mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2026-05-17 00:26:36 +03:00
### Describe Your Changes It was [decided](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/9439#issuecomment-3612299461) that OIDC authentication in vmauth will be part of open source repo. That requires opensourcing lib/jwt. PR does not contain any changes in logic, just copy-paste from enterprise repository. Related to https://github.com/VictoriaMetrics/VictoriaMetrics/issues/9439 ### Checklist The following checks are **mandatory**: - [ ] My change adheres to [VictoriaMetrics contributing guidelines](https://docs.victoriametrics.com/victoriametrics/contributing/#pull-request-checklist). - [ ] My change adheres to [VictoriaMetrics development goals](https://docs.victoriametrics.com/victoriametrics/goals/).
package jwt
import (
"crypto"
"crypto/rsa"
)
// newVerifierRS builds a verifier for RSA PKCS#1 v1.5 signatures bound to
// a single algorithm and a single public key.
//
// It returns ErrNilKey when key is nil and passes through the error from
// getHashRS when alg has no digest mapping there.
//
// NOTE(review): no minimum modulus size is enforced in this constructor;
// confirm that key strength is validated where keys are loaded.
func newVerifierRS(alg Algorithm, key *rsa.PublicKey) (*rsAlg, error) {
	if key == nil {
		return nil, ErrNilKey
	}

	// Resolve the digest once so that verification never depends on
	// anything carried inside a token.
	h, err := getHashRS(alg)
	if err != nil {
		return nil, err
	}

	v := &rsAlg{alg: alg, hash: h, publicKey: key}
	return v, nil
}
// getHashRS maps an RS* algorithm identifier to the digest function used
// for its signatures: RS256 -> SHA-256, RS384 -> SHA-384, RS512 -> SHA-512.
//
// Any other value is rejected with ErrUnsupportedAlg, so an unknown
// algorithm never falls back to a default digest.
func getHashRS(alg Algorithm) (crypto.Hash, error) {
	switch alg {
	case RS256:
		return crypto.SHA256, nil
	case RS384:
		return crypto.SHA384, nil
	case RS512:
		return crypto.SHA512, nil
	}
	return 0, ErrUnsupportedAlg
}
// rsAlg verifies RSA PKCS#1 v1.5 signatures with a fixed algorithm and key.
// Instances are created by newVerifierRS, which fills all three fields.
type rsAlg struct {
	// alg is the algorithm identifier the verifier was created for.
	alg Algorithm
	// hash is the digest function derived from alg by getHashRS.
	hash crypto.Hash
	// publicKey is the RSA key signatures are checked against;
	// newVerifierRS rejects a nil key.
	publicKey *rsa.PublicKey
}
// Verify checks the signature of token against the verifier's public key
// and returns the result of rs.verify.
//
// Only token.payload and token.signature are read here; the digest comes
// from the verifier's own configuration, not from the token.
//
// NOTE(review): this method does not compare the algorithm declared by the
// token with rs.alg and does not look at claims; confirm the caller does
// both. token is dereferenced without a nil check.
func (rs *rsAlg) Verify(token *Token) error {
	signed, sig := token.payload, token.signature
	return rs.verify(signed, sig)
}
// verify hashes payload with the verifier's digest and checks signature
// against it using RSA PKCS#1 v1.5.
//
// An error from hashPayload is returned unchanged. Any failure reported by
// rsa.VerifyPKCS1v15 is returned as ErrInvalidSignature, so callers get a
// single sentinel regardless of the underlying reason.
func (rs *rsAlg) verify(payload, signature []byte) error {
	sum, err := hashPayload(rs.hash, payload)
	if err != nil {
		return err
	}

	// The underlying error is deliberately dropped in favour of the
	// package's sentinel.
	if rsa.VerifyPKCS1v15(rs.publicKey, rs.hash, sum, signature) != nil {
		return ErrInvalidSignature
	}
	return nil
}