Documentation
¶
Index ¶
- Constants
- func ComputeKid(key any, alg string) (string, error)
- func DecodeVerifyKey(rawKey any, alg string) (any, error)
- func EncodePrivateKeyPEM(priv crypto.PrivateKey) ([]byte, error)
- func EncodePublicKeyPEM(pub crypto.PublicKey) ([]byte, error)
- func GenerateECDSAKeyPair() (privPEM, pubPEM []byte, err error)
- func GenerateRSAKeyPair(bits int) (privPEM, pubPEM []byte, err error)
- func IsAsymmetricAlg(alg string) bool
- func JWKToPublicKey(jwk JWK) (crypto.PublicKey, string, error)
- func ParsePrivateKeyPEM(pemBytes []byte) (crypto.PrivateKey, error)
- func ParsePublicKeyPEM(pemBytes []byte) (crypto.PublicKey, error)
- func SigningMethodForAlg(alg string) (jwt.SigningMethod, error)
- type FlaskAuth
- func (f *FlaskAuth) DecodeSessionCookie(base64value string) (out StrMap, err error)
- func (f *FlaskAuth) DecodeSessionUserId(userid string) (out []interface{})
- func (f *FlaskAuth) NormalizedSecretKey() string
- func (f *FlaskAuth) ParseSignedCookieValue(value string) (parts []interface{}, sessmap StrMap)
- type JWK
- type JWKSet
- type StrMap
Constants ¶
const MinRSAKeySize = 2048
MinRSAKeySize is the minimum allowed RSA key size in bits (NIST SP 800-57).
Variables ¶
This section is empty.
Functions ¶
func ComputeKid ¶ added in v0.0.38
ComputeKid computes a deterministic key ID (kid) for JWT headers. For asymmetric keys, this implements RFC 7638 JWK Thumbprint. For HMAC keys ([]byte), it returns SHA-256 of the raw bytes, base64url-encoded. The result is always 43 characters (256-bit hash, base64url, no padding).
Supported key types:
func DecodeVerifyKey ¶
DecodeVerifyKey converts raw key material from a KeyStore into the appropriate type for JWT verification based on the algorithm.
- For HMAC algorithms (HS256/HS384/HS512): returns the key as-is (expected to be []byte)
- For RS256: if key is []byte, parses as PEM to *rsa.PublicKey; if already *rsa.PublicKey, returns as-is
- For ES256: if key is []byte, parses as PEM to *ecdsa.PublicKey; if already *ecdsa.PublicKey, returns as-is
func EncodePrivateKeyPEM ¶
func EncodePrivateKeyPEM(priv crypto.PrivateKey) ([]byte, error)
EncodePrivateKeyPEM encodes a crypto.PrivateKey to PKCS8 PEM format.
func EncodePublicKeyPEM ¶
EncodePublicKeyPEM encodes a crypto.PublicKey to PEM format.
func GenerateECDSAKeyPair ¶
GenerateECDSAKeyPair generates an ECDSA P-256 key pair and returns PEM-encoded private and public keys.
func GenerateRSAKeyPair ¶
GenerateRSAKeyPair generates an RSA key pair and returns PEM-encoded private and public keys. Rejects key sizes below MinRSAKeySize (2048 bits) per NIST SP 800-57.
func IsAsymmetricAlg ¶
IsAsymmetricAlg returns true if the algorithm uses asymmetric keys (RS256, ES256).
func JWKToPublicKey ¶
JWKToPublicKey converts a JWK back to a crypto.PublicKey and returns the algorithm.
func ParsePrivateKeyPEM ¶
func ParsePrivateKeyPEM(pemBytes []byte) (crypto.PrivateKey, error)
ParsePrivateKeyPEM parses a PEM-encoded private key (RSA or ECDSA, PKCS8 format).
func ParsePublicKeyPEM ¶
ParsePublicKeyPEM parses a PEM-encoded public key (RSA or ECDSA).
func SigningMethodForAlg ¶
func SigningMethodForAlg(alg string) (jwt.SigningMethod, error)
SigningMethodForAlg returns the jwt.SigningMethod for the given algorithm string. Returns an error for unrecognized algorithms instead of silently defaulting to HS256. Empty string is treated as HS256 (default for single-tenant deployments).
Types ¶
type FlaskAuth ¶
func (*FlaskAuth) DecodeSessionCookie ¶
DecodeSessionCookie decodes a Flask session cookie from its base64 representation.
func (*FlaskAuth) DecodeSessionUserId ¶
DecodeSessionUserId decodes a Fernet-encrypted Flask session user ID.
func (*FlaskAuth) NormalizedSecretKey ¶
func (*FlaskAuth) ParseSignedCookieValue ¶
ParseSignedCookieValue decodes a Flask session cookie and extracts the user ID parts.
type JWK ¶
type JWK struct {
Kty string `json:"kty"` // "RSA" or "EC"
Kid string `json:"kid"` // key identifier (RFC 7638 thumbprint)
Alg string `json:"alg"` // "RS256" or "ES256"
Use string `json:"use"` // "sig"
KeyOps []string `json:"key_ops"` // ["verify"] — explicit usage restriction
N string `json:"n,omitempty"` // RSA modulus (base64url, no padding)
E string `json:"e,omitempty"` // RSA exponent (base64url, no padding)
Crv string `json:"crv,omitempty"` // EC curve ("P-256")
X string `json:"x,omitempty"` // EC x-coordinate (base64url, no padding)
Y string `json:"y,omitempty"` // EC y-coordinate (base64url, no padding)
}
JWK represents a JSON Web Key (RFC 7517). Only public key components are included — the struct intentionally omits private key fields (d, p, q, dp, dq, qi) so they cannot leak via JWKS.
func ECDSAPublicKeyToJWK ¶
ECDSAPublicKeyToJWK converts an ECDSA public key to a JWK. Uses pub.Bytes() (Go 1.25+) instead of deprecated X/Y fields.
func PublicKeyToJWK ¶
PublicKeyToJWK converts a crypto.PublicKey to a JWK, dispatching by key type.
type JWKSet ¶
type JWKSet struct {
Keys []JWK `json:"keys"`
}
JWKSet represents a JSON Web Key Set (RFC 7517 Section 5).