Commit Graph

387 Commits

Author SHA1 Message Date
Christian Banse 5130b59fa7
Update VERSION_HISTORY.md and MIGRATION_GUIDE.md (#27)
* Update VERSION_HISTORY.md
* Updated README and migration
* Added replacement command
2021-06-08 14:18:15 +02:00
Christian Banse 8a7d546bae
Removing `go.mod` for v3 releases (#26)
* Removing `go.mod` for the v3-release branch

As discussed in full length here (#17), we have run into issues that forces us to abandon go modules, at least for the `v3.x.x` releases. After this is merged in, we can release a `v3.2.1+incompatible` version, which contains a security fix. 

Afterwards, we will work on non-breaking quality of life fixes and then eventually run a `v4` version, which most likely will then support go modules and have a new SIV-style import path.

* Cloning into $GOPATH for GitHub actions
2021-06-04 16:47:42 +02:00
Alistair Hey 26c069a8d7
Add copyright notice to LICENSE (#19)
Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
2021-05-29 16:18:34 +02:00
Alistair Hey 08e48a8c90
Update README.md (#22)
* Update README.md
* Adjusted godoc and RFC links

Co-authored-by: Christian Banse <oxisto@aybaze.com>
2021-05-29 12:59:05 +02:00
Alistair Hey c018921cb3
Rename default branch references to main (#24)
Signed-off-by: Alistair Hey <alistair@heyal.co.uk>
2021-05-29 11:05:28 +01:00
Alistair Hey 0f726ea0e7
Fix issue with MapClaims VerifyAudience []string (#12)
* Fix issue with MapClaims VerifyAudience []string

There was an issue in MapClaims's VerifyAudiance where a []string (which
is valid in the spec) would return true (claim is found, or nil) when required
was not set.
It now checks interface types correctly and has tests written

Signed-off-by: Alistair Hey <alistair@heyal.co.uk>

* Keep aud validation constant time compare

Keep aud validation using constant time compare by not instantly
returning on a true comparison, keep comparing all options and store
result in a variable

Signed-off-by: Alistair Hey <alistair@heyal.co.uk>

Co-authored-by: Banse, Christian <christian.banse@aisec.fraunhofer.de>
2021-05-28 22:45:11 -03:00
Sadman Sakib 6a07921e68
Enable go module support for the project (#3)
* initial go module file

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* fix linting issues

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* rename module to golang-jwt/jwt

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* Renamed imports to match with go module name.

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* update travis for latest go versions

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* Set go version to 1.14

lowered the go version to make it consistent with matrix build

* revert accidental changes while renaming

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* remove travis CI

no longer needed since github actions workflow was created for the
project

Signed-off-by: sadmansakib <ssadman8@gmail.com>

* Revert "remove travis CI"

This reverts commit b3ae57f710.

* update travis for older go versions
2021-05-28 21:26:41 -04:00
Christian Banse fb1de35795
Providing (almost) full test matrix in GitHub actions (#14)
* Providing full test matrix
* Only testing Go version with module support on GitHub actions
* Only testing legacy versions on travis. Will be deprecated in time
2021-05-28 15:35:34 +02:00
Kévin Dunglas 42625203e8
chore: code cleanup (#10) 2021-05-27 19:26:21 -04:00
Christian Banse 9e96e96514
Added support for GitHub actions (#4) 2021-05-27 09:50:10 -03:00
Dave Grijalva dc14462fd5
Merge pull request #302 from BattleBas/update_rfc
Update RFC link
2020-01-06 17:32:13 -08:00
Dave Grijalva c2916b1122
Merge pull request #305 from skipor/fix_rsa_pss_salt_length
Use RSA PSS salt length equals hash - fix validation issue.
2020-01-06 17:31:46 -08:00
Dave Grijalva aab9974e8c
Merge pull request #339 from swchoi727/fix-error-msg
Changed error msg to not be misleading for public key decoding errors
2020-01-06 17:30:03 -08:00
Dave Grijalva 43aa750e43
Merge pull request #344 from kamedono/parser-ecdsa-pkcs8
Add ECDSA pkcs8 parser
2020-01-06 17:29:25 -08:00
Dave Grijalva b08b43b479
Merge pull request #362 from aboodman/patch-1
Clarify expected format for key files.
2020-01-06 17:26:35 -08:00
Aaron Boodman 195174e229
Clarify expected format for key files. 2019-10-28 21:57:07 -10:00
toshikihigaki e02edc50e4 add parser 2019-07-26 16:30:49 +09:00
Seung-Woo Choi 29384ebfa4 changed error msg to not be misleading for public key decoding errors 2019-06-24 16:25:47 -07:00
Dave Grijalva 5e25c22bd5
added installation instructions to command readme 2019-06-20 11:01:02 -07:00
Dave Grijalva 7cd734deee
added troubleshooting section 2019-05-30 10:48:54 -07:00
Dave Grijalva 8a74229d83
Merge pull request #311 from fredbi/add-cli-support-for-rsapss
Added support for RSA-PSS in jwt CLI
2019-05-28 14:08:42 -07:00
Dave Grijalva 2f61636070
Merge pull request #328 from cbeach/master
Fixing a broken link
2019-05-28 12:18:04 -07:00
Casey Beach 5bff06a4f9 Fixing a broken link
I realized that I can actually fix this myself.
  After the 75th time navigating through the "broken" link I'm going to
  do just that.
2019-05-16 12:09:44 -07:00
Frederic BIDON 382e92cd09
Added support for RSA-PSS in jwt CLI
* input key is RSA for RS* _and_ PS* algs

Signed-off-by: Frederic BIDON <fredbi@yahoo.com>
2019-01-03 16:53:25 +01:00
Vladimir Skipor f47e6a7bc1 Use salt length equals hash, but verify auto salt length too in RSA PSS sign methods.
Fixes #285.
2018-11-11 22:39:07 +03:00
Sebastian 494b63caeb
Update RFC link
Old link led to a page that was just a link to this new page.
2018-10-24 09:18:46 -05:00
Dave Grijalva 3af4c746e1
Merge pull request #292 from someone1/patch-1
Update README.md
2018-09-21 11:23:15 -06:00
Prateek Malhotra febd124631
Update README.md
Update reference to gcp-jwt-go
2018-09-19 20:36:47 -04:00
Dave Grijalva 0b96aaa707
Merge pull request #280 from alias-dev/master
Fix dead link
2018-07-19 14:18:23 -07:00
Alex Andrews a0d8783268
Fix dead link 2018-07-18 11:34:47 +01:00
Dave Grijalva 06ea103174 documentation around expected key types 2018-03-08 15:13:08 -08:00
Dave Grijalva 6a1c681b2a Merge branch 'master' of github.com:dgrijalva/jwt-go 2018-03-08 15:04:15 -08:00
Dave Grijalva 6f4f904379 add options to ParseFromRequest 2018-03-08 15:04:09 -08:00
Dave Grijalva 1f05e5c95c
Merge pull request #181 from jsaguiar/master
Added password protect pem support
2018-03-08 14:50:15 -08:00
Dave Grijalva 3ad59cfd42
Moved old 3.0.0 notice to lower in the doc 2018-03-08 11:57:43 -08:00
Dave Grijalva b5a423081b
notice about security issue before go 1.8.3 2018-03-08 11:55:13 -08:00
Dave Grijalva 27d85fe4a0 fixed a formatting error in a test 2018-03-08 11:28:04 -08:00
Dave Grijalva b606e8202f documenting changes for upcoming 3.2.0 release 2018-03-08 11:16:21 -08:00
Dave Grijalva 3265a9bebd
Merge pull request #152 from pusher/parse-unverified
Introduce (*Parser).ParseUnverified
2018-03-08 11:01:10 -08:00
Dave Grijalva 5cc2026634
Merge pull request #219 from geertjanvdk/feat/parse
Handle ValidationError returned by keyFunc in jwt.ParseWithClaims
2018-03-08 10:58:47 -08:00
Dave Grijalva f75bbb3cc8
Merge pull request #205 from zamicol/icon_godoc
add godoc icon
2018-03-08 10:36:15 -08:00
Dave Grijalva d6bbf373d8
Merge pull request #209 from zhyuri/patch-1
A better error msg
2018-03-08 10:34:53 -08:00
Dave Grijalva 40ec5516a0
Merge pull request #220 from polarina/readme-alt-include
readme: Bump version of alternative package include
2018-03-08 10:33:32 -08:00
Dave Grijalva c3e930abb0
Notice about upcoming 4.0.0 release 2018-03-08 10:18:44 -08:00
Dave Grijalva dbeaa9332f 3.1.0 changelog 2017-10-19 14:57:19 -07:00
Gabríel Arthúr Pétursson 08b573c692 readme: Bump version of alternative package include 2017-07-03 19:13:07 +00:00
Geert Vanderkelen cb914dd542 Handle ValidationError returned by keyFunc in jwt.ParseWithClaims
Previously, returning a `jwt.ValidationError` from `jwt.Parse()` or
`jwt.ParseWithClaims()` would result values the error to be
ignored.
For example, when testing the signature while parsing the token, it
was not possible to return `jwt.ValidationErrorSignatureInvalid`.
The documentation shows an example for returning an `errors.Error`,
but this is not enough.

We change the `jwt.ParseWithClaims()`-function and check whether the
returned error from the `KeyFunc` is already a
`jwt.ValidationError`-type and return as-is.

This allows us to do the following:

  token, err := jwt.ParseWithClaims(authToken, claims, func(token
    *jwt.Token) (interface{}, error) {
    if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
        vErr := new(jwt.ValidationError)
        vErr.Errors = jwt.ValidationErrorSignatureInvalid
        vErr.Inner = fmt.Errorf("invalid signature")
        return nil, vErr
    }
    return []byte(MySecret), nil
  })

The idea is to then be able to check the `Errors`-member:

  } else if ve.Errors&jwt.ValidationErrorSignatureInvalid != 0 {
    return fmt.Errorf("Authentication Token has invalid signature")
  }
2017-06-28 09:16:23 +02:00
Dave Grijalva a539ee1a74 Merge pull request #218 from zoofood/patch-1
minor typo
2017-06-07 17:51:49 -07:00
Jeff Rouse b425822dfa minor typo 2017-06-07 17:13:34 -07:00
Dave Grijalva 6c8dedd55f updated note on alg type vulnerability 2017-05-08 09:54:58 -07:00