Documentation ¶
Index ¶
- Constants
- Variables
- func Decrypt(prompt string, data []byte, opts ...Option) ([]byte, error)
- func GenerateDefaultKeyPair(pass []byte) (*JSONWebKey, *JSONWebEncryption, error)
- func GetX5cInsecureHeader(jwt *JSONWebToken) ([]*x509.Certificate, error)
- func IsAsymmetric(k *JSONWebKey) bool
- func IsSymmetric(k *JSONWebKey) bool
- func ParseKeySet(filename string, opts ...Option) (*jose.JSONWebKey, error)
- func ReadJWKSet(filename string) ([]byte, error)
- func Thumbprint(jwk *JSONWebKey) (string, error)
- func TrimPrefix(err error) error
- func ValidateJWK(jwk *JSONWebKey) error
- func ValidateSSHPOP(certFile string, key interface{}) (string, error)
- func ValidateX5C(certFile string, key interface{}) ([]string, error)
- func ValidateX5T(certFile string, key interface{}) (string, error)
- type Audience
- type Builder
- type Claims
- type ContentEncryption
- type ContentType
- type Encrypter
- type EncrypterOptions
- type Expected
- type Header
- type HeaderKey
- type JSONWebEncryption
- type JSONWebKey
- type JSONWebKeySet
- type JSONWebSignature
- type JSONWebToken
- type KeyAlgorithm
- type NumericDate
- type Option
- func WithAlg(alg string) Option
- func WithInsecure(insecure bool) Option
- func WithKid(kid string) Option
- func WithNoDefaults(val bool) Option
- func WithPassword(pass []byte) Option
- func WithPasswordFile(filename string) Option
- func WithSubtle(subtle bool) Option
- func WithUIOptions(opts ...ui.Option) Option
- func WithUse(use string) Option
- type Recipient
- type Signature
- type SignatureAlgorithm
- type Signer
- type SignerOptions
- type SigningKey
Constants ¶
const ( RSA1_5 = KeyAlgorithm("RSA1_5") // RSA-PKCS1v1.5 RSA_OAEP = KeyAlgorithm("RSA-OAEP") // RSA-OAEP-SHA1 RSA_OAEP_256 = KeyAlgorithm("RSA-OAEP-256") // RSA-OAEP-SHA256 A128KW = KeyAlgorithm("A128KW") // AES key wrap (128) A192KW = KeyAlgorithm("A192KW") // AES key wrap (192) A256KW = KeyAlgorithm("A256KW") // AES key wrap (256) DIRECT = KeyAlgorithm("dir") // Direct encryption ECDH_ES = KeyAlgorithm("ECDH-ES") // ECDH-ES ECDH_ES_A128KW = KeyAlgorithm("ECDH-ES+A128KW") // ECDH-ES + AES key wrap (128) ECDH_ES_A192KW = KeyAlgorithm("ECDH-ES+A192KW") // ECDH-ES + AES key wrap (192) ECDH_ES_A256KW = KeyAlgorithm("ECDH-ES+A256KW") // ECDH-ES + AES key wrap (256) A128GCMKW = KeyAlgorithm("A128GCMKW") // AES-GCM key wrap (128) A192GCMKW = KeyAlgorithm("A192GCMKW") // AES-GCM key wrap (192) A256GCMKW = KeyAlgorithm("A256GCMKW") // AES-GCM key wrap (256) PBES2_HS256_A128KW = KeyAlgorithm("PBES2-HS256+A128KW") // PBES2 + HMAC-SHA256 + AES key wrap (128) PBES2_HS384_A192KW = KeyAlgorithm("PBES2-HS384+A192KW") // PBES2 + HMAC-SHA384 + AES key wrap (192) PBES2_HS512_A256KW = KeyAlgorithm("PBES2-HS512+A256KW") // PBES2 + HMAC-SHA512 + AES key wrap (256) )
Key management algorithms
const ( HS256 = "HS256" // HMAC using SHA-256 HS384 = "HS384" // HMAC using SHA-384 HS512 = "HS512" // HMAC using SHA-512 RS256 = "RS256" // RSASSA-PKCS-v1.5 using SHA-256 RS384 = "RS384" // RSASSA-PKCS-v1.5 using SHA-384 RS512 = "RS512" // RSASSA-PKCS-v1.5 using SHA-512 ES256 = "ES256" // ECDSA using P-256 and SHA-256 ES384 = "ES384" // ECDSA using P-384 and SHA-384 ES512 = "ES512" // ECDSA using P-521 and SHA-512 PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256 PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384 PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512 EdDSA = "EdDSA" // Ed25591 )
Signature algorithms
const ( A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128) A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192) A256CBC_HS512 = ContentEncryption("A256CBC-HS512") // AES-CBC + HMAC-SHA512 (256) A128GCM = ContentEncryption("A128GCM") // AES-GCM (128) A192GCM = ContentEncryption("A192GCM") // AES-GCM (192) A256GCM = ContentEncryption("A256GCM") // AES-GCM (256) )
Content encryption algorithms
const ( P256 = "P-256" // P-256 curve (FIPS 186-3) P384 = "P-384" // P-384 curve (FIPS 186-3) P521 = "P-521" // P-521 curve (FIPS 186-3) )
Elliptic curves
const ( EC = "EC" // Elliptic curves RSA = "RSA" // RSA OKP = "OKP" // Ed25519 OCT = "oct" // Octet sequence )
Key types
const ( // Key management algorithms DefaultECKeyAlgorithm = ECDH_ES DefaultRSAKeyAlgorithm = RSA_OAEP_256 DefaultOctKeyAlgorithm = A256GCMKW // Signature algorithms DefaultRSASigAlgorithm = RS256 DefaultOctSigsAlgorithm = HS256 // Content encryption algorithm DefaultEncAlgorithm = A256GCM )
Default key management, signature, and content encryption algorithms to use if none is specified.
const ( DefaultRSASize = 2048 DefaultOctSize = 32 )
Default sizes
const Ed25519 = "Ed25519"
Ed25519 is the EdDSA signature scheme using SHA-512/256 and Curve25519
const MaxDecryptTries = 3
MaxDecryptTries is the maximum number of attempts to decrypt a file.
const PBKDF2Iterations = 100000
PBKDF2Iterations is the default number of iterations for PBKDF2, 100k iterations. Nist recommends at least 10k, 1Passsword uses 100k.
const PBKDF2SaltSize = 16
PBKDF2SaltSize is the default size of the salt for PBKDF2, 128-bit salt.
const SupportsPBKDF2 = true
SupportsPBKDF2 constant to know if the underlaying library supports password based cryptography algorithms.
Variables ¶
var ErrCryptoFailure = jose.ErrCryptoFailure
ErrCryptoFailure indicates an error in a cryptographic primitive.
var ErrExpired = jwt.ErrExpired
ErrExpired indicates that token is used after expiry time indicated in exp claim.
var ErrInvalidAudience = jwt.ErrInvalidAudience
ErrInvalidAudience indicated invalid aud claim.
var ErrInvalidID = jwt.ErrInvalidID
ErrInvalidID indicates invalid jti claim.
var ErrInvalidIssuer = jwt.ErrInvalidIssuer
ErrInvalidIssuer indicates invalid iss claim.
var ErrInvalidSubject = jwt.ErrInvalidSubject
ErrInvalidSubject indicates invalid sub claim.
var ErrNotValidYet = jwt.ErrNotValidYet
ErrNotValidYet indicates that token is used before time indicated in nbf claim.
var X5cInsecureKey = "x5cInsecure"
X5cInsecureKey is the key used to store the x5cInsecure cert chain in the JWT header.
Functions ¶
func Decrypt ¶
Decrypt returns the decrypted version of the given data if it's encrypted, it will return the raw data if it's not encrypted or the format is not valid.
func GenerateDefaultKeyPair ¶ added in v0.8.1
func GenerateDefaultKeyPair(pass []byte) (*JSONWebKey, *JSONWebEncryption, error)
GenerateDefaultKeyPair generates an asymmetric public/private key pair. Returns the public key as a JWK and the private key as an encrypted JWE.
func GetX5cInsecureHeader ¶ added in v0.14.0
func GetX5cInsecureHeader(jwt *JSONWebToken) ([]*x509.Certificate, error)
GetX5cInsecureHeader extracts the x5cInsecure certificate chain from the token.
func IsAsymmetric ¶
func IsAsymmetric(k *JSONWebKey) bool
Determine whether a JSONWebKey is asymmetric
func ParseKeySet ¶
func ParseKeySet(filename string, opts ...Option) (*jose.JSONWebKey, error)
ParseKeySet returns the JWK with the given key after parsing a JWKSet from a given file. func ParseKeySet(filename, alg, kid string, isSubtle bool) (*jose.JSONWebKey, error) {
func ReadJWKSet ¶
ReadJWKSet reads a JWK Set from a URL or filename. URLs must start with "https://".
func Thumbprint ¶ added in v0.8.1
func Thumbprint(jwk *JSONWebKey) (string, error)
Thumbprint computes the JWK Thumbprint of a key using SHA256 as the hash algorithm. It returns the hash encoded in the Base64 raw url encoding.
func TrimPrefix ¶
TrimPrefix removes the string "square/go-jose" from all errors.
func ValidateSSHPOP ¶ added in v0.14.0
ValidateSSHPOP validates the given SSH certificate and key for use in an sshpop header.
func ValidateX5C ¶ added in v0.14.0
ValidateX5C validates the given certificate chain and key for use as a token signer and x5t header.
func ValidateX5T ¶ added in v0.14.3
ValidateX5T validates the given certificate and key for use as a token signer and x5t header.
Types ¶
type Builder ¶
Builder is a utility for making JSON Web Tokens. Calls can be chained, and errors are accumulated until the final call to CompactSerialize/FullSerialize.
type ContentEncryption ¶
type ContentEncryption = jose.ContentEncryption
ContentEncryption represents a content encryption algorithm.
type ContentType ¶
type ContentType = jose.ContentType
ContentType represents type of the contained data.
type Encrypter ¶
Encrypter represents an encrypter which produces an encrypted JWE object.
func NewEncrypter ¶
func NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions) (Encrypter, error)
NewEncrypter creates an appropriate encrypter based on the key type.
type EncrypterOptions ¶
type EncrypterOptions = jose.EncrypterOptions
EncrypterOptions represents options that can be set on new encrypters.
type Expected ¶
Expected defines values used for protected claims validation. If field has zero value then validation is skipped.
type HeaderKey ¶ added in v0.8.1
HeaderKey represents the type used as a key in the protected header of a JWS object.
type JSONWebEncryption ¶
type JSONWebEncryption = jose.JSONWebEncryption
JSONWebEncryption represents an encrypted JWE object after parsing.
func EncryptJWK ¶ added in v0.8.1
func EncryptJWK(jwk *JSONWebKey) (*JSONWebEncryption, error)
EncryptJWK returns the given JWK encrypted with the default encryption algorithm (PBES2-HS256+A128KW).
func ParseEncrypted ¶
func ParseEncrypted(input string) (*JSONWebEncryption, error)
ParseEncrypted parses an encrypted message in compact or full serialization format.
type JSONWebKey ¶
type JSONWebKey = jose.JSONWebKey
JSONWebKey represents a public or private key in JWK format.
func GenerateJWK ¶
func GenerateJWK(kty, crv, alg, use, kid string, size int) (jwk *JSONWebKey, err error)
GenerateJWK generates a JWK given the key type, curve, alg, use, kid and the size of the RSA or oct keys if necessary.
func GenerateJWKFromPEM ¶
func GenerateJWKFromPEM(filename string, subtle bool) (*JSONWebKey, error)
GenerateJWKFromPEM returns an incomplete JSONWebKey using the key from a PEM file.
func ParseKey ¶
func ParseKey(filename string, opts ...Option) (*JSONWebKey, error)
ParseKey returns a JSONWebKey from the given JWK file or a PEM file. For password protected keys, it will ask the user for a password. func ParseKey(filename, use, alg, kid string, subtle bool) (*JSONWebKey, error) {
type JSONWebKeySet ¶
type JSONWebKeySet = jose.JSONWebKeySet
JSONWebKeySet represents a JWK Set object.
type JSONWebSignature ¶
type JSONWebSignature = jose.JSONWebSignature
JSONWebSignature represents a signed JWS object after parsing.
func ParseJWS ¶
func ParseJWS(s string) (*JSONWebSignature, error)
ParseJWS parses a signed message in compact or full serialization format.
type JSONWebToken ¶
type JSONWebToken = jwt.JSONWebToken
JSONWebToken represents a JSON Web Token (as specified in RFC7519).
func ParseSigned ¶
func ParseSigned(s string) (*JSONWebToken, error)
ParseSigned parses token from JWS form.
func ParseX5cInsecure ¶ added in v0.14.0
func ParseX5cInsecure(tok string, roots []*x509.Certificate) (*JSONWebToken, [][]*x509.Certificate, error)
ParseX5cInsecure parses an x5cInsecure token, validates the certificate chain in the token, and returns the JWT struct along with all the verified chains.
type KeyAlgorithm ¶
type KeyAlgorithm = jose.KeyAlgorithm
KeyAlgorithm represents a key management algorithm.
type NumericDate ¶
type NumericDate = jwt.NumericDate
NumericDate represents date and time as the number of seconds since the epoch, including leap seconds. Non-integer values can be represented in the serialized format, but we round to the nearest second.
func NewNumericDate ¶
func NewNumericDate(t time.Time) *NumericDate
NewNumericDate constructs NumericDate from time.Time value.
func UnixNumericDate ¶ added in v0.9.2
func UnixNumericDate(s int64) *NumericDate
UnixNumericDate returns a NumericDate from the given seconds since the UNIX Epoch time. For backward compatibility is s is 0, a nil value will be returned.
type Option ¶
type Option func(ctx *context) error
Option is the type used to add attributes to the context.
func WithInsecure ¶
WithInsecure marks the context as insecure.
func WithNoDefaults ¶
WithNoDefaults avoids that the parser loads defaults values, specially the default algorithms.
func WithPassword ¶
WithPassword is a method that adds the given password to the context.
func WithPasswordFile ¶ added in v0.8.1
WithPasswordFile is a method that adds the password in a file to the context.
func WithUIOptions ¶ added in v0.8.1
WithUIOptions adds UI package options to the password prompts.
type SignatureAlgorithm ¶
type SignatureAlgorithm = jose.SignatureAlgorithm
SignatureAlgorithm represents a signature (or MAC) algorithm.
type Signer ¶
Signer represents a signer which takes a payload and produces a signed JWS object.
func NewSigner ¶
func NewSigner(sig SigningKey, opts *SignerOptions) (Signer, error)
NewSigner creates an appropriate signer based on the key type
type SignerOptions ¶
type SignerOptions = jose.SignerOptions
SignerOptions represents options that can be set when creating signers.
type SigningKey ¶
type SigningKey = jose.SigningKey
SigningKey represents an algorithm/key used to sign a message.