c76ad94492
This commit adds a build step to travis to auto-delete unstable archives older than 14 days (our regular release schedule) from Azure via ci.go purge. The commit also pulls in the latest Azure storage code, also switching over from the old import path (github.com/Azure/azure-sdk-for-go) to the new split one (github.com/Azure/azure-storage-go).
127 lines
2.7 KiB
Go
127 lines
2.7 KiB
Go
// +build go1.4
|
|
|
|
package jwt
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
)
|
|
|
|
// Implements the RSAPSS family of signing methods signing methods
|
|
type SigningMethodRSAPSS struct {
|
|
*SigningMethodRSA
|
|
Options *rsa.PSSOptions
|
|
}
|
|
|
|
// Specific instances for RS/PS and company
|
|
var (
|
|
SigningMethodPS256 *SigningMethodRSAPSS
|
|
SigningMethodPS384 *SigningMethodRSAPSS
|
|
SigningMethodPS512 *SigningMethodRSAPSS
|
|
)
|
|
|
|
func init() {
|
|
// PS256
|
|
SigningMethodPS256 = &SigningMethodRSAPSS{
|
|
&SigningMethodRSA{
|
|
Name: "PS256",
|
|
Hash: crypto.SHA256,
|
|
},
|
|
&rsa.PSSOptions{
|
|
SaltLength: rsa.PSSSaltLengthAuto,
|
|
Hash: crypto.SHA256,
|
|
},
|
|
}
|
|
RegisterSigningMethod(SigningMethodPS256.Alg(), func() SigningMethod {
|
|
return SigningMethodPS256
|
|
})
|
|
|
|
// PS384
|
|
SigningMethodPS384 = &SigningMethodRSAPSS{
|
|
&SigningMethodRSA{
|
|
Name: "PS384",
|
|
Hash: crypto.SHA384,
|
|
},
|
|
&rsa.PSSOptions{
|
|
SaltLength: rsa.PSSSaltLengthAuto,
|
|
Hash: crypto.SHA384,
|
|
},
|
|
}
|
|
RegisterSigningMethod(SigningMethodPS384.Alg(), func() SigningMethod {
|
|
return SigningMethodPS384
|
|
})
|
|
|
|
// PS512
|
|
SigningMethodPS512 = &SigningMethodRSAPSS{
|
|
&SigningMethodRSA{
|
|
Name: "PS512",
|
|
Hash: crypto.SHA512,
|
|
},
|
|
&rsa.PSSOptions{
|
|
SaltLength: rsa.PSSSaltLengthAuto,
|
|
Hash: crypto.SHA512,
|
|
},
|
|
}
|
|
RegisterSigningMethod(SigningMethodPS512.Alg(), func() SigningMethod {
|
|
return SigningMethodPS512
|
|
})
|
|
}
|
|
|
|
// Implements the Verify method from SigningMethod
|
|
// For this verify method, key must be an rsa.PublicKey struct
|
|
func (m *SigningMethodRSAPSS) Verify(signingString, signature string, key interface{}) error {
|
|
var err error
|
|
|
|
// Decode the signature
|
|
var sig []byte
|
|
if sig, err = DecodeSegment(signature); err != nil {
|
|
return err
|
|
}
|
|
|
|
var rsaKey *rsa.PublicKey
|
|
switch k := key.(type) {
|
|
case *rsa.PublicKey:
|
|
rsaKey = k
|
|
default:
|
|
return ErrInvalidKey
|
|
}
|
|
|
|
// Create hasher
|
|
if !m.Hash.Available() {
|
|
return ErrHashUnavailable
|
|
}
|
|
hasher := m.Hash.New()
|
|
hasher.Write([]byte(signingString))
|
|
|
|
return rsa.VerifyPSS(rsaKey, m.Hash, hasher.Sum(nil), sig, m.Options)
|
|
}
|
|
|
|
// Implements the Sign method from SigningMethod
|
|
// For this signing method, key must be an rsa.PrivateKey struct
|
|
func (m *SigningMethodRSAPSS) Sign(signingString string, key interface{}) (string, error) {
|
|
var rsaKey *rsa.PrivateKey
|
|
|
|
switch k := key.(type) {
|
|
case *rsa.PrivateKey:
|
|
rsaKey = k
|
|
default:
|
|
return "", ErrInvalidKeyType
|
|
}
|
|
|
|
// Create the hasher
|
|
if !m.Hash.Available() {
|
|
return "", ErrHashUnavailable
|
|
}
|
|
|
|
hasher := m.Hash.New()
|
|
hasher.Write([]byte(signingString))
|
|
|
|
// Sign the string and return the encoded bytes
|
|
if sigBytes, err := rsa.SignPSS(rand.Reader, rsaKey, m.Hash, hasher.Sum(nil), m.Options); err == nil {
|
|
return EncodeSegment(sigBytes), nil
|
|
} else {
|
|
return "", err
|
|
}
|
|
}
|