Merge branch 'wider' into two_point_oh

hmac.go

@@ -0,0 +1,65 @@
+package jwt
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/hmac"
+	"errors"
+)
+
+type SigningMethodHMAC struct {
+	Name string
+	Hash crypto.Hash
+}
+
+var (
+	SigningMethodHS256 *SigningMethodHMAC
+	SigningMethodHS384 *SigningMethodHMAC
+	SigningMethodHS512 *SigningMethodHMAC
+)
+
+func init() {
+	// HS256
+	SigningMethodHS256 = &SigningMethodHMAC{"HS256", crypto.SHA256}
+	RegisterSigningMethod(SigningMethodHS256.Alg(), func() SigningMethod {
+		return SigningMethodHS256
+	})
+
+	// HS384
+	SigningMethodHS384 = &SigningMethodHMAC{"HS384", crypto.SHA384}
+	RegisterSigningMethod(SigningMethodHS384.Alg(), func() SigningMethod {
+		return SigningMethodHS384
+	})
+
+	// HS512
+	SigningMethodHS512 = &SigningMethodHMAC{"HS512", crypto.SHA512}
+	RegisterSigningMethod(SigningMethodHS512.Alg(), func() SigningMethod {
+		return SigningMethodHS512
+	})
+}
+
+func (m *SigningMethodHMAC) Alg() string {
+	return m.Name
+}
+
+func (m *SigningMethodHMAC) Verify(signingString, signature string, key []byte) error {
+	// Key
+	var sig []byte
+	var err error
+	if sig, err = DecodeSegment(signature); err == nil {
+		hasher := hmac.New(m.Hash.New, key)
+		hasher.Write([]byte(signingString))
+
+		if !bytes.Equal(sig, hasher.Sum(nil)) {
+			err = errors.New("Signature is invalid")
+		}
+	}
+	return err
+}
+
+func (m *SigningMethodHMAC) Sign(signingString string, key []byte) (string, error) {
+	hasher := hmac.New(m.Hash.New, key)
+	hasher.Write([]byte(signingString))
+
+	return EncodeSegment(hasher.Sum(nil)), nil
+}

sha256_test.go → hmac_test.go

@@ -1,44 +1,57 @@
 package jwt
 
 import (
+	"io/ioutil"
 	"strings"
 	"testing"
 )
 
-var sha256TestData = []struct {
+var hmacTestData = []struct {
 	name        string
 	tokenString string
+	alg         string
 	claims      map[string]interface{}
 	valid       bool
 }{
 	{
 		"web sample",
 		"eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
+		"HS256",
+		map[string]interface{}{"iss": "joe", "exp": 1300819380, "http://example.com/is_root": true},
+		true,
+	},
+	{
+		"HS384",
+		"eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJleHAiOjEuMzAwODE5MzhlKzA5LCJodHRwOi8vZXhhbXBsZS5jb20vaXNfcm9vdCI6dHJ1ZSwiaXNzIjoiam9lIn0.KWZEuOD5lbBxZ34g7F-SlVLAQ_r5KApWNWlZIIMyQVz5Zs58a7XdNzj5_0EcNoOy",
+		"HS384",
+		map[string]interface{}{"iss": "joe", "exp": 1300819380, "http://example.com/is_root": true},
+		true,
+	},
+	{
+		"HS512",
+		"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjEuMzAwODE5MzhlKzA5LCJodHRwOi8vZXhhbXBsZS5jb20vaXNfcm9vdCI6dHJ1ZSwiaXNzIjoiam9lIn0.CN7YijRX6Aw1n2jyI2Id1w90ja-DEMYiWixhYCyHnrZ1VfJRaFQz1bEbjjA5Fn4CLYaUG432dEYmSbS4Saokmw",
+		"HS512",
 		map[string]interface{}{"iss": "joe", "exp": 1300819380, "http://example.com/is_root": true},
 		true,
 	},
 	{
 		"web sample: invalid",
 		"eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXo",
+		"HS256",
 		map[string]interface{}{"iss": "joe", "exp": 1300819380, "http://example.com/is_root": true},
 		false,
 	},
 }
 
 // Sample data from http://tools.ietf.org/html/draft-jones-json-web-signature-04#appendix-A.1
-var sha256TestKey = []byte{
-	3, 35, 53, 75, 43, 15, 165, 188, 131, 126, 6, 101, 119, 123, 166,
-	143, 90, 179, 40, 230, 240, 84, 201, 40, 169, 15, 132, 178, 210, 80,
-	46, 191, 211, 251, 90, 146, 210, 6, 71, 239, 150, 138, 180, 195, 119,
-	98, 61, 34, 61, 46, 33, 114, 5, 46, 79, 8, 192, 205, 154, 245, 103,
-	208, 128, 163}
+var hmacTestKey, _ = ioutil.ReadFile("test/hmacTestKey")
 
-func TestHS256Verify(t *testing.T) {
-	for _, data := range sha256TestData {
+func TestHMACVerify(t *testing.T) {
+	for _, data := range hmacTestData {
 		parts := strings.Split(data.tokenString, ".")
 
-		method := GetSigningMethod("HS256")
-		err := method.Verify(strings.Join(parts[0:2], "."), parts[2], sha256TestKey)
+		method := GetSigningMethod(data.alg)
+		err := method.Verify(strings.Join(parts[0:2], "."), parts[2], hmacTestKey)
 		if data.valid && err != nil {
 			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
 		}
@@ -48,12 +61,12 @@ func TestHS256Verify(t *testing.T) {
 	}
 }
 
-func TestHS256Sign(t *testing.T) {
-	for _, data := range sha256TestData {
+func TestHMACSign(t *testing.T) {
+	for _, data := range hmacTestData {
 		if data.valid {
 			parts := strings.Split(data.tokenString, ".")
-			method := GetSigningMethod("HS256")
-			sig, err := method.Sign(strings.Join(parts[0:2], "."), sha256TestKey)
+			method := GetSigningMethod(data.alg)
+			sig, err := method.Sign(strings.Join(parts[0:2], "."), hmacTestKey)
 			if err != nil {
 				t.Errorf("[%v] Error signing token: %v", data.name, err)
 			}

rs256.go → rsa.go

@@ -4,25 +4,47 @@ import (
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha256"
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
 )
 
-type SigningMethodRS256 struct{}
+type SigningMethodRSA struct {
+	Name string
+	Hash crypto.Hash
+}
+
+var (
+	SigningMethodRS256 *SigningMethodRSA
+	SigningMethodRS384 *SigningMethodRSA
+	SigningMethodRS512 *SigningMethodRSA
+)
 
 func init() {
-	RegisterSigningMethod("RS256", func() SigningMethod {
-		return new(SigningMethodRS256)
+	// RS256
+	SigningMethodRS256 = &SigningMethodRSA{"RS256", crypto.SHA256}
+	RegisterSigningMethod(SigningMethodRS256.Alg(), func() SigningMethod {
+		return SigningMethodRS256
+	})
+
+	// RS384
+	SigningMethodRS384 = &SigningMethodRSA{"RS384", crypto.SHA384}
+	RegisterSigningMethod(SigningMethodRS384.Alg(), func() SigningMethod {
+		return SigningMethodRS384
+	})
+
+	// RS512
+	SigningMethodRS512 = &SigningMethodRSA{"RS512", crypto.SHA512}
+	RegisterSigningMethod(SigningMethodRS512.Alg(), func() SigningMethod {
+		return SigningMethodRS512
 	})
 }
 
-func (m *SigningMethodRS256) Alg() string {
-	return "RS256"
+func (m *SigningMethodRSA) Alg() string {
+	return m.Name
 }
 
-func (m *SigningMethodRS256) Verify(signingString, signature string, key []byte) error {
+func (m *SigningMethodRSA) Verify(signingString, signature string, key []byte) error {
 	var err error
 
 	// Decode the signature
@@ -38,30 +60,30 @@ func (m *SigningMethodRS256) Verify(signingString, signature string, key []byte)
 	}
 
 	// Create hasher
-	hasher := sha256.New()
+	hasher := m.Hash.New()
 	hasher.Write([]byte(signingString))
 
 	// Verify the signature
-	return rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, hasher.Sum(nil), sig)
+	return rsa.VerifyPKCS1v15(rsaKey, m.Hash, hasher.Sum(nil), sig)
 }
 
 // Implements the Sign method from SigningMethod
 // For this signing method, must be PEM encoded PKCS1 or PKCS8 RSA private key
-func (m *SigningMethodRS256) Sign(signingString string, key []byte) (string, error) {
+func (m *SigningMethodRSA) Sign(signingString string, key []byte) (string, error) {
 	var err error
 
-	// Key
+	// Parse private key
 	var rsaKey *rsa.PrivateKey
 	if rsaKey, err = m.parsePrivateKey(key); err != nil {
 		return "", err
 	}
 
 	// Create the hasher
-	hasher := sha256.New()
+	hasher := m.Hash.New()
 	hasher.Write([]byte(signingString))
 
 	// Sign the string and return the encoded bytes
-	if sigBytes, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, hasher.Sum(nil)); err == nil {
+	if sigBytes, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil)); err == nil {
 		return EncodeSegment(sigBytes), nil
 	} else {
 		return "", err
@@ -70,7 +92,7 @@ func (m *SigningMethodRS256) Sign(signingString string, key []byte) (string, err
 }
 
 // Parse PEM encoded PKCS1 or PKCS8 public key
-func (m *SigningMethodRS256) parsePublicKey(key []byte) (*rsa.PublicKey, error) {
+func (m *SigningMethodRSA) parsePublicKey(key []byte) (*rsa.PublicKey, error) {
 	var err error
 
 	// Parse PEM block
@@ -99,7 +121,7 @@ func (m *SigningMethodRS256) parsePublicKey(key []byte) (*rsa.PublicKey, error)
 }
 
 // Parse PEM encoded PKCS1 or PKCS8 private key
-func (m *SigningMethodRS256) parsePrivateKey(key []byte) (*rsa.PrivateKey, error) {
+func (m *SigningMethodRSA) parsePrivateKey(key []byte) (*rsa.PrivateKey, error) {
 	var err error
 
 	// Parse PEM block

rs256_test.go → rsa_test.go

@@ -9,30 +9,47 @@ import (
 var rsaTestData = []struct {
 	name        string
 	tokenString string
+	alg         string
 	claims      map[string]interface{}
 	valid       bool
 }{
 	{
-		"basic: foo => bar",
+		"Basic RS256",
 		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
+		"RS256",
+		map[string]interface{}{"foo": "bar"},
+		true,
+	},
+	{
+		"Basic RS384",
+		"eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.W-jEzRfBigtCWsinvVVuldiuilzVdU5ty0MvpLaSaqK9PlAWWlDQ1VIQ_qSKzwL5IXaZkvZFJXT3yL3n7OUVu7zCNJzdwznbC8Z-b0z2lYvcklJYi2VOFRcGbJtXUqgjk2oGsiqUMUMOLP70TTefkpsgqDxbRh9CDUfpOJgW-dU7cmgaoswe3wjUAUi6B6G2YEaiuXC0XScQYSYVKIzgKXJV8Zw-7AN_DBUI4GkTpsvQ9fVVjZM9csQiEXhYekyrKu1nu_POpQonGd8yqkIyXPECNmmqH5jH4sFiF67XhD7_JpkvLziBpI-uh86evBUadmHhb9Otqw3uV3NTaXLzJw",
+		"RS384",
+		map[string]interface{}{"foo": "bar"},
+		true,
+	},
+	{
+		"Basic RS512",
+		"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIifQ.zBlLlmRrUxx4SJPUbV37Q1joRcI9EW13grnKduK3wtYKmDXbgDpF1cZ6B-2Jsm5RB8REmMiLpGms-EjXhgnyh2TSHE-9W2gA_jvshegLWtwRVDX40ODSkTb7OVuaWgiy9y7llvcknFBTIg-FnVPVpXMmeV_pvwQyhaz1SSwSPrDyxEmksz1hq7YONXhXPpGaNbMMeDTNP_1oj8DZaqTIL9TwV8_1wb2Odt_Fy58Ke2RVFijsOLdnyEAjt2n9Mxihu9i3PhNBkkxa2GbnXBfq3kzvZ_xxGGopLdHhJjcGWXO-NiwI9_tiu14NRv4L2xC0ItD9Yz68v2ZIZEp_DuzwRQ",
+		"RS512",
 		map[string]interface{}{"foo": "bar"},
 		true,
 	},
 	{
 		"basic invalid: foo => bar",
 		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.EhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
+		"RS256",
 		map[string]interface{}{"foo": "bar"},
 		false,
 	},
 }
 
-func TestRS256Verify(t *testing.T) {
+func TestRSAVerify(t *testing.T) {
 	key, _ := ioutil.ReadFile("test/sample_key.pub")
 
 	for _, data := range rsaTestData {
 		parts := strings.Split(data.tokenString, ".")
 
-		method := GetSigningMethod("RS256")
+		method := GetSigningMethod(data.alg)
 		err := method.Verify(strings.Join(parts[0:2], "."), parts[2], key)
 		if data.valid && err != nil {
 			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
@@ -43,13 +60,13 @@ func TestRS256Verify(t *testing.T) {
 	}
 }
 
-func TestRS256Sign(t *testing.T) {
+func TestRSASign(t *testing.T) {
 	key, _ := ioutil.ReadFile("test/sample_key")
 
 	for _, data := range rsaTestData {
 		if data.valid {
 			parts := strings.Split(data.tokenString, ".")
-			method := GetSigningMethod("RS256")
+			method := GetSigningMethod(data.alg)
 			sig, err := method.Sign(strings.Join(parts[0:2], "."), key)
 			if err != nil {
 				t.Errorf("[%v] Error signing token: %v", data.name, err)
@@ -65,7 +82,7 @@ func TestRSAKeyParsing(t *testing.T) {
 	key, _ := ioutil.ReadFile("test/sample_key")
 	pubKey, _ := ioutil.ReadFile("test/sample_key.pub")
 	badKey := []byte("All your base are belong to key")
-	method := GetSigningMethod("RS256").(*SigningMethodRS256)
+	method := GetSigningMethod("RS256").(*SigningMethodRSA)
 
 	// Test parsePrivateKey
 	if _, e := method.parsePrivateKey(key); e != nil {

test/hmacTestKey

@@ -0,0 +1 @@
+#5K+���~ew{��Z�(��T�(����P.���Z��G��wb="=.!r.O�͚�gЀ�