cryptoadapter

package v0.30.0
Warning: this package is not in the latest version of its module.
Published: May 3, 2026 License: MIT Imports: 3 Imported by: 0

Documentation

Overview

Package cryptoadapter wraps go-jose/v4 with strict allowlist enforcement and a constant-time generic error surface. All upstream-library specifics (header types, option structs) are kept inside this package so a future library swap touches only one file.

Index

Constants

This section is empty.

Variables

var (
	ErrParseEncrypted    = errors.New("cryptoadapter: parse encrypted failed")
	ErrParseSigned       = errors.New("cryptoadapter: parse signed failed")
	ErrKidMissing        = errors.New("cryptoadapter: header missing kid")
	ErrKidMismatch       = errors.New("cryptoadapter: header kid does not match expected")
	ErrDecryptFailed     = errors.New("cryptoadapter: decrypt failed")
	ErrVerifyFailed      = errors.New("cryptoadapter: signature verification failed")
	ErrSignFailed        = errors.New("cryptoadapter: sign failed")
	ErrEncryptFailed     = errors.New("cryptoadapter: encrypt failed")
	ErrEncrypterCreation = errors.New("cryptoadapter: encrypter creation failed")
	ErrSignerCreation    = errors.New("cryptoadapter: signer creation failed")
)

Sentinel errors for the adapter layer; the parent jose package wraps these in *jose.Error with full diagnostic context.

Functions

func Encrypt

func Encrypt(payload []byte, key *rsa.PublicKey, opts *EncryptOptions) (string, error)

Encrypt produces a compact JWE over payload using the public key.

func Sign

func Sign(payload []byte, key *rsa.PrivateKey, opts *SignOptions) (string, error)

Sign produces a compact JWS over payload using the private key.

Types

type DecryptOptions

type DecryptOptions struct {
	ExpectedKid       string
	AllowedKeyAlgs    []jose.KeyAlgorithm
	AllowedContentEnc []jose.ContentEncryption
}

DecryptOptions controls strict header validation during JWE decrypt.

type EncryptOptions

type EncryptOptions struct {
	Kid    string
	KeyAlg jose.KeyAlgorithm
	Enc    jose.ContentEncryption
	Cty    string
}

EncryptOptions controls JWE production.

type Header

type Header struct {
	Kid string
	Alg string
	Enc string
	Cty string
}

Header contains the fields extracted from a parsed JOSE object for diagnostic logging; it never includes plaintext.

func Decrypt

func Decrypt(compact string, key *rsa.PrivateKey, opts *DecryptOptions) ([]byte, Header, error)

Decrypt parses a compact JWE, validates its protected header against the allowlists, and decrypts using the supplied private key.

func Verify

func Verify(compact string, key *rsa.PublicKey, opts *VerifyOptions) ([]byte, Header, error)

Verify parses a compact JWS, validates the protected header against the allowlists, and verifies the signature using the supplied public key. It reads the Protected header (covered by the signature) rather than the merged Header, which also contains unprotected, unsigned values.
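As an added illustration, not code from the cryptoadapter package, the header checks that Verify is described as performing, reimplemented with only the Go standard library so it runs without go-jose: it decodes just the signature-covered segment of a compact JWS, requires a kid that matches ExpectedKid, and rejects any alg not on the allowlist (so "none" never passes). Sentinel and type names are copied from the page; the allowlist uses plain strings instead of jose.SignatureAlgorithm, mapping a disallowed alg to ErrVerifyFailed is an assumption, and the RSA signature check itself is left to the library.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Sentinels named as on the page; this file is a stand-alone illustration, not the package itself.
var ErrParseSigned = errors.New("cryptoadapter: parse signed failed")
var ErrKidMissing = errors.New("cryptoadapter: header missing kid")
var ErrKidMismatch = errors.New("cryptoadapter: header kid does not match expected")
var ErrVerifyFailed = errors.New("cryptoadapter: signature verification failed")

// Header mirrors the page's struct; encoding/json matches JSON keys to fields case-insensitively.
type Header struct{ Kid, Alg, Enc, Cty string }

// VerifyOptions uses plain strings where the page uses jose.SignatureAlgorithm.
type VerifyOptions struct{ ExpectedKid string; AllowedSigAlgs []string }

// checkProtectedHeader decodes only the first, signature-covered segment of a compact JWS
// and applies the kid and alg allowlist checks; every failure maps to a generic sentinel.
func checkProtectedHeader(compact string, opts VerifyOptions) (Header, error) {
	parts := strings.Split(compact, ".") // always at least one element, so parts[0] is safe
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	var h Header
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &h) != nil {
		return Header{}, ErrParseSigned
	}
	if h.Kid == "" {
		return Header{}, ErrKidMissing
	}
	if h.Kid != opts.ExpectedKid {
		return Header{}, ErrKidMismatch
	}
	for _, a := range opts.AllowedSigAlgs { // unlisted algs, including "none", are rejected
		if a == h.Alg {
			return h, nil
		}
	}
	return Header{}, ErrVerifyFailed // assumption: the page lists no dedicated "alg not allowed" sentinel
}

// sampleJWS builds a constructed compact token with a dummy payload and signature for offline use.
func sampleJWS(hdr map[string]string) string {
	p, _ := json.Marshal(hdr)
	e := base64.RawURLEncoding.EncodeToString
	return e(p) + "." + e([]byte(`{"sub":"demo"}`)) + "." + e([]byte("sig"))
}
```

Because every branch returns a bare sentinel, a caller that logs the error learns which check failed only through the parent package's *jose.Error wrapping, not from anything the token's sender can observe.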

type SignOptions

type SignOptions struct {
	Kid    string
	SigAlg jose.SignatureAlgorithm
	Cty    string
}

SignOptions controls JWS production.

type VerifyOptions

type VerifyOptions struct {
	ExpectedKid    string
	AllowedSigAlgs []jose.SignatureAlgorithm
}

VerifyOptions controls strict header validation during JWS verify.
