cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add HS256/384/512 hash support

Browse source
This commit is contained in:
Roman Isaev 2025-02-25 00:30:03 +00:00
parent 4ef9529012
commit e9f1bbc972
No known key found for this signature in database
GPG key ID: 7BE2B6A6C89AEC7F
5 changed files with 24 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

24
pkg/client/rp/verifier_test.go
View file

@ -255,7 +255,11 @@ func TestVerifyIDToken(t *testing.T) {
func TestVerifyAccessToken(t *testing.T) { func TestVerifyAccessToken(t *testing.T) {
token, _ := tu.ValidAccessToken() token, _ := tu.ValidAccessToken()
hash, err := oidc.ClaimHash(token, tu.SignatureAlgorithm) sigAlgoRS256 := jose.RS256
hashRS256, err := oidc.ClaimHash(token, sigAlgoRS256)
require.NoError(t, err)
sigAlgoHS256 := jose.HS256
hashHS256, err := oidc.ClaimHash(token, sigAlgoHS256)
require.NoError(t, err) require.NoError(t, err)
type args struct { type args struct {
@ -272,18 +276,26 @@ func TestVerifyAccessToken(t *testing.T) {
name: "empty hash", name: "empty hash",
}, },
{ {
name: "success", name: "success RS256",
args: args{ args: args{
accessToken: token, accessToken: token,
atHash: hash, atHash: hashRS256,
sigAlgorithm: tu.SignatureAlgorithm, sigAlgorithm: sigAlgoRS256,
},
},
{
name: "success HS256",
args: args{
accessToken: token,
atHash: hashHS256,
sigAlgorithm: sigAlgoHS256,
}, },
}, },
{ {
name: "invalid algorithm", name: "invalid algorithm",
args: args{ args: args{
accessToken: token, accessToken: token,
atHash: hash, atHash: hashRS256,
sigAlgorithm: "foo", sigAlgorithm: "foo",
}, },
wantErr: true, wantErr: true,
@ -293,7 +305,7 @@ func TestVerifyAccessToken(t *testing.T) {
args: args{ args: args{
accessToken: token, accessToken: token,
atHash: "~~", atHash: "~~",
sigAlgorithm: tu.SignatureAlgorithm, sigAlgorithm: sigAlgoRS256,
}, },
wantErr: true, wantErr: true,
}, },

6
pkg/crypto/hash.go
View file

@ -15,11 +15,11 @@ var ErrUnsupportedAlgorithm = errors.New("unsupported signing algorithm")
func GetHashAlgorithm(sigAlgorithm jose.SignatureAlgorithm) (hash.Hash, error) { func GetHashAlgorithm(sigAlgorithm jose.SignatureAlgorithm) (hash.Hash, error) {
switch sigAlgorithm { switch sigAlgorithm {
case jose.RS256, jose.ES256, jose.PS256: case jose.RS256, jose.ES256, jose.PS256, jose.HS256:
return sha256.New(), nil return sha256.New(), nil
case jose.RS384, jose.ES384, jose.PS384: case jose.RS384, jose.ES384, jose.PS384, jose.HS384:
return sha512.New384(), nil return sha512.New384(), nil
case jose.RS512, jose.ES512, jose.PS512: case jose.RS512, jose.ES512, jose.PS512, jose.HS512:
return sha512.New(), nil return sha512.New(), nil
// There is no published spec for this yet, but we have confirmation it will get published. // There is no published spec for this yet, but we have confirmation it will get published.

2
pkg/oidc/verifier.go
View file

@ -186,7 +186,7 @@ func toJoseSignatureAlgorithms(algorithms []string) []jose.SignatureAlgorithm {
out[i] = jose.SignatureAlgorithm(algorithms[i]) out[i] = jose.SignatureAlgorithm(algorithms[i])
} }
if len(out) == 0 { if len(out) == 0 {
out = append(out, jose.RS256, jose.ES256, jose.PS256) out = append(out, jose.RS256, jose.ES256, jose.PS256, jose.RS256)
} }
return out return out
} }