Documentation ¶
Index ¶
- Constants
- Variables
- func CheckNotExpiredDateEpochUNIX(timeUNIX int64) bool
- func CheckNotExpiredDateISO(datetime string) bool
- func DeserializeAndDecodeHeadersJWE(rawJWE *JWEncryptionRawJSON) (protectedHeaders *map[string]interface{}, ...)
- func GetInflatedDataByCompactJWT(compactJWT *string) (headerJSON map[string]interface{}, payloadBytes []byte)
- func GetInflatedDataByPartsJWT(partsJWT *PartsJWT) (headerJSON map[string]interface{}, payloadBytes []byte)
- type AudienceSingle
- type AudienceSlice
- type DataJWT
- type DecryptedOpenidJWE
- type HeaderRequestJWE
- type HeaderRequestJWS
- type Headers
- type JWEncryptionGo
- func (jweGo *JWEncryptionGo) CompactSoleRecipientJWE(jsonMarshal JsonMarshalFunc) (string, error)
- func (jweGo *JWEncryptionGo) PrepareHeadersJSON(jsonMarshal JsonMarshalFunc) (string, json.RawMessage, error)
- func (jweGo *JWEncryptionGo) PrepareRecipientsJSON(jsonMarshal JsonMarshalFunc) (json.RawMessage, string, []byte, error)
- func (jweGo *JWEncryptionGo) SerializeMultiRecipientBytes(marshal JsonMarshalFunc) ([]byte, error)
- func (jweGo *JWEncryptionGo) SerializeMultiRecipientJSON() (map[string]interface{}, error)
- func (jweGo *JWEncryptionGo) SerializeMultiRecipientRawJSON() (json.RawMessage, error)
- func (jweGo *JWEncryptionGo) SerializeMultiRecipientStringified() (string, error)
- type JWEncryptionRawJSON
- type JsonMarshalFunc
- type NumericDate
- type PartsJWT
- type PayloadClaims
- type RecipientHeaders
- type RecipientJWE
Constants ¶
const ( // These are set by go-jose and shouldn't need to be set by consumers of the library. // HeaderAlgorithm = "alg" // string // HeaderEncryption = "enc" // ContentEncryption HeaderCompression = "zip" // CompressionAlgorithm HeaderAPU = "apu" // *byteBuffer HeaderAPV = "apv" // *byteBuffer // HeaderEPK = "epk" // *JSONWebKey HeaderIV = "iv" // *byteBuffer HeaderTag = "tag" // *byteBuffer HeaderX5c = "x5c" // []*x509.Certificate HeaderJWK = "jwk" // *JSONWebKey // HeaderKeyID = "kid" // string HeaderNonce = "nonce" // string HeaderB64 = "b64" // bool HeaderP2C = "p2c" // *byteBuffer (int) HeaderP2S = "p2s" // *byteBuffer ([]byte) )
from go-jose header constants
const ( // HeaderAlgorithm identifies: // For JWS: the cryptographic algorithm used to secure the JWS. // For JWE: the cryptographic algorithm used to encrypt or determine the value of the CEK. HeaderAlgorithm = "alg" // string // HeaderEncryption identifies the JWE content encryption algorithm. HeaderEncryption = "enc" // string // HeaderJWKSetURL is a URI that refers to a resource for a set of JSON-encoded public keys, one of which: // For JWS: corresponds to the key used to digitally sign the JWS. // For JWE: corresponds to the public key to which the JWE was encrypted. HeaderJWKSetURL = "jku" // string // HeaderJSONWebKey is: // For JWS: the public key that corresponds to the key used to digitally sign the JWS. // For JWE: the public key to which the JWE was encrypted. HeaderJSONWebKey = "jwk" // JSON // HeaderJSONWebKeySet in UHC is: // For JWS: array of public keys that corresponds to the sender's signature and encryption keys. // For JWE: do not use here HeaderJSONWebKeySet = "jwks" // JSON // HeaderKeyID is a hint: // For JWS: indicating which key was used to secure the JWS. // For JWE: which references the public key to which the JWE was encrypted. HeaderKeyID = "kid" // string // HeaderSenderKeyID is a hint: // For JWS: not used. // For JWE: which references the (sender) public key used in the JWE key derivation/wrapping to encrypt the CEK. HeaderSenderKeyID = "skid" // string // HeaderX509URL is a URI that refers to a resource for the X.509 public key certificate or certificate chain: // For JWS: corresponding to the key used to digitally sign the JWS. // For JWE: corresponding to the public key to which the JWE was encrypted. HeaderX509URL = "x5u" // HeaderX509CertificateChain contains the X.509 public key certificate or certificate chain: // For JWS: corresponding to the key used to digitally sign the JWS. // For JWE: corresponding to the public key to which the JWE was encrypted. HeaderX509CertificateChain = "x5c" // HeaderX509CertificateDigest (X.509 certificate SHA-1 thumbprint) is a base64url-encoded // SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate: // For JWS: corresponding to the key used to digitally sign the JWS. // For JWE: corresponding to the public key to which the JWE was encrypted. HeaderX509CertificateDigestSha1 = "x5t" // HeaderX509CertificateDigestSha256 (X.509 certificate SHA-256 thumbprint) is a base64url-encoded SHA-256 // thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate: // For JWS: corresponding to the key used to digitally sign the JWS. // For JWE: corresponding to the public key to which the JWE was encrypted. HeaderX509CertificateDigestSha256 = "x5t#S256" // string // HeaderType is: // For JWS: used by JWS applications to declare the media type of this complete JWS. // For JWE: used by JWE applications to declare the media type of this complete JWE. HeaderType = "typ" // string // HeaderContentType is used by JWS applications to declare the media type of: // For JWS: the secured content (the payload). // For JWE: the secured content (the plaintext). HeaderContentType = "cty" // string // HeaderCritical indicates that extensions to: // For JWS: this JWS header specification and/or JWA are being used that MUST be understood and processed. // For JWE: this JWE header specification and/or JWA are being used that MUST be understood and processed. HeaderCritical = "crit" // array // HeaderEPK is used by JWE applications to wrap/unwrap the CEK for a recipient. HeaderEPK = "epk" // JSON )
from Hyperledger Aries IANA registered JOSE headers (https://tools.ietf.org/html/rfc7515#section-4.1)
const ( // HeaderB64 determines whether the payload is represented in the JWS and the JWS Signing // Input as ASCII(BASE64URL(JWS Payload)) or as the JWS Payload value itself with no encoding performed. HeaderB64Payload = "b64" // bool // A256GCMALG is the default content encryption algorithm value as per // the JWA specification: https://tools.ietf.org/html/rfc7518#section-5.1 A256GCMALG = "A256GCM" // XC20PALG represents XChacha20Poly1305 content encryption algorithm value. XC20PALG = "XC20P" // A128CBCHS256ALG represents AES_128_CBC_HMAC_SHA_256 encryption algorithm value. A128CBCHS256ALG = "A128CBC-HS256" // A192CBCHS384ALG represents AES_192_CBC_HMAC_SHA_384 encryption algorithm value. A192CBCHS384ALG = "A192CBC-HS384" // A256CBCHS384ALG represents AES_256_CBC_HMAC_SHA_384 encryption algorithm value (not defined in JWA spec above). A256CBCHS384ALG = "A256CBC-HS384" // A256CBCHS512ALG represents AES_256_CBC_HMAC_SHA_512 encryption algorithm value. A256CBCHS512ALG = "A256CBC-HS512" )
Header defined in https://tools.ietf.org/html/rfc7797
Variables ¶
var ( ErrUnsupportedKey = errors.New("unsupported key") ErrCannotCreateData = errors.New("cannot create data") ErrCannotGetData = errors.New("cannot get data") ErrSignature = errors.New("signature error") )
var ErrMsgExpired = "validation failed, token is expired (exp)"
ErrMsgExpired indicates that token is used after expiry time indicated in exp claim.
var ErrMsgInvalidAccessTokenJWT = "invalid access token format"
var ErrMsgInvalidAudience = "validation failed, invalid audience claim (aud)"
ErrMsgInvalidAudience indicated invalid aud claim.
var ErrMsgInvalidBearerAccessToken = "invalid bearer access token"
var ErrMsgInvalidClaims = "expected claims to be value convertible into JSON object"
ErrInvalidClaims indicates that given claims have invalid type.
var ErrMsgInvalidContentType = "expected content type to be JWT (cty header)"
ErrMsgInvalidContentType indicates that token requires JWT cty header.
var ErrMsgInvalidDPoPToken = "invalid DPoP token format"
var ErrMsgInvalidID = "validation failed, invalid ID claim (jti)"
ErrMsgInvalidID indicates invalid jti claim.
var ErrMsgInvalidIssuer = "validation failed, invalid issuer claim (iss)"
ErrInvalidIssuer indicates invalid iss claim.
var ErrMsgInvalidRequest = "request is empty or invalid"
var ErrMsgInvalidResponseType = "invalid response type"
var ErrMsgInvalidSubject = "validation failed, invalid subject claim (sub)"
ErrMsgInvalidSubject indicates invalid sub claim.
var ErrMsgIssuedInTheFuture = "validation field, token issued in the future (iat)"
ErrMsgIssuedInTheFuture indicates that the iat field is in the future.
var ErrMsgMissingDPoP = "missing DPoP token"
var ErrMsgMissingDecryptionKey = "missing decryption key"
var ErrMsgMissingSignVerificationKey = "missing signature verification key"
var ErrMsgNotValidYet = "validation failed, token not valid yet (nbf)"
ErrMsgNotValidYet indicates that token is used before time indicated in nbf claim.
var ErrMsgUnmarshalAudience = "expected string or array value to unmarshal to AudienceSlice"
ErrMsgUnmarshalAudience indicates that aud claim could not be unmarshalled.
var ErrMsgUnmarshalNumericDate = "expected number value to unmarshal NumericDate"
ErrMsgUnmarshalNumericDate indicates that JWT NumericDate could not be unmarshalled.
var GetDataJWT = func(compactJWT *string) *DataJWT { partsJWT := GetPartsJWT(compactJWT) if partsJWT == nil { return nil } data := GetDataByPartsJWT(partsJWT) return data }
GetDataJWT returns nil or a deserialized JWT with header and payload as JSON data and signature as bytes.
Functions ¶
func CheckNotExpiredDateEpochUNIX ¶
CheckNotExpiredDateEpochUNIX returns true if the date is not expired or false if expired
func CheckNotExpiredDateISO ¶
CheckNotExpiredDateISO returns true if the date is not expired or false if expired or error
func DeserializeAndDecodeHeadersJWE ¶
func DeserializeAndDecodeHeadersJWE(rawJWE *JWEncryptionRawJSON) (protectedHeaders *map[string]interface{}, unprotectedHeaders *map[string]interface{}, err error)
func GetInflatedDataByCompactJWT ¶
func GetInflatedDataByCompactJWT(compactJWT *string) (headerJSON map[string]interface{}, payloadBytes []byte)
GetInflatedDataByCompactJWT decompress a JWT payload if required and returns payload bytes and header claims or nil if some error
func GetInflatedDataByPartsJWT ¶
func GetInflatedDataByPartsJWT(partsJWT *PartsJWT) (headerJSON map[string]interface{}, payloadBytes []byte)
GetInflatedDataByPartsJWT decompress a JWT payload if required and returns payload bytes and header claims or nil if some error
Types ¶
type AudienceSingle ¶
type AudienceSingle string
AudienceSingle represents one of the recipients that the JWT is intended for.
func (*AudienceSingle) AudienceSingleToString ¶
func (audienceString *AudienceSingle) AudienceSingleToString() string
AudienceSingleToString gets the string
type AudienceSlice ¶
type AudienceSlice []string
AudienceSlice represents the recipients that the JWT is intended for.
func (AudienceSlice) AudienceSliceToString ¶
func (audienceSlice AudienceSlice) AudienceSliceToString(v string) string
AudienceSliceToString joins the array of strings with white space characters in a single string
func (*AudienceSlice) AudienceSliceToStringsArray ¶
func (audienceSlice *AudienceSlice) AudienceSliceToStringsArray() []string
AudienceSliceToStringsArray splits the audience string around each instance of one or more consecutive white space characters
func (AudienceSlice) Contains ¶
func (audienceSlice AudienceSlice) Contains(v string) bool
Contains checks whether a given string is included in the AudienceSlice
type DataJWT ¶
type DataJWT struct { Header Headers // The protected Header claims Payload map[string]interface{} // JSON Payload claims Signature *[]byte // Signature if already signed }
func GetDataByPartsJWT ¶
GetDataByPartsJWT decodes and decompress the parts or the JWT and returns DataJWT
func (*DataJWT) CompactUnsignedJWT ¶
CompactUnsignedJWT method returns an unsigned compact JWT which is an string with the format "base64url(headerBytes).base64url(payloadBytes)." (no signature after the last dot). It creates both the base64url encoded header and payload and concatenates it (empty signature). The last character "." SHALL be removed before doing the signature and then the signature SHALL added (concatenated).
func (*DataJWT) PartsUnsignedJWT ¶
CreatePartsUnsignedJWT method converts both headers and payload data to RawBase64UrlSafe format to return the encoded parts. (payload is compressed when the "zip" header claim is "DEF") It does not return the signature (nil).
type DecryptedOpenidJWE ¶
type DecryptedOpenidJWE struct { ProtectedHeaders map[string]interface{} UnprotectedHeaders map[string]interface{} Recipients []*RecipientJWE NestedJWT DataJWT }
DecryptedOpenidJWE represents a RAW JSON decrypted JWE.
- ProtectedHeaders
- UnprotectedHeaders
- Recipients
- NestedJWT: headers, payload and signature (if any)
type HeaderRequestJWE ¶
type HeaderRequestJWE struct { // Algorithm ("alg", required) is the cryptographic algorithm used to encrypt (encapsulate) the value of the CEK (Crystals-Kyber). Algorithm string `json:"alg,omitempty" bson:"alg,omitempty"` // ContentType ("cty", required in UHC) is used to declare the media type of secured content (the "plaintext" encrypted data). ContentType string `json:"cty,omitempty" bson:"cty,omitempty"` // Encryption ("enc", required) identifies the cryptographic algorithm used to encrypt the data using the CEK (e.g.: *"A256GCM"* for AES data encryption). Encryption string `json:"enc,omitempty" bson:"enc,omitempty"` // string // JSONWebKey ("jwk", conditional) is the public key to which the JWE was encrypted. JSONWebKey *jwkUtils.JWK `json:"jwk,omitempty" bson:"jwk,omitempty"` // JSON // JWKSetURL ("jku", conditional) is a URI that refers to a resource for a set of JSON-encoded public keys or the recipient, one of which // corresponds to the public key to which the JWE was encrypted (determined by the recipient's encryption KeyID). JWKSetURL *string `json:"jku,omitempty" bson:"jku,omitempty"` // string // KeyID ("kid", conditional) indicates the recipient's public key to which the JWE was encrypted. KeyID *string `json:"kid,omitempty" bson:"kid,omitempty"` // SenderKeyID ("skid", required in UHC) is a hint which references the sender's public encryption key for authenticated encryption. SenderKeyID string `json:"skid,omitempty" bson:"skid,omitempty"` // string // Type ("typ", required) is used to declare the media type of the complete JWS. It is "jwt" as per the OpenID specification. Type string `json:"typ,omitempty" bson:"typ,omitempty"` }
HeaderRequestJWE contains the JOSE header of an encrypted DIDComm-JAR message following both JOSE ([RFC7516](https://www.rfc-editor.org/rfc/rfc7516.html#section-4)) and DIDComm specifications: - the **"typ"** (*required*) field value is *"jwt"*. - the **"cty"** (*required*) field value is set to *"didcomm-signed+json"* when the plaintext is a nested signed DIDComm message. - the **"alg"** (*required*) field value identifies the **algorithm used to encrypt (encapsulate) the value of the CEK**. - the **"enc"** (*required*) field value identifies the **algorithm used to encrypt the data using the CEK** (e.g.: *"A256GCM"* for AES data encryption). - the **"skid"** (*required*) field value is the sender's public encryption keyID, and it is required in UHC for authenticated encryption. - the **"kid"** (*conditional*) field value is the recipient's keyID (*kid*) to which the CEK was encrypted, calculated by the JWK Thumbprint of the recipient's public encryption key. - the **"jku"** (*conditional*) field value is the recipient's JWK Set URL, to get the public key to which the JWE was encrypted by using the *"kid"* field as identifier. - the **"jwk"** (*conditional*) field value is the recipient's public JWK to which the CEK was encrypted (rather than using both "kid" and "jku"). The main JWE "kid" header claim field is the recipient's public encryption keyID. Note: *"x5u"* is not used in JAR because the certificate data can be included in the JWK (use the *"jwk"* or *"jku"* fields instead).
todo:
type HeaderRequestJWS ¶
type HeaderRequestJWS struct { // Algorithm ("alg") is the cryptographic algorithm used to secure the JWS. MUST NOT be "none". Algorithm string `json:"alg,omitempty" bson:"alg,omitempty"` // ContentType ("cty") is used to declare the media type of secured content (the payload). It is set to ContentType string `json:"cty,omitempty" bson:"cty,omitempty"` // JSONWebKeySet ("jwks", optional) contains an array of public keys that corresponds in UHC to the sender's public signature JWK (first) and public encryption JWK (second, it can be already in the JWE "jwk" header). JSONWebKeySet *jwkUtils.JWKeySet `json:"jwks,omitempty" bson:"jwks,omitempty"` // JSON // KeyID ("kid") indicates which key was used to secure the JWS. It can be already defined in the payload's "client_id" (DID#KID URI). KeyID string `json:"kid,omitempty" bson:"kid,omitempty"` // To ("to") is the DID Service Endpoint. // It should be the same as the payload's "aud" field in case of the Authorization flow // or the "htu" field when using a DPoP token bound to an access token. To string `json:"to,omitempty" bson:"to,omitempty"` // Type ("typ") is used to declare the media type of the complete JWS. It is "jwt" as per the OpenID specification. Type string `json:"typ,omitempty" bson:"typ,omitempty"` // specifies if the payload bytes are compressed or not ZipCompression *string `json:"zip,omitempty" bson:"zip,omitempty"` // CompressionAlgorithm }
joseUtils.HeaderRequestJWS contains the JOSE header of a signed DIDComm-JAR message. - the **"alg"** field value is the identifier of the digital signature algorithm. MUST NOT be "none". - the **"cty"** field value is set to *"didcomm-signed+json"*. - the "jwks" (optional) field value contains an array of public keys that corresponds in UHC to the sender's public signature JWK (first) and public encryption JWK (second, it can be already in the JWE "jwk" header). - the **"kid"** field value is the keyID (*kid*) calculated by the JWK Thumbprint of the public key used by the issuer. - the **"to"** field value is the DID Service Endpoint. It should be the same as the payload's "aud" field in case of the Authorization flow or the "htu" field when using a DPoP token bound to an access token. - the **"typ"** field value is *"jwt"*. - the "zip" (optional) field value can be "DEF" (deflated, compressed)
type Headers ¶
type Headers map[string]interface{}
Headers represents JOSE headers.
func (Headers) ContentType ¶
ContentType gets the payload content type from JOSE headers.
func (Headers) Encryption ¶
Encryption gets content encryption algorithm from JOSE headers.
func (Headers) SenderKeyID ¶
SenderKeyID gets the sender Key ID from Jose headers.
type JWEncryptionGo ¶
type JWEncryptionGo struct { ProtectedHeaders map[string]interface{} OrigProtectedHders string `json:"protected,omitempty"` // the original protected headers Base64Url encoded UnprotectedHeaders map[string]interface{} `json:"unprotected,omitempty"` Recipients []*RecipientJWE `json:"recipients,omitempty"` AAD string `json:"aad,omitempty"` IV string `json:"iv,omitempty"` Ciphertext string `json:"ciphertext,omitempty"` Tag string `json:"tag,omitempty"` }
JWEncryptionGo represents a JWE in Go (defined in https://tools.ietf.org/html/rfc7516). OpenID Connect specification mandates to use JWS compact serialization and JWE compact serialization whenever necessary Any JWT must follow compact serialization. A JWS or JWE token following JSON serialization cannot be called as a JWT. In contrast to the JWS compact serialization, the JWS JSON serialization can produce multiple signatures over the same JWS payload along with multiple JOSE headers. JWE COMPACT serialization is built with five key components, each separated by a period (.):
- 1) JOSE header
- 2) JWE Encrypted Key (CEK) // recipients list does not exist in compact serialization
- 3) JWE Initialization Vector (IV)
- 4) JWE Additional Authentication Data (AAD),
- 5) JWE Ciphertext and JWE Authentication Tag// The header has the algorithm to encrypt the CEK to the recipients "alg" (Kyber) and the CEK symmetric encryption algorithm "enc" (A256GCM) algorithm.
func DeserializeCompactJWE ¶
func DeserializeCompactJWE(serializedJWE string) (*JWEncryptionGo, error)
DeserializeCompactJWE gets the parts of a compact JWE:
- ProtectedHeaders as map[string]interface{} (JSON)
- OrigProtectedHders as Base64Url encoded string
- UnprotectedHeaders as map[string]interface{} (JSON)
- Recipients is an array of recipients which contains the encrypted CEK for each recipient (only one recipient is allowed in OpenID).
- AAD: Additional Authentication Data encoded as Base64Url string.
- IV (Initialization Vector): nonce / random bytes encoded as Base64Url string.
- Ciphertext: the stringified and encrypted data bytes, encoded as Base64Url string.
- Tag: bytes generated by the cipher algorithm, encoded as Base64Url string.
func DeserializeFromRawJWE ¶
func DeserializeFromRawJWE(rawJWE *JWEncryptionRawJSON) (*JWEncryptionGo, error)
func DeserializeJWE ¶
func DeserializeJWE(serializedJWE string) (*JWEncryptionGo, error)
DeserializeJWE deserializes the given serialized JWE into a JWEncryptionGo object.
- ProtectedHeaders as map[string]interface{} (JSON)
- OrigProtectedHders as Base64Url encoded string
- UnprotectedHeaders as map[string]interface{} (JSON)
- Recipients is an array of recipients which contains the encrypted CEK for each recipient (only one recipient is allowed in OpenID).
- AAD: Additional Authentication Data encoded as Base64Url string.
- IV (Initialization Vector): nonce / random bytes encoded as Base64Url string.
- Ciphertext: the stringified and encrypted data bytes, encoded as Base64Url string.
- Tag: bytes generated by the cipher algorithm, encoded as Base64Url string.
func DeserializeJsonJWE ¶
func DeserializeJsonJWE(serializedJWE string) (*JWEncryptionGo, error)
DeserializeJsonJWE gets the parts of a JSON JWE (no compact serialization):
- ProtectedHeaders as map[string]interface{} (JSON)
- OrigProtectedHders as Base64Url encoded string
- UnprotectedHeaders as map[string]interface{} (JSON)
- Recipients is an array of recipients which contains the encrypted CEK for each recipient (only one recipient is allowed in OpenID).
- AAD: Additional Authentication Data encoded as Base64Url string.
- IV (Initialization Vector): nonce / random bytes encoded as Base64Url string.
- Ciphertext: the stringified and encrypted data bytes, encoded as Base64Url string.
- Tag: bytes generated by the cipher algorithm, encoded as Base64Url string.
func (*JWEncryptionGo) CompactSoleRecipientJWE ¶
func (jweGo *JWEncryptionGo) CompactSoleRecipientJWE(jsonMarshal JsonMarshalFunc) (string, error)
CompactSoleRecipientJWE serializes the given JWE into a compact, URL-safe string as defined in https://tools.ietf.org/html/rfc7516#section-7.1 (e.g.: for OpenID) OpenID Connect specification mandates to use JWS compact serialization and JWE compact serialization whenever necessary Any JWT must follow compact serialization. A JWS or JWE token following JSON serialization cannot be called as a JWT. JWE compact serialization is built with five key components, each separated by a period (.):
- 1) JOSE header
- 2) JWE Encrypted Key (CEK)
- 3) JWE Initialization Vector (IV)
- 4) JWE Additional Authentication Data (AAD),
- 5) JWE Ciphertext and JWE Authentication Tag
func (*JWEncryptionGo) PrepareHeadersJSON ¶
func (jweGo *JWEncryptionGo) PrepareHeadersJSON(jsonMarshal JsonMarshalFunc) (string, json.RawMessage, error)
TODO: This servers both for JWE and JWS Headers?
func (*JWEncryptionGo) PrepareRecipientsJSON ¶
func (jweGo *JWEncryptionGo) PrepareRecipientsJSON(jsonMarshal JsonMarshalFunc) (json.RawMessage, string, []byte, error)
func (*JWEncryptionGo) SerializeMultiRecipientBytes ¶
func (jweGo *JWEncryptionGo) SerializeMultiRecipientBytes(marshal JsonMarshalFunc) ([]byte, error)
SerializeMultiRecipientBytes serializes the bytes of a JWE, as defined in https://tools.ietf.org/html/rfc7516#section-7.2. The full serialization syntax is used for multi-recipient JWE.
func (*JWEncryptionGo) SerializeMultiRecipientJSON ¶
func (jweGo *JWEncryptionGo) SerializeMultiRecipientJSON() (map[string]interface{}, error)
SerializeMultiRecipientJSON returns JSON as defined in https://tools.ietf.org/html/rfc7516#section-7.2. The full serialization syntax is used for multi-recipient JWE.
func (*JWEncryptionGo) SerializeMultiRecipientRawJSON ¶
func (jweGo *JWEncryptionGo) SerializeMultiRecipientRawJSON() (json.RawMessage, error)
SerializeMultiRecipientRawJSON serializes the JWE into RawMessage, as defined in https://tools.ietf.org/html/rfc7516#section-7.2. The full serialization syntax is used for multi-recipient JWE.
func (*JWEncryptionGo) SerializeMultiRecipientStringified ¶
func (jweGo *JWEncryptionGo) SerializeMultiRecipientStringified() (string, error)
SerializeMultiRecipientStringified serializes and strigifies the JSON data, as defined in https://tools.ietf.org/html/rfc7516#section-7.2. The full serialization syntax is used for multi-recipient JWE.
type JWEncryptionRawJSON ¶
type JWEncryptionRawJSON struct { B64ProtectedHeaders string `json:"protected,omitempty"` UnprotectedHeaders json.RawMessage `json:"unprotected,omitempty"` Recipients json.RawMessage `json:"recipients,omitempty"` B64SingleRecipientEncKey string `json:"encrypted_key,omitempty"` SingleRecipientHeader json.RawMessage `json:"header,omitempty"` B64AAD string `json:"aad,omitempty"` B64IV string `json:"iv,omitempty"` B64Ciphertext string `json:"ciphertext,omitempty"` B64Tag string `json:"tag,omitempty"` }
JWEncryptionRawJSON represents a RAW JSON JWE that is used for serialization/deserialization (JWEncryptionGo) OpenID Connect specification mandates to use JWS compact serialization and JWE compact serialization whenever necessary Any JWT must follow compact serialization. A JWS or JWE token following JSON serialization cannot be called as a JWT. In contrast to the JWS compact serialization, the JWS JSON serialization can produce multiple signatures over the same JWS payload along with multiple JOSE headers. JWE compact serialization is built with five key components, each separated by a period (.):
- 1) JOSE header
- 2) JWE Encrypted Key (CEK)
- 3) JWE Initialization Vector (IV)
- 4) JWE Additional Authentication Data (AAD),
- 5) JWE Ciphertext and JWE Authentication Tag// The header has the algorithm to encrypt the CEK to the recipients "alg" (Kyber) and the CEK symmetric encryption algorithm "enc" (A256GCM) algorithm.
type JsonMarshalFunc ¶
Used to pass the json.Marshal functions to the methods
type NumericDate ¶
type NumericDate int64
NumericDate represents date and time as the number of seconds since the epoch, ignoring leap seconds. Non-integer values can be represented in the serialized format, but we round to the nearest second. See RFC7519 Section 2: https://tools.ietf.org/html/rfc7519#section-2
func NewNumericDate ¶
func NewNumericDate(t time.Time) *NumericDate
NewNumericDate constructs NumericDate from time.Time value.
func (NumericDate) MarshalJSON ¶
func (n NumericDate) MarshalJSON() ([]byte, error)
MarshalJSON serializes the given NumericDate into its JSON representation.
func (*NumericDate) Time ¶
func (n *NumericDate) Time() time.Time
Time returns time.Time representation of NumericDate.
func (*NumericDate) UnmarshalJSON ¶
func (n *NumericDate) UnmarshalJSON(b []byte) error
UnmarshalJSON reads a date from its JSON representation.
type PartsJWT ¶
type PartsJWT struct { Header string // Is the protected header (because signed claims) Payload string // payload claims to be signed also Signature *string // it does not exist when preparing the data for signature }
This has the 3 parts encoded in Base64url format.
func CreatePartsUnsignedJWT ¶
CreatePartsUnsignedJWT function converts both headers and payload data to RawBase64UrlSafe format to return the encoded parts. (payload is compressed when the "zip" header claim is "DEF") It does not return the signature (nil).
func GetPartsJWT ¶
GetPartsJWT gets a compact JWT/PartsJWT (string, not JSON) and returns an object with header, payload and signature (base64url encoded), or nil if error.
type PayloadClaims ¶
type PayloadClaims struct { Issuer string `json:"iss,omitempty"` Subject string `json:"sub,omitempty"` Audience AudienceSlice `json:"aud,omitempty"` Expiry *NumericDate `json:"exp,omitempty"` NotBefore *NumericDate `json:"nbf,omitempty"` IssuedAt *NumericDate `json:"iat,omitempty"` ID string `json:"jti,omitempty"` }
PayloadClaims represents public claim values (as specified in RFC 7519).
type RecipientHeaders ¶
type RecipientHeaders struct { Alg string `json:"alg,omitempty"` APU string `json:"apu,omitempty"` APV string `json:"apv,omitempty"` IV string `json:"iv,omitempty"` Tag string `json:"tag,omitempty"` KID string `json:"kid,omitempty"` EPK json.RawMessage `json:"epk,omitempty"` }
RecipientHeaders are the recipient headers.
type RecipientJWE ¶
type RecipientJWE struct { Header *RecipientHeaders `json:"header,omitempty"` EncryptedKey string `json:"encrypted_key,omitempty"` }
RecipientJWE is a recipient of a JWE including the shared encryption key.
func DeserializeRecipientsJWE ¶
func DeserializeRecipientsJWE(rawJWE *JWEncryptionRawJSON) ([]*RecipientJWE, error)
func ParseDeserializeRecipientsJWE ¶
func ParseDeserializeRecipientsJWE(rawJWE *JWEncryptionRawJSON) ([]*RecipientJWE, error)