gose

package module
v0.10.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 27, 2025 License: MIT Imports: 31 Imported by: 0

README

GOSE - JOSE and friends for the Go developer

Overview

GOSE is JOSE/JWT/JWK/JWS/JWKS implemented in Go with Helpers, and examples.

It contains implementations of the JOSE suite of types and helpers for many different use cases.

Known Issues

  • Direct encryption with AEAD mechanisms is not completely following RFC 7516

Mission

  • Simple
  • Compliant
  • Safe
  • Efficient
  • Extensible

Examples

Examples are provided under the /examples folder to illustrate correct use of this package.

Vulnerability check

$ govulncheck ./...

Scanning your code and 139 packages across 9 dependent modules for known vulnerabilities...

No vulnerabilities found.

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidKey               = errors.New("invalid jwk")
	ErrInvalidKeyType           = errors.New("invalid jwk type")
	ErrUnsupportedKeyType       = errors.New("unsupported jwk type")
	ErrInvalidSigningKeyURL     = errors.New("invalid signing jwk url")
	ErrInvalidOperations        = errors.New("the jwk is invalid in this context")
	ErrInvalidCertificateHeader = errors.New("invalid certificate header")
	ErrUnknownKey               = errors.New("unknown jwk")
	ErrInvalidSignature         = errors.New("invalid signature")
	ErrInconsistentKeyValues    = errors.New("inconsistent jwk values")
	ErrInvalidKeyLength         = errors.New("invalid jwk length")
	ErrHashUnavailable          = errors.New("hash unavailable")

	// RSA errors
	ErrInvalidExponentEncoding error = &InvalidFormat{"invalid exponent encoding"}
	ErrInvalidExponent               = errors.New("invalid exponent value")
	ErrInvalidModulusEncoding  error = &InvalidFormat{"invalid modulus encoding"}

	//EC errors
	ErrInvalidXEncoding error = &InvalidFormat{("Invalid X encoding")}
	ErrInvalidYEncoding error = &InvalidFormat{("Invalid Y encoding")}

	//GCM errors
	ErrInvalidNonce = errors.New("invalid nonce")

	// JOSE errors
	ErrInvalidJwsCompactEncoding         error = &InvalidFormat{"invalid jws compact encoding"}
	ErrInvalidJwsBase64HeaderEncoding    error = &InvalidFormat{"invalid base64 jws header encoding"}
	ErrInvalidJwsHeaderEncoding          error = &InvalidFormat{"invalid jws header"}
	ErrInvalidJwsBase64BodyEncoding      error = &InvalidFormat{"invalid base64 jws body encoding"}
	ErrInvalidJwsBase64SignatureEncoding error = &InvalidFormat{"invalid base64 jws signature encoding"}
	ErrInvalidJwkEncoding                error = &InvalidFormat{"invalid jwk encoding"}
	ErrInvalidJwtEncoding                error = &InvalidFormat{"invalid jwt encoding"}
	ErrInvalidJwtTimeframe               error = &InvalidFormat{"invalid jwt time frame"}
	ErrInvalidKid                        error = &InvalidFormat{"invalid key ID"}
	ErrNoExpectedAudience                error = &InvalidFormat{"no expected audience"}
	ErrInvalidDelegateEncoding           error = &InvalidFormat{"invalid delegate encoding"}
	ErrInvalidManifestEncoding           error = &InvalidFormat{"invalid manifest encoding"}
	ErrInvalidKeySize                    error = &InvalidFormat{"invalid jwk size"}
	ErrInvalidAlgorithm                  error = &InvalidFormat{"invalid algorithm"}
	ErrInvalidEncryption                 error = &InvalidFormat{"invalid encryption"}
	ErrZipCompressionNotSupported        error = &InvalidFormat{"zip compression not supported"}
)

Errors.

Functions

func CalculateKeyID 

func CalculateKeyID(jwk jose.Jwk) (string, error)

CalculateKeyID deterministically calculates the ID for the given jwk

func GetALFromAAD added in v0.9.1 

func GetALFromAAD(aad []byte) (al []byte)

GetALFromAAD takes the AAD field of a JWE and compute the AL field AL is the octet string of the number of bits in AAD expressed as a big endian 64-bit unsigned integer. For example, if AAD is 51 bytes long, which is 408 bits long, the octet string AL, which is the number of bits in AAD expressed as a big endian 64 bit unsigned integer is [0, 0, 0, 0, 0, 0, 1, 152].

func JwkFromPrivateKey 

func JwkFromPrivateKey(privateKey crypto.Signer, operations []jose.KeyOps, certs []*x509.Certificate) (jose.Jwk, error)

JwkFromPrivateKey builds JWK, from a crypto.Signer, with certificates, and scoped to certain operations, or errors

func JwkFromPublicKey 

func JwkFromPublicKey(publicKey crypto.PublicKey, operations []jose.KeyOps, certs []*x509.Certificate) (jose.Jwk, error)

JwkFromPublicKey builds public JWK, from a crypto.Signer, with certificates, and scoped to certain operations, or errors

func JwkFromSymmetric 

func JwkFromSymmetric(key []byte, alg jose.Alg) (jwk *jose.OctSecretKey, err error)

JwkFromSymmetric converts a byte string to a jose.Jwk, given a particular JWK algorithm.

func JwkToString 

func JwkToString(jwk jose.Jwk) (string, error)

JwkToString return JWK as string

func LoadJwk 

func LoadJwk(reader io.ReadSeeker, required []jose.KeyOps) (jwk jose.Jwk, err error)

LoadJwk load io.ReadSeeker as a JWK or error

func LoadJwkFromFile 

func LoadJwkFromFile(file string, required []jose.KeyOps) (jose.Jwk, error)

LoadJwkFromFile loads file as JWK or error

func LoadJws 

func LoadJws(jws string) (protectedHeader *jose.JwsHeader, header []byte, data []byte, payload []byte, signature []byte, err error)

LoadJws loads signature, or errors

func LoadPrivateKey 

func LoadPrivateKey(jwk jose.Jwk, required []jose.KeyOps) (crypto.Signer, error)

LoadPrivateKey loads the jwk into a crypto.Signer for performing signing operations

func LoadPublicKey 

func LoadPublicKey(jwk jose.Jwk, required []jose.KeyOps) (crypto.PublicKey, error)

LoadPublicKey loads jwk as a public key for cryptographic verification operations.

func LoadSymmetricAEAD 

func LoadSymmetricAEAD(jwk jose.Jwk, required []jose.KeyOps) (a cipher.AEAD, err error)

LoadSymmetricAEAD returns a cipher.AEAD for a jwk.

func PublicFromPrivate 

func PublicFromPrivate(in jose.Jwk) (jose.Jwk, error)

PublicFromPrivate extracts public jwk from private jwk in JWK format

Types

type AeadEncryptionKey 

type AeadEncryptionKey interface {
	Key
	Algorithmed
	// GenerateNonce generates a nonce of the correct size for use in Sealinging operations.
	GenerateNonce() ([]byte, error)
	// Seal the given plaintext returning ciphertext and authentication tag.
	Seal(operation jose.KeyOps, nonce, plaintext, aad []byte) (ciphertext, tag []byte, err error)
	// Open and validate the given ciphertext and tag returning the plaintext.
	Open(operation jose.KeyOps, nonce, ciphertext, aad, tag []byte) (plaintext []byte, err error)
}

AeadEncryptionKey implements authenticated encryption and decryption.

func NewAesGcmCryptor 

func NewAesGcmCryptor(aead cipher.AEAD, rng io.Reader, kid string, alg jose.Alg, operations []jose.KeyOps) (AeadEncryptionKey, error)

NewAesGcmCryptor create a new instance of an AesGCmCryptor from the supplied parameters.

func NewAesGcmCryptorFromJwk 

func NewAesGcmCryptorFromJwk(jwk jose.Jwk, required []jose.KeyOps) (AeadEncryptionKey, error)

NewAesGcmCryptorFromJwk create a new instance of an AesGCmCryptor from a JWK.

type AesCbcCryptor 

type AesCbcCryptor struct {
	// contains filtered or unexported fields
}

AesCbcCryptor provides AES CBC encryption and decryption functions. It implements BlockEcryptionKey

func (*AesCbcCryptor) Algorithm 

func (cryptor *AesCbcCryptor) Algorithm() jose.Alg

func (*AesCbcCryptor) Kid 

func (cryptor *AesCbcCryptor) Kid() string

func (*AesCbcCryptor) Open 

func (cryptor *AesCbcCryptor) Open(ciphertext []byte) []byte

func (*AesCbcCryptor) Seal 

func (cryptor *AesCbcCryptor) Seal(plaintext []byte) []byte

type AesGcmCryptor 

type AesGcmCryptor struct {
	// contains filtered or unexported fields
}

AesGcmCryptor provides AES GCM encryption and decryption functions.

func (*AesGcmCryptor) Algorithm 

func (cryptor *AesGcmCryptor) Algorithm() jose.Alg

Algorithm the supported algorithm

func (*AesGcmCryptor) GenerateNonce 

func (cryptor *AesGcmCryptor) GenerateNonce() ([]byte, error)

GenerateNonce generate a nonce of the correct size for use with GCM encryption/decryption from a random source.

func (*AesGcmCryptor) Kid 

func (cryptor *AesGcmCryptor) Kid() string

Kid the key identity

func (*AesGcmCryptor) Open 

func (cryptor *AesGcmCryptor) Open(operation jose.KeyOps, nonce, ciphertext, aad, tag []byte) (plaintext []byte, err error)

Open decrypt a previously encrypted ciphertext.

func (*AesGcmCryptor) Seal 

func (cryptor *AesGcmCryptor) Seal(operation jose.KeyOps, nonce, plaintext, aad []byte) (ciphertext, tag []byte, err error)

Seal encrypt a supplied plaintext and AAD.

type Algorithmed 

type Algorithmed interface {
	Algorithm() jose.Alg
}

Algorithmed is an interface that exposes which algorithm a type can be used with.

type AsymmetricDecryptionKey 

type AsymmetricDecryptionKey interface {
	Key
	Algorithmed
	Decrypt(ops jose.KeyOps, hash crypto.Hash, bytes []byte) ([]byte, error)
	// Encryptor get the matching encryption key.
	Encryptor() (AsymmetricEncryptionKey, error)
}

AsymmetricDecryptionKey provides asymmetric decryption (private key) capabilities.

type AsymmetricDecryptionKeyStore 

type AsymmetricDecryptionKeyStore interface {
	Get(kid string) (k AsymmetricDecryptionKey, err error)
}

AsymmetricDecryptionKeyStore provides the ability to access asymmetric decryption keys.

type AsymmetricDecryptionKeyStoreImpl 

type AsymmetricDecryptionKeyStoreImpl struct {
	// contains filtered or unexported fields
}

AsymmetricDecryptionKeyStoreImpl implements the AsymmetricDecryptionKeyStore interface providing AsymmetricDecryptionKey lookup capabilities.

func NewAsymmetricDecryptionKeyStoreImpl 

func NewAsymmetricDecryptionKeyStoreImpl(keys map[string]AsymmetricDecryptionKey) (*AsymmetricDecryptionKeyStoreImpl, error)

NewAsymmetricDecryptionKeyStoreImpl creates a AsymmetricDecryptionKeyStoreImpl instances with the given keys.

func (*AsymmetricDecryptionKeyStoreImpl) Get 

func (a *AsymmetricDecryptionKeyStoreImpl) Get(kid string) (k AsymmetricDecryptionKey, err error)

Get returns a matching AsymmetricDecryptionKey fpr the given Key ID or an error (ErrUnknownKey) if the requested key cannot be found.

type AsymmetricEncryptionKey 

type AsymmetricEncryptionKey interface {
	Key
	MarshalableKey
	CertifiableKey
	Algorithmed
	Encrypt(ops jose.KeyOps, hash crypto.Hash, bytes []byte) ([]byte, error)
}

AsymmetricEncryptionKey implements encryption using an asymmetric key.

type AuthenticatedEncryptionKeyGenerator 

type AuthenticatedEncryptionKeyGenerator struct{}

AuthenticatedEncryptionKeyGenerator can be used to create AuthenticatedEncryptionKeys.

func (*AuthenticatedEncryptionKeyGenerator) Generate 

func (g *AuthenticatedEncryptionKeyGenerator) Generate(alg jose.Alg, operations []jose.KeyOps) (AeadEncryptionKey, jose.Jwk, error)

Generate generate a Generate and JWK representation.

type BlockEncryptionKey 

type BlockEncryptionKey interface {
	Key
	Algorithmed
	// Seal the given plaintext returning ciphertext
	Seal(plaintext []byte) []byte
	// Open and validate the given ciphertext
	Open(ciphertext []byte) []byte
}

BlockEncryptionKey implements encryption and decryption operations with block modes and symmetric keys

func NewAesCbcCryptor 

func NewAesCbcCryptor(blockCipher cipher.BlockMode, kid string, alg jose.Alg) BlockEncryptionKey

NewAesCbcCryptor create a new instance of an AesCbcCryptor from the supplied parameters. It implements AeadEncryptionKey

type CertifiableKey 

type CertifiableKey interface {
	// MarshalPem marshals a key to it's PEM representation.
	MarshalPem() (string, error)
	// Certificates returns the certificate chain for the given key.
	Certificates() []*x509.Certificate
}

CertifiableKey is an interface representing a key that can have an associated certificate and PEM representation.

type ECDSAOptions 

type ECDSAOptions struct {
	Hash crypto.Hash
	// contains filtered or unexported fields
}

ECDSAOptions Implements crypto.SignerOpts

func (*ECDSAOptions) HashFunc 

func (opts *ECDSAOptions) HashFunc() crypto.Hash

HashFunc returns the crypto.Hash

type ECDSASigningKey 

type ECDSASigningKey struct {
	// contains filtered or unexported fields
}

ECDSASigningKey implements ECDSA crypto.SigningKey

func (ECDSASigningKey) Algorithm 

func (signer ECDSASigningKey) Algorithm() jose.Alg

Algorithm returns the jose.Alg for this key

func (*ECDSASigningKey) Certificates 

func (signer *ECDSASigningKey) Certificates() []*x509.Certificate

Certificates returns certificate chain of this key

func (*ECDSASigningKey) Jwk 

func (signer *ECDSASigningKey) Jwk() (jose.Jwk, error)

Jwk returns key as a jose.JWK type, or errors

func (*ECDSASigningKey) Key 

func (signer *ECDSASigningKey) Key() crypto.Signer

Key returns the underlying key used to sign

func (*ECDSASigningKey) Kid 

func (signer *ECDSASigningKey) Kid() string

Kid returns the kid string value

func (*ECDSASigningKey) Marshal 

func (signer *ECDSASigningKey) Marshal() (string, error)

Marshal marshals the key into a compact JWK representation or error

func (*ECDSASigningKey) MarshalPem 

func (signer *ECDSASigningKey) MarshalPem() (p string, err error)

MarshalPem marshals the key into a PEM string or error

func (*ECDSASigningKey) Sign 

func (signer *ECDSASigningKey) Sign(requested jose.KeyOps, data []byte) (signature []byte, err error)

Sign digest and sign the given data. The output signature is encoded as r || s which is different to the standard go crypto interface specification. The serialization format is chosen instead to match that defined in the JSON Web Signature spec https://tools.ietf.org/html/rfc7515#appendix-A.3.1.

func (*ECDSASigningKey) Verifier 

func (signer *ECDSASigningKey) Verifier() (VerificationKey, error)

Verifier get the matching verification key.

type ECDSASigningKeyGenerator 

type ECDSASigningKeyGenerator struct {
}

ECDSASigningKeyGenerator handles generating an ECDSA signing key

func (*ECDSASigningKeyGenerator) Generate 

func (g *ECDSASigningKeyGenerator) Generate(alg jose.Alg, operations []jose.KeyOps) (SigningKey, error)

Generate an ECDSA key using a given algorithm, and scoped to certain jwk operations.

type ECVerificationKeyImpl 

type ECVerificationKeyImpl struct {
	// contains filtered or unexported fields
}

ECVerificationKeyImpl implements the ECDSA Verification Logic

func (*ECVerificationKeyImpl) Algorithm 

func (verifier *ECVerificationKeyImpl) Algorithm() jose.Alg

Algorithm return algorithm

func (*ECVerificationKeyImpl) Certificates 

func (verifier *ECVerificationKeyImpl) Certificates() []*x509.Certificate

Certificates returns the certs for this key

func (*ECVerificationKeyImpl) Jwk 

func (verifier *ECVerificationKeyImpl) Jwk() (jose.Jwk, error)

Jwk returns the key as a jose.JWK type, or error

func (*ECVerificationKeyImpl) Kid 

func (verifier *ECVerificationKeyImpl) Kid() string

Kid returns the key's id

func (*ECVerificationKeyImpl) Marshal 

func (verifier *ECVerificationKeyImpl) Marshal() (string, error)

Marshal marshals the key into a compact JWK string, or error

func (*ECVerificationKeyImpl) MarshalPem 

func (verifier *ECVerificationKeyImpl) MarshalPem() (string, error)

MarshalPem marshals the key as a PEM formatted string, or error

func (*ECVerificationKeyImpl) Verify 

func (verifier *ECVerificationKeyImpl) Verify(operation jose.KeyOps, data []byte, signature []byte) bool

Verify signed data matches signature and jwk The input signature is encoded as r || s which is different to the standard go crypto interface specification. The serialization format is chosen instead to match that defined in the JSON Web Signature spec https://tools.ietf.org/html/rfc7515#appendix-A.3.1.

type HmacKey 

type HmacKey interface {
	Key
	// Hash method gets bytes as input and sum it all to return a hashed result in a 32 bytes array
	Hash(input []byte) []byte
}

func NewHmacShaCryptor 

func NewHmacShaCryptor(kid string, hash hash.Hash) HmacKey

NewHmacShaCryptor create a new instance of an HmacShaCryptor from the supplied parameters. It implements HmacKey

type HmacShaCryptor 

type HmacShaCryptor struct {
	// contains filtered or unexported fields
}

HmacShaCryptor provides HMAC SHA functions. It implements the HmacKey interface. The hash SHA mechanism is held directly by the key corresponding to the key id (kid). It means that if the key provides SHA-256 mechanism, then the Hash is SHA-256

func (HmacShaCryptor) Hash 

func (h HmacShaCryptor) Hash(input []byte) []byte

Hash returns the result from the SHA operation executed by the provided key

func (HmacShaCryptor) Kid 

func (h HmacShaCryptor) Kid() string

type InvalidFormat 

type InvalidFormat struct {
	// contains filtered or unexported fields
}

InvalidFormat is an interface for handling invalid format errors

func (*InvalidFormat) Error 

func (err *InvalidFormat) Error() string

type JweDecryptor 

type JweDecryptor interface {
	Decrypt(jwe string) (plaintext, aad []byte, err error)
}

JweDecryptor implements decryption and verification of a given ciphertext and aad to a plaintext as defined by https://tools.ietf.org/html/rfc7516.

type JweDirectDecryptorAeadImpl 

type JweDirectDecryptorAeadImpl struct {
	// contains filtered or unexported fields
}

JweDirectDecryptorAeadImpl is a concrete implementation of the JweDirectDecryptor interface.

func NewJweDirectDecryptorAeadImpl 

func NewJweDirectDecryptorAeadImpl(keys []AeadEncryptionKey) *JweDirectDecryptorAeadImpl

NewJweDirectDecryptorAeadImpl create a new instance of a JweDirectDecryptorAeadImpl.

func (*JweDirectDecryptorAeadImpl) Decrypt 

func (decryptor *JweDirectDecryptorAeadImpl) Decrypt(jwe string) (plaintext, aad []byte, err error)

Decrypt and verify the given JWE returning both the plaintext and AAD.

type JweDirectDecryptorBlock 

type JweDirectDecryptorBlock struct {
	// contains filtered or unexported fields
}

func NewJweDirectDecryptorBlock 

func NewJweDirectDecryptorBlock(aesKey BlockEncryptionKey, hmacKey HmacKey) *JweDirectDecryptorBlock

NewJweDirectDecryptorBlock create a new instance of a JweDirectDecryptorBlock.

func (*JweDirectDecryptorBlock) Decrypt 

func (decryptor *JweDirectDecryptorBlock) Decrypt(marshalledJwe string) (plaintext, aad []byte, err error)

Decrypt and verify the given JWE returning the plaintext. never return a non nil aad. aad is just here to satisfy the JweDecryptor interface

type JweDirectEncryptorAead 

type JweDirectEncryptorAead struct {
	// contains filtered or unexported fields
}

JweDirectEncryptorAead implementation of JweDirectEncryptionEncryptor interface.

func NewJweDirectEncryptorAead 

func NewJweDirectEncryptorAead(key AeadEncryptionKey, externalIV bool) *JweDirectEncryptorAead

NewJweDirectEncryptorAead construct an instance of a JweDirectEncryptorAead.

func (*JweDirectEncryptorAead) Encrypt 

func (encryptor *JweDirectEncryptorAead) Encrypt(plaintext, aad []byte) (string, error)

Encrypt encrypt and authenticate the given plaintext and AAD returning a compact JWE.

type JweDirectEncryptorBlock 

type JweDirectEncryptorBlock struct {
	// contains filtered or unexported fields
}

JweDirectEncryptorBlock implementation of JweDirectEncryptionEncryptor interface for BlockMode which is more efficient than Block for bulk operations

func NewJweDirectEncryptorBlock 

func NewJweDirectEncryptorBlock(aesKey BlockEncryptionKey, hmacKey HmacKey, iv []byte) *JweDirectEncryptorBlock

NewJweDirectEncryptorBlock construct an instance of a JweDirectEncryptorBlock.

func (*JweDirectEncryptorBlock) Encrypt 

func (encryptor *JweDirectEncryptorBlock) Encrypt(plaintext, aad []byte) (string, error)

Encrypt encrypts the given plaintext and returns a compact JWE. 

WARNING aad is useless here : according to RFC7516, the AAD is computed from the JWE's private header
It is just here to statisfy the interface implementation

type JweEncryptor 

type JweEncryptor interface {
	Encrypt(plaintext, aad []byte) (string, error)
}

JweEncryptor implements encryption of arbitary plaintext into a compact JWE as defined by https://tools.ietf.org/html/rfc7516.

type JweHmacVerifier 

type JweHmacVerifier interface {
	// ComputeHash computes the authentication Tag for of a Jwe by hashing the concatenated values in argument
	//  aad is the protected header of the JWE encoded in b64
	//  IV is the initialization vector of the JWE recipient for the encryption/decryption operations
	//  Ciphertext is the result of the encryption operation using the current IV
	//  AL is representing the number of bits (length) in AAD expressed as a big-endian 64-bit unsigned integer
	// Returns the hash result of a hmac operation given the concatenated slice of the values above
	ComputeHash(aad []byte, iv []byte, ciphertext []byte) []byte
	// VerifyCompact a compact jwe (rfc 7516) in input and computes its authentication TAG with a hmac operation with
	// the authentication TAG in the JWE.
	// Returns false if the integrity check fails, i.e the tags are different
	VerifyCompact(jwe jose.JweRfc7516Compact) (result bool, err error)
}

type JweHmacVerifierImpl 

type JweHmacVerifierImpl struct {
	// contains filtered or unexported fields
}

JweHmacVerifierImpl implements the JWE Verification API

func NewJweHmacVerifier 

func NewJweHmacVerifier(hmacKey HmacKey) *JweHmacVerifierImpl

NewJweHmacVerifier creates a JWT Verifier for a given truststore

func (*JweHmacVerifierImpl) ComputeHash 

func (verifier *JweHmacVerifierImpl) ComputeHash(aad []byte, iv []byte, ciphertext []byte) []byte

func (*JweHmacVerifierImpl) VerifyCompact 

func (verifier *JweHmacVerifierImpl) VerifyCompact(jwe jose.JweRfc7516Compact) (result bool, err error)

type JweRsaKeyEncryptionDecryptorImpl 

type JweRsaKeyEncryptionDecryptorImpl struct {
	// contains filtered or unexported fields
}

JweRsaKeyEncryptionDecryptorImpl implements RSA Key Encryption CEK mode.

func NewJweRsaKeyEncryptionDecryptorImpl 

func NewJweRsaKeyEncryptionDecryptorImpl(keystore AsymmetricDecryptionKeyStore) *JweRsaKeyEncryptionDecryptorImpl

NewJweRsaKeyEncryptionDecryptorImpl creates an instance of JweRsaKeyEncryptionDecryptorImpl with the given keystore.

func (*JweRsaKeyEncryptionDecryptorImpl) Decrypt 

func (d *JweRsaKeyEncryptionDecryptorImpl) Decrypt(jweRaw string, oaepHash crypto.Hash) (plaintext, aad []byte, err error)

Decrypt decrypts the given JWE returning the contained plaintext and any additional authentic associated data. This method follow recommendations of https://datatracker.ietf.org/doc/html/rfc7516#section-5.2

type JweRsaKeyEncryptionEncryptorImpl 

type JweRsaKeyEncryptionEncryptorImpl struct {
	// contains filtered or unexported fields
}

JweRsaKeyEncryptionEncryptorImpl implements RSA Key Encryption CEK mode.

func NewJweRsaKeyEncryptionEncryptorImpl 

func NewJweRsaKeyEncryptionEncryptorImpl(rsaPublicKeyRecipient jose.Jwk, randomSource io.Reader) (*JweRsaKeyEncryptionEncryptorImpl, error)

NewJweRsaKeyEncryptionEncryptorImpl returns an instance of JweRsaKeyEncryptionEncryptorImpl configured with the given JWK. rsaPublicKeyRecipient is the jwk describing the public key that will be used to encrypt the CEK. randomSource is the random generator used by :

  • the RSA OAEP algorithm for entropy source for each encryption operation on CEKs
  • the encryption of the data performed by the CEK with AES GCM algorithm, for the IV

func (*JweRsaKeyEncryptionEncryptorImpl) Encrypt 

func (e *JweRsaKeyEncryptionEncryptorImpl) Encrypt(plaintext []byte, oaepHash crypto.Hash) (jwe string, err error)

Encrypt encrypts the given plaintext into a compact JWE. The Content Encryption Key is encrypted to the recipient using the RSAES-OAEP algorithm to produce the JWE Encrypted Key. Authenticated encryption is performed on the plaintext using the AES GCM algorithm with a 256-bit key to produce the ciphertext and the Authentication Tag.

type JwksTrustStore 

type JwksTrustStore struct {
	// contains filtered or unexported fields
}

JwksTrustStore is an implementation of the TrustStore interface and can be used for accessing VerificationKeys.

func NewJwksKeyStore 

func NewJwksKeyStore(issuerList, url string) *JwksTrustStore

NewJwksKeyStore creates a new instance of a TrustStore and can be used to load verification keys.

func (*JwksTrustStore) Add 

func (store *JwksTrustStore) Add(issuer string, jwk jose.Jwk) error

Add this method is not supported on a JwksTrustStore instance and will always return an error.

func (*JwksTrustStore) Get 

func (store *JwksTrustStore) Get(issuer, kid string) (vk VerificationKey, err error)

Get returns a verification key for the given issuer and key id. If no key is found nil is returned.

func (*JwksTrustStore) Remove 

func (store *JwksTrustStore) Remove(issuer, kid string) bool

Remove this method is not supported on a JwksTrustStore instance and will always return false.

type JwtSigner 

type JwtSigner interface {
	// Issuer returns the identity of the issuing authority
	Issuer() string
	// Sign signs a set of claims returning a serialized JWT.
	Sign(claims *jose.SettableJwtClaims, untyped map[string]interface{}) (string, error)
}

JwtSigner implements generation of signed compact JWTs as defined by https://tools.ietf.org/html/rfc7519.

type JwtSignerImpl 

type JwtSignerImpl struct {
	// contains filtered or unexported fields
}

JwtSignerImpl JWT implementation

func NewJwtSigner 

func NewJwtSigner(issuer string, key SigningKey) *JwtSignerImpl

NewJwtSigner returns a JWT Signer for a issuer and jwk

func (*JwtSignerImpl) Issuer 

func (signer *JwtSignerImpl) Issuer() string

Issuer returns issuer of JWT

func (*JwtSignerImpl) Sign 

func (signer *JwtSignerImpl) Sign(claims *jose.SettableJwtClaims, untyped map[string]interface{}) (string, error)

Sign claims to a JWT string

type JwtVerifier 

type JwtVerifier interface {
	// Verify verifies a JWT is a valid jwt where the caller can specify a number of allowable audiences.
	Verify(jwt string, audience []string) (kid string, claims *jose.JwtClaims, err error)
}

JwtVerifier implements verification of signed compact JWTs as defined by https://tools.ietf.org/html/rfc7519.

type JwtVerifierImpl 

type JwtVerifierImpl struct {
	// contains filtered or unexported fields
}

JwtVerifierImpl implements the JWT Verification API

func NewJwtVerifier 

func NewJwtVerifier(ks TrustStore) *JwtVerifierImpl

NewJwtVerifier creates a JWT Verifier for a given truststore

func (*JwtVerifierImpl) Verify 

func (verifier *JwtVerifierImpl) Verify(jwt string, audience []string) (kid string, claims *jose.JwtClaims, err error)

Verify the jwt and audience is valid

type Key 

type Key interface {
	// Kid returns the identity of the key.
	Kid() string
}

Key is an interface representing a cryptographic key.

type MarshalableKey 

type MarshalableKey interface {
	// Jwk returns the Key as a JSON Web Key.
	Jwk() (jose.Jwk, error)
	// Marshal marshals a key to it's compact JWK string representation.
	Marshal() (string, error)
}

MarshalableKey is an interface representing a key that can be marshaled into a JWK.

type RsaKeyDecryptionKeyGenerator 

type RsaKeyDecryptionKeyGenerator struct {
}

RsaKeyDecryptionKeyGenerator handles generating a RSA encryption keys

func (*RsaKeyDecryptionKeyGenerator) Generate 

func (generator *RsaKeyDecryptionKeyGenerator) Generate(alg jose.Alg, bitLen int, operations []jose.KeyOps) (AsymmetricDecryptionKey, error)

Generate an RSA key using a given algorithm, length, and scope to certain jwk operations.

type RsaPrivateKeyImpl 

type RsaPrivateKeyImpl struct {
	// contains filtered or unexported fields
}

RsaPrivateKeyImpl provides software based signing and decryption capabilities for use during JWT and JWE processing.

func NewRsaDecryptionKey 

func NewRsaDecryptionKey(jwk jose.Jwk) (*RsaPrivateKeyImpl, error)

NewRsaDecryptionKey returns a new instance of RsaPrivateKeyImpl configured using he given JWK.

func (*RsaPrivateKeyImpl) Algorithm 

func (rsaKey *RsaPrivateKeyImpl) Algorithm() jose.Alg

Algorithm returns the Algorithm

func (*RsaPrivateKeyImpl) Certificates 

func (rsaKey *RsaPrivateKeyImpl) Certificates() []*x509.Certificate

Certificates of signing key

func (*RsaPrivateKeyImpl) Decrypt 

func (rsaKey *RsaPrivateKeyImpl) Decrypt(requested jose.KeyOps, hash crypto.Hash, ciphertext []byte) ([]byte, error)

Decrypt decrypt the given ciphertext returning the derived plaintext.

func (*RsaPrivateKeyImpl) Encryptor 

func (rsaKey *RsaPrivateKeyImpl) Encryptor() (AsymmetricEncryptionKey, error)

Encryptor get encryption key

func (*RsaPrivateKeyImpl) Jwk 

func (rsaKey *RsaPrivateKeyImpl) Jwk() (jose.Jwk, error)

Jwk returns the JWK

func (*RsaPrivateKeyImpl) Key 

func (rsaKey *RsaPrivateKeyImpl) Key() crypto.Signer

Key returns the underlying crypto.Signer implementation.

func (*RsaPrivateKeyImpl) Kid 

func (rsaKey *RsaPrivateKeyImpl) Kid() string

Kid returns the jwk id

func (*RsaPrivateKeyImpl) Marshal 

func (rsaKey *RsaPrivateKeyImpl) Marshal() (string, error)

Marshal marshal the key to a JWK string, or error

func (*RsaPrivateKeyImpl) MarshalPem 

func (rsaKey *RsaPrivateKeyImpl) MarshalPem() (string, error)

MarshalPem marshal the key to a PEM string, or error

func (*RsaPrivateKeyImpl) Operations 

func (rsaKey *RsaPrivateKeyImpl) Operations() []jose.KeyOps

Operations returns the allowed operations for the SigningKey

func (*RsaPrivateKeyImpl) Sign 

func (rsaKey *RsaPrivateKeyImpl) Sign(requested jose.KeyOps, data []byte) ([]byte, error)

Sign perform signing operations on data, or error

func (*RsaPrivateKeyImpl) Verifier 

func (rsaKey *RsaPrivateKeyImpl) Verifier() (VerificationKey, error)

Verifier verification key for signing jwk

type RsaPublicKeyImpl 

type RsaPublicKeyImpl struct {
	// contains filtered or unexported fields
}

RsaPublicKeyImpl implements RSA verification and encryption APIs

func NewRsaPublicKeyImpl 

func NewRsaPublicKeyImpl(jwk jose.Jwk) (*RsaPublicKeyImpl, error)

NewRsaPublicKeyImpl create a new RsaPublicKeyImpl instance.

func (*RsaPublicKeyImpl) Algorithm 

func (k *RsaPublicKeyImpl) Algorithm() jose.Alg

Algorithm returns algorithm

func (*RsaPublicKeyImpl) Certificates 

func (k *RsaPublicKeyImpl) Certificates() []*x509.Certificate

Certificates for verification key

func (*RsaPublicKeyImpl) Encrypt 

func (k *RsaPublicKeyImpl) Encrypt(requested jose.KeyOps, hash crypto.Hash, data []byte) ([]byte, error)

Encrypt encrypts the given plaintext returning the derived ciphertext.

func (*RsaPublicKeyImpl) Jwk 

func (k *RsaPublicKeyImpl) Jwk() (jose.Jwk, error)

Jwk returns the public JWK

func (*RsaPublicKeyImpl) Kid 

func (k *RsaPublicKeyImpl) Kid() string

Kid returns the key's id

func (*RsaPublicKeyImpl) Marshal 

func (k *RsaPublicKeyImpl) Marshal() (string, error)

Marshal returns the key marshalled to a JWK string, or error

func (*RsaPublicKeyImpl) MarshalPem 

func (k *RsaPublicKeyImpl) MarshalPem() (string, error)

MarshalPem returns the key marshalled to a PEM string, or error

func (*RsaPublicKeyImpl) Verify 

func (k *RsaPublicKeyImpl) Verify(operation jose.KeyOps, data []byte, signature []byte) bool

Verify data matches signature

type RsaSigningKeyGenerator 

type RsaSigningKeyGenerator struct {
}

RsaSigningKeyGenerator handles generating a RSA signing key

func (*RsaSigningKeyGenerator) Generate 

func (generator *RsaSigningKeyGenerator) Generate(alg jose.Alg, bitLen int, operations []jose.KeyOps) (SigningKey, error)

Generate an RSA key using a given algorithm, length, and scope to certain jwk operations.

type SigningKey 

type SigningKey interface {
	Key
	MarshalableKey
	CertifiableKey
	Algorithmed
	// Key returns the underlying key used to sign
	Key() crypto.Signer
	// Sign digest and sign the given data.
	Sign(jose.KeyOps, []byte) ([]byte, error)
	// Verifier get the matching verification key.
	Verifier() (VerificationKey, error)
}

SigningKey interface implementers both digest and signing of data.

func NewSigningKey 

func NewSigningKey(jwk jose.Jwk, required []jose.KeyOps) (SigningKey, error)

NewSigningKey returns a SignignKey for a jose.JWK with required jwk operations

type SigningKeyImpl 

type SigningKeyImpl struct {
	// contains filtered or unexported fields
}

SigningKeyImpl implements a RSA signing key

func (*SigningKeyImpl) Algorithm 

func (signer *SigningKeyImpl) Algorithm() jose.Alg

Algorithm returns the Algorithm

func (*SigningKeyImpl) Certificates 

func (signer *SigningKeyImpl) Certificates() []*x509.Certificate

Certificates of signing key

func (*SigningKeyImpl) Jwk 

func (signer *SigningKeyImpl) Jwk() (jose.Jwk, error)

Jwk returns the JWK

func (*SigningKeyImpl) Key 

func (signer *SigningKeyImpl) Key() crypto.Signer

Key returns the crypto.Signer

func (*SigningKeyImpl) Kid 

func (signer *SigningKeyImpl) Kid() string

Kid returns the jwk id

func (*SigningKeyImpl) Marshal 

func (signer *SigningKeyImpl) Marshal() (string, error)

Marshal marshal the key to a JWK string, or error

func (*SigningKeyImpl) MarshalPem 

func (signer *SigningKeyImpl) MarshalPem() (string, error)

MarshalPem marshal the key to a PEM string, or error

func (*SigningKeyImpl) Operations 

func (signer *SigningKeyImpl) Operations() []jose.KeyOps

Operations returns the allowed operations for the SigningKey

func (*SigningKeyImpl) Sign 

func (signer *SigningKeyImpl) Sign(requested jose.KeyOps, data []byte) ([]byte, error)

Sign perform signing operations on data, or error

func (*SigningKeyImpl) Verifier 

func (signer *SigningKeyImpl) Verifier() (VerificationKey, error)

Verifier verification key for signing jwk

type TrustKeyStoreImpl 

type TrustKeyStoreImpl struct {
	// contains filtered or unexported fields
}

TrustKeyStoreImpl implements the Trust Store API

func NewTrustKeyStore 

func NewTrustKeyStore(rootData map[string]jose.Jwk) (store *TrustKeyStoreImpl, err error)

NewTrustKeyStore loads truststore for map of jose.JWK

func NewTrustKeyStoreFromFile 

func NewTrustKeyStoreFromFile(root string) (store *TrustKeyStoreImpl, err error)

NewTrustKeyStoreFromFile loads truststore for a

func (*TrustKeyStoreImpl) Add 

func (store *TrustKeyStoreImpl) Add(issuer string, jwk jose.Jwk) error

Add add an issuer and JWK to the truststore

func (*TrustKeyStoreImpl) Get 

func (store *TrustKeyStoreImpl) Get(issuer, kid string) (vk VerificationKey, err error)

Get get verification jwk for issuer and jwk id

func (*TrustKeyStoreImpl) Remove 

func (store *TrustKeyStoreImpl) Remove(issuer, kid string) bool

Remove remove JWK for issuer and jwk id

type TrustStore 

type TrustStore interface {
	Add(issuer string, jwk jose.Jwk) error
	Remove(issuer, kid string) bool
	Get(issuer, kid string) (vk VerificationKey, err error)
}

TrustStore provides the ability to manage trusted root public keys for use when verifying cryptographic signatures.

type VerificationKey 

type VerificationKey interface {
	Key
	MarshalableKey
	CertifiableKey
	Algorithmed
	// Verify verifies the operation being performed is supported and
	// that the signature is derived from the data.
	Verify(operation jose.KeyOps, data []byte, signature []byte) bool
}

VerificationKey implements verification of a cryptographic signature.

func NewVerificationKey 

func NewVerificationKey(jwk jose.Jwk) (VerificationKey, error)

NewVerificationKey for jwk or error

Source Files

View all Source files

Directories

Path Synopsis
examples
jwe
jwt

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.