|
| 1 | +package crypto |
| 2 | + |
| 3 | +import ( |
| 4 | + "crypto/hmac" |
| 5 | + "crypto/rand" |
| 6 | + "crypto/sha256" |
| 7 | + "crypto/subtle" |
| 8 | + "encoding/base64" |
| 9 | + "encoding/binary" |
| 10 | + "errors" |
| 11 | + "math" |
| 12 | + |
| 13 | + "github.com/gofrs/uuid" |
| 14 | +) |
| 15 | + |
| 16 | +func GenerateRefreshTokenHmacKey() []byte { |
| 17 | + key := make([]byte, 32) |
| 18 | + must(rand.Read(key)) |
| 19 | + |
| 20 | + return key |
| 21 | +} |
| 22 | + |
| 23 | +const refreshTokenChecksumLength = 4 |
| 24 | +const refreshTokenSignatureLength = 16 |
| 25 | +const minRefreshTokenLength = 1 + 16 + 1 + refreshTokenSignatureLength + refreshTokenChecksumLength |
| 26 | +const maxRefreshTokenLength = minRefreshTokenLength + 8 |
| 27 | + |
| 28 | +// RefreshToken is an object that encodes a cryptographically authenticated |
| 29 | +// (signed) message containing a version, session ID and monotonically |
| 30 | +// increasing non-negative counter. |
| 31 | +// |
| 32 | +// The signature is a truncated (first 128 bits) of HMAC-SHA-256, which saves |
| 33 | +// on encoded length without sacrificing security. The checksum of 4 bytes at |
| 34 | +// the end is to lessen the load on the server with invalid strings (those that |
| 35 | +// are not likely to be a proper refresh token). |
| 36 | +type RefreshToken struct { |
| 37 | + Raw []byte |
| 38 | + |
| 39 | + Version byte |
| 40 | + SessionID uuid.UUID |
| 41 | + Counter int64 |
| 42 | + Signature []byte |
| 43 | +} |
| 44 | + |
| 45 | +func (RefreshToken) TableName() string { |
| 46 | + panic("crypto.RefreshToken is not meant to be saved in the database") |
| 47 | +} |
| 48 | + |
| 49 | +func (r *RefreshToken) CheckSignature(hmacSha256Key []byte) bool { |
| 50 | + bytes := r.Raw[:len(r.Raw)-refreshTokenSignatureLength-refreshTokenChecksumLength] |
| 51 | + |
| 52 | + h := hmac.New(sha256.New, hmacSha256Key) |
| 53 | + h.Write(bytes) |
| 54 | + signature := h.Sum(nil)[:refreshTokenSignatureLength] |
| 55 | + |
| 56 | + return hmac.Equal(signature, r.Signature) |
| 57 | +} |
| 58 | + |
| 59 | +func (r *RefreshToken) Encode(hmacSha256Key []byte) string { |
| 60 | + result := make([]byte, 0, maxRefreshTokenLength) |
| 61 | + |
| 62 | + result = append(result, 0) |
| 63 | + result = append(result, r.SessionID.Bytes()...) |
| 64 | + result = binary.AppendUvarint(result, safeUint64(r.Counter)) |
| 65 | + |
| 66 | + // Note on truncating the HMAC-SHA-256 output: |
| 67 | + // This does not impact security as the brute-force space is 2^128 and |
| 68 | + // the collision space is 2^64, both unattainable in practice. |
| 69 | + |
| 70 | + h := hmac.New(sha256.New, hmacSha256Key) |
| 71 | + h.Write(result) |
| 72 | + signature := h.Sum(nil)[:refreshTokenSignatureLength] |
| 73 | + |
| 74 | + result = append(result, signature...) |
| 75 | + |
| 76 | + checksum := sha256.Sum256(result) |
| 77 | + result = append(result, checksum[:refreshTokenChecksumLength]...) |
| 78 | + |
| 79 | + r.Version = 0 |
| 80 | + r.Raw = result |
| 81 | + r.Signature = signature |
| 82 | + |
| 83 | + return base64.RawURLEncoding.EncodeToString(result) |
| 84 | +} |
| 85 | + |
| 86 | +var ( |
| 87 | + ErrRefreshTokenLength = errors.New("crypto: refresh token length is not valid") |
| 88 | + ErrRefreshTokenUnknownVersion = errors.New("crypto: refresh token version is not 0") |
| 89 | + ErrRefreshTokenChecksumInvalid = errors.New("crypto: refresh token checksum is not valid") |
| 90 | + ErrRefreshTokenCounterInvalid = errors.New("crypto: refresh token's counter is not valid") |
| 91 | +) |
| 92 | + |
| 93 | +func safeInt64(v uint64) int64 { |
| 94 | + if v > math.MaxInt64 { |
| 95 | + return math.MaxInt64 |
| 96 | + } |
| 97 | + |
| 98 | + return int64(v) |
| 99 | +} |
| 100 | + |
| 101 | +func safeUint64(v int64) uint64 { |
| 102 | + if v < 0 { |
| 103 | + return 0 |
| 104 | + } |
| 105 | + |
| 106 | + return uint64(v) |
| 107 | +} |
| 108 | + |
| 109 | +func ParseRefreshToken(token string) (*RefreshToken, error) { |
| 110 | + bytes, err := base64.RawURLEncoding.DecodeString(token) |
| 111 | + if err != nil { |
| 112 | + return nil, err |
| 113 | + } |
| 114 | + |
| 115 | + if len(bytes) < minRefreshTokenLength { |
| 116 | + return nil, ErrRefreshTokenLength |
| 117 | + } |
| 118 | + |
| 119 | + if bytes[0] != 0 { |
| 120 | + return nil, ErrRefreshTokenUnknownVersion |
| 121 | + } |
| 122 | + |
| 123 | + parseFrom := bytes[1 : len(bytes)-refreshTokenChecksumLength] |
| 124 | + |
| 125 | + checksum256 := sha256.Sum256(bytes[:len(bytes)-refreshTokenChecksumLength]) |
| 126 | + if subtle.ConstantTimeCompare(checksum256[:refreshTokenChecksumLength], bytes[len(bytes)-refreshTokenChecksumLength:]) != 1 { |
| 127 | + return nil, ErrRefreshTokenChecksumInvalid |
| 128 | + } |
| 129 | + |
| 130 | + sessionID := uuid.FromBytesOrNil(parseFrom[0:16]) |
| 131 | + |
| 132 | + parseFrom = parseFrom[16:] |
| 133 | + |
| 134 | + counter, counterBytes := binary.Uvarint(parseFrom) |
| 135 | + if counterBytes <= 0 { |
| 136 | + return nil, ErrRefreshTokenCounterInvalid |
| 137 | + } |
| 138 | + |
| 139 | + parseFrom = parseFrom[counterBytes:] |
| 140 | + |
| 141 | + if len(parseFrom) != 16 { |
| 142 | + return nil, ErrRefreshTokenLength |
| 143 | + } |
| 144 | + |
| 145 | + signature := parseFrom |
| 146 | + |
| 147 | + return &RefreshToken{ |
| 148 | + Raw: bytes, |
| 149 | + |
| 150 | + Version: 0, |
| 151 | + SessionID: sessionID, |
| 152 | + Counter: safeInt64(counter), |
| 153 | + Signature: signature, |
| 154 | + }, nil |
| 155 | +} |
0 commit comments