jwx

package
Published: Aug 22, 2025 License: MIT Imports: 27 Imported by: 5


Constants

const (
	KeyStorageTypeFederation = "federation"
	KeyStorageTypeOIDC       = "oidc"
)

Constants for TypeIDs used in a KeyStorage

Variables

This section is empty.

Functions

func SignPayload

func SignPayload(payload []byte, signingAlg jwa.SignatureAlgorithm, key crypto.Signer, headers jws.Headers) (
	[]byte,
	error,
)

SignPayload signs a payload with the passed properties and adds the kid to the jwt header

func SignWithType

func SignWithType(payload []byte, typ string, signingAlg jwa.SignatureAlgorithm, key crypto.Signer) ([]byte, error)

SignWithType creates a signed JWT of the passed type for the passed payload using the passed crypto.Signer with the passed jwa.SignatureAlgorithm

func SupportedAlgs

func SupportedAlgs() []jwa.SignatureAlgorithm

SupportedAlgs returns the supported signing algorithms as a slice of jwa.SignatureAlgorithm

func SupportedAlgsStrings

func SupportedAlgsStrings() []string

SupportedAlgsStrings returns the supported signing algorithms as a slice of string

Types

type EntityStatementSigner

type EntityStatementSigner struct {
	*GeneralJWTSigner
}

EntityStatementSigner is a JWTSigner for oidfedconst.JWTTypeEntityStatement

func NewEntityStatementSigner

func NewEntityStatementSigner(signer VersatileSigner) *EntityStatementSigner

NewEntityStatementSigner creates a new EntityStatementSigner

func (EntityStatementSigner) JWT

func (s EntityStatementSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type GeneralJWTSigner

type GeneralJWTSigner struct {
	// contains filtered or unexported fields
}

GeneralJWTSigner is a general jwt signer with no specific typ

func NewGeneralJWTSigner

func NewGeneralJWTSigner(
	signer VersatileSigner, algs []jwa.SignatureAlgorithm,
) *GeneralJWTSigner

NewGeneralJWTSigner creates a new GeneralJWTSigner using the passed VersatileSigner. The passed algorithms define which algorithms can be used; the order also implies a preference, where the first alg is the preferred signing algorithm.

func (*GeneralJWTSigner) EntityStatementSigner

func (s *GeneralJWTSigner) EntityStatementSigner() *EntityStatementSigner

EntityStatementSigner returns an EntityStatementSigner using the same crypto.Signer

func (*GeneralJWTSigner) JWKS

func (s *GeneralJWTSigner) JWKS() JWKS

JWKS returns the jwks.JWKS used with this signer

func (GeneralJWTSigner) JWT

func (s GeneralJWTSigner) JWT(i any, headerType string, algs ...string) (jwt []byte, err error)

JWT returns a signed jwt representation of the passed data with the passed header type

func (*GeneralJWTSigner) ResolveResponseSigner

func (s *GeneralJWTSigner) ResolveResponseSigner() *ResolveResponseSigner

ResolveResponseSigner returns a ResolveResponseSigner using the same crypto.Signer

func (*GeneralJWTSigner) TrustMarkDelegationSigner

func (s *GeneralJWTSigner) TrustMarkDelegationSigner() *TrustMarkDelegationSigner

TrustMarkDelegationSigner returns a TrustMarkDelegationSigner using the same crypto.Signer

func (*GeneralJWTSigner) TrustMarkSigner

func (s *GeneralJWTSigner) TrustMarkSigner() *TrustMarkSigner

TrustMarkSigner returns a TrustMarkSigner using the same crypto.Signer

func (*GeneralJWTSigner) Typed

func (s *GeneralJWTSigner) Typed(headerType string) *TypedJWTSigner

Typed returns a TypedJWTSigner for the passed header type using the same crypto.Signer

type JWKS

type JWKS struct {
	jwk.Set
}

JWKS is a wrapper type for jwk.Set to implement custom marshaling

func KeyToJWKS

func KeyToJWKS(publicKey interface{}, alg jwa.SignatureAlgorithm) (JWKS, error)

KeyToJWKS creates a jwk.Set from the passed publicKey and sets the algorithm key in the jwk.Key to the passed jwa.SignatureAlgorithm

func NewJWKS

func NewJWKS() JWKS

NewJWKS returns a new JWKS

func (JWKS) MarshalJSON

func (jwks JWKS) MarshalJSON() ([]byte, error)

MarshalJSON implements the json.Marshaler interface

func (JWKS) MarshalMsgpack

func (jwks JWKS) MarshalMsgpack() ([]byte, error)

MarshalMsgpack implements the msgpack.Marshaler interface

func (JWKS) MarshalYAML

func (jwks JWKS) MarshalYAML() (any, error)

MarshalYAML implements the yaml.Marshaler interface.

func (JWKS) MinimalExpirationTime

func (jwks JWKS) MinimalExpirationTime() unixtime.Unixtime

MinimalExpirationTime iterates over all keys in the JWKS that have an exp claim set and returns the smallest expiration time among them

func (*JWKS) UnmarshalJSON

func (jwks *JWKS) UnmarshalJSON(data []byte) error

UnmarshalJSON implements the json.Unmarshaler interface

func (*JWKS) UnmarshalMsgpack

func (jwks *JWKS) UnmarshalMsgpack(data []byte) error

UnmarshalMsgpack implements the msgpack.Unmarshaler interface

func (*JWKS) UnmarshalYAML

func (jwks *JWKS) UnmarshalYAML(node *yaml.Node) error

UnmarshalYAML implements the yaml.Unmarshaler interface

type JWTSigner

type JWTSigner interface {
	JWT(i any, alg ...jwa.SignatureAlgorithm) (jwt []byte, err error)
	JWKS() JWKS
}

JWTSigner is an interface that can give signed jwts

type KeyStorage

type KeyStorage struct {
	// contains filtered or unexported fields
}

KeyStorage manages public and private signing keys for multiple typeIDs (e.g. federation and oidc). It handles loading keys from and writing keys to disk, and can also handle key rotation.

func NewKeyStorage

func NewKeyStorage(keyDir string, conf map[string]KeyStorageConfig) (*KeyStorage, error)

NewKeyStorage creates a new KeyStorage for the passed KeyStorageConfigs at the passed directory

func (KeyStorage) DefaultSigner

func (ks KeyStorage) DefaultSigner(storageType string) (crypto.Signer, jwa.SignatureAlgorithm)

DefaultSigner returns a crypto.Signer and the corresponding jwa.SignatureAlgorithm for the passed storageType

func (*KeyStorage) Federation

func (ks *KeyStorage) Federation() VersatileSigner

Federation returns a VersatileSigner for the KeyStorageTypeFederation

func (KeyStorage) FederationJWKS

func (ks KeyStorage) FederationJWKS() JWKS

FederationJWKS returns the jwks.JWKS containing all public keys for the KeyStorageTypeFederation storageTypeID

func (KeyStorage) FederationSigner

func (ks KeyStorage) FederationSigner() (crypto.Signer, jwa.SignatureAlgorithm)

FederationSigner returns the crypto.Signer and the corresponding jwa.SignatureAlgorithm for the KeyStorageTypeFederation storageTypeID

func (KeyStorage) History

func (ks KeyStorage) History(storageType string) JWKS

History returns the jwks history for the passed storageType

func (KeyStorage) JWKS

func (ks KeyStorage) JWKS(storageType string) JWKS

JWKS returns the jwks.JWKS containing all public keys for the passed storageType

func (*KeyStorage) Load

func (ks *KeyStorage) Load() error

Load loads the KeyStorage from disk and if enabled schedules key rotation.

func (*KeyStorage) OIDC

func (ks *KeyStorage) OIDC() VersatileSigner

OIDC returns a VersatileSigner for the KeyStorageTypeOIDC

func (KeyStorage) OIDCJWKS

func (ks KeyStorage) OIDCJWKS() JWKS

OIDCJWKS returns the jwks.JWKS containing all public keys for the KeyStorageTypeOIDC storageTypeID

func (KeyStorage) Save

func (ks KeyStorage) Save() error

Save saves the KeyStorage to disk

func (KeyStorage) Signer

func (ks KeyStorage) Signer(storageType string, algs ...string) (crypto.Signer, jwa.SignatureAlgorithm)

Signer takes a list of acceptable signature algorithms and returns a usable crypto.Signer, or nil (callers must check for nil before signing), together with the corresponding jwa.SignatureAlgorithm for the passed storageType

func (*KeyStorage) SubStorage

func (ks *KeyStorage) SubStorage(typeID string) VersatileSigner

SubStorage returns a VersatileSigner for the passed storageTypeID

type KeyStorageConfig

type KeyStorageConfig struct {
	Algorithm        string       `yaml:"alg"`
	Algorithms       []string     `yaml:"algs"`
	DefaultAlgorithm string       `yaml:"default_alg"`
	RSAKeyLen        int          `yaml:"rsa_key_len"`
	RolloverConf     RolloverConf `yaml:"automatic_key_rollover"`
}

KeyStorageConfig is a type holding the configuration for the keys of a protocol. If Algorithm is set, only that single signing algorithm is supported; otherwise multiple algorithms are supported, even if Algorithms is not set (in that case all supported algorithms are allowed).

type ResolveResponseSigner

type ResolveResponseSigner struct {
	*GeneralJWTSigner
}

ResolveResponseSigner is a JWTSigner for oidfedconst.JWTTypeResolveResponse

func NewResolveResponseSigner

func NewResolveResponseSigner(signer VersatileSigner) *ResolveResponseSigner

NewResolveResponseSigner creates a new ResolveResponseSigner

func (ResolveResponseSigner) JWT

func (s ResolveResponseSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type RolloverConf

type RolloverConf struct {
	Enabled                   bool                    `yaml:"enabled"`
	Interval                  duration.DurationOption `yaml:"interval"`
	NumberOfOldKeysKeptInJWKS int                     `yaml:"old_keys_kept_in_jwks"`
	KeepHistory               bool                    `yaml:"keep_history"`
}

RolloverConf is a type holding configuration for key rollover / key rotation

type SingleKeyStorage

type SingleKeyStorage struct {
	// contains filtered or unexported fields
}

SingleKeyStorage is a type implementing the oidfed.VersatileSigner interface but only uses a single key / alg

func NewSingleKeyVersatileSigner

func NewSingleKeyVersatileSigner(sk crypto.Signer, alg jwa.SignatureAlgorithm) SingleKeyStorage

NewSingleKeyVersatileSigner creates a new SingleKeyStorage

func (SingleKeyStorage) DefaultSigner

func (s SingleKeyStorage) DefaultSigner() (crypto.Signer, jwa.SignatureAlgorithm)

DefaultSigner returns a crypto.Signer and the corresponding jwa.SignatureAlgorithm

func (SingleKeyStorage) JWKS

func (s SingleKeyStorage) JWKS() JWKS

JWKS returns the jwks.JWKS containing all public keys of this VersatileSigner

func (SingleKeyStorage) Signer

Signer takes a list of acceptable signature algorithms and returns a usable crypto.Signer, or nil (callers must check for nil before signing), together with the corresponding jwa.SignatureAlgorithm

type TrustMarkDelegationSigner

type TrustMarkDelegationSigner struct {
	*GeneralJWTSigner
}

TrustMarkDelegationSigner is a JWTSigner for constants.JWTTypeTrustMarkDelegation

func NewTrustMarkDelegationSigner

func NewTrustMarkDelegationSigner(signer VersatileSigner) *TrustMarkDelegationSigner

NewTrustMarkDelegationSigner creates a new TrustMarkDelegationSigner

func (TrustMarkDelegationSigner) JWT

func (s TrustMarkDelegationSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type TrustMarkSigner

type TrustMarkSigner struct {
	*GeneralJWTSigner
}

TrustMarkSigner is a JWTSigner for oidfedconst.JWTTypeTrustMark

func NewTrustMarkSigner

func NewTrustMarkSigner(signer VersatileSigner) *TrustMarkSigner

NewTrustMarkSigner creates a new TrustMarkSigner

func (TrustMarkSigner) JWT

func (s TrustMarkSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type TypedJWTSigner

type TypedJWTSigner struct {
	*GeneralJWTSigner
	HeaderType string
}

TypedJWTSigner is a JWTSigner for a specific header type

func (TypedJWTSigner) JWT

func (s TypedJWTSigner) JWT(i any) (jwt []byte, err error)

JWT implements the JWTSigner interface

type VersatileSigner

type VersatileSigner interface {
	// Signer takes a list of acceptable signature algorithms and returns a
	// usable crypto.Signer or nil as well as the corresponding
	// jwa.SignatureAlgorithm
	Signer(algs ...string) (crypto.Signer, jwa.SignatureAlgorithm)
	// DefaultSigner returns a crypto.Signer and the corresponding jwa.SignatureAlgorithm
	DefaultSigner() (crypto.Signer, jwa.SignatureAlgorithm)
	// JWKS returns the jwks.JWKS containing all public keys of this VersatileSigner
	JWKS() JWKS
}

VersatileSigner is an interface type for obtaining a crypto.Signer for a specific jwa.SignatureAlgorithm and the corresponding (full) jwks.JWKS. The purpose of this interface is to enable: (1) easy usage of signing with potentially multiple algs, e.g. in oidc the private_key_jwt client auth method might use one alg with one OP and another alg with another OP; this requires different crypto.Signers, but we still want to easily access a single combined jwks.JWKS; (2) key rotation; by using a function to obtain the crypto.Signer it is possible that the crypto.Signer in use changes over time
