Fix: do not try to parse a rsa key if algo is hmac #32

coupergateway · Sep 29, 2020 · f2e979c · f2e979c
2 parents 42724f9 + 614f5c4
commit f2e979c
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/accesscontrol/jwt.go b/accesscontrol/jwt.go
@@ -82,6 +82,10 @@ func NewJWT(algorithm, name string, claims Claims, reqClaims []string, src Sourc
 		sourceKey:      srcKey,
 	}
 
+	if algo.IsHMAC() {
+		return jwtObj, nil
+	}
+
 	pubKey, err := parsePublicPEMKey(key)
 	if err != nil && (err != jwt.ErrKeyMustBePEMEncoded || err != jwt.ErrNotRSAPublicKey) {
 		cert, err := x509.ParseCertificate(key)

diff --git a/accesscontrol/jwt_algorithm.go b/accesscontrol/jwt_algorithm.go
@@ -30,6 +30,15 @@ func NewAlgorithm(a string) Algorithm {
 	}
 }
 
+func (a Algorithm) IsHMAC() bool {
+	switch a {
+	case AlgorithmHMAC256, AlgorithmHMAC384, AlgorithmHMAC512:
+		return true
+	default:
+		return false
+	}
+}
+
 func (a Algorithm) String() string {
 	switch a {
 	case AlgorithmRSA256:

diff --git a/accesscontrol/jwt_test.go b/accesscontrol/jwt_test.go
@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
-	"strings"
 	"testing"
 
 	"github.com/dgrijalva/jwt-go/v4"
@@ -40,12 +39,14 @@ func TestJWT_Validate(t *testing.T) {
 		var token string
 		var tokenErr error
 
-		if strings.HasPrefix(signingMethod.Alg(), "HS") {
+		algo := ac.NewAlgorithm(signingMethod.Alg())
+
+		if algo.IsHMAC() {
+			pubKeyBytes = []byte("mySecretK3y")
 			token, tokenErr = tok.SignedString(pubKeyBytes)
-		} else if strings.HasPrefix(signingMethod.Alg(), "RS") {
+		} else {
 			token, tokenErr = tok.SignedString(privKey)
 		}
-		algo := ac.NewAlgorithm(signingMethod.Alg())
 
 		if tokenErr != nil {
 			t.Error(tokenErr)