1 package jwt_test
2
3 import (
4 "crypto"
5 "crypto/rsa"
6 "encoding/json"
7 "errors"
8 "fmt"
9 "reflect"
10 "testing"
11 "time"
12
13 "github.com/golang-jwt/jwt/v4"
14 "github.com/golang-jwt/jwt/v4/test"
15 )
16
17 var errKeyFuncError error = fmt.Errorf("error loading key")
18
19 var (
20 jwtTestDefaultKey *rsa.PublicKey
21 jwtTestRSAPrivateKey *rsa.PrivateKey
22 jwtTestEC256PublicKey crypto.PublicKey
23 jwtTestEC256PrivateKey crypto.PrivateKey
24 paddedKey crypto.PublicKey
25 defaultKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return jwtTestDefaultKey, nil }
26 ecdsaKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return jwtTestEC256PublicKey, nil }
27 paddedKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return paddedKey, nil }
28 emptyKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, nil }
29 errorKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, errKeyFuncError }
30 nilKeyFunc jwt.Keyfunc = nil
31 )
32
33 func init() {
34
35 jwtTestDefaultKey = test.LoadRSAPublicKeyFromDisk("test/sample_key.pub")
36 jwtTestEC256PublicKey = test.LoadECPublicKeyFromDisk("test/ec256-public.pem")
37
38
39
40 paddedKey = test.LoadECPublicKeyFromDisk("test/examplePaddedKey-public.pem")
41
42
43 jwtTestRSAPrivateKey = test.LoadRSAPrivateKeyFromDisk("test/sample_key")
44 jwtTestEC256PrivateKey = test.LoadECPrivateKeyFromDisk("test/ec256-private.pem")
45
46 }
47
48 var jwtTestData = []struct {
49 name string
50 tokenString string
51 keyfunc jwt.Keyfunc
52 claims jwt.Claims
53 valid bool
54 errors uint32
55 err []error
56 parser *jwt.Parser
57 signingMethod jwt.SigningMethod
58 }{
59 {
60 "basic",
61 "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
62 defaultKeyFunc,
63 jwt.MapClaims{"foo": "bar"},
64 true,
65 0,
66 nil,
67 nil,
68 jwt.SigningMethodRS256,
69 },
70 {
71 "basic expired",
72 "",
73 defaultKeyFunc,
74 jwt.MapClaims{"foo": "bar", "exp": float64(time.Now().Unix() - 100)},
75 false,
76 jwt.ValidationErrorExpired,
77 []error{jwt.ErrTokenExpired},
78 nil,
79 jwt.SigningMethodRS256,
80 },
81 {
82 "basic nbf",
83 "",
84 defaultKeyFunc,
85 jwt.MapClaims{"foo": "bar", "nbf": float64(time.Now().Unix() + 100)},
86 false,
87 jwt.ValidationErrorNotValidYet,
88 []error{jwt.ErrTokenNotValidYet},
89 nil,
90 jwt.SigningMethodRS256,
91 },
92 {
93 "expired and nbf",
94 "",
95 defaultKeyFunc,
96 jwt.MapClaims{"foo": "bar", "nbf": float64(time.Now().Unix() + 100), "exp": float64(time.Now().Unix() - 100)},
97 false,
98 jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
99 []error{jwt.ErrTokenNotValidYet},
100 nil,
101 jwt.SigningMethodRS256,
102 },
103 {
104 "basic invalid",
105 "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.EhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
106 defaultKeyFunc,
107 jwt.MapClaims{"foo": "bar"},
108 false,
109 jwt.ValidationErrorSignatureInvalid,
110 []error{jwt.ErrTokenSignatureInvalid, rsa.ErrVerification},
111 nil,
112 jwt.SigningMethodRS256,
113 },
114 {
115 "basic nokeyfunc",
116 "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
117 nilKeyFunc,
118 jwt.MapClaims{"foo": "bar"},
119 false,
120 jwt.ValidationErrorUnverifiable,
121 []error{jwt.ErrTokenUnverifiable},
122 nil,
123 jwt.SigningMethodRS256,
124 },
125 {
126 "basic nokey",
127 "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
128 emptyKeyFunc,
129 jwt.MapClaims{"foo": "bar"},
130 false,
131 jwt.ValidationErrorSignatureInvalid,
132 []error{jwt.ErrTokenSignatureInvalid},
133 nil,
134 jwt.SigningMethodRS256,
135 },
136 {
137 "basic errorkey",
138 "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
139 errorKeyFunc,
140 jwt.MapClaims{"foo": "bar"},
141 false,
142 jwt.ValidationErrorUnverifiable,
143 []error{jwt.ErrTokenUnverifiable, errKeyFuncError},
144 nil,
145 jwt.SigningMethodRS256,
146 },
147 {
148 "invalid signing method",
149 "",
150 defaultKeyFunc,
151 jwt.MapClaims{"foo": "bar"},
152 false,
153 jwt.ValidationErrorSignatureInvalid,
154 []error{jwt.ErrTokenSignatureInvalid},
155 &jwt.Parser{ValidMethods: []string{"HS256"}},
156 jwt.SigningMethodRS256,
157 },
158 {
159 "valid RSA signing method",
160 "",
161 defaultKeyFunc,
162 jwt.MapClaims{"foo": "bar"},
163 true,
164 0,
165 nil,
166 &jwt.Parser{ValidMethods: []string{"RS256", "HS256"}},
167 jwt.SigningMethodRS256,
168 },
169 {
170 "ECDSA signing method not accepted",
171 "",
172 ecdsaKeyFunc,
173 jwt.MapClaims{"foo": "bar"},
174 false,
175 jwt.ValidationErrorSignatureInvalid,
176 []error{jwt.ErrTokenSignatureInvalid},
177 &jwt.Parser{ValidMethods: []string{"RS256", "HS256"}},
178 jwt.SigningMethodES256,
179 },
180 {
181 "valid ECDSA signing method",
182 "",
183 ecdsaKeyFunc,
184 jwt.MapClaims{"foo": "bar"},
185 true,
186 0,
187 nil,
188 &jwt.Parser{ValidMethods: []string{"HS256", "ES256"}},
189 jwt.SigningMethodES256,
190 },
191 {
192 "JSON Number",
193 "",
194 defaultKeyFunc,
195 jwt.MapClaims{"foo": json.Number("123.4")},
196 true,
197 0,
198 nil,
199 &jwt.Parser{UseJSONNumber: true},
200 jwt.SigningMethodRS256,
201 },
202 {
203 "Standard Claims",
204 "",
205 defaultKeyFunc,
206 &jwt.StandardClaims{
207 ExpiresAt: time.Now().Add(time.Second * 10).Unix(),
208 },
209 true,
210 0,
211 nil,
212 &jwt.Parser{UseJSONNumber: true},
213 jwt.SigningMethodRS256,
214 },
215 {
216 "JSON Number - basic expired",
217 "",
218 defaultKeyFunc,
219 jwt.MapClaims{"foo": "bar", "exp": json.Number(fmt.Sprintf("%v", time.Now().Unix()-100))},
220 false,
221 jwt.ValidationErrorExpired,
222 []error{jwt.ErrTokenExpired},
223 &jwt.Parser{UseJSONNumber: true},
224 jwt.SigningMethodRS256,
225 },
226 {
227 "JSON Number - basic nbf",
228 "",
229 defaultKeyFunc,
230 jwt.MapClaims{"foo": "bar", "nbf": json.Number(fmt.Sprintf("%v", time.Now().Unix()+100))},
231 false,
232 jwt.ValidationErrorNotValidYet,
233 []error{jwt.ErrTokenNotValidYet},
234 &jwt.Parser{UseJSONNumber: true},
235 jwt.SigningMethodRS256,
236 },
237 {
238 "JSON Number - expired and nbf",
239 "",
240 defaultKeyFunc,
241 jwt.MapClaims{"foo": "bar", "nbf": json.Number(fmt.Sprintf("%v", time.Now().Unix()+100)), "exp": json.Number(fmt.Sprintf("%v", time.Now().Unix()-100))},
242 false,
243 jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
244 []error{jwt.ErrTokenNotValidYet},
245 &jwt.Parser{UseJSONNumber: true},
246 jwt.SigningMethodRS256,
247 },
248 {
249 "SkipClaimsValidation during token parsing",
250 "",
251 defaultKeyFunc,
252 jwt.MapClaims{"foo": "bar", "nbf": json.Number(fmt.Sprintf("%v", time.Now().Unix()+100))},
253 true,
254 0,
255 nil,
256 &jwt.Parser{UseJSONNumber: true, SkipClaimsValidation: true},
257 jwt.SigningMethodRS256,
258 },
259 {
260 "RFC7519 Claims",
261 "",
262 defaultKeyFunc,
263 &jwt.RegisteredClaims{
264 ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Second * 10)),
265 },
266 true,
267 0,
268 nil,
269 &jwt.Parser{UseJSONNumber: true},
270 jwt.SigningMethodRS256,
271 },
272 {
273 "RFC7519 Claims - single aud",
274 "",
275 defaultKeyFunc,
276 &jwt.RegisteredClaims{
277 Audience: jwt.ClaimStrings{"test"},
278 },
279 true,
280 0,
281 nil,
282 &jwt.Parser{UseJSONNumber: true},
283 jwt.SigningMethodRS256,
284 },
285 {
286 "RFC7519 Claims - multiple aud",
287 "",
288 defaultKeyFunc,
289 &jwt.RegisteredClaims{
290 Audience: jwt.ClaimStrings{"test", "test"},
291 },
292 true,
293 0,
294 nil,
295 &jwt.Parser{UseJSONNumber: true},
296 jwt.SigningMethodRS256,
297 },
298 {
299 "RFC7519 Claims - single aud with wrong type",
300 "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOjF9.8mAIDUfZNQT3TGm1QFIQp91OCpJpQpbB1-m9pA2mkHc",
301 defaultKeyFunc,
302 &jwt.RegisteredClaims{
303 Audience: nil,
304 },
305 false,
306 jwt.ValidationErrorMalformed,
307 []error{jwt.ErrTokenMalformed},
308 &jwt.Parser{UseJSONNumber: true},
309 jwt.SigningMethodRS256,
310 },
311 {
312 "RFC7519 Claims - multiple aud with wrong types",
313 "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsidGVzdCIsMV19.htEBUf7BVbfSmVoTFjXf3y6DLmDUuLy1vTJ14_EX7Ws",
314 defaultKeyFunc,
315 &jwt.RegisteredClaims{
316 Audience: nil,
317 },
318 false,
319 jwt.ValidationErrorMalformed,
320 []error{jwt.ErrTokenMalformed},
321 &jwt.Parser{UseJSONNumber: true},
322 jwt.SigningMethodRS256,
323 },
324 }
325
326
327 func signToken(claims jwt.Claims, signingMethod jwt.SigningMethod) string {
328 var privateKey interface{}
329 switch signingMethod {
330 case jwt.SigningMethodRS256:
331 privateKey = jwtTestRSAPrivateKey
332 case jwt.SigningMethodES256:
333 privateKey = jwtTestEC256PrivateKey
334 default:
335 return ""
336 }
337 return test.MakeSampleToken(claims, signingMethod, privateKey)
338 }
339
340 func TestParser_Parse(t *testing.T) {
341
342
343 for _, data := range jwtTestData {
344 t.Run(data.name, func(t *testing.T) {
345
346
347 if data.tokenString == "" {
348 data.tokenString = signToken(data.claims, data.signingMethod)
349 }
350
351
352 var token *jwt.Token
353 var ve *jwt.ValidationError
354 var err error
355 var parser = data.parser
356 if parser == nil {
357 parser = new(jwt.Parser)
358 }
359
360 switch data.claims.(type) {
361 case jwt.MapClaims:
362 token, err = parser.ParseWithClaims(data.tokenString, jwt.MapClaims{}, data.keyfunc)
363 case *jwt.StandardClaims:
364 token, err = parser.ParseWithClaims(data.tokenString, &jwt.StandardClaims{}, data.keyfunc)
365 case *jwt.RegisteredClaims:
366 token, err = parser.ParseWithClaims(data.tokenString, &jwt.RegisteredClaims{}, data.keyfunc)
367 }
368
369
370 if !reflect.DeepEqual(data.claims, token.Claims) {
371 t.Errorf("[%v] Claims mismatch. Expecting: %v Got: %v", data.name, data.claims, token.Claims)
372 }
373
374 if data.valid && err != nil {
375 t.Errorf("[%v] Error while verifying token: %T:%v", data.name, err, err)
376 }
377
378 if !data.valid && err == nil {
379 t.Errorf("[%v] Invalid token passed validation", data.name)
380 }
381
382 if (err == nil && !token.Valid) || (err != nil && token.Valid) {
383 t.Errorf("[%v] Inconsistent behavior between returned error and token.Valid", data.name)
384 }
385
386 if data.errors != 0 {
387 if err == nil {
388 t.Errorf("[%v] Expecting error. Didn't get one.", data.name)
389 } else {
390 if errors.As(err, &ve) {
391
392 if e := ve.Errors; e != data.errors {
393 t.Errorf("[%v] Errors don't match expectation. %v != %v", data.name, e, data.errors)
394 }
395
396 if err.Error() == errKeyFuncError.Error() && ve.Inner != errKeyFuncError {
397 t.Errorf("[%v] Inner error does not match expectation. %v != %v", data.name, ve.Inner, errKeyFuncError)
398 }
399 }
400 }
401 }
402
403 if data.err != nil {
404 if err == nil {
405 t.Errorf("[%v] Expecting error(s). Didn't get one.", data.name)
406 } else {
407 var all = false
408 for _, e := range data.err {
409 all = errors.Is(err, e)
410 }
411
412 if !all {
413 t.Errorf("[%v] Errors don't match expectation. %v should contain all of %v", data.name, err, data.err)
414 }
415 }
416 }
417
418 if data.valid {
419 if token.Signature == "" {
420 t.Errorf("[%v] Signature is left unpopulated after parsing", data.name)
421 }
422 if !token.Valid {
423
424 t.Errorf("[%v] Token.Valid field mismatch. Expecting true, got %v", data.name, token.Valid)
425 }
426 }
427 })
428 }
429 }
430
431 func TestParser_ParseUnverified(t *testing.T) {
432
433
434 for _, data := range jwtTestData {
435
436 if data.errors&jwt.ValidationErrorMalformed != 0 {
437 continue
438 }
439
440 t.Run(data.name, func(t *testing.T) {
441
442 if data.tokenString == "" {
443 data.tokenString = signToken(data.claims, data.signingMethod)
444 }
445
446
447 var token *jwt.Token
448 var err error
449 var parser = data.parser
450 if parser == nil {
451 parser = new(jwt.Parser)
452 }
453
454 switch data.claims.(type) {
455 case jwt.MapClaims:
456 token, _, err = parser.ParseUnverified(data.tokenString, jwt.MapClaims{})
457 case *jwt.StandardClaims:
458 token, _, err = parser.ParseUnverified(data.tokenString, &jwt.StandardClaims{})
459 case *jwt.RegisteredClaims:
460 token, _, err = parser.ParseUnverified(data.tokenString, &jwt.RegisteredClaims{})
461 }
462
463 if err != nil {
464 t.Errorf("[%v] Invalid token", data.name)
465 }
466
467
468 if !reflect.DeepEqual(data.claims, token.Claims) {
469 t.Errorf("[%v] Claims mismatch. Expecting: %v Got: %v", data.name, data.claims, token.Claims)
470 }
471
472 if data.valid && err != nil {
473 t.Errorf("[%v] Error while verifying token: %T:%v", data.name, err, err)
474 }
475 if token.Valid {
476
477 t.Errorf("[%v] Token.Valid field mismatch. Expecting false, got %v", data.name, token.Valid)
478 }
479 if token.Signature != "" {
480
481 t.Errorf("[%v] Token.Signature field mismatch. Expecting '', got %v", data.name, token.Signature)
482 }
483 })
484 }
485 }
486
487 var setPaddingTestData = []struct {
488 name string
489 tokenString string
490 claims jwt.Claims
491 paddedDecode bool
492 strictDecode bool
493 signingMethod jwt.SigningMethod
494 keyfunc jwt.Keyfunc
495 valid bool
496 }{
497 {
498 name: "Validated non-padded token with padding disabled",
499 tokenString: "",
500 claims: jwt.MapClaims{"foo": "paddedbar"},
501 paddedDecode: false,
502 signingMethod: jwt.SigningMethodRS256,
503 keyfunc: defaultKeyFunc,
504 valid: true,
505 },
506 {
507 name: "Validated non-padded token with padding enabled",
508 tokenString: "",
509 claims: jwt.MapClaims{"foo": "paddedbar"},
510 paddedDecode: true,
511 signingMethod: jwt.SigningMethodRS256,
512 keyfunc: defaultKeyFunc,
513 valid: true,
514 },
515 {
516 name: "Error for padded token with padding disabled",
517 tokenString: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJwYWRkZWRiYXIifQ==.20kGGJaYekGTRFf8b0TwhuETcR8lv5z2363X5jf7G1yTWVTwOmte5Ii8L8_OQbYwPoiVHmZY6iJPbt_DhCN42AeFY74BcsUhR-BVrYUVhKK0RppuzEcSlILDNeQsJDLEL035CPm1VO6Jrgk7enQPIctVxUesRgswP71OpGvJxy3j1k_J8p0WzZvRZTe1D_2Misa0UDGwnEIHhmr97fIpMSZjFxlcygQw8QN34IHLHIXMaTY1eiCf4CCr6rOS9wUeu7P3CPkmFq9XhxBT_LLCmIMhHnxP5x27FUJE_JZlfek0MmARcrhpsZS2sFhHAiWrjxjOE27jkDtv1nEwn65wMw==",
518 claims: jwt.MapClaims{"foo": "paddedbar"},
519 paddedDecode: false,
520 signingMethod: jwt.SigningMethodRS256,
521 keyfunc: defaultKeyFunc,
522 valid: false,
523 },
524 {
525 name: "Validated padded token with padding enabled",
526 tokenString: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJwYWRkZWRiYXIifQ==.20kGGJaYekGTRFf8b0TwhuETcR8lv5z2363X5jf7G1yTWVTwOmte5Ii8L8_OQbYwPoiVHmZY6iJPbt_DhCN42AeFY74BcsUhR-BVrYUVhKK0RppuzEcSlILDNeQsJDLEL035CPm1VO6Jrgk7enQPIctVxUesRgswP71OpGvJxy3j1k_J8p0WzZvRZTe1D_2Misa0UDGwnEIHhmr97fIpMSZjFxlcygQw8QN34IHLHIXMaTY1eiCf4CCr6rOS9wUeu7P3CPkmFq9XhxBT_LLCmIMhHnxP5x27FUJE_JZlfek0MmARcrhpsZS2sFhHAiWrjxjOE27jkDtv1nEwn65wMw==",
527 claims: jwt.MapClaims{"foo": "paddedbar"},
528 paddedDecode: true,
529 signingMethod: jwt.SigningMethodRS256,
530 keyfunc: defaultKeyFunc,
531 valid: true,
532 },
533 {
534 name: "Error for example padded token with padding disabled",
535 tokenString: "eyJ0eXAiOiJKV1QiLCJraWQiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vY29nbml0by1pZHAuZXUtd2VzdC0yLmFtYXpvbmF3cy5jb20vIiwiY2xpZW50IjoiN0xUY29QWnJWNDR6ZVg2WUs5VktBcHZPM3EiLCJzaWduZXIiOiJhcm46YXdzOmVsYXN0aWNsb2FkYmFsYW5jaW5nIiwiZXhwIjoxNjI5NDcwMTAxfQ==.eyJzdWIiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJ1c2VybmFtZSI6IjEyMzQ1Njc4LWFiY2QtMTIzNC1hYmNkLTEyMzQ1Njc4YWJjZCIsImV4cCI6MTYyOTQ3MDEwMSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkcC5ldS13ZXN0LTIuYW1hem9uYXdzLmNvbS8ifQ==.sx0muJ754glJvwWgkHaPrOI3L1gaPjRLLUvOQRk0WitnqC5Dtt1knorcbOzlEcH9zwPM2jYYIAYQz_qEyM3grw==",
536 claims: nil,
537 paddedDecode: false,
538 signingMethod: jwt.SigningMethodES256,
539 keyfunc: paddedKeyFunc,
540 valid: false,
541 },
542 {
543 name: "Validated example padded token with padding enabled",
544 tokenString: "eyJ0eXAiOiJKV1QiLCJraWQiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vY29nbml0by1pZHAuZXUtd2VzdC0yLmFtYXpvbmF3cy5jb20vIiwiY2xpZW50IjoiN0xUY29QWnJWNDR6ZVg2WUs5VktBcHZPM3EiLCJzaWduZXIiOiJhcm46YXdzOmVsYXN0aWNsb2FkYmFsYW5jaW5nIiwiZXhwIjoxNjI5NDcwMTAxfQ==.eyJzdWIiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJ1c2VybmFtZSI6IjEyMzQ1Njc4LWFiY2QtMTIzNC1hYmNkLTEyMzQ1Njc4YWJjZCIsImV4cCI6MTYyOTQ3MDEwMSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkcC5ldS13ZXN0LTIuYW1hem9uYXdzLmNvbS8ifQ==.sx0muJ754glJvwWgkHaPrOI3L1gaPjRLLUvOQRk0WitnqC5Dtt1knorcbOzlEcH9zwPM2jYYIAYQz_qEyM3grw==",
545 claims: nil,
546 paddedDecode: true,
547 signingMethod: jwt.SigningMethodES256,
548 keyfunc: paddedKeyFunc,
549 valid: true,
550 },
551
552 {
553 name: "Validated non-padded token with padding disabled, non-strict decode, non-tweaked signature",
554 tokenString: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJwYWRkZWRiYXIifQ.bI15h-7mN0f-2diX5I4ErgNQy1uM-rJS5Sz7O0iTWtWSBxY1h6wy8Ywxe5EZTEO6GiIfk7Lk-72Ex-c5aA40QKhPwWB9BJ8O_LfKpezUVBOn0jRItDnVdsk4ccl2zsOVkbA4U4QvdrSbOYMbwoRHzDXfTFpoeMWtn3ez0aENJ8dh4E1echHp5ByI9Pu2aBsvM1WVcMt_BySweCL3f4T7jNZeXDr7Txd00yUd2gdsHYPjXorOvsgaBKN5GLsWd1zIY5z-2gCC8CRSN-IJ4NNX5ifh7l-bOXE2q7szTqa9pvyE9y6TQJhNMSE2FotRce_TOPBWgGpQ-K2I7E8x7wZ8O" +
555 "g",
556 claims: nil,
557 paddedDecode: false,
558 strictDecode: false,
559 signingMethod: jwt.SigningMethodRS256,
560 keyfunc: defaultKeyFunc,
561 valid: true,
562 },
563 {
564 name: "Validated non-padded token with padding disabled, non-strict decode, tweaked signature",
565 tokenString: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJwYWRkZWRiYXIifQ.bI15h-7mN0f-2diX5I4ErgNQy1uM-rJS5Sz7O0iTWtWSBxY1h6wy8Ywxe5EZTEO6GiIfk7Lk-72Ex-c5aA40QKhPwWB9BJ8O_LfKpezUVBOn0jRItDnVdsk4ccl2zsOVkbA4U4QvdrSbOYMbwoRHzDXfTFpoeMWtn3ez0aENJ8dh4E1echHp5ByI9Pu2aBsvM1WVcMt_BySweCL3f4T7jNZeXDr7Txd00yUd2gdsHYPjXorOvsgaBKN5GLsWd1zIY5z-2gCC8CRSN-IJ4NNX5ifh7l-bOXE2q7szTqa9pvyE9y6TQJhNMSE2FotRce_TOPBWgGpQ-K2I7E8x7wZ8O" +
566 "h",
567 claims: nil,
568 paddedDecode: false,
569 strictDecode: false,
570 signingMethod: jwt.SigningMethodRS256,
571 keyfunc: defaultKeyFunc,
572 valid: true,
573 },
574 {
575 name: "Validated non-padded token with padding disabled, strict decode, non-tweaked signature",
576 tokenString: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJwYWRkZWRiYXIifQ.bI15h-7mN0f-2diX5I4ErgNQy1uM-rJS5Sz7O0iTWtWSBxY1h6wy8Ywxe5EZTEO6GiIfk7Lk-72Ex-c5aA40QKhPwWB9BJ8O_LfKpezUVBOn0jRItDnVdsk4ccl2zsOVkbA4U4QvdrSbOYMbwoRHzDXfTFpoeMWtn3ez0aENJ8dh4E1echHp5ByI9Pu2aBsvM1WVcMt_BySweCL3f4T7jNZeXDr7Txd00yUd2gdsHYPjXorOvsgaBKN5GLsWd1zIY5z-2gCC8CRSN-IJ4NNX5ifh7l-bOXE2q7szTqa9pvyE9y6TQJhNMSE2FotRce_TOPBWgGpQ-K2I7E8x7wZ8O" +
577 "g",
578 claims: nil,
579 paddedDecode: false,
580 strictDecode: true,
581 signingMethod: jwt.SigningMethodRS256,
582 keyfunc: defaultKeyFunc,
583 valid: true,
584 },
585 {
586 name: "Error for non-padded token with padding disabled, strict decode, tweaked signature",
587 tokenString: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJwYWRkZWRiYXIifQ.bI15h-7mN0f-2diX5I4ErgNQy1uM-rJS5Sz7O0iTWtWSBxY1h6wy8Ywxe5EZTEO6GiIfk7Lk-72Ex-c5aA40QKhPwWB9BJ8O_LfKpezUVBOn0jRItDnVdsk4ccl2zsOVkbA4U4QvdrSbOYMbwoRHzDXfTFpoeMWtn3ez0aENJ8dh4E1echHp5ByI9Pu2aBsvM1WVcMt_BySweCL3f4T7jNZeXDr7Txd00yUd2gdsHYPjXorOvsgaBKN5GLsWd1zIY5z-2gCC8CRSN-IJ4NNX5ifh7l-bOXE2q7szTqa9pvyE9y6TQJhNMSE2FotRce_TOPBWgGpQ-K2I7E8x7wZ8O" +
588 "h",
589 claims: nil,
590 paddedDecode: false,
591 strictDecode: true,
592 signingMethod: jwt.SigningMethodRS256,
593 keyfunc: defaultKeyFunc,
594 valid: false,
595 },
596
597 {
598 name: "Validated padded token with padding enabled, non-strict decode, non-tweaked signature",
599 tokenString: "eyJ0eXAiOiJKV1QiLCJraWQiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vY29nbml0by1pZHAuZXUtd2VzdC0yLmFtYXpvbmF3cy5jb20vIiwiY2xpZW50IjoiN0xUY29QWnJWNDR6ZVg2WUs5VktBcHZPM3EiLCJzaWduZXIiOiJhcm46YXdzOmVsYXN0aWNsb2FkYmFsYW5jaW5nIiwiZXhwIjoxNjI5NDcwMTAxfQ==.eyJzdWIiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJ1c2VybmFtZSI6IjEyMzQ1Njc4LWFiY2QtMTIzNC1hYmNkLTEyMzQ1Njc4YWJjZCIsImV4cCI6MTYyOTQ3MDEwMSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkcC5ldS13ZXN0LTIuYW1hem9uYXdzLmNvbS8ifQ==.sx0muJ754glJvwWgkHaPrOI3L1gaPjRLLUvOQRk0WitnqC5Dtt1knorcbOzlEcH9zwPM2jYYIAYQz_qEyM3gr" +
600 "w==",
601 claims: nil,
602 paddedDecode: true,
603 strictDecode: false,
604 signingMethod: jwt.SigningMethodES256,
605 keyfunc: paddedKeyFunc,
606 valid: true,
607 },
608 {
609 name: "Validated padded token with padding enabled, non-strict decode, tweaked signature",
610 tokenString: "eyJ0eXAiOiJKV1QiLCJraWQiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vY29nbml0by1pZHAuZXUtd2VzdC0yLmFtYXpvbmF3cy5jb20vIiwiY2xpZW50IjoiN0xUY29QWnJWNDR6ZVg2WUs5VktBcHZPM3EiLCJzaWduZXIiOiJhcm46YXdzOmVsYXN0aWNsb2FkYmFsYW5jaW5nIiwiZXhwIjoxNjI5NDcwMTAxfQ==.eyJzdWIiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJ1c2VybmFtZSI6IjEyMzQ1Njc4LWFiY2QtMTIzNC1hYmNkLTEyMzQ1Njc4YWJjZCIsImV4cCI6MTYyOTQ3MDEwMSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkcC5ldS13ZXN0LTIuYW1hem9uYXdzLmNvbS8ifQ==.sx0muJ754glJvwWgkHaPrOI3L1gaPjRLLUvOQRk0WitnqC5Dtt1knorcbOzlEcH9zwPM2jYYIAYQz_qEyM3gr" +
611 "x==",
612 claims: nil,
613 paddedDecode: true,
614 strictDecode: false,
615 signingMethod: jwt.SigningMethodES256,
616 keyfunc: paddedKeyFunc,
617 valid: true,
618 },
619 {
620 name: "Validated padded token with padding enabled, strict decode, non-tweaked signature",
621 tokenString: "eyJ0eXAiOiJKV1QiLCJraWQiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vY29nbml0by1pZHAuZXUtd2VzdC0yLmFtYXpvbmF3cy5jb20vIiwiY2xpZW50IjoiN0xUY29QWnJWNDR6ZVg2WUs5VktBcHZPM3EiLCJzaWduZXIiOiJhcm46YXdzOmVsYXN0aWNsb2FkYmFsYW5jaW5nIiwiZXhwIjoxNjI5NDcwMTAxfQ==.eyJzdWIiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJ1c2VybmFtZSI6IjEyMzQ1Njc4LWFiY2QtMTIzNC1hYmNkLTEyMzQ1Njc4YWJjZCIsImV4cCI6MTYyOTQ3MDEwMSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkcC5ldS13ZXN0LTIuYW1hem9uYXdzLmNvbS8ifQ==.sx0muJ754glJvwWgkHaPrOI3L1gaPjRLLUvOQRk0WitnqC5Dtt1knorcbOzlEcH9zwPM2jYYIAYQz_qEyM3gr" +
622 "w==",
623 claims: nil,
624 paddedDecode: true,
625 strictDecode: true,
626 signingMethod: jwt.SigningMethodES256,
627 keyfunc: paddedKeyFunc,
628 valid: true,
629 },
630 {
631 name: "Error for padded token with padding enabled, strict decode, tweaked signature",
632 tokenString: "eyJ0eXAiOiJKV1QiLCJraWQiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJhbGciOiJFUzI1NiIsImlzcyI6Imh0dHBzOi8vY29nbml0by1pZHAuZXUtd2VzdC0yLmFtYXpvbmF3cy5jb20vIiwiY2xpZW50IjoiN0xUY29QWnJWNDR6ZVg2WUs5VktBcHZPM3EiLCJzaWduZXIiOiJhcm46YXdzOmVsYXN0aWNsb2FkYmFsYW5jaW5nIiwiZXhwIjoxNjI5NDcwMTAxfQ==.eyJzdWIiOiIxMjM0NTY3OC1hYmNkLTEyMzQtYWJjZC0xMjM0NTY3OGFiY2QiLCJlbWFpbF92ZXJpZmllZCI6InRydWUiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20iLCJ1c2VybmFtZSI6IjEyMzQ1Njc4LWFiY2QtMTIzNC1hYmNkLTEyMzQ1Njc4YWJjZCIsImV4cCI6MTYyOTQ3MDEwMSwiaXNzIjoiaHR0cHM6Ly9jb2duaXRvLWlkcC5ldS13ZXN0LTIuYW1hem9uYXdzLmNvbS8ifQ==.sx0muJ754glJvwWgkHaPrOI3L1gaPjRLLUvOQRk0WitnqC5Dtt1knorcbOzlEcH9zwPM2jYYIAYQz_qEyM3gr" +
633 "x==",
634 claims: nil,
635 paddedDecode: true,
636 strictDecode: true,
637 signingMethod: jwt.SigningMethodES256,
638 keyfunc: paddedKeyFunc,
639 valid: false,
640 },
641 }
642
643
644 func TestSetPadding(t *testing.T) {
645 for _, data := range setPaddingTestData {
646 t.Run(data.name, func(t *testing.T) {
647 jwt.DecodePaddingAllowed = data.paddedDecode
648 jwt.DecodeStrict = data.strictDecode
649
650
651 if data.tokenString == "" {
652 data.tokenString = signToken(data.claims, data.signingMethod)
653 }
654
655
656 var token *jwt.Token
657 var err error
658 parser := new(jwt.Parser)
659 parser.SkipClaimsValidation = true
660
661
662 token, err = parser.ParseWithClaims(data.tokenString, jwt.MapClaims{}, data.keyfunc)
663
664 if (err == nil) != data.valid || token.Valid != data.valid {
665 t.Errorf("[%v] Error Parsing Token with decoding padding set to %v: %v",
666 data.name,
667 data.paddedDecode,
668 err,
669 )
670 }
671
672 })
673 jwt.DecodePaddingAllowed = false
674 jwt.DecodeStrict = false
675 }
676 }
677
678 func BenchmarkParseUnverified(b *testing.B) {
679
680
681 for _, data := range jwtTestData {
682
683 if data.tokenString == "" {
684 data.tokenString = signToken(data.claims, data.signingMethod)
685 }
686
687
688 var parser = data.parser
689 if parser == nil {
690 parser = new(jwt.Parser)
691 }
692
693 switch data.claims.(type) {
694 case jwt.MapClaims:
695 b.Run("map_claims", func(b *testing.B) {
696 benchmarkParsing(b, parser, data.tokenString, jwt.MapClaims{})
697 })
698 case *jwt.StandardClaims:
699 b.Run("standard_claims", func(b *testing.B) {
700 benchmarkParsing(b, parser, data.tokenString, &jwt.StandardClaims{})
701 })
702 }
703 }
704 }
705
706
707 func benchmarkParsing(b *testing.B, parser *jwt.Parser, tokenString string, claims jwt.Claims) {
708 b.Helper()
709 b.ReportAllocs()
710 b.ResetTimer()
711 b.RunParallel(func(pb *testing.PB) {
712 for pb.Next() {
713 _, _, err := parser.ParseUnverified(tokenString, jwt.MapClaims{})
714 if err != nil {
715 b.Fatal(err)
716 }
717 }
718 })
719 }
720
721
722 func benchmarkSigning(b *testing.B, method jwt.SigningMethod, key interface{}) {
723 b.Helper()
724 t := jwt.New(method)
725 b.ReportAllocs()
726 b.ResetTimer()
727 b.RunParallel(func(pb *testing.PB) {
728 for pb.Next() {
729 if _, err := t.SignedString(key); err != nil {
730 b.Fatal(err)
731 }
732 }
733 })
734 }
735
View as plain text