jose2go – github.com/dvsekhvalnov/jose2go Index | Files | Directories

package jose

import "github.com/dvsekhvalnov/jose2go"

Package jose provides high level functions for producing (signing, encrypting and compressing) or consuming (decoding) Json Web Tokens using Java Object Signing and Encryption spec

Index

Constants

const (
	NONE = "none" //plaintext (unprotected) without signature / encryption

	HS256 = "HS256" //HMAC using SHA-256 hash
	HS384 = "HS384" //HMAC using SHA-384 hash
	HS512 = "HS512" //HMAC using SHA-512 hash
	RS256 = "RS256" //RSASSA-PKCS-v1_5 using SHA-256 hash
	RS384 = "RS384" //RSASSA-PKCS-v1_5 using SHA-384 hash
	RS512 = "RS512" //RSASSA-PKCS-v1_5 using SHA-512 hash
	PS256 = "PS256" //RSASSA-PSS using SHA-256 hash
	PS384 = "PS384" //RSASSA-PSS using SHA-384 hash
	PS512 = "PS512" //RSASSA-PSS using SHA-512 hash
	ES256 = "ES256" //ECDSA using P-256 curve and SHA-256 hash
	ES384 = "ES384" //ECDSA using P-384 curve and SHA-384 hash
	ES512 = "ES512" //ECDSA using P-521 curve and SHA-512 hash

	A128CBC_HS256 = "A128CBC-HS256" //AES in CBC mode with PKCS #5 (NIST.800-38A) padding with HMAC using 256 bit key
	A192CBC_HS384 = "A192CBC-HS384" //AES in CBC mode with PKCS #5 (NIST.800-38A) padding with HMAC using 384 bit key
	A256CBC_HS512 = "A256CBC-HS512" //AES in CBC mode with PKCS #5 (NIST.800-38A) padding with HMAC using 512 bit key
	A128GCM       = "A128GCM"       //AES in GCM mode with 128 bit key
	A192GCM       = "A192GCM"       //AES in GCM mode with 192 bit key
	A256GCM       = "A256GCM"       //AES in GCM mode with 256 bit key

	DIR                = "dir"                //Direct use of pre-shared symmetric key
	RSA1_5             = "RSA1_5"             //RSAES with PKCS #1 v1.5 padding, RFC 3447
	RSA_OAEP           = "RSA-OAEP"           //RSAES using Optimal Assymetric Encryption Padding, RFC 3447
	RSA_OAEP_256       = "RSA-OAEP-256"       //RSAES using Optimal Assymetric Encryption Padding with SHA-256, RFC 3447
	RSA_OAEP_384       = "RSA-OAEP-384"       //RSAES using Optimal Assymetric Encryption Padding with SHA-384, RFC 3447
	RSA_OAEP_512       = "RSA-OAEP-512"       //RSAES using Optimal Assymetric Encryption Padding with SHA-512, RFC 3447
	A128KW             = "A128KW"             //AES Key Wrap Algorithm using 128 bit keys, RFC 3394
	A192KW             = "A192KW"             //AES Key Wrap Algorithm using 192 bit keys, RFC 3394
	A256KW             = "A256KW"             //AES Key Wrap Algorithm using 256 bit keys, RFC 3394
	A128GCMKW          = "A128GCMKW"          //AES GCM Key Wrap Algorithm using 128 bit keys
	A192GCMKW          = "A192GCMKW"          //AES GCM Key Wrap Algorithm using 192 bit keys
	A256GCMKW          = "A256GCMKW"          //AES GCM Key Wrap Algorithm using 256 bit keys
	PBES2_HS256_A128KW = "PBES2-HS256+A128KW" //Password Based Encryption using PBES2 schemes with HMAC-SHA and AES Key Wrap using 128 bit key
	PBES2_HS384_A192KW = "PBES2-HS384+A192KW" //Password Based Encryption using PBES2 schemes with HMAC-SHA and AES Key Wrap using 192 bit key
	PBES2_HS512_A256KW = "PBES2-HS512+A256KW" //Password Based Encryption using PBES2 schemes with HMAC-SHA and AES Key Wrap using 256 bit key
	ECDH_ES            = "ECDH-ES"            //Elliptic Curve Diffie Hellman key agreement
	ECDH_ES_A128KW     = "ECDH-ES+A128KW"     //Elliptic Curve Diffie Hellman key agreement with AES Key Wrap using 128 bit key
	ECDH_ES_A192KW     = "ECDH-ES+A192KW"     //Elliptic Curve Diffie Hellman key agreement with AES Key Wrap using 192 bit key
	ECDH_ES_A256KW     = "ECDH-ES+A256KW"     //Elliptic Curve Diffie Hellman key agreement with AES Key Wrap using 256 bit key

	DEF = "DEF" //DEFLATE compression, RFC 1951
)

Variables

var ErrSizeExceeded = errors.New("Deflate stream size exceeded limit.")

Functions

func Alg

func Alg(key interface{}, jws string) func(headers map[string]interface{}, payload string) interface{}

func Compress

func Compress(payload string, alg string, enc string, zip string, key interface{}) (token string, err error)

This method is DEPRICATED and subject to be removed in next version. Use Encrypt(..) with Zip option instead.

Compress produces encrypted & comressed JWT token given arbitrary payload, key management , encryption and compression algorithms to use (see constants for list of supported algs) and management key. Management key is of different type for different key management alg, see specific key management alg implementation documentation.

It returns 5 parts encrypted & compressed JWT token as string and not nil error if something went wrong.

func Decode

func Decode(token string, key interface{}) (string, map[string]interface{}, error)

Decode verifies, decrypts and decompresses given JWT token using management key. Management key is of different type for different key management or signing algorithms, see specific alg implementation documentation.

Returns decoded payload as a string, headers and not nil error if something went wrong.

func DecodeBytes

func DecodeBytes(token string, key interface{}) ([]byte, map[string]interface{}, error)

Decode verifies, decrypts and decompresses given JWT token using management key. Management key is of different type for different key management or signing algorithms, see specific alg implementation documentation.

Returns decoded payload as a raw bytes, headers and not nil error if something went wrong.

func Enc

func Enc(key interface{}, jwa string, jwe string) func(headers map[string]interface{}, payload string) interface{}

func Encrypt

func Encrypt(payload string, alg string, enc string, key interface{}, options ...func(*JoseConfig)) (token string, err error)

Encrypt produces encrypted JWT token given arbitrary string payload, key management and encryption algorithms to use (see constants for list of supported algs) and management key. Management key is of different type for different key management alg, see specific key management alg implementation documentation.

It returns 5 parts encrypted JWT token as string and not nil error if something went wrong.

func EncryptBytes

func EncryptBytes(payload []byte, alg string, enc string, key interface{}, options ...func(*JoseConfig)) (token string, err error)

Encrypt produces encrypted JWT token given arbitrary binary payload, key management and encryption algorithms to use (see constants for list of supported algs) and management key. Management key is of different type for different key management alg, see specific key management alg implementation documentation.

It returns 5 parts encrypted JWT token as string and not nil error if something went wrong.

func Header(name string, value interface{}) func(cfg *JoseConfig)

func Headers

func Headers(headers map[string]interface{}) func(cfg *JoseConfig)

func RegisterJwa

func RegisterJwa(alg JwaAlgorithm)

RegisterJwa register new key management algorithm

func RegisterJwc

func RegisterJwc(alg JwcAlgorithm)

RegisterJwc register new compression algorithm

func RegisterJwe

func RegisterJwe(alg JweEncryption)

RegisterJwe register new encryption algorithm

func RegisterJws

func RegisterJws(alg JwsAlgorithm)

RegisterJws register new signing algorithm

func Sign

func Sign(payload string, signingAlg string, key interface{}, options ...func(*JoseConfig)) (token string, err error)

Sign produces signed JWT token given arbitrary string payload, signature algorithm to use (see constants for list of supported algs), signing key and extra options (see option functions) Signing key is of different type for different signing alg, see specific signing alg implementation documentation.

It returns 3 parts signed JWT token as string and not nil error if something went wrong.

func SignBytes

func SignBytes(payload []byte, signingAlg string, key interface{}, options ...func(*JoseConfig)) (token string, err error)

Sign produces signed JWT token given arbitrary binary payload, signature algorithm to use (see constants for list of supported algs), signing key and extra options (see option functions) Signing key is of different type for different signing alg, see specific signing alg implementation documentation.

It returns 3 parts signed JWT token as string and not nil error if something went wrong.

func Zip

func Zip(alg string) func(cfg *JoseConfig)

Types

type AesCbcHmac

type AesCbcHmac struct {
	// contains filtered or unexported fields
}

AES CBC with HMAC authenticated encryption algorithm implementation

func (*AesCbcHmac) Decrypt

func (alg *AesCbcHmac) Decrypt(aad, cek, iv, cipherText, authTag []byte) (plainText []byte, err error)

func (*AesCbcHmac) Encrypt

func (alg *AesCbcHmac) Encrypt(aad, plainText, cek []byte) (iv, cipherText, authTag []byte, err error)

func (*AesCbcHmac) KeySizeBits

func (alg *AesCbcHmac) KeySizeBits() int

func (*AesCbcHmac) Name

func (alg *AesCbcHmac) Name() string

func (*AesCbcHmac) SetKeySizeBits

func (alg *AesCbcHmac) SetKeySizeBits(bits int)

type AesGcm

type AesGcm struct {
	// contains filtered or unexported fields
}

AES GCM authenticated encryption algorithm implementation

func (*AesGcm) Decrypt

func (alg *AesGcm) Decrypt(aad, cek, iv, cipherText, authTag []byte) (plainText []byte, err error)

func (*AesGcm) Encrypt

func (alg *AesGcm) Encrypt(aad, plainText, cek []byte) (iv, cipherText, authTag []byte, err error)

func (*AesGcm) KeySizeBits

func (alg *AesGcm) KeySizeBits() int

func (*AesGcm) Name

func (alg *AesGcm) Name() string

type AesGcmKW

type AesGcmKW struct {
	// contains filtered or unexported fields
}

AES GCM Key Wrap key management algorithm implementation

func (*AesGcmKW) Name

func (alg *AesGcmKW) Name() string

func (*AesGcmKW) Unwrap

func (alg *AesGcmKW) Unwrap(encryptedCek []byte, key interface{}, cekSizeBits int, header map[string]interface{}) (cek []byte, err error)

func (*AesGcmKW) WrapNewKey

func (alg *AesGcmKW) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error)

type AesKW

type AesKW struct {
	// contains filtered or unexported fields
}

AES Key Wrap key management algorithm implementation

func (*AesKW) Name

func (alg *AesKW) Name() string

func (*AesKW) Unwrap

func (alg *AesKW) Unwrap(encryptedCek []byte, key interface{}, cekSizeBits int, header map[string]interface{}) (cek []byte, err error)

func (*AesKW) WrapNewKey

func (alg *AesKW) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error)

type Deflate

type Deflate struct {
	// contains filtered or unexported fields
}

Deflate compression algorithm implementation

func (*Deflate) Compress

func (alg *Deflate) Compress(plainText []byte) []byte

func (*Deflate) Decompress

func (alg *Deflate) Decompress(compressedText []byte) ([]byte, error)

func (*Deflate) Name

func (alg *Deflate) Name() string

type Direct

type Direct struct {
}

Direct (pre-shared) key management algorithm implementation

func (*Direct) Name

func (alg *Direct) Name() string

func (*Direct) Unwrap

func (alg *Direct) Unwrap(encryptedCek []byte, key interface{}, cekSizeBits int, header map[string]interface{}) (cek []byte, err error)

func (*Direct) WrapNewKey

func (alg *Direct) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error)

type Ecdh

type Ecdh struct {
	// contains filtered or unexported fields
}

Elliptic curve Diffie–Hellman key management (key agreement) algorithm implementation

func (*Ecdh) Name

func (alg *Ecdh) Name() string

func (*Ecdh) Unwrap

func (alg *Ecdh) Unwrap(encryptedCek []byte, key interface{}, cekSizeBits int, header map[string]interface{}) (cek []byte, err error)

func (*Ecdh) WrapNewKey

func (alg *Ecdh) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error)

type EcdhAesKW

type EcdhAesKW struct {
	// contains filtered or unexported fields
}

Elliptic curve Diffie–Hellman with AES Key Wrap key management algorithm implementation

func (*EcdhAesKW) Name

func (alg *EcdhAesKW) Name() string

func (*EcdhAesKW) Unwrap

func (alg *EcdhAesKW) Unwrap(encryptedCek []byte, key interface{}, cekSizeBits int, header map[string]interface{}) (cek []byte, err error)

func (*EcdhAesKW) WrapNewKey

func (alg *EcdhAesKW) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error)

type EcdsaUsingSha

type EcdsaUsingSha struct {
	// contains filtered or unexported fields
}

ECDSA signing algorithm implementation

func (*EcdsaUsingSha) Name

func (alg *EcdsaUsingSha) Name() string

func (*EcdsaUsingSha) Sign

func (alg *EcdsaUsingSha) Sign(securedInput []byte, key interface{}) (signature []byte, err error)

func (*EcdsaUsingSha) Verify

func (alg *EcdsaUsingSha) Verify(securedInput, signature []byte, key interface{}) error

type HmacUsingSha

type HmacUsingSha struct {
	// contains filtered or unexported fields
}

HMAC with SHA signing algorithm implementation

func (*HmacUsingSha) Name

func (alg *HmacUsingSha) Name() string

func (*HmacUsingSha) Sign

func (alg *HmacUsingSha) Sign(securedInput []byte, key interface{}) (signature []byte, err error)

func (*HmacUsingSha) Verify

func (alg *HmacUsingSha) Verify(securedInput, signature []byte, key interface{}) error

type JoseConfig

type JoseConfig struct {
	CompressionAlg string
	Headers        map[string]interface{}
}

type JwaAlgorithm

type JwaAlgorithm interface {
	WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error)
	Unwrap(encryptedCek []byte, key interface{}, cekSizeBits int, header map[string]interface{}) (cek []byte, err error)
	Name() string
}

JwaAlgorithm is a contract for implementing key management algorithm

func DeregisterJwa

func DeregisterJwa(alg string) JwaAlgorithm

DeregisterJwa deregister existing key management algorithm

func NewPbse2HmacAesKWAlg

func NewPbse2HmacAesKWAlg(keySize int, maxIters int64, minIters int64) JwaAlgorithm

type JwcAlgorithm

type JwcAlgorithm interface {
	Compress(plainText []byte) []byte
	Decompress(compressedText []byte) ([]byte, error)
	Name() string
}

JwcAlgorithm is a contract for implementing compression algorithm

func DeregisterJwc

func DeregisterJwc(alg string) JwcAlgorithm

DeregisterJwc deregister existing compression algorithm

func NewDeflate

func NewDeflate(maxBufferSizeBytes int64) JwcAlgorithm

type JweEncryption

type JweEncryption interface {
	Encrypt(aad, plainText, cek []byte) (iv, cipherText, authTag []byte, err error)
	Decrypt(aad, cek, iv, cipherText, authTag []byte) (plainText []byte, err error)
	KeySizeBits() int
	Name() string
}

JweEncryption is a contract for implementing encryption algorithm

func DeregisterJwe

func DeregisterJwe(alg string) JweEncryption

DeregisterJws deregister existing encryption algorithm

type JwsAlgorithm

type JwsAlgorithm interface {
	Verify(securedInput, signature []byte, key interface{}) error
	Sign(securedInput []byte, key interface{}) (signature []byte, err error)
	Name() string
}

JwsAlgorithm is a contract for implementing signing algorithm

func DeregisterJws

func DeregisterJws(alg string) JwsAlgorithm

DeregisterJws deregister existing signing algorithm

type Pbse2HmacAesKW

type Pbse2HmacAesKW struct {
	// contains filtered or unexported fields
}

PBSE2 with HMAC key management algorithm implementation

func (*Pbse2HmacAesKW) Name

func (alg *Pbse2HmacAesKW) Name() string

func (*Pbse2HmacAesKW) Unwrap

func (alg *Pbse2HmacAesKW) Unwrap(encryptedCek []byte, key interface{}, cekSizeBits int, header map[string]interface{}) (cek []byte, err error)

func (*Pbse2HmacAesKW) WrapNewKey

func (alg *Pbse2HmacAesKW) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error)

type Plaintext

type Plaintext struct{}

Plaintext (no signing) signing algorithm implementation

func (*Plaintext) Name

func (alg *Plaintext) Name() string

func (*Plaintext) Sign

func (alg *Plaintext) Sign(securedInput []byte, key interface{}) (signature []byte, err error)

func (*Plaintext) Verify

func (alg *Plaintext) Verify(securedInput []byte, signature []byte, key interface{}) error

type RsaOaep

type RsaOaep struct {
	// contains filtered or unexported fields
}

func (*RsaOaep) Name

func (alg *RsaOaep) Name() string

func (*RsaOaep) Unwrap

func (alg *RsaOaep) Unwrap(encryptedCek []byte, key interface{}, cekSizeBits int, header map[string]interface{}) (cek []byte, err error)

func (*RsaOaep) WrapNewKey

func (alg *RsaOaep) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error)

type RsaPkcs1v15

type RsaPkcs1v15 struct {
}

RS-AES using PKCS #1 v1.5 padding key management algorithm implementation

func (*RsaPkcs1v15) Name

func (alg *RsaPkcs1v15) Name() string

func (*RsaPkcs1v15) Unwrap

func (alg *RsaPkcs1v15) Unwrap(encryptedCek []byte, key interface{}, cekSizeBits int, header map[string]interface{}) (cek []byte, err error)

func (*RsaPkcs1v15) WrapNewKey

func (alg *RsaPkcs1v15) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error)

type RsaPssUsingSha

type RsaPssUsingSha struct {
	// contains filtered or unexported fields
}

RSA with PSS using SHA signing algorithm implementation

func (*RsaPssUsingSha) Name

func (alg *RsaPssUsingSha) Name() string

func (*RsaPssUsingSha) Sign

func (alg *RsaPssUsingSha) Sign(securedInput []byte, key interface{}) (signature []byte, err error)

func (*RsaPssUsingSha) Verify

func (alg *RsaPssUsingSha) Verify(securedInput, signature []byte, key interface{}) error

type RsaUsingSha

type RsaUsingSha struct {
	// contains filtered or unexported fields
}

RSA using SHA signature algorithm implementation

func (*RsaUsingSha) Name

func (alg *RsaUsingSha) Name() string

func (*RsaUsingSha) Sign

func (alg *RsaUsingSha) Sign(securedInput []byte, key interface{}) (signature []byte, err error)

func (*RsaUsingSha) Verify

func (alg *RsaUsingSha) Verify(securedInput, signature []byte, key interface{}) error

Source Files

aes_cbc_hmac.go aes_gcm.go aes_gcm_kw.go aeskw.go deflate.go direct.go ecdh.go ecdh_aeskw.go ecdsa_using_sha.go hmac.go hmac_using_sha.go jose.go pbse2_hmac_aeskw.go plaintext.go rsa_oaep.go rsa_pkcs1v15.go rsa_using_sha.go rsapss_using_sha.go sha.go

Directories

PathSynopsis
aesPackage aes contains provides AES Key Wrap and ECB mode implementations
arraysPackage arrays provides various byte array utilities
base64urlpackage base64url provides base64url encoding/decoding support
compactpackage compact provides function to work with json compact serialization format
kdfpackage kdf contains implementations of various key derivation functions
keys
keys/eccpackage ecc provides helpers for creating elliptic curve leys
keys/rsapackage Rsa provides helpers for creating rsa leys
paddingpackage padding provides various padding algorithms
sec_test
Version
v1.8.0 (latest)
Published
Nov 12, 2024
Platform
linux/amd64
Imports
26 packages
Last checked
4 days ago

Tools for package owners.