Merge pull request #15 from haproxytech/issue-13

NickMRamirez · web-flow · commit 8df6e3738fab · 2021-06-03T11:25:27.000-04:00
Fixes #13: Adding HS512 algorithm support.
diff --git a/README.md b/README.md
@@ -48,3 +48,4 @@ A sample application can be found at https://github.com/haproxytechblog/haproxy-
 
 * RS256
 * HS256
+* HS512
diff --git a/lib/jwtverify.lua b/lib/jwtverify.lua
@@ -101,8 +101,8 @@ local function algorithmIsValid(token)
   if token.headerdecoded.alg == nil then
       log("No 'alg' provided in JWT header.")
       return false
-  elseif token.headerdecoded.alg ~= 'HS256' and token.headerdecoded.alg ~= 'RS256' then
-      log("HS256 and RS256 supported. Incorrect alg in JWT: " .. token.headerdecoded.alg)
+  elseif token.headerdecoded.alg ~= 'HS256' and  token.headerdecoded.alg ~= 'HS512' and token.headerdecoded.alg ~= 'RS256' then
+      log("HS256, HS512 and RS256 supported. Incorrect alg in JWT: " .. token.headerdecoded.alg)
       return false
   end
 
@@ -123,6 +123,12 @@ local function hs256SignatureIsValid(token, secret)
   return checksum == token.signaturedecoded
 end
 
+local function hs512SignatureIsValid(token, secret)
+  local hmac = openssl.hmac.new(secret, 'SHA512')
+  local checksum = hmac:final(token.header .. '.' .. token.payload)
+  return checksum == token.signaturedecoded
+end
+
 local function expirationIsValid(token)
   return os.difftime(token.payloaddecoded.exp, core.now().sec) > 0
 end
@@ -149,7 +155,7 @@ function jwtverify(txn)
     goto out
   end
 
-  -- 2. Verify the signature algorithm is supported (HS256, RS256)
+  -- 2. Verify the signature algorithm is supported (HS256, HS512, RS256)
   if algorithmIsValid(token) == false then
       log("Algorithm not valid.")
       goto out
@@ -166,6 +172,11 @@ function jwtverify(txn)
       log("Signature not valid.")
       goto out
     end
+  elseif token.headerdecoded.alg == 'HS512' then
+    if hs512SignatureIsValid(token, hmacSecret) == false then
+      log("Signature not valid.")
+      goto out
+    end
   end
 
   -- 4. Verify that the token is not expired
@@ -217,7 +228,7 @@ local publicKeyPath = os.getenv("OAUTH_PUBKEY_PATH")
 local pem = readAll(publicKeyPath)
 config.publicKey = pem
 
--- when using an HS256 signature
+-- when using an HS256 or HS512 signature
 config.hmacSecret = os.getenv("OAUTH_HMAC_SECRET")
 
 log("PublicKeyPath: " .. publicKeyPath)

Original file line number	Diff line number	Diff line change
`@@ -48,3 +48,4 @@ A sample application can be found at https://github.com/haproxytechblog/haproxy-`
`48`	`48`
`49`	`49`	`* RS256`
`50`	`50`	`* HS256`
	`51`	`+* HS512`