Add ES256 (ECDSA P-256) JWT support for Apple Sign In
- Added SignES256 function with issuer, audience, and subject parameters - Added ParseES256 function for validation with issuer and audience - Comprehensive test coverage for ES256 signing and parsing - Supports Apple Sign In requirements with ES256 algorithm
This commit is contained in:
133
jwt/jwt_test.go
133
jwt/jwt_test.go
@@ -6,6 +6,9 @@
|
||||
package jwt
|
||||
|
||||
import (
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
"testing"
|
||||
"time"
|
||||
@@ -85,3 +88,133 @@ func TestHS256(t *testing.T) {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func TestES256(t *testing.T) {
|
||||
// Generate ECDSA P-256 key pair for testing
|
||||
privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
claims := map[string]any{
|
||||
"email": "user@example.com",
|
||||
}
|
||||
issuer := "https://appleid.apple.com"
|
||||
audience := "com.example.app"
|
||||
subject := "001234.56789abcdef.1234"
|
||||
|
||||
// Sign with issuer, audience, and subject
|
||||
token, err := SignES256(privKey, issuer, audience, subject, time.Hour, claims)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
t.Log("ES256 token:", token)
|
||||
|
||||
// Parse with issuer and audience validation
|
||||
parsedClaims, err := ParseES256(&privKey.PublicKey, token, issuer, audience)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Verify claims
|
||||
if parsedClaims["sub"] != subject {
|
||||
t.Errorf("expected sub to be '%s', got %v", subject, parsedClaims["sub"])
|
||||
}
|
||||
if parsedClaims["aud"] != audience {
|
||||
t.Errorf("expected aud to be '%s', got %v", audience, parsedClaims["aud"])
|
||||
}
|
||||
if parsedClaims["email"] != "user@example.com" {
|
||||
t.Errorf("expected email to be 'user@example.com', got %v", parsedClaims["email"])
|
||||
}
|
||||
|
||||
t.Logf("Parsed claims: %v", parsedClaims)
|
||||
|
||||
// Test parsing without validation (empty strings)
|
||||
parsedClaims2, err := ParseES256(&privKey.PublicKey, token, "", "")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if parsedClaims2["sub"] != subject {
|
||||
t.Errorf("expected sub to be '%s', got %v", subject, parsedClaims2["sub"])
|
||||
}
|
||||
}
|
||||
|
||||
func TestES256_ExpiredToken(t *testing.T) {
|
||||
// Generate ECDSA P-256 key pair for testing
|
||||
privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
claims := map[string]any{}
|
||||
issuer := "https://appleid.apple.com"
|
||||
subject := "001234.56789abcdef.1234"
|
||||
|
||||
// Sign with very short duration
|
||||
token, err := SignES256(privKey, issuer, "", subject, time.Nanosecond, claims)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Wait for token to expire
|
||||
time.Sleep(10 * time.Millisecond)
|
||||
|
||||
// Parse should fail due to expiration
|
||||
_, err = ParseES256(&privKey.PublicKey, token, issuer, "")
|
||||
if err == nil {
|
||||
t.Error("expected error for expired token, got nil")
|
||||
}
|
||||
t.Logf("Expected error for expired token: %v", err)
|
||||
}
|
||||
|
||||
func TestES256_InvalidIssuer(t *testing.T) {
|
||||
// Generate ECDSA P-256 key pair for testing
|
||||
privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
claims := map[string]any{}
|
||||
issuer := "https://appleid.apple.com"
|
||||
subject := "001234.56789abcdef.1234"
|
||||
|
||||
// Sign with one issuer
|
||||
token, err := SignES256(privKey, issuer, "", subject, time.Hour, claims)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Parse with different issuer should fail
|
||||
_, err = ParseES256(&privKey.PublicKey, token, "https://wrong-issuer.com", "")
|
||||
if err == nil {
|
||||
t.Error("expected error for invalid issuer, got nil")
|
||||
}
|
||||
t.Logf("Expected error for invalid issuer: %v", err)
|
||||
}
|
||||
|
||||
func TestES256_InvalidAudience(t *testing.T) {
|
||||
// Generate ECDSA P-256 key pair for testing
|
||||
privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
claims := map[string]any{}
|
||||
issuer := "https://appleid.apple.com"
|
||||
audience := "com.example.app"
|
||||
subject := "001234.56789abcdef.1234"
|
||||
|
||||
// Sign with one audience
|
||||
token, err := SignES256(privKey, issuer, audience, subject, time.Hour, claims)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
// Parse with different audience should fail
|
||||
_, err = ParseES256(&privKey.PublicKey, token, issuer, "com.wrong.app")
|
||||
if err == nil {
|
||||
t.Error("expected error for invalid audience, got nil")
|
||||
}
|
||||
t.Logf("Expected error for invalid audience: %v", err)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user