Documentation ¶
Index ¶
- Constants
- Variables
- func IsCompactJWS(s string) bool
- type AlgSignatureVerifier
- type CompositeAlgSigVerifier
- type Decrypter
- type EncAlg
- type Encrypter
- type Headers
- type JSONWebEncryption
- type JSONWebSignature
- type JWEDecrypt
- type JWEEncrypt
- type JWK
- type JWSParseOpt
- type Recipient
- type RecipientHeaders
- type SignatureVerifier
- type SignatureVerifierFunc
- type Signer
Constants ¶
const (
	// HeaderAlgorithm identifies:
	// For JWS: the cryptographic algorithm used to secure the JWS.
	// For JWE: the cryptographic algorithm used to encrypt or determine the value of the CEK.
	HeaderAlgorithm = "alg" // string

	// HeaderEncryption identifies the JWE content encryption algorithm.
	HeaderEncryption = "enc" // string

	// HeaderJWKSetURL is a URI that refers to a resource for a set of JSON-encoded public keys, one of which:
	// For JWS: corresponds to the key used to digitally sign the JWS.
	// For JWE: corresponds to the public key to which the JWE was encrypted.
	HeaderJWKSetURL = "jku" // string

	// HeaderJSONWebKey is:
	// For JWS: the public key that corresponds to the key used to digitally sign the JWS.
	// For JWE: the public key to which the JWE was encrypted.
	HeaderJSONWebKey = "jwk" // JSON

	// HeaderKeyID is a hint:
	// For JWS: indicating which key was used to secure the JWS.
	// For JWE: which references the public key to which the JWE was encrypted.
	HeaderKeyID = "kid" // string

	// HeaderSenderKeyID is a hint:
	// For JWS: not used.
	// For JWE: which references the (sender) public key used in the JWE key derivation/wrapping to encrypt the CEK.
	HeaderSenderKeyID = "skid" // string

	// HeaderX509URL is a URI that refers to a resource for the X.509 public key certificate or certificate chain:
	// For JWS: corresponding to the key used to digitally sign the JWS.
	// For JWE: corresponding to the public key to which the JWE was encrypted.
	HeaderX509URL = "x5u"

	// HeaderX509CertificateChain contains the X.509 public key certificate or certificate chain:
	// For JWS: corresponding to the key used to digitally sign the JWS.
	// For JWE: corresponding to the public key to which the JWE was encrypted.
	HeaderX509CertificateChain = "x5c"

	// HeaderX509CertificateDigest (X.509 certificate SHA-1 thumbprint) is a base64url-encoded
	// SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate:
	// For JWS: corresponding to the key used to digitally sign the JWS.
	// For JWE: corresponding to the public key to which the JWE was encrypted.
	HeaderX509CertificateDigestSha1 = "x5t"

	// HeaderX509CertificateDigestSha256 (X.509 certificate SHA-256 thumbprint) is a base64url-encoded SHA-256
	// thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate:
	// For JWS: corresponding to the key used to digitally sign the JWS.
	// For JWE: corresponding to the public key to which the JWE was encrypted.
	HeaderX509CertificateDigestSha256 = "x5t#S256" // string

	// HeaderType is:
	// For JWS: used by JWS applications to declare the media type of this complete JWS.
	// For JWE: used by JWE applications to declare the media type of this complete JWE.
	HeaderType = "typ" // string

	// HeaderContentType is used by JWS applications to declare the media type of:
	// For JWS: the secured content (the payload).
	// For JWE: the secured content (the plaintext).
	HeaderContentType = "cty" // string

	// HeaderCritical indicates that extensions to:
	// For JWS: this JWS header specification and/or JWA are being used that MUST be understood and processed.
	// For JWE: this JWE header specification and/or JWA are being used that MUST be understood and processed.
	HeaderCritical = "crit" // array

	// HeaderEPK is used by JWE applications to wrap/unwrap the CEK for a recipient.
	HeaderEPK = "epk" // JSON
)
IANA registered JOSE headers (https://tools.ietf.org/html/rfc7515#section-4.1)
const (
	// A256GCM for AES256GCM content encryption.
	A256GCM = EncAlg(composite.A256GCM)
)
const (
	// HeaderB64 determines whether the payload is represented in the JWS and the JWS Signing
	// Input as ASCII(BASE64URL(JWS Payload)) or as the JWS Payload value itself with no encoding performed.
	HeaderB64Payload = "b64" // bool
)
Header defined in https://tools.ietf.org/html/rfc7797
Variables ¶
var ErrInvalidKey = errors.New("invalid JWK")
ErrInvalidKey is returned when passed JWK is invalid.
Functions ¶
func IsCompactJWS ¶
IsCompactJWS checks whether input is a compact JWS (based on https://tools.ietf.org/html/rfc7516#section-9).
Types ¶
type AlgSignatureVerifier ¶
type AlgSignatureVerifier struct {
	Alg      string
	Verifier SignatureVerifier
}
AlgSignatureVerifier defines the verifier for a particular signature algorithm.
type CompositeAlgSigVerifier ¶
type CompositeAlgSigVerifier struct {
// contains filtered or unexported fields
}
CompositeAlgSigVerifier defines a composite signature verifier based on the algorithm taken from the JOSE alg header.
func NewCompositeAlgSigVerifier ¶
func NewCompositeAlgSigVerifier(v AlgSignatureVerifier, vOther ...AlgSignatureVerifier) *CompositeAlgSigVerifier
NewCompositeAlgSigVerifier creates a new CompositeAlgSigVerifier.
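The alg-keyed dispatch that CompositeAlgSigVerifier describes, as an added sketch that is not this package's code: Headers and SignatureVerifier are local stand-ins copied from the signatures on this page, and edVerifier and algAllowlist are hypothetical names. It refuses any alg without a registered verifier and any crit header, since this stand-in understands no extensions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Local stand-ins shaped like the types documented above (not the package's code).
type Headers map[string]interface{}

type SignatureVerifier interface {
	Verify(joseHeaders Headers, payload, signingInput, signature []byte) error
}

// edVerifier checks an Ed25519 signature over the JWS signing input.
type edVerifier struct{ pub ed25519.PublicKey }

func (e edVerifier) Verify(_ Headers, _, signingInput, sig []byte) error {
	if !ed25519.Verify(e.pub, signingInput, sig) {
		return errors.New("invalid EdDSA signature")
	}
	return nil
}

// algAllowlist (hypothetical name) picks the verifier by the "alg" header.
// A missing, non-string, "none" or unregistered alg never reaches a key.
type algAllowlist map[string]SignatureVerifier

func (a algAllowlist) Verify(h Headers, payload, signingInput, sig []byte) error {
	if _, has := h["crit"]; has { // no extensions understood here, so refuse them
		return errors.New("unsupported crit header")
	}
	alg, _ := h["alg"].(string)
	v, ok := a[alg]
	if !ok {
		return fmt.Errorf("alg %q is not on the allowlist", alg)
	}
	return v.Verify(h, payload, signingInput, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key
	in := []byte("eyJhbGciOiJFZERTQSJ9.aGk") // constructed: {"alg":"EdDSA"}.hi
	v := algAllowlist{"EdDSA": edVerifier{pub}}
	fmt.Println(v.Verify(Headers{"alg": "EdDSA"}, nil, in, ed25519.Sign(priv, in)))
	fmt.Println(v.Verify(Headers{"alg": "none"}, nil, in, nil))
}
```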
type Decrypter ¶ added in v0.1.3
type Decrypter interface {
	// Decrypt a deserialized JWE, extracts the corresponding recipient key to decrypt plaintext and returns it
	Decrypt(jwe *JSONWebEncryption) ([]byte, error)
}
Decrypter interface to Decrypt JWE messages.
type EncAlg ¶ added in v0.1.3
type EncAlg string
EncAlg represents the JWE content encryption algorithm.
type Encrypter ¶ added in v0.1.3
type Encrypter interface {
	// EncryptWithAuthData encrypt plaintext and aad sent to more than 1 recipients and returns a valid
	// JSONWebEncryption instance
	EncryptWithAuthData(plaintext, aad []byte) (*JSONWebEncryption, error)
	// Encrypt plaintext with empty aad sent to 1 or more recipients and returns a valid JSONWebEncryption instance
	Encrypt(plaintext []byte) (*JSONWebEncryption, error)
}
Encrypter interface to Encrypt/Decrypt JWE messages.
type Headers ¶
type Headers map[string]interface{}
Headers represents JOSE headers.
func (Headers) Encryption ¶ added in v0.1.3
Encryption gets content encryption algorithm from JOSE headers.
func (Headers) SenderKeyID ¶ added in v0.1.4
SenderKeyID gets the sender Key ID from JOSE headers.
type JSONWebEncryption ¶ added in v0.1.3
type JSONWebEncryption struct {
	ProtectedHeaders   Headers
	OrigProtectedHders string
	UnprotectedHeaders Headers
	Recipients         []*Recipient
	AAD                string
	IV                 string
	Ciphertext         string
	Tag                string
}
JSONWebEncryption represents a JWE as defined in https://tools.ietf.org/html/rfc7516.
func Deserialize ¶ added in v0.1.3
func Deserialize(serializedJWE string) (*JSONWebEncryption, error)
Deserialize deserializes the given serialized JWE into a JSONWebEncryption object.
func (*JSONWebEncryption) CompactSerialize ¶ added in v0.1.4
func (e *JSONWebEncryption) CompactSerialize(marshal marshalFunc) (string, error)
CompactSerialize serializes the given JWE into a compact, URL-safe string as defined in https://tools.ietf.org/html/rfc7516#section-7.1.
func (*JSONWebEncryption) FullSerialize ¶ added in v0.1.4
func (e *JSONWebEncryption) FullSerialize(marshal marshalFunc) (string, error)
FullSerialize serializes the given JWE into JSON as defined in https://tools.ietf.org/html/rfc7516#section-7.2. The full serialization syntax is used. If there is only one recipient, then the flattened syntax is used.
type JSONWebSignature ¶
type JSONWebSignature struct {
	ProtectedHeaders   Headers
	UnprotectedHeaders Headers
	Payload            []byte
	// contains filtered or unexported fields
}
JSONWebSignature defines JSON Web Signature (https://tools.ietf.org/html/rfc7515)
func NewJWS ¶
func NewJWS(protectedHeaders, unprotectedHeaders Headers, payload []byte, signer Signer) (*JSONWebSignature, error)
NewJWS creates JSON Web Signature.
func ParseJWS ¶
func ParseJWS(jws string, verifier SignatureVerifier, opts ...JWSParseOpt) (*JSONWebSignature, error)
ParseJWS parses serialized JWS. Currently only JWS Compact Serialization parsing is supported.
func (JSONWebSignature) SerializeCompact ¶
func (s JSONWebSignature) SerializeCompact(detached bool) (string, error)
SerializeCompact produces the JWS Compact Serialization (https://tools.ietf.org/html/rfc7515#section-7.1).
func (JSONWebSignature) Signature ¶
func (s JSONWebSignature) Signature() []byte
Signature returns a copy of JWS signature.
type JWEDecrypt ¶ added in v0.1.3
type JWEDecrypt struct {
// contains filtered or unexported fields
}
JWEDecrypt is responsible for decrypting a JWE message and returns its protected plaintext.
func NewJWEDecrypt ¶ added in v0.1.3
func NewJWEDecrypt(store storage.Store, recipientKH *keyset.Handle) *JWEDecrypt
NewJWEDecrypt creates a new JWEDecrypt instance to parse and decrypt a JWE message for a given recipient. store is needed for Authcrypt only (to fetch the sender's pre-agreed public key); it is not needed for Anoncrypt.
func (*JWEDecrypt) Decrypt ¶ added in v0.1.3
func (jd *JWEDecrypt) Decrypt(jwe *JSONWebEncryption) ([]byte, error)
Decrypt decrypts the protected content of a deserialized JWE and returns the plaintext.
type JWEEncrypt ¶ added in v0.1.3
type JWEEncrypt struct {
// contains filtered or unexported fields
}
JWEEncrypt is responsible for encrypting a plaintext and its AAD into a protected JWE and decrypting it.
func NewJWEEncrypt ¶ added in v0.1.3
func NewJWEEncrypt(encAlg EncAlg, encType, senderKID string, senderKH *keyset.Handle, recipientsPubKeys []*composite.PublicKey) (*JWEEncrypt, error)
NewJWEEncrypt creates a new JWEEncrypt instance to build a JWE with recipientsPubKeys. senderKID and senderKH are used for Authcrypt (to authenticate the sender); if they are not set, JWEEncrypt assumes Anoncrypt.
func (*JWEEncrypt) Encrypt ¶ added in v0.1.3
func (je *JWEEncrypt) Encrypt(plaintext []byte) (*JSONWebEncryption, error)
Encrypt encrypts plaintext with AAD and returns a JSONWebEncryption instance to serialize a JWE instance.
func (*JWEEncrypt) EncryptWithAuthData ¶ added in v0.1.4
func (je *JWEEncrypt) EncryptWithAuthData(plaintext, aad []byte) (*JSONWebEncryption, error)
EncryptWithAuthData encrypts plaintext with AAD and returns a JSONWebEncryption instance to serialize a JWE instance.
type JWK ¶
JWK (JSON Web Key) is a JSON data structure that represents a cryptographic key.
func JWKFromPublicKey ¶ added in v0.1.4
JWKFromPublicKey creates a JWK from a public key struct, e.g. *ecdsa.PublicKey or ed25519.PublicKey.
func (*JWK) MarshalJSON ¶ added in v0.1.3
MarshalJSON serializes the given key to its JSON representation.
func (*JWK) PublicKeyBytes ¶ added in v0.1.3
PublicKeyBytes converts a public key to bytes.
func (*JWK) UnmarshalJSON ¶ added in v0.1.3
UnmarshalJSON reads a key from its JSON representation.
type JWSParseOpt ¶
type JWSParseOpt func(opts *jwsParseOpts)
JWSParseOpt is the JWS Parser option.
func WithJWSDetachedPayload ¶
func WithJWSDetachedPayload(payload []byte) JWSParseOpt
WithJWSDetachedPayload is the option that defines the JWS detached payload.
type Recipient ¶ added in v0.1.3
type Recipient struct {
	Header       *RecipientHeaders `json:"header,omitempty"`
	EncryptedKey string            `json:"encrypted_key,omitempty"`
}
Recipient is a recipient of a JWE including the shared encryption key.
type RecipientHeaders ¶ added in v0.1.3
type RecipientHeaders struct {
	Alg string          `json:"alg,omitempty"`
	APU string          `json:"apu,omitempty"`
	IV  string          `json:"iv,omitempty"`
	Tag string          `json:"tag,omitempty"`
	KID string          `json:"kid,omitempty"`
	EPK json.RawMessage `json:"epk,omitempty"`
	SPK json.RawMessage `json:"spk,omitempty"`
}
RecipientHeaders are the recipient headers.
type SignatureVerifier ¶
type SignatureVerifier interface {
	// Verify verifies JWS based on the signing input.
	Verify(joseHeaders Headers, payload, signingInput, signature []byte) error
}
SignatureVerifier verifies a JSON Web Signature.
type SignatureVerifierFunc ¶
SignatureVerifierFunc is a function wrapper for SignatureVerifier.
type Signer ¶
type Signer interface {
	// Sign signs.
	Sign(data []byte) ([]byte, error)
	// Headers provides JWS headers. "alg" header must be provided (see https://tools.ietf.org/html/rfc7515#section-4.1)
	Headers() Headers
}
Signer defines the JWS Signer interface. It signs data and provides custom JWS headers relevant to the signer.