util.jwt: All the algorithms (+ all the tests!)

Except 'none'. Not implementing that one.
2025-04-03 21:27:38 +03:00 · 2022-07-02 15:29:04 +01:00 · 2022-07-02 15:29:04 +01:00 · fad58c5ab2
commit fad58c5ab2
parent 12a9ab92de
2 changed files with 98 additions and 24 deletions
--- a/spec/util_jwt_spec.lua
+++ b/spec/util_jwt_spec.lua
@ -1,6 +1,13 @@
 local jwt = require "util.jwt";
 local test_keys = require "spec.inputs.test_keys";

+local array = require "util.array";
+local iter = require "util.iterators";
+local set = require "util.set";
+
+-- Ignore long lines. We have some long tokens embedded here.
+--luacheck: ignore 631
+
 describe("util.jwt", function ()
 	it("validates", function ()
 		local key = "secret";
@ -21,6 +28,21 @@ describe("util.jwt", function ()
 		assert.falsy(ok)
 	end);

+	local function jwt_reference_token(token)
+		return {
+			name = "jwt.io reference";
+			token;
+			{     -- payload
+				sub = "1234567890";
+				name = "John Doe";
+				admin = true;
+				iat = 1516239022;
+			};
+		};
+	end
+
+	local untested_algorithms = set.new(array.collect(iter.keys(jwt._algorithms)));
+
 	local test_cases = {
 		{
 			algorithm = "HS256";
@ -28,15 +50,26 @@ describe("util.jwt", function ()
 				{ "your-256-bit-secret", "your-256-bit-secret" };
 				{ "another-secret", "another-secret" };
 			};
-			{
-				name = "jwt.io reference";
-				[[eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c]];
-				{     -- payload
-					sub = "1234567890";
-					name = "John Doe";
-					iat = 1516239022;
-				};
+
+			jwt_reference_token [[eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJhZG1pbiI6dHJ1ZX0.F-cvL2RcfQhUtCavIM7q7zYE8drmj2LJk0JRkrS6He4]];
+		};
+		{
+			algorithm = "HS384";
+			keys = {
+				{ "your-384-bit-secret", "your-384-bit-secret" };
+				{ "another-secret", "another-secret" };
 			};
+
+			jwt_reference_token [[eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.bQTnz6AuMJvmXXQsVPrxeQNvzDkimo7VNXxHeSBfClLufmCVZRUuyTwJF311JHuh]];
+		};
+		{
+			algorithm = "HS512";
+			keys = {
+				{ "your-512-bit-secret", "your-512-bit-secret" };
+				{ "another-secret", "another-secret" };
+			};
+
+			jwt_reference_token [[eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.VFb0qJ1LRg_4ujbZoRMXnVkUgiuKq5KxWqNdbKq_G9Vvz-S1zZa9LPxtHWKa64zDl2ofkT8F6jBt_K4riU-fPg]];
 		};
 		{
 			algorithm = "ES256";
@ -72,22 +105,50 @@ describe("util.jwt", function ()
 				};
 			};
 		};
+		{
+			algorithm = "RS384";
+			keys = {
+				{ test_keys.rsa_private_pem, test_keys.rsa_public_pem };
+				{ test_keys.alt_rsa_private_pem, test_keys.alt_rsa_public_pem };
+			};
+
+			jwt_reference_token [[eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.o1hC1xYbJolSyh0-bOY230w22zEQSk5TiBfc-OCvtpI2JtYlW-23-8B48NpATozzMHn0j3rE0xVUldxShzy0xeJ7vYAccVXu2Gs9rnTVqouc-UZu_wJHkZiKBL67j8_61L6SXswzPAQu4kVDwAefGf5hyYBUM-80vYZwWPEpLI8K4yCBsF6I9N1yQaZAJmkMp_Iw371Menae4Mp4JusvBJS-s6LrmG2QbiZaFaxVJiW8KlUkWyUCns8-qFl5OMeYlgGFsyvvSHvXCzQrsEXqyCdS4tQJd73ayYA4SPtCb9clz76N1zE5WsV4Z0BYrxeb77oA7jJhh994RAPzCG0hmQ]];
+		};
+		{
+			algorithm = "RS512";
+			keys = {
+				{ test_keys.rsa_private_pem, test_keys.rsa_public_pem };
+				{ test_keys.alt_rsa_private_pem, test_keys.alt_rsa_public_pem };
+			};
+
+			jwt_reference_token [[eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.jYW04zLDHfR1v7xdrW3lCGZrMIsVe0vWCfVkN2DRns2c3MN-mcp_-RE6TN9umSBYoNV-mnb31wFf8iun3fB6aDS6m_OXAiURVEKrPFNGlR38JSHUtsFzqTOj-wFrJZN4RwvZnNGSMvK3wzzUriZqmiNLsG8lktlEn6KA4kYVaM61_NpmPHWAjGExWv7cjHYupcjMSmR8uMTwN5UuAwgW6FRstCJEfoxwb0WKiyoaSlDuIiHZJ0cyGhhEmmAPiCwtPAwGeaL1yZMcp0p82cpTQ5Qb-7CtRov3N4DcOHgWYk6LomPR5j5cCkePAz87duqyzSMpCB0mCOuE3CU2VMtGeQ]];
+		};
 		{
 			algorithm = "PS256";
 			keys = {
 				{ test_keys.rsa_private_pem, test_keys.rsa_public_pem };
 				{ test_keys.alt_rsa_private_pem, test_keys.alt_rsa_public_pem };
 			};
-			{
-				name = "jwt.io reference";
-				[[eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.iOeNU4dAFFeBwNj6qdhdvm-IvDQrTa6R22lQVJVuWJxorJfeQww5Nwsra0PjaOYhAMj9jNMO5YLmud8U7iQ5gJK2zYyepeSuXhfSi8yjFZfRiSkelqSkU19I-Ja8aQBDbqXf2SAWA8mHF8VS3F08rgEaLCyv98fLLH4vSvsJGf6ueZSLKDVXz24rZRXGWtYYk_OYYTVgR1cg0BLCsuCvqZvHleImJKiWmtS0-CymMO4MMjCy_FIl6I56NqLE9C87tUVpo1mT-kbg5cHDD8I7MjCW5Iii5dethB4Vid3mZ6emKjVYgXrtkOQ-JyGMh6fnQxEFN1ft33GX2eRHluK9eg]];
-				{     -- payload
-					sub = "1234567890";
-					name = "John Doe";
-					admin = true;
-					iat = 1516239022;
-				};
+
+			jwt_reference_token [[eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.iOeNU4dAFFeBwNj6qdhdvm-IvDQrTa6R22lQVJVuWJxorJfeQww5Nwsra0PjaOYhAMj9jNMO5YLmud8U7iQ5gJK2zYyepeSuXhfSi8yjFZfRiSkelqSkU19I-Ja8aQBDbqXf2SAWA8mHF8VS3F08rgEaLCyv98fLLH4vSvsJGf6ueZSLKDVXz24rZRXGWtYYk_OYYTVgR1cg0BLCsuCvqZvHleImJKiWmtS0-CymMO4MMjCy_FIl6I56NqLE9C87tUVpo1mT-kbg5cHDD8I7MjCW5Iii5dethB4Vid3mZ6emKjVYgXrtkOQ-JyGMh6fnQxEFN1ft33GX2eRHluK9eg]];
+		};
+		{
+			algorithm = "PS384";
+			keys = {
+				{ test_keys.rsa_private_pem, test_keys.rsa_public_pem };
+				{ test_keys.alt_rsa_private_pem, test_keys.alt_rsa_public_pem };
 			};
+
+			jwt_reference_token [[eyJhbGciOiJQUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.Lfe_aCQme_gQpUk9-6l9qesu0QYZtfdzfy08w8uqqPH_gnw-IVyQwyGLBHPFBJHMbifdSMxPjJjkCD0laIclhnBhowILu6k66_5Y2z78GHg8YjKocAvB-wSUiBhuV6hXVxE5emSjhfVz2OwiCk2bfk2hziRpkdMvfcITkCx9dmxHU6qcEIsTTHuH020UcGayB1-IoimnjTdCsV1y4CMr_ECDjBrqMdnontkqKRIM1dtmgYFsJM6xm7ewi_ksG_qZHhaoBkxQ9wq9OVQRGiSZYowCp73d2BF3jYMhdmv2JiaUz5jRvv6lVU7Quq6ylVAlSPxeov9voYHO1mgZFCY1kQ]];
+		};
+		{
+			algorithm = "PS512";
+			keys = {
+				{ test_keys.rsa_private_pem, test_keys.rsa_public_pem };
+				{ test_keys.alt_rsa_private_pem, test_keys.alt_rsa_public_pem };
+			};
+
+			jwt_reference_token [[eyJhbGciOiJQUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.J5W09-rNx0pt5_HBiydR-vOluS6oD-RpYNa8PVWwMcBDQSXiw6-EPW8iSsalXPspGj3ouQjAnOP_4-zrlUUlvUIt2T79XyNeiKuooyIFvka3Y5NnGiOUBHWvWcWp4RcQFMBrZkHtJM23sB5D7Wxjx0-HFeNk-Y3UJgeJVhg5NaWXypLkC4y0ADrUBfGAxhvGdRdULZivfvzuVtv6AzW6NRuEE6DM9xpoWX_4here-yvLS2YPiBTZ8xbB3axdM99LhES-n52lVkiX5AWg2JJkEROZzLMpaacA_xlbUz_zbIaOaoqk8gB5oO7kI6sZej3QAdGigQy-hXiRnW_L98d4GQ]];
 		};
 	};

@ -127,17 +188,19 @@ describe("util.jwt", function ()

 		do_verify_test(algorithm, verifying_key, token, expect_success and test_payload or false);
 	end
-				


 	for _, algorithm_tests in ipairs(test_cases) do
 		local algorithm = algorithm_tests.algorithm;
 		local keypairs = algorithm_tests.keys;
+
+		untested_algorithms:remove(algorithm);
+
 		describe(algorithm, function ()
 			it("can do basic sign and verify", function ()
 				for _, keypair in ipairs(keypairs) do
 					local signing_key, verifying_key = keypair[1], keypair[2];
-					do_sign_verify_test(algorithm, keypair[1], keypair[2], true);
+					do_sign_verify_test(algorithm, signing_key, verifying_key, true);
 				end
 			end);

@ -169,5 +232,9 @@ describe("util.jwt", function ()
 			end
 		end);
 	end
+
+	for algorithm in untested_algorithms do
+		pending(algorithm.." tests", function () end);
+	end
 end);

--- a/util/jwt.lua
+++ b/util/jwt.lua
@ -34,9 +34,11 @@ local function new_static_header(algorithm_name)
 end

 -- HS*** family
-local function new_hmac_algorithm(name, hmac)
+local function new_hmac_algorithm(name)
 	local static_header = new_static_header(name);

+	local hmac = hashes["hmac_sha"..name:sub(-3)];
+
 	local function sign(key, payload)
 		local encoded_payload = json.encode(payload);
 		local signed = static_header .. b64url(encoded_payload);
@ -122,7 +124,11 @@ local function new_crypto_algorithm(name, key_type, c_sign, c_verify, sig_encode
 end

 -- RS***, PS***
-local function new_rsa_algorithm(name, c_sign, c_verify)
+local rsa_sign_algos = { RS = "rsassa_pkcs1", PS = "rsassa_pss" };
+local function new_rsa_algorithm(name)
+	local family, digest_bits = name:match("^(..)(...)$");
+	local c_sign = crypto[rsa_sign_algos[family].."_sha"..digest_bits.."_sign"];
+	local c_verify = crypto[rsa_sign_algos[family].."_sha"..digest_bits.."_verify"];
 	return new_crypto_algorithm(name, "rsaEncryption", c_sign, c_verify);
 end

@ -140,10 +146,10 @@ local function new_ecdsa_algorithm(name, c_sign, c_verify)
 end

 local algorithms = {
-	HS256 = new_hmac_algorithm("HS256", hashes.hmac_sha256);
+	HS256 = new_hmac_algorithm("HS256"), HS384 = new_hmac_algorithm("HS384"), HS512 = new_hmac_algorithm("HS512");
 	ES256 = new_ecdsa_algorithm("ES256", crypto.ecdsa_sha256_sign, crypto.ecdsa_sha256_verify);
-	RS256 = new_rsa_algorithm("RS256", crypto.rsassa_pkcs1_sha256_sign, crypto.rsassa_pkcs1_sha256_verify);
-	PS256 = new_rsa_algorithm("PS256", crypto.rsassa_pss_sha256_sign, crypto.rsassa_pss_sha256_verify);
+	RS256 = new_rsa_algorithm("RS256"), RS384 = new_rsa_algorithm("RS384"), RS512 = new_rsa_algorithm("RS512");
+	PS256 = new_rsa_algorithm("PS256"), PS384 = new_rsa_algorithm("PS384"), PS512 = new_rsa_algorithm("PS512");
 };

 local function new_signer(algorithm, key_input)
@ -167,6 +173,7 @@ end
 return {
 	new_signer = new_signer;
 	new_verifier = new_verifier;
+	_algorithms = algorithms;
 	-- Deprecated
 	sign = algorithms.HS256.sign;
 	verify = algorithms.HS256.verify;