1 change: 1 addition & 0 deletions README.md
Expand Up @@ -48,3 +48,4 @@ A sample application can be found at https://github.com/haproxytechblog/haproxy-

* RS256
* HS256
* HS512
19 changes: 15 additions & 4 deletions lib/jwtverify.lua
Expand Up @@ -101,8 +101,8 @@ local function algorithmIsValid(token)
if token.headerdecoded.alg == nil then
log("No 'alg' provided in JWT header.")
return false
elseif token.headerdecoded.alg ~= 'HS256' and token.headerdecoded.alg ~= 'RS256' then
log("HS256 and RS256 supported. Incorrect alg in JWT: " .. token.headerdecoded.alg)
elseif token.headerdecoded.alg ~= 'HS256' and token.headerdecoded.alg ~= 'HS512' and token.headerdecoded.alg ~= 'RS256' then
log("HS256, HS512 and RS256 supported. Incorrect alg in JWT: " .. token.headerdecoded.alg)
return false
end

Expand All @@ -123,6 +123,12 @@ local function hs256SignatureIsValid(token, secret)
return checksum == token.signaturedecoded
end

local function hs512SignatureIsValid(token, secret)
local hmac = openssl.hmac.new(secret, 'SHA512')
local checksum = hmac:final(token.header .. '.' .. token.payload)
return checksum == token.signaturedecoded
end

local function expirationIsValid(token)
return os.difftime(token.payloaddecoded.exp, core.now().sec) > 0
end
Expand All @@ -149,7 +155,7 @@ function jwtverify(txn)
goto out
end

-- 2. Verify the signature algorithm is supported (HS256, RS256)
-- 2. Verify the signature algorithm is supported (HS256, HS512, RS256)
if algorithmIsValid(token) == false then
log("Algorithm not valid.")
goto out
Expand All @@ -166,6 +172,11 @@ function jwtverify(txn)
log("Signature not valid.")
goto out
end
elseif token.headerdecoded.alg == 'HS512' then
if hs512SignatureIsValid(token, hmacSecret) == false then
log("Signature not valid.")
goto out
end
end

-- 4. Verify that the token is not expired
Expand Down Expand Up @@ -217,7 +228,7 @@ local publicKeyPath = os.getenv("OAUTH_PUBKEY_PATH")
local pem = readAll(publicKeyPath)
config.publicKey = pem

-- when using an HS256 signature
-- when using an HS256 or HS512 signature
config.hmacSecret = os.getenv("OAUTH_HMAC_SECRET")

log("PublicKeyPath: " .. publicKeyPath)
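Review bot: The new hs512SignatureIsValid compares the computed MAC to the token's signature with `checksum == token.signaturedecoded`, and in Lua 5.3/5.4 a 64-byte digest is a long string whose `==` is a byte-by-byte compare that stops at the first mismatch, so verification time can reveal how many leading bytes of a candidate signature were correct; the same applies to hs256SignatureIsValid just above it (that function starts outside the hunk). Since the two HMAC functions differ only in the digest name, I would fold them into one helper taking the digest and route the comparison through a length-checked, non-short-circuiting compare, then call `hmacSignatureIsValid(token, hmacSecret, 'SHA512')` from the new `elseif` branch in jwtverify. Separately, `config.hmacSecret = os.getenv("OAUTH_HMAC_SECRET")` is stored without checking that the variable is set; the new HS512 branch passes it straight to `openssl.hmac.new`, so a missing secret would presumably surface as an error in the request path rather than at startup — worth a log or `assert` next to the existing `publicKeyPath` handling.
```lua
-- Compare two byte strings without returning at the first differing byte,
-- so the time taken does not depend on how much of a candidate MAC matched.
-- Length is not secret, so an early exit on a length mismatch is acceptable.
local function constantTimeEquals(a, b)
  if type(a) ~= "string" or type(b) ~= "string" or #a ~= #b then
    return false
  end
  local diff = 0
  for i = 1, #a do
    diff = diff + math.abs(a:byte(i) - b:byte(i))
  end
  return diff == 0
end

-- Verify an HMAC-signed token; `digest` is the OpenSSL digest name
-- ('SHA256' or 'SHA512'). Replaces hs256SignatureIsValid / hs512SignatureIsValid.
local function hmacSignatureIsValid(token, secret, digest)
  local hmac = openssl.hmac.new(secret, digest)
  local checksum = hmac:final(token.header .. '.' .. token.payload)
  return constantTimeEquals(checksum, token.signaturedecoded)
end
-- … unchanged: expirationIsValid, jwtverify (call hmacSignatureIsValid with 'SHA256' / 'SHA512' in the alg branches) …
```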