Documentation

Index

Constants

View Source
const (
	RSA1_5             = KeyAlgorithm("RSA1_5")             // RSA-PKCS1v1.5
	RSA_OAEP           = KeyAlgorithm("RSA-OAEP")           // RSA-OAEP-SHA1
	RSA_OAEP_256       = KeyAlgorithm("RSA-OAEP-256")       // RSA-OAEP-SHA256
	A128KW             = KeyAlgorithm("A128KW")             // AES key wrap (128)
	A192KW             = KeyAlgorithm("A192KW")             // AES key wrap (192)
	A256KW             = KeyAlgorithm("A256KW")             // AES key wrap (256)
	DIRECT             = KeyAlgorithm("dir")                // Direct encryption
	ECDH_ES            = KeyAlgorithm("ECDH-ES")            // ECDH-ES
	ECDH_ES_A128KW     = KeyAlgorithm("ECDH-ES+A128KW")     // ECDH-ES + AES key wrap (128)
	ECDH_ES_A192KW     = KeyAlgorithm("ECDH-ES+A192KW")     // ECDH-ES + AES key wrap (192)
	ECDH_ES_A256KW     = KeyAlgorithm("ECDH-ES+A256KW")     // ECDH-ES + AES key wrap (256)
	A128GCMKW          = KeyAlgorithm("A128GCMKW")          // AES-GCM key wrap (128)
	A192GCMKW          = KeyAlgorithm("A192GCMKW")          // AES-GCM key wrap (192)
	A256GCMKW          = KeyAlgorithm("A256GCMKW")          // AES-GCM key wrap (256)
	PBES2_HS256_A128KW = KeyAlgorithm("PBES2-HS256+A128KW") // PBES2 + HMAC-SHA256 + AES key wrap (128)
	PBES2_HS384_A192KW = KeyAlgorithm("PBES2-HS384+A192KW") // PBES2 + HMAC-SHA384 + AES key wrap (192)
	PBES2_HS512_A256KW = KeyAlgorithm("PBES2-HS512+A256KW") // PBES2 + HMAC-SHA512 + AES key wrap (256)
)

    Key management algorithms

    View Source
    const (
    	HS256 = "HS256" // HMAC using SHA-256
    	HS384 = "HS384" // HMAC using SHA-384
    	HS512 = "HS512" // HMAC using SHA-512
    	RS256 = "RS256" // RSASSA-PKCS-v1.5 using SHA-256
    	RS384 = "RS384" // RSASSA-PKCS-v1.5 using SHA-384
    	RS512 = "RS512" // RSASSA-PKCS-v1.5 using SHA-512
    	ES256 = "ES256" // ECDSA using P-256 and SHA-256
    	ES384 = "ES384" // ECDSA using P-384 and SHA-384
    	ES512 = "ES512" // ECDSA using P-521 and SHA-512
    	PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
    	PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
    	PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
    	EdDSA = "EdDSA" // Ed25591
    )

      Signature algorithms

      View Source
      const (
      	A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128)
      	A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192)
      	A256CBC_HS512 = ContentEncryption("A256CBC-HS512") // AES-CBC + HMAC-SHA512 (256)
      	A128GCM       = ContentEncryption("A128GCM")       // AES-GCM (128)
      	A192GCM       = ContentEncryption("A192GCM")       // AES-GCM (192)
      	A256GCM       = ContentEncryption("A256GCM")       // AES-GCM (256)
      )

        Content encryption algorithms

        View Source
        const (
        	P256 = "P-256" // P-256 curve (FIPS 186-3)
        	P384 = "P-384" // P-384 curve (FIPS 186-3)
        	P521 = "P-521" // P-521 curve (FIPS 186-3)
        )

          Elliptic curves

          View Source
          const (
          	EC  = "EC"  // Elliptic curves
          	RSA = "RSA" // RSA
          	OKP = "OKP" // Ed25519
          	OCT = "oct" // Octet sequence
          )

            Key types

            View Source
            const (
            	// Key management algorithms
            	DefaultECKeyAlgorithm  = ECDH_ES
            	DefaultRSAKeyAlgorithm = RSA_OAEP_256
            	DefaultOctKeyAlgorithm = A256GCMKW
            	// Signature algorithms
            	DefaultRSASigAlgorithm  = RS256
            	DefaultOctSigsAlgorithm = HS256
            	// Content encryption algorithm
            	DefaultEncAlgorithm = A256GCM
            )

              Default key management, signature, and content encryption algorithms to use if none is specified.

              View Source
              const (
              	DefaultRSASize = 2048
              	DefaultOctSize = 32
              )

                Default sizes

                View Source
                const Ed25519 = "Ed25519"

                  Ed25519 is the EdDSA signature scheme using SHA-512/256 and Curve25519

                  View Source
                  const MaxDecryptTries = 3

                    MaxDecryptTries is the maximum number of attempts to decrypt a file.

                    View Source
                    const PBKDF2Iterations = 100000

                      PBKDF2Iterations is the default number of iterations for PBKDF2, 100k iterations. Nist recommends at least 10k, 1Passsword uses 100k.

                      View Source
                      const PBKDF2SaltSize = 16

                        PBKDF2SaltSize is the default size of the salt for PBKDF2, 128-bit salt.

                        View Source
                        const SupportsPBKDF2 = true

                          SupportsPBKDF2 constant to know if the underlaying library supports password based cryptography algorithms.

                          Variables

                          View Source
                          var ErrCryptoFailure = jose.ErrCryptoFailure

                            ErrCryptoFailure indicates an error in a cryptographic primitive.

                            View Source
                            var ErrExpired = jwt.ErrExpired

                              ErrExpired indicates that token is used after expiry time indicated in exp claim.

                              View Source
                              var ErrInvalidAudience = jwt.ErrInvalidAudience

                                ErrInvalidAudience indicated invalid aud claim.

                                View Source
                                var ErrInvalidID = jwt.ErrInvalidID

                                  ErrInvalidID indicates invalid jti claim.

                                  View Source
                                  var ErrInvalidIssuer = jwt.ErrInvalidIssuer

                                    ErrInvalidIssuer indicates invalid iss claim.

                                    View Source
                                    var ErrInvalidSubject = jwt.ErrInvalidSubject

                                      ErrInvalidSubject indicates invalid sub claim.

                                      View Source
                                      var ErrNotValidYet = jwt.ErrNotValidYet

                                        ErrNotValidYet indicates that token is used before time indicated in nbf claim.

                                        View Source
                                        var X5cInsecureKey = "x5cInsecure"

                                          X5cInsecureKey is the key used to store the x5cInsecure cert chain in the JWT header.

                                          Functions

                                          func Decrypt

                                          func Decrypt(prompt string, data []byte, opts ...Option) ([]byte, error)

                                            Decrypt returns the decrypted version of the given data if it's encrypted, it will return the raw data if it's not encrypted or the format is not valid.

                                            func GenerateDefaultKeyPair

                                            func GenerateDefaultKeyPair(pass []byte) (*JSONWebKey, *JSONWebEncryption, error)

                                              GenerateDefaultKeyPair generates an asymmetric public/private key pair. Returns the public key as a JWK and the private key as an encrypted JWE.

                                              func GetX5cInsecureHeader

                                              func GetX5cInsecureHeader(jwt *JSONWebToken) ([]*x509.Certificate, error)

                                                GetX5cInsecureHeader extracts the x5cInsecure certificate chain from the token.

                                                func IsAsymmetric

                                                func IsAsymmetric(k *JSONWebKey) bool

                                                  Determine whether a JSONWebKey is asymmetric

                                                  func IsSymmetric

                                                  func IsSymmetric(k *JSONWebKey) bool

                                                    Determine whether a JSONWebKey is symmetric

                                                    func ParseKeySet

                                                    func ParseKeySet(filename string, opts ...Option) (*jose.JSONWebKey, error)

                                                      ParseKeySet returns the JWK with the given key after parsing a JWKSet from a given file. func ParseKeySet(filename, alg, kid string, isSubtle bool) (*jose.JSONWebKey, error) {

                                                      func ReadJWKSet

                                                      func ReadJWKSet(filename string) ([]byte, error)

                                                        ReadJWKSet reads a JWK Set from a URL or filename. URLs must start with "https://".

                                                        func Thumbprint

                                                        func Thumbprint(jwk *JSONWebKey) (string, error)

                                                          Thumbprint computes the JWK Thumbprint of a key using SHA256 as the hash algorithm. It returns the hash encoded in the Base64 raw url encoding.

                                                          func TrimPrefix

                                                          func TrimPrefix(err error) error

                                                            TrimPrefix removes the string "square/go-jose" from all errors.

                                                            func ValidateJWK

                                                            func ValidateJWK(jwk *JSONWebKey) error

                                                              ValidateJWK validates the given JWK.

                                                              func ValidateSSHPOP

                                                              func ValidateSSHPOP(certFile string, key interface{}) (string, error)

                                                                ValidateSSHPOP validates the given SSH certificate and key for use in an sshpop header.

                                                                func ValidateX5C

                                                                func ValidateX5C(certFile string, key interface{}) ([]string, error)

                                                                  ValidateX5C validates the given certificate chain and key for use as a token signer and x5t header.

                                                                  func ValidateX5T

                                                                  func ValidateX5T(certFile string, key interface{}) (string, error)

                                                                    ValidateX5T validates the given certificate and key for use as a token signer and x5t header.

                                                                    Types

                                                                    type Audience

                                                                    type Audience = jwt.Audience

                                                                      Audience represents the recipients that the token is intended for.

                                                                      type Builder

                                                                      type Builder = jwt.Builder

                                                                        Builder is a utility for making JSON Web Tokens. Calls can be chained, and errors are accumulated until the final call to CompactSerialize/FullSerialize.

                                                                        func Signed

                                                                        func Signed(sig Signer) Builder

                                                                          Signed creates builder for signed tokens.

                                                                          type Claims

                                                                          type Claims = jwt.Claims

                                                                            Claims represents public claim values (as specified in RFC 7519).

                                                                            type ContentEncryption

                                                                            type ContentEncryption = jose.ContentEncryption

                                                                              ContentEncryption represents a content encryption algorithm.

                                                                              type ContentType

                                                                              type ContentType = jose.ContentType

                                                                                ContentType represents type of the contained data.

                                                                                type Encrypter

                                                                                type Encrypter = jose.Encrypter

                                                                                  Encrypter represents an encrypter which produces an encrypted JWE object.

                                                                                  func NewEncrypter

                                                                                  func NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions) (Encrypter, error)

                                                                                    NewEncrypter creates an appropriate encrypter based on the key type.

                                                                                    type EncrypterOptions

                                                                                    type EncrypterOptions = jose.EncrypterOptions

                                                                                      EncrypterOptions represents options that can be set on new encrypters.

                                                                                      type Expected

                                                                                      type Expected = jwt.Expected

                                                                                        Expected defines values used for protected claims validation. If field has zero value then validation is skipped.

                                                                                        type Header = jose.Header

                                                                                          Header represents the read-only JOSE header for JWE/JWS objects.

                                                                                          type HeaderKey

                                                                                          type HeaderKey = jose.HeaderKey

                                                                                            HeaderKey represents the type used as a key in the protected header of a JWS object.

                                                                                            type JSONWebEncryption

                                                                                            type JSONWebEncryption = jose.JSONWebEncryption

                                                                                              JSONWebEncryption represents an encrypted JWE object after parsing.

                                                                                              func EncryptJWK

                                                                                              func EncryptJWK(jwk *JSONWebKey) (*JSONWebEncryption, error)

                                                                                                EncryptJWK returns the given JWK encrypted with the default encryption algorithm (PBES2-HS256+A128KW).

                                                                                                func ParseEncrypted

                                                                                                func ParseEncrypted(input string) (*JSONWebEncryption, error)

                                                                                                  ParseEncrypted parses an encrypted message in compact or full serialization format.

                                                                                                  type JSONWebKey

                                                                                                  type JSONWebKey = jose.JSONWebKey

                                                                                                    JSONWebKey represents a public or private key in JWK format.

                                                                                                    func GenerateJWK

                                                                                                    func GenerateJWK(kty, crv, alg, use, kid string, size int) (jwk *JSONWebKey, err error)

                                                                                                      GenerateJWK generates a JWK given the key type, curve, alg, use, kid and the size of the RSA or oct keys if necessary.

                                                                                                      func GenerateJWKFromPEM

                                                                                                      func GenerateJWKFromPEM(filename string, subtle bool) (*JSONWebKey, error)

                                                                                                        GenerateJWKFromPEM returns an incomplete JSONWebKey using the key from a PEM file.

                                                                                                        func ParseKey

                                                                                                        func ParseKey(filename string, opts ...Option) (*JSONWebKey, error)

                                                                                                          ParseKey returns a JSONWebKey from the given JWK file or a PEM file. For password protected keys, it will ask the user for a password. func ParseKey(filename, use, alg, kid string, subtle bool) (*JSONWebKey, error) {

                                                                                                          type JSONWebKeySet

                                                                                                          type JSONWebKeySet = jose.JSONWebKeySet

                                                                                                            JSONWebKeySet represents a JWK Set object.

                                                                                                            type JSONWebSignature

                                                                                                            type JSONWebSignature = jose.JSONWebSignature

                                                                                                              JSONWebSignature represents a signed JWS object after parsing.

                                                                                                              func ParseJWS

                                                                                                              func ParseJWS(s string) (*JSONWebSignature, error)

                                                                                                                ParseJWS parses a signed message in compact or full serialization format.

                                                                                                                type JSONWebToken

                                                                                                                type JSONWebToken = jwt.JSONWebToken

                                                                                                                  JSONWebToken represents a JSON Web Token (as specified in RFC7519).

                                                                                                                  func ParseSigned

                                                                                                                  func ParseSigned(s string) (*JSONWebToken, error)

                                                                                                                    ParseSigned parses token from JWS form.

                                                                                                                    func ParseX5cInsecure

                                                                                                                    func ParseX5cInsecure(tok string, roots []*x509.Certificate) (*JSONWebToken, [][]*x509.Certificate, error)

                                                                                                                      ParseX5cInsecure parses an x5cInsecure token, validates the certificate chain in the token, and returns the JWT struct along with all the verified chains.

                                                                                                                      type KeyAlgorithm

                                                                                                                      type KeyAlgorithm = jose.KeyAlgorithm

                                                                                                                        KeyAlgorithm represents a key management algorithm.

                                                                                                                        type NumericDate

                                                                                                                        type NumericDate = jwt.NumericDate

                                                                                                                          NumericDate represents date and time as the number of seconds since the epoch, including leap seconds. Non-integer values can be represented in the serialized format, but we round to the nearest second.

                                                                                                                          func NewNumericDate

                                                                                                                          func NewNumericDate(t time.Time) *NumericDate

                                                                                                                            NewNumericDate constructs NumericDate from time.Time value.

                                                                                                                            func UnixNumericDate

                                                                                                                            func UnixNumericDate(s int64) *NumericDate

                                                                                                                              UnixNumericDate returns a NumericDate from the given seconds since the UNIX Epoch time. For backward compatibility is s is 0, a nil value will be returned.

                                                                                                                              type Option

                                                                                                                              type Option func(ctx *context) error

                                                                                                                                Option is the type used to add attributes to the context.

                                                                                                                                func WithAlg

                                                                                                                                func WithAlg(alg string) Option

                                                                                                                                  WithAlg adds the alg claim to the context.

                                                                                                                                  func WithInsecure

                                                                                                                                  func WithInsecure(insecure bool) Option

                                                                                                                                    WithInsecure marks the context as insecure.

                                                                                                                                    func WithKid

                                                                                                                                    func WithKid(kid string) Option

                                                                                                                                      WithKid adds the kid property to the context.

                                                                                                                                      func WithNoDefaults

                                                                                                                                      func WithNoDefaults(val bool) Option

                                                                                                                                        WithNoDefaults avoids that the parser loads defaults values, specially the default algorithms.

                                                                                                                                        func WithPassword

                                                                                                                                        func WithPassword(pass []byte) Option

                                                                                                                                          WithPassword is a method that adds the given password to the context.

                                                                                                                                          func WithPasswordFile

                                                                                                                                          func WithPasswordFile(filename string) Option

                                                                                                                                            WithPasswordFile is a method that adds the password in a file to the context.

                                                                                                                                            func WithSubtle

                                                                                                                                            func WithSubtle(subtle bool) Option

                                                                                                                                              WithSubtle marks the context as subtle.

                                                                                                                                              func WithUIOptions

                                                                                                                                              func WithUIOptions(opts ...ui.Option) Option

                                                                                                                                                WithUIOptions adds UI package options to the password prompts.

                                                                                                                                                func WithUse

                                                                                                                                                func WithUse(use string) Option

                                                                                                                                                  WithUse adds the use claim to the context.

                                                                                                                                                  type Recipient

                                                                                                                                                  type Recipient = jose.Recipient

                                                                                                                                                    Recipient represents an algorithm/key to encrypt messages to.

                                                                                                                                                    type Signature

                                                                                                                                                    type Signature = jose.Signature

                                                                                                                                                      Signature represents a signature.

                                                                                                                                                      type SignatureAlgorithm

                                                                                                                                                      type SignatureAlgorithm = jose.SignatureAlgorithm

                                                                                                                                                        SignatureAlgorithm represents a signature (or MAC) algorithm.

                                                                                                                                                        type Signer

                                                                                                                                                        type Signer = jose.Signer

                                                                                                                                                          Signer represents a signer which takes a payload and produces a signed JWS object.

                                                                                                                                                          func NewSigner

                                                                                                                                                          func NewSigner(sig SigningKey, opts *SignerOptions) (Signer, error)

                                                                                                                                                            NewSigner creates an appropriate signer based on the key type

                                                                                                                                                            type SignerOptions

                                                                                                                                                            type SignerOptions = jose.SignerOptions

                                                                                                                                                              SignerOptions represents options that can be set when creating signers.

                                                                                                                                                              type SigningKey

                                                                                                                                                              type SigningKey = jose.SigningKey

                                                                                                                                                                SigningKey represents an algorithm/key used to sign a message.