Moving DecodeSegement to Parser

This would allow us to remove some global variables and move them to parser options as well as potentially introduce interfaces for json and b64 encoding/decoding to replace the std lib, if someone wanted to do that for performance reasons.

We keep the functions exported because of explicit user demand.

Author: oxisto

ecdsa.go

@@ -55,15 +55,7 @@ func (m *SigningMethodECDSA) Alg() string {
 
 // Verify implements token verification for the SigningMethod.
 // For this verify method, key must be an ecdsa.PublicKey struct
-func (m *SigningMethodECDSA) Verify(signingString, signature string, key interface{}) error {
-	var err error
-
-	// Decode the signature
-	var sig []byte
-	if sig, err = DecodeSegment(signature); err != nil {
-		return err
-	}
-
+func (m *SigningMethodECDSA) Verify(signingString string, sig []byte, key interface{}) error {
 	// Get the key
 	var ecdsaKey *ecdsa.PublicKey
 	switch k := key.(type) {

ecdsa_test.go

@@ -65,7 +65,7 @@ func TestECDSAVerify(t *testing.T) {
 		parts := strings.Split(data.tokenString, ".")
 
 		method := jwt.GetSigningMethod(data.alg)
-		err = method.Verify(strings.Join(parts[0:2], "."), parts[2], ecdsaKey)
+		err = method.Verify(strings.Join(parts[0:2], "."), decodeSegment(t, parts[2]), ecdsaKey)
 		if data.valid && err != nil {
 			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
 		}
@@ -98,7 +98,7 @@ func TestECDSASign(t *testing.T) {
 				t.Errorf("[%v] Identical signatures\nbefore:\n%v\nafter:\n%v", data.name, parts[2], sig)
 			}
 
-			err = method.Verify(toSign, sig, ecdsaKey.Public())
+			err = method.Verify(toSign, decodeSegment(t, sig), ecdsaKey.Public())
 			if err != nil {
 				t.Errorf("[%v] Sign produced an invalid signature: %v", data.name, err)
 			}
@@ -162,3 +162,13 @@ func BenchmarkECDSASigning(b *testing.B) {
 		})
 	}
 }
+
+func decodeSegment(t *testing.T, signature string) (sig []byte) {
+	var err error
+	sig, err = jwt.NewParser().DecodeSegment(signature)
+	if err != nil {
+		t.Fatalf("could not decode segment: %v", err)
+	}
+
+	return
+}

ed25519.go

@@ -34,8 +34,7 @@ func (m *SigningMethodEd25519) Alg() string {
 
 // Verify implements token verification for the SigningMethod.
 // For this verify method, key must be an ed25519.PublicKey
-func (m *SigningMethodEd25519) Verify(signingString, signature string, key interface{}) error {
-	var err error
+func (m *SigningMethodEd25519) Verify(signingString string, sig []byte, key interface{}) error {
 	var ed25519Key ed25519.PublicKey
 	var ok bool
 
@@ -47,12 +46,6 @@ func (m *SigningMethodEd25519) Verify(signingString, signature string, key inter
 		return ErrInvalidKey
 	}
 
-	// Decode the signature
-	var sig []byte
-	if sig, err = DecodeSegment(signature); err != nil {
-		return err
-	}
-
 	// Verify the signature
 	if !ed25519.Verify(ed25519Key, []byte(signingString), sig) {
 		return ErrEd25519Verification

ed25519_test.go

@@ -49,7 +49,7 @@ func TestEd25519Verify(t *testing.T) {
 
 		method := jwt.GetSigningMethod(data.alg)
 
-		err = method.Verify(strings.Join(parts[0:2], "."), parts[2], ed25519Key)
+		err = method.Verify(strings.Join(parts[0:2], "."), decodeSegment(t, parts[2]), ed25519Key)
 		if data.valid && err != nil {
 			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
 		}

hmac.go

@@ -46,19 +46,13 @@ func (m *SigningMethodHMAC) Alg() string {
 }
 
 // Verify implements token verification for the SigningMethod. Returns nil if the signature is valid.
-func (m *SigningMethodHMAC) Verify(signingString, signature string, key interface{}) error {
+func (m *SigningMethodHMAC) Verify(signingString string, sig []byte, key interface{}) error {
 	// Verify the key is the right type
 	keyBytes, ok := key.([]byte)
 	if !ok {
 		return ErrInvalidKeyType
 	}
 
-	// Decode signature, for comparison
-	sig, err := DecodeSegment(signature)
-	if err != nil {
-		return err
-	}
-
 	// Can we use the specified hashing method?
 	if !m.Hash.Available() {
 		return ErrHashUnavailable

hmac_test.go

@@ -53,7 +53,7 @@ func TestHMACVerify(t *testing.T) {
 		parts := strings.Split(data.tokenString, ".")
 
 		method := jwt.GetSigningMethod(data.alg)
-		err := method.Verify(strings.Join(parts[0:2], "."), parts[2], hmacTestKey)
+		err := method.Verify(strings.Join(parts[0:2], "."), decodeSegment(t, parts[2]), hmacTestKey)
 		if data.valid && err != nil {
 			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
 		}

none.go

@@ -25,14 +25,14 @@ func (m *signingMethodNone) Alg() string {
 }
 
 // Only allow 'none' alg type if UnsafeAllowNoneSignatureType is specified as the key
-func (m *signingMethodNone) Verify(signingString, signature string, key interface{}) (err error) {
+func (m *signingMethodNone) Verify(signingString string, sig []byte, key interface{}) (err error) {
 	// Key must be UnsafeAllowNoneSignatureType to prevent accidentally
 	// accepting 'none' signing method
 	if _, ok := key.(unsafeNoneMagicConstant); !ok {
 		return NoneSignatureTypeDisallowedError
 	}
 	// If signing method is none, signature must be an empty string
-	if signature != "" {
+	if string(sig) != "" {
 		return newError("'none' signing method with non-empty signature", ErrTokenUnverifiable)
 	}
 

none_test.go

@@ -46,7 +46,7 @@ func TestNoneVerify(t *testing.T) {
 		parts := strings.Split(data.tokenString, ".")
 
 		method := jwt.GetSigningMethod(data.alg)
-		err := method.Verify(strings.Join(parts[0:2], "."), parts[2], data.key)
+		err := method.Verify(strings.Join(parts[0:2], "."), decodeSegment(t, parts[2]), data.key)
 		if data.valid && err != nil {
 			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
 		}

parser.go

@@ -2,6 +2,7 @@ package jwt
 
 import (
 	"bytes"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"strings"
@@ -79,8 +80,13 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
 		return token, newError("error while executing keyfunc", ErrTokenUnverifiable, err)
 	}
 
+	// Decode signature
+	token.Signature, err = p.DecodeSegment(parts[2])
+	if err != nil {
+		return token, newError("could not base64 decode signature", ErrTokenMalformed, err)
+	}
+
 	// Perform signature validation
-	token.Signature = parts[2]
 	if err = token.Method.Verify(strings.Join(parts[0:2], "."), token.Signature, key); err != nil {
 		return token, newError("", ErrTokenSignatureInvalid, err)
 	}
@@ -119,7 +125,7 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
 
 	// parse Header
 	var headerBytes []byte
-	if headerBytes, err = DecodeSegment(parts[0]); err != nil {
+	if headerBytes, err = p.DecodeSegment(parts[0]); err != nil {
 		if strings.HasPrefix(strings.ToLower(tokenString), "bearer ") {
 			return token, parts, newError("tokenstring should not contain 'bearer '", ErrTokenMalformed)
 		}
@@ -133,7 +139,7 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
 	var claimBytes []byte
 	token.Claims = claims
 
-	if claimBytes, err = DecodeSegment(parts[1]); err != nil {
+	if claimBytes, err = p.DecodeSegment(parts[1]); err != nil {
 		return token, parts, newError("could not base64 decode claim", ErrTokenMalformed, err)
 	}
 	dec := json.NewDecoder(bytes.NewBuffer(claimBytes))
@@ -162,3 +168,23 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
 
 	return token, parts, nil
 }
+
+// DecodeSegment decodes a JWT specific base64url encoding with padding stripped
+//
+// Deprecated: In a future release, we will demote this function to a
+// non-exported function, since it should only be used internally
+func (p *Parser) DecodeSegment(seg string) ([]byte, error) {
+	encoding := base64.RawURLEncoding
+
+	if DecodePaddingAllowed {
+		if l := len(seg) % 4; l > 0 {
+			seg += strings.Repeat("=", 4-l)
+		}
+		encoding = base64.URLEncoding
+	}
+
+	if DecodeStrict {
+		encoding = encoding.Strict()
+	}
+	return encoding.DecodeString(seg)
+}

parser_test.go

@@ -415,7 +415,7 @@ func TestParser_Parse(t *testing.T) {
 			}
 
 			if data.valid {
-				if token.Signature == "" {
+				if len(token.Signature) == 0 {
 					t.Errorf("[%v] Signature is left unpopulated after parsing", data.name)
 				}
 				if !token.Valid {
@@ -473,7 +473,7 @@ func TestParser_ParseUnverified(t *testing.T) {
 				// The 'Valid' field should not be set to true when invoking ParseUnverified()
 				t.Errorf("[%v] Token.Valid field mismatch. Expecting false, got %v", data.name, token.Valid)
 			}
-			if token.Signature != "" {
+			if len(token.Signature) != 0 {
 				// The signature was not validated, hence the 'Signature' field is not populated.
 				t.Errorf("[%v] Token.Signature field mismatch. Expecting '', got %v", data.name, token.Signature)
 			}

rsa.go

@@ -46,15 +46,7 @@ func (m *SigningMethodRSA) Alg() string {
 
 // Verify implements token verification for the SigningMethod
 // For this signing method, must be an *rsa.PublicKey structure.
-func (m *SigningMethodRSA) Verify(signingString, signature string, key interface{}) error {
-	var err error
-
-	// Decode the signature
-	var sig []byte
-	if sig, err = DecodeSegment(signature); err != nil {
-		return err
-	}
-
+func (m *SigningMethodRSA) Verify(signingString string, sig []byte, key interface{}) error {
 	var rsaKey *rsa.PublicKey
 	var ok bool
 

rsa_pss.go

@@ -82,15 +82,7 @@ func init() {
 
 // Verify implements token verification for the SigningMethod.
 // For this verify method, key must be an rsa.PublicKey struct
-func (m *SigningMethodRSAPSS) Verify(signingString, signature string, key interface{}) error {
-	var err error
-
-	// Decode the signature
-	var sig []byte
-	if sig, err = DecodeSegment(signature); err != nil {
-		return err
-	}
-
+func (m *SigningMethodRSAPSS) Verify(signingString string, sig []byte, key interface{}) error {
 	var rsaKey *rsa.PublicKey
 	switch k := key.(type) {
 	case *rsa.PublicKey:

rsa_pss_test.go

@@ -64,7 +64,7 @@ func TestRSAPSSVerify(t *testing.T) {
 		parts := strings.Split(data.tokenString, ".")
 
 		method := jwt.GetSigningMethod(data.alg)
-		err := method.Verify(strings.Join(parts[0:2], "."), parts[2], rsaPSSKey)
+		err := method.Verify(strings.Join(parts[0:2], "."), decodeSegment(t, parts[2]), rsaPSSKey)
 		if data.valid && err != nil {
 			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
 		}
@@ -114,19 +114,19 @@ func TestRSAPSSSaltLengthCompatibility(t *testing.T) {
 			SaltLength: rsa.PSSSaltLengthAuto,
 		},
 	}
-	if !verify(jwt.SigningMethodPS256, makeToken(ps256SaltLengthEqualsHash)) {
+	if !verify(t, jwt.SigningMethodPS256, makeToken(ps256SaltLengthEqualsHash)) {
 		t.Error("SigningMethodPS256 should accept salt length that is defined in RFC")
 	}
-	if !verify(ps256SaltLengthEqualsHash, makeToken(jwt.SigningMethodPS256)) {
+	if !verify(t, ps256SaltLengthEqualsHash, makeToken(jwt.SigningMethodPS256)) {
 		t.Error("Sign by SigningMethodPS256 should have salt length that is defined in RFC")
 	}
-	if !verify(jwt.SigningMethodPS256, makeToken(ps256SaltLengthAuto)) {
+	if !verify(t, jwt.SigningMethodPS256, makeToken(ps256SaltLengthAuto)) {
 		t.Error("SigningMethodPS256 should accept auto salt length to be compatible with previous versions")
 	}
-	if !verify(ps256SaltLengthAuto, makeToken(jwt.SigningMethodPS256)) {
+	if !verify(t, ps256SaltLengthAuto, makeToken(jwt.SigningMethodPS256)) {
 		t.Error("Sign by SigningMethodPS256 should be accepted by previous versions")
 	}
-	if verify(ps256SaltLengthEqualsHash, makeToken(ps256SaltLengthAuto)) {
+	if verify(t, ps256SaltLengthEqualsHash, makeToken(ps256SaltLengthAuto)) {
 		t.Error("Auto salt length should be not accepted, when RFC salt length is required")
 	}
 }
@@ -144,8 +144,8 @@ func makeToken(method jwt.SigningMethod) string {
 	return signed
 }
 
-func verify(signingMethod jwt.SigningMethod, token string) bool {
+func verify(t *testing.T, signingMethod jwt.SigningMethod, token string) bool {
 	segments := strings.Split(token, ".")
-	err := signingMethod.Verify(strings.Join(segments[:2], "."), segments[2], test.LoadRSAPublicKeyFromDisk("test/sample_key.pub"))
+	err := signingMethod.Verify(strings.Join(segments[:2], "."), decodeSegment(t, segments[2]), test.LoadRSAPublicKeyFromDisk("test/sample_key.pub"))
 	return err == nil
 }

rsa_test.go

@@ -48,7 +48,7 @@ func TestRSAVerify(t *testing.T) {
 		parts := strings.Split(data.tokenString, ".")
 
 		method := jwt.GetSigningMethod(data.alg)
-		err := method.Verify(strings.Join(parts[0:2], "."), parts[2], key)
+		err := method.Verify(strings.Join(parts[0:2], "."), decodeSegment(t, parts[2]), key)
 		if data.valid && err != nil {
 			t.Errorf("[%v] Error while verifying key: %v", data.name, err)
 		}
@@ -85,7 +85,7 @@ func TestRSAVerifyWithPreParsedPrivateKey(t *testing.T) {
 	}
 	testData := rsaTestData[0]
 	parts := strings.Split(testData.tokenString, ".")
-	err = jwt.SigningMethodRS256.Verify(strings.Join(parts[0:2], "."), parts[2], parsedKey)
+	err = jwt.SigningMethodRS256.Verify(strings.Join(parts[0:2], "."), decodeSegment(t, parts[2]), parsedKey)
 	if err != nil {
 		t.Errorf("[%v] Error while verifying key: %v", testData.name, err)
 	}

signing_method.go

@@ -9,9 +9,9 @@ var signingMethodLock = new(sync.RWMutex)
 
 // SigningMethod can be used add new methods for signing or verifying tokens.
 type SigningMethod interface {
-	Verify(signingString, signature string, key interface{}) error // Returns nil if signature is valid
-	Sign(signingString string, key interface{}) (string, error)    // Returns encoded signature or error
-	Alg() string                                                   // returns the alg identifier for this method (example: 'HS256')
+	Verify(signingString string, sig []byte, key interface{}) error // Returns nil if signature is valid
+	Sign(signingString string, key interface{}) (string, error)     // Returns encoded signature or error
+	Alg() string                                                    // returns the alg identifier for this method (example: 'HS256')
 }
 
 // RegisterSigningMethod registers the "alg" name and a factory function for signing method.

token.go

@@ -37,7 +37,7 @@ type Token struct {
 	Method    SigningMethod          // Method is the signing method used or to be used
 	Header    map[string]interface{} // Header is the first segment of the token
 	Claims    Claims                 // Claims is the second segment of the token
-	Signature string                 // Signature is the  third segment of the token.  Populated when you Parse a token
+	Signature []byte                 // Signature is the third segment of the token.  Populated when you Parse a token
 	Valid     bool                   // Valid specifies if the token is valid.  Populated when you Parse/Verify a token
 }
 
@@ -123,23 +123,3 @@ func ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc, options
 func EncodeSegment(seg []byte) string {
 	return base64.RawURLEncoding.EncodeToString(seg)
 }
-
-// DecodeSegment decodes a JWT specific base64url encoding with padding stripped
-//
-// Deprecated: In a future release, we will demote this function to a
-// non-exported function, since it should only be used internally
-func DecodeSegment(seg string) ([]byte, error) {
-	encoding := base64.RawURLEncoding
-
-	if DecodePaddingAllowed {
-		if l := len(seg) % 4; l > 0 {
-			seg += strings.Repeat("=", 4-l)
-		}
-		encoding = base64.URLEncoding
-	}
-
-	if DecodeStrict {
-		encoding = encoding.Strict()
-	}
-	return encoding.DecodeString(seg)
-}

token_test.go

@@ -12,7 +12,7 @@ func TestToken_SigningString(t1 *testing.T) {
 		Method    jwt.SigningMethod
 		Header    map[string]interface{}
 		Claims    jwt.Claims
-		Signature string
+		Signature []byte
 		Valid     bool
 	}
 	tests := []struct {
@@ -30,9 +30,8 @@ func TestToken_SigningString(t1 *testing.T) {
 					"typ": "JWT",
 					"alg": jwt.SigningMethodHS256.Alg(),
 				},
-				Claims:    jwt.RegisteredClaims{},
-				Signature: "",
-				Valid:     false,
+				Claims: jwt.RegisteredClaims{},
+				Valid:  false,
 			},
 			want:    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30",
 			wantErr: false,