go-sample-webpage/vendor/github.com/lestrrat-go/jwx/jws/message.go

364 lines
8.9 KiB
Go
Raw Normal View History

2021-11-04 01:14:51 +00:00
package jws
import (
"bytes"
"context"
"github.com/lestrrat-go/jwx/internal/base64"
"github.com/lestrrat-go/jwx/internal/json"
"github.com/lestrrat-go/jwx/internal/pool"
"github.com/lestrrat-go/jwx/jwk"
"github.com/pkg/errors"
)
func NewSignature() *Signature {
return &Signature{}
}
func (s Signature) PublicHeaders() Headers {
return s.headers
}
func (s *Signature) SetPublicHeaders(v Headers) *Signature {
s.headers = v
return s
}
func (s Signature) ProtectedHeaders() Headers {
return s.protected
}
func (s *Signature) SetProtectedHeaders(v Headers) *Signature {
s.protected = v
return s
}
func (s Signature) Signature() []byte {
return s.signature
}
func (s *Signature) SetSignature(v []byte) *Signature {
s.signature = v
return s
}
// Sign populates the signature field, with a signature generated by
// given the signer object and payload.
//
// The first return value is the raw signature in binary format.
// The second return value s the full three-segment signature
// (e.g. "eyXXXX.XXXXX.XXXX")
func (s *Signature) Sign(payload []byte, signer Signer, key interface{}) ([]byte, []byte, error) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
hdrs, err := mergeHeaders(ctx, s.headers, s.protected)
if err != nil {
return nil, nil, errors.Wrap(err, `failed to merge headers`)
}
if err := hdrs.Set(AlgorithmKey, signer.Algorithm()); err != nil {
return nil, nil, errors.Wrap(err, `failed to set "alg"`)
}
// If the key is a jwk.Key instance, obtain the raw key
if jwkKey, ok := key.(jwk.Key); ok {
// If we have a key ID specified by this jwk.Key, use that in the header
if kid := jwkKey.KeyID(); kid != "" {
if err := hdrs.Set(jwk.KeyIDKey, kid); err != nil {
return nil, nil, errors.Wrap(err, `set key ID from jwk.Key`)
}
}
}
hdrbuf, err := json.Marshal(hdrs)
if err != nil {
return nil, nil, errors.Wrap(err, `failed to marshal headers`)
}
buf := pool.GetBytesBuffer()
defer pool.ReleaseBytesBuffer(buf)
buf.WriteString(base64.EncodeToString(hdrbuf))
buf.WriteByte('.')
if getB64Value(hdrs) {
buf.WriteString(base64.EncodeToString(payload))
} else {
if bytes.ContainsRune(payload, '.') {
return nil, nil, errors.New(`payload must not contain a "." when b64 = false`)
}
buf.Write(payload)
}
signature, err := signer.Sign(buf.Bytes(), key)
if err != nil {
return nil, nil, errors.Wrap(err, `failed to sign payload`)
}
s.signature = signature
buf.WriteByte('.')
buf.WriteString(base64.EncodeToString(signature))
ret := make([]byte, buf.Len())
copy(ret, buf.Bytes())
return signature, ret, nil
}
func NewMessage() *Message {
return &Message{}
}
// Payload returns the decoded payload
func (m Message) Payload() []byte {
return m.payload
}
func (m *Message) SetPayload(v []byte) *Message {
m.payload = v
return m
}
func (m Message) Signatures() []*Signature {
return m.signatures
}
func (m *Message) AppendSignature(v *Signature) *Message {
m.signatures = append(m.signatures, v)
return m
}
func (m *Message) ClearSignatures() *Message {
m.signatures = nil
return m
}
// LookupSignature looks up a particular signature entry using
// the `kid` value
func (m Message) LookupSignature(kid string) []*Signature {
var sigs []*Signature
for _, sig := range m.signatures {
if hdr := sig.PublicHeaders(); hdr != nil {
hdrKeyID := hdr.KeyID()
if hdrKeyID == kid {
sigs = append(sigs, sig)
continue
}
}
if hdr := sig.ProtectedHeaders(); hdr != nil {
hdrKeyID := hdr.KeyID()
if hdrKeyID == kid {
sigs = append(sigs, sig)
continue
}
}
}
return sigs
}
type messageProxy struct {
Payload string `json:"payload"` // base64 URL encoded
Signatures []*signatureProxy `json:"signatures,omitempty"`
// These are only available when we're using flattened JSON
// (normally I would embed *signatureProxy, but because
// signatureProxy is not exported, we can't use that)
Header *json.RawMessage `json:"header,omitempty"`
Protected *string `json:"protected,omitempty"`
Signature *string `json:"signature,omitempty"`
}
type signatureProxy struct {
Header json.RawMessage `json:"header"`
Protected string `json:"protected"`
Signature string `json:"signature"`
}
func (m *Message) UnmarshalJSON(buf []byte) error {
var proxy messageProxy
if err := json.Unmarshal(buf, &proxy); err != nil {
return errors.Wrap(err, `failed to unmarshal into temporary structure`)
}
if proxy.Signature != nil {
if len(proxy.Signatures) > 0 {
return errors.New(`invalid format ("signatures" and "signature" keys cannot both be present)`)
}
var sigproxy signatureProxy
if hdr := proxy.Header; hdr != nil {
sigproxy.Header = *hdr
}
if hdr := proxy.Protected; hdr != nil {
sigproxy.Protected = *hdr
}
sigproxy.Signature = *proxy.Signature
proxy.Signatures = append(proxy.Signatures, &sigproxy)
}
b64 := true
for i, sigproxy := range proxy.Signatures {
var sig Signature
if len(sigproxy.Header) > 0 {
sig.headers = NewHeaders()
if err := json.Unmarshal(sigproxy.Header, sig.headers); err != nil {
return errors.Wrapf(err, `failed to unmarshal "header" for signature #%d`, i+1)
}
}
if len(sigproxy.Protected) > 0 {
buf, err := base64.DecodeString(sigproxy.Protected)
if err != nil {
return errors.Wrapf(err, `failed to decode "protected" for signature #%d`, i+1)
}
sig.protected = NewHeaders()
if err := json.Unmarshal(buf, sig.protected); err != nil {
return errors.Wrapf(err, `failed to unmarshal "protected" for signature #%d`, i+1)
}
if i == 0 {
b64 = getB64Value(sig.protected)
} else {
if b64 != getB64Value(sig.protected) {
return errors.Errorf(`b64 value must be the same for all signatures`)
}
}
}
if len(sigproxy.Signature) == 0 {
return errors.Errorf(`"signature" must be non-empty for signature #%d`, i+1)
}
buf, err := base64.DecodeString(sigproxy.Signature)
if err != nil {
return errors.Wrapf(err, `failed to decode "signature" for signature #%d`, i+1)
}
sig.signature = buf
m.signatures = append(m.signatures, &sig)
}
if !b64 {
m.payload = []byte(proxy.Payload)
} else {
// Everything in the proxy is base64 encoded, except for signatures.header
if len(proxy.Payload) == 0 {
return errors.New(`"payload" must be non-empty`)
}
buf, err := base64.DecodeString(proxy.Payload)
if err != nil {
return errors.Wrap(err, `failed to decode payload`)
}
m.payload = buf
}
m.b64 = b64
return nil
}
func (m Message) MarshalJSON() ([]byte, error) {
if len(m.signatures) == 1 {
return m.marshalFlattened()
}
return m.marshalFull()
}
func (m Message) marshalFlattened() ([]byte, error) {
buf := pool.GetBytesBuffer()
defer pool.ReleaseBytesBuffer(buf)
sig := m.signatures[0]
buf.WriteRune('{')
var wrote bool
if hdr := sig.headers; hdr != nil {
hdrjs, err := hdr.MarshalJSON()
if err != nil {
return nil, errors.Wrap(err, `failed to marshal "header" (flattened format)`)
}
buf.WriteString(`"header":`)
buf.Write(hdrjs)
wrote = true
}
if wrote {
buf.WriteRune(',')
}
buf.WriteString(`"payload":"`)
buf.WriteString(base64.EncodeToString(m.payload))
buf.WriteRune('"')
if protected := sig.protected; protected != nil {
protectedbuf, err := protected.MarshalJSON()
if err != nil {
return nil, errors.Wrap(err, `failed to marshal "protected" (flattened format)`)
}
buf.WriteString(`,"protected":"`)
buf.WriteString(base64.EncodeToString(protectedbuf))
buf.WriteRune('"')
}
buf.WriteString(`,"signature":"`)
buf.WriteString(base64.EncodeToString(sig.signature))
buf.WriteRune('"')
buf.WriteRune('}')
ret := make([]byte, buf.Len())
copy(ret, buf.Bytes())
return ret, nil
}
func (m Message) marshalFull() ([]byte, error) {
buf := pool.GetBytesBuffer()
defer pool.ReleaseBytesBuffer(buf)
buf.WriteString(`{"payload":"`)
buf.WriteString(base64.EncodeToString(m.payload))
buf.WriteString(`","signatures":[`)
for i, sig := range m.signatures {
if i > 0 {
buf.WriteRune(',')
}
buf.WriteRune('{')
var wrote bool
if hdr := sig.headers; hdr != nil {
hdrbuf, err := hdr.MarshalJSON()
if err != nil {
return nil, errors.Wrapf(err, `failed to marshal "header" for signature #%d`, i+1)
}
buf.WriteString(`"header":`)
buf.Write(hdrbuf)
wrote = true
}
if protected := sig.protected; protected != nil {
protectedbuf, err := protected.MarshalJSON()
if err != nil {
return nil, errors.Wrapf(err, `failed to marshal "protected" for signature #%d`, i+1)
}
if wrote {
buf.WriteRune(',')
}
buf.WriteString(`"protected":"`)
buf.WriteString(base64.EncodeToString(protectedbuf))
buf.WriteRune('"')
wrote = true
}
if wrote {
buf.WriteRune(',')
}
buf.WriteString(`"signature":"`)
buf.WriteString(base64.EncodeToString(sig.signature))
buf.WriteString(`"}`)
}
buf.WriteString(`]}`)
ret := make([]byte, buf.Len())
copy(ret, buf.Bytes())
return ret, nil
}