From b2a8cb4aba3a3fdc37558f4a8994042e34717166 Mon Sep 17 00:00:00 2001
From: Taras Parkhomenko
Date: Sat, 11 Apr 2020 00:59:52 +0300
Subject: [PATCH] Add SHA-3 support (#9308)
---
 cmd/config/identity/openid/ecdsa-sha3.go | 51 ++++++++++++++++++++++++
 cmd/config/identity/openid/jwt.go | 7 +++-
 cmd/config/identity/openid/rsa-sha3.go | 51 ++++++++++++++++++++++++
 3 files changed, 107 insertions(+), 2 deletions(-)
 create mode 100644 cmd/config/identity/openid/ecdsa-sha3.go
 create mode 100644 cmd/config/identity/openid/rsa-sha3.go
diff --git a/cmd/config/identity/openid/ecdsa-sha3.go b/cmd/config/identity/openid/ecdsa-sha3.go
new file mode 100644
index 000000000..165b6b43a
--- /dev/null
+++ b/cmd/config/identity/openid/ecdsa-sha3.go
@@ -0,0 +1,51 @@
+/*
+ * MinIO Cloud Storage, (C) 2020 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package openid
+
+import (
+ "crypto"
+ "github.com/dgrijalva/jwt-go"
+ // Needed for SHA3 to work - See: https://golang.org/src/crypto/crypto.go?s=1034:1288
+ _ "golang.org/x/crypto/sha3"
+)
+
+// Specific instances for EC256 and company
+var (
+ SigningMethodES3256 *jwt.SigningMethodECDSA
+ SigningMethodES3384 *jwt.SigningMethodECDSA
+ SigningMethodES3512 *jwt.SigningMethodECDSA
+)
+
+func init() {
+ // ES256
+ SigningMethodES3256 = &jwt.SigningMethodECDSA{Name: "ES3256", Hash: crypto.SHA3_256, KeySize: 32, CurveBits: 256}
+ jwt.RegisterSigningMethod(SigningMethodES3256.Alg(), func() jwt.SigningMethod {
+ return SigningMethodES3256
+ })
+
+ // ES384
+ SigningMethodES3384 = &jwt.SigningMethodECDSA{Name: "ES3384", Hash: crypto.SHA3_384, KeySize: 48, CurveBits: 384}
+ jwt.RegisterSigningMethod(SigningMethodES3384.Alg(), func() jwt.SigningMethod {
+ return SigningMethodES3384
+ })
+
+ // ES512
+ SigningMethodES3512 = &jwt.SigningMethodECDSA{Name: "ES3512", Hash: crypto.SHA3_512, KeySize: 66, CurveBits: 521}
+ jwt.RegisterSigningMethod(SigningMethodES3512.Alg(), func() jwt.SigningMethod {
+ return SigningMethodES3512
+ })
+}
diff --git a/cmd/config/identity/openid/jwt.go b/cmd/config/identity/openid/jwt.go
index 6d822501b..768056eed 100644
--- a/cmd/config/identity/openid/jwt.go
+++ b/cmd/config/identity/openid/jwt.go
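Review bot: The per-method comments in init() read `// ES256`, `// ES384`, `// ES512`, but the methods they label are ES3256/ES3384/ES3512; rsa-sha3.go in the same commit labels its methods with the matching names (`// RS3256`), so these should read `// ES3256`, `// ES3384`, `// ES3512`. The var-block comment `// Specific instances for EC256 and company` should also state that these `alg` values are not registered JWS algorithm identifiers — RFC 7518 and the IANA JOSE registry define only the SHA-2 variants ES256/ES384/ES512 — so tokens signed this way are accepted only by verifiers that define the same private names; the same doc comment belongs on the var block in rsa-sha3.go (third hunk). Suggested wording: `// ES3256, ES3384 and ES3512 are non-standard JWS alg identifiers (ECDSA over SHA-3); they are not in the IANA JOSE registry and only interoperate with issuers configured for the same names.`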
@@ -30,7 +30,7 @@ import (
 "github.com/minio/minio/cmd/config"
 "github.com/minio/minio/pkg/auth"
 "github.com/minio/minio/pkg/env"
- iampolicy "github.com/minio/minio/pkg/iam/policy"
+ "github.com/minio/minio/pkg/iam/policy"
 xnet "github.com/minio/minio/pkg/net"
 )
@@ -168,7 +168,10 @@ func updateClaimsExpiry(dsecs string, claims map[string]interface{}) error {
 // Validate - validates the access token.
 func (p *JWT) Validate(token, dsecs string) (map[string]interface{}, error) {
 jp := new(jwtgo.Parser)
- jp.ValidMethods = []string{"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}
+ jp.ValidMethods = []string{
+ "RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
+ "RS3256", "RS3384", "RS3512", "ES3256", "ES3384", "ES3512",
+ }
 keyFuncCallback := func(jwtToken *jwtgo.Token) (interface{}, error) {
 kid, ok := jwtToken.Header["kid"].(string)
diff --git a/cmd/config/identity/openid/rsa-sha3.go b/cmd/config/identity/openid/rsa-sha3.go
new file mode 100644
index 000000000..3eacd3f06
--- /dev/null
+++ b/cmd/config/identity/openid/rsa-sha3.go
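Review bot: The six new `jp.ValidMethods` entries repeat as string literals the algorithm names that ecdsa-sha3.go and rsa-sha3.go define (`Name: "RS3256"` and so on), so a change in either place silently desynchronises the allow-list from what is actually registered. Building the list from the method objects keeps the two in one place, e.g. `jwtgo.SigningMethodRS256.Alg(), jwtgo.SigningMethodES256.Alg(), ..., SigningMethodRS3256.Alg(), SigningMethodES3256.Alg(), ...`; the `SigningMethod*3nnn` variables are package-level in the same package, so they are in scope here. A short comment on the list saying why the allow-list exists (`// Only asymmetric algorithms: an HMAC token must never be accepted against a public key`) would also help the next maintainer. The body of Validate continues outside the hunk.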
@@ -0,0 +1,51 @@
+/*
+ * MinIO Cloud Storage, (C) 2020 MinIO, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package openid
+
+import (
+ "crypto"
+ "github.com/dgrijalva/jwt-go"
+ // Needed for SHA3 to work - See: https://golang.org/src/crypto/crypto.go?s=1034:1288
+ _ "golang.org/x/crypto/sha3"
+)
+
+// Specific instances for RS256 and company
+var (
+ SigningMethodRS3256 *jwt.SigningMethodRSA
+ SigningMethodRS3384 *jwt.SigningMethodRSA
+ SigningMethodRS3512 *jwt.SigningMethodRSA
+)
+
+func init() {
+ // RS3256
+ SigningMethodRS3256 = &jwt.SigningMethodRSA{Name: "RS3256", Hash: crypto.SHA3_256}
+ jwt.RegisterSigningMethod(SigningMethodRS3256.Alg(), func() jwt.SigningMethod {
+ return SigningMethodRS3256
+ })
+
+ // RS3384
+ SigningMethodRS3384 = &jwt.SigningMethodRSA{Name: "RS3384", Hash: crypto.SHA3_384}
+ jwt.RegisterSigningMethod(SigningMethodRS3384.Alg(), func() jwt.SigningMethod {
+ return SigningMethodRS3384
+ })
+
+ // RS3512
+ SigningMethodRS3512 = &jwt.SigningMethodRSA{Name: "RS3512", Hash: crypto.SHA3_512}
+ jwt.RegisterSigningMethod(SigningMethodRS3512.Alg(), func() jwt.SigningMethod {
+ return SigningMethodRS3512
+ })
+}
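Review bot: `jwt.SigningMethodRSA` verifies through `rsa.VerifyPKCS1v15`, which needs a precomputed DigestInfo prefix for the hash from crypto/rsa's internal PKCS#1 v1.5 table; as far as I can tell that table covered only MD5, SHA-1, the SHA-2 family and RIPEMD-160 when this change was made, so unless the Go toolchain in use has SHA-3 prefixes there, every RS3256/RS3384/RS3512 token is rejected with an unsupported-hash error even when its signature is valid. The blank import of `golang.org/x/crypto/sha3` only makes `crypto.SHA3_*` report Available() for hashing; it does not add PKCS#1 v1.5 prefixes, and the ECDSA methods in ecdsa-sha3.go are unaffected because `ecdsa.Verify` takes a raw digest. A unit test that signs a token with each of the three RS3xxx methods against a test RSA key and runs it through `Validate` would show whether this path works on the supported toolchain; if it does not, the RS3xxx names should be dropped from `ValidMethods` in jwt.go until it does, so the allow-list only advertises algorithms the server can actually verify.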