Documentation ¶
Index ¶
- type CosignerClaims
- type PKToken
- func (p *PKToken) AddJKTHeader(opKey crypto.PublicKey) error
- func (p *PKToken) AddSignature(token []byte, sigType SignatureType) error
- func (p *PKToken) Compact(sig *Signature) ([]byte, error) (deprecated)
- func (p *PKToken) GetCicValues() (*clientinstance.Claims, error)
- func (p *PKToken) Hash() (string, error)
- func (p *PKToken) MarshalJSON() ([]byte, error)
- func (p *PKToken) NewSignedMessage(content []byte, signer crypto.Signer) ([]byte, error)
- func (p *PKToken) ProviderAlgorithm() (jwa.SignatureAlgorithm, bool)
- func (p *PKToken) Sign(sigType SignatureType, signer crypto.Signer, alg jwa.KeyAlgorithm, ...) error
- func (p *PKToken) SignToken(signer crypto.Signer, alg jwa.KeyAlgorithm, protected map[string]any) ([]byte, error)
- func (p *PKToken) UnmarshalJSON(data []byte) error
- func (p *PKToken) VerifyCicSig() error
- func (p *PKToken) VerifyCosSig() error
- func (p *PKToken) VerifyGQSig(pubKey *rsa.PublicKey, gqSecurityParameter int) error
- func (p *PKToken) VerifySignedMessage(osm []byte) ([]byte, error)
- type Signature
- type SignatureType
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CosignerClaims ¶
type CosignerClaims struct {
	Issuer      string `json:"iss"`
	KeyID       string `json:"kid"`
	Algorithm   string `json:"alg"`
	AuthID      string `json:"eid"`
	AuthTime    int64  `json:"auth_time"`
	IssuedAt    int64  `json:"iat"` // may differ from auth_time because of refresh
	Expiration  int64  `json:"exp"`
	RedirectURI string `json:"ruri"`
	Nonce       string `json:"nonce"`
	Typ         string `json:"typ"`
}
func ParseCosignerClaims ¶
func ParseCosignerClaims(protected []byte) (*CosignerClaims, error)
type PKToken ¶
type PKToken struct {
	Payload []byte     // decoded payload
	Op      *Signature // Provider Signature
	Cic     *Signature // Client Signature
	Cos     *Signature // Cosigner Signature

	// We keep the tokens around as unmarshalled values can no longer be verified
	OpToken  []byte // Base64 encoded ID Token signed by the OP
	CicToken []byte // Base64 encoded Token signed by the Client
	CosToken []byte // Base64 encoded Token signed by the Cosigner
	// contains filtered or unexported fields
}
func (*PKToken) AddJKTHeader ¶
kid isn't always present, and it is only guaranteed to be unique within a given key set, so the thumbprint of the key is used instead to identify the key at verification time.
func (*PKToken) AddSignature ¶
func (p *PKToken) AddSignature(token []byte, sigType SignatureType) error
func (*PKToken) Compact ¶ (deprecated)
Deprecated: The PK Token now stores the signed tokens (OpToken, CicToken, etc.), removing the need for this function. Instead of calling Compact, read the token directly from the PK Token: use `pkt.OpToken` instead of `opToken, err := pkt.Compact(pkt.Op)`.
func (*PKToken) GetCicValues ¶
func (p *PKToken) GetCicValues() (*clientinstance.Claims, error)
func (*PKToken) MarshalJSON ¶
func (*PKToken) NewSignedMessage ¶
NewSignedMessage signs a message with the signer provided. The signed message is an OSM (OpenPubkey Signed Message), which is a type of JWS (JSON Web Signature). An OSM commits to the PK Token that was used to generate it.
func (*PKToken) ProviderAlgorithm ¶
func (p *PKToken) ProviderAlgorithm() (jwa.SignatureAlgorithm, bool)
func (*PKToken) Sign ¶
func (p *PKToken) Sign(
	sigType SignatureType,
	signer crypto.Signer,
	alg jwa.KeyAlgorithm,
	protected map[string]any,
) error
func (*PKToken) SignToken ¶
func (p *PKToken) SignToken(
	signer crypto.Signer,
	alg jwa.KeyAlgorithm,
	protected map[string]any,
) ([]byte, error)
SignToken signs the PK Token and then returns only the payload, header and signature as a JWT.
func (*PKToken) UnmarshalJSON ¶
func (*PKToken) VerifyCicSig ¶
func (*PKToken) VerifyCosSig ¶
func (*PKToken) VerifyGQSig ¶
func (*PKToken) VerifySignedMessage ¶
VerifySignedMessage verifies an OSM (OpenPubkey Signed Message) using the public key in this PK Token. If verification is successful, VerifySignedMessage returns the content of the signed message. Otherwise it returns an error explaining why verification failed.
Note: VerifySignedMessage does not check that the PK Token itself is valid. The PK Token should always be verified first, before calling VerifySignedMessage.
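The two steps described for NewSignedMessage and VerifySignedMessage, as an added example that is not code from the openpubkey package: a stand-in OSM is an ES256 JWS whose protected header carries a hash of the PK Token, and verification rejects a message that commits to a different PK Token before it ever checks the signature. The header field names ("typ": "osm", "kid" holding the PK Token hash), the sha helper standing in for PKToken.Hash(), and the constructed PK Token bytes used in the test are assumptions, not the package's actual format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
// sha is used both for the PK Token commitment (a stand-in for PKToken.Hash(), an assumption) and for the ES256 signing input.
func sha(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// signOSM mirrors NewSignedMessage: an ES256 JWS whose protected header carries the PK Token hash,
// so the message commits to the PK Token that produced it. Header names are an assumption.
func signOSM(pkt, content []byte, key *ecdsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "osm", "kid": b64.EncodeToString(sha(pkt))})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(content)
	r, s, err := ecdsa.Sign(rand.Reader, key, sha([]byte(input)))
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are raw r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyOSM mirrors VerifySignedMessage: it checks the commitment and the signature, then returns
// the content. As with the real method, it does NOT verify the PK Token itself; do that first.
func verifyOSM(pkt []byte, osm string, pub *ecdsa.PublicKey) ([]byte, error) {
	parts := strings.SplitN(osm, ".", 3)
	var hdr struct{ Alg, Typ, Kid string }
	if hdrJSON, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, errors.New("malformed OSM or protected header")
	}
	if hdr.Alg != "ES256" || hdr.Typ != "osm" || hdr.Kid != b64.EncodeToString(sha(pkt)) {
		return nil, errors.New("unexpected alg/typ, or OSM does not commit to this PK Token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, sha([]byte(parts[0]+"."+parts[1])), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	return b64.DecodeString(parts[1])
}
```

Checking the alg and typ before the signature is what stops a header swapped to another algorithm from being accepted; the commitment check is what ties the message to one specific PK Token.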
type SignatureType ¶
type SignatureType string
const (
	OIDC SignatureType = "JWT"
	CIC  SignatureType = "CIC"
	COS  SignatureType = "COS"
)