From 20c1f699bdfb5c97ea41ffab938f627de08ac901 Mon Sep 17 00:00:00 2001
From: Nils Goroll
Date: Thu, 5 Feb 2026 18:04:38 +0100
Subject: [PATCH] Refactor modules/jwtx: signing method resolution

golang-jwt/jwt already has a GetSigningMethod() function which we should use to ensure that our signing methods are actually registered. Yet we should also keep our own check against a set of allowed methods such that we do not accidentally accept methods which we are not prepared to support.
---
 modules/jwtx/signingkey.go | 49 +++++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 25 deletions(-)

diff --git a/modules/jwtx/signingkey.go b/modules/jwtx/signingkey.go
index 51622cd724..d3652d9414 100644
--- a/modules/jwtx/signingkey.go
+++ b/modules/jwtx/signingkey.go
@@ -228,33 +228,32 @@ func (key ecdsaSigningKey) PreProcessToken(token *jwt.Token) {
 	token.Header["kid"] = key.id
 }
 
+var allowedAlgorithms = map[string]bool{
+	"HS256": true,
+	"HS384": true,
+	"HS512": true,
+
+	"RS256": true,
+	"RS384": true,
+	"RS512": true,
+
+	"ES256": true,
+	"ES384": true,
+	"ES512": true,
+	"EdDSA": true,
+}
+
+func GetSigningMethod(algorithm string) jwt.SigningMethod {
+	if !allowedAlgorithms[algorithm] {
+		return nil
+	}
+	return jwt.GetSigningMethod(algorithm)
+}
+
 // CreateSigningKey creates a signing key from an algorithm / key pair.
 func CreateSigningKey(algorithm string, key any) (SigningKey, error) {
-	var signingMethod jwt.SigningMethod
-	switch algorithm {
-	case "HS256":
-		signingMethod = jwt.SigningMethodHS256
-	case "HS384":
-		signingMethod = jwt.SigningMethodHS384
-	case "HS512":
-		signingMethod = jwt.SigningMethodHS512
-
-	case "RS256":
-		signingMethod = jwt.SigningMethodRS256
-	case "RS384":
-		signingMethod = jwt.SigningMethodRS384
-	case "RS512":
-		signingMethod = jwt.SigningMethodRS512
-
-	case "ES256":
-		signingMethod = jwt.SigningMethodES256
-	case "ES384":
-		signingMethod = jwt.SigningMethodES384
-	case "ES512":
-		signingMethod = jwt.SigningMethodES512
-	case "EdDSA":
-		signingMethod = jwt.SigningMethodEdDSA
-	default:
+	signingMethod := GetSigningMethod(algorithm)
+	if signingMethod == nil {
 		return nil, ErrInvalidAlgorithmType{algorithm}
 	}
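Review bot: The new exported `GetSigningMethod` has no doc comment, and its contract — nil both for a name outside `allowedAlgorithms` and for an allowed name that golang-jwt has not registered — is exactly what callers need to know, since `CreateSigningKey` folds both cases into `ErrInvalidAlgorithmType` without distinguishing them; I would add `// GetSigningMethod returns the jwt.SigningMethod registered for algorithm, or nil if the algorithm is not in allowedAlgorithms or is not registered with golang-jwt.`. Note also that `jwt.GetSigningMethod` reads the library's process-global registry, which any code can change via `jwt.RegisterSigningMethod`, so the allow-list constrains the algorithm name but not the implementation returned for it, whereas the removed `switch` bound each name to a fixed package-level method; if that distinction matters here, a short comment on `allowedAlgorithms` stating that it is intentionally closed (golang-jwt also registers `none`, which is correctly absent) would make the intent explicit for the next person adding an entry. The body of `CreateSigningKey` continues past the end of the hunk, so whether the remainder still type-switches on the returned method and rejects anything unexpected cannot be checked from here.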