Sebastiaan van Stijn
8e9d9ebf6f
Fix security vulnerability (#40)
...
Fixes a security vulnerability where a jwt token could potentially be validated having invalid string characters.
(cherry picked from commit a211650c6ae1cff6d7347d3e24070d65dcfb1122)
https://github.com/form3tech-oss/jwt-go/pull/14
Co-Authored-By: Giorgos Lampadakis <82932062+giorgos-f3@users.noreply.github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-30 22:27:54 +02:00
Vasiliy Tolstov
324836737f
add ed25519 support (#36)
...
Signed-off-by: Vasiliy Tolstov <v.tolstov@unistack.org>
2021-07-29 23:57:09 +02:00
Josh Kline
860640e886
Allocation optimization (#33)
...
* Test to ensure ECDSA signature is valid
Add assertions to ensure ECDSA signing methods return valid signatures.
This is probably covered elsewhere as well, but putting it in
ecdsa_test.go makes it more obvious and easier to find.
* Benchmark ECDSA signing methods
Add benchmark coverage of ECDSA signing methods.
Benchmarks are run using the existing helper for comparability with
existing benchmarks.
Sign method is also tested directly, to avoid the overhead of *Token.
Report allocations for all benchmarks.
Allocation count for ES384 and ES512 fluctuate across test runs,
other signing methods consistently report the same number of allocations.
Sample output:
```
$ go test -bench=Bench -run=NONE .
2021/02/26 18:18:30 Listening...
goos: darwin
goarch: amd64
pkg: github.com/dgrijalva/jwt-go
BenchmarkECDSASigning/Basic_ES256-8 190572 6702 ns/op 4249 B/op 65 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 47383 24650 ns/op 3329 B/op 43 allocs/op
BenchmarkECDSASigning/Basic_ES384-8 1113 1252975 ns/op 1750744 B/op 14474 allocs/op
BenchmarkECDSASigning/Basic_ES384/sign-only-8 286 3937773 ns/op 1746175 B/op 14423 allocs/op
BenchmarkECDSASigning/Basic_ES512-8 662 1949937 ns/op 3028386 B/op 19608 allocs/op
BenchmarkECDSASigning/Basic_ES512/sign-only-8 170 6856189 ns/op 3025471 B/op 19571 allocs/op
BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 190638 6665 ns/op 4249 B/op 65 allocs/op
BenchmarkHS256Signing-8 1000000 1024 ns/op 1584 B/op 32 allocs/op
BenchmarkHS384Signing-8 917286 1447 ns/op 1969 B/op 32 allocs/op
BenchmarkHS512Signing-8 827744 1470 ns/op 2065 B/op 32 allocs/op
BenchmarkRS256Signing-8 3037 390077 ns/op 32576 B/op 136 allocs/op
BenchmarkRS384Signing-8 2976 379155 ns/op 32684 B/op 136 allocs/op
BenchmarkRS512Signing-8 3205 388628 ns/op 32704 B/op 136 allocs/op
```
* Reduce allocations during ECDSA signing
Reduce the number of byte arrays allocated by using big.Int.FillBytes
when calculating ECDSA signature.
After this change, Benchmarks of ES256 signing method consistently
report 4 fewer allocations.
Before:
```
BenchmarkECDSASigning/Basic_ES256-8 190572 6702 ns/op 4249 B/op 65 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 47383 24650 ns/op 3329 B/op 43 allocs/op
```
After:
```
BenchmarkECDSASigning/Basic_ES256-8 187682 6725 ns/op 4121 B/op 61 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 48656 24446 ns/op 3201 B/op 39 allocs/op
```
* Use base64.RawURLEncoding to avoid padding
JWT uses a non-padded base64 encoding.
Current code uses base64.URLEncoding to generate a padded string and
then removes the padding.
Likewise, current code adds padding before decoding.
Instead, use base64.RawURLEncoding which does not add or require the
padding in the first place.
In addition to making the code cleaner, this reduces memory allocations
as reported by benchmarks.
Before:
```
BenchmarkECDSASigning/Basic_ES256-8 191396 6917 ns/op 4121 B/op 61 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 49347 25039 ns/op 3201 B/op 39 allocs/op
BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 190668 6586 ns/op 4121 B/op 61 allocs/op
BenchmarkHS256Signing-8 1260060 1131 ns/op 1585 B/op 32 allocs/op
BenchmarkHS384Signing-8 861378 1387 ns/op 1969 B/op 32 allocs/op
BenchmarkHS512Signing-8 896745 1463 ns/op 2065 B/op 32 allocs/op
BenchmarkRS256Signing-8 3086 355769 ns/op 32576 B/op 136 allocs/op
BenchmarkRS384Signing-8 3414 353570 ns/op 32694 B/op 136 allocs/op
BenchmarkRS512Signing-8 3235 349394 ns/op 32706 B/op 136 allocs/op
```
After:
```
BenchmarkECDSASigning/Basic_ES256-8 176617 6827 ns/op 4021 B/op 58 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8 48038 24213 ns/op 3169 B/op 38 allocs/op
BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 194352 6928 ns/op 4021 B/op 58 allocs/op
BenchmarkHS256Signing-8 1000000 1127 ns/op 1488 B/op 29 allocs/op
BenchmarkHS384Signing-8 972552 1369 ns/op 1873 B/op 29 allocs/op
BenchmarkHS512Signing-8 780751 1368 ns/op 1969 B/op 29 allocs/op
BenchmarkRS256Signing-8 3014 387326 ns/op 32475 B/op 133 allocs/op
BenchmarkRS384Signing-8 3044 361411 ns/op 32591 B/op 133 allocs/op
BenchmarkRS512Signing-8 3273 355504 ns/op 32607 B/op 133 allocs/op
```
Benchmarks of signing methods ES384 and ES512 are omitted because their
allocations are not consistent.
2021-07-13 08:31:42 +02:00
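The two allocation changes described in the commit above (fixed-width r||s via big.Int.FillBytes, and unpadded base64url segments via base64.RawURLEncoding) are shown together below in an added, self-contained example. It is not the project's code: the function names, the legacy variants kept for comparison, and the constructed header/payload are this example's own. It also makes the side effect of the encoding switch explicit: a signature segment that carries '=' padding is now rejected rather than silently accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// es256KeyBytes is the byte width of one P-256 coordinate; r and s are each
// left-padded to this width in a JWS ES256 signature (RFC 7518 section 3.4).
const es256KeyBytes = 32

// encodeSegment/decodeSegment use RawURLEncoding: JWS segments carry no '='
// padding, so nothing is appended before decoding or stripped after encoding.
func encodeSegment(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodeSegment(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// legacyEncodeSegment/legacyDecodeSegment are the pad-then-strip forms the commit
// replaces (kept here only for comparison): same result, one extra string each way.
func legacyEncodeSegment(b []byte) string {
	return strings.TrimRight(base64.URLEncoding.EncodeToString(b), "=")
}

func legacyDecodeSegment(s string) ([]byte, error) {
	if l := len(s) % 4; l > 0 {
		s += strings.Repeat("=", 4-l)
	}
	return base64.URLEncoding.DecodeString(s)
}

// encodeRS writes r||s into one fixed-width buffer with big.Int.FillBytes (Go 1.15+),
// avoiding the intermediate slices r.Bytes()/s.Bytes() allocate. FillBytes panics if
// a value does not fit, which cannot happen for r, s < n on P-256.
func encodeRS(r, s *big.Int, keyBytes int) []byte {
	out := make([]byte, 2*keyBytes)
	r.FillBytes(out[:keyBytes])
	s.FillBytes(out[keyBytes:])
	return out
}

// legacyEncodeRS is the allocation-heavier form: two Bytes() slices plus two padded copies.
func legacyEncodeRS(r, s *big.Int, keyBytes int) []byte {
	rBytes, sBytes := r.Bytes(), s.Bytes()
	rPadded := make([]byte, keyBytes)
	copy(rPadded[keyBytes-len(rBytes):], rBytes)
	sPadded := make([]byte, keyBytes)
	copy(sPadded[keyBytes-len(sBytes):], sBytes)
	return append(rPadded, sPadded...)
}

// splitRS recovers r and s from a fixed-width r||s signature.
func splitRS(sig []byte, keyBytes int) (r, s *big.Int) {
	return new(big.Int).SetBytes(sig[:keyBytes]), new(big.Int).SetBytes(sig[keyBytes:])
}

func newES256Key() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signES256 returns the unpadded base64url signature segment over signingString
// ("<header>.<payload>").
func signES256(key *ecdsa.PrivateKey, signingString string) (string, error) {
	if key.Curve != elliptic.P256() {
		return "", errors.New("signES256: key is not on P-256")
	}
	h := sha256.Sum256([]byte(signingString))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return "", err
	}
	return encodeSegment(encodeRS(r, s, es256KeyBytes)), nil
}

// verifyES256 decodes the segment, insists on exactly 2*keyBytes, and verifies r, s.
func verifyES256(pub *ecdsa.PublicKey, signingString, sigSegment string) bool {
	sig, err := decodeSegment(sigSegment)
	if err != nil || len(sig) != 2*es256KeyBytes {
		return false
	}
	r, s := splitRS(sig, es256KeyBytes)
	h := sha256.Sum256([]byte(signingString))
	return ecdsa.Verify(pub, h[:], r, s)
}

func main() {
	key, err := newES256Key()
	if err != nil {
		panic(err)
	}
	// Constructed header and payload for the demo; not taken from a real token.
	signingString := encodeSegment([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." +
		encodeSegment([]byte(`{"sub":"1234567890"}`))
	sig, err := signES256(key, signingString)
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", signingString+"."+sig)
	fmt.Println("verifies:", verifyES256(&key.PublicKey, signingString, sig))
	fmt.Println("padded segment accepted:", verifyES256(&key.PublicKey, signingString, sig+"="))
}
```

The length check in verifyES256 matters independently of the allocation work: r||s for ES256 is always 64 bytes, and anything else should fail before the big.Int conversion rather than being interpreted as a short r or s.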
Amnon
3008b2bdea
remove support for Go <= 1.14 (#28)
...
* remove support for Go <= 1.14
* Add a note to README.md about supported Go versions.
* remove travis build as requested by @oxisto
* fix my spelling mistakes pointed out by @oxisto
* fix another spelling
* remove reference to specific Go versions
2021-06-22 12:49:56 -04:00
Christian Banse
5130b59fa7
Update VERSION_HISTORY.md and MIGRATION_GUIDE.md (#27)
...
* Update VERSION_HISTORY.md
* Updated README and migration
* Added replacement command
2021-06-08 14:18:15 +02:00
Christian Banse
8a7d546bae
Removing `go.mod` for v3 releases (#26)
...
* Removing `go.mod` for the v3-release branch
As discussed in full length here (#17), we have run into issues that force us to abandon go modules, at least for the `v3.x.x` releases. After this is merged in, we can release a `v3.2.1+incompatible` version, which contains a security fix.
Afterwards, we will work on non-breaking quality of life fixes and then eventually run a `v4` version, which most likely will then support go modules and have a new SIV-style import path.
* Cloning into $GOPATH for GitHub actions
2021-06-04 16:47:42 +02:00
Alistair Hey
26c069a8d7
Add copyright notice to LICENSE (#19)
...
Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
2021-05-29 16:18:34 +02:00
Alistair Hey
08e48a8c90
Update README.md (#22)
...
* Update README.md
* Adjusted godoc and RFC links
Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-05-29 12:59:05 +02:00
Alistair Hey
c018921cb3
Rename default branch references to main (#24)
...
Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
2021-05-29 11:05:28 +01:00
Alistair Hey
0f726ea0e7
Fix issue with MapClaims VerifyAudience []string (#12)
...
* Fix issue with MapClaims VerifyAudience []string
There was an issue in MapClaims's VerifyAudience where a []string (which
is valid in the spec) would return true (claim is found, or nil) when required
was not set.
It now checks interface types correctly and has tests written
Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
* Keep aud validation constant time compare
Keep aud validation using constant time compare by not instantly
returning on a true comparison, keep comparing all options and store
result in a variable
Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
Co-authored-by: Banse, Christian <christian.banse@aisec.fraunhofer.de>
2021-05-28 22:45:11 -03:00
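An added example of the behaviour the commit above describes: an audience check that accepts `aud` as a string, a `[]string` set in code, or a `[]interface{}` produced by `json.Unmarshal`, and that compares against every candidate rather than returning on the first match. The type and method names mirror the ones named in the commit message for readability, but this is illustration code written for this page, not the library's implementation; the sample claim sets are constructed.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// MapClaims is the map form of a claim set, as json.Unmarshal produces it.
type MapClaims map[string]interface{}

// verifyAud reports whether cmp is one of the audiences in aud. Every entry is
// compared and the result is accumulated, so the time taken does not depend on
// where (or whether) the match sits in the list. An empty aud means the claim is
// absent, which is acceptable only when it is not required.
func verifyAud(aud []string, cmp string, required bool) bool {
	if len(aud) == 0 {
		return !required
	}
	matched := 0
	for _, a := range aud {
		// ConstantTimeCompare returns 1 on equality, 0 otherwise (including length mismatch).
		matched |= subtle.ConstantTimeCompare([]byte(a), []byte(cmp))
	}
	return matched == 1
}

// VerifyAudience accepts the shapes RFC 7519 section 4.1.3 allows for "aud":
// a single string, a []string (set programmatically), or a []interface{} (from JSON).
// Any other type, or a non-string array element, is malformed and fails closed.
func (m MapClaims) VerifyAudience(cmp string, required bool) bool {
	var aud []string
	switch v := m["aud"].(type) {
	case nil:
		// claim absent; verifyAud decides based on required
	case string:
		aud = []string{v}
	case []string:
		aud = v
	case []interface{}:
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false
			}
			aud = append(aud, s)
		}
	default:
		return false
	}
	return verifyAud(aud, cmp, required)
}

// parseClaims decodes a raw JSON claim set; JSON arrays arrive as []interface{}.
func parseClaims(raw string) (MapClaims, error) {
	var c MapClaims
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return nil, err
	}
	return c, nil
}

func main() {
	// Constructed sample: aud as a JSON array.
	c, err := parseClaims(`{"sub":"alice","aud":["api","web"]}`)
	if err != nil {
		panic(err)
	}
	fmt.Println("web in JSON aud:", c.VerifyAudience("web", true))
	fmt.Println("admin in JSON aud:", c.VerifyAudience("admin", true))

	// aud set in code as []string: the case the commit fixes.
	prog := MapClaims{"aud": []string{"api"}}
	fmt.Println("web in []string aud (not required):", prog.VerifyAudience("web", false))

	// Absent claim: accepted only when not required.
	fmt.Println("absent aud, not required:", MapClaims{}.VerifyAudience("web", false))
	fmt.Println("absent aud, required:", MapClaims{}.VerifyAudience("web", true))
}
```

The `[]string` case is the one worth re-reading: when `aud` is present but no entry matches, the result is false regardless of `required`, because `required` only governs the absent-claim case.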
Sadman Sakib
6a07921e68
Enable go module support for the project (#3)
...
* initial go module file
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* fix linting issues
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* rename module to golang-jwt/jwt
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* Renamed imports to match with go module name.
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* update travis for latest go versions
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* Set go version to 1.14
lowered the go version to make it consistent with matrix build
* revert accidental changes while renaming
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* remove travis CI
no longer needed since github actions workflow was created for the
project
Signed-off-by: sadmansakib <ssadman8@gmail.com>
* Revert "remove travis CI"
This reverts commit b3ae57f710.
* update travis for older go versions
2021-05-28 21:26:41 -04:00
Christian Banse
fb1de35795
Providing (almost) full test matrix in GitHub actions (#14)
...
* Providing full test matrix
* Only testing Go version with module support on GitHub actions
* Only testing legacy versions on travis. Will be deprecated in time
2021-05-28 15:35:34 +02:00
Kévin Dunglas
42625203e8
chore: code cleanup (#10)
2021-05-27 19:26:21 -04:00
Christian Banse
9e96e96514
Added support for GitHub actions (#4)
2021-05-27 09:50:10 -03:00
Dave Grijalva
dc14462fd5
Merge pull request #302 from BattleBas/update_rfc
...
Update RFC link
2020-01-06 17:32:13 -08:00
Dave Grijalva
c2916b1122
Merge pull request #305 from skipor/fix_rsa_pss_salt_length
...
Use RSA PSS salt length equals hash - fix validation issue.
2020-01-06 17:31:46 -08:00
Dave Grijalva
aab9974e8c
Merge pull request #339 from swchoi727/fix-error-msg
...
Changed error msg to not be misleading for public key decoding errors
2020-01-06 17:30:03 -08:00
Dave Grijalva
43aa750e43
Merge pull request #344 from kamedono/parser-ecdsa-pkcs8
...
Add ECDSA pkcs8 parser
2020-01-06 17:29:25 -08:00
Dave Grijalva
b08b43b479
Merge pull request #362 from aboodman/patch-1
...
Clarify expected format for key files.
2020-01-06 17:26:35 -08:00
Aaron Boodman
195174e229
Clarify expected format for key files.
2019-10-28 21:57:07 -10:00
toshikihigaki
e02edc50e4
add parser
2019-07-26 16:30:49 +09:00
Seung-Woo Choi
29384ebfa4
changed error msg to not be misleading for public key decoding errors
2019-06-24 16:25:47 -07:00
Dave Grijalva
5e25c22bd5
added installation instructions to command readme
2019-06-20 11:01:02 -07:00
Dave Grijalva
7cd734deee
added troubleshooting section
2019-05-30 10:48:54 -07:00
Dave Grijalva
8a74229d83
Merge pull request #311 from fredbi/add-cli-support-for-rsapss
...
Added support for RSA-PSS in jwt CLI
2019-05-28 14:08:42 -07:00
Dave Grijalva
2f61636070
Merge pull request #328 from cbeach/master
...
Fixing a broken link
2019-05-28 12:18:04 -07:00
Casey Beach
5bff06a4f9
Fixing a broken link
...
I realized that I can actually fix this myself.
After the 75th time navigating through the "broken" link I'm going to
do just that.
2019-05-16 12:09:44 -07:00
Frederic BIDON
382e92cd09
Added support for RSA-PSS in jwt CLI
...
* input key is RSA for RS* _and_ PS* algs
Signed-off-by: Frederic BIDON <fredbi@yahoo.com>
2019-01-03 16:53:25 +01:00
Vladimir Skipor
f47e6a7bc1
Use salt length equals hash, but verify auto salt length too in RSA PSS sign methods.
...
Fixes #285.
2018-11-11 22:39:07 +03:00
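An added example for the salt-length point in the commit above, using Go's standard library directly; it is not the project's code and the function and struct names are this example's own. It signs the same message twice, once with a salt equal to the hash length (what RFC 7518 section 3.5 specifies for PS256) and once with Go's "largest possible salt" option, then shows which verifier policy accepts which signature. That is the interoperability trade-off the commit makes: sign to spec, but verify with automatic salt detection so signatures from producers that used a different salt length still validate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newRSAKey generates a 2048-bit key for the demo.
func newRSAKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// signPS256 produces an RSASSA-PSS/SHA-256 signature with the given salt length.
// rsa.PSSSaltLengthEqualsHash yields a 32-byte salt; rsa.PSSSaltLengthAuto, when
// signing, yields the largest salt that fits (emLen - hLen - 2 bytes).
func signPS256(key *rsa.PrivateKey, msg []byte, saltLen int) ([]byte, error) {
	h := sha256.Sum256(msg)
	opts := &rsa.PSSOptions{SaltLength: saltLen, Hash: crypto.SHA256}
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:], opts)
}

// verifyPS256 checks a signature under a salt-length policy. With
// rsa.PSSSaltLengthAuto the verifier recovers the salt length from the
// signature itself, so both spec-conformant and max-salt signatures pass.
func verifyPS256(pub *rsa.PublicKey, msg, sig []byte, saltLen int) bool {
	h := sha256.Sum256(msg)
	opts := &rsa.PSSOptions{SaltLength: saltLen, Hash: crypto.SHA256}
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, opts) == nil
}

// saltCheck records which verifier policy accepts which signer output.
type saltCheck struct {
	HashSaltVerifiesStrict bool // signed EqualsHash, verified EqualsHash
	HashSaltVerifiesAuto   bool // signed EqualsHash, verified Auto
	MaxSaltVerifiesStrict  bool // signed Auto (max salt), verified EqualsHash
	MaxSaltVerifiesAuto    bool // signed Auto (max salt), verified Auto
}

// runSaltCheck signs msg both ways and verifies each signature under both policies.
func runSaltCheck(key *rsa.PrivateKey, msg []byte) (saltCheck, error) {
	var c saltCheck
	hashSig, err := signPS256(key, msg, rsa.PSSSaltLengthEqualsHash)
	if err != nil {
		return c, err
	}
	maxSig, err := signPS256(key, msg, rsa.PSSSaltLengthAuto)
	if err != nil {
		return c, err
	}
	pub := &key.PublicKey
	c.HashSaltVerifiesStrict = verifyPS256(pub, msg, hashSig, rsa.PSSSaltLengthEqualsHash)
	c.HashSaltVerifiesAuto = verifyPS256(pub, msg, hashSig, rsa.PSSSaltLengthAuto)
	c.MaxSaltVerifiesStrict = verifyPS256(pub, msg, maxSig, rsa.PSSSaltLengthEqualsHash)
	c.MaxSaltVerifiesAuto = verifyPS256(pub, msg, maxSig, rsa.PSSSaltLengthAuto)
	return c, nil
}

func main() {
	key, err := newRSAKey()
	if err != nil {
		panic(err)
	}
	// Constructed signing input; a real JWS would use "<header>.<payload>".
	c, err := runSaltCheck(key, []byte("eyJhbGciOiJQUzI1NiJ9.eyJzdWIiOiJ4In0"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", c)
}
```

Expected pattern: the hash-length signature verifies under both policies, the max-salt signature only under Auto. A verifier pinned to EqualsHash would therefore reject tokens from producers that pad the salt to the maximum, which is the validation issue the commit addresses.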
Sebastian
494b63caeb
Update RFC link
...
Old link led to a page that was just a link to this new page.
2018-10-24 09:18:46 -05:00
Dave Grijalva
3af4c746e1
Merge pull request #292 from someone1/patch-1
...
Update README.md
2018-09-21 11:23:15 -06:00
Prateek Malhotra
febd124631
Update README.md
...
Update reference to gcp-jwt-go
2018-09-19 20:36:47 -04:00
Dave Grijalva
0b96aaa707
Merge pull request #280 from alias-dev/master
...
Fix dead link
2018-07-19 14:18:23 -07:00
Alex Andrews
a0d8783268
Fix dead link
2018-07-18 11:34:47 +01:00
Dave Grijalva
06ea103174
documentation around expected key types
2018-03-08 15:13:08 -08:00
Dave Grijalva
6a1c681b2a
Merge branch 'master' of github.com:dgrijalva/jwt-go
2018-03-08 15:04:15 -08:00
Dave Grijalva
6f4f904379
add options to ParseFromRequest
2018-03-08 15:04:09 -08:00
Dave Grijalva
1f05e5c95c
Merge pull request #181 from jsaguiar/master
...
Added password protect pem support
2018-03-08 14:50:15 -08:00
Dave Grijalva
3ad59cfd42
Moved old 3.0.0 notice to lower in the doc
2018-03-08 11:57:43 -08:00
Dave Grijalva
b5a423081b
notice about security issue before go 1.8.3
2018-03-08 11:55:13 -08:00
Dave Grijalva
27d85fe4a0
fixed a formatting error in a test
2018-03-08 11:28:04 -08:00
Dave Grijalva
b606e8202f
documenting changes for upcoming 3.2.0 release
2018-03-08 11:16:21 -08:00
Dave Grijalva
3265a9bebd
Merge pull request #152 from pusher/parse-unverified
...
Introduce (*Parser).ParseUnverified
2018-03-08 11:01:10 -08:00
Dave Grijalva
5cc2026634
Merge pull request #219 from geertjanvdk/feat/parse
...
Handle ValidationError returned by keyFunc in jwt.ParseWithClaims
2018-03-08 10:58:47 -08:00
Dave Grijalva
f75bbb3cc8
Merge pull request #205 from zamicol/icon_godoc
...
add godoc icon
2018-03-08 10:36:15 -08:00
Dave Grijalva
d6bbf373d8
Merge pull request #209 from zhyuri/patch-1
...
A better error msg
2018-03-08 10:34:53 -08:00
Dave Grijalva
40ec5516a0
Merge pull request #220 from polarina/readme-alt-include
...
readme: Bump version of alternative package include
2018-03-08 10:33:32 -08:00
Dave Grijalva
c3e930abb0
Notice about upcoming 4.0.0 release
2018-03-08 10:18:44 -08:00
Dave Grijalva
dbeaa9332f
3.1.0 changelog
2017-10-19 14:57:19 -07:00
Gabríel Arthúr Pétursson
08b573c692
readme: Bump version of alternative package include
2017-07-03 19:13:07 +00:00