gose

package module
v0.8.7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 19, 2021 License: MIT Imports: 29 Imported by: 1

README

Build Status

GOSE - JOSE and friends for the Go developer

Overview

GOSE is JOSE/JWT/JWK/JWS/JWKS implemented in Go with Helpers, and examples.

It contains implementations of the JOSE suite of types and helpers for many different use cases.

Mission

  • Simple
  • Compliant
  • Safe
  • Efficient
  • Extensible

Examples

Examples are provided under the /examples folder to illustrate correct use of this package.

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidKey               = errors.New("invalid jwk")
	ErrInvalidKeyType           = errors.New("invalid jwk type")
	ErrUnsupportedKeyType       = errors.New("unsupported jwk type")
	ErrInvalidSigningKeyURL     = errors.New("invalid signing jwk url")
	ErrInvalidOperations        = errors.New("the jwk is invalid in this context")
	ErrInvalidCertificateHeader = errors.New("invalid certificate header")
	ErrUnknownKey               = errors.New("unknown jwk")
	ErrInvalidSignature         = errors.New("invalid signature")
	ErrInconsistentKeyValues    = errors.New("inconsistent jwk values")
	ErrInvalidKeyLength         = errors.New("invalid jwk length")
	ErrHashUnavailable          = errors.New("hash unavailable")

	// RSA errors
	ErrInvalidExponentEncoding error = &InvalidFormat{"invalid exponent encoding"}
	ErrInvalidExponent               = errors.New("invalid exponent value")
	ErrInvalidModulusEncoding  error = &InvalidFormat{"invalid modulus encoding"}

	//EC errors
	ErrInvalidXEncoding error = &InvalidFormat{("Invalid X encoding")}
	ErrInvalidYEncoding error = &InvalidFormat{("Invalid Y encoding")}

	//GCM errors
	ErrInvalidNonce = errors.New("invalid nonce")

	// JOSE errors
	ErrInvalidJwsCompactEncoding         error = &InvalidFormat{"invalid jws compact encoding"}
	ErrInvalidJwsBase64HeaderEncoding    error = &InvalidFormat{"invalid base64 jws header encoding"}
	ErrInvalidJwsHeaderEncoding          error = &InvalidFormat{"invalid jws header"}
	ErrInvalidJwsBase64BodyEncoding      error = &InvalidFormat{"invalid base64 jws body encoding"}
	ErrInvalidJwsBase64SignatureEncoding error = &InvalidFormat{"invalid base64 jws signature encoding"}
	ErrInvalidJwkEncoding                error = &InvalidFormat{"invalid jwk encoding"}
	ErrInvalidJwtEncoding                error = &InvalidFormat{"invalid jwt encoding"}
	ErrInvalidJwtTimeframe               error = &InvalidFormat{"invalid jwt time frame"}
	ErrInvalidKid                        error = &InvalidFormat{"invalid key ID"}
	ErrNoExpectedAudience                error = &InvalidFormat{"no expected audience"}
	ErrInvalidDelegateEncoding           error = &InvalidFormat{"invalid delegate encoding"}
	ErrInvalidManifestEncoding           error = &InvalidFormat{"invalid manifest encoding"}
	ErrInvalidKeySize                    error = &InvalidFormat{"invalid jwk size"}
	ErrInvalidAlgorithm                  error = &InvalidFormat{"invalid algorithm"}
	ErrInvalidEncryption                 error = &InvalidFormat{"invalid encryption"}
	ErrZipCompressionNotSupported        error = &InvalidFormat{"zip compression not supported"}
)

Errors.

Functions

func CalculateKeyID 

func CalculateKeyID(jwk jose.Jwk) (string, error)

CalculateKeyID deterministically calculates the ID for the given jwk

func JwkFromPrivateKey 

func JwkFromPrivateKey(privateKey crypto.Signer, operations []jose.KeyOps, certs []*x509.Certificate) (jose.Jwk, error)

JwkFromPrivateKey builds JWK, from a crypto.Signer, with certificates, and scoped to certain operations, or errors

func JwkFromPublicKey 

func JwkFromPublicKey(publicKey crypto.PublicKey, operations []jose.KeyOps, certs []*x509.Certificate) (jose.Jwk, error)

JwkFromPublicKey builds public JWK, from a crypto.Signer, with certificates, and scoped to certain operations, or errors

func JwkFromSymmetric 

func JwkFromSymmetric(key []byte, alg jose.Alg) (jwk *jose.OctSecretKey, err error)

JwkFromSymmetric converts a byte string to a jose.Jwk, given a particular JWK algorithm.

func JwkToString 

func JwkToString(jwk jose.Jwk) (string, error)

JwkToString return JWK as string

func JwtToString added in v0.8.0 

func JwtToString(jwt jose.Jwt) (full string, err error)

JwtToString returns the full string of the Jwt or error

func LoadJwk 

func LoadJwk(reader io.ReadSeeker, required []jose.KeyOps) (jwk jose.Jwk, err error)

LoadJwk load io.ReadSeeker as a JWK or error

func LoadJwkFromFile 

func LoadJwkFromFile(file string, required []jose.KeyOps) (jose.Jwk, error)

LoadJwkFromFile loads file as JWK or error

func LoadJws 

func LoadJws(jws string) (protectedHeader *jose.JwsHeader, header []byte, data []byte, payload []byte, signature []byte, err error)

LoadJws loads signature, or errors

func LoadPrivateKey 

func LoadPrivateKey(jwk jose.Jwk, required []jose.KeyOps) (crypto.Signer, error)

LoadPrivateKey loads the jwk into a crypto.Signer for performing signing operations

func LoadPublicKey 

func LoadPublicKey(jwk jose.Jwk, required []jose.KeyOps) (crypto.PublicKey, error)

LoadPublicKey loads jwk as a public key for cryptographic verification operations.

func LoadSymmetricAEAD 

func LoadSymmetricAEAD(jwk jose.Jwk, required []jose.KeyOps) (a cipher.AEAD, err error)

LoadSymmetricAEAD returns a cipher.AEAD for a jwk.

func PublicFromPrivate 

func PublicFromPrivate(in jose.Jwk) (jose.Jwk, error)

PublicFromPrivate extracts public jwk from private jwk in JWK format

Types

type AesGcmCryptor 

type AesGcmCryptor struct {
	// contains filtered or unexported fields
}

AesGcmCryptor provides AES GCM encryption and decryption functions.

func (*AesGcmCryptor) Algorithm 

func (cryptor *AesGcmCryptor) Algorithm() jose.Alg

Algorithm the supported algorithm

func (*AesGcmCryptor) GenerateNonce 

func (cryptor *AesGcmCryptor) GenerateNonce() ([]byte, error)

GenerateNonce generate a nonce of the correct size for use with GCM encryption/decryption from a random source.

func (*AesGcmCryptor) Kid 

func (cryptor *AesGcmCryptor) Kid() string

Kid the key identity

func (*AesGcmCryptor) Open 

func (cryptor *AesGcmCryptor) Open(operation jose.KeyOps, nonce, ciphertext, aad, tag []byte) (plaintext []byte, err error)

Open decrypt a previously encrypted ciphertext.

func (*AesGcmCryptor) Seal 

func (cryptor *AesGcmCryptor) Seal(operation jose.KeyOps, nonce, plaintext, aad []byte) (ciphertext, tag []byte, err error)

Seal encrypt a supplied plaintext and AAD.

type Algorithmed 

type Algorithmed interface {
	Algorithm() jose.Alg
}

Algorithmed is an interface that exposes which algorithm a type can be used with.

type AsymmetricDecryptionKey added in v0.8.0 

type AsymmetricDecryptionKey interface {
	Key
	Algorithmed
	Decrypt(jose.KeyOps, []byte) ([]byte, error)
	// Encryptor get the matching encryption key.
	Encryptor() (AsymmetricEncryptionKey, error)
}

AsymmetricDecryptionKey provides asymmetric decryption (private key) capabilities.

type AsymmetricDecryptionKeyStore added in v0.8.0 

type AsymmetricDecryptionKeyStore interface {
	Get(kid string) (k AsymmetricDecryptionKey, err error)
}

AsymmetricDecryptionKeyStore provides the ability to access asymmetric decryption keys.

type AsymmetricDecryptionKeyStoreImpl added in v0.8.0 

type AsymmetricDecryptionKeyStoreImpl struct {
	// contains filtered or unexported fields
}

AsymmetricDecryptionKeyStoreImpl implements the AsymmetricDecryptionKeyStore interface providing AsymmetricDecryptionKey lookup capabilities.

func NewAsymmetricDecryptionKeyStoreImpl added in v0.8.0 

func NewAsymmetricDecryptionKeyStoreImpl(keys map[string]AsymmetricDecryptionKey) (*AsymmetricDecryptionKeyStoreImpl, error)

NewAsymmetricDecryptionKeyStoreImpl creates a AsymmetricDecryptionKeyStoreImpl instances with the given keys.

func (*AsymmetricDecryptionKeyStoreImpl) Get added in v0.8.0 

func (a *AsymmetricDecryptionKeyStoreImpl) Get(kid string) (k AsymmetricDecryptionKey, err error)

Get returns a matching AsymmetricDecryptionKey fpr the given Key ID or an error (ErrUnknownKey) if the requested key cannot be found.

type AsymmetricEncryptionKey added in v0.8.0 

type AsymmetricEncryptionKey interface {
	Key
	MarshalableKey
	CertifiableKey
	Algorithmed
	Encrypt(jose.KeyOps, []byte) ([]byte, error)
}

AsymmetricEncryptionKey implements encryption using an asymmetric key.

type AuthenticatedEncryptionKey 

type AuthenticatedEncryptionKey interface {
	Key
	Algorithmed
	// GenerateNonce generates a nonce of the correct size for use in Sealinging operations.
	GenerateNonce() ([]byte, error)
	// Seal the given plaintext returning ciphertext and authentication tag.
	Seal(operation jose.KeyOps, nonce, plaintext, aad []byte) (ciphertext, tag []byte, err error)
	// Open and validate the given ciphertext and tag returning the plaintext.
	Open(operation jose.KeyOps, nonce, ciphertext, aad, tag []byte) (plaintext []byte, err error)
}

AuthenticatedEncryptionKey implements authenticated encryption and decryption.

func NewAesGcmCryptor 

func NewAesGcmCryptor(aead cipher.AEAD, rng io.Reader, kid string, alg jose.Alg, operations []jose.KeyOps) (AuthenticatedEncryptionKey, error)

NewAesGcmCryptor create a new instance of an AesGCmCryptor from the supplied parameters.

func NewAesGcmCryptorFromJwk 

func NewAesGcmCryptorFromJwk(jwk jose.Jwk, required []jose.KeyOps) (AuthenticatedEncryptionKey, error)

NewAesGcmCryptorFromJwk create a new instance of an AesGCmCryptor from a JWK.

type AuthenticatedEncryptionKeyGenerator 

type AuthenticatedEncryptionKeyGenerator struct{}

AuthenticatedEncryptionKeyGenerator can be used to create AuthenticatedEncryptionKeys.

func (*AuthenticatedEncryptionKeyGenerator) Generate 

func (g *AuthenticatedEncryptionKeyGenerator) Generate(alg jose.Alg, operations []jose.KeyOps) (AuthenticatedEncryptionKey, jose.Jwk, error)

Generate generate a Generate and JWK representation.

type CertifiableKey 

type CertifiableKey interface {
	// MarshalPem marshals a key to it's PEM representation.
	MarshalPem() (string, error)
	// Certificates returns the certificate chain for the given key.
	Certificates() []*x509.Certificate
}

CertifiableKey is an interface representing a key that can have an associated certificate and PEM representation.

type ECDSAOptions 

type ECDSAOptions struct {
	Hash crypto.Hash
	// contains filtered or unexported fields
}

ECDSAOptions Implements crypto.SignerOpts

func (*ECDSAOptions) HashFunc 

func (opts *ECDSAOptions) HashFunc() crypto.Hash

HashFunc returns the crypto.Hash

type ECDSASigningKey 

type ECDSASigningKey struct {
	// contains filtered or unexported fields
}

ECDSASigningKey implements ECDSA crypto.SigningKey

func (ECDSASigningKey) Algorithm 

func (signer ECDSASigningKey) Algorithm() jose.Alg

Algorithm returns the jose.Alg for this key

func (*ECDSASigningKey) Certificates 

func (signer *ECDSASigningKey) Certificates() []*x509.Certificate

Certificates returns certificate chain of this key

func (*ECDSASigningKey) Jwk 

func (signer *ECDSASigningKey) Jwk() (jose.Jwk, error)

Jwk returns key as a jose.JWK type, or errors

func (*ECDSASigningKey) Key 

func (signer *ECDSASigningKey) Key() crypto.Signer

Key returns the underlying key used to sign

func (*ECDSASigningKey) Kid 

func (signer *ECDSASigningKey) Kid() string

Kid returns the kid string value

func (*ECDSASigningKey) Marshal 

func (signer *ECDSASigningKey) Marshal() (string, error)

Marshal marshals the key into a compact JWK representation or error

func (*ECDSASigningKey) MarshalPem 

func (signer *ECDSASigningKey) MarshalPem() (p string, err error)

MarshalPem marshals the key into a PEM string or error

func (*ECDSASigningKey) Sign 

func (signer *ECDSASigningKey) Sign(requested jose.KeyOps, data []byte) (signature []byte, err error)

Sign digest and sign the given data. The output signature is encoded as r || s which is different to the standard go crypto interface specification. The serialization format is chosen instead to match that defined in the JSON Web Signature spec https://tools.ietf.org/html/rfc7515#appendix-A.3.1.

func (*ECDSASigningKey) Verifier 

func (signer *ECDSASigningKey) Verifier() (VerificationKey, error)

Verifier get the matching verification key.

type ECDSASigningKeyGenerator 

type ECDSASigningKeyGenerator struct {
}

ECDSASigningKeyGenerator handles generating an ECDSA signing key

func (*ECDSASigningKeyGenerator) Generate 

func (g *ECDSASigningKeyGenerator) Generate(alg jose.Alg, operations []jose.KeyOps) (SigningKey, error)

Generate an ECDSA key using a given algorithm, and scoped to certain jwk operations.

type ECVerificationKeyImpl 

type ECVerificationKeyImpl struct {
	// contains filtered or unexported fields
}

ECVerificationKeyImpl implements the ECDSA Verification Logic

func (*ECVerificationKeyImpl) Algorithm 

func (verifier *ECVerificationKeyImpl) Algorithm() jose.Alg

Algorithm return algorithm

func (*ECVerificationKeyImpl) Certificates 

func (verifier *ECVerificationKeyImpl) Certificates() []*x509.Certificate

Certificates returns the certs for this key

func (*ECVerificationKeyImpl) Jwk 

func (verifier *ECVerificationKeyImpl) Jwk() (jose.Jwk, error)

Jwk returns the key as a jose.JWK type, or error

func (*ECVerificationKeyImpl) Kid 

func (verifier *ECVerificationKeyImpl) Kid() string

Kid returns the key's id

func (*ECVerificationKeyImpl) Marshal 

func (verifier *ECVerificationKeyImpl) Marshal() (string, error)

Marshal marshals the key into a compact JWK string, or error

func (*ECVerificationKeyImpl) MarshalPem 

func (verifier *ECVerificationKeyImpl) MarshalPem() (string, error)

MarshalPem marshals the key as a PEM formatted string, or error

func (*ECVerificationKeyImpl) Verify 

func (verifier *ECVerificationKeyImpl) Verify(operation jose.KeyOps, data []byte, signature []byte) bool

Verify signed data matches signature and jwk The input signature is encoded as r || s which is different to the standard go crypto interface specification. The serialization format is chosen instead to match that defined in the JSON Web Signature spec https://tools.ietf.org/html/rfc7515#appendix-A.3.1.

type InvalidFormat 

type InvalidFormat struct {
	// contains filtered or unexported fields
}

InvalidFormat is an interface for handling invalid format errors

func (*InvalidFormat) Error 

func (err *InvalidFormat) Error() string

type JweDecryptor 

type JweDecryptor interface {
	Decrypt(jwe string) (plaintext, aad []byte, err error)
}

JweDecryptor implements decryption and verification of a given ciphertext and aad to a plaintext as defined by https://tools.ietf.org/html/rfc7516.

type JweDirectDecryptorImpl 

type JweDirectDecryptorImpl struct {
	// contains filtered or unexported fields
}

JweDirectDecryptorImpl is a concrete implementation of the JweDirectDecryptor interface.

func NewJweDirectDecryptorImpl 

func NewJweDirectDecryptorImpl(keys []AuthenticatedEncryptionKey) *JweDirectDecryptorImpl

NewJweDirectDecryptorImpl create a new instance of a JweDirectDecryptorImpl.

func (*JweDirectDecryptorImpl) Decrypt 

func (decryptor *JweDirectDecryptorImpl) Decrypt(jwe string) (plaintext, aad []byte, err error)

Decrypt and verify the given JWE returning both the plaintext and AAD.

type JweDirectEncryptionEncryptorImpl 

type JweDirectEncryptionEncryptorImpl struct {
	// contains filtered or unexported fields
}

JweDirectEncryptionEncryptorImpl implementation of JweDirectEncryptionEncryptor interface.

func NewJweDirectEncryptorImpl 

func NewJweDirectEncryptorImpl(key AuthenticatedEncryptionKey, externalIV bool) *JweDirectEncryptionEncryptorImpl

NewJweDirectEncryptorImpl construct an instance of a JweDirectEncryptionEncryptorImpl.

func (*JweDirectEncryptionEncryptorImpl) Encrypt 

func (encryptor *JweDirectEncryptionEncryptorImpl) Encrypt(plaintext, aad []byte) (string, error)

Encrypt encrypt and authenticate the given plaintext and AAD returning a compact JWE.

type JweEncryptor 

type JweEncryptor interface {
	Encrypt(plaintext, aad []byte) (string, error)
}

JweEncryptor implements encryption of arbitary plaintext into a compact JWE as defined by https://tools.ietf.org/html/rfc7516.

type JweRsaKeyEncryptionDecryptorImpl added in v0.8.0 

type JweRsaKeyEncryptionDecryptorImpl struct {
	// contains filtered or unexported fields
}

JweRsaKeyEncryptionDecryptorImpl implements RSA Key Encryption CEK mode.

func NewJweRsaKeyEncryptionDecryptorImpl added in v0.8.0 

func NewJweRsaKeyEncryptionDecryptorImpl(keystore AsymmetricDecryptionKeyStore) *JweRsaKeyEncryptionDecryptorImpl

NewJweRsaKeyEncryptionDecryptorImpl creates an instance of JweRsaKeyEncryptionDecryptorImpl with the given keystore.

func (*JweRsaKeyEncryptionDecryptorImpl) Decrypt added in v0.8.0 

func (d *JweRsaKeyEncryptionDecryptorImpl) Decrypt(jwe string) (plaintext, aad []byte, err error)

Decrypt decrypts the given JWE returning the contained plaintext and any additional authentic associated data.

type JweRsaKeyEncryptionEncryptorImpl added in v0.8.0 

type JweRsaKeyEncryptionEncryptorImpl struct {
	// contains filtered or unexported fields
}

JweRsaKeyEncryptionEncryptorImpl implements RSA Key Encryption CEK mode.

func NewJweRsaKeyEncryptionEncryptorImpl added in v0.8.0 

func NewJweRsaKeyEncryptionEncryptorImpl(recipient jose.Jwk, contentEncryptionAlg jose.Alg) (*JweRsaKeyEncryptionEncryptorImpl, error)

NewJweRsaKeyEncryptionEncryptorImpl returns an instance of JweRsaKeyEncryptionEncryptorImpl configured with the given JWK.

func (*JweRsaKeyEncryptionEncryptorImpl) Encrypt added in v0.8.0 

func (e *JweRsaKeyEncryptionEncryptorImpl) Encrypt(plaintext, aad []byte) (string, error)

Encrypt encrypts the given plaintext into a compact JWE. Optional authenticated data can be included which is appended to the JWE protected header.

type JwksTrustStore 

type JwksTrustStore struct {
	// contains filtered or unexported fields
}

JwksTrustStore is an implementation of the TrustStore interface and can be used for accessing VerificationKeys.

func NewJwksKeyStore 

func NewJwksKeyStore(issuerList, url string) *JwksTrustStore

NewJwksKeyStore creates a new instance of a TrustStore and can be used to load verification keys.

func (*JwksTrustStore) Add 

func (store *JwksTrustStore) Add(issuer string, jwk jose.Jwk) error

Add this method is not supported on a JwksTrustStore instance and will always return an error.

func (*JwksTrustStore) Get 

func (store *JwksTrustStore) Get(issuer, kid string) (vk VerificationKey, err error)

Get returns a verification key for the given issuer and key id. If no key is found nil is returned.

func (*JwksTrustStore) Remove 

func (store *JwksTrustStore) Remove(issuer, kid string) bool

Remove this method is not supported on a JwksTrustStore instance and will always return false.

type JwtSigner 

type JwtSigner interface {
	// Issuer returns the identity of the issuing authority
	Issuer() string
	// Sign signs a set of claims returning a serialized JWT.
	Sign(claims *jose.SettableJwtClaims, untyped map[string]interface{}) (string, error)
}

JwtSigner implements generation of signed compact JWTs as defined by https://tools.ietf.org/html/rfc7519.

type JwtSignerImpl 

type JwtSignerImpl struct {
	// contains filtered or unexported fields
}

JwtSignerImpl JWT implementation

func NewJwtSigner 

func NewJwtSigner(issuer string, key SigningKey) *JwtSignerImpl

NewJwtSigner returns a JWT Signer for a issuer and jwk

func (*JwtSignerImpl) Issuer 

func (signer *JwtSignerImpl) Issuer() string

Issuer returns issuer of JWT

func (*JwtSignerImpl) Sign 

func (signer *JwtSignerImpl) Sign(claims *jose.SettableJwtClaims, untyped map[string]interface{}) (string, error)

Sign claims to a JWT string

type JwtVerifier 

type JwtVerifier interface {
	// Verify verifies a JWT is a valid jwt where the caller can specify a number of allowable audiences.
	Verify(jwt string, audience []string) (kid string, claims *jose.JwtClaims, err error)
}

JwtVerifier implements verification of signed compact JWTs as defined by https://tools.ietf.org/html/rfc7519.

type JwtVerifierImpl 

type JwtVerifierImpl struct {
	// contains filtered or unexported fields
}

JwtVerifierImpl implements the JWT Verification API

func NewJwtVerifier 

func NewJwtVerifier(ks TrustStore) *JwtVerifierImpl

NewJwtVerifier creates a JWT Verifier for a given truststore

func (*JwtVerifierImpl) Verify 

func (verifier *JwtVerifierImpl) Verify(jwt string, audience []string) (kid string, claims *jose.JwtClaims, err error)

Verify the jwt and audience is valid

type Key 

type Key interface {
	// Kid returns the identity of the key.
	Kid() string
}

Key is an interface representing a cryptographic key.

type MarshalableKey 

type MarshalableKey interface {
	// Jwk returns the Key as a JSON Web Key.
	Jwk() (jose.Jwk, error)
	// Marshal marshals a key to it's compact JWK string representation.
	Marshal() (string, error)
}

MarshalableKey is an interface representing a key that can be marshaled into a JWK.

type RsaKeyDecryptionKeyGenerator added in v0.8.0 

type RsaKeyDecryptionKeyGenerator struct {
}

RsaKeyDecryptionKeyGenerator handles generating a RSA encryption keys

func (*RsaKeyDecryptionKeyGenerator) Generate added in v0.8.0 

func (generator *RsaKeyDecryptionKeyGenerator) Generate(alg jose.Alg, bitLen int, operations []jose.KeyOps) (AsymmetricDecryptionKey, error)

Generate an RSA key using a given algorithm, length, and scope to certain jwk operations.

type RsaPrivateKeyImpl added in v0.8.0 

type RsaPrivateKeyImpl struct {
	// contains filtered or unexported fields
}

RsaPrivateKeyImpl provides software based signing and decryption capabilities for use during JWT and JWE processing.

func NewRsaDecryptionKey added in v0.8.0 

func NewRsaDecryptionKey(jwk jose.Jwk) (*RsaPrivateKeyImpl, error)

NewRsaDecryptionKey returns a new instance of RsaPrivateKeyImpl configured using he given JWK.

func (*RsaPrivateKeyImpl) Algorithm added in v0.8.0 

func (rsaKey *RsaPrivateKeyImpl) Algorithm() jose.Alg

Algorithm returns the Algorithm

func (*RsaPrivateKeyImpl) Certificates added in v0.8.0 

func (rsaKey *RsaPrivateKeyImpl) Certificates() []*x509.Certificate

Certificates of signing key

func (*RsaPrivateKeyImpl) Decrypt added in v0.8.0 

func (rsaKey *RsaPrivateKeyImpl) Decrypt(requested jose.KeyOps, ciphertext []byte) ([]byte, error)

Decrypt decrypt the given ciphertext returning the derived plaintext.

func (*RsaPrivateKeyImpl) Encryptor added in v0.8.0 

func (rsaKey *RsaPrivateKeyImpl) Encryptor() (AsymmetricEncryptionKey, error)

Encryptor get encryption key

func (*RsaPrivateKeyImpl) Jwk added in v0.8.0 

func (rsaKey *RsaPrivateKeyImpl) Jwk() (jose.Jwk, error)

Jwk returns the JWK

func (*RsaPrivateKeyImpl) Key added in v0.8.0 

func (rsaKey *RsaPrivateKeyImpl) Key() crypto.Signer

Key returns the underlying crypto.Signer implementation.

func (*RsaPrivateKeyImpl) Kid added in v0.8.0 

func (rsaKey *RsaPrivateKeyImpl) Kid() string

Kid returns the jwk id

func (*RsaPrivateKeyImpl) Marshal added in v0.8.0 

func (rsaKey *RsaPrivateKeyImpl) Marshal() (string, error)

Marshal marshal the key to a JWK string, or error

func (*RsaPrivateKeyImpl) MarshalPem added in v0.8.0 

func (rsaKey *RsaPrivateKeyImpl) MarshalPem() (string, error)

MarshalPem marshal the key to a PEM string, or error

func (*RsaPrivateKeyImpl) Operations added in v0.8.0 

func (rsaKey *RsaPrivateKeyImpl) Operations() []jose.KeyOps

Operations returns the allowed operations for the SigningKey

func (*RsaPrivateKeyImpl) Sign added in v0.8.0 

func (rsaKey *RsaPrivateKeyImpl) Sign(requested jose.KeyOps, data []byte) ([]byte, error)

Sign perform signing operations on data, or error

func (*RsaPrivateKeyImpl) Verifier added in v0.8.0 

func (rsaKey *RsaPrivateKeyImpl) Verifier() (VerificationKey, error)

Verifier verification key for signing jwk

type RsaPublicKeyImpl added in v0.8.0 

type RsaPublicKeyImpl struct {
	// contains filtered or unexported fields
}

RsaPublicKeyImpl implements RSA verification and encryption APIs

func NewRsaPublicKeyImpl added in v0.8.0 

func NewRsaPublicKeyImpl(jwk jose.Jwk) (*RsaPublicKeyImpl, error)

NewRsaPublicKeyImpl create a new RsaPublicKeyImpl instance.

func (*RsaPublicKeyImpl) Algorithm added in v0.8.0 

func (k *RsaPublicKeyImpl) Algorithm() jose.Alg

Algorithm returns algorithm

func (*RsaPublicKeyImpl) Certificates added in v0.8.0 

func (k *RsaPublicKeyImpl) Certificates() []*x509.Certificate

Certificates for verification key

func (*RsaPublicKeyImpl) Encrypt added in v0.8.0 

func (k *RsaPublicKeyImpl) Encrypt(requested jose.KeyOps, data []byte) ([]byte, error)

Encrypt encrypts the given plaintext returning the derived ciphertext.

func (*RsaPublicKeyImpl) Jwk added in v0.8.0 

func (k *RsaPublicKeyImpl) Jwk() (jose.Jwk, error)

Jwk returns the public JWK

func (*RsaPublicKeyImpl) Kid added in v0.8.0 

func (k *RsaPublicKeyImpl) Kid() string

Kid returns the key's id

func (*RsaPublicKeyImpl) Marshal added in v0.8.0 

func (k *RsaPublicKeyImpl) Marshal() (string, error)

Marshal returns the key marshalled to a JWK string, or error

func (*RsaPublicKeyImpl) MarshalPem added in v0.8.0 

func (k *RsaPublicKeyImpl) MarshalPem() (string, error)

MarshalPem returns the key marshalled to a PEM string, or error

func (*RsaPublicKeyImpl) Verify added in v0.8.0 

func (k *RsaPublicKeyImpl) Verify(operation jose.KeyOps, data []byte, signature []byte) bool

Verify data matches signature

type RsaSigningKeyGenerator 

type RsaSigningKeyGenerator struct {
}

RsaSigningKeyGenerator handles generating a RSA signing key

func (*RsaSigningKeyGenerator) Generate 

func (generator *RsaSigningKeyGenerator) Generate(alg jose.Alg, bitLen int, operations []jose.KeyOps) (SigningKey, error)

Generate an RSA key using a given algorithm, length, and scope to certain jwk operations.

type SigningKey 

type SigningKey interface {
	Key
	MarshalableKey
	CertifiableKey
	Algorithmed
	// Key returns the underlying key used to sign
	Key() crypto.Signer
	// Sign digest and sign the given data.
	Sign(jose.KeyOps, []byte) ([]byte, error)
	// Verifier get the matching verification key.
	Verifier() (VerificationKey, error)
}

SigningKey interface implementers both digest and signing of data.

func NewSigningKey 

func NewSigningKey(jwk jose.Jwk, required []jose.KeyOps) (SigningKey, error)

NewSigningKey returns a SignignKey for a jose.JWK with required jwk operations

type SigningKeyImpl 

type SigningKeyImpl struct {
	// contains filtered or unexported fields
}

SigningKeyImpl implements a RSA signing key

func (*SigningKeyImpl) Algorithm 

func (signer *SigningKeyImpl) Algorithm() jose.Alg

Algorithm returns the Algorithm

func (*SigningKeyImpl) Certificates 

func (signer *SigningKeyImpl) Certificates() []*x509.Certificate

Certificates of signing key

func (*SigningKeyImpl) Jwk 

func (signer *SigningKeyImpl) Jwk() (jose.Jwk, error)

Jwk returns the JWK

func (*SigningKeyImpl) Key 

func (signer *SigningKeyImpl) Key() crypto.Signer

Key returns the crypto.Signer

func (*SigningKeyImpl) Kid 

func (signer *SigningKeyImpl) Kid() string

Kid returns the jwk id

func (*SigningKeyImpl) Marshal 

func (signer *SigningKeyImpl) Marshal() (string, error)

Marshal marshal the key to a JWK string, or error

func (*SigningKeyImpl) MarshalPem 

func (signer *SigningKeyImpl) MarshalPem() (string, error)

MarshalPem marshal the key to a PEM string, or error

func (*SigningKeyImpl) Operations 

func (signer *SigningKeyImpl) Operations() []jose.KeyOps

Operations returns the allowed operations for the SigningKey

func (*SigningKeyImpl) Sign 

func (signer *SigningKeyImpl) Sign(requested jose.KeyOps, data []byte) ([]byte, error)

Sign perform signing operations on data, or error

func (*SigningKeyImpl) Verifier 

func (signer *SigningKeyImpl) Verifier() (VerificationKey, error)

Verifier verification key for signing jwk

type TrustKeyStoreImpl 

type TrustKeyStoreImpl struct {
	// contains filtered or unexported fields
}

TrustKeyStoreImpl implements the Trust Store API

func NewTrustKeyStore 

func NewTrustKeyStore(rootData map[string]jose.Jwk) (store *TrustKeyStoreImpl, err error)

NewTrustKeyStore loads truststore for map of jose.JWK

func NewTrustKeyStoreFromFile 

func NewTrustKeyStoreFromFile(root string) (store *TrustKeyStoreImpl, err error)

NewTrustKeyStoreFromFile loads truststore for a

func (*TrustKeyStoreImpl) Add 

func (store *TrustKeyStoreImpl) Add(issuer string, jwk jose.Jwk) error

Add add an issuer and JWK to the truststore

func (*TrustKeyStoreImpl) Get 

func (store *TrustKeyStoreImpl) Get(issuer, kid string) (vk VerificationKey, err error)

Get get verification jwk for issuer and jwk id

func (*TrustKeyStoreImpl) Remove 

func (store *TrustKeyStoreImpl) Remove(issuer, kid string) bool

Remove remove JWK for issuer and jwk id

type TrustStore 

type TrustStore interface {
	Add(issuer string, jwk jose.Jwk) error
	Remove(issuer, kid string) bool
	Get(issuer, kid string) (vk VerificationKey, err error)
}

TrustStore provides the ability to manage trusted root public keys for use when verifying cryptographic signatures.

type VerificationKey 

type VerificationKey interface {
	Key
	MarshalableKey
	CertifiableKey
	Algorithmed
	// Verify verifies the operation being performed is supported and
	// that the signature is derived from the data.
	Verify(operation jose.KeyOps, data []byte, signature []byte) bool
}

VerificationKey implements verification of a cryptographic signature.

func NewVerificationKey 

func NewVerificationKey(jwk jose.Jwk) (VerificationKey, error)

NewVerificationKey for jwk or error

Source Files

View all Source files

Directories

Path Synopsis
examples
jwe
jwt

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.