Revert "Prepare release 3.2.2 (golang-jwt#42)"

This reverts commit 4bbdd8a.

.github/workflows/build.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: [1.15, 1.16]
+        go: [1.11, 1.12, 1.13, 1.14, 1.15, 1.16]
     steps:
       - name: Checkout
         uses: actions/checkout@v2

.travis.yml

@@ -0,0 +1,11 @@
+language: go
+
+script:
+    - go vet ./...
+    - go test -v ./...
+
+go:
+  - 1.7
+  - 1.8
+  - 1.9
+  - 1.10

README.md

@@ -9,17 +9,10 @@ A [go](http://www.golang.org) (or 'golang' for search engine friendliness) imple
 
 Future releases will be using the `github.com/golang-jwt/jwt` import path and continue the existing versioning scheme of `v3.x.x+incompatible`. Backwards-compatible patches and fixes will be done on the `v3` release branch, where as new build-breaking features will be developed in a `v4` release, possibly including a SIV-style import path.
 
-**SECURITY NOTICE:** Some older versions of Go have a security issue in the crypto/elliptic. Recommendation is to upgrade to at least 1.15 See issue [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more detail.
+**SECURITY NOTICE:** Some older versions of Go have a security issue in the crypto/elliptic. Recommendation is to upgrade to at least 1.8.3. See issue [dgrijalva/jwt-go#216](https://github.com/dgrijalva/jwt-go/issues/216) for more detail.
 
 **SECURITY NOTICE:** It's important that you [validate the `alg` presented is what you expect](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/). This library attempts to make it easy to do the right thing by requiring key types match the expected alg, but you should take the extra step to verify it in your usage.  See the examples provided.
 
-### Supported Go versions
-
-Our support of Go versions is aligned with Go's [version release policy](https://golang.org/doc/devel/release#policy).
-So we will support a major version of Go until there are two newer major releases.
-We no longer support building jwt-go with unsupported Go versions, as these contain security vulnerabilities
-which will not be fixed.
-
 ## What the heck is a JWT?
 
 JWT.io has [a great introduction](https://jwt.io/introduction) to JSON Web Tokens.

VERSION_HISTORY.md

@@ -1,12 +1,5 @@
 ## `jwt-go` Version History
 
-#### 3.2.2
-
-* Starting from this release, we are adopting the policy to support the most 2 recent versions of Go currently available. By the time of this release, this is Go 1.15 and 1.16 ([#28](https://github.com/golang-jwt/jwt/pull/28)).
-* Fixed a potential issue that could occur when the verification of `exp`, `iat` or `nbf` was not required and contained invalid contents, i.e. non-numeric/date. Thanks for @thaJeztah for making us aware of that and @giorgos-f3 for originally reporting it to the formtech fork ([#40](https://github.com/golang-jwt/jwt/pull/40)).
-* Added support for EdDSA / ED25519 ([#36](https://github.com/golang-jwt/jwt/pull/36)).
-* Optimized allocations ([#33](https://github.com/golang-jwt/jwt/pull/33)).
-
 #### 3.2.1
 
 * **Import Path Change**: See MIGRATION_GUIDE.md for tips on updating your code

cmd/jwt/app.go

@@ -136,8 +136,6 @@ func verifyToken() error {
 			return jwt.ParseECPublicKeyFromPEM(data)
 		} else if isRs() {
 			return jwt.ParseRSAPublicKeyFromPEM(data)
-		} else if isEd() {
-			return jwt.ParseEdPublicKeyFromPEM(data)
 		}
 		return data, nil
 	})
@@ -231,15 +229,6 @@ func signToken() error {
 				return err
 			}
 		}
-	} else if isEd() {
-		if k, ok := key.([]byte); !ok {
-			return fmt.Errorf("Couldn't convert key data to key")
-		} else {
-			key, err = jwt.ParseEdPrivateKeyFromPEM(k)
-			if err != nil {
-				return err
-			}
-		}
 	}
 
 	if out, err := token.SignedString(key); err == nil {
@@ -291,7 +280,3 @@ func isEs() bool {
 func isRs() bool {
 	return strings.HasPrefix(*flagAlg, "RS") || strings.HasPrefix(*flagAlg, "PS")
 }
-
-func isEd() bool {
-	return strings.HasPrefix(strings.ToUpper(*flagAlg), "Ed")
-}

ecdsa.go

@@ -128,12 +128,18 @@ func (m *SigningMethodECDSA) Sign(signingString string, key interface{}) (string
 			keyBytes += 1
 		}
 
-		// We serialize the outputs (r and s) into big-endian byte arrays
-		// padded with zeros on the left to make sure the sizes work out.
-		// Output must be 2*keyBytes long.
-		out := make([]byte, 2*keyBytes)
-		r.FillBytes(out[0:keyBytes]) // r is assigned to the first half of output.
-		s.FillBytes(out[keyBytes:])  // s is assigned to the second half of output.
+		// We serialize the outpus (r and s) into big-endian byte arrays and pad
+		// them with zeros on the left to make sure the sizes work out. Both arrays
+		// must be keyBytes long, and the output must be 2*keyBytes long.
+		rBytes := r.Bytes()
+		rBytesPadded := make([]byte, keyBytes)
+		copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
+
+		sBytes := s.Bytes()
+		sBytesPadded := make([]byte, keyBytes)
+		copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
+
+		out := append(rBytesPadded, sBytesPadded...)
 
 		return EncodeSegment(out), nil
 	} else {

ecdsa_test.go

@@ -87,60 +87,14 @@ func TestECDSASign(t *testing.T) {
 
 		if data.valid {
 			parts := strings.Split(data.tokenString, ".")
-			toSign := strings.Join(parts[0:2], ".")
 			method := jwt.GetSigningMethod(data.alg)
-			sig, err := method.Sign(toSign, ecdsaKey)
-
+			sig, err := method.Sign(strings.Join(parts[0:2], "."), ecdsaKey)
 			if err != nil {
 				t.Errorf("[%v] Error signing token: %v", data.name, err)
 			}
 			if sig == parts[2] {
 				t.Errorf("[%v] Identical signatures\nbefore:\n%v\nafter:\n%v", data.name, parts[2], sig)
 			}
-
-			err = method.Verify(toSign, sig, ecdsaKey.Public())
-			if err != nil {
-				t.Errorf("[%v] Sign produced an invalid signature: %v", data.name, err)
-			}
-		}
-	}
-}
-
-func BenchmarkECDSASigning(b *testing.B) {
-	for _, data := range ecdsaTestData {
-		key, _ := ioutil.ReadFile(data.keys["private"])
-
-		ecdsaKey, err := jwt.ParseECPrivateKeyFromPEM(key)
-		if err != nil {
-			b.Fatalf("Unable to parse ECDSA private key: %v", err)
 		}
-
-		method := jwt.GetSigningMethod(data.alg)
-
-		b.Run(data.name, func(b *testing.B) {
-			benchmarkSigning(b, method, ecdsaKey)
-		})
-
-		// Directly call method.Sign without the decoration of *Token.
-		b.Run(data.name+"/sign-only", func(b *testing.B) {
-			if !data.valid {
-				b.Skipf("Skipping because data is not valid")
-			}
-
-			parts := strings.Split(data.tokenString, ".")
-			toSign := strings.Join(parts[0:2], ".")
-
-			b.ReportAllocs()
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				sig, err := method.Sign(toSign, ecdsaKey)
-				if err != nil {
-					b.Fatalf("[%v] Error signing token: %v", data.name, err)
-				}
-				if sig == parts[2] {
-					b.Fatalf("[%v] Identical signatures\nbefore:\n%v\nafter:\n%v", data.name, parts[2], sig)
-				}
-			}
-		})
 	}
 }