tokens

package
v0.0.0-...-86f439f Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 12, 2024 License: MIT Imports: 28 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrThreeParts   = errors.New("JWT must be composed of three parts separated by periods")
	ErrJWTSignature = errors.New("JWT signature mismatch")
	ErrNoBase64JWT  = errors.New("the token claims (second part of the JWT) is not base64-valid")
	ErrColumnInKey  = errors.New("found a column symbol in the key string but tokens.NemHMAC() does not support AlgoKey scheme => use tokens.NewVerifier(algoKey)")
	ErrHMACKey      = errors.New("cannot decode the HMAC key, please provide a key in hexadecimal or Base64 form (64, 96 or 128 hexadecimal digits ; 43, 64 or 86 Base64 characters)")
	ErrHS256PubKey  = errors.New("cannot decode the HMAC-SHA256 key, please provide 64 hexadecimal digits or a Base64 string containing about 43 characters")
	ErrHS384PubKey  = errors.New("cannot decode the HMAC-SHA384 key, please provide 96 hexadecimal digits or a Base64 string containing 64 characters")
	ErrHS512PubKey  = errors.New("cannot decode the HMAC-SHA512 key, please provide 128 hexadecimal digits or a Base64 string containing about 86 characters")
	ErrEdDSAPubKey  = errors.New("cannot decode the EdDSA public key, please provide 88 hexadecimal digits or a Base64 string containing about 59 characters")
	ErrES256PubKey  = errors.New("cannot decode the ECDSA-P256-SHA256 public key, please provide 182 hexadecimal digits or a Base64 string containing about 122 characters")
	ErrES384PubKey  = errors.New("cannot decode the ECDSA-P384-SHA384 public key, please provide 240 hexadecimal digits or a Base64 string containing 160 characters")
	ErrES512PubKey  = errors.New("cannot decode the ECDSA-P512-SHA512 public key, please provide 316 hexadecimal digits or a Base64 string containing about 211 characters")
	ErrECDSAPubKey  = errors.New("cannot parse the DER bytes as a valid ECDSA public key")
)

Functions

func B64Decode 

func B64Decode(b64 []byte, reuse bool) ([]byte, error)

B64Decode avoid allocating memory when reuse=true by reusing the input buffer to return the base64-decoded result.

func DecryptVerificationKeyDER 

func DecryptVerificationKeyDER(algo string, accessKey []byte) ([]byte, error)

DecryptVerificationKeyDER returns the secret key for symmetric algos (like HMAC), or the public key for asymmetric algos (like RSA, EdDSA). The returned key is in DER format.

func GenAccessToken 

func GenAccessToken(timeout, maxTTL, user string, groups, orgs []string, secretKey []byte) (string, error)

GenAccessToken generates an access token with HS256 signing algo. Deprecated: Use `GenAccessTokenWithAlgo("HMAC", ...)`

func GenAccessTokenWithAlgo 

func GenAccessTokenWithAlgo(algo, timeout, maxTTL, user string, groups, orgs []string, keyDER []byte) (string, error)

GenAccessTokenWithAlgo creates an Access Token with the JSON fields "exp", "usr", "grp" and "org".

func GenRefreshToken 

func GenRefreshToken(timeout, maxTTL, namespace, user string, secretKey []byte) (string, error)

GenRefreshToken generates a refresh token for a user in a namespace.

func GenerateEdDSAKey 

func GenerateEdDSAKey() []byte

GenerateEdDSAKey generates a random EdDSA-25519 key in DER format.

func GenerateKeyECDSA 

func GenerateKeyECDSA(c elliptic.Curve) []byte

GenerateKeyECDSA generates a random ECDSA private key in DER format.

func GenerateKeyHMAC 

func GenerateKeyHMAC(bits int) []byte

GenerateKeyHMAC generates a random HMAC-SHA256 key.

func GenerateKeyRSA 

func GenerateKeyRSA(bits int) []byte

GenerateKeyRSA generates a random RSA private key in DER format.

func GenerateSigningKey 

func GenerateSigningKey(algo string) ([]byte, error)

GenerateSigningKey produces the private key of the given algorithm. Supported algorithms:

- HS256 = HMAC using SHA-256 - HS384 = HMAC using SHA-384 - HS512 = HMAC using SHA-512 - RS256 = RSASSA-PKCS-v1.5 using SHA-256 - RS384 = RSASSA-PKCS-v1.5 using SHA-384 - RS512 = RSASSA-PKCS-v1.5 using SHA-512 - ES256 = ECDSA using P-256 and SHA-256 - ES384 = ECDSA using P-384 and SHA-384 - ES512 = ECDSA using P-521 and SHA-512 - EdDSA = Ed25519

func GenerateSigningKeyHex 

func GenerateSigningKeyHex(algo string) (string, error)

GenerateSigningKeyHex produces the private key in hexadecimal form.

func ParsePublicDER 

func ParsePublicDER(algo string, der []byte) (any, error)

ParsePublicDER converts a public key in DER form into the original public key.

func PrivateDER2Public 

func PrivateDER2Public(algo string, der []byte) (any, error)

PrivateDER2Public converts a private key into a public key depending on the algo.

func PrivateDER2PublicDER 

func PrivateDER2PublicDER(algo string, privateDER []byte) ([]byte, error)

PrivateDER2PublicDER converts a private key into a public key depending on the algo. The input and output are in DER form.

func SplitThreeParts 

func SplitThreeParts(JWT []byte) (p1, p2 int, _ error)

SplitThreeParts returns the period position decompose the JWT in three parts

func ValidAccessToken 

func ValidAccessToken(accessToken, algo string, verificationKeyDER []byte) error

Types

type AccessClaims 

type AccessClaims struct {
	Username string   `json:"usr,omitempty"`
	Groups   []string `json:"grp,omitempty"`
	Orgs     []string `json:"org,omitempty"`
	jwt.RegisteredClaims
}

AccessClaims is the standard claims for a user access token.

func AccessClaimsFromBase64 

func AccessClaimsFromBase64(payload []byte, reuse bool) (*AccessClaims, error)

type Base 

type Base struct {
	// contains filtered or unexported fields
}

func (Base) Reuse 

func (b Base) Reuse() bool

type BytesKey 

type BytesKey struct {
	Base
	// contains filtered or unexported fields
}

type ECDSA 

type ECDSA struct {
	Base
	// contains filtered or unexported fields
}

type ES256 

type ES256 struct{ ECDSA }

func NewES256 

func NewES256(keyTxt string, reuse bool) (*ES256, error)

func (*ES256) Claims 

func (v *ES256) Claims(JWT []byte) (*AccessClaims, error)

func (*ES256) Verify 

func (v *ES256) Verify(hp, sig []byte) bool

type ES384 

type ES384 struct{ ECDSA }

func NewES384 

func NewES384(keyTxt string, reuse bool) (*ES384, error)

func (*ES384) Claims 

func (v *ES384) Claims(JWT []byte) (*AccessClaims, error)

func (*ES384) Verify 

func (v *ES384) Verify(hp, sig []byte) bool

type ES512 

type ES512 struct{ ECDSA }

func NewES512 

func NewES512(keyTxt string, reuse bool) (*ES512, error)

func (*ES512) Claims 

func (v *ES512) Claims(JWT []byte) (*AccessClaims, error)

func (*ES512) Verify 

func (v *ES512) Verify(hp, sig []byte) bool

type EdDSA 

type EdDSA struct{ BytesKey }

func NewEdDSA 

func NewEdDSA(keyTxt string, reuse bool) (*EdDSA, error)

func (*EdDSA) Claims 

func (v *EdDSA) Claims(JWT []byte) (*AccessClaims, error)

func (*EdDSA) Verify 

func (v *EdDSA) Verify(hp, sig []byte) bool

type HS256 

type HS256 struct{ BytesKey }

func NewHS256 

func NewHS256(keyTxt string, reuse bool) (*HS256, error)

func (*HS256) Claims 

func (v *HS256) Claims(JWT []byte) (*AccessClaims, error)

func (*HS256) GenAccessToken 

func (v *HS256) GenAccessToken(timeout, maxTTL, user string, groups, orgs []string) (string, error)

func (*HS256) Sign 

func (v *HS256) Sign(hp []byte) []byte

Sign return the signature of the first two parts. It allocates hmac.New() each time to avoid race condition.

func (*HS256) Verify 

func (v *HS256) Verify(hp, sig []byte) bool

type HS384 

type HS384 struct{ BytesKey }

func NewHS384 

func NewHS384(keyTxt string, reuse bool) (*HS384, error)

func (*HS384) Claims 

func (v *HS384) Claims(JWT []byte) (*AccessClaims, error)

func (*HS384) GenAccessToken 

func (v *HS384) GenAccessToken(timeout, maxTTL, user string, groups, orgs []string) (string, error)

func (*HS384) Sign 

func (v *HS384) Sign(hp []byte) []byte

func (*HS384) Verify 

func (v *HS384) Verify(hp, sig []byte) bool

type HS512 

type HS512 struct{ BytesKey }

func NewHS512 

func NewHS512(keyTxt string, reuse bool) (*HS512, error)

func (*HS512) Claims 

func (v *HS512) Claims(JWT []byte) (*AccessClaims, error)

func (*HS512) GenAccessToken 

func (v *HS512) GenAccessToken(timeout, maxTTL, user string, groups, orgs []string) (string, error)

func (*HS512) Sign 

func (v *HS512) Sign(hp []byte) []byte

func (*HS512) Verify 

func (v *HS512) Verify(hp, sig []byte) bool

type RefreshClaims 

type RefreshClaims struct {
	Namespace string `json:"namespace,omitempty"`
	Username  string `json:"username,omitempty"`
	jwt.RegisteredClaims
}

RefreshClaims is the standard claims for a user refresh token.

type Tokenizer 

type Tokenizer interface {
	GenAccessToken(timeout, maxTTL, user string, groups, orgs []string) (string, error)
	Sign(headerPayload []byte) []byte
	Verifier
}

func NewHMAC 

func NewHMAC(keyTxt string, reuse bool) (Tokenizer, error)

NewHMAC creates an asymmetric-key Tokenizer based on HMAC algorithms.

type Verifier 

type Verifier interface {
	Claims(accessToken []byte) (*AccessClaims, error)
	Verify(headerPayload, signature []byte) bool
	Reuse() bool
}

func NewVerifier 

func NewVerifier(algoKey string, reuse bool) (Verifier, error)

NewVerifier creates a new Verifier to speed up the verification of many Access Tokens with the same verification key.

The parameter algoKey accepts three different schemes:

  1. only a HMAC secret key: algoKey = "9d2e0a02121179a3c3de1b035ae1355b1548781c8ce8538a1dc0853a12dfb13d"

  2. both the signing algo and its verification key: algoKey = "HS256:9d2e0a02121179a3c3de1b035ae1355b1548781c8ce8538a1dc0853a12dfb13d"

  3. the Quid URL to fetch the algo/key info from a given namespace algoKey = "https://quid.teal.finance/v1?ns=foobar"

In the two first forms, NewVerifier accepts the key to be in hexadecimal, or in Base64 form. NewVerifier converts the verification key into binary DER form depending on the key string length and the optional algo name. The algo name is case insensitive.

func RequestAlgoKey 

func RequestAlgoKey(uri string, reuse bool) (Verifier, error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.