package server
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"unicode/utf8"

	"google.golang.org/protobuf/proto"

	"github.com/dexidp/dex/server/internal"
)
// computeHMAC returns an HMAC-SHA256 tag over values, keyed with key, as a
// base64 raw-URL (unpadded) string — the form verifyHMAC expects.
//
// The values are not simply concatenated: they are wrapped in an
// internal.HMACPayload and protobuf-encoded by marshalHMACPayload. The wire
// format length-prefixes every repeated element, so ("ab", "c") and
// ("a", "bc") yield different tags. The tag is only as strong as the secrecy
// of key; anyone holding key can mint valid tags. Values are expected to be
// valid UTF-8 (the payload field is a proto3 string, see marshalHMACPayload).
func computeHMAC(key []byte, values ...string) string {
	mac := hmac.New(sha256.New, key)
	// hash.Hash.Write never returns an error, so the result is not checked.
	mac.Write(marshalHMACPayload(values))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
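// verifyHMAC reports whether encodedMAC is the base64 raw-URL encoded
// HMAC-SHA256 tag that computeHMAC produces for values under key.
//
// The comparison uses hmac.Equal, so it does not leak through timing where
// the two tags first differ. It returns false (never an error) for anything
// that cannot be a valid tag: undecodable base64, a decoded length other than
// sha256.Size, or a value that is not valid UTF-8 (see below). key must be
// the same secret that was used to compute the tag.
func verifyHMAC(key []byte, encodedMAC string, values ...string) bool {
	// Fail closed on values that cannot have produced a well-formed payload.
	// HMACPayload.Values is a proto3 string field, which the Go encoder
	// UTF-8-validates (confirm against server/internal/types.proto). On an
	// invalid string proto.Marshal reports an error that marshalHMACPayload
	// does not surface, and the buffer it hands back may stop at that element,
	// so a tag over such a list could cover fewer values than were passed.
	// Rejecting here guarantees no tag over a list containing invalid UTF-8 is
	// ever accepted, whatever the encoder did on the signing side.
	for _, v := range values {
		if !utf8.ValidString(v) {
			return false
		}
	}

	mac, err := base64.RawURLEncoding.DecodeString(encodedMAC)
	if err != nil {
		return false
	}
	// hmac.Equal already returns false on a length mismatch; checking the
	// size explicitly documents the expected tag and skips the recomputation.
	if len(mac) != sha256.Size {
		return false
	}

	h := hmac.New(sha256.New, key)
	// hash.Hash.Write never returns an error, so the result is not checked.
	h.Write(marshalHMACPayload(values))
	return hmac.Equal(mac, h.Sum(nil))
}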
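// marshalHMACPayload returns the bytes that computeHMAC and verifyHMAC
// authenticate: values wrapped in an internal.HMACPayload and encoded in
// protobuf wire format.
//
// Protobuf is used instead of ad-hoc concatenation because the wire format
// length-prefixes every repeated element, so distinct value lists cannot
// collide on a shared byte string. Signer and verifier must produce
// byte-identical output for the same input, which is why determinism is
// requested explicitly below rather than assumed.
func marshalHMACPayload(values []string) []byte {
	payload := &internal.HMACPayload{Values: values}

	// Deterministic in practice governs map-field key ordering; HMACPayload
	// has a single repeated string field, which is always emitted in element
	// order, so for today's schema this does not change the bytes. It guards
	// against a future field addition silently making the encoding — and
	// therefore the MAC — unstable between the two sides.
	//
	// The error is deliberately dropped: this helper has no error return and
	// neither caller can fail. For this message Marshal only fails on invalid
	// UTF-8 in a value (proto3 string fields are validated — confirm against
	// server/internal/types.proto), and the encoder may then return a buffer
	// that stops at the offending element. A tag over such a buffer covers
	// fewer values than the caller passed, so callers must not sign non-UTF-8
	// values and the verifier should reject them rather than trust the tag.
	data, _ := proto.MarshalOptions{Deterministic: true}.Marshal(payload)
	return data
}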