jwt/ecdsa.go

package jwt

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/rand"
	"errors"
	"math/big"
)

var (
	// Sadly this is missing from crypto/ecdsa compared to crypto/rsa
	ErrECDSAVerification = errors.New("crypto/ecdsa: verification error")
)

// Implements the ECDSA family of signing methods signing methods
// Expects *ecdsa.PrivateKey for signing and *ecdsa.PublicKey for verification
type SigningMethodECDSA struct {
	Name      string
	Hash      crypto.Hash
	KeySize   int
	CurveBits int
}

// Specific instances for EC256 and company
var (
	SigningMethodES256 *SigningMethodECDSA
	SigningMethodES384 *SigningMethodECDSA
	SigningMethodES512 *SigningMethodECDSA
)

func init() {
	// ES256
	SigningMethodES256 = &SigningMethodECDSA{"ES256", crypto.SHA256, 32, 256}
	RegisterSigningMethod(SigningMethodES256.Alg(), func() SigningMethod {
		return SigningMethodES256
	})

	// ES384
	SigningMethodES384 = &SigningMethodECDSA{"ES384", crypto.SHA384, 48, 384}
	RegisterSigningMethod(SigningMethodES384.Alg(), func() SigningMethod {
		return SigningMethodES384
	})

	// ES512
	SigningMethodES512 = &SigningMethodECDSA{"ES512", crypto.SHA512, 66, 521}
	RegisterSigningMethod(SigningMethodES512.Alg(), func() SigningMethod {
		return SigningMethodES512
	})
}

func (m *SigningMethodECDSA) Alg() string {
	return m.Name
}

// Implements the Verify method from SigningMethod
// For this verify method, key must be an ecdsa.PublicKey struct
func (m *SigningMethodECDSA) Verify(signingString, signature string, key interface{}) error {
	var err error

	// Decode the signature
	var sig []byte
	if sig, err = DecodeSegment(signature); err != nil {
		return err
	}

	// Get the key
	var ecdsaKey *ecdsa.PublicKey
	switch k := key.(type) {
	case *ecdsa.PublicKey:
		ecdsaKey = k
	default:
		return ErrInvalidKeyType
	}

	if len(sig) != 2*m.KeySize {
		return ErrECDSAVerification
	}

	r := big.NewInt(0).SetBytes(sig[:m.KeySize])
	s := big.NewInt(0).SetBytes(sig[m.KeySize:])

	// Create hasher
	if !m.Hash.Available() {
		return ErrHashUnavailable
	}
	hasher := m.Hash.New()
	hasher.Write([]byte(signingString))

	// Verify the signature
	if verifystatus := ecdsa.Verify(ecdsaKey, hasher.Sum(nil), r, s); verifystatus {
		return nil
	}

	return ErrECDSAVerification
}

// Implements the Sign method from SigningMethod
// For this signing method, key must be an ecdsa.PrivateKey struct
func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) (string, error) {
	// Get the key
	var ecdsaKey *ecdsa.PrivateKey
	switch k := key.(type) {
	case *ecdsa.PrivateKey:
		ecdsaKey = k
	default:
		return "", ErrInvalidKeyType
	}

	// Create the hasher
	if !m.Hash.Available() {
		return "", ErrHashUnavailable
	}

	hasher := m.Hash.New()
	hasher.Write([]byte(signingString))

	// Sign the string and return r, s
	if r, s, err := ecdsa.Sign(rand.Reader, ecdsaKey, hasher.Sum(nil)); err == nil {
		curveBits := ecdsaKey.Curve.Params().BitSize

		if m.CurveBits != curveBits {
			return "", ErrInvalidKey
		}

		keyBytes := curveBits / 8
		if curveBits%8 > 0 {
			keyBytes += 1
		}

		// We serialize the outputs (r and s) into big-endian byte arrays
		// padded with zeros on the left to make sure the sizes work out.
		// Output must be 2*keyBytes long.
		out := make([]byte, 2*keyBytes)
		r.FillBytes(out[0:keyBytes]) // r is assigned to the first half of output.
		s.FillBytes(out[keyBytes:])  // s is assigned to the second half of output.

		return EncodeSegment(out), nil
	} else {
		return "", err
	}
}
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`package jwt`

			`import (`
			`"crypto"`
			`"crypto/ecdsa"`
			`"crypto/rand"`
			`"errors"`
			`"math/big"`
			`)`

			`var (`
			`// Sadly this is missing from crypto/ecdsa compared to crypto/rsa`
			`ErrECDSAVerification = errors.New("crypto/ecdsa: verification error")`
			`)`

			`// Implements the ECDSA family of signing methods signing methods`
documentation around expected key types 2018-03-09 02:13:08 +03:00			`// Expects ecdsa.PrivateKey for signing and ecdsa.PublicKey for verification`
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`type SigningMethodECDSA struct {`
Fix ES signature serialization 2015-09-17 05:53:08 +03:00			`Name string`
			`Hash crypto.Hash`
			`KeySize int`
			`CurveBits int`
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`}`

			`// Specific instances for EC256 and company`
			`var (`
			`SigningMethodES256 *SigningMethodECDSA`
			`SigningMethodES384 *SigningMethodECDSA`
			`SigningMethodES512 *SigningMethodECDSA`
			`)`

			`func init() {`
			`// ES256`
Fix ES signature serialization 2015-09-17 05:53:08 +03:00			`SigningMethodES256 = &SigningMethodECDSA{"ES256", crypto.SHA256, 32, 256}`
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`RegisterSigningMethod(SigningMethodES256.Alg(), func() SigningMethod {`
			`return SigningMethodES256`
			`})`

			`// ES384`
Fix ES signature serialization 2015-09-17 05:53:08 +03:00			`SigningMethodES384 = &SigningMethodECDSA{"ES384", crypto.SHA384, 48, 384}`
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`RegisterSigningMethod(SigningMethodES384.Alg(), func() SigningMethod {`
			`return SigningMethodES384`
			`})`

			`// ES512`
Fix ES signature serialization 2015-09-17 05:53:08 +03:00			`SigningMethodES512 = &SigningMethodECDSA{"ES512", crypto.SHA512, 66, 521}`
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`RegisterSigningMethod(SigningMethodES512.Alg(), func() SigningMethod {`
			`return SigningMethodES512`
			`})`
			`}`

			`func (m *SigningMethodECDSA) Alg() string {`
			`return m.Name`
			`}`

			`// Implements the Verify method from SigningMethod`
			`// For this verify method, key must be an ecdsa.PublicKey struct`
			`func (m *SigningMethodECDSA) Verify(signingString, signature string, key interface{}) error {`
			`var err error`

			`// Decode the signature`
			`var sig []byte`
			`if sig, err = DecodeSegment(signature); err != nil {`
			`return err`
			`}`

			`// Get the key`
			`var ecdsaKey *ecdsa.PublicKey`
			`switch k := key.(type) {`
			`case *ecdsa.PublicKey:`
			`ecdsaKey = k`
			`default:`
Merge branch 'master' of https://github.com/martinlindhe/jwt-go into patch_109 2016-06-07 20:34:06 +03:00			`return ErrInvalidKeyType`
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`}`

Fix ES signature serialization 2015-09-17 05:53:08 +03:00			`if len(sig) != 2*m.KeySize {`
			`return ErrECDSAVerification`
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`}`

Fix ES signature serialization 2015-09-17 05:53:08 +03:00			`r := big.NewInt(0).SetBytes(sig[:m.KeySize])`
			`s := big.NewInt(0).SetBytes(sig[m.KeySize:])`

Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`// Create hasher`
			`if !m.Hash.Available() {`
			`return ErrHashUnavailable`
			`}`
			`hasher := m.Hash.New()`
			`hasher.Write([]byte(signingString))`

			`// Verify the signature`
chore: code cleanup (#10) 2021-05-28 02:26:21 +03:00			`if verifystatus := ecdsa.Verify(ecdsaKey, hasher.Sum(nil), r, s); verifystatus {`
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`return nil`
			`}`
chore: code cleanup (#10) 2021-05-28 02:26:21 +03:00
			`return ErrECDSAVerification`
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`}`

			`// Implements the Sign method from SigningMethod`
			`// For this signing method, key must be an ecdsa.PrivateKey struct`
			`func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) (string, error) {`
			`// Get the key`
			`var ecdsaKey *ecdsa.PrivateKey`
			`switch k := key.(type) {`
			`case *ecdsa.PrivateKey:`
			`ecdsaKey = k`
			`default:`
Merge branch 'master' of https://github.com/martinlindhe/jwt-go into patch_109 2016-06-07 20:34:06 +03:00			`return "", ErrInvalidKeyType`
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`}`

			`// Create the hasher`
			`if !m.Hash.Available() {`
			`return "", ErrHashUnavailable`
			`}`

			`hasher := m.Hash.New()`
			`hasher.Write([]byte(signingString))`

			`// Sign the string and return r, s`
			`if r, s, err := ecdsa.Sign(rand.Reader, ecdsaKey, hasher.Sum(nil)); err == nil {`
Fix ES signature serialization 2015-09-17 05:53:08 +03:00			`curveBits := ecdsaKey.Curve.Params().BitSize`

			`if m.CurveBits != curveBits {`
			`return "", ErrInvalidKey`
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`}`
Fix ES signature serialization 2015-09-17 05:53:08 +03:00
			`keyBytes := curveBits / 8`
			`if curveBits%8 > 0 {`
			`keyBytes += 1`
			`}`

Allocation optimization (#33) * Test to ensure ECDSA signature is valid Add assertions to ensure ECDSA signing methods return valid signatures. This is probably covered elsewhere as well, but putting it in ecdsa_test.go makes it more obvious and easier to find. * Benchmark ECDSA signing methods Add benchmark coverage of ECDSA signing methods. Benchmarks are run using the existing helper for comparability with existing benchmarks. Sign method is also tested directly, to avoid the overhead of Token. Report allocations for all benchmarks. Allocation count for ES384 and ES512 fluctuate across test runs, other signing methods consistently report the same number of allocations. Sample output: ``` $ go test -bench=Bench -run=NONE . 2021/02/26 18:18:30 Listening... goos: darwin goarch: amd64 pkg: github.com/dgrijalva/jwt-go BenchmarkECDSASigning/Basic_ES256-8 190572 6702 ns/op 4249 B/op 65 allocs/op BenchmarkECDSASigning/Basic_ES256/sign-only-8 47383 24650 ns/op 3329 B/op 43 allocs/op BenchmarkECDSASigning/Basic_ES384-8 1113 1252975 ns/op 1750744 B/op 14474 allocs/op BenchmarkECDSASigning/Basic_ES384/sign-only-8 286 3937773 ns/op 1746175 B/op 14423 allocs/op BenchmarkECDSASigning/Basic_ES512-8 662 1949937 ns/op 3028386 B/op 19608 allocs/op BenchmarkECDSASigning/Basic_ES512/sign-only-8 170 6856189 ns/op 3025471 B/op 19571 allocs/op BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 190638 6665 ns/op 4249 B/op 65 allocs/op BenchmarkHS256Signing-8 1000000 1024 ns/op 1584 B/op 32 allocs/op BenchmarkHS384Signing-8 917286 1447 ns/op 1969 B/op 32 allocs/op BenchmarkHS512Signing-8 827744 1470 ns/op 2065 B/op 32 allocs/op BenchmarkRS256Signing-8 3037 390077 ns/op 32576 B/op 136 allocs/op BenchmarkRS384Signing-8 2976 379155 ns/op 32684 B/op 136 allocs/op BenchmarkRS512Signing-8 3205 388628 ns/op 32704 B/op 136 allocs/op ``` Reduce allocations during ECDSA signing Reduce the number of byte arrays allocated by using big.Int.FillBytes when calculating ECDSA signature. After this change, Benchmarks of ES256 signing method consistently report 4 fewer allocations. Before: ``` BenchmarkECDSASigning/Basic_ES256-8 190572 6702 ns/op 4249 B/op 65 allocs/op BenchmarkECDSASigning/Basic_ES256/sign-only-8 47383 24650 ns/op 3329 B/op 43 allocs/op ``` After: ``` BenchmarkECDSASigning/Basic_ES256-8 187682 6725 ns/op 4121 B/op 61 allocs/op BenchmarkECDSASigning/Basic_ES256/sign-only-8 48656 24446 ns/op 3201 B/op 39 allocs/op ``` * Use base64.RawURLEncoding to avoid padding JWT uses a non-padded base64 encoding. Current code uses base64.URLEncoding to generate a padded string and then removes the padding. Likewise, current code adds padding before decoding. Instead, use base64.RawURLEncoding which does not add or require the padding in the first place. In addition to making the code cleaner, this reduces memory allocations as reported by benchmarks. Before: ``` BenchmarkECDSASigning/Basic_ES256-8 191396 6917 ns/op 4121 B/op 61 allocs/op BenchmarkECDSASigning/Basic_ES256/sign-only-8 49347 25039 ns/op 3201 B/op 39 allocs/op BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 190668 6586 ns/op 4121 B/op 61 allocs/op BenchmarkHS256Signing-8 1260060 1131 ns/op 1585 B/op 32 allocs/op BenchmarkHS384Signing-8 861378 1387 ns/op 1969 B/op 32 allocs/op BenchmarkHS512Signing-8 896745 1463 ns/op 2065 B/op 32 allocs/op BenchmarkRS256Signing-8 3086 355769 ns/op 32576 B/op 136 allocs/op BenchmarkRS384Signing-8 3414 353570 ns/op 32694 B/op 136 allocs/op BenchmarkRS512Signing-8 3235 349394 ns/op 32706 B/op 136 allocs/op ``` After: ``` BenchmarkECDSASigning/Basic_ES256-8 176617 6827 ns/op 4021 B/op 58 allocs/op BenchmarkECDSASigning/Basic_ES256/sign-only-8 48038 24213 ns/op 3169 B/op 38 allocs/op BenchmarkECDSASigning/basic_ES256_invalid:_foo_=>_bar-8 194352 6928 ns/op 4021 B/op 58 allocs/op BenchmarkHS256Signing-8 1000000 1127 ns/op 1488 B/op 29 allocs/op BenchmarkHS384Signing-8 972552 1369 ns/op 1873 B/op 29 allocs/op BenchmarkHS512Signing-8 780751 1368 ns/op 1969 B/op 29 allocs/op BenchmarkRS256Signing-8 3014 387326 ns/op 32475 B/op 133 allocs/op BenchmarkRS384Signing-8 3044 361411 ns/op 32591 B/op 133 allocs/op BenchmarkRS512Signing-8 3273 355504 ns/op 32607 B/op 133 allocs/op ``` Benchmarks of signing methods ES384 and ES512 are omitted because their allocations are not consistent. 2021-07-13 09:31:42 +03:00			`// We serialize the outputs (r and s) into big-endian byte arrays`
			`// padded with zeros on the left to make sure the sizes work out.`
			`// Output must be 2*keyBytes long.`
			`out := make([]byte, 2*keyBytes)`
			`r.FillBytes(out[0:keyBytes]) // r is assigned to the first half of output.`
			`s.FillBytes(out[keyBytes:]) // s is assigned to the second half of output.`
Fix ES signature serialization 2015-09-17 05:53:08 +03:00
			`return EncodeSegment(out), nil`
Add ECDSA signatures 2015-07-16 21:26:45 +03:00			`} else {`
			`return "", err`
			`}`
			`}`