32 local function new_static_header(algorithm_name) |
32 local function new_static_header(algorithm_name) |
33 return b64url('{"alg":"'..algorithm_name..'","typ":"JWT"}') .. '.'; |
33 return b64url('{"alg":"'..algorithm_name..'","typ":"JWT"}') .. '.'; |
34 end |
34 end |
35 |
35 |
36 -- HS*** family |
36 -- HS*** family |
37 local function new_hmac_algorithm(name, hmac) |
37 local function new_hmac_algorithm(name) |
38 local static_header = new_static_header(name); |
38 local static_header = new_static_header(name); |
|
39 |
|
40 local hmac = hashes["hmac_sha"..name:sub(-3)]; |
39 |
41 |
40 local function sign(key, payload) |
42 local function sign(key, payload) |
41 local encoded_payload = json.encode(payload); |
43 local encoded_payload = json.encode(payload); |
42 local signed = static_header .. b64url(encoded_payload); |
44 local signed = static_header .. b64url(encoded_payload); |
43 local signature = hmac(key, signed); |
45 local signature = hmac(key, signed); |
120 end; |
122 end; |
121 }; |
123 }; |
122 end |
124 end |
123 |
125 |
124 -- RS***, PS*** |
126 -- RS***, PS*** |
125 local function new_rsa_algorithm(name, c_sign, c_verify) |
127 local rsa_sign_algos = { RS = "rsassa_pkcs1", PS = "rsassa_pss" }; |
|
128 local function new_rsa_algorithm(name) |
|
129 local family, digest_bits = name:match("^(..)(...)$"); |
|
130 local c_sign = crypto[rsa_sign_algos[family].."_sha"..digest_bits.."_sign"]; |
|
131 local c_verify = crypto[rsa_sign_algos[family].."_sha"..digest_bits.."_verify"]; |
126 return new_crypto_algorithm(name, "rsaEncryption", c_sign, c_verify); |
132 return new_crypto_algorithm(name, "rsaEncryption", c_sign, c_verify); |
127 end |
133 end |
128 |
134 |
129 -- ES*** |
135 -- ES*** |
130 local function new_ecdsa_algorithm(name, c_sign, c_verify) |
136 local function new_ecdsa_algorithm(name, c_sign, c_verify) |
138 end |
144 end |
139 return new_crypto_algorithm(name, "id-ecPublicKey", c_sign, c_verify, encode_ecdsa_sig, decode_ecdsa_sig); |
145 return new_crypto_algorithm(name, "id-ecPublicKey", c_sign, c_verify, encode_ecdsa_sig, decode_ecdsa_sig); |
140 end |
146 end |
141 |
147 |
142 local algorithms = { |
148 local algorithms = { |
143 HS256 = new_hmac_algorithm("HS256", hashes.hmac_sha256); |
149 HS256 = new_hmac_algorithm("HS256"), HS384 = new_hmac_algorithm("HS384"), HS512 = new_hmac_algorithm("HS512"); |
144 ES256 = new_ecdsa_algorithm("ES256", crypto.ecdsa_sha256_sign, crypto.ecdsa_sha256_verify); |
150 ES256 = new_ecdsa_algorithm("ES256", crypto.ecdsa_sha256_sign, crypto.ecdsa_sha256_verify); |
145 RS256 = new_rsa_algorithm("RS256", crypto.rsassa_pkcs1_sha256_sign, crypto.rsassa_pkcs1_sha256_verify); |
151 RS256 = new_rsa_algorithm("RS256"), RS384 = new_rsa_algorithm("RS384"), RS512 = new_rsa_algorithm("RS512"); |
146 PS256 = new_rsa_algorithm("PS256", crypto.rsassa_pss_sha256_sign, crypto.rsassa_pss_sha256_verify); |
152 PS256 = new_rsa_algorithm("PS256"), PS384 = new_rsa_algorithm("PS384"), PS512 = new_rsa_algorithm("PS512"); |
147 }; |
153 }; |
148 |
154 |
149 local function new_signer(algorithm, key_input) |
155 local function new_signer(algorithm, key_input) |
150 local impl = assert(algorithms[algorithm], "Unknown JWT algorithm: "..algorithm); |
156 local impl = assert(algorithms[algorithm], "Unknown JWT algorithm: "..algorithm); |
151 local key = (impl.load_private_key or impl.load_key)(key_input); |
157 local key = (impl.load_private_key or impl.load_key)(key_input); |