paseto/ServiceTestVectorFixtures.kt
@@ -31,6 +31,8 @@ data class ServiceTestVector(
     val secretKey: String? = null,
     val payload: JsonObject,
     val footer: JsonElement? = null,
+    @SerialName("implicit-assertion")
+    val implicitAssertion: String? = null,
     val token: String,
 )
 
diff --git a/vector-gen/src/main/kotlin/net/aholbrook/paseto/vectorgen/Main.kt b/vector-gen/src/main/kotlin/net/aholbrook/paseto/vectorgen/Main.kt
@@ -120,15 +120,16 @@ class GenerateCommand : CliktCommand(name = "vector-gen") {
         }
 
         val token = tokenFromVector(vector)
+        val implicitAssertion = vector.implicitAssertion ?: ""
         val encoded = withTestNonce(nonce) {
             val service = tokenService(pasetoVersion ?: inputVersion, Purpose.Local { key.copy() }) {
                 rules {
                     issuedInPast = null
                     notExpired = null
                 }
             }
-            val encoded = service.encode(token)
-            service.decode(encoded)
+            val encoded = service.encode(token, implicitAssertion)
+            service.decode(encoded, implicitAssertion = implicitAssertion)
             encoded
         }
 
@@ -169,14 +170,15 @@ class GenerateCommand : CliktCommand(name = "vector-gen") {
         }
 
         val token = tokenFromVector(vector)
+        val implicitAssertion = vector.implicitAssertion ?: ""
         val encoded = withTestNonce(vector.nonce?.toByteArray()) {
             val service = tokenService(pasetoVersion ?: inputVersion, Purpose.Public { keyPair.copy() }) {
                 rules {
                     issuedInPast = null
                     notExpired = null
                 }
             }
-            service.encode(token)
+            service.encode(token, implicitAssertion)
         }
 
         return vector.copy(

Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,6 @@ internal class PublicTokenService internal constructor(`
`218`	`218`	`private val json: Json = Json { explicitNulls = false },`
`219`	`219`	`) : TokenService {`
`220`	`220`	`override fun encode(token: Token, implicitAssertion: String): String {`
`221`		`- // TODO expand service-test-vectors for v4 with implicit assertions`
`222`	`221`	`if (implicitAssertion.isNotEmpty() && !paseto.supportsImplicitAssertion) {`
`223`	`222`	`throw ImplicitAssertionsNotSupportedException(paseto.version)`
`224`	`223`	`}`
`@@ -239,7 +238,6 @@ internal class PublicTokenService internal constructor(`
`239`	`238`	`}`
`240`	`239`
`241`	`240`	`override fun decode(token: String, footer: Footer?, implicitAssertion: String): Token {`
`242`		`- // TODO expand service-test-vectors for v4 with implicit assertions`
`243`	`241`	`if (implicitAssertion.isNotEmpty() && !paseto.supportsImplicitAssertion) {`
`244`	`242`	`throw ImplicitAssertionsNotSupportedException(paseto.version)`
`245`	`243`	`}`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,8 @@ data class ServiceTestVector(`
`31`	`31`	`val secretKey: String? = null,`
`32`	`32`	`val payload: JsonObject,`
`33`	`33`	`val footer: JsonElement? = null,`
	`34`	`+ @SerialName("implicit-assertion")`
	`35`	`+ val implicitAssertion: String? = null,`
`34`	`36`	`val token: String,`
`35`	`37`	`)`
`36`	`38`
Original file line number	Diff line number	Diff line change
`@@ -120,15 +120,16 @@ class GenerateCommand : CliktCommand(name = "vector-gen") {`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`val token = tokenFromVector(vector)`
	`123`	`+ val implicitAssertion = vector.implicitAssertion ?: ""`
`123`	`124`	`val encoded = withTestNonce(nonce) {`
`124`	`125`	`val service = tokenService(pasetoVersion ?: inputVersion, Purpose.Local { key.copy() }) {`
`125`	`126`	`rules {`
`126`	`127`	`issuedInPast = null`
`127`	`128`	`notExpired = null`
`128`	`129`	`}`
`129`	`130`	`}`
`130`		`- val encoded = service.encode(token)`
`131`		`- service.decode(encoded)`
	`131`	`+ val encoded = service.encode(token, implicitAssertion)`
	`132`	`+ service.decode(encoded, implicitAssertion = implicitAssertion)`
`132`	`133`	`encoded`
`133`	`134`	`}`
`134`	`135`
`@@ -169,14 +170,15 @@ class GenerateCommand : CliktCommand(name = "vector-gen") {`
`169`	`170`	`}`
`170`	`171`
`171`	`172`	`val token = tokenFromVector(vector)`
	`173`	`+ val implicitAssertion = vector.implicitAssertion ?: ""`
`172`	`174`	`val encoded = withTestNonce(vector.nonce?.toByteArray()) {`
`173`	`175`	`val service = tokenService(pasetoVersion ?: inputVersion, Purpose.Public { keyPair.copy() }) {`
`174`	`176`	`rules {`
`175`	`177`	`issuedInPast = null`
`176`	`178`	`notExpired = null`
`177`	`179`	`}`
`178`	`180`	`}`
`179`		`- service.encode(token)`
	`181`	`+ service.encode(token, implicitAssertion)`
`180`	`182`	`}`
`181`	`183`
`182`	`184`	`return vector.copy(`