jose

package
v0.22.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 8, 2022 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Index

Constants

View Source
const (
	RSA1_5             = KeyAlgorithm("RSA1_5")             // RSA-PKCS1v1.5
	RSA_OAEP           = KeyAlgorithm("RSA-OAEP")           // RSA-OAEP-SHA1
	RSA_OAEP_256       = KeyAlgorithm("RSA-OAEP-256")       // RSA-OAEP-SHA256
	A128KW             = KeyAlgorithm("A128KW")             // AES key wrap (128)
	A192KW             = KeyAlgorithm("A192KW")             // AES key wrap (192)
	A256KW             = KeyAlgorithm("A256KW")             // AES key wrap (256)
	DIRECT             = KeyAlgorithm("dir")                // Direct encryption
	ECDH_ES            = KeyAlgorithm("ECDH-ES")            // ECDH-ES
	ECDH_ES_A128KW     = KeyAlgorithm("ECDH-ES+A128KW")     // ECDH-ES + AES key wrap (128)
	ECDH_ES_A192KW     = KeyAlgorithm("ECDH-ES+A192KW")     // ECDH-ES + AES key wrap (192)
	ECDH_ES_A256KW     = KeyAlgorithm("ECDH-ES+A256KW")     // ECDH-ES + AES key wrap (256)
	A128GCMKW          = KeyAlgorithm("A128GCMKW")          // AES-GCM key wrap (128)
	A192GCMKW          = KeyAlgorithm("A192GCMKW")          // AES-GCM key wrap (192)
	A256GCMKW          = KeyAlgorithm("A256GCMKW")          // AES-GCM key wrap (256)
	PBES2_HS256_A128KW = KeyAlgorithm("PBES2-HS256+A128KW") // PBES2 + HMAC-SHA256 + AES key wrap (128)
	PBES2_HS384_A192KW = KeyAlgorithm("PBES2-HS384+A192KW") // PBES2 + HMAC-SHA384 + AES key wrap (192)
	PBES2_HS512_A256KW = KeyAlgorithm("PBES2-HS512+A256KW") // PBES2 + HMAC-SHA512 + AES key wrap (256)
)

Key management algorithms

View Source
const (
	HS256 = "HS256" // HMAC using SHA-256
	HS384 = "HS384" // HMAC using SHA-384
	HS512 = "HS512" // HMAC using SHA-512
	RS256 = "RS256" // RSASSA-PKCS-v1.5 using SHA-256
	RS384 = "RS384" // RSASSA-PKCS-v1.5 using SHA-384
	RS512 = "RS512" // RSASSA-PKCS-v1.5 using SHA-512
	ES256 = "ES256" // ECDSA using P-256 and SHA-256
	ES384 = "ES384" // ECDSA using P-384 and SHA-384
	ES512 = "ES512" // ECDSA using P-521 and SHA-512
	PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
	PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
	PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
	EdDSA = "EdDSA" // Ed25591
)

Signature algorithms

View Source
const (
	A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128)
	A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192)
	A256CBC_HS512 = ContentEncryption("A256CBC-HS512") // AES-CBC + HMAC-SHA512 (256)
	A128GCM       = ContentEncryption("A128GCM")       // AES-GCM (128)
	A192GCM       = ContentEncryption("A192GCM")       // AES-GCM (192)
	A256GCM       = ContentEncryption("A256GCM")       // AES-GCM (256)
)

Content encryption algorithms

View Source
const (
	P256 = "P-256" // P-256 curve (FIPS 186-3)
	P384 = "P-384" // P-384 curve (FIPS 186-3)
	P521 = "P-521" // P-521 curve (FIPS 186-3)
)

Elliptic curves

View Source
const (
	EC  = "EC"  // Elliptic curves
	RSA = "RSA" // RSA
	OKP = "OKP" // Ed25519
	OCT = "oct" // Octet sequence
)

Key types

View Source
const (
	// Key management algorithms
	DefaultECKeyAlgorithm  = ECDH_ES
	DefaultRSAKeyAlgorithm = RSA_OAEP_256
	DefaultOctKeyAlgorithm = A256GCMKW
	// Signature algorithms
	DefaultRSASigAlgorithm  = RS256
	DefaultOctSigsAlgorithm = HS256
	// Content encryption algorithm
	DefaultEncAlgorithm = A256GCM
)

Default key management, signature, and content encryption algorithms to use if none is specified.

View Source
const (
	DefaultRSASize = 2048
	DefaultOctSize = 32
)

Default sizes

View Source
const Ed25519 = "Ed25519"

Ed25519 is the EdDSA signature scheme using SHA-512/256 and Curve25519

View Source
const MaxDecryptTries = 3

MaxDecryptTries is the maximum number of attempts to decrypt a file.

View Source
const PBKDF2Iterations = 100000

PBKDF2Iterations is the default number of iterations for PBKDF2, 100k iterations. Nist recommends at least 10k, 1Passsword uses 100k.

View Source
const PBKDF2SaltSize = 16

PBKDF2SaltSize is the default size of the salt for PBKDF2, 128-bit salt.

View Source
const SupportsPBKDF2 = true

SupportsPBKDF2 constant to know if the underlaying library supports password based cryptography algorithms.

Variables

View Source
var ErrCryptoFailure = jose.ErrCryptoFailure

ErrCryptoFailure indicates an error in a cryptographic primitive.

View Source
var ErrExpired = jwt.ErrExpired

ErrExpired indicates that token is used after expiry time indicated in exp claim.

View Source
var ErrInvalidAudience = jwt.ErrInvalidAudience

ErrInvalidAudience indicated invalid aud claim.

View Source
var ErrInvalidID = jwt.ErrInvalidID

ErrInvalidID indicates invalid jti claim.

View Source
var ErrInvalidIssuer = jwt.ErrInvalidIssuer

ErrInvalidIssuer indicates invalid iss claim.

View Source
var ErrInvalidSubject = jwt.ErrInvalidSubject

ErrInvalidSubject indicates invalid sub claim.

View Source
var ErrNotValidYet = jwt.ErrNotValidYet

ErrNotValidYet indicates that token is used before time indicated in nbf claim.

View Source
var X5cInsecureKey = "x5cInsecure"

X5cInsecureKey is the key used to store the x5cInsecure cert chain in the JWT header.

Functions

func Decrypt

func Decrypt(prompt string, data []byte, opts ...Option) ([]byte, error)

Decrypt returns the decrypted version of the given data if it's encrypted, it will return the raw data if it's not encrypted or the format is not valid.

func GenerateDefaultKeyPair added in v0.8.1

func GenerateDefaultKeyPair(pass []byte) (*JSONWebKey, *JSONWebEncryption, error)

GenerateDefaultKeyPair generates an asymmetric public/private key pair. Returns the public key as a JWK and the private key as an encrypted JWE.

func GetX5cInsecureHeader added in v0.14.0

func GetX5cInsecureHeader(jwt *JSONWebToken) ([]*x509.Certificate, error)

GetX5cInsecureHeader extracts the x5cInsecure certificate chain from the token.

func IsAsymmetric

func IsAsymmetric(k *JSONWebKey) bool

Determine whether a JSONWebKey is asymmetric

func IsSymmetric

func IsSymmetric(k *JSONWebKey) bool

Determine whether a JSONWebKey is symmetric

func ParseKeySet

func ParseKeySet(filename string, opts ...Option) (*jose.JSONWebKey, error)

ParseKeySet returns the JWK with the given key after parsing a JWKSet from a given file. func ParseKeySet(filename, alg, kid string, isSubtle bool) (*jose.JSONWebKey, error) {

func ReadJWKSet

func ReadJWKSet(filename string) ([]byte, error)

ReadJWKSet reads a JWK Set from a URL or filename. URLs must start with "https://".

func Thumbprint added in v0.8.1

func Thumbprint(jwk *JSONWebKey) (string, error)

Thumbprint computes the JWK Thumbprint of a key using SHA256 as the hash algorithm. It returns the hash encoded in the Base64 raw url encoding.

func TrimPrefix

func TrimPrefix(err error) error

TrimPrefix removes the string "square/go-jose" from all errors.

func ValidateJWK

func ValidateJWK(jwk *JSONWebKey) error

ValidateJWK validates the given JWK.

func ValidateSSHPOP added in v0.14.0

func ValidateSSHPOP(certFile string, key interface{}) (string, error)

ValidateSSHPOP validates the given SSH certificate and key for use in an sshpop header.

func ValidateX5C added in v0.14.0

func ValidateX5C(certFile string, key interface{}) ([]string, error)

ValidateX5C validates the given certificate chain and key for use as a token signer and x5t header.

func ValidateX5T added in v0.14.3

func ValidateX5T(certFile string, key interface{}) (string, error)

ValidateX5T validates the given certificate and key for use as a token signer and x5t header.

Types

type Audience

type Audience = jwt.Audience

Audience represents the recipients that the token is intended for.

type Builder

type Builder = jwt.Builder

Builder is a utility for making JSON Web Tokens. Calls can be chained, and errors are accumulated until the final call to CompactSerialize/FullSerialize.

func Signed

func Signed(sig Signer) Builder

Signed creates builder for signed tokens.

type Claims

type Claims = jwt.Claims

Claims represents public claim values (as specified in RFC 7519).

type ContentEncryption

type ContentEncryption = jose.ContentEncryption

ContentEncryption represents a content encryption algorithm.

type ContentType

type ContentType = jose.ContentType

ContentType represents type of the contained data.

type Encrypter

type Encrypter = jose.Encrypter

Encrypter represents an encrypter which produces an encrypted JWE object.

func NewEncrypter

func NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions) (Encrypter, error)

NewEncrypter creates an appropriate encrypter based on the key type.

type EncrypterOptions

type EncrypterOptions = jose.EncrypterOptions

EncrypterOptions represents options that can be set on new encrypters.

type Expected

type Expected = jwt.Expected

Expected defines values used for protected claims validation. If field has zero value then validation is skipped.

type Header = jose.Header

Header represents the read-only JOSE header for JWE/JWS objects.

type HeaderKey added in v0.8.1

type HeaderKey = jose.HeaderKey

HeaderKey represents the type used as a key in the protected header of a JWS object.

type JSONWebEncryption

type JSONWebEncryption = jose.JSONWebEncryption

JSONWebEncryption represents an encrypted JWE object after parsing.

func EncryptJWK added in v0.8.1

func EncryptJWK(jwk *JSONWebKey, opts ...Option) (*JSONWebEncryption, error)

EncryptJWK returns the given JWK encrypted with the default encryption algorithm (PBES2-HS256+A128KW).

func ParseEncrypted

func ParseEncrypted(input string) (*JSONWebEncryption, error)

ParseEncrypted parses an encrypted message in compact or full serialization format.

type JSONWebKey

type JSONWebKey = jose.JSONWebKey

JSONWebKey represents a public or private key in JWK format.

func GenerateJWK

func GenerateJWK(kty, crv, alg, use, kid string, size int) (jwk *JSONWebKey, err error)

GenerateJWK generates a JWK given the key type, curve, alg, use, kid and the size of the RSA or oct keys if necessary.

func GenerateJWKFromPEM

func GenerateJWKFromPEM(filename string, subtle bool) (*JSONWebKey, error)

GenerateJWKFromPEM returns an incomplete JSONWebKey using the key from a PEM file.

func ParseKey

func ParseKey(filename string, opts ...Option) (*JSONWebKey, error)

ParseKey returns a JSONWebKey from the given JWK file or a PEM file. For password protected keys, it will ask the user for a password. func ParseKey(filename, use, alg, kid string, subtle bool) (*JSONWebKey, error) {

type JSONWebKeySet

type JSONWebKeySet = jose.JSONWebKeySet

JSONWebKeySet represents a JWK Set object.

type JSONWebSignature

type JSONWebSignature = jose.JSONWebSignature

JSONWebSignature represents a signed JWS object after parsing.

func ParseJWS

func ParseJWS(s string) (*JSONWebSignature, error)

ParseJWS parses a signed message in compact or full serialization format.

type JSONWebToken

type JSONWebToken = jwt.JSONWebToken

JSONWebToken represents a JSON Web Token (as specified in RFC7519).

func ParseSigned

func ParseSigned(s string) (*JSONWebToken, error)

ParseSigned parses token from JWS form.

func ParseX5cInsecure added in v0.14.0

func ParseX5cInsecure(tok string, roots []*x509.Certificate) (*JSONWebToken, [][]*x509.Certificate, error)

ParseX5cInsecure parses an x5cInsecure token, validates the certificate chain in the token, and returns the JWT struct along with all the verified chains.

type KeyAlgorithm

type KeyAlgorithm = jose.KeyAlgorithm

KeyAlgorithm represents a key management algorithm.

type NumericDate

type NumericDate = jwt.NumericDate

NumericDate represents date and time as the number of seconds since the epoch, including leap seconds. Non-integer values can be represented in the serialized format, but we round to the nearest second.

func NewNumericDate

func NewNumericDate(t time.Time) *NumericDate

NewNumericDate constructs NumericDate from time.Time value.

func UnixNumericDate added in v0.9.2

func UnixNumericDate(s int64) *NumericDate

UnixNumericDate returns a NumericDate from the given seconds since the UNIX Epoch time. For backward compatibility is s is 0, a nil value will be returned.

type Option

type Option func(ctx *context) error

Option is the type used to add attributes to the context.

func WithAlg

func WithAlg(alg string) Option

WithAlg adds the alg claim to the context.

func WithInsecure

func WithInsecure(insecure bool) Option

WithInsecure marks the context as insecure.

func WithKid

func WithKid(kid string) Option

WithKid adds the kid property to the context.

func WithNoDefaults

func WithNoDefaults(val bool) Option

WithNoDefaults avoids that the parser loads defaults values, specially the default algorithms.

func WithPassword

func WithPassword(pass []byte) Option

WithPassword is a method that adds the given password to the context.

func WithPasswordFile added in v0.8.1

func WithPasswordFile(filename string) Option

WithPasswordFile is a method that adds the password in a file to the context.

func WithSubtle

func WithSubtle(subtle bool) Option

WithSubtle marks the context as subtle.

func WithUIOptions added in v0.8.1

func WithUIOptions(opts ...ui.Option) Option

WithUIOptions adds UI package options to the password prompts.

func WithUse

func WithUse(use string) Option

WithUse adds the use claim to the context.

type Recipient

type Recipient = jose.Recipient

Recipient represents an algorithm/key to encrypt messages to.

type Signature added in v0.11.0

type Signature = jose.Signature

Signature represents a signature.

type SignatureAlgorithm

type SignatureAlgorithm = jose.SignatureAlgorithm

SignatureAlgorithm represents a signature (or MAC) algorithm.

type Signer

type Signer = jose.Signer

Signer represents a signer which takes a payload and produces a signed JWS object.

func NewSigner

func NewSigner(sig SigningKey, opts *SignerOptions) (Signer, error)

NewSigner creates an appropriate signer based on the key type

type SignerOptions

type SignerOptions = jose.SignerOptions

SignerOptions represents options that can be set when creating signers.

type SigningKey

type SigningKey = jose.SigningKey

SigningKey represents an algorithm/key used to sign a message.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL