123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104 |
- package jwt
-
- import (
- "crypto"
- "crypto/hmac"
- "errors"
- )
-
- // SigningMethodHMAC implements the HMAC-SHA family of signing methods.
- // Expects key type of []byte for both signing and validation
- type SigningMethodHMAC struct {
- Name string
- Hash crypto.Hash
- }
-
- // Specific instances for HS256 and company
- var (
- SigningMethodHS256 *SigningMethodHMAC
- SigningMethodHS384 *SigningMethodHMAC
- SigningMethodHS512 *SigningMethodHMAC
- ErrSignatureInvalid = errors.New("signature is invalid")
- )
-
- func init() {
- // HS256
- SigningMethodHS256 = &SigningMethodHMAC{"HS256", crypto.SHA256}
- RegisterSigningMethod(SigningMethodHS256.Alg(), func() SigningMethod {
- return SigningMethodHS256
- })
-
- // HS384
- SigningMethodHS384 = &SigningMethodHMAC{"HS384", crypto.SHA384}
- RegisterSigningMethod(SigningMethodHS384.Alg(), func() SigningMethod {
- return SigningMethodHS384
- })
-
- // HS512
- SigningMethodHS512 = &SigningMethodHMAC{"HS512", crypto.SHA512}
- RegisterSigningMethod(SigningMethodHS512.Alg(), func() SigningMethod {
- return SigningMethodHS512
- })
- }
-
- func (m *SigningMethodHMAC) Alg() string {
- return m.Name
- }
-
- // Verify implements token verification for the SigningMethod. Returns nil if
- // the signature is valid. Key must be []byte.
- //
- // Note it is not advised to provide a []byte which was converted from a 'human
- // readable' string using a subset of ASCII characters. To maximize entropy, you
- // should ideally be providing a []byte key which was produced from a
- // cryptographically random source, e.g. crypto/rand. Additional information
- // about this, and why we intentionally are not supporting string as a key can
- // be found on our usage guide
- // https://golang-jwt.github.io/jwt/usage/signing_methods/#signing-methods-and-key-types.
- func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interface{}) error {
- // Verify the key is the right type
- keyBytes, ok := key.([]byte)
- if !ok {
- return newError("HMAC verify expects []byte", ErrInvalidKeyType)
- }
-
- // Can we use the specified hashing method?
- if !m.Hash.Available() {
- return ErrHashUnavailable
- }
-
- // This signing method is symmetric, so we validate the signature
- // by reproducing the signature from the signing string and key, then
- // comparing that against the provided signature.
- hasher := hmac.New(m.Hash.New, keyBytes)
- hasher.Write([]byte(signingString))
- if !hmac.Equal(sig, hasher.Sum(nil)) {
- return ErrSignatureInvalid
- }
-
- // No validation errors. Signature is good.
- return nil
- }
-
- // Sign implements token signing for the SigningMethod. Key must be []byte.
- //
- // Note it is not advised to provide a []byte which was converted from a 'human
- // readable' string using a subset of ASCII characters. To maximize entropy, you
- // should ideally be providing a []byte key which was produced from a
- // cryptographically random source, e.g. crypto/rand. Additional information
- // about this, and why we intentionally are not supporting string as a key can
- // be found on our usage guide https://golang-jwt.github.io/jwt/usage/signing_methods/.
- func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) ([]byte, error) {
- if keyBytes, ok := key.([]byte); ok {
- if !m.Hash.Available() {
- return nil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
- }
-
- hasher := hmac.New(m.Hash.New, keyBytes)
- hasher.Write([]byte(signingString))
-
- return hasher.Sum(nil), nil
- }
-
- return nil, ErrInvalidKeyType
- }
|