Add SHA-3 support (#9308)

5 years ago · b2a8cb4aba
parent b412a222ae
commit b2a8cb4aba
3 changed files with 107 additions and 2 deletions
--- a/cmd/config/identity/openid/ecdsa-sha3.go
+++ b/cmd/config/identity/openid/ecdsa-sha3.go
@ -0,0 +1,51 @@
+/*
+ * MinIO Cloud Storage, (C) 2020 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package openid
+
+import (
+	"crypto"
+	"github.com/dgrijalva/jwt-go"
+	// Needed for SHA3 to work - See: https://golang.org/src/crypto/crypto.go?s=1034:1288
+	_ "golang.org/x/crypto/sha3"
+)
+
+// Specific instances for EC256 and company
+var (
+	SigningMethodES3256 *jwt.SigningMethodECDSA
+	SigningMethodES3384 *jwt.SigningMethodECDSA
+	SigningMethodES3512 *jwt.SigningMethodECDSA
+)
+
+func init() {
+	// ES256
+	SigningMethodES3256 = &jwt.SigningMethodECDSA{Name: "ES3256", Hash: crypto.SHA3_256, KeySize: 32, CurveBits: 256}
+	jwt.RegisterSigningMethod(SigningMethodES3256.Alg(), func() jwt.SigningMethod {
+		return SigningMethodES3256
+	})
+
+	// ES384
+	SigningMethodES3384 = &jwt.SigningMethodECDSA{Name: "ES3384", Hash: crypto.SHA3_384, KeySize: 48, CurveBits: 384}
+	jwt.RegisterSigningMethod(SigningMethodES3384.Alg(), func() jwt.SigningMethod {
+		return SigningMethodES3384
+	})
+
+	// ES512
+	SigningMethodES3512 = &jwt.SigningMethodECDSA{Name: "ES3512", Hash: crypto.SHA3_512, KeySize: 66, CurveBits: 521}
+	jwt.RegisterSigningMethod(SigningMethodES3512.Alg(), func() jwt.SigningMethod {
+		return SigningMethodES3512
+	})
+}
--- a/cmd/config/identity/openid/jwt.go
+++ b/cmd/config/identity/openid/jwt.go
@ -30,7 +30,7 @@ import (
 	"github.com/minio/minio/cmd/config"
 	"github.com/minio/minio/pkg/auth"
 	"github.com/minio/minio/pkg/env"
-	iampolicy "github.com/minio/minio/pkg/iam/policy"
+	"github.com/minio/minio/pkg/iam/policy"
 	xnet "github.com/minio/minio/pkg/net"
 )

@ -168,7 +168,10 @@ func updateClaimsExpiry(dsecs string, claims map[string]interface{}) error {
 // Validate - validates the access token.
 func (p *JWT) Validate(token, dsecs string) (map[string]interface{}, error) {
 	jp := new(jwtgo.Parser)
-	jp.ValidMethods = []string{"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}
+	jp.ValidMethods = []string{
+		"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
+		"RS3256", "RS3384", "RS3512", "ES3256", "ES3384", "ES3512",
+	}

 	keyFuncCallback := func(jwtToken *jwtgo.Token) (interface{}, error) {
 		kid, ok := jwtToken.Header["kid"].(string)
--- a/cmd/config/identity/openid/rsa-sha3.go
+++ b/cmd/config/identity/openid/rsa-sha3.go
@ -0,0 +1,51 @@
+/*
+ * MinIO Cloud Storage, (C) 2020 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package openid
+
+import (
+	"crypto"
+	"github.com/dgrijalva/jwt-go"
+	// Needed for SHA3 to work - See: https://golang.org/src/crypto/crypto.go?s=1034:1288
+	_ "golang.org/x/crypto/sha3"
+)
+
+// Specific instances for RS256 and company
+var (
+	SigningMethodRS3256 *jwt.SigningMethodRSA
+	SigningMethodRS3384 *jwt.SigningMethodRSA
+	SigningMethodRS3512 *jwt.SigningMethodRSA
+)
+
+func init() {
+	// RS3256
+	SigningMethodRS3256 = &jwt.SigningMethodRSA{Name: "RS3256", Hash: crypto.SHA3_256}
+	jwt.RegisterSigningMethod(SigningMethodRS3256.Alg(), func() jwt.SigningMethod {
+		return SigningMethodRS3256
+	})
+
+	// RS3384
+	SigningMethodRS3384 = &jwt.SigningMethodRSA{Name: "RS3384", Hash: crypto.SHA3_384}
+	jwt.RegisterSigningMethod(SigningMethodRS3384.Alg(), func() jwt.SigningMethod {
+		return SigningMethodRS3384
+	})
+
+	// RS3512
+	SigningMethodRS3512 = &jwt.SigningMethodRSA{Name: "RS3512", Hash: crypto.SHA3_512}
+	jwt.RegisterSigningMethod(SigningMethodRS3512.Alg(), func() jwt.SigningMethod {
+		return SigningMethodRS3512
+	})
+}