GitHub Repository: gitpod-io/gitpod
Path: blob/main/components/public-api-server/pkg/jws/hs256.go
// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package jws
import (
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
"github.com/golang-jwt/jwt/v5"
)
// NewHS256FromKeySet builds an HS256 signer/verifier whose HMAC secret is
// derived from the key set's RSA signing private key.
//
// The private key is serialized as PKCS #1 DER and wrapped in a PEM block with
// an empty type; those PEM bytes are used verbatim as the symmetric key. The
// derivation is deterministic, so the same key set always yields the same
// secret.
//
// Security notes:
//   - The HMAC secret is the encoded private key itself, not a hash or KDF
//     output of it. Anything that discloses the secret discloses the RSA key,
//     and every party that has to verify these tokens needs the private key.
//   - The exact encoding (PKCS #1, PEM, empty block type) is part of the
//     secret. Changing any of it changes the key and invalidates tokens that
//     were signed before the change.
//   - NOTE(review): keyset.Signing.Private is not checked for nil here;
//     presumably callers guarantee a populated key set. Confirm.
func NewHS256FromKeySet(keyset KeySet) *HS256 {
	block := pem.Block{
		// Deliberately empty: the block type is part of the derived key bytes.
		Type:  "",
		Bytes: x509.MarshalPKCS1PrivateKey(keyset.Signing.Private),
	}

	return NewHS256(pem.EncodeToMemory(&block))
}
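// NewHS256 returns an HS256 signer/verifier that uses symmetricKey as its
// HMAC-SHA256 secret.
//
// The key is copied, so the caller may overwrite or reuse its buffer (for
// example to zero the secret after start-up) without silently changing the key
// held by the returned value.
//
// The key is not validated here. RFC 7518 section 3.2 requires an HS256 key of
// at least 256 bits; callers should supply at least 32 bytes of high-entropy
// material and treat an empty value (such as an unset configuration entry) as
// a configuration error.
func NewHS256(symmetricKey []byte) *HS256 {
	return &HS256{
		// Detach from the caller's backing array; a nil or empty input stays empty.
		key: append([]byte(nil), symmetricKey...),
	}
}

// HS256 signs and verifies JWTs with HMAC-SHA256 using one shared secret.
// The same secret both creates and validates tokens, so anyone able to verify
// a token can also mint one.
type HS256 struct {
	// key is the HMAC secret. It is set once at construction.
	key []byte
}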
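// Sign serializes token and signs it with HMAC-SHA256 using the receiver's key.
//
// It returns an error when token is nil, when token was not created with
// jwt.SigningMethodHS256, when the receiver holds no key material, or when the
// JWT library fails to produce the signature.
func (s *HS256) Sign(token *jwt.Token) (string, error) {
	if token == nil {
		return "", errors.New("invalid token, token must not be nil")
	}

	if token.Method != jwt.SigningMethodHS256 {
		return "", errors.New("invalid signing method, token must use HS256")
	}

	// HMAC is defined for an empty key, so signing would yield a well-formed
	// token whose signature anyone can recompute. Refuse instead of minting it;
	// an empty key typically means a secret failed to load.
	if s == nil || len(s.key) == 0 {
		return "", errors.New("invalid signing key, key must not be empty")
	}

	signed, err := token.SignedString(s.key)
	if err != nil {
		return "", fmt.Errorf("failed to sign jwt: %w", err)
	}

	return signed, nil
}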
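// Verify parses token into claims and checks its signature with the receiver's
// key. opts are passed to the JWT parser unchanged, so callers can add their
// own requirements (for example jwt.WithValidMethods or issuer/audience checks).
//
// Only tokens whose header declares HS256 are accepted, mirroring the check in
// Sign. An error is returned when the token is malformed, declares another
// algorithm, fails signature or claim validation, or when the receiver holds
// no key material.
func (v *HS256) Verify(token string, claims jwt.Claims, opts ...jwt.ParserOption) (*jwt.Token, error) {
	keyFunc := func(t *jwt.Token) (interface{}, error) {
		// The alg header comes from the token and is therefore untrusted input.
		// Handing out the key unconditionally leaves the choice of algorithm to
		// the token: a []byte key would also be usable by the library's other
		// HMAC variants. Pin the method to the one this type is named after.
		if t.Method == nil || t.Method.Alg() != jwt.SigningMethodHS256.Alg() {
			return nil, errors.New("invalid signing method, token must use HS256")
		}

		// An empty secret would validate signatures that anyone can compute.
		if v == nil || len(v.key) == 0 {
			return nil, errors.New("invalid verification key, key must not be empty")
		}

		return v.key, nil
	}

	parsed, err := jwt.ParseWithClaims(token, claims, keyFunc, opts...)
	if err != nil {
		return nil, fmt.Errorf("failed to parse jwt: %w", err)
	}

	return parsed, nil
}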