2014-07-06 02:08:42 +04:00
|
|
|
package jwt
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto"
|
|
|
|
"crypto/hmac"
|
|
|
|
"errors"
|
|
|
|
)
|
|
|
|
|
2021-08-03 16:51:01 +03:00
|
|
|
// SigningMethodHMAC implements the HMAC-SHA family of signing methods.
|
2018-03-09 02:13:08 +03:00
|
|
|
// Expects key type of []byte for both signing and validation
|
2014-07-06 02:08:42 +04:00
|
|
|
type SigningMethodHMAC struct {
|
|
|
|
Name string
|
|
|
|
Hash crypto.Hash
|
|
|
|
}
|
|
|
|
|
2014-08-27 02:30:37 +04:00
|
|
|
// Specific instances for HS256 and company
|
2014-07-06 02:08:42 +04:00
|
|
|
var (
|
2014-10-20 09:09:02 +04:00
|
|
|
SigningMethodHS256 *SigningMethodHMAC
|
|
|
|
SigningMethodHS384 *SigningMethodHMAC
|
|
|
|
SigningMethodHS512 *SigningMethodHMAC
|
|
|
|
ErrSignatureInvalid = errors.New("signature is invalid")
|
2014-07-06 02:08:42 +04:00
|
|
|
)
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
// HS256
|
|
|
|
SigningMethodHS256 = &SigningMethodHMAC{"HS256", crypto.SHA256}
|
|
|
|
RegisterSigningMethod(SigningMethodHS256.Alg(), func() SigningMethod {
|
|
|
|
return SigningMethodHS256
|
|
|
|
})
|
|
|
|
|
|
|
|
// HS384
|
|
|
|
SigningMethodHS384 = &SigningMethodHMAC{"HS384", crypto.SHA384}
|
|
|
|
RegisterSigningMethod(SigningMethodHS384.Alg(), func() SigningMethod {
|
|
|
|
return SigningMethodHS384
|
|
|
|
})
|
|
|
|
|
|
|
|
// HS512
|
|
|
|
SigningMethodHS512 = &SigningMethodHMAC{"HS512", crypto.SHA512}
|
|
|
|
RegisterSigningMethod(SigningMethodHS512.Alg(), func() SigningMethod {
|
|
|
|
return SigningMethodHS512
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (m *SigningMethodHMAC) Alg() string {
|
|
|
|
return m.Name
|
|
|
|
}
|
|
|
|
|
2023-03-31 14:19:48 +03:00
|
|
|
// Verify implements token verification for the SigningMethod. Returns nil if
|
|
|
|
// the signature is valid. Key must be []byte.
|
|
|
|
//
|
|
|
|
// Note it is not advised to provide a []byte which was converted from a 'human
|
|
|
|
// readable' string using a subset of ASCII characters. To maximize entropy, you
|
|
|
|
// should ideally be providing a []byte key which was produced from a
|
|
|
|
// cryptographically random source, e.g. crypto/rand. Additional information
|
|
|
|
// about this, and why we intentionally are not supporting string as a key can
|
|
|
|
// be found on our usage guide
|
|
|
|
// https://golang-jwt.github.io/jwt/usage/signing_methods/#signing-methods-and-key-types.
|
2023-03-24 21:13:09 +03:00
|
|
|
func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interface{}) error {
|
2015-09-14 22:07:47 +03:00
|
|
|
// Verify the key is the right type
|
|
|
|
keyBytes, ok := key.([]byte)
|
|
|
|
if !ok {
|
2023-11-17 21:45:07 +03:00
|
|
|
return newError("HMAC verify expects []byte", ErrInvalidKeyType)
|
2015-09-14 22:07:47 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// Can we use the specified hashing method?
|
|
|
|
if !m.Hash.Available() {
|
|
|
|
return ErrHashUnavailable
|
|
|
|
}
|
|
|
|
|
|
|
|
// This signing method is symmetric, so we validate the signature
|
|
|
|
// by reproducing the signature from the signing string and key, then
|
|
|
|
// comparing that against the provided signature.
|
|
|
|
hasher := hmac.New(m.Hash.New, keyBytes)
|
|
|
|
hasher.Write([]byte(signingString))
|
|
|
|
if !hmac.Equal(sig, hasher.Sum(nil)) {
|
|
|
|
return ErrSignatureInvalid
|
|
|
|
}
|
|
|
|
|
|
|
|
// No validation errors. Signature is good.
|
|
|
|
return nil
|
2014-07-06 02:08:42 +04:00
|
|
|
}
|
|
|
|
|
2023-03-31 14:19:48 +03:00
|
|
|
// Sign implements token signing for the SigningMethod. Key must be []byte.
|
|
|
|
//
|
|
|
|
// Note it is not advised to provide a []byte which was converted from a 'human
|
|
|
|
// readable' string using a subset of ASCII characters. To maximize entropy, you
|
|
|
|
// should ideally be providing a []byte key which was produced from a
|
|
|
|
// cryptographically random source, e.g. crypto/rand. Additional information
|
|
|
|
// about this, and why we intentionally are not supporting string as a key can
|
|
|
|
// be found on our usage guide https://golang-jwt.github.io/jwt/usage/signing_methods/.
|
2023-03-24 21:13:09 +03:00
|
|
|
func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte, error) {
|
2014-08-04 22:26:53 +04:00
|
|
|
if keyBytes, ok := key.([]byte); ok {
|
2014-08-27 02:00:15 +04:00
|
|
|
if !m.Hash.Available() {
|
2024-01-26 06:10:11 +03:00
|
|
|
return nil, ErrHashUnavailable
|
2014-08-27 02:00:15 +04:00
|
|
|
}
|
|
|
|
|
2014-08-04 22:26:53 +04:00
|
|
|
hasher := hmac.New(m.Hash.New, keyBytes)
|
|
|
|
hasher.Write([]byte(signingString))
|
|
|
|
|
2023-03-24 21:13:09 +03:00
|
|
|
return hasher.Sum(nil), nil
|
2014-08-04 22:26:53 +04:00
|
|
|
}
|
2014-07-06 02:08:42 +04:00
|
|
|
|
2024-01-26 06:10:11 +03:00
|
|
|
return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
|
2014-07-06 02:08:42 +04:00
|
|
|
}
|