Overview ¶
Package cwt implements CBOR Web Token (CWT) as defined in RFC8392. https://datatracker.ietf.org/doc/html/rfc8392.
Index ¶
- type Claims
- type ClaimsMap
- func (cm ClaimsMap) Bytesify() []byte
- func (cm ClaimsMap) Get(claim any) any
- func (cm ClaimsMap) GetBool(claim any) (bool, error)
- func (cm ClaimsMap) GetBytes(claim any) ([]byte, error)
- func (cm ClaimsMap) GetInt(claim any) (int, error)
- func (cm ClaimsMap) GetInt64(claim any) (int64, error)
- func (cm ClaimsMap) GetMap(claim any) (key.CoseMap, error)
- func (cm ClaimsMap) GetString(claim any) (string, error)
- func (cm ClaimsMap) GetUint64(claim any) (uint64, error)
- func (cm ClaimsMap) Has(claim any) bool
- func (cm ClaimsMap) MarshalCBOR() ([]byte, error)
- func (cm ClaimsMap) Set(p, value any) error
- func (cm *ClaimsMap) UnmarshalCBOR(data []byte) error
- type Validator
- type ValidatorOpts
Types ¶
type Claims ¶
// Claims represents a set of common claims for CWT.
//
// Each field is tagged with its integer CBOR claim key ("keyasint") and its
// JSON name; a zero value is omitted from the encoding ("omitempty"), so an
// unset time claim is absent from the token rather than encoded as 0.
// Expiration, NotBefore and IssuedAt are expressed in seconds since epoch;
// the example on this page shows Validate reporting "token has expired" for an
// Expiration that lies in the past.
type Claims struct {
	Issuer     string      `cbor:"1,keyasint,omitempty" json:"iss,omitempty"`
	Subject    string      `cbor:"2,keyasint,omitempty" json:"sub,omitempty"`
	Audience   string      `cbor:"3,keyasint,omitempty" json:"aud,omitempty"`
	Expiration uint64      `cbor:"4,keyasint,omitempty" json:"exp,omitempty"` // seconds since epoch
	NotBefore  uint64      `cbor:"5,keyasint,omitempty" json:"nbf,omitempty"` // seconds since epoch
	IssuedAt   uint64      `cbor:"6,keyasint,omitempty" json:"iat,omitempty"` // seconds since epoch
	CWTID      key.ByteStr `cbor:"7,keyasint,omitempty" json:"cti,omitempty"`
}
Claims represents a set of common claims for CWT.
Example ¶
package main

import (
	"fmt"
	"time"

	"github.com/ldclabs/cose/cose"
	"github.com/ldclabs/cose/cwt"
	"github.com/ldclabs/cose/key"
	"github.com/ldclabs/cose/key/ed25519"
)

// main signs a cwt.Claims payload as a COSE Sign1 message with a freshly
// generated Ed25519 key, verifies the encoded token with the matching public
// key, and then validates the claims. The Expiration used here lies in the
// past, so Validate reports an expired token; the CBOR encoding of the
// verified payload is printed afterwards.
func main() {
	// Signing key and the signer derived from it.
	sk, err := ed25519.GenerateKey()
	if err != nil {
		panic(err)
	}
	sig, err := sk.Signer()
	if err != nil {
		panic(err)
	}

	// Matching public key and the verifier derived from it.
	pk, err := ed25519.ToPublicKey(sk)
	if err != nil {
		panic(err)
	}
	ver, err := pk.Verifier()
	if err != nil {
		panic(err)
	}

	// Claims carried by the token.
	payload := cwt.Claims{
		Issuer:     "ldc:ca",
		Subject:    "ldc:chain",
		Audience:   "ldc:txpool",
		Expiration: 1670123579,
		CWTID:      []byte{1, 2, 3, 4},
	}

	// Wrap the claims in a Sign1Message, sign it and encode the result.
	msg := cose.Sign1Message[cwt.Claims]{Payload: payload}
	token, err := msg.SignAndEncode(sig, nil)
	if err != nil {
		panic(err)
	}

	// Decode the token and check its signature before trusting the payload.
	verified, err := cose.VerifySign1Message[cwt.Claims](ver, token, nil)
	if err != nil {
		panic(err)
	}

	// Validate the claims against the expected issuer and audience.
	val, err := cwt.NewValidator(&cwt.ValidatorOpts{
		ExpectedIssuer:   "ldc:ca",
		ExpectedAudience: "ldc:txpool",
		ClockSkew:        time.Minute, // presumably the tolerance for time-based claims; see ValidatorOpts
	})
	if err != nil {
		panic(err)
	}
	err = val.Validate(&verified.Payload)
	fmt.Printf("Validate Claims: %v\n", err)
	// Validate Claims: cose/cwt: Validator.Validate: token has expired

	// Re-encode the verified payload as CBOR.
	enc, err := key.MarshalCBOR(verified.Payload)
	// enc, err := cbor.Marshal(myClaims)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CBOR(%d bytes): %x\n", len(enc), enc)
	// CBOR(44 bytes): a501666c64633a636102696c64633a636861696e036a6c64633a7478706f6f6c041a638c103b074401020304
}
Output: Validate Claims: cose/cwt: Validator.Validate: token has expired CBOR(44 bytes): a501666c64633a636102696c64633a636861696e036a6c64633a7478706f6f6c041a638c103b074401020304
type ClaimsMap ¶
ClaimsMap supports the full set of claims defined for CWT.
Reference https://www.iana.org/assignments/cwt/cwt.xhtml
Example ¶
package main

import (
	"fmt"
	"time"

	"github.com/ldclabs/cose/cose"
	"github.com/ldclabs/cose/cwt"
	"github.com/ldclabs/cose/iana"
	"github.com/ldclabs/cose/key"
	"github.com/ldclabs/cose/key/ecdsa"
	"github.com/ldclabs/cose/key/ed25519"
)

// main signs a cwt.ClaimsMap payload as a multi-signer COSE Sign message,
// using one Ed25519 key and one ES256 key from a key set, verifies the
// encoded token with the same key set, and validates the claims. The
// Expiration used here lies in the past, so ValidateMap reports an expired
// token; the CBOR encoding of the verified payload is printed afterwards.
func main() {
	// Two signing keys of different algorithms, grouped in a key set.
	edKey, err := ed25519.GenerateKey()
	if err != nil {
		panic(err)
	}
	esKey, err := ecdsa.GenerateKey(iana.AlgorithmES256)
	if err != nil {
		panic(err)
	}
	keys := key.KeySet{edKey, esKey}

	// Claims keyed by their registered CWT claim numbers.
	payload := cwt.ClaimsMap{
		iana.CWTClaimIss:   "ldc:ca",
		iana.CWTClaimSub:   "ldc:chain",
		iana.CWTClaimAud:   "ldc:txpool",
		iana.CWTClaimExp:   1670123579,
		iana.CWTClaimScope: "read,write",
	}

	// Sign as a SignMessage with every key in the set and encode the result.
	signers, err := keys.Signers()
	if err != nil {
		panic(err)
	}
	msg := cose.SignMessage[cwt.ClaimsMap]{Payload: payload}
	token, err := msg.SignAndEncode(signers, nil)
	if err != nil {
		panic(err)
	}

	// Decode the token and check its signatures before trusting the payload.
	verifiers, err := keys.Verifiers()
	if err != nil {
		panic(err)
	}
	verified, err := cose.VerifySignMessage[cwt.ClaimsMap](verifiers, token, nil)
	if err != nil {
		panic(err)
	}

	// Validate the claims against the expected issuer and audience.
	val, err := cwt.NewValidator(&cwt.ValidatorOpts{
		ExpectedIssuer:   "ldc:ca",
		ExpectedAudience: "ldc:txpool",
		ClockSkew:        time.Minute, // presumably the tolerance for time-based claims; see ValidatorOpts
	})
	if err != nil {
		panic(err)
	}
	err = val.ValidateMap(verified.Payload)
	fmt.Printf("Validate Claims: %v\n", err)
	// Validate Claims: cose/cwt: Validator.Validate: token has expired

	// Re-encode the verified payload as CBOR.
	enc, err := key.MarshalCBOR(verified.Payload)
	// enc, err := cbor.Marshal(myClaims)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CBOR(%d bytes): %x\n", len(enc), enc)
	// CBOR(50 bytes): a501666c64633a636102696c64633a636861696e036a6c64633a7478706f6f6c041a638c103b096a726561642c7772697465
}
Output: Validate Claims: cose/cwt: Validator.Validate: token has expired CBOR(50 bytes): a501666c64633a636102696c64633a636861696e036a6c64633a7478706f6f6c041a638c103b096a726561642c7772697465
func (ClaimsMap) Bytesify ¶
Bytesify returns the CBOR encoding of the map as a byte slice. It returns nil if MarshalCBOR fails, so a caller that must not silently proceed on an encoding failure should call MarshalCBOR directly and check its error.
func (ClaimsMap) GetBool ¶ added in v0.6.0
GetBool returns the value of the given claim as a bool, or an error.
func (ClaimsMap) GetBytes ¶
GetBytes returns the value of the given claim as a slice of bytes, or an error.
func (ClaimsMap) GetInt64 ¶ added in v0.6.0
GetInt64 returns the value of the given claim as an int64, or an error.
func (ClaimsMap) GetMap ¶ added in v1.3.0
GetMap returns the value of the given claim as a key.CoseMap, or an error.
func (ClaimsMap) GetString ¶
GetString returns the value of the given claim as a string, or an error.
func (ClaimsMap) GetUint64 ¶ added in v0.6.0
GetUint64 returns the value of the given claim as a uint64, or an error.
func (ClaimsMap) MarshalCBOR ¶
MarshalCBOR implements the CBOR Marshaler interface for ClaimsMap.
func (*ClaimsMap) UnmarshalCBOR ¶ added in v0.6.6
UnmarshalCBOR implements the CBOR Unmarshaler interface for ClaimsMap.
type Validator ¶
// Validator defines how CBOR Web Tokens (CWT) should be validated.
// It is constructed with NewValidator from a ValidatorOpts and applied with
// Validate (for Claims) or ValidateMap (for ClaimsMap); the unexported fields
// presumably hold the options it was created with — not shown on this page.
type Validator struct {
	// contains filtered or unexported fields
}
Validator defines how CBOR Web Tokens (CWT) should be validated.
func NewValidator ¶
func NewValidator(opts *ValidatorOpts) (*Validator, error)
NewValidator creates a new CWT Validator.
func (*Validator) ValidateMap ¶
ValidateMap validates a ClaimsMap according to the options provided.