feat: Extract algorithms to JWA

Author: kylef

JSONWebToken.podspec

@@ -6,14 +6,17 @@ Pod::Spec.new do |spec|
   spec.license = { :type => 'BSD', :file => 'LICENSE' }
   spec.author = { 'Kyle Fuller' => '[email protected]' }
   spec.source = { :git => 'https://github.com/kylef/JSONWebToken.swift.git', :tag => "#{spec.version}" }
-  spec.source_files = 'Sources/JWT/*.swift'
+  spec.source_files = [
+    'Sources/JWA/HMAC/*.swift',
+    'Sources/{JWA,JWT}/*.swift',
+  ]
   spec.ios.deployment_target = '8.0'
   spec.osx.deployment_target = '10.9'
   spec.tvos.deployment_target = '9.0'
   spec.watchos.deployment_target = '2.0'
   spec.requires_arc = true
   spec.module_name = 'JWT'
-  spec.exclude_files = ['Sources/JWT/HMACCryptoSwift.swift']
+  spec.exclude_files = ['Sources/JWA/HMAC/HMACCryptoSwift.swift']
 
   if ARGV.include?('lint')
     spec.pod_target_xcconfig = {

Package.swift

@@ -1,24 +1,33 @@
+// swift-tools-version:4.0
+
 import PackageDescription
 
 
 #if os(macOS) || os(iOS) || os(watchOS) || os(tvOS)
-let package = Package(
-  name: "JWT",
-  dependencies: [
-    .Package(url: "https://github.com/kylef-archive/CommonCrypto.git", majorVersion: 1),
-  ],
-  exclude: [
-    "Sources/JWT/HMACCryptoSwift.swift",
-  ]
-)
+let dependencies = [
+  Package.Dependency.package(url: "https://github.com/kylef-archive/CommonCrypto.git", from: "1.0.0"),
+]
+let excludes = ["HMAC/HMACCryptoSwift.swift"]
+let targetDependencies: [Target.Dependency] = []
 #else
+let dependencies = [
+  Package.Dependency.package(url: "https://github.com/krzyzanowskim/CryptoSwift.git", from: "0.8.0"),
+]
+let excludes = ["HMAC/HMACCommonCrypto.swift"]
+let targetDependencies: [Target.Dependency] = ["CryptoSwift"]
+#endif
+
+
 let package = Package(
   name: "JWT",
-  dependencies: [
-    .Package(url: "https://github.com/krzyzanowskim/CryptoSwift.git", majorVersion: 0, minor: 8),
+  products: [
+    .library(name: "JWT", targets: ["JWT"]),
   ],
-  exclude: [
-    "Sources/JWT/HMACCommonCrypto.swift",
+  dependencies: dependencies,
+  targets: [
+    .target(name: "JWA", dependencies: targetDependencies, exclude: excludes),
+    .target(name: "JWT", dependencies: ["JWA"]),
+    .testTarget(name: "JWATests", dependencies: ["JWA"]),
+    .testTarget(name: "JWTTests", dependencies: ["JWT"]),
   ]
 )
-#endif

Sources/JWA/HMAC/HMAC.swift

@@ -0,0 +1,36 @@
+import Foundation
+
+
+final public class HMACAlgorithm: Algorithm {
+  public let key: Data
+  public let hash: Hash
+
+  public enum Hash {
+    case sha256
+    case sha384
+    case sha512
+  }
+
+  public init(key: Data, hash: Hash) {
+    self.key = key
+    self.hash = hash
+  }
+
+  public init?(key: String, hash: Hash) {
+    guard let key = key.data(using: .utf8) else { return nil }
+
+    self.key = key
+    self.hash = hash
+  }
+
+  public var name: String {
+    switch hash {
+    case .sha256:
+      return "HS256"
+    case .sha384:
+      return "HS384"
+    case .sha512:
+      return "HS512"
+    }
+  }
+}

Sources/JWA/HMAC/HMACCommonCrypto.swift

@@ -0,0 +1,48 @@
+import Foundation
+import CommonCrypto
+
+
+extension HMACAlgorithm: SignAlgorithm, VerifyAlgorithm {
+  public func sign(_ message: Data) -> Data {
+    let context = UnsafeMutablePointer<CCHmacContext>.allocate(capacity: 1)
+    defer { context.deallocate(capacity: 1) }
+
+    key.withUnsafeBytes() { (buffer: UnsafePointer<UInt8>) in
+      CCHmacInit(context, hash.commonCryptoAlgorithm, buffer, size_t(key.count))
+    }
+
+    message.withUnsafeBytes { (buffer: UnsafePointer<UInt8>) in
+      CCHmacUpdate(context, buffer, size_t(message.count))
+    }
+
+    var hmac = Array<UInt8>(repeating: 0, count: Int(hash.commonCryptoDigestLength))
+    CCHmacFinal(context, &hmac)
+
+    return Data(hmac)
+  }
+}
+
+
+extension HMACAlgorithm.Hash {
+  var commonCryptoAlgorithm: CCHmacAlgorithm {
+    switch self {
+    case .sha256:
+      return CCHmacAlgorithm(kCCHmacAlgSHA256)
+    case .sha384:
+      return CCHmacAlgorithm(kCCHmacAlgSHA384)
+    case .sha512:
+      return CCHmacAlgorithm(kCCHmacAlgSHA512)
+    }
+  }
+
+  var commonCryptoDigestLength: Int32 {
+    switch self {
+    case .sha256:
+      return CC_SHA256_DIGEST_LENGTH
+    case .sha384:
+      return CC_SHA384_DIGEST_LENGTH
+    case .sha512:
+      return CC_SHA512_DIGEST_LENGTH
+    }
+  }
+}

Sources/JWA/HMAC/HMACCryptoSwift.swift

@@ -0,0 +1,32 @@
+import Foundation
+import CryptoSwift
+
+
+extension HMACAlgorithm: SignAlgorithm, VerifyAlgorithm {
+  public func sign(_ message: Data) -> Data {
+    let mac = HMAC(key: key.bytes, variant: hash.cryptoSwiftVariant)
+
+    let result: [UInt8]
+    do {
+      result = try mac.authenticate(message.bytes)
+    } catch {
+      result = []
+    }
+
+    return Data(bytes: result)
+  }
+}
+
+
+extension HMACAlgorithm.Hash {
+  var cryptoSwiftVariant: HMAC.Variant {
+    switch self {
+    case .sha256:
+      return .sha256
+    case .sha384:
+      return .sha384
+    case .sha512:
+      return .sha512
+    }
+  }
+}

Sources/JWA/JWA.swift

@@ -0,0 +1,32 @@
+import Foundation
+
+
+/// Represents a JSON Web Algorithm (JWA)
+/// https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
+public protocol Algorithm: class {
+  var name: String { get }
+}
+
+
+// MARK: Signing
+
+/// Represents a JSON Web Algorithm (JWA) that is capable of signing
+public protocol SignAlgorithm: Algorithm {
+  func sign(_ message: Data) -> Data
+}
+
+
+// MARK: Verifying
+
+/// Represents a JSON Web Algorithm (JWA) that is capable of verifying
+public protocol VerifyAlgorithm: Algorithm {
+  func verify(_ message: Data, signature: Data) -> Bool
+}
+
+
+extension SignAlgorithm {
+  /// Verify a signature for a message using the algorithm
+  public func verify(_ message: Data, signature: Data) -> Bool {
+    return sign(message) == signature
+  }
+}

Sources/JWA/None.swift

@@ -0,0 +1,15 @@
+import Foundation
+
+
+/// No Algorithm, i-e, insecure
+public final class NoneAlgorithm: Algorithm, SignAlgorithm, VerifyAlgorithm {
+   public var name: String {
+    return "none"
+  }
+
+  public init() {}
+
+  public func sign(_ message: Data) -> Data {
+    return Data()
+  }
+}

Sources/JWT/Algorithm.swift

@@ -0,0 +1,36 @@
+import Foundation
+import JWA
+
+
+/// Represents a JSON Web Algorithm (JWA)
+/// https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
+public enum Algorithm: CustomStringConvertible {
+  /// No Algorithm, i-e, insecure
+  case none
+
+  /// HMAC using SHA-256 hash algorithm
+  case hs256(Data)
+
+  /// HMAC using SHA-384 hash algorithm
+  case hs384(Data)
+
+  /// HMAC using SHA-512 hash algorithm
+  case hs512(Data)
+
+  var algorithm: SignAlgorithm {
+    switch self {
+    case .none:
+      return NoneAlgorithm()
+    case .hs256(let key):
+      return HMACAlgorithm(key: key, hash: .sha256)
+    case .hs384(let key):
+      return HMACAlgorithm(key: key, hash: .sha384)
+    case .hs512(let key):
+      return HMACAlgorithm(key: key, hash: .sha512)
+    }
+  }
+
+  public var description: String {
+    return algorithm.name
+  }
+}

Sources/JWT/Decode.swift

@@ -108,7 +108,7 @@ func verifySignature(_ algorithms: [Algorithm], header: JOSEHeader, signingInput
 
   let verifiedAlgorithms = algorithms
     .filter { algorithm in algorithm.description == alg }
-    .filter { algorithm in algorithm.verify(signingInput, signature: signature) }
+    .filter { algorithm in algorithm.algorithm.verify(signingInput.data(using: .utf8)!, signature: signature) }
 
   if verifiedAlgorithms.isEmpty {
     throw InvalidToken.invalidAlgorithm

Sources/JWT/Encode.swift

@@ -1,5 +1,6 @@
 import Foundation
 
+
 /*** Encode a set of claims
  - parameter claims: The set of claims
  - parameter algorithm: The algorithm to sign the payload with
@@ -17,7 +18,7 @@ public func encode(claims: ClaimSet, algorithm: Algorithm, headers: [String: Str
   let header = try! encoder.encodeString(headers)
   let payload = encoder.encodeString(claims.claims)!
   let signingInput = "\(header).\(payload)"
-  let signature = algorithm.sign(signingInput)
+  let signature = base64encode(algorithm.algorithm.sign(signingInput.data(using: .utf8)!))
   return "\(signingInput).\(signature)"
 }