Documentation
¶
Index ¶
- func ComputeKid(key any, alg string) (string, error)
- func DecodeVerifyKey(rawKey any, alg string) (any, error)
- func EncodePrivateKeyPEM(priv crypto.PrivateKey) []byte
- func EncodePublicKeyPEM(pub crypto.PublicKey) ([]byte, error)
- func GenerateECDSAKeyPair() (privPEM, pubPEM []byte, err error)
- func GenerateRSAKeyPair(bits int) (privPEM, pubPEM []byte, err error)
- func IsAsymmetricAlg(alg string) bool
- func JWKToPublicKey(jwk JWK) (crypto.PublicKey, string, error)
- func ParsePrivateKeyPEM(pemBytes []byte) (crypto.PrivateKey, error)
- func ParsePublicKeyPEM(pemBytes []byte) (crypto.PublicKey, error)
- func SigningMethodForAlg(alg string) jwt.SigningMethod
- type FlaskAuth
- func (f *FlaskAuth) DecodeSessionCookie(base64value string) (out StrMap, err error)
- func (f *FlaskAuth) DecodeSessionUserId(userid string) (out []interface{})
- func (f *FlaskAuth) NormalizedSecretKey() string
- func (f *FlaskAuth) ParseSignedCookieValue(value string) (parts []interface{}, sessmap StrMap)
- type JWK
- type JWKSet
- type StrMap
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ComputeKid ¶ added in v0.0.38
ComputeKid computes a deterministic key ID (kid) for JWT headers. For asymmetric keys, this implements RFC 7638 JWK Thumbprint. For HMAC keys ([]byte), it returns SHA-256 of the raw bytes, base64url-encoded. The result is always 43 characters (256-bit hash, base64url, no padding).
Supported key types:
func DecodeVerifyKey ¶
DecodeVerifyKey converts raw key material from a KeyStore into the appropriate type for JWT verification based on the algorithm.
- For HMAC algorithms (HS256/HS384/HS512): returns the key as-is (expected to be []byte)
- For RS256: if key is []byte, parses as PEM to *rsa.PublicKey; if already *rsa.PublicKey, returns as-is
- For ES256: if key is []byte, parses as PEM to *ecdsa.PublicKey; if already *ecdsa.PublicKey, returns as-is
func EncodePrivateKeyPEM ¶
func EncodePrivateKeyPEM(priv crypto.PrivateKey) []byte
EncodePrivateKeyPEM encodes a crypto.PrivateKey to PKCS8 PEM format.
func EncodePublicKeyPEM ¶
EncodePublicKeyPEM encodes a crypto.PublicKey to PEM format.
func GenerateECDSAKeyPair ¶
GenerateECDSAKeyPair generates an ECDSA P-256 key pair and returns PEM-encoded private and public keys.
func GenerateRSAKeyPair ¶
GenerateRSAKeyPair generates an RSA key pair and returns PEM-encoded private and public keys.
func IsAsymmetricAlg ¶
IsAsymmetricAlg returns true if the algorithm uses asymmetric keys (RS256, ES256).
func JWKToPublicKey ¶
JWKToPublicKey converts a JWK back to a crypto.PublicKey and returns the algorithm.
func ParsePrivateKeyPEM ¶
func ParsePrivateKeyPEM(pemBytes []byte) (crypto.PrivateKey, error)
ParsePrivateKeyPEM parses a PEM-encoded private key (RSA or ECDSA, PKCS8 format).
func ParsePublicKeyPEM ¶
ParsePublicKeyPEM parses a PEM-encoded public key (RSA or ECDSA).
func SigningMethodForAlg ¶
func SigningMethodForAlg(alg string) jwt.SigningMethod
SigningMethodForAlg returns the jwt.SigningMethod for the given algorithm string.
Types ¶
type FlaskAuth ¶
func (*FlaskAuth) DecodeSessionCookie ¶
DecodeSessionCookie decodes a Flask session cookie from its base64 representation.
func (*FlaskAuth) DecodeSessionUserId ¶
DecodeSessionUserId decodes a Fernet-encrypted Flask session user ID.
func (*FlaskAuth) NormalizedSecretKey ¶
func (*FlaskAuth) ParseSignedCookieValue ¶
ParseSignedCookieValue decodes a Flask session cookie and extracts the user ID parts.
type JWK ¶
type JWK struct {
Kty string `json:"kty"` // "RSA" or "EC"
Kid string `json:"kid"` // key identifier (RFC 7638 thumbprint)
Alg string `json:"alg"` // "RS256" or "ES256"
Use string `json:"use"` // "sig"
KeyOps []string `json:"key_ops"` // ["verify"] — explicit usage restriction
N string `json:"n,omitempty"` // RSA modulus (base64url, no padding)
E string `json:"e,omitempty"` // RSA exponent (base64url, no padding)
Crv string `json:"crv,omitempty"` // EC curve ("P-256")
X string `json:"x,omitempty"` // EC x-coordinate (base64url, no padding)
Y string `json:"y,omitempty"` // EC y-coordinate (base64url, no padding)
}
JWK represents a JSON Web Key (RFC 7517). Only public key components are included — the struct intentionally omits private key fields (d, p, q, dp, dq, qi) so they cannot leak via JWKS.
func ECDSAPublicKeyToJWK ¶
ECDSAPublicKeyToJWK converts an ECDSA public key to a JWK.
func PublicKeyToJWK ¶
PublicKeyToJWK converts a crypto.PublicKey to a JWK, dispatching by key type.
type JWKSet ¶
type JWKSet struct {
Keys []JWK `json:"keys"`
}
JWKSet represents a JSON Web Key Set (RFC 7517 Section 5).