
Commit a13ac43

committed
Adding HS512 algorithm support.
1 parent 1d1bdd7 commit a13ac43

1 file changed

+15
-4
lines changed


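--- a/lib/jwtverify.lua
+++ b/lib/jwtverify.lua
@@ -101,8 +101,8 @@ local function algorithmIsValid(token)
 if token.headerdecoded.alg == nil then
 log("No 'alg' provided in JWT header.")
 return false
-elseif token.headerdecoded.alg ~= 'HS256' and token.headerdecoded.alg ~= 'RS256' then
-log("HS256 and RS256 supported. Incorrect alg in JWT: " .. token.headerdecoded.alg)
+elseif token.headerdecoded.alg ~= 'HS256' and token.headerdecoded.alg ~= 'HS512' and token.headerdecoded.alg ~= 'RS256' then
+log("HS256, HS512 and RS256 supported. Incorrect alg in JWT: " .. token.headerdecoded.alg)
 return false
 end
 
@@ -123,6 +123,12 @@ local function hs256SignatureIsValid(token, secret)
 return checksum == token.signaturedecoded
 end
 
+local function hs512SignatureIsValid(token, secret)
+local hmac = openssl.hmac.new(secret, 'SHA512')
+local checksum = hmac:final(token.header .. '.' .. token.payload)
+return checksum == token.signaturedecoded
+end
+
 local function expirationIsValid(token)
 return os.difftime(token.payloaddecoded.exp, core.now().sec) > 0
 end
@@ -149,7 +155,7 @@ function jwtverify(txn)
 goto out
 end
 
--- 2. Verify the signature algorithm is supported (HS256, RS256)
+-- 2. Verify the signature algorithm is supported (HS256, HS512, RS256)
 if algorithmIsValid(token) == false then
 log("Algorithm not valid.")
 goto out
@@ -166,6 +172,11 @@ function jwtverify(txn)
 log("Signature not valid.")
 goto out
 end
+elseif token.headerdecoded.alg == 'HS512' then
+if hs512SignatureIsValid(token, hmacSecret) == false then
+log("Signature not valid.")
+goto out
+end
 end
 
 -- 4. Verify that the token is not expired
@@ -217,7 +228,7 @@ local publicKeyPath = os.getenv("OAUTH_PUBKEY_PATH")
 local pem = readAll(publicKeyPath)
 config.publicKey = pem
 
--- when using an HS256 signature
+-- when using an HS256 or HS512 signature
 config.hmacSecret = os.getenv("OAUTH_HMAC_SECRET")
 
 log("PublicKeyPath: " .. publicKeyPath)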
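Review bot: The new `elseif token.headerdecoded.alg == 'HS512'` branch in `jwtverify` passes `hmacSecret` straight into `hs512SignatureIsValid` without checking that a secret was configured, yet the last hunk shows it comes from `os.getenv("OAUTH_HMAC_SECRET")`, which is nil when the variable is unset (assuming the local is taken from `config.hmacSecret`; the assignment is outside the hunk). Whether `openssl.hmac.new(nil, 'SHA512')` raises or keys the MAC with an empty string is not visible here, so a deployment that only intends RS256 should refuse HMAC algorithms explicitly rather than rely on library behaviour: `if hmacSecret == nil then log("No HMAC secret configured; refusing " .. token.headerdecoded.alg) goto out end` placed before the HS256/HS512 verification, and ideally the same for the HS256 branch whose start is outside the hunk. `hs512SignatureIsValid` is a line-for-line copy of `hs256SignatureIsValid` with only the digest name changed; folding both into `hmacSignatureIsValid(token, secret, digest)` with `digest` chosen from the validated `alg` would remove the duplication and make adding further HMAC digests a one-line change. Note also that `checksum == token.signaturedecoded` is a plain Lua string comparison and therefore not constant-time; that is inherited from the HS256 helper, but a shared helper would be the natural place to switch to a fixed-time comparison if the openssl binding offers one. The body of `jwtverify` starts and ends outside the hunks.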
