From 4d0c7db30e979f143b0b9772f8d94eca6265b095 Mon Sep 17 00:00:00 2001
From: Christian Banse
Date: Tue, 18 Apr 2023 15:56:46 +0200
Subject: [PATCH] Adds support for `v5` of the `golang-jwt` library (#15)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Adds support for `v5` of the `golang-jwt` library

For better future maintainability, we had to change the way signing methods work slightly. Instead of decoding/encoding the token in the signing method, this is now done in the library itself. This should also make code in projects like this a little bit easier and cleaner.

Fixes #13

* v5 release

---------

Co-authored-by: Máté Lang
---
 .github/workflows/go.yml | 2 +-
 example/example.go | 14 +++++++-------
 go.mod | 17 +++++++++++++++--
 go.sum | 4 ++--
 jwtkms/init.go | 3 ++-
 jwtkms/kms_signing_method.go | 28 ++++++++++++----------------
 jwtkms/kms_signingmethod_test.go | 2 +-
 7 files changed, 40 insertions(+), 30 deletions(-)

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index b56312c..9753952 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -16,7 +16,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v2
 with:
- go-version: 1.16
+ go-version: 1.18
 - name: Build
 run: go build -v ./...
diff --git a/example/example.go b/example/example.go
index 23f1bbd..e16944b 100644
--- a/example/example.go
+++ b/example/example.go
@@ -7,7 +7,7 @@ import (
 "github.com/aws/aws-sdk-go-v2/config"
 "github.com/aws/aws-sdk-go-v2/service/kms"
- "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/matelang/jwt-go-aws-kms/v2/jwtkms"
 )
@@ -21,13 +21,13 @@ func main() {
 }
 now := time.Now()
- jwtToken := jwt.NewWithClaims(jwtkms.SigningMethodECDSA256, &jwt.StandardClaims{
- Audience: "api.example.com",
- ExpiresAt: now.Add(1 * time.Hour * 24).Unix(),
- Id: "1234-5678",
- IssuedAt: now.Unix(),
+ jwtToken := jwt.NewWithClaims(jwtkms.SigningMethodECDSA256, &jwt.RegisteredClaims{
+ Audience: jwt.ClaimStrings{"api.example.com"},
+ ExpiresAt: jwt.NewNumericDate(now.Add(1 * time.Hour * 24)),
+ ID: "1234-5678",
+ IssuedAt: jwt.NewNumericDate(now),
 Issuer: "sso.example.com",
- NotBefore: now.Unix(),
+ NotBefore: jwt.NewNumericDate(now),
 Subject: "john.doe@example.com",
 })
diff --git a/go.mod b/go.mod
index b53eb90..e43c1de 100644
--- a/go.mod
+++ b/go.mod
@@ -1,11 +1,24 @@
 module github.com/matelang/jwt-go-aws-kms/v2
-go 1.16
+go 1.18
 require (
 github.com/aws/aws-sdk-go-v2 v1.17.7
 github.com/aws/aws-sdk-go-v2/config v1.18.19
 github.com/aws/aws-sdk-go-v2/service/kms v1.20.8
- github.com/golang-jwt/jwt/v4 v4.5.0
+ github.com/golang-jwt/jwt/v5 v5.0.0
 github.com/google/uuid v1.3.0
 )
+
+require (
+ github.com/aws/aws-sdk-go-v2/credentials v1.13.18 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.1 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.31 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.25 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/ini v1.3.32 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.25 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.12.6 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.6 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.18.7 // indirect
+ github.com/aws/smithy-go v1.13.5 // indirect
+)
diff --git a/go.sum b/go.sum
index 6a67674..3a42125 100644
--- a/go.sum
+++ b/go.sum
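Review bot: `ExpiresAt: jwt.NewNumericDate(now.Add(1 * time.Hour * 24))` carries the lifetime over from the v4 line as `1 * time.Hour * 24`; since the line is rewritten anyway, the idiomatic `now.Add(24 * time.Hour)` reads as a duration rather than as arithmetic. The rest of the move to `jwt.RegisteredClaims` (`jwt.ClaimStrings` for the audience, `jwt.NewNumericDate` for the timestamps, `Id` renamed to `ID`) matches the v5 API. main starts before and continues after this hunk.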
@@ -25,8 +25,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.18.7/go.mod h1:JuTnSoeePXmMVe9G8Ncjj
 github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
 github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
diff --git a/jwtkms/init.go b/jwtkms/init.go
index d2836b0..5493110 100644
--- a/jwtkms/init.go
+++ b/jwtkms/init.go
@@ -9,8 +9,9 @@ package jwtkms
 import (
 "crypto"
+
 "github.com/aws/aws-sdk-go-v2/service/kms/types"
- "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v5"
 )
 var (
diff --git a/jwtkms/kms_signing_method.go b/jwtkms/kms_signing_method.go
index 98c8f15..e514c1e 100644
--- a/jwtkms/kms_signing_method.go
+++ b/jwtkms/kms_signing_method.go
@@ -6,11 +6,12 @@ import (
 "crypto/rsa"
 "crypto/x509"
 "encoding/asn1"
+ "math/big"
+
 "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/service/kms"
 "github.com/aws/aws-sdk-go-v2/service/kms/types"
- "github.com/golang-jwt/jwt/v4"
- "math/big"
+ "github.com/golang-jwt/jwt/v5"
 )
 type fallbackSigningMethodCompatibilityCheckerFunc func(keyConfig interface{}) bool
@@ -94,7 +95,7 @@ func (m *KMSSigningMethod) Alg() string {
 return m.fallbackSigningMethod.Alg()
 }
-func (m *KMSSigningMethod) Verify(signingString string, signature string, keyConfig interface{}) error {
+func (m *KMSSigningMethod) Verify(signingString string, sig []byte, keyConfig interface{}) (err error) {
 // Expecting a jwtkms.Config as the keyConfig to use AWS KMS to Verify tokens.
 cfg, ok := keyConfig.(*Config)
@@ -104,17 +105,12 @@ func (m *KMSSigningMethod) Verify(signingString string, signature string, keyCon
 keyConfigIsForFallbackSigningMethod := m.fallbackSigningMethodKeyConfigCheckerFunc(keyConfig)
 if keyConfigIsForFallbackSigningMethod {
- return m.fallbackSigningMethod.Verify(signingString, signature, keyConfig)
+ return m.fallbackSigningMethod.Verify(signingString, sig, keyConfig)
 }
 return jwt.ErrInvalidKeyType
 }
- sig, err := jwt.DecodeSegment(signature)
- if err != nil {
- return err
- }
-
 if !m.hash.Available() {
 return jwt.ErrHashUnavailable
 }
@@ -169,10 +165,10 @@ func (m *KMSSigningMethod) Verify(signingString string, signature string, keyCon
 pubkeyCache.Add(cfg.kmsKeyID, cachedKey)
 }
- return m.fallbackSigningMethod.Verify(signingString, signature, cachedKey)
+ return m.fallbackSigningMethod.Verify(signingString, sig, cachedKey)
 }
-func (m *KMSSigningMethod) Sign(signingString string, keyConfig interface{}) (string, error) {
+func (m *KMSSigningMethod) Sign(signingString string, keyConfig interface{}) ([]byte, error) {
 // Expecting a jwtkms.Config as the keyConfig to use AWS KMS to Sign tokens.
 cfg, ok := keyConfig.(*Config)
@@ -185,11 +181,11 @@ func (m *KMSSigningMethod) Sign(signingString string, keyConfig interface{}) (st
 return m.fallbackSigningMethod.Sign(signingString, keyConfig)
 }
- return "", jwt.ErrInvalidKeyType
+ return nil, jwt.ErrInvalidKeyType
 }
 if !m.hash.Available() {
- return "", jwt.ErrHashUnavailable
+ return nil, jwt.ErrHashUnavailable
 }
 hasher := m.hash.New()
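Review bot: The new `Verify` signature declares a named result `(err error)` that nothing visible reads back or adjusts in a `defer`; it appears to exist only so that assignments to `err` later in the body (outside this hunk) still compile now that `sig, err := jwt.DecodeSegment(signature)` has been removed. A plain `error` result with `err` declared at its first use via `:=` is the usual Go style and spares a reader the search for a deferred use of the name. The exported method also has no doc comment, and since `sig` is now the raw signature rather than the base64url text v4 passed, that is worth stating: `// Verify checks sig, the raw (already base64url-decoded) signature, against signingString, delegating to the fallback method for non-KMS keys or to the public key cached for cfg's KMS key ID.` Verify's body continues past this hunk.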
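Review bot: `Sign` now returns the raw signature bytes where the v4 version returned the base64url segment; that is the v5 `SigningMethod` contract, but it is an observable change for any caller that invoked `Sign` directly instead of going through the token's `SignedString`, and nothing in the code says which form comes back. A doc comment on the new signature line makes the encoding explicit: `// Sign signs signingString with the KMS key in keyConfig (or the fallback method for non-KMS keys) and returns the raw signature bytes; base64url encoding is left to the jwt library.` Sign's body continues past this hunk, and the same hunk holds the tail of Verify.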
@@ -205,16 +201,16 @@ func (m *KMSSigningMethod) Sign(signingString string, keyConfig interface{}) (st
 signOutput, err := cfg.kmsClient.Sign(cfg.ctx, signInput)
 if err != nil {
- return "", err
+ return nil, err
 }
 formattedSig := signOutput.Signature
 if m.postSignatureSigFormatterFunc != nil {
 formattedSig, err = m.postSignatureSigFormatterFunc(signOutput.Signature)
 if err != nil {
- return "", err
+ return nil, err
 }
 }
- return jwt.EncodeSegment(formattedSig), nil
+ return formattedSig, nil
 }
diff --git a/jwtkms/kms_signingmethod_test.go b/jwtkms/kms_signingmethod_test.go
index 7728f0b..61cfcf8 100644
--- a/jwtkms/kms_signingmethod_test.go
+++ b/jwtkms/kms_signingmethod_test.go
@@ -3,7 +3,7 @@ package jwtkms
 import (
 "testing"
- "github.com/golang-jwt/jwt/v4"
+ "github.com/golang-jwt/jwt/v5"
 "github.com/matelang/jwt-go-aws-kms/v2/jwtkms/internal/mockkms"
 )
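Review bot: `return formattedSig, nil` hands back whatever `signOutput.Signature` (or the formatter's output) holds, so an empty `Signature` in a successful KMS response — unlikely from the real service, but easy to get from a stubbed or misconfigured client — produces a token with an empty signature segment and no error, which the library then happily emits. A length guard before the return closes that gap: `if len(formattedSig) == 0 {` / `return nil, errors.New("kms returned an empty signature")` / `}`; this needs `errors` in the file's import block, which the import hunk above does not show. Sign starts before this hunk.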