fix(jwt): reject empty JWT-SVID audiences

java-spiffe-core/src/main/java/io/spiffe/svid/jwtsvid/JwtSvid.java

@@ -103,19 +103,21 @@ private JwtSvid(SpiffeId spiffeId,
      *                                    when the signature cannot be verified,
      *                                    when the 'aud' claim has an audience that is not in the audience list
      *                                    provided as parameter
-     * @throws IllegalArgumentException   when the token is blank or cannot be parsed
+     * @throws IllegalArgumentException   when the token is blank, when the audience is empty, or when the token
+     *                                    cannot be parsed
      * @throws BundleNotFoundException    if the bundle for the trust domain of the spiffe id from the 'sub'
      *                                    cannot be found in the JwtBundleSource
      * @throws AuthorityNotFoundException if the authority cannot be found in the bundle using the value from
      *                                    the 'kid' header
      */
     public static JwtSvid parseAndValidate(String token,
                                            BundleSource<JwtBundle> jwtBundleSource,
-                                           Set<String> audience)
+                                           Set<String>   audience)
             throws JwtSvidException, BundleNotFoundException, AuthorityNotFoundException {
         Objects.requireNonNull(token, "token must not be null");
         Objects.requireNonNull(jwtBundleSource, "jwtBundleSource must not be null");
         Objects.requireNonNull(audience, "audience must not be null");
+        requireNonEmptyAudience(audience);
 
         return parseAndValidate(token, jwtBundleSource, audience, null);
     }
@@ -139,7 +141,8 @@ public static JwtSvid parseAndValidate(String token,
      *                                    when the signature cannot be verified,
      *                                    when the 'aud' claim has an audience that is not in the audience list
      *                                    provided as parameter
-     * @throws IllegalArgumentException   when the token is blank or cannot be parsed
+     * @throws IllegalArgumentException   when the token is blank, when the audience is empty, or when the token
+     *                                    cannot be parsed
      * @throws BundleNotFoundException    if the bundle for the trust domain of the spiffe id from the 'sub'
      *                                    cannot be found in the JwtBundleSource
      * @throws AuthorityNotFoundException if the authority cannot be found in the bundle using the value from
@@ -154,6 +157,7 @@ public static JwtSvid parseAndValidate(String token,
         Objects.requireNonNull(token, "token must not be null");
         Objects.requireNonNull(jwtBundleSource, "jwtBundleSource must not be null");
         Objects.requireNonNull(audience, "audience must not be null");
+        requireNonEmptyAudience(audience);
 
         if (StringUtils.isBlank(token)) {
             throw new IllegalArgumentException("token cannot be blank");
@@ -198,11 +202,12 @@ public static JwtSvid parseAndValidate(String token,
      *                                  when the 'aud' has an audience that is not in the audience provided as parameter,
      *                                  when the 'alg' is not supported (See {@link JwtSignatureAlgorithm}),
      *                                  when the header 'typ' is present and is not 'JWT' or 'JOSE'.
-     * @throws IllegalArgumentException when the token cannot be parsed
+     * @throws IllegalArgumentException when the audience is empty or when the token cannot be parsed
      */
     public static JwtSvid parseInsecure(String token, Set<String> audience) throws JwtSvidException {
         Objects.requireNonNull(token, "token must not be null");
         Objects.requireNonNull(audience, "audience must not be null");
+        requireNonEmptyAudience(audience);
         return parseInsecure(token, audience, null);
     }
 
@@ -220,11 +225,12 @@ public static JwtSvid parseInsecure(String token, Set<String> audience) throws J
      *                                  when the 'aud' has an audience that is not in the audience provided as parameter,
      *                                  when the 'alg' is not supported (See {@link JwtSignatureAlgorithm}),
      *                                  when the header 'typ' is present and is not 'JWT' or 'JOSE'.
-     * @throws IllegalArgumentException when the token cannot be parsed
+     * @throws IllegalArgumentException when the audience is empty or when the token cannot be parsed
      */
     public static JwtSvid parseInsecure(String token, Set<String> audience, final String hint) throws JwtSvidException {
         Objects.requireNonNull(token, "token must not be null");
         Objects.requireNonNull(audience, "audience must not be null");
+        requireNonEmptyAudience(audience);
         if (StringUtils.isBlank(token)) {
             throw new IllegalArgumentException("token cannot be blank");
         }
@@ -401,6 +407,12 @@ private static void validateAudience(List<String> audClaim, Set<String> expected
         }
     }
 
+    private static void requireNonEmptyAudience(Set<String> audience) {
+        if (audience.isEmpty()) {
+            throw new IllegalArgumentException("audience cannot be empty");
+        }
+    }
+
     private static JwtSignatureAlgorithm parseAlgorithm(JWSAlgorithm algorithm) throws JwtSvidException {
         if (algorithm == null) {
             throw new JwtSvidException("JWT header 'alg' is required");

java-spiffe-core/src/test/java/io/spiffe/svid/jwtsvid/JwtSvidParseAndValidateTest.java

@@ -259,6 +259,13 @@ static Stream<Arguments> provideFailureScenarios() {
                         .generateToken(() -> TestUtils.generateToken(claims, key1, "authority1"))
                         .expectedException(new JwtSvidException("expected audience in [another] (audience=[audience2, audience1])"))
                         .build()),
+                Arguments.of(TestCase.builder()
+                        .name("empty expected audience")
+                        .jwtBundle(jwtBundle)
+                        .expectedAudience(Collections.emptySet())
+                        .generateToken(() -> TestUtils.generateToken(claims, key1, "authority1"))
+                        .expectedException(new IllegalArgumentException("audience cannot be empty"))
+                        .build()),
                 Arguments.of(TestCase.builder()
                         .name("missing audience claim")
                         .jwtBundle(jwtBundle)

java-spiffe-core/src/test/java/io/spiffe/svid/jwtsvid/JwtSvidParseInsecureTest.java

@@ -209,6 +209,12 @@ static Stream<Arguments> provideFailureScenarios() {
                         .generateToken(() -> TestUtils.generateToken(claims, key1, "authority1"))
                         .expectedException(new JwtSvidException("expected audience in [another] (audience=[audience])"))
                         .build()),
+                Arguments.of(TestCase.builder()
+                        .name("empty expected audience")
+                        .expectedAudience(Collections.emptySet())
+                        .generateToken(() -> TestUtils.generateToken(claims, key1, "authority1"))
+                        .expectedException(new IllegalArgumentException("audience cannot be empty"))
+                        .build()),
                 Arguments.of(TestCase.builder()
                         .name("invalid subject claim")
                         .expectedAudience(audience)