jwt/hmac.go at main · golang-jwt/jwt · GitHub

Name: jwt/hmac.go at main · golang-jwt/jwt · GitHub
Rating: 4.9 (2347 reviews)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
package jwt

import (
"crypto"
"crypto/hmac"
"errors"
)

// SigningMethodHMAC implements the HMAC-SHA family of signing methods.
// Expects key type of []byte for both signing and validation
typeSigningMethodHMACstruct {
Namestring
Hash crypto.Hash
}

// Specific instances for HS256 and company
var (
SigningMethodHS256*SigningMethodHMAC
SigningMethodHS384*SigningMethodHMAC
SigningMethodHS512*SigningMethodHMAC
ErrSignatureInvalid=errors.New("signature is invalid")
)

funcinit() {
// HS256
SigningMethodHS256=&SigningMethodHMAC{"HS256", crypto.SHA256}
RegisterSigningMethod(SigningMethodHS256.Alg(), func() SigningMethod {
returnSigningMethodHS256
 })

// HS384
SigningMethodHS384=&SigningMethodHMAC{"HS384", crypto.SHA384}
RegisterSigningMethod(SigningMethodHS384.Alg(), func() SigningMethod {
returnSigningMethodHS384
 })

// HS512
SigningMethodHS512=&SigningMethodHMAC{"HS512", crypto.SHA512}
RegisterSigningMethod(SigningMethodHS512.Alg(), func() SigningMethod {
returnSigningMethodHS512
 })
}

func (m*SigningMethodHMAC) Alg() string {
returnm.Name
}

// Verify implements token verification for the SigningMethod. Returns nil if
// the signature is valid. Key must be []byte.
//
// Note it is not advised to provide a []byte which was converted from a 'human
// readable' string using a subset of ASCII characters. To maximize entropy, you
// should ideally be providing a []byte key which was produced from a
// cryptographically random source, e.g. crypto/rand. Additional information
// about this, and why we intentionally are not supporting string as a key can
// be found on our usage guide
// https://golang-jwt.github.io/jwt/usage/signing_methods/#signing-methods-and-key-types.
func (m*SigningMethodHMAC) Verify(signingStringstring, sig []byte, keyinterface{}) error {
// Verify the key is the right type
keyBytes, ok:=key.([]byte)
if!ok {
returnnewError("HMAC verify expects []byte", ErrInvalidKeyType)
 }

// Can we use the specified hashing method?
if!m.Hash.Available() {
returnErrHashUnavailable
 }

// This signing method is symmetric, so we validate the signature
// by reproducing the signature from the signing string and key, then
// comparing that against the provided signature.
hasher:=hmac.New(m.Hash.New, keyBytes)
hasher.Write([]byte(signingString))
if!hmac.Equal(sig, hasher.Sum(nil)) {
returnErrSignatureInvalid
 }

// No validation errors. Signature is good.
returnnil
}

// Sign implements token signing for the SigningMethod. Key must be []byte.
//
// Note it is not advised to provide a []byte which was converted from a 'human
// readable' string using a subset of ASCII characters. To maximize entropy, you
// should ideally be providing a []byte key which was produced from a
// cryptographically random source, e.g. crypto/rand. Additional information
// about this, and why we intentionally are not supporting string as a key can
// be found on our usage guide https://golang-jwt.github.io/jwt/usage/signing_methods/.
func (m*SigningMethodHMAC) Sign(signingStringstring, keyinterface{}) ([]byte, error) {
ifkeyBytes, ok:=key.([]byte); ok {
if!m.Hash.Available() {
returnnil, ErrHashUnavailable
 }

hasher:=hmac.New(m.Hash.New, keyBytes)
hasher.Write([]byte(signingString))

returnhasher.Sum(nil), nil
 }

returnnil, newError("HMAC sign expects []byte", ErrInvalidKeyType)
}