jwt/rsa.go

package jwt

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
)

type SigningMethodRSA struct {
	Name string
	Hash crypto.Hash
}

var (
	SigningMethodRS256 *SigningMethodRSA
	SigningMethodRS384 *SigningMethodRSA
	SigningMethodRS512 *SigningMethodRSA
)

func init() {
	// RS256
	SigningMethodRS256 = &SigningMethodRSA{"RS256", crypto.SHA256}
	RegisterSigningMethod(SigningMethodRS256.Alg(), func() SigningMethod {
		return SigningMethodRS256
	})

	// RS384
	SigningMethodRS384 = &SigningMethodRSA{"RS384", crypto.SHA384}
	RegisterSigningMethod(SigningMethodRS384.Alg(), func() SigningMethod {
		return SigningMethodRS384
	})

	// RS512
	SigningMethodRS512 = &SigningMethodRSA{"RS512", crypto.SHA512}
	RegisterSigningMethod(SigningMethodRS512.Alg(), func() SigningMethod {
		return SigningMethodRS512
	})
}

func (m *SigningMethodRSA) Alg() string {
	return m.Name
}

func (m *SigningMethodRSA) Verify(signingString, signature string, key []byte) error {
	var err error

	// Decode the signature
	var sig []byte
	if sig, err = DecodeSegment(signature); err != nil {
		return err
	}

	// Parse public key
	var rsaKey *rsa.PublicKey
	if rsaKey, err = m.parsePublicKey(key); err != nil {
		return err
	}

	// Create hasher
	hasher := m.Hash.New()
	hasher.Write([]byte(signingString))

	// Verify the signature
	return rsa.VerifyPKCS1v15(rsaKey, m.Hash, hasher.Sum(nil), sig)
}

// Implements the Sign method from SigningMethod
// For this signing method, must be PEM encoded PKCS1 or PKCS8 RSA private key
func (m *SigningMethodRSA) Sign(signingString string, key []byte) (string, error) {
	var err error

	// Parse private key
	var rsaKey *rsa.PrivateKey
	if rsaKey, err = m.parsePrivateKey(key); err != nil {
		return "", err
	}

	// Create the hasher
	hasher := m.Hash.New()
	hasher.Write([]byte(signingString))

	// Sign the string and return the encoded bytes
	if sigBytes, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil)); err == nil {
		return EncodeSegment(sigBytes), nil
	} else {
		return "", err
	}

}

// Parse PEM encoded PKCS1 or PKCS8 public key
func (m *SigningMethodRSA) parsePublicKey(key []byte) (*rsa.PublicKey, error) {
	var err error

	// Parse PEM block
	var block *pem.Block
	if block, _ = pem.Decode(key); block == nil {
		return nil, errors.New("Invalid Key: Key must be PEM encoded PKCS1 or PKCS8 private key")
	}

	// Parse the key
	var parsedKey interface{}
	if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
			parsedKey = cert.PublicKey
		} else {
			return nil, err
		}
	}

	var pkey *rsa.PublicKey
	var ok bool
	if pkey, ok = parsedKey.(*rsa.PublicKey); !ok {
		return nil, errors.New("Key is not a valid RSA public key")
	}

	return pkey, nil
}

// Parse PEM encoded PKCS1 or PKCS8 private key
func (m *SigningMethodRSA) parsePrivateKey(key []byte) (*rsa.PrivateKey, error) {
	var err error

	// Parse PEM block
	var block *pem.Block
	if block, _ = pem.Decode(key); block == nil {
		return nil, errors.New("Invalid Key: Key must be PEM encoded PKCS1 or PKCS8 private key")
	}

	var parsedKey interface{}
	if parsedKey, err = x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {
		if parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
			return nil, err
		}
	}

	var pkey *rsa.PrivateKey
	var ok bool
	if pkey, ok = parsedKey.(*rsa.PrivateKey); !ok {
		return nil, errors.New("Key is not a valid RSA private key")
	}

	return pkey, nil
}
starting to work on it 2012-04-18 03:49:21 +04:00			`package jwt`

almost working 2012-04-18 05:41:12 +04:00			`import (`
			`"crypto"`
gofmt 2012-07-07 04:02:20 +04:00			`"crypto/rand"`
almost working 2012-04-18 05:41:12 +04:00			`"crypto/rsa"`
gofmt 2012-04-18 23:59:37 +04:00			`"crypto/x509"`
			`"encoding/pem"`
			`"errors"`
almost working 2012-04-18 05:41:12 +04:00			`)`

Added support for RS384 and RS512 signing methods Renamed type SigningMethodRS256 to SigningMethodRSA Added contstants SigningMethodRS256, SigningMethodRS384, and SigningMethodRS512 to support each of these methods Added simple tests to support these new methods 2014-07-06 02:34:31 +04:00			`type SigningMethodRSA struct {`
			`Name string`
			`Hash crypto.Hash`
			`}`

			`var (`
			`SigningMethodRS256 *SigningMethodRSA`
			`SigningMethodRS384 *SigningMethodRSA`
			`SigningMethodRS512 *SigningMethodRSA`
			`)`
starting to work on it 2012-04-18 03:49:21 +04:00
			`func init() {`
Added support for RS384 and RS512 signing methods Renamed type SigningMethodRS256 to SigningMethodRSA Added contstants SigningMethodRS256, SigningMethodRS384, and SigningMethodRS512 to support each of these methods Added simple tests to support these new methods 2014-07-06 02:34:31 +04:00			`// RS256`
			`SigningMethodRS256 = &SigningMethodRSA{"RS256", crypto.SHA256}`
			`RegisterSigningMethod(SigningMethodRS256.Alg(), func() SigningMethod {`
			`return SigningMethodRS256`
			`})`

			`// RS384`
			`SigningMethodRS384 = &SigningMethodRSA{"RS384", crypto.SHA384}`
			`RegisterSigningMethod(SigningMethodRS384.Alg(), func() SigningMethod {`
			`return SigningMethodRS384`
			`})`

			`// RS512`
			`SigningMethodRS512 = &SigningMethodRSA{"RS512", crypto.SHA512}`
			`RegisterSigningMethod(SigningMethodRS512.Alg(), func() SigningMethod {`
			`return SigningMethodRS512`
starting to work on it 2012-04-18 03:49:21 +04:00			`})`
			`}`
framework 2012-04-18 03:58:52 +04:00
Added support for RS384 and RS512 signing methods Renamed type SigningMethodRS256 to SigningMethodRSA Added contstants SigningMethodRS256, SigningMethodRS384, and SigningMethodRS512 to support each of these methods Added simple tests to support these new methods 2014-07-06 02:34:31 +04:00			`func (m *SigningMethodRSA) Alg() string {`
			`return m.Name`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00			`}`

Added support for RS384 and RS512 signing methods Renamed type SigningMethodRS256 to SigningMethodRSA Added contstants SigningMethodRS256, SigningMethodRS384, and SigningMethodRS512 to support each of these methods Added simple tests to support these new methods 2014-07-06 02:34:31 +04:00			`func (m *SigningMethodRSA) Verify(signingString, signature string, key []byte) error {`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`var err error`

			`// Decode the signature`
almost working 2012-04-18 05:41:12 +04:00			`var sig []byte`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`if sig, err = DecodeSegment(signature); err != nil {`
			`return err`
almost working 2012-04-18 05:41:12 +04:00			`}`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00
			`// Parse public key`
			`var rsaKey *rsa.PublicKey`
			`if rsaKey, err = m.parsePublicKey(key); err != nil {`
			`return err`
			`}`

			`// Create hasher`
Added support for RS384 and RS512 signing methods Renamed type SigningMethodRS256 to SigningMethodRSA Added contstants SigningMethodRS256, SigningMethodRS384, and SigningMethodRS512 to support each of these methods Added simple tests to support these new methods 2014-07-06 02:34:31 +04:00			`hasher := m.Hash.New()`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`hasher.Write([]byte(signingString))`

			`// Verify the signature`
Added support for RS384 and RS512 signing methods Renamed type SigningMethodRS256 to SigningMethodRSA Added contstants SigningMethodRS256, SigningMethodRS384, and SigningMethodRS512 to support each of these methods Added simple tests to support these new methods 2014-07-06 02:34:31 +04:00			`return rsa.VerifyPKCS1v15(rsaKey, m.Hash, hasher.Sum(nil), sig)`
framework 2012-04-18 03:58:52 +04:00			`}`

documentation about key requirements 2014-06-28 22:31:26 +04:00			`// Implements the Sign method from SigningMethod`
			`// For this signing method, must be PEM encoded PKCS1 or PKCS8 RSA private key`
Added support for RS384 and RS512 signing methods Renamed type SigningMethodRS256 to SigningMethodRSA Added contstants SigningMethodRS256, SigningMethodRS384, and SigningMethodRS512 to support each of these methods Added simple tests to support these new methods 2014-07-06 02:34:31 +04:00			`func (m *SigningMethodRSA) Sign(signingString string, key []byte) (string, error) {`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`var err error`

Added support for RS384 and RS512 signing methods Renamed type SigningMethodRS256 to SigningMethodRSA Added contstants SigningMethodRS256, SigningMethodRS384, and SigningMethodRS512 to support each of these methods Added simple tests to support these new methods 2014-07-06 02:34:31 +04:00			`// Parse private key`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00			`var rsaKey *rsa.PrivateKey`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`if rsaKey, err = m.parsePrivateKey(key); err != nil {`
			`return "", err`
			`}`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`// Create the hasher`
Added support for RS384 and RS512 signing methods Renamed type SigningMethodRS256 to SigningMethodRSA Added contstants SigningMethodRS256, SigningMethodRS384, and SigningMethodRS512 to support each of these methods Added simple tests to support these new methods 2014-07-06 02:34:31 +04:00			`hasher := m.Hash.New()`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`hasher.Write([]byte(signingString))`

			`// Sign the string and return the encoded bytes`
Added support for RS384 and RS512 signing methods Renamed type SigningMethodRS256 to SigningMethodRSA Added contstants SigningMethodRS256, SigningMethodRS384, and SigningMethodRS512 to support each of these methods Added simple tests to support these new methods 2014-07-06 02:34:31 +04:00			`if sigBytes, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil)); err == nil {`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`return EncodeSegment(sigBytes), nil`
			`} else {`
			`return "", err`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00			`}`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00
gofmt 2012-04-18 23:59:37 +04:00			`}`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`// Parse PEM encoded PKCS1 or PKCS8 public key`
Added support for RS384 and RS512 signing methods Renamed type SigningMethodRS256 to SigningMethodRSA Added contstants SigningMethodRS256, SigningMethodRS384, and SigningMethodRS512 to support each of these methods Added simple tests to support these new methods 2014-07-06 02:34:31 +04:00			`func (m SigningMethodRSA) parsePublicKey(key []byte) (rsa.PublicKey, error) {`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`var err error`

			`// Parse PEM block`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00			`var block *pem.Block`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`if block, _ = pem.Decode(key); block == nil {`
			`return nil, errors.New("Invalid Key: Key must be PEM encoded PKCS1 or PKCS8 private key")`
			`}`

			`// Parse the key`
			`var parsedKey interface{}`
			`if parsedKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {`
			`if cert, err := x509.ParseCertificate(block.Bytes); err == nil {`
			`parsedKey = cert.PublicKey`
unit tests for parsePublicKey 2014-07-06 02:58:07 +04:00			`} else {`
			`return nil, err`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00			`}`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`}`

			`var pkey *rsa.PublicKey`
			`var ok bool`
			`if pkey, ok = parsedKey.(*rsa.PublicKey); !ok {`
			`return nil, errors.New("Key is not a valid RSA public key")`
			`}`

			`return pkey, nil`
			`}`

			`// Parse PEM encoded PKCS1 or PKCS8 private key`
Added support for RS384 and RS512 signing methods Renamed type SigningMethodRS256 to SigningMethodRSA Added contstants SigningMethodRS256, SigningMethodRS384, and SigningMethodRS512 to support each of these methods Added simple tests to support these new methods 2014-07-06 02:34:31 +04:00			`func (m SigningMethodRSA) parsePrivateKey(key []byte) (rsa.PrivateKey, error) {`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00			`var err error`

			`// Parse PEM block`
			`var block *pem.Block`
			`if block, _ = pem.Decode(key); block == nil {`
			`return nil, errors.New("Invalid Key: Key must be PEM encoded PKCS1 or PKCS8 private key")`
			`}`

			`var parsedKey interface{}`
			`if parsedKey, err = x509.ParsePKCS1PrivateKey(block.Bytes); err != nil {`
			`if parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {`
			`return nil, err`
added signing support to RS256 and HS256 2012-07-07 02:43:17 +04:00			`}`
			`}`
cleaned up RS256 implementation. no functional changes 2014-07-06 02:50:46 +04:00
			`var pkey *rsa.PrivateKey`
			`var ok bool`
			`if pkey, ok = parsedKey.(*rsa.PrivateKey); !ok {`
			`return nil, errors.New("Key is not a valid RSA private key")`
			`}`

			`return pkey, nil`
gofmt 2012-07-07 04:02:20 +04:00			`}`