Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var ErrUnsupportedKeyType = errors.New("unsupported key type")
Functions ¶
This section is empty.
Types ¶
type Alg ¶
type Alg string
const ( // HS256 signing algorithm. // // HMAC using SHA-256. HS256 Alg = "HS256" // HS384 signing algorithm. // // HMAC using SHA-384. HS384 Alg = "HS384" // HS512 signing algorithm. // // HMAC using SHA-512. HS512 Alg = "HS512" // RS256 signing algorithm. // // RSASSA-PKCS1-v1_5 using SHA-256. RS256 Alg = "RS256" // RS384 signing algorithm. // // RSASSA-PKCS1-v1_5 using SHA-384. RS384 Alg = "RS384" // RS512 signing algorithm. // // RSASSA-PKCS1-v1_5 using SHA-512. RS512 Alg = "RS512" // ES256 signing algorithm. // // ECDSA using P-256 and SHA-256. ES256 Alg = "ES256" // ES384 signing algorithm. // // ECDSA using P-384 and SHA-384. ES384 Alg = "ES384" // ES512 signing algorithm. // // ECDSA using P-521 and SHA-512. ES512 Alg = "ES512" // PS256 signing algorithm. // // RSASSA-PSS using SHA-256 and MGF1 with SHA-256. PS256 Alg = "PS256" // PS384 signing algorithm. // // RSASSA-PSS using SHA-384 and MGF1 with SHA-384. PS384 Alg = "PS384" // PS512 signing algorithm. // // RSASSA-PSS using SHA-512 and MGF1 with SHA-512. PS512 Alg = "PS512" // EdDSA signing algorithm. EdDSA Alg = "EdDSA" )
JWS algorithms. https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
const ( // RSAOAEP key management algorithm. // // RSAES OAEP using default parameters. RSAOAEP Alg = "RSA-OAEP" // RSAOAEP256 key management algorithm. // // RSAES OAEP using SHA-256 and MGF1 with SHA-256. RSAOAEP256 Alg = "RSA-OAEP-256" // A128KW key management algorithm. // // AES Key Wrap with default initial value using 128-bit key. A128KW Alg = "A128KW" // A192KW key management algorithm. // // AES Key Wrap with default initial value using 192-bit key. A192KW Alg = "A192KW" // A256KW key management algorithm. // // AES Key Wrap with default initial value using 256-bit key. A256KW Alg = "A256KW" // DIR key management algorithm. // // Direct use of a shared symmetric key as the CEK. DIR Alg = "dir" // ECDHES key management algorithm. // // Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF. ECDHES Alg = "ECDH-ES" // ECDHESA128KW key management algorithm. // // ECDH-ES using Concat KDF and CEK wrapped with A128KW. ECDHESA128KW Alg = "ECDH-ES+A128KW" // ECDHESA192KW key management algorithm. // // ECDH-ES using Concat KDF and CEK wrapped with A192KW. ECDHESA192KW Alg = "ECDH-ES+A192KW" // ECDHESA256KW key management algorithm. // // ECDH-ES using Concat KDF and CEK wrapped with A256KW. ECDHESA256KW Alg = "ECDH-ES+A256KW" // A128GCMKW key management algorithm. // // Key wrapping with AES GCM using 128-bit key. A128GCMKW Alg = "A128GCMKW" // A192GCMKW key management algorithm. // // Key wrapping with AES GCM using 192-bit key. A192GCMKW Alg = "A192GCMKW" // A256GCMKW key management algorithm. // // Key wrapping with AES GCM using 256-bit key. A256GCMKW Alg = "A256GCMKW" // PBES2HS256A128KW key management algorithm. // // PBES2 with HMAC SHA-256 and A128KW key wrapping. PBES2HS256A128KW Alg = "PBES2-HS256+A128KW" // PBES2HS384A192KW key management algorithm. // // PBES2 with HMAC SHA-384 and A192KW key wrapping. PBES2HS384A192KW Alg = "PBES2-HS384+A192KW" // PBES2HS512A256KW key management algorithm. // // PBES2 with HMAC SHA-512 and A256KW key wrapping. PBES2HS512A256KW Alg = "PBES2-HS512+A256KW" )
JWE key management algorithms. https://datatracker.ietf.org/doc/html/rfc7518#section-4.1
const None Alg = "none"
type CTY ¶
type CTY string
CTY represents the "cty" field of a JWT header.
https://datatracker.ietf.org/doc/html/rfc7519#section-5.2
const CtyJWT CTY = "JWT"
type Claims ¶
type Claims struct {
ClaimsCommon
Payload json.RawMessage
}
func (Claims) MarshalJSON ¶
func (*Claims) UnmarshalJSON ¶
type ClaimsCommon ¶
type ClaimsCommon struct {
// Iss is the producer of the token.
//
// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
//
// The "iss" (producer) claim identifies the principal that issued the
// JWT. The processing of this claim is generally application specific.
// The "iss" value is a case-sensitive string containing a StringOrURI
// value. Use of this claim is OPTIONAL.
Iss string `json:"iss,omitempty"`
// Sub is the subject of the token.
//
// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2
//
// The "sub" (subject) claim identifies the principal that is the
// subject of the JWT. The claims in a JWT are normally statements
// about the subject. The subject value MUST either be scoped to be
// locally unique in the context of the producer or be globally unique.
// The processing of this claim is generally application specific. The
// "sub" value is a case-sensitive string containing a StringOrURI
// value. Use of this claim is OPTIONAL.
Sub string `json:"sub,omitempty"`
// Aud is the audience of the token.
//
// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
//
// The "aud" (audience) claim identifies the recipients that the JWT is
// intended for. Each principal intended to process the JWT MUST
// identify itself with a value in the audience claim. If the principal
// processing the claim does not identify itself with a value in the
// "aud" claim when this claim is present, then the JWT MUST be
// rejected. In the general case, the "aud" value is an array of case-
// sensitive strings, each containing a StringOrURI value. In the
// special case when the JWT has one audience, the "aud" value MAY be a
// single case-sensitive string containing a StringOrURI value. The
// interpretation of audience values is generally application specific.
// Use of this claim is OPTIONAL.
Aud string `json:"aud,omitempty"`
// Exp is the expiration time of the token.
//
// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4
// The "exp" (expiration time) claim identifies the expiration time on
// or after which the JWT MUST NOT be accepted for processing. The
// processing of the "exp" claim requires that the current date/time
// MUST be before the expiration date/time listed in the "exp" claim.
// Implementers MAY provide for some small leeway, usually no more than
// a few minutes, to account for clock skew. Its value MUST be a number
// containing a NumericDate value. Use of this claim is OPTIONAL.
Exp int64 `json:"exp,omitempty"`
// Nbf is the "not before" time of the token.
//
// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5
//
// The "nbf" (not before) claim identifies the time before which the JWT
// MUST NOT be accepted for processing. The processing of the "nbf"
// claim requires that the current date/time MUST be after or equal to
// the not-before date/time listed in the "nbf" claim. Implementers MAY
// provide for some small leeway, usually no more than a few minutes, to
// account for clock skew. Its value MUST be a number containing a
// NumericDate value. Use of this claim is OPTIONAL.
Nbf int64 `json:"nbf,omitempty"`
// Iat is the time at which the token was issued.
//
// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6
//
// The "iat" (issued at) claim identifies the time at which the JWT was
// issued. This claim can be used to determine the age of the JWT. Its
// value MUST be a number containing a NumericDate value. Use of this
// claim is OPTIONAL.
Iat int64 `json:"iat,omitempty"`
// Jti is the JWT ID of the token.
//
// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7
//
// The "jti" (JWT ID) claim provides a unique identifier for the JWT.
// The identifier value MUST be assigned in a manner that ensures that
// there is a negligible probability that the same value will be
// accidentally assigned to a different data object; if the application
// uses multiple producers, collisions MUST be prevented among values
// produced by different producers as well. The "jti" claim can be used
// to prevent the JWT from being replayed. The "jti" value is a case-
// sensitive string. Use of this claim is OPTIONAL.
Jti string `json:"jti,omitempty"`
}
ClaimsCommon are standard claims of a JWT token.
https://datatracker.ietf.org/doc/html/rfc7519#section-4
The JWT Claims Set represents a JSON object whose members are the claims conveyed by the JWT. The Claim Names within a JWT Claims Set MUST be unique; JWT parsers MUST either reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name, as specified in Section 15.12 ("The JSON Object") of ECMAScript 5.1 [ECMAScript].
The set of claims that a JWT must contain to be considered valid is context dependent and is outside the scope of this specification. Specific applications of JWTs will require implementations to understand and process some claims in particular ways. However, in the absence of such requirements, all claims that are not understood by implementations MUST be ignored.
There are three classes of JWT Claim Names: Registered Claim Names, Public Claim Names, and Private Claim Names.
type Enc ¶
type Enc string
const ( // A128CBC encryption algorithm. // // AES_128_CBC_HMAC_SHA_256 authenticated encryption algorithm. A128CBC Enc = "A128CBC-HS256" // A192CBC encryption algorithm. // // AES_192_CBC_HMAC_SHA_384 authenticated encryption algorithm. A192CBC Enc = "A192CBC-HS384" // A256CBC encryption algorithm. // // AES_256_CBC_HMAC_SHA_512 authenticated encryption algorithm. A256CBC Enc = "A256CBC-HS512" // A128GCM encryption algorithm. // // AES_128_GCM authenticated encryption algorithm. A128GCM Enc = "A128GCM" // A192GCM encryption algorithm. // // AES_192_GCM authenticated encryption algorithm. A192GCM Enc = "A192GCM" // A256GCM encryption algorithm. // // AES_256_GCM authenticated encryption algorithm. A256GCM Enc = "A256GCM" )
type J509 ¶
type J509 struct {
// X5U represents the "x5u" (X.509 URL) parameter in a JSON web key.
//
// If both X5U and X5C are set, their content must be semantically consistent.
//
// https://datatracker.ietf.org/doc/html/rfc7517#section-4.6
//
// The "x5u" (X.509 URL) parameter is a URI [RFC3986] that refers to a
// resource for an X.509 public key certificate or certificate chain
// [RFC5280]. The identified resource MUST provide a representation of
// the certificate or certificate chain that conforms to RFC 5280
// [RFC5280] in PEM-encoded form, with each certificate delimited as
// specified in Section 6.1 of RFC 4945 [RFC4945]. The key in the first
// certificate MUST match the public key represented by other members of
// the JWKCommon. The protocol used to acquire the resource MUST provide
// integrity protection; an HTTP GET request to retrieve the certificate
// MUST use TLS [RFC2818] [RFC5246]; the identity of the server MUST be
// validated, as per Section 6 of RFC 6125 [RFC6125]. Use of this
// member is OPTIONAL.
//
// While there is no requirement that optional JWKCommon members providing key
// usage, algorithm, or other information be present when the "x5u"
// member is used, doing so may improve interoperability for
// applications that do not handle PKIX certificates [RFC5280]. If
// other members are present, the contents of those members MUST be
// semantically consistent with the related fields in the first
// certificate. For instance, if the "use" member is present, then it
// MUST correspond to the usage that is specified in the certificate,
// when it includes this information. Similarly, if the "alg" member is
// present, it MUST correspond to the algorithm specified in the
// certificate.
X5U string `json:"x5u,omitempty"`
// X5C represents the "x5c" (X.509 certificate chain) parameter in a JSON web key.
//
// If both X5U and X5C are set, their content must be semantically consistent.
//
// https://datatracker.ietf.org/doc/html/rfc7517#section-4.7
//
// The "x5c" (X.509 certificate chain) parameter contains a chain of one
// or more PKIX certificates [RFC5280]. The certificate chain is
// represented as a JSON array of certificate value strings. Each
// string in the array is a base64-encoded (Section 4 of [RFC4648] --
// not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.
// The PKIX certificate containing the key value MUST be the first
// certificate. This MAY be followed by additional certificates, with
// each subsequent certificate being the one used to certify the
// previous one. The key in the first certificate MUST match the public
// key represented by other members of the JWKCommon. Use of this member is
// OPTIONAL.
//
// As with the "x5u" member, optional JWKCommon members providing key usage,
// algorithm, or other information MAY also be present when the "x5c"
// member is used. If other members are present, the contents of those
// members MUST be semantically consistent with the related fields in
// the first certificate. See the last paragraph of Section 4.6 for
// additional guidance on this.
X5C []string `json:"x5c,omitempty"`
// X5T represents the "x5t" (X.509 certificate SHA-1 thumbprint) parameter in a JSON web key.
//
// https://datatracker.ietf.org/doc/html/rfc7517#section-4.8
//
// The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a
// base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER
// encoding of an X.509 certificate [RFC5280]. Note that certificate
// thumbprints are also sometimes known as certificate fingerprints.
// The key in the certificate MUST match the public key represented by
// other members of the JWKCommon. Use of this member is OPTIONAL.
//
// As with the "x5u" member, optional JWKCommon members providing key usage,
// algorithm, or other information MAY also be present when the "x5t"
// member is used. If other members are present, the contents of those
// members MUST be semantically consistent with the related fields in
// the referenced certificate. See the last paragraph of Section 4.6
// for additional guidance on this.
X5T string `json:"x5t,omitempty"`
// X5TS256 represents the "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter in a JSON web key.
//
// https://datatracker.ietf.org/doc/html/rfc7517#section-4.9
//
// The "x5t#S256" (X.509 certificate SHA-256 thumbprint) parameter is a
// base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER
// encoding of an X.509 certificate [RFC5280]. Note that certificate
// thumbprints are also sometimes known as certificate fingerprints.
// The key in the certificate MUST match the public key represented by
// other members of the JWKCommon. Use of this member is OPTIONAL.
//
// As with the "x5u" member, optional JWKCommon members providing key usage,
// algorithm, or other information MAY also be present when the
// "x5t#S256" member is used. If other members are present, the
// contents of those members MUST be semantically consistent with the
// related fields in the referenced certificate. See the last paragraph
// of Section 4.6 for additional guidance on this.
X5TS256 string `json:"x5t#S256,omitempty"` //nolint:tagliatelle
}
J509 represents x509 certificate information in a JSON Web Algorithm format.
type JWH ¶
type JWH struct {
JWHCommon
Payload json.RawMessage
}
func (JWH) MarshalJSON ¶
func (*JWH) UnmarshalJSON ¶
type JWHAESGCMKW ¶
type JWHCommon ¶
type JWHCommon struct {
JWHEmbeddedKey
JWHKeyAgreement
JWHPBES2
JWHAESGCMKW
J509
// JWT header.
//
// https://datatracker.ietf.org/doc/html/rfc7519#section-5.1
//
// The "typ" (type) Header Parameter defined by [JWS] and [JWE] is used
// by JWT applications to declare the media type [IANA.MediaTypes] of
// this complete JWT. This is intended for use by the JWT application
// when values that are not JWTs could also be present in an application
// data structure that can contain a JWT object; the application can use
// this value to disambiguate among the different kinds of objects that
// might be present. It will typically not be used by applications when
// it is already known that the object is a JWT. This parameter is
// ignored by JWT implementations; any processing of this parameter is
// performed by the JWT application. If present, it is RECOMMENDED that
// its value be "JWT" to indicate that this object is a JWT. While
// media type names are not case-sensitive, it is RECOMMENDED that "JWT"
// always be spelled using uppercase characters for compatibility with
// legacy implementations. Use of this Header Parameter is OPTIONAL.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9
//
// The "typ" (type) Header Parameter is used by JWS applications to
// declare the media type [IANA.MediaTypes] of this complete JWS. This
// is intended for use by the application when more than one kind of
// object could be present in an application data structure that can
// contain a JWS; the application can use this value to disambiguate
// among the different kinds of objects that might be present. It will
// typically not be used by applications when the kind of object is
// already known. This parameter is ignored by JWS implementations; any
// processing of this parameter is performed by the JWS application.
// Use of this Header Parameter is OPTIONAL.
//
// Per RFC 2045 [RFC2045], all media type values, subtype values, and
// parameter names are case insensitive. However, parameter values are
// case sensitive unless otherwise specified for the specific parameter.
// To keep messages compact in common situations, it is RECOMMENDED that
// producers omit an "application/" prefix of a media type value in a
// "typ" Header Parameter when no other '/' appears in the media type
// value. A recipient using the media type value MUST treat it as if
// "application/" were prepended to any "typ" value not containing a
// '/'. For instance, a "typ" value of "example" SHOULD be used to
// represent the "application/example" media type, whereas the media
// type "application/example;part="1/2"" cannot be shortened to
// "example;part="1/2"".
//
// The "typ" value "JOSE" can be used by applications to indicate that
// this object is a JWS or JWE using the JWS Compact Serialization or
// the JWE Compact Serialization. The "typ" value "JOSE+JSON" can be
// used by applications to indicate that this object is a JWS or JWE
// using the JWS JSON Serialization or the JWE JSON Serialization.
// Other type values can also be used by applications.
Typ Typ `json:"typ,omitempty"`
// CTY header.
//
// https://datatracker.ietf.org/doc/html/rfc7519#section-5.2
//
// The "cty" (content type) Header Parameter defined by [JWS] and [JWE]
// is used by this specification to convey structural information about
// the JWT.
//
// In the normal case in which nested signing or encryption operations
// are not employed, the use of this Header Parameter is NOT
// RECOMMENDED. In the case that nested signing or encryption is
// employed, this Header Parameter MUST be present; in this case, the
// value MUST be "JWT", to indicate that a Nested JWT is carried in this
// JWT. While media type names are not case-sensitive, it is
// RECOMMENDED that "JWT" always be spelled using uppercase characters
// for compatibility with legacy implementations. See Appendix A.2 for
// an example of a Nested JWT.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.10
//
// The "cty" (content type) Header Parameter is used by JWS applications
// to declare the media type [IANA.MediaTypes] of the secured content
// (the payload). This is intended for use by the application when more
// than one kind of object could be present in the JWS J509; the
// application can use this value to disambiguate among the different
// kinds of objects that might be present. It will typically not be
// used by applications when the kind of object is already known. This
// parameter is ignored by JWS implementations; any processing of this
// parameter is performed by the JWS application. Use of this Header
// Parameter is OPTIONAL.
//
// Per RFC 2045 [RFC2045], all media type values, subtype values, and
// parameter names are case insensitive. However, parameter values are
// case sensitive unless otherwise specified for the specific parameter.
//
// To keep messages compact in common situations, it is RECOMMENDED that
// producers omit an "application/" prefix of a media type value in a
// "cty" Header Parameter when no other '/' appears in the media type
// value. A recipient using the media type value MUST treat it as if
// "application/" were prepended to any "cty" value not containing a
// '/'. For instance, a "cty" value of "example" SHOULD be used to
// represent the "application/example" media type, whereas the media
// type "application/example;part="1/2"" cannot be shortened to
// "example;part="1/2"".
//
// Values:
// - CtyJWT
CTY CTY `json:"cty,omitempty"`
// Alg header.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.1
//
// The "alg" (algorithm) Header Parameter identifies the cryptographic
// algorithm used to secure the JWS. The JWS Signature value is not
// valid if the "alg" value does not represent a supported algorithm or
// if there is not a key for use with that algorithm associated with the
// party that digitally signed or MACed the content. "alg" values
// should either be registered in the IANA "JSON Web Signature and
// Encryption Algorithms" registry established by [JWA] or be a value
// that contains a Collision-Resistant Name. The "alg" value is a case-
// sensitive ASCII string containing a StringOrURI value. This Header
// Parameter MUST be present and MUST be understood and processed by
// implementations.
//
// A list of defined "alg" values for this use can be found in the IANA
// "JSON Web Signature and Encryption Algorithms" registry established
// by [JWA]; the initial contents of this registry are the values
// defined in Section 3.1 of [JWA].
Alg Alg `json:"alg,omitempty"`
// Enc header.
//
// https://datatracker.ietf.org/doc/html/rfc7516#section-4.1.2
// The "enc" (encryption algorithm) Header Parameter identifies the
// content encryption algorithm used to perform authenticated encryption
// on the plaintext to produce the ciphertext and the Authentication
// Tag. This algorithm MUST be an AEAD algorithm with a specified key
// length. The encrypted content is not usable if the "enc" value does
// not represent a supported algorithm. "enc" values should either be
// registered in the IANA "JSON Web Signature and Encryption Algorithms"
// registry established by [JWA] or be a value that contains a
// Collision-Resistant Name. The "enc" value is a case-sensitive ASCII
// string containing a StringOrURI value. This Header Parameter MUST be
// present and MUST be understood and processed by implementations.
Enc Enc `json:"enc,omitempty"`
// Zip header.
//
// https://datatracker.ietf.org/doc/html/rfc7516#section-4.1.3
//
// The "zip" (compression algorithm) applied to the plaintext before
// encryption, if any. The "zip" value defined by this specification
// is:
//
// o "DEF" - Compression with the DEFLATE [RFC1951] algorithm
//
// Other values MAY be used. Compression algorithm values can be
// registered in the IANA "JSON Web Encryption Compression Algorithms"
// registry established by [JWA]. The "zip" value is a case-sensitive
// string. If no "zip" parameter is present, no compression is applied
// to the plaintext before encryption. When used, this Header Parameter
// MUST be integrity protected; therefore, it MUST occur only within the
// JWE Protected Header. Use of this Header Parameter is OPTIONAL.
// This Header Parameter MUST be understood and processed by
// implementations.
Zip Zip `json:"zip,omitempty"`
// Crit (Critical) Header Parameter.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.11
//
// The "crit" (critical) Header Parameter indicates that extensions to
// this specification and/or [JWA] are being used that MUST be
// understood and processed. Its value is an array listing the Header
// Parameter names present in the JOSE Header that use those extensions.
// If any of the listed extension Header Parameters are not understood
// and supported by the recipient, then the JWS is invalid. Producers
// MUST NOT include Header Parameter names defined by this specification
// or [JWA] for use with JWS, duplicate names, or names that do not
// occur as Header Parameter names within the JOSE Header in the "crit"
// list. Producers MUST NOT use the empty list "[]" as the "crit"
// value. Recipients MAY consider the JWS to be invalid if the critical
// list contains any Header Parameter names defined by this
// specification or [JWA] for use with JWS or if any other constraints
// on its use are violated. When used, this Header Parameter MUST be
// integrity protected; therefore, it MUST occur only within the JWS
// Protected Header. Use of this Header Parameter is OPTIONAL. This
// Header Parameter MUST be understood and processed by implementations.
//
// An example use, along with a hypothetical "exp" (expiration time)
// field is:
//
// {"alg":"ES256",
// "crit":["exp"],
// "exp":1363284000
// }
Crit []string `json:"crit,omitempty"`
// Iss is the producer of the token.
//
// This parameter is replicated from the body, to allow processing of encrypted body, where this information is
// not available.
//
// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
//
// The "iss" (producer) claim identifies the principal that issued the
// JWT. The processing of this claim is generally application specific.
// The "iss" value is a case-sensitive string containing a StringOrURI
// value. Use of this claim is OPTIONAL.
Iss string `json:"iss,omitempty"`
// Sub is the subject of the token.
//
// This parameter is replicated from the body, to allow processing of encrypted body, where this information is
// not available.
//
// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2
//
// The "sub" (subject) claim identifies the principal that is the
// subject of the JWT. The claims in a JWT are normally statements
// about the subject. The subject value MUST either be scoped to be
// locally unique in the context of the producer or be globally unique.
// The processing of this claim is generally application specific. The
// "sub" value is a case-sensitive string containing a StringOrURI
// value. Use of this claim is OPTIONAL.
Sub string `json:"sub,omitempty"`
// Aud is the audience of the token.
//
// This parameter is replicated from the body, to allow processing of encrypted body, where this information is
// not available.
//
// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
//
// The "aud" (audience) claim identifies the recipients that the JWT is
// intended for. Each principal intended to process the JWT MUST
// identify itself with a value in the audience claim. If the principal
// processing the claim does not identify itself with a value in the
// "aud" claim when this claim is present, then the JWT MUST be
// rejected. In the general case, the "aud" value is an array of case-
// sensitive strings, each containing a StringOrURI value. In the
// special case when the JWT has one audience, the "aud" value MAY be a
// single case-sensitive string containing a StringOrURI value. The
// interpretation of audience values is generally application specific.
// Use of this claim is OPTIONAL.
Aud string `json:"aud,omitempty"`
}
JWHCommon is a JOSE header.
https://datatracker.ietf.org/doc/html/rfc7519#section-5
# For a JWT object, the members of the JSON object represented by the JOSE Header describe the cryptographic operations applied to the JWT and optionally, additional properties of the JWT. Depending upon whether the JWT is a JWS or JWE, the corresponding rules for the JOSE Header values apply.
This specification further specifies the use of the following Header Parameters in both the cases where the JWT is a JWS and where it is a JWE.
type JWHEmbeddedKey ¶
type JWHEmbeddedKey struct {
// JKU (JWK Set URL) Header Parameter.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.2
//
// The "jku" (JWK Set URL) Header Parameter is a URI [RFC3986] that
// refers to a resource for a set of JSON-encoded public keys, one of
// which corresponds to the key used to digitally sign the JWS. The
// keys MUST be encoded as a JWK Set [JWKCommon]. The protocol used to
// acquire the resource MUST provide integrity protection; an HTTP GET
// request to retrieve the JWK Set MUST use Transport Layer Security
// (TLS) [RFC2818] [RFC5246]; and the identity of the server MUST be
// validated, as per Section 6 of RFC 6125 [RFC6125]. Also, see
// Section 8 on TLS requirements. Use of this Header Parameter is
// OPTIONAL.
JKU string `json:"jku,omitempty"`
// JWK (JSON Web CEK) Header Parameter.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.3
//
// The "jwk" (JSON Web CEK) Header Parameter is the public key that
// corresponds to the key used to digitally sign the JWS. This key is
// represented as a JSON Web CEK [JWKCommon]. Use of this Header Parameter is
// OPTIONAL.
JWK *JWK `json:"jwk,omitempty"`
// KID (Key ID) Header Parameter.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4
//
// The "kid" (key ID) Header Parameter is a hint indicating which key
// was used to secure the JWS. This parameter allows originators to
// explicitly signal a change of key to recipients. The structure of
// the "kid" value is unspecified. Its value MUST be a case-sensitive
// string. Use of this Header Parameter is OPTIONAL.
//
// When used with a JWK, the "kid" value is used to match a JWK "kid"
// parameter value.
KID string `json:"kid,omitempty"`
}
type JWHKeyAgreement ¶
type JWHKeyAgreement struct {
// EPK is the Ephemeral Public Key Header Parameter.
//
// https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.1
//
// The "epk" (ephemeral public key) value created by the originator for
// the use in key agreement algorithms. This key is represented as a
// JSON Web Key [JWKCommon] public key value. It MUST contain only public key
// parameters and SHOULD contain only the minimum JWKCommon parameters
// necessary to represent the key; other JWKCommon parameters included can be
// checked for consistency and honored, or they can be ignored. This
// Header Parameter MUST be present and MUST be understood and processed
// by implementations when these algorithms are used.
EPK *JWK `json:"epk,omitempty"`
// APU is the Agreement PartyUInfo Header Parameter.
//
// https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.2
//
// The "apu" (agreement PartyUInfo) value for key agreement algorithms
// using it (such as "ECDH-ES"), represented as a base64url-encoded
// string. When used, the PartyUInfo value contains information about
// the producer. Use of this Header Parameter is OPTIONAL. This Header
// Parameter MUST be understood and processed by implementations when
// these algorithms are used.
APU string `json:"apu,omitempty"`
// APV is the Agreement PartyVInfo Header Parameter.
//
// https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.1.3
//
// The "apv" (agreement PartyVInfo) value for key agreement algorithms
// using it (such as "ECDH-ES"), represented as a base64url encoded
// string. When used, the PartyVInfo value contains information about
// the recipient. Use of this Header Parameter is OPTIONAL. This
// Header Parameter MUST be understood and processed by implementations
// when these algorithms are used.
APV string `json:"apv,omitempty"`
}
type JWK ¶
type JWK struct {
JWKCommon
Payload json.RawMessage
}
JWK represents a JSON Web Key, with both generic and key-specific information.
func (JWK) MarshalJSON ¶
func (*JWK) UnmarshalJSON ¶
type JWKCommon ¶
type JWKCommon struct {
J509
// KTY represents the "kty" (key type) parameter in a JSON web key.
//
// https://datatracker.ietf.org/doc/html/rfc7518#section-6.1
//
// The "kty" (key type) parameter identifies the cryptographic algorithm
// family used with the key, such as "RSA" or "EC". "kty" values should
// either be registered in the IANA "JSON Web CEK Types" registry
// established by [JWA] or be a value that contains a Collision-
// Resistant Name. The "kty" value is a case-sensitive string. This
// member MUST be present in a JWKCommon.
//
// A list of defined "kty" values can be found in the IANA "JSON Web CEK
// Types" registry established by [JWA]; the initial contents of this
// registry are the values defined in Section 6.1 of [JWA].
//
// The key type definitions include specification of the members to be
// used for those key types. Members used with specific "kty" values
// can be found in the IANA "JSON Web CEK Parameters" registry
// established by Section 8.1.
KTY KTY `json:"kty"`
// Use represents the "use" parameter in a JSON web key.
//
// https://datatracker.ietf.org/doc/html/rfc7517#section-4.2
//
// The "use" (public key use) parameter identifies the intended use of
// the public key. The "use" parameter is employed to indicate whether
// a public key is used for encrypting data or verifying the signature
// on data.
//
// Values defined by this specification are:
//
// o "sig" (signature)
// o "enc" (encryption)
//
// Other values MAY be used. The "use" value is a case-sensitive
// string. Use of the "use" member is OPTIONAL, unless the application
// requires its presence.
//
// When a key is used to wrap another key and a public key use
// designation for the first key is desired, the "enc" (encryption) key
// use value is used, since key wrapping is a kind of encryption. The
// "enc" value is also to be used for public keys used for key agreement
// operations.
//
// Additional "use" (public key use) values can be registered in the
// IANA "JSON Web CEK Use" registry established by Section 8.2.
// Registering any extension values used is highly recommended when this
// specification is used in open environments, in which multiple
// organizations need to have a common understanding of any extensions
// used. However, unregistered extension values can be used in closed
// environments, in which the producing and consuming organization will
// always be the same.
Use Use `json:"use,omitempty"`
// KeyOps represents the "key_ops" parameter in a JSON web key.
//
// https://datatracker.ietf.org/doc/html/rfc7517#section-4.3
//
// The "key_ops" (key operations) parameter identifies the operation(s)
// for which the key is intended to be used. The "key_ops" parameter is
// intended for use cases in which public, private, or symmetric keys
// may be present.
//
// Its value is an array of key operation values. Values defined by
// this specification are:
//
// o "sign" (compute digital signature or MAC)
// o "verify" (verify digital signature or MAC)
// o "encrypt" (encrypt content)
// o "decrypt" (decrypt content and validate decryption, if applicable)
// o "wrapKey" (encrypt key)
// o "unwrapKey" (decrypt key and validate decryption, if applicable)
// o "deriveKey" (derive key)
// o "deriveBits" (derive bits not to be used as a key)
//
// (Note that the "key_ops" values intentionally match the "KeyUsage"
// values defined in the Web Cryptography API
// [W3C.CR-WebCryptoAPI-20141211] specification.)
//
// Other values MAY be used. The key operation values are case-
// sensitive strings. Duplicate key operation values MUST NOT be
// present in the array. Use of the "key_ops" member is OPTIONAL,
// unless the application requires its presence.
//
// Multiple unrelated key operations SHOULD NOT be specified for a key
// because of the potential vulnerabilities associated with using the
// same key with multiple algorithms. Thus, the combinations "sign"
// with "verify", "encrypt" with "decrypt", and "wrapKey" with
// "unwrapKey" are permitted, but other combinations SHOULD NOT be used.
//
// Additional "key_ops" (key operations) values can be registered in the
// IANA "JSON Web CEK Plugins" registry established by Section 8.3.
// The same considerations about registering extension values apply to
// the "key_ops" member as do for the "use" member.
//
// The "use" and "key_ops" JWKCommon members SHOULD NOT be used together;
// however, if both are used, the information they convey MUST be
// consistent. Applications should specify which of these members they
// use, if either is to be used by the application.
KeyOps KeyOps `json:"key_ops,omitempty"`
// Alg represents the algorithm used in a JSON web key.
//
// https://datatracker.ietf.org/doc/html/rfc7517#section-4.4
//
// The "alg" (algorithm) parameter identifies the algorithm intended for
// use with the key. The values used should either be registered in the
// IANA "JSON Web Signature and Encryption Algorithms" registry
// established by [JWA] or be a value that contains a Collision-
// Resistant Name. The "alg" value is a case-sensitive ASCII string.
// Use of this member is OPTIONAL.
Alg Alg `json:"alg,omitempty"`
// KID (Key ID) JWKCommon Parameter.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4
//
// The "kid" (key ID) JWKCommon Parameter is a hint indicating which key
// was used to secure the JWS. This parameter allows originators to
// explicitly signal a change of key to recipients. The structure of
// the "kid" value is unspecified. Its value MUST be a case-sensitive
// string. Use of this JWKCommon Parameter is OPTIONAL.
//
// When used with a JWKCommon, the "kid" value is used to match a JWKCommon "kid"
// parameter value.
KID string `json:"kid,omitempty"`
}
JWKCommon represents a key in standard JSOM web key format.
https://datatracker.ietf.org/doc/html/rfc7517#section-4
A JWKCommon is a JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value. This JSON object MAY contain whitespace and/or line breaks before or after any JSON values or structural characters, in accordance with Section 2 of RFC 7159 [RFC7159]. This document defines the key parameters that are not algorithm specific and, thus, common to many keys.
In addition to the common parameters, each JWKCommon will have members that are key type specific. These members represent the parameters of the key. Section 6 of the JSON Web Algorithms (JWA) [JWA] specification defines multiple kinds of cryptographic keys and their associated members.
The member names within a JWKCommon MUST be unique; JWKCommon parsers MUST either reject JWKs with duplicate member names or use a JSON parser that returns only the lexically last duplicate member name, as specified in Section 15.12 (The JSON Object) of ECMAScript 5.1 [ECMAScript].
Additional members can be present in the JWKCommon; if not understood by implementations encountering them, they MUST be ignored. Member names used for representing key parameters for different keys types need not be distinct. Any new member name should either be registered in the IANA "JSON Web CEK Parameters" registry established by Section 8.1 or be a value that contains a Collision-Resistant Name.
func (JWKCommon) MatchPreset ¶
MatchPreset is used to check is the description of a JSON Web Key matches the expected preset.
type KTY ¶
type KTY string
KTY is used to determine the type of key in a JWA protocol.
const ( // KTYOct Parameters for Symmetric Keys. // // https://datatracker.ietf.org/doc/html/rfc7518#section-6.4 // // When the JWKCommon "kty" member value is "oct" (octet sequence), the member // "k" (see Section 6.4.1) is used to represent a symmetric key (or // another key whose value is a single octet sequence). An "alg" member // SHOULD also be present to identify the algorithm intended to be used // with the key, unless the application uses another means or convention // to determine the algorithm used. KTYOct KTY = "oct" // KTYRSA Parameters for RSA Public Keys. // // https://datatracker.ietf.org/doc/html/rfc7518#section-6.3 // // JWKs can represent RSA [RFC3447] keys. In this case, the "kty" // member value is "RSA". The semantics of the parameters defined below // are the same as those defined in Sections 3.1 and 3.2 of RFC 3447. KTYRSA KTY = "RSA" // KTYEC Parameters for Elliptic Curve Public Keys. // // https://datatracker.ietf.org/doc/html/rfc7518#section-6.2 // // JWKs can represent Elliptic Curve [DSS] keys. In this case, the // "kty" member value is "EC". KTYEC KTY = "EC" // KTYOKP Parameters for Octet Key Pair. // // https://datatracker.ietf.org/doc/html/rfc8037#section-2 // // A new key type (kty) value "OKP" (Octet Key Pair) is defined for // public key algorithms that use octet strings as private and public // keys. KTYOKP KTY = "OKP" )
type KeyOp ¶
type KeyOp string
KeyOp is used to determine the operations that can be performed with a key in a JWA protocol.
const ( // KeyOpSign compute digital signature or MAC. KeyOpSign KeyOp = "sign" // KeyOpVerify verify digital signature or MAC. KeyOpVerify KeyOp = "verify" // KeyOpEncrypt encrypt content. KeyOpEncrypt KeyOp = "encrypt" // KeyOpDecrypt decrypt content and validate decryption, if applicable. KeyOpDecrypt KeyOp = "decrypt" // KeyOpWrapKey encrypt key. KeyOpWrapKey KeyOp = "wrapKey" // KeyOpUnwrapKey decrypt key and validate decryption, if applicable. KeyOpUnwrapKey KeyOp = "unwrapKey" // KeyOpDeriveKey derive key. KeyOpDeriveKey KeyOp = "deriveKey" // KeyOpDeriveBits derive bits not to be used as a key. KeyOpDeriveBits KeyOp = "deriveBits" )
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.