
jws: Add expected algorithms for signatures #74

Merged: 1 commit into main from require-signature-algorithms on Nov 30, 2023

Conversation

jsha
Collaborator

@jsha jsha commented Nov 30, 2023

Following the example of #69

@jsha jsha merged commit c74720d into main Nov 30, 2023
3 checks passed
@jsha jsha deleted the require-signature-algorithms branch November 30, 2023 17:37
@valters

valters commented Jun 7, 2024

Could you provide a migration guide when upgrading from v3, I have a call like

	parsedJwt, err := jwt.ParseSigned(encodedJwt)
	if err != nil {
		return "", err
	}

Now I need to know what algorithm the encodedJwt is using, but I don't necessarily know what it is or what to expect.
I need to provide a list of SignatureAlgorithm to the ParseSigned() call, a []SignatureAlgorithm, but is there a simple way to get the common ones?

@mcpherrinm
Collaborator

The full list of algorithms supported is (go-jose/shared.go, lines 106 to 118 in 696da50):

EdDSA = SignatureAlgorithm("EdDSA")
HS256 = SignatureAlgorithm("HS256") // HMAC using SHA-256
HS384 = SignatureAlgorithm("HS384") // HMAC using SHA-384
HS512 = SignatureAlgorithm("HS512") // HMAC using SHA-512
RS256 = SignatureAlgorithm("RS256") // RSASSA-PKCS-v1.5 using SHA-256
RS384 = SignatureAlgorithm("RS384") // RSASSA-PKCS-v1.5 using SHA-384
RS512 = SignatureAlgorithm("RS512") // RSASSA-PKCS-v1.5 using SHA-512
ES256 = SignatureAlgorithm("ES256") // ECDSA using P-256 and SHA-256
ES384 = SignatureAlgorithm("ES384") // ECDSA using P-384 and SHA-384
ES512 = SignatureAlgorithm("ES512") // ECDSA using P-521 and SHA-512
PS256 = SignatureAlgorithm("PS256") // RSASSA-PSS using SHA256 and MGF1-SHA256
PS384 = SignatureAlgorithm("PS384") // RSASSA-PSS using SHA384 and MGF1-SHA384
PS512 = SignatureAlgorithm("PS512") // RSASSA-PSS using SHA512 and MGF1-SHA512

What algorithms you want to support depends on your use-case. This parameter was added because it is often unsafe to blindly accept any algorithm.

@valters

valters commented Jun 7, 2024

Would it be possible to add a helper function all() or any() that just returns all of them so I don't have to make this list on my side?
It would be helpful to log the algorithm that was detected, so I can figure out what subset I can narrow down to.

@mcpherrinm
Collaborator

mcpherrinm commented Jun 7, 2024

We'd rather not, as that's generally not a safe behaviour if we added new unexpected algorithms, and would potentially be a silent breaking change if we ever removed algorithms.

@jsha
Collaborator Author

jsha commented Jun 7, 2024

What is the system that produces the JWTs you're parsing? If it's a system you control, you can look at the source code and see what algorithm it uses to sign its output. If it's not a system you control, it should document the algorithms it uses, and you can use that documentation. And if there's no documentation of that, there's a good reason to file an enhancement request. 😄
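As an added example (not part of this thread and not go-jose's own code), here is a standard-library-only Go sketch of the two things asked about above: peeking at a token's protected header to log which alg a producer actually uses, and checking an explicit allowlist of algorithms before doing any signature verification. The names PeekAlg, VerifyHS256, SignHS256 and the local SignatureAlgorithm type are hypothetical stand-ins; in go-jose v4 the allowlist step is what ParseSigned performs for you when you pass it the []SignatureAlgorithm discussed above. The key and tokens are constructed demo data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SignatureAlgorithm is a local stand-in for the JWS "alg" string type
// (hypothetical; mirrors the shape of the go-jose constants quoted above).
type SignatureAlgorithm string

const HS256 SignatureAlgorithm = "HS256"

// PeekAlg decodes the protected header of a compact JWS and returns its "alg"
// WITHOUT verifying anything. Use it only to log what a token producer sends,
// never to decide trust: the header is attacker-controlled input.
func PeekAlg(token string) (SignatureAlgorithm, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("compact JWS must have three segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("decode header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("parse header: %w", err)
	}
	if hdr.Alg == "" {
		return "", errors.New(`header has no "alg"`)
	}
	return SignatureAlgorithm(hdr.Alg), nil
}

// VerifyHS256 checks a compact JWS against an explicit allowlist and an HMAC
// key, returning the payload on success. The allowlist is consulted before any
// cryptographic work, so a header claiming "none" or an asymmetric alg is
// rejected outright rather than verified with the wrong key type (the classic
// alg-confusion bug that blindly accepting any algorithm invites).
func VerifyHS256(token string, allowed []SignatureAlgorithm, key []byte) ([]byte, error) {
	alg, err := PeekAlg(token)
	if err != nil {
		return nil, err
	}
	permitted := false
	for _, a := range allowed {
		if a == alg {
			permitted = true
			break
		}
	}
	if !permitted {
		return nil, fmt.Errorf("unexpected signature algorithm %q", alg)
	}
	if alg != HS256 {
		// This toy verifier implements HS256 only; other allowed algs would
		// need their own verifier (and their own key type).
		return nil, fmt.Errorf("algorithm %q is allowed but not implemented here", alg)
	}
	parts := strings.Split(token, ".")
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("decode signature: %w", err)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) { // constant-time comparison
		return nil, errors.New("HMAC signature mismatch")
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

// SignHS256 builds an HS256 compact JWS from raw header and payload JSON.
// It exists only to construct demo tokens for this example.
func SignHS256(header, payload string, key []byte) string {
	enc := base64.RawURLEncoding.EncodeToString
	signingInput := enc([]byte(header)) + "." + enc([]byte(payload))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc(mac.Sum(nil))
}

func main() {
	key := []byte("constructed-demo-key-do-not-reuse") // constructed demo key
	good := SignHS256(`{"alg":"HS256","typ":"JWT"}`, `{"sub":"alice"}`, key)
	alg, _ := PeekAlg(good)
	fmt.Println("token uses alg:", alg) // log this to learn what to allow

	if payload, err := VerifyHS256(good, []SignatureAlgorithm{HS256}, key); err == nil {
		fmt.Println("accepted with explicit allowlist, payload:", string(payload))
	}

	// Unsigned token whose header claims "none": rejected before any crypto.
	enc := base64.RawURLEncoding.EncodeToString
	none := enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(`{"sub":"alice"}`)) + "."
	_, err := VerifyHS256(none, []SignatureAlgorithm{HS256}, key)
	fmt.Println("alg=none token:", err)
}
```

Running PeekAlg over a sample of real tokens from the producer is a practical way to discover which subset to pass as the allowlist; once that is known, the list should be fixed in code rather than derived from the tokens themselves.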

4 participants