feat: Hardware Security Module support #611

Merged
merged 1 commit into from
Oct 13, 2021
Merged
40 changes: 34 additions & 6 deletions token/jwt/jwt.go
Expand Up @@ -51,7 +51,7 @@ var SHA256HashSize = crypto.SHA256.Size()

// RS256JWTStrategy is responsible for generating and validating JWT challenges
type RS256JWTStrategy struct {
PrivateKey *rsa.PrivateKey
PrivateKey interface{}
}

// Generate generates a new authorize code or returns an error. set secret
Expand All @@ -61,12 +61,26 @@ func (j *RS256JWTStrategy) Generate(ctx context.Context, claims MapClaims, heade

// Validate validates a token and returns its signature or an error if the token is not valid.
func (j *RS256JWTStrategy) Validate(ctx context.Context, token string) (string, error) {
return validateToken(token, &j.PrivateKey.PublicKey)
switch t := j.PrivateKey.(type) {
case *rsa.PrivateKey:
return validateToken(token, t.PublicKey)
case jose.OpaqueSigner:
return validateToken(token, t.Public().Key)

Is t.Public() always set for jose.OpaqueSigner or could it cause panics?


default:
return "", errors.New("Unable to validate token. Invalid PrivateKey type")
}
}

// Decode will decode a JWT token
func (j *RS256JWTStrategy) Decode(ctx context.Context, token string) (*Token, error) {
return decodeToken(token, &j.PrivateKey.PublicKey)
switch t := j.PrivateKey.(type) {
case *rsa.PrivateKey:
return decodeToken(token, t.PublicKey)
case jose.OpaqueSigner:
return decodeToken(token, t.Public().Key)
default:
return nil, errors.New("Unable to decode token. Invalid PrivateKey type")
}
}

// GetSignature will return the signature of a token
Expand All @@ -86,7 +100,7 @@ func (j *RS256JWTStrategy) GetSigningMethodLength() int {

// ES256JWTStrategy is responsible for generating and validating JWT challenges
type ES256JWTStrategy struct {
PrivateKey *ecdsa.PrivateKey
PrivateKey interface{}
}

// Generate generates a new authorize code or returns an error. set secret
Expand All @@ -96,12 +110,26 @@ func (j *ES256JWTStrategy) Generate(ctx context.Context, claims MapClaims, heade

// Validate validates a token and returns its signature or an error if the token is not valid.
func (j *ES256JWTStrategy) Validate(ctx context.Context, token string) (string, error) {
return validateToken(token, &j.PrivateKey.PublicKey)
switch t := j.PrivateKey.(type) {
case *ecdsa.PrivateKey:
return validateToken(token, t.PublicKey)
case jose.OpaqueSigner:
return validateToken(token, t.Public().Key)
default:
return "", errors.New("Unable to validate token. Invalid PrivateKey type")
}
}

// Decode will decode a JWT token
func (j *ES256JWTStrategy) Decode(ctx context.Context, token string) (*Token, error) {
return decodeToken(token, &j.PrivateKey.PublicKey)
switch t := j.PrivateKey.(type) {
case *ecdsa.PrivateKey:
return decodeToken(token, t.PublicKey)
case jose.OpaqueSigner:
return decodeToken(token, t.Public().Key)
default:
return nil, errors.New("Unable to decode token. Invalid PrivateKey type")
}
}

// GetSignature will return the signature of a token
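Review bot: The `*rsa.PrivateKey` and `*ecdsa.PrivateKey` branches of Validate and Decode now hand `t.PublicKey` to validateToken/decodeToken by value, whereas the replaced lines passed `&j.PrivateKey.PublicKey`; unless those helpers (outside this hunk) normalise the value form, a verifier that only recognises `*rsa.PublicKey`/`*ecdsa.PublicKey` would reject every token on the software-key path, so this needs a test that round-trips a token through the non-HSM strategy. Restoring the pointer, `return validateToken(token, &t.PublicKey)` (and likewise in the three sibling methods), also keeps the call consistent with the `jose.OpaqueSigner` branch, whose `Public().Key` is, in go-jose, the pointer type. Separately, the OpaqueSigner case of the RS256 strategy never checks that `t.Public().Key` is actually an RSA key (nor the ES256 one an EC key), so a signer backed by the other algorithm is silently accepted and the strategy's name no longer pins the key type; a type assertion on the returned key, or a comparison of `t.Public().Algorithm` with the strategy's algorithm before use, would close that gap. Minor: Go error strings are conventionally lowercase, e.g. `"unable to validate token: invalid PrivateKey type"`.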