Commit Graph

368 Commits

Author SHA1 Message Date
tfonfara c435f38291
#129: Added VerifyIssuer method to RegisteredClaims (#130) 2021-11-24 14:27:41 +01:00
Alexander Yastrebov a725c1f60c
cmd: list supported algorithms (-alg flag) (#123) 2021-11-16 09:00:45 -05:00
Kevin de Berk 823c014036
Unwrap for ValidationError (#125) 2021-11-15 09:25:32 -05:00
Alexander Yastrebov 1275a5b909
Allow `none` algorithm in jwt command (#121) 2021-11-10 07:33:04 +01:00
ajermaky f4865cddea
Revert Encoding/Decoding changes for better compatibility (#117) 2021-11-06 07:21:20 -04:00
Alexander Yastrebov 9c3665f0fc
Fixes jwt command to support EdDSA algorithm (#118)
Fixes
```
$ echo '{"foo":"bar"}' | jwt -key test/ed25519-private.pem -alg EdDSA -sign -
Error: error signing token: key is of invalid type
```

Signed-off-by: Alexander Yastrebov <yastrebov.alex@gmail.com>
2021-11-03 09:14:30 -04:00
PiotrKozimor a2aa655627
Fix int64 overflow in newNumericDateFromSeconds (#112) 2021-10-26 21:14:01 -04:00
Sebastien Rosset c0ffb890f3
Improve code comments, including security consideration (#107)
* improve code comments, including security consideration

* Add link to URL with details about security vulnerabilities.

* Update token.go

Co-authored-by: Christian Banse <oxisto@aybaze.com>

* Update token.go

Co-authored-by: Christian Banse <oxisto@aybaze.com>

* update code comments

Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-10-15 09:48:31 -03:00
Christian Banse 65357b9e5b
Introducing functional-style options for the Parser type (#108) 2021-10-13 19:36:33 +02:00
Ichinose Shogo cac353cdc2
fix the comment of VerifyExpiresAt (#109) 2021-10-09 18:17:39 -03:00
Sebastien Rosset fd8cd69d8e
Adjusted `parser_test.go` to include RSA and ECDSA tokens (#106) 2021-09-24 21:32:29 +02:00
Hinagiku Soranoba 02bc1ac506
When exp indicates the present, make it invalid. (#86)
* When exp indicates the present, make it invalid.

* Update map_claims_test.go

Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-09-10 17:44:55 -04:00
Hyun d2c5d5ab01
Add EdDSA to "Signing methods and Key types" in README.md (#103) 2021-09-10 20:30:13 +02:00
Yoan Blanc 205b3dc4bb
fix link (#102) 2021-09-10 08:27:13 -04:00
Michael Fridman 93130d3c71
Create codeql-analysis.yml (#101) 2021-09-09 10:42:26 -04:00
yoogo 3f50a786ff
Harmonising capitalisation of "token" in error strings (#97) 2021-08-29 20:45:24 +02:00
Mark Karpelès 2bd8ee77fc
Accept `crypto.Signer` that contains a `ed25519.PublicKey` in ed25519 (#95)
* accept generic crypto.Signer in ed25519 in order to allow usage of other ed25519 providers than crypto/ed25519

* add check to ensure the key is indeed of type ed25519

* adding comment clarifying crypto.Hash(0)

* Update ed25519.go

Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-08-23 22:56:11 -03:00
Christian Banse 80625fb516
Backwards-compatible implementation of RFC7519's registered claim's structure (#15)
This PR aims at implementing compliance to RFC7519, as documented in #11 without breaking the public API. It creates a new struct `RegisteredClaims` and deprecates (but not removes) the `StandardClaims`. It introduces a new type `NumericDate`, which represents a JSON numeric date value as specified in the RFC. This allows us to handle float as well as int-based time fields in `aud`, `exp` and `nbf`. Additionally, it introduces the type `StringArray`, which is basically a wrapper around `[]string` to deal with the oddities of the JWT `aud` field.
2021-08-22 19:23:13 +02:00
Luis Gabriel Gomez c9ab96ba53
jwt: Fix Verify methods documentation (#83) 2021-08-22 10:18:33 +02:00
Alexander F. Rødseth eac9e9edf2
Format code with "go fmt" (#53) 2021-08-20 20:43:08 -03:00
Michael Fridman a06361ba65
ci: add support for go1.17 (#89) 2021-08-17 10:05:04 +02:00
Zach Wasserman bac80eaac8
Link to migration guide in README.md (#87) 2021-08-11 16:19:58 -03:00
Francois Lebel 85f0a979dd
Fix typo in note (#82) 2021-08-03 17:59:46 -03:00
Luis Gabriel Gomez 3258b3fca0
jwt: Add parser benchmarks (#70) 2021-08-03 17:57:36 -03:00
Christian Banse bd2db2d4a2
Changing pkg.go.dev URL to github.com/golang-jwt/jwt/v4 (#77)
* Changing pkg.go.dev URL to https://pkg.go.dev/github.com/golang-jwt/jwt/v4

Otherwise, people will end up at the v3 release and might miss on clicking the small "there is a v4 hint" on pkg.go.dev
2021-08-03 19:41:00 +02:00
Michael Fridman 2ebb50f957
Adds go module support /v4 (#41)
Additionally, added `staticcheck` for basic static code analysis (#44)

Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-08-03 15:51:01 +02:00
Christian Banse 4bbdd8ac62
Prepare release 3.2.2 (#42) 2021-07-30 16:54:04 -04:00
Sebastiaan van Stijn 8e9d9ebf6f
Fix security vulnerability (#40)
Fixes a security vulnerability where a jwt token could potentially be validated having invalid string characters.

(cherry picked from commit a211650c6ae1cff6d7347d3e24070d65dcfb1122)
https://github.com/form3tech-oss/jwt-go/pull/14

Co-Authored-By: Giorgos Lampadakis <82932062+giorgos-f3@users.noreply.github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-30 22:27:54 +02:00
Vasiliy Tolstov 324836737f
add ed25519 support (#36)
Signed-off-by: Vasiliy Tolstov <v.tolstov@unistack.org>
2021-07-29 23:57:09 +02:00
Josh Kline 860640e886
Allocation optimization (#33)
* Test to ensure ECDSA signature is valid

Add assertions to ensure ECDSA signing methods return valid signatures.

This is probably covered elsewhere as well, but putting it in
ecdsa_test.go makes it more obvious and easier to find.

* Benchmark ECDSA signing methods

Add benchmark coverage of ECDSA signing methods.

Benchmarks are run using the existing helper for comparability with
existing benchmarks.

Sign method is also tested directly, to avoid the overhead of *Token.

Report allocations for all benchmarks.

Allocation count for ES384 and ES512 fluctuate across test runs,
other signing methods consistently report the same number of allocations.

Sample output:
```
$ go test -bench=Bench -run=NONE .
2021/02/26 18:18:30 Listening...
goos: darwin
goarch: amd64
pkg: github.com/dgrijalva/jwt-go
BenchmarkECDSASigning/Basic_ES256-8                     190572      6702 ns/op    4249 B/op      65 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8            47383     24650 ns/op    3329 B/op      43 allocs/op
BenchmarkECDSASigning/Basic_ES384-8                       1113   1252975 ns/op 1750744 B/op   14474 allocs/op
BenchmarkECDSASigning/Basic_ES384/sign-only-8              286   3937773 ns/op 1746175 B/op   14423 allocs/op
BenchmarkECDSASigning/Basic_ES512-8                        662   1949937 ns/op 3028386 B/op   19608 allocs/op
BenchmarkECDSASigning/Basic_ES512/sign-only-8              170   6856189 ns/op 3025471 B/op   19571 allocs/op
BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 190638      6665 ns/op    4249 B/op      65 allocs/op
BenchmarkHS256Signing-8                                1000000      1024 ns/op    1584 B/op      32 allocs/op
BenchmarkHS384Signing-8                                 917286      1447 ns/op    1969 B/op      32 allocs/op
BenchmarkHS512Signing-8                                 827744      1470 ns/op    2065 B/op      32 allocs/op
BenchmarkRS256Signing-8                                   3037    390077 ns/op   32576 B/op     136 allocs/op
BenchmarkRS384Signing-8                                   2976    379155 ns/op   32684 B/op     136 allocs/op
BenchmarkRS512Signing-8                                   3205    388628 ns/op   32704 B/op     136 allocs/op
```

* Reduce allocations during ECDSA signing

Reduce the number of byte arrays allocated by using big.Int.FillBytes
when calculating ECDSA signature.

After this change, Benchmarks of ES256 signing method consistently
report 4 fewer allocations.

Before:
```
BenchmarkECDSASigning/Basic_ES256-8              190572         6702 ns/op       4249 B/op         65 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8     47383        24650 ns/op       3329 B/op         43 allocs/op
```

After:
```
BenchmarkECDSASigning/Basic_ES256-8              187682         6725 ns/op       4121 B/op         61 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8     48656        24446 ns/op       3201 B/op         39 allocs/op
```

* Use base64.RawURLEncoding to avoid padding

JWT uses a non-padded base64 encoding.

Current code uses base64.URLEncoding to generate a padded string and
then removes the padding.
Likewise, current code adds padding before decoding.

Instead, use base64.RawURLEncoding which does not add or require the
padding in the first place.

In addition to making the code cleaner, this reduces memory allocations
as reported by benchmarks.

Before:
```
BenchmarkECDSASigning/Basic_ES256-8                     191396         6917 ns/op       4121 B/op         61 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8            49347        25039 ns/op       3201 B/op         39 allocs/op
BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 190668         6586 ns/op       4121 B/op         61 allocs/op
BenchmarkHS256Signing-8                                1260060         1131 ns/op       1585 B/op         32 allocs/op
BenchmarkHS384Signing-8                                 861378         1387 ns/op       1969 B/op         32 allocs/op
BenchmarkHS512Signing-8                                 896745         1463 ns/op       2065 B/op         32 allocs/op
BenchmarkRS256Signing-8                                   3086       355769 ns/op      32576 B/op        136 allocs/op
BenchmarkRS384Signing-8                                   3414       353570 ns/op      32694 B/op        136 allocs/op
BenchmarkRS512Signing-8                                   3235       349394 ns/op      32706 B/op        136 allocs/op
```

After:
```
BenchmarkECDSASigning/Basic_ES256-8                     176617         6827 ns/op       4021 B/op         58 allocs/op
BenchmarkECDSASigning/Basic_ES256/sign-only-8            48038        24213 ns/op       3169 B/op         38 allocs/op
BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 194352         6928 ns/op       4021 B/op         58 allocs/op
BenchmarkHS256Signing-8                                1000000         1127 ns/op       1488 B/op         29 allocs/op
BenchmarkHS384Signing-8                                 972552         1369 ns/op       1873 B/op         29 allocs/op
BenchmarkHS512Signing-8                                 780751         1368 ns/op       1969 B/op         29 allocs/op
BenchmarkRS256Signing-8                                   3014       387326 ns/op      32475 B/op        133 allocs/op
BenchmarkRS384Signing-8                                   3044       361411 ns/op      32591 B/op        133 allocs/op
BenchmarkRS512Signing-8                                   3273       355504 ns/op      32607 B/op        133 allocs/op
```

Benchmarks of signing methods ES384 and ES512 are omitted because their
allocations are not consistent.
2021-07-13 08:31:42 +02:00
Amnon 3008b2bdea
remove support for Go <= 1.14 (#28)
* remove support for Go <= 1.14

* Add a note to README.md about supported Go versions.

* remove travis build as requested by @oxisto

* fix my spelling mistakes pointed out by @oxisto

* fix another spelling

* remove reference to specific Go versions
2021-06-22 12:49:56 -04:00
Christian Banse 5130b59fa7
Update VERSION_HISTORY.md and MIGRATION_GUIDE.md (#27)
* Update VERSION_HISTORY.md
* Updated README and migration
* Added replacement command
2021-06-08 14:18:15 +02:00
Christian Banse 8a7d546bae
Removing `go.mod` for v3 releases (#26)
* Removing `go.mod` for the v3-release branch

As discussed in full length here (#17), we have run into issues that forces us to abandon go modules, at least for the `v3.x.x` releases. After this is merged in, we can release a `v3.2.1+incompatible` version, which contains a security fix. 

Afterwards, we will work on non-breaking quality of life fixes and then eventually run a `v4` version, which most likely will then support go modules and have a new SIV-style import path.

* Cloning into $GOPATH for GitHub actions
2021-06-04 16:47:42 +02:00
Alistair Hey 26c069a8d7
Add copyright notice to LICENSE (#19)
Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
2021-05-29 16:18:34 +02:00
Alistair Hey 08e48a8c90
Update README.md (#22)
* Update README.md
* Adjusted godoc and RFC links

Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-05-29 12:59:05 +02:00
Alistair Hey c018921cb3
Rename default branch references to main (#24)
Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
2021-05-29 11:05:28 +01:00
Alistair Hey 0f726ea0e7
Fix issue with MapClaims VerifyAudience []string (#12)
* Fix issue with MapClaims VerifyAudience []string

There was an issue in MapClaims's VerifyAudiance where a []string (which
is valid in the spec) would return true (claim is found, or nil) when required
was not set.
It now checks interface types correctly and has tests written

Signed-off-by: Alistair Hey <alistair@heyal.co.uk>

* Keep aud validation constant time compare

Keep aud validation using constant time compare by not instantly
returning on a true comparison, keep comparing all options and store
result in a variable

Signed-off-by: Alistair Hey <alistair@heyal.co.uk>

Co-authored-by: Banse, Christian <christian.banse@aisec.fraunhofer.de>
2021-05-28 22:45:11 -03:00
Sadman Sakib 6a07921e68
Enable go module support for the project (#3)
* initial go module file

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* fix linting issues

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* rename module to golang-jwt/jwt

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* Renamed imports to match with go module name.

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* update travis for latest go versions

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* Set go version to 1.14

lowered the go version to make it consistent with matrix build

* revert accidental changes while renaming

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* remove travis CI

no longer needed since github actions workflow was created for the
project

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* Revert "remove travis CI"

This reverts commit b3ae57f710.

* update travis for older go versions
2021-05-28 21:26:41 -04:00
Christian Banse fb1de35795
Providing (almost) full test matrix in GitHub actions (#14)
* Providing full test matrix
* Only testing Go version with module support on GitHub actions
* Only testing legacy versions on travis. Will be deprecated in time
2021-05-28 15:35:34 +02:00
Kévin Dunglas 42625203e8
chore: code cleanup (#10) 2021-05-27 19:26:21 -04:00
Christian Banse 9e96e96514
Added support for GitHub actions (#4) 2021-05-27 09:50:10 -03:00
Dave Grijalva dc14462fd5
Merge pull request #302 from BattleBas/update_rfc
Update RFC link
2020-01-06 17:32:13 -08:00
Dave Grijalva c2916b1122
Merge pull request #305 from skipor/fix_rsa_pss_salt_length
Use RSA PSS salt length equals hash - fix validation issue.
2020-01-06 17:31:46 -08:00
Dave Grijalva aab9974e8c
Merge pull request #339 from swchoi727/fix-error-msg
Changed error msg to not be misleading for public key decoding errors
2020-01-06 17:30:03 -08:00
Dave Grijalva 43aa750e43
Merge pull request #344 from kamedono/parser-ecdsa-pkcs8
Add ECDSA pkcs8 parser
2020-01-06 17:29:25 -08:00
Dave Grijalva b08b43b479
Merge pull request #362 from aboodman/patch-1
Clarify expected format for key files.
2020-01-06 17:26:35 -08:00
Aaron Boodman 195174e229
Clarify expected format for key files. 2019-10-28 21:57:07 -10:00
toshikihigaki e02edc50e4 add parser 2019-07-26 16:30:49 +09:00
Seung-Woo Choi 29384ebfa4 changed error msg to not be misleading for public key decoding errors 2019-06-24 16:25:47 -07:00
Dave Grijalva 5e25c22bd5
added installation instructions to command readme 2019-06-20 11:01:02 -07:00