joseUtils

package
v1.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 18, 2023 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

View Source
const (

	// These are set by go-jose and shouldn't need to be set by consumers of the library.
	// HeaderAlgorithm   = "alg"  // string
	// HeaderEncryption  = "enc"  // ContentEncryption
	HeaderCompression = "zip" // CompressionAlgorithm

	HeaderAPU = "apu" // *byteBuffer
	HeaderAPV = "apv" // *byteBuffer
	// HeaderEPK = "epk" // *JSONWebKey
	HeaderIV  = "iv"  // *byteBuffer
	HeaderTag = "tag" // *byteBuffer
	HeaderX5c = "x5c" // []*x509.Certificate

	HeaderJWK = "jwk" // *JSONWebKey
	// HeaderKeyID = "kid"   // string
	HeaderNonce = "nonce" // string
	HeaderB64   = "b64"   // bool

	HeaderP2C = "p2c" // *byteBuffer (int)
	HeaderP2S = "p2s" // *byteBuffer ([]byte)
)

from go-jose header constants

View Source
const (
	// HeaderAlgorithm identifies:
	// For JWS: the cryptographic algorithm used to secure the JWS.
	// For JWE: the cryptographic algorithm used to encrypt or determine the value of the CEK.
	HeaderAlgorithm = "alg" // string

	// HeaderEncryption identifies the JWE content encryption algorithm.
	HeaderEncryption = "enc" // string

	// HeaderJWKSetURL is a URI that refers to a resource for a set of JSON-encoded public keys, one of which:
	// For JWS: corresponds to the key used to digitally sign the JWS.
	// For JWE: corresponds to the public key to which the JWE was encrypted.
	HeaderJWKSetURL = "jku" // string

	// HeaderJSONWebKey is:
	// For JWS: the public key that corresponds to the key used to digitally sign the JWS.
	// For JWE: the public key to which the JWE was encrypted.
	HeaderJSONWebKey = "jwk" // JSON

	// HeaderJSONWebKeySet in UHC is:
	// For JWS: array of public keys that corresponds to the sender's signature and encryption keys.
	// For JWE: do not use here
	HeaderJSONWebKeySet = "jwks" // JSON

	// HeaderKeyID is a hint:
	// For JWS: indicating which key was used to secure the JWS.
	// For JWE: which references the public key to which the JWE was encrypted.
	HeaderKeyID = "kid" // string

	// HeaderSenderKeyID is a hint:
	// For JWS: not used.
	// For JWE: which references the (sender) public key used in the JWE key derivation/wrapping to encrypt the CEK.
	HeaderSenderKeyID = "skid" // string

	// HeaderX509URL is a URI that refers to a resource for the X.509 public key certificate or certificate chain:
	// For JWS: corresponding to the key used to digitally sign the JWS.
	// For JWE: corresponding to the public key to which the JWE was encrypted.
	HeaderX509URL = "x5u"

	// HeaderX509CertificateChain contains the X.509 public key certificate or certificate chain:
	// For JWS: corresponding to the key used to digitally sign the JWS.
	// For JWE: corresponding to the public key to which the JWE was encrypted.
	HeaderX509CertificateChain = "x5c"

	// HeaderX509CertificateDigest (X.509 certificate SHA-1 thumbprint) is a base64url-encoded
	// SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate:
	// For JWS: corresponding to the key used to digitally sign the JWS.
	// For JWE: corresponding to the public key to which the JWE was encrypted.
	HeaderX509CertificateDigestSha1 = "x5t"

	// HeaderX509CertificateDigestSha256 (X.509 certificate SHA-256 thumbprint) is a base64url-encoded SHA-256
	// thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate:
	// For JWS: corresponding to the key used to digitally sign the JWS.
	// For JWE: corresponding to the public key to which the JWE was encrypted.
	HeaderX509CertificateDigestSha256 = "x5t#S256" // string

	// HeaderType is:
	// For JWS: used by JWS applications to declare the media type of this complete JWS.
	// For JWE: used by JWE applications to declare the media type of this complete JWE.
	HeaderType = "typ" // string

	// HeaderContentType is used by JWS applications to declare the media type of:
	// For JWS: the secured content (the payload).
	// For JWE: the secured content (the plaintext).
	HeaderContentType = "cty" // string

	// HeaderCritical indicates that extensions to:
	// For JWS: this JWS header specification and/or JWA are being used that MUST be understood and processed.
	// For JWE: this JWE header specification and/or JWA are being used that MUST be understood and processed.
	HeaderCritical = "crit" // array

	// HeaderEPK is used by JWE applications to wrap/unwrap the CEK for a recipient.
	HeaderEPK = "epk" // JSON
)

from Hyperledger Aries IANA registered JOSE headers (https://tools.ietf.org/html/rfc7515#section-4.1)

View Source
const (
	// HeaderB64 determines whether the payload is represented in the JWS and the JWS Signing
	// Input as ASCII(BASE64URL(JWS Payload)) or as the JWS Payload value itself with no encoding performed.
	HeaderB64Payload = "b64" // bool
	// A256GCMALG is the default content encryption algorithm value as per
	// the JWA specification: https://tools.ietf.org/html/rfc7518#section-5.1
	A256GCMALG = "A256GCM"
	// XC20PALG represents XChacha20Poly1305 content encryption algorithm value.
	XC20PALG = "XC20P"
	// A128CBCHS256ALG represents AES_128_CBC_HMAC_SHA_256 encryption algorithm value.
	A128CBCHS256ALG = "A128CBC-HS256"
	// A192CBCHS384ALG represents AES_192_CBC_HMAC_SHA_384 encryption algorithm value.
	A192CBCHS384ALG = "A192CBC-HS384"
	// A256CBCHS384ALG represents AES_256_CBC_HMAC_SHA_384 encryption algorithm value (not defined in JWA spec above).
	A256CBCHS384ALG = "A256CBC-HS384"
	// A256CBCHS512ALG represents AES_256_CBC_HMAC_SHA_512 encryption algorithm value.
	A256CBCHS512ALG = "A256CBC-HS512"
)

Header defined in https://tools.ietf.org/html/rfc7797

Variables

View Source
var (
	ErrUnsupportedKey   = errors.New("unsupported key")
	ErrCannotCreateData = errors.New("cannot create data")
	ErrCannotGetData    = errors.New("cannot get data")
	ErrSignature        = errors.New("signature error")
)
View Source
var ErrMsgExpired = "validation failed, token is expired (exp)"

ErrMsgExpired indicates that token is used after expiry time indicated in exp claim.

View Source
var ErrMsgInvalidAccessTokenJWT = "invalid access token format"
View Source
var ErrMsgInvalidAudience = "validation failed, invalid audience claim (aud)"

ErrMsgInvalidAudience indicated invalid aud claim.

View Source
var ErrMsgInvalidBearerAccessToken = "invalid bearer access token"
View Source
var ErrMsgInvalidClaims = "expected claims to be value convertible into JSON object"

ErrInvalidClaims indicates that given claims have invalid type.

View Source
var ErrMsgInvalidContentType = "expected content type to be JWT (cty header)"

ErrMsgInvalidContentType indicates that token requires JWT cty header.

View Source
var ErrMsgInvalidDPoPToken = "invalid DPoP token format"
View Source
var ErrMsgInvalidID = "validation failed, invalid ID claim (jti)"

ErrMsgInvalidID indicates invalid jti claim.

View Source
var ErrMsgInvalidIssuer = "validation failed, invalid issuer claim (iss)"

ErrInvalidIssuer indicates invalid iss claim.

View Source
var ErrMsgInvalidRequest = "request is empty or invalid"
View Source
var ErrMsgInvalidResponseType = "invalid response type"
View Source
var ErrMsgInvalidSubject = "validation failed, invalid subject claim (sub)"

ErrMsgInvalidSubject indicates invalid sub claim.

View Source
var ErrMsgIssuedInTheFuture = "validation field, token issued in the future (iat)"

ErrMsgIssuedInTheFuture indicates that the iat field is in the future.

View Source
var ErrMsgMissingDPoP = "missing DPoP token"
View Source
var ErrMsgMissingDecryptionKey = "missing decryption key"
View Source
var ErrMsgMissingSignVerificationKey = "missing signature verification key"
View Source
var ErrMsgNotValidYet = "validation failed, token not valid yet (nbf)"

ErrMsgNotValidYet indicates that token is used before time indicated in nbf claim.

View Source
var ErrMsgUnmarshalAudience = "expected string or array value to unmarshal to AudienceSlice"

ErrMsgUnmarshalAudience indicates that aud claim could not be unmarshalled.

View Source
var ErrMsgUnmarshalNumericDate = "expected number value to unmarshal NumericDate"

ErrMsgUnmarshalNumericDate indicates that JWT NumericDate could not be unmarshalled.

View Source
var GetDataJWT = func(compactJWT *string) *DataJWT {
	partsJWT := GetPartsJWT(compactJWT)
	if partsJWT == nil {
		return nil
	}

	data := GetDataByPartsJWT(partsJWT)
	return data
}

GetDataJWT returns nil or a deserialized JWT with header and payload as JSON data and signature as bytes.

Functions

func CheckNotExpiredDateEpochUNIX

func CheckNotExpiredDateEpochUNIX(timeUNIX int64) bool

CheckNotExpiredDateEpochUNIX returns true if the date is not expired or false if expired

func CheckNotExpiredDateISO

func CheckNotExpiredDateISO(datetime string) bool

CheckNotExpiredDateISO returns true if the date is not expired or false if expired or error

func DeserializeAndDecodeHeadersJWE

func DeserializeAndDecodeHeadersJWE(rawJWE *JWEncryptionRawJSON) (protectedHeaders *map[string]interface{}, unprotectedHeaders *map[string]interface{}, err error)

func GetInflatedDataByCompactJWT

func GetInflatedDataByCompactJWT(compactJWT *string) (headerJSON map[string]interface{}, payloadBytes []byte)

GetInflatedDataByCompactJWT decompress a JWT payload if required and returns payload bytes and header claims or nil if some error

func GetInflatedDataByPartsJWT

func GetInflatedDataByPartsJWT(partsJWT *PartsJWT) (headerJSON map[string]interface{}, payloadBytes []byte)

GetInflatedDataByPartsJWT decompress a JWT payload if required and returns payload bytes and header claims or nil if some error

Types

type AudienceSingle

type AudienceSingle string

AudienceSingle represents one of the recipients that the JWT is intended for.

func (*AudienceSingle) AudienceSingleToString

func (audienceString *AudienceSingle) AudienceSingleToString() string

AudienceSingleToString gets the string

type AudienceSlice

type AudienceSlice []string

AudienceSlice represents the recipients that the JWT is intended for.

func (AudienceSlice) AudienceSliceToString

func (audienceSlice AudienceSlice) AudienceSliceToString(v string) string

AudienceSliceToString joins the array of strings with white space characters in a single string

func (*AudienceSlice) AudienceSliceToStringsArray

func (audienceSlice *AudienceSlice) AudienceSliceToStringsArray() []string

AudienceSliceToStringsArray splits the audience string around each instance of one or more consecutive white space characters

func (AudienceSlice) Contains

func (audienceSlice AudienceSlice) Contains(v string) bool

Contains checks whether a given string is included in the AudienceSlice

type DataJWT

type DataJWT struct {
	Header    Headers                // The protected Header claims
	Payload   map[string]interface{} // JSON Payload claims
	Signature *[]byte                // Signature if already signed
}

func GetDataByPartsJWT

func GetDataByPartsJWT(partsJWT *PartsJWT) *DataJWT

GetDataByPartsJWT decodes and decompress the parts or the JWT and returns DataJWT

func (*DataJWT) CompactUnsignedJWT

func (dataJWT *DataJWT) CompactUnsignedJWT() string

CompactUnsignedJWT method returns an unsigned compact JWT which is an string with the format "base64url(headerBytes).base64url(payloadBytes)." (no signature after the last dot). It creates both the base64url encoded header and payload and concatenates it (empty signature). The last character "." SHALL be removed before doing the signature and then the signature SHALL added (concatenated).

func (*DataJWT) GetIssuer

func (dataJWT *DataJWT) GetIssuer() string

func (*DataJWT) PartsUnsignedJWT

func (dataJWT *DataJWT) PartsUnsignedJWT() *PartsJWT

CreatePartsUnsignedJWT method converts both headers and payload data to RawBase64UrlSafe format to return the encoded parts. (payload is compressed when the "zip" header claim is "DEF") It does not return the signature (nil).

type DecryptedOpenidJWE

type DecryptedOpenidJWE struct {
	ProtectedHeaders   map[string]interface{}
	UnprotectedHeaders map[string]interface{}
	Recipients         []*RecipientJWE
	NestedJWT          DataJWT
}

DecryptedOpenidJWE represents a RAW JSON decrypted JWE.

  • ProtectedHeaders
  • UnprotectedHeaders
  • Recipients
  • NestedJWT: headers, payload and signature (if any)

type HeaderRequestJWE

type HeaderRequestJWE struct {
	// Algorithm ("alg", required) is the cryptographic algorithm used to encrypt (encapsulate) the value of the CEK (Crystals-Kyber).
	Algorithm string `json:"alg,omitempty" bson:"alg,omitempty"`

	// ContentType ("cty", required in UHC) is used to declare the media type of secured content (the "plaintext" encrypted data).
	ContentType string `json:"cty,omitempty" bson:"cty,omitempty"`

	// Encryption ("enc", required) identifies the cryptographic algorithm used to encrypt the data using the CEK (e.g.: *"A256GCM"* for AES data encryption).
	Encryption string `json:"enc,omitempty" bson:"enc,omitempty"` // string

	// JSONWebKey ("jwk", conditional) is the public key to which the JWE was encrypted.
	JSONWebKey *jwkUtils.JWK `json:"jwk,omitempty" bson:"jwk,omitempty"` // JSON

	// JWKSetURL ("jku", conditional) is a URI that refers to a resource for a set of JSON-encoded public keys or the recipient, one of which
	// corresponds to the  public key to which the JWE was encrypted (determined by the recipient's encryption KeyID).
	JWKSetURL *string `json:"jku,omitempty" bson:"jku,omitempty"` // string

	// KeyID ("kid", conditional) indicates the recipient's public key to which the JWE was encrypted.
	KeyID *string `json:"kid,omitempty" bson:"kid,omitempty"`

	// SenderKeyID ("skid", required in UHC) is a hint which references the sender's public encryption key for authenticated encryption.
	SenderKeyID string `json:"skid,omitempty" bson:"skid,omitempty"` // string

	// Type ("typ", required) is used to declare the media type of the complete JWS. It is "jwt" as per the OpenID specification.
	Type string `json:"typ,omitempty" bson:"typ,omitempty"`
}
HeaderRequestJWE contains the JOSE header of an encrypted DIDComm-JAR message
following both JOSE ([RFC7516](https://www.rfc-editor.org/rfc/rfc7516.html#section-4)) and DIDComm specifications:
- the **"typ"** (*required*) field value is *"jwt"*.
- the **"cty"** (*required*) field value is set to *"didcomm-signed+json"* when the plaintext is a nested signed DIDComm message.
- the **"alg"** (*required*) field value identifies the **algorithm used to encrypt (encapsulate) the value of the CEK**.
- the **"enc"** (*required*) field value identifies the **algorithm used to encrypt the data using the CEK** (e.g.: *"A256GCM"* for AES data encryption).
- the **"skid"** (*required*) field value is the sender's public encryption keyID, and it is required in UHC for authenticated encryption.
- the **"kid"** (*conditional*) field value is the recipient's keyID (*kid*) to which the CEK was encrypted, calculated by the JWK Thumbprint of the recipient's public encryption key.
- the **"jku"** (*conditional*) field value is the recipient's JWK Set URL, to get the public key to which the JWE was encrypted by using the *"kid"* field as identifier.
- the **"jwk"** (*conditional*) field value is the recipient's public JWK to which the CEK was encrypted (rather than using both "kid" and "jku").
The main JWE "kid" header claim field is the recipient's public encryption keyID.

Note: *"x5u"* is not used in JAR because the certificate data can be included in the JWK (use the *"jwk"* or *"jku"* fields instead).

todo:

type HeaderRequestJWS

type HeaderRequestJWS struct {
	// Algorithm ("alg") is the cryptographic algorithm used to secure the JWS. MUST NOT be "none".
	Algorithm string `json:"alg,omitempty" bson:"alg,omitempty"`

	// ContentType ("cty") is used to declare the media type of secured content (the payload). It is set to
	ContentType string `json:"cty,omitempty" bson:"cty,omitempty"`

	// JSONWebKeySet ("jwks", optional) contains an array of public keys that corresponds in UHC to the sender's public signature JWK (first) and public encryption JWK (second, it can be already in the JWE "jwk" header).
	JSONWebKeySet *jwkUtils.JWKeySet `json:"jwks,omitempty" bson:"jwks,omitempty"` // JSON

	// KeyID ("kid") indicates which key was used to secure the JWS. It can be already defined in the payload's "client_id" (DID#KID URI).
	KeyID string `json:"kid,omitempty" bson:"kid,omitempty"`

	// To ("to") is the DID Service Endpoint.
	// It should be the same as the payload's "aud" field in case of the Authorization flow
	// or the "htu" field when using a DPoP token bound to an access token.
	To string `json:"to,omitempty" bson:"to,omitempty"`

	// Type ("typ") is used to declare the media type of the complete JWS. It is "jwt" as per the OpenID specification.
	Type string `json:"typ,omitempty" bson:"typ,omitempty"`

	// specifies if the payload bytes are compressed or not
	ZipCompression *string `json:"zip,omitempty" bson:"zip,omitempty"` // CompressionAlgorithm
}

joseUtils.HeaderRequestJWS contains the JOSE header of a signed DIDComm-JAR message. - the **"alg"** field value is the identifier of the digital signature algorithm. MUST NOT be "none". - the **"cty"** field value is set to *"didcomm-signed+json"*. - the "jwks" (optional) field value contains an array of public keys that corresponds in UHC to the sender's public signature JWK (first) and public encryption JWK (second, it can be already in the JWE "jwk" header). - the **"kid"** field value is the keyID (*kid*) calculated by the JWK Thumbprint of the public key used by the issuer. - the **"to"** field value is the DID Service Endpoint. It should be the same as the payload's "aud" field in case of the Authorization flow or the "htu" field when using a DPoP token bound to an access token. - the **"typ"** field value is *"jwt"*. - the "zip" (optional) field value can be "DEF" (deflated, compressed)

type Headers

type Headers map[string]interface{}

Headers represents JOSE headers.

func (Headers) Algorithm

func (h Headers) Algorithm() (string, bool)

Algorithm gets Algorithm from JOSE headers.

func (Headers) ContentType

func (h Headers) ContentType() (string, bool)

ContentType gets the payload content type from JOSE headers.

func (Headers) Encryption

func (h Headers) Encryption() (string, bool)

Encryption gets content encryption algorithm from JOSE headers.

func (Headers) KeyID

func (h Headers) KeyID() (string, bool)

KeyID gets Key ID from JOSE headers.

func (Headers) SenderKeyID

func (h Headers) SenderKeyID() (string, bool)

SenderKeyID gets the sender Key ID from Jose headers.

func (Headers) Type

func (h Headers) Type() (string, bool)

Type gets content encryption type from JOSE headers.

type JWEncryptionGo

type JWEncryptionGo struct {
	ProtectedHeaders   map[string]interface{}
	OrigProtectedHders string                 `json:"protected,omitempty"` // the original protected headers Base64Url encoded
	UnprotectedHeaders map[string]interface{} `json:"unprotected,omitempty"`
	Recipients         []*RecipientJWE        `json:"recipients,omitempty"`
	AAD                string                 `json:"aad,omitempty"`
	IV                 string                 `json:"iv,omitempty"`
	Ciphertext         string                 `json:"ciphertext,omitempty"`
	Tag                string                 `json:"tag,omitempty"`
}

JWEncryptionGo represents a JWE in Go (defined in https://tools.ietf.org/html/rfc7516). OpenID Connect specification mandates to use JWS compact serialization and JWE compact serialization whenever necessary Any JWT must follow compact serialization. A JWS or JWE token following JSON serialization cannot be called as a JWT. In contrast to the JWS compact serialization, the JWS JSON serialization can produce multiple signatures over the same JWS payload along with multiple JOSE headers. JWE COMPACT serialization is built with five key components, each separated by a period (.):

  • 1) JOSE header
  • 2) JWE Encrypted Key (CEK) // recipients list does not exist in compact serialization
  • 3) JWE Initialization Vector (IV)
  • 4) JWE Additional Authentication Data (AAD),
  • 5) JWE Ciphertext and JWE Authentication Tag// The header has the algorithm to encrypt the CEK to the recipients "alg" (Kyber) and the CEK symmetric encryption algorithm "enc" (A256GCM) algorithm.

func DeserializeCompactJWE

func DeserializeCompactJWE(serializedJWE string) (*JWEncryptionGo, error)

DeserializeCompactJWE gets the parts of a compact JWE:

  • ProtectedHeaders as map[string]interface{} (JSON)
  • OrigProtectedHders as Base64Url encoded string
  • UnprotectedHeaders as map[string]interface{} (JSON)
  • Recipients is an array of recipients which contains the encrypted CEK for each recipient (only one recipient is allowed in OpenID).
  • AAD: Additional Authentication Data encoded as Base64Url string.
  • IV (Initialization Vector): nonce / random bytes encoded as Base64Url string.
  • Ciphertext: the stringified and encrypted data bytes, encoded as Base64Url string.
  • Tag: bytes generated by the cipher algorithm, encoded as Base64Url string.

func DeserializeFromRawJWE

func DeserializeFromRawJWE(rawJWE *JWEncryptionRawJSON) (*JWEncryptionGo, error)

func DeserializeJWE

func DeserializeJWE(serializedJWE string) (*JWEncryptionGo, error)

DeserializeJWE deserializes the given serialized JWE into a JWEncryptionGo object.

  • ProtectedHeaders as map[string]interface{} (JSON)
  • OrigProtectedHders as Base64Url encoded string
  • UnprotectedHeaders as map[string]interface{} (JSON)
  • Recipients is an array of recipients which contains the encrypted CEK for each recipient (only one recipient is allowed in OpenID).
  • AAD: Additional Authentication Data encoded as Base64Url string.
  • IV (Initialization Vector): nonce / random bytes encoded as Base64Url string.
  • Ciphertext: the stringified and encrypted data bytes, encoded as Base64Url string.
  • Tag: bytes generated by the cipher algorithm, encoded as Base64Url string.

func DeserializeJsonJWE

func DeserializeJsonJWE(serializedJWE string) (*JWEncryptionGo, error)

DeserializeJsonJWE gets the parts of a JSON JWE (no compact serialization):

  • ProtectedHeaders as map[string]interface{} (JSON)
  • OrigProtectedHders as Base64Url encoded string
  • UnprotectedHeaders as map[string]interface{} (JSON)
  • Recipients is an array of recipients which contains the encrypted CEK for each recipient (only one recipient is allowed in OpenID).
  • AAD: Additional Authentication Data encoded as Base64Url string.
  • IV (Initialization Vector): nonce / random bytes encoded as Base64Url string.
  • Ciphertext: the stringified and encrypted data bytes, encoded as Base64Url string.
  • Tag: bytes generated by the cipher algorithm, encoded as Base64Url string.

func (*JWEncryptionGo) CompactSoleRecipientJWE

func (jweGo *JWEncryptionGo) CompactSoleRecipientJWE(jsonMarshal JsonMarshalFunc) (string, error)

CompactSoleRecipientJWE serializes the given JWE into a compact, URL-safe string as defined in https://tools.ietf.org/html/rfc7516#section-7.1 (e.g.: for OpenID) OpenID Connect specification mandates to use JWS compact serialization and JWE compact serialization whenever necessary Any JWT must follow compact serialization. A JWS or JWE token following JSON serialization cannot be called as a JWT. JWE compact serialization is built with five key components, each separated by a period (.):

  • 1) JOSE header
  • 2) JWE Encrypted Key (CEK)
  • 3) JWE Initialization Vector (IV)
  • 4) JWE Additional Authentication Data (AAD),
  • 5) JWE Ciphertext and JWE Authentication Tag

func (*JWEncryptionGo) PrepareHeadersJSON

func (jweGo *JWEncryptionGo) PrepareHeadersJSON(jsonMarshal JsonMarshalFunc) (string, json.RawMessage, error)

TODO: This servers both for JWE and JWS Headers?

func (*JWEncryptionGo) PrepareRecipientsJSON

func (jweGo *JWEncryptionGo) PrepareRecipientsJSON(jsonMarshal JsonMarshalFunc) (json.RawMessage, string, []byte, error)

func (*JWEncryptionGo) SerializeMultiRecipientBytes

func (jweGo *JWEncryptionGo) SerializeMultiRecipientBytes(marshal JsonMarshalFunc) ([]byte, error)

SerializeMultiRecipientBytes serializes the bytes of a JWE, as defined in https://tools.ietf.org/html/rfc7516#section-7.2. The full serialization syntax is used for multi-recipient JWE.

func (*JWEncryptionGo) SerializeMultiRecipientJSON

func (jweGo *JWEncryptionGo) SerializeMultiRecipientJSON() (map[string]interface{}, error)

SerializeMultiRecipientJSON returns JSON as defined in https://tools.ietf.org/html/rfc7516#section-7.2. The full serialization syntax is used for multi-recipient JWE.

func (*JWEncryptionGo) SerializeMultiRecipientRawJSON

func (jweGo *JWEncryptionGo) SerializeMultiRecipientRawJSON() (json.RawMessage, error)

SerializeMultiRecipientRawJSON serializes the JWE into RawMessage, as defined in https://tools.ietf.org/html/rfc7516#section-7.2. The full serialization syntax is used for multi-recipient JWE.

func (*JWEncryptionGo) SerializeMultiRecipientStringified

func (jweGo *JWEncryptionGo) SerializeMultiRecipientStringified() (string, error)

SerializeMultiRecipientStringified serializes and strigifies the JSON data, as defined in https://tools.ietf.org/html/rfc7516#section-7.2. The full serialization syntax is used for multi-recipient JWE.

type JWEncryptionRawJSON

type JWEncryptionRawJSON struct {
	B64ProtectedHeaders      string          `json:"protected,omitempty"`
	UnprotectedHeaders       json.RawMessage `json:"unprotected,omitempty"`
	Recipients               json.RawMessage `json:"recipients,omitempty"`
	B64SingleRecipientEncKey string          `json:"encrypted_key,omitempty"`
	SingleRecipientHeader    json.RawMessage `json:"header,omitempty"`
	B64AAD                   string          `json:"aad,omitempty"`
	B64IV                    string          `json:"iv,omitempty"`
	B64Ciphertext            string          `json:"ciphertext,omitempty"`
	B64Tag                   string          `json:"tag,omitempty"`
}

JWEncryptionRawJSON represents a RAW JSON JWE that is used for serialization/deserialization (JWEncryptionGo) OpenID Connect specification mandates to use JWS compact serialization and JWE compact serialization whenever necessary Any JWT must follow compact serialization. A JWS or JWE token following JSON serialization cannot be called as a JWT. In contrast to the JWS compact serialization, the JWS JSON serialization can produce multiple signatures over the same JWS payload along with multiple JOSE headers. JWE compact serialization is built with five key components, each separated by a period (.):

  • 1) JOSE header
  • 2) JWE Encrypted Key (CEK)
  • 3) JWE Initialization Vector (IV)
  • 4) JWE Additional Authentication Data (AAD),
  • 5) JWE Ciphertext and JWE Authentication Tag// The header has the algorithm to encrypt the CEK to the recipients "alg" (Kyber) and the CEK symmetric encryption algorithm "enc" (A256GCM) algorithm.

type JsonMarshalFunc

type JsonMarshalFunc func(interface{}) ([]byte, error)

Used to pass the json.Marshal functions to the methods

type NumericDate

type NumericDate int64

NumericDate represents date and time as the number of seconds since the epoch, ignoring leap seconds. Non-integer values can be represented in the serialized format, but we round to the nearest second. See RFC7519 Section 2: https://tools.ietf.org/html/rfc7519#section-2

func NewNumericDate

func NewNumericDate(t time.Time) *NumericDate

NewNumericDate constructs NumericDate from time.Time value.

func (NumericDate) MarshalJSON

func (n NumericDate) MarshalJSON() ([]byte, error)

MarshalJSON serializes the given NumericDate into its JSON representation.

func (*NumericDate) Time

func (n *NumericDate) Time() time.Time

Time returns time.Time representation of NumericDate.

func (*NumericDate) UnmarshalJSON

func (n *NumericDate) UnmarshalJSON(b []byte) error

UnmarshalJSON reads a date from its JSON representation.

type PartsJWT

type PartsJWT struct {
	Header    string  // Is the protected header (because signed claims)
	Payload   string  // payload claims to be signed also
	Signature *string // it does not exist when preparing the data for signature
}

This has the 3 parts encoded in Base64url format.

func CreatePartsUnsignedJWT

func CreatePartsUnsignedJWT(headerClaims Headers, payloadClaims interface{}) (*PartsJWT, error)

CreatePartsUnsignedJWT function converts both headers and payload data to RawBase64UrlSafe format to return the encoded parts. (payload is compressed when the "zip" header claim is "DEF") It does not return the signature (nil).

func GetPartsJWT

func GetPartsJWT(compactToken *string) *PartsJWT

GetPartsJWT gets a compact JWT/PartsJWT (string, not JSON) and returns an object with header, payload and signature (base64url encoded), or nil if error.

func (*PartsJWT) Compact

func (partsJWT *PartsJWT) Compact() string

func (*PartsJWT) GetData

func (partsJWT *PartsJWT) GetData() *DataJWT

GetData returns DataJWT with headers, payload and optional signature or nil

type PayloadClaims

type PayloadClaims struct {
	Issuer    string        `json:"iss,omitempty"`
	Subject   string        `json:"sub,omitempty"`
	Audience  AudienceSlice `json:"aud,omitempty"`
	Expiry    *NumericDate  `json:"exp,omitempty"`
	NotBefore *NumericDate  `json:"nbf,omitempty"`
	IssuedAt  *NumericDate  `json:"iat,omitempty"`
	ID        string        `json:"jti,omitempty"`
}

PayloadClaims represents public claim values (as specified in RFC 7519).

type RecipientHeaders

type RecipientHeaders struct {
	Alg string          `json:"alg,omitempty"`
	APU string          `json:"apu,omitempty"`
	APV string          `json:"apv,omitempty"`
	IV  string          `json:"iv,omitempty"`
	Tag string          `json:"tag,omitempty"`
	KID string          `json:"kid,omitempty"`
	EPK json.RawMessage `json:"epk,omitempty"`
}

RecipientHeaders are the recipient headers.

type RecipientJWE

type RecipientJWE struct {
	Header       *RecipientHeaders `json:"header,omitempty"`
	EncryptedKey string            `json:"encrypted_key,omitempty"`
}

RecipientJWE is a recipient of a JWE including the shared encryption key.

func DeserializeRecipientsJWE

func DeserializeRecipientsJWE(rawJWE *JWEncryptionRawJSON) ([]*RecipientJWE, error)

func ParseDeserializeRecipientsJWE

func ParseDeserializeRecipientsJWE(rawJWE *JWEncryptionRawJSON) ([]*RecipientJWE, error)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL