blob: addbe5d401829cb555ebd16b7d6e5e7b6eacc3c9 [file] [log] [blame]
khenaidooab1f7bd2019-11-14 14:00:27 -05001package jwt
2
3import (
4 "crypto"
5 "crypto/hmac"
6 "errors"
7)
8
9// Implements the HMAC-SHA family of signing methods signing methods
10// Expects key type of []byte for both signing and validation
11type SigningMethodHMAC struct {
12 Name string
13 Hash crypto.Hash
14}
15
16// Specific instances for HS256 and company
17var (
18 SigningMethodHS256 *SigningMethodHMAC
19 SigningMethodHS384 *SigningMethodHMAC
20 SigningMethodHS512 *SigningMethodHMAC
21 ErrSignatureInvalid = errors.New("signature is invalid")
22)
23
24func init() {
25 // HS256
26 SigningMethodHS256 = &SigningMethodHMAC{"HS256", crypto.SHA256}
27 RegisterSigningMethod(SigningMethodHS256.Alg(), func() SigningMethod {
28 return SigningMethodHS256
29 })
30
31 // HS384
32 SigningMethodHS384 = &SigningMethodHMAC{"HS384", crypto.SHA384}
33 RegisterSigningMethod(SigningMethodHS384.Alg(), func() SigningMethod {
34 return SigningMethodHS384
35 })
36
37 // HS512
38 SigningMethodHS512 = &SigningMethodHMAC{"HS512", crypto.SHA512}
39 RegisterSigningMethod(SigningMethodHS512.Alg(), func() SigningMethod {
40 return SigningMethodHS512
41 })
42}
43
44func (m *SigningMethodHMAC) Alg() string {
45 return m.Name
46}
47
48// Verify the signature of HSXXX tokens. Returns nil if the signature is valid.
49func (m *SigningMethodHMAC) Verify(signingString, signature string, key interface{}) error {
50 // Verify the key is the right type
51 keyBytes, ok := key.([]byte)
52 if !ok {
53 return ErrInvalidKeyType
54 }
55
56 // Decode signature, for comparison
57 sig, err := DecodeSegment(signature)
58 if err != nil {
59 return err
60 }
61
62 // Can we use the specified hashing method?
63 if !m.Hash.Available() {
64 return ErrHashUnavailable
65 }
66
67 // This signing method is symmetric, so we validate the signature
68 // by reproducing the signature from the signing string and key, then
69 // comparing that against the provided signature.
70 hasher := hmac.New(m.Hash.New, keyBytes)
71 hasher.Write([]byte(signingString))
72 if !hmac.Equal(sig, hasher.Sum(nil)) {
73 return ErrSignatureInvalid
74 }
75
76 // No validation errors. Signature is good.
77 return nil
78}
79
80// Implements the Sign method from SigningMethod for this signing method.
81// Key must be []byte
82func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) (string, error) {
83 if keyBytes, ok := key.([]byte); ok {
84 if !m.Hash.Available() {
85 return "", ErrHashUnavailable
86 }
87
88 hasher := hmac.New(m.Hash.New, keyBytes)
89 hasher.Write([]byte(signingString))
90
91 return EncodeSegment(hasher.Sum(nil)), nil
92 }
93
94 return "", ErrInvalidKeyType
95}