Documentation ¶
Overview ¶
JSON object signing and encryption definitions and utilities.
Index ¶
- Constants
- Variables
- func KeyById(jwks *jose.JSONWebKeySet, kid string) (*jose.JSONWebKey, error)
- func KeyForEncrypting(jwks *jose.JSONWebKeySet, alg EncryptionAlgorithm, rotationFactor int64) (*jose.JSONWebKey, error)
- func KeyForSigning(jwks *jose.JSONWebKeySet, alg SignatureAlgorithm, rotationFactor int64) (*jose.JSONWebKey, error)
- func NewJwksBuilder() *jwksBuilder
- func PublicKeyOnly(jwks *jose.JSONWebKeySet) *jose.JSONWebKeySet
- type ContentEncodingAlgorithm
- type EncryptionAlgorithm
- type Jwx
- type SignatureAlgorithm
Constants ¶
const (
	EdDSA = SignatureAlgorithm(jose.EdDSA)
	HS256 = SignatureAlgorithm(jose.HS256)
	HS384 = SignatureAlgorithm(jose.HS384)
	HS512 = SignatureAlgorithm(jose.HS512)
	RS256 = SignatureAlgorithm(jose.RS256)
	RS384 = SignatureAlgorithm(jose.RS384)
	RS512 = SignatureAlgorithm(jose.RS512)
	ES256 = SignatureAlgorithm(jose.ES256)
	ES384 = SignatureAlgorithm(jose.ES384)
	ES512 = SignatureAlgorithm(jose.ES512)
	PS256 = SignatureAlgorithm(jose.PS256)
	PS384 = SignatureAlgorithm(jose.PS384)
	PS512 = SignatureAlgorithm(jose.PS512)
	NoSig = SignatureAlgorithm("none")
)
A list of JWA signature algorithms.
const (
	RSA1_5 = EncryptionAlgorithm(jose.RSA1_5)
	RSA_OAEP = EncryptionAlgorithm(jose.RSA_OAEP)
	RSA_OAEP_256 = EncryptionAlgorithm(jose.RSA_OAEP_256)
	A128KW = EncryptionAlgorithm(jose.A128KW)
	A192KW = EncryptionAlgorithm(jose.A192KW)
	A256KW = EncryptionAlgorithm(jose.A256KW)
	ECDH_ES = EncryptionAlgorithm(jose.ECDH_ES)
	ECDH_ES_A128KW = EncryptionAlgorithm(jose.ECDH_ES_A128KW)
	ECDH_ES_A192KW = EncryptionAlgorithm(jose.ECDH_ES_A192KW)
	ECDH_ES_A256KW = EncryptionAlgorithm(jose.ECDH_ES_A256KW)
	A128GCMKW = EncryptionAlgorithm(jose.A128GCMKW)
	A192GCMKW = EncryptionAlgorithm(jose.A192GCMKW)
	A256GCMKW = EncryptionAlgorithm(jose.A256GCMKW)
	NoEncrypt = EncryptionAlgorithm("none")

	// The following is currently not supported.
	ED25519 = EncryptionAlgorithm(jose.ED25519)
	PBES2_HS256_A128KW = EncryptionAlgorithm(jose.PBES2_HS256_A128KW)
	PBES2_HS384_A192KW = EncryptionAlgorithm(jose.PBES2_HS384_A192KW)
	PBES2_HS512_A256KW = EncryptionAlgorithm(jose.PBES2_HS512_A256KW)
	DIRECT = EncryptionAlgorithm(jose.DIRECT)
)
A list of JWE encryption / key management algorithms.
These algorithms are kept independent of, but in sync with, jose.SignatureAlgorithm in gopkg.in/square/go-jose.v2, so that callers can avoid referencing the library when it is not needed.
const (
	A128CBC_HS256 = ContentEncodingAlgorithm(jose.A128CBC_HS256)
	A192CBC_HS384 = ContentEncodingAlgorithm(jose.A192CBC_HS384)
	A256CBC_HS512 = ContentEncodingAlgorithm(jose.A256CBC_HS512)
	A128GCM = ContentEncodingAlgorithm(jose.A128GCM)
	A192GCM = ContentEncodingAlgorithm(jose.A192GCM)
	A256GCM = ContentEncodingAlgorithm(jose.A256GCM)
	NoEnc = ContentEncodingAlgorithm("none")
)
A list of JWA content encoding/encryption algorithms.
These algorithms are kept independent of, but in sync with, jose.SignatureAlgorithm in gopkg.in/square/go-jose.v2, so that callers can avoid referencing the library when it is not needed.
Variables ¶
var (
	ErrInvalidSignatureAlgorithm = fmt.Errorf(`"%w: invalid signature algorithm"`, oidc.ErrInvalidRequest)
	ErrInvalidEncryptionAlgorithm = fmt.Errorf(`"%w: invalid encryption algorithm"`, oidc.ErrInvalidRequest)
	ErrInvalidEncodingAlgorithm = fmt.Errorf(`"%w: invalid content encoding algorithm"`, oidc.ErrInvalidRequest)
)
var (
	ErrNoKey = fmt.Errorf("%w: no key available", oidc.ErrServerError)
)
Functions ¶
func KeyForEncrypting ¶
func KeyForEncrypting(jwks *jose.JSONWebKeySet, alg EncryptionAlgorithm, rotationFactor int64) (*jose.JSONWebKey, error)
KeyForEncrypting returns a JWK whose "use" is "enc" or empty and that matches the given encryption algorithm. If multiple keys qualify, rotationFactor is used to select one of them. If no key qualifies, ErrNoKey is returned.
This function does not assume whether the caller intends to encrypt or decrypt. Callers may need to invoke jose.JSONWebKey.Public to obtain the public key for encryption.
func KeyForSigning ¶
func KeyForSigning(jwks *jose.JSONWebKeySet, alg SignatureAlgorithm, rotationFactor int64) (*jose.JSONWebKey, error)
KeyForSigning returns a JWK whose "use" is "sig" or empty and that matches the given signature algorithm. If multiple keys qualify, rotationFactor is used to select one of them. If no key qualifies, ErrNoKey is returned.
This function does not assume whether the caller intends to sign or to verify a signature. Callers may need to invoke jose.JSONWebKey.Public to obtain the public key for signature verification.
func NewJwksBuilder ¶
func NewJwksBuilder() *jwksBuilder
NewJwksBuilder returns a utility to build JWKS for test cases.
func PublicKeyOnly ¶
func PublicKeyOnly(jwks *jose.JSONWebKeySet) *jose.JSONWebKeySet
PublicKeyOnly takes an input JWKS and filters out the private key and symmetric key portions.
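As an added illustration (not the package's own code), the selection and filtering rules described for KeyForSigning, KeyForEncrypting and PublicKeyOnly, written against a stand-in Key struct so that it runs without go-jose. The stand-in type and the rotationFactor-modulo-count rule are assumptions, since the page does not say how the factor picks among qualified keys.

```go
package main
import (
	"crypto/ed25519"
	"errors"
)

// Key stands in for the jose.JSONWebKey fields used here (an assumption, not the library type).
type Key struct {
	KeyID, Use, Algorithm string      // Use is "sig", "enc" or ""
	Key                   interface{} // ed25519.PrivateKey, ed25519.PublicKey or []byte
}
var ErrNoKey = errors.New("no key available")
// keyFor mirrors KeyForSigning/KeyForEncrypting: a key qualifies when its "use" equals use or is empty and
// its "alg" matches; rotationFactor then indexes the qualified keys modulo their count (assumed rule).
func keyFor(keys []Key, use, alg string, rotationFactor int64) (*Key, error) {
	var qualified []*Key
	for i := range keys {
		if k := &keys[i]; (k.Use == use || k.Use == "") && k.Algorithm == alg {
			qualified = append(qualified, k)
		}
	}
	if n := int64(len(qualified)); n > 0 {
		return qualified[((rotationFactor%n)+n)%n], nil
	}
	return nil, ErrNoKey
}

// publicKeyOnly mirrors PublicKeyOnly: private keys become their public halves, symmetric secrets are dropped.
func publicKeyOnly(keys []Key) []Key {
	var out []Key
	for _, k := range keys { // k is a copy, so the caller's set keeps its private material
		switch priv := k.Key.(type) {
		case ed25519.PrivateKey:
			k.Key = priv.Public() // publish only the public half
		case ed25519.PublicKey: // already public
		default:
			continue // []byte HMAC/AES secrets and unknown types never leave the server
		}
		out = append(out, k)
	}
	return out
}

// sampleJWKS is a constructed key set: two EdDSA keys (one with empty "use") and one HMAC key.
func sampleJWKS() []Key {
	newEd := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(nil); return k }
	return []Key{
		{KeyID: "ed-1", Use: "sig", Algorithm: "EdDSA", Key: newEd()},
		{KeyID: "ed-2", Algorithm: "EdDSA", Key: newEd()},
		{KeyID: "hs-1", Use: "sig", Algorithm: "HS256", Key: []byte("constructed-secret")},
	}
}
```

The key with an empty "use" qualifies for both signing and encryption lookups, which is why a JWKS that mixes purposes should set "use" explicitly.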
Types ¶
type ContentEncodingAlgorithm ¶
type ContentEncodingAlgorithm string
ContentEncodingAlgorithm is the JWE content encoding algorithm.
func (ContentEncodingAlgorithm) CheckValid ¶
func (a ContentEncodingAlgorithm) CheckValid() error
CheckValid checks whether the content encoding algorithm is among the defined values, or empty; otherwise it returns ErrInvalidEncodingAlgorithm.
func (ContentEncodingAlgorithm) IsNone ¶
func (a ContentEncodingAlgorithm) IsNone() bool
IsNone returns true if no encryption algorithm is set.
type EncryptionAlgorithm ¶
type EncryptionAlgorithm string
EncryptionAlgorithm is the JWE key management algorithm.
func (EncryptionAlgorithm) CheckValid ¶
func (a EncryptionAlgorithm) CheckValid() error
CheckValid checks whether the encryption algorithm is among the defined algorithms; otherwise it returns ErrInvalidEncryptionAlgorithm.
func (EncryptionAlgorithm) IsAsymmetric ¶
func (a EncryptionAlgorithm) IsAsymmetric() bool
IsAsymmetric returns true if the algorithm is public/private key based.
func (EncryptionAlgorithm) IsNone ¶
func (a EncryptionAlgorithm) IsNone() bool
IsNone returns true if no encryption algorithm is set.
type Jwx ¶
type Jwx struct {
	SigAlg SignatureAlgorithm
	SigKeyFunc func(alg SignatureAlgorithm, kid string) (*jose.JSONWebKey, error)
	EncryptAlg EncryptionAlgorithm
	EncodingAlg ContentEncodingAlgorithm
	EncryptKeyFunc func(alg EncryptionAlgorithm, kid string) (*jose.JSONWebKey, error)
}
Jwx is a utility for handling JWT and JWE. It follows the common logic of the OpenID Connect specification, where a piece of data can be signed, or encrypted, or signed and then encrypted. Jwx provides Encode and Decode capabilities for these three situations.
Which of the three situations applies is determined by the parameters set on Jwx. If SigAlg.IsNone, Jwx assumes only encryption is involved. Similarly, if EncryptAlg.IsNone, Jwx assumes only signing is involved. Only when both SigAlg.IsNone and EncryptAlg.IsNone are false does Jwx perform both signing and encryption.
func (*Jwx) Decode ¶
Decode decodes the content of the given token into destination. The token is treated as a JWT if only SigAlg is specified; as a plain JWE-encoded JSON payload if only EncryptAlg/EncodingAlg is specified; and as a JWT nested within a JWE if both sets of algorithms are specified. As a special case, if none of the algorithms is specified, the token content is treated as plain JSON.
type SignatureAlgorithm ¶
type SignatureAlgorithm string
SignatureAlgorithm is the JWA used to sign and verify signatures.
func (SignatureAlgorithm) CheckValid ¶
func (a SignatureAlgorithm) CheckValid() error
CheckValid checks whether the signature algorithm is among the defined values, or empty; otherwise it returns ErrInvalidSignatureAlgorithm.
func (SignatureAlgorithm) IsAsymmetric ¶
func (a SignatureAlgorithm) IsAsymmetric() bool
IsAsymmetric returns true if the algorithm is public/private key based.
func (SignatureAlgorithm) IsNone ¶
func (a SignatureAlgorithm) IsNone() bool
IsNone returns true if no signature algorithm was specified.