本站源代码
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

96 line
2.4KB

  1. package jwt
  2. import (
  3. "crypto"
  4. "crypto/hmac"
  5. "errors"
  6. )
  7. // Implements the HMAC-SHA family of signing methods signing methods
  8. // Expects key type of []byte for both signing and validation
  9. type SigningMethodHMAC struct {
  10. Name string
  11. Hash crypto.Hash
  12. }
  13. // Specific instances for HS256 and company
  14. var (
  15. SigningMethodHS256 *SigningMethodHMAC
  16. SigningMethodHS384 *SigningMethodHMAC
  17. SigningMethodHS512 *SigningMethodHMAC
  18. ErrSignatureInvalid = errors.New("signature is invalid")
  19. )
  20. func init() {
  21. // HS256
  22. SigningMethodHS256 = &SigningMethodHMAC{"HS256", crypto.SHA256}
  23. RegisterSigningMethod(SigningMethodHS256.Alg(), func() SigningMethod {
  24. return SigningMethodHS256
  25. })
  26. // HS384
  27. SigningMethodHS384 = &SigningMethodHMAC{"HS384", crypto.SHA384}
  28. RegisterSigningMethod(SigningMethodHS384.Alg(), func() SigningMethod {
  29. return SigningMethodHS384
  30. })
  31. // HS512
  32. SigningMethodHS512 = &SigningMethodHMAC{"HS512", crypto.SHA512}
  33. RegisterSigningMethod(SigningMethodHS512.Alg(), func() SigningMethod {
  34. return SigningMethodHS512
  35. })
  36. }
  37. func (m *SigningMethodHMAC) Alg() string {
  38. return m.Name
  39. }
  40. // Verify the signature of HSXXX tokens. Returns nil if the signature is valid.
  41. func (m *SigningMethodHMAC) Verify(signingString, signature string, key interface{}) error {
  42. // Verify the key is the right type
  43. keyBytes, ok := key.([]byte)
  44. if !ok {
  45. return ErrInvalidKeyType
  46. }
  47. // Decode signature, for comparison
  48. sig, err := DecodeSegment(signature)
  49. if err != nil {
  50. return err
  51. }
  52. // Can we use the specified hashing method?
  53. if !m.Hash.Available() {
  54. return ErrHashUnavailable
  55. }
  56. // This signing method is symmetric, so we validate the signature
  57. // by reproducing the signature from the signing string and key, then
  58. // comparing that against the provided signature.
  59. hasher := hmac.New(m.Hash.New, keyBytes)
  60. hasher.Write([]byte(signingString))
  61. if !hmac.Equal(sig, hasher.Sum(nil)) {
  62. return ErrSignatureInvalid
  63. }
  64. // No validation errors. Signature is good.
  65. return nil
  66. }
  67. // Implements the Sign method from SigningMethod for this signing method.
  68. // Key must be []byte
  69. func (m *SigningMethodHMAC) Sign(signingString string, key interface{}) (string, error) {
  70. if keyBytes, ok := key.([]byte); ok {
  71. if !m.Hash.Available() {
  72. return "", ErrHashUnavailable
  73. }
  74. hasher := hmac.New(m.Hash.New, keyBytes)
  75. hasher.Write([]byte(signingString))
  76. return EncodeSegment(hasher.Sum(nil)), nil
  77. }
  78. return "", ErrInvalidKeyType
  79. }
上海开阖软件有限公司 沪ICP备12045867号-1