utils

package
v0.1.35 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 3, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

View Source
const MinRSAKeySize = 2048

MinRSAKeySize is the minimum allowed RSA key size in bits (NIST SP 800-57).

Variables

This section is empty.

Functions

func ComputeKid added in v0.0.38

func ComputeKid(key any, alg string) (string, error)

ComputeKid computes a deterministic key ID (kid) for JWT headers. For asymmetric keys, this implements RFC 7638 JWK Thumbprint. For HMAC keys ([]byte), it returns SHA-256 of the raw bytes, base64url-encoded. The result is always 43 characters (256-bit hash, base64url, no padding).

Supported key types:

  • []byte: SHA-256 of raw bytes (HS256/HS384/HS512)
  • *rsa.PublicKey or *rsa.PrivateKey: RFC 7638 thumbprint with {"e","kty","n"}
  • *ecdsa.PublicKey or *ecdsa.PrivateKey: RFC 7638 thumbprint with {"crv","kty","x","y"}

func DecodeVerifyKey

func DecodeVerifyKey(rawKey any, alg string) (any, error)

DecodeVerifyKey converts raw key material from a KeyStore into the appropriate type for JWT verification based on the algorithm.

  • For HMAC algorithms (HS256/HS384/HS512): returns the key as-is (expected to be []byte)
  • For RS256: if key is []byte, parses as PEM to *rsa.PublicKey; if already *rsa.PublicKey, returns as-is
  • For ES256: if key is []byte, parses as PEM to *ecdsa.PublicKey; if already *ecdsa.PublicKey, returns as-is

func EncodePrivateKeyPEM

func EncodePrivateKeyPEM(priv crypto.PrivateKey) ([]byte, error)

EncodePrivateKeyPEM encodes a crypto.PrivateKey to PKCS8 PEM format.

func EncodePublicKeyPEM

func EncodePublicKeyPEM(pub crypto.PublicKey) ([]byte, error)

EncodePublicKeyPEM encodes a crypto.PublicKey to PEM format.

func GenerateECDSAKeyPair

func GenerateECDSAKeyPair() (privPEM, pubPEM []byte, err error)

GenerateECDSAKeyPair generates an ECDSA P-256 key pair and returns PEM-encoded private and public keys.

func GenerateRSAKeyPair

func GenerateRSAKeyPair(bits int) (privPEM, pubPEM []byte, err error)

GenerateRSAKeyPair generates an RSA key pair and returns PEM-encoded private and public keys. Rejects key sizes below MinRSAKeySize (2048 bits) per NIST SP 800-57.

func IsAsymmetricAlg

func IsAsymmetricAlg(alg string) bool

IsAsymmetricAlg returns true if the algorithm uses asymmetric keys (RS256, ES256).

func JWKToPublicKey

func JWKToPublicKey(jwk JWK) (crypto.PublicKey, string, error)

JWKToPublicKey converts a JWK back to a crypto.PublicKey and returns the algorithm.

func ParsePrivateKeyPEM

func ParsePrivateKeyPEM(pemBytes []byte) (crypto.PrivateKey, error)

ParsePrivateKeyPEM parses a PEM-encoded private key (RSA or ECDSA, PKCS8 format).

func ParsePublicKeyPEM

func ParsePublicKeyPEM(pemBytes []byte) (crypto.PublicKey, error)

ParsePublicKeyPEM parses a PEM-encoded public key (RSA or ECDSA).

func SigningMethodForAlg

func SigningMethodForAlg(alg string) (jwt.SigningMethod, error)

SigningMethodForAlg returns the jwt.SigningMethod for the given algorithm string. Returns an error for unrecognized algorithms instead of silently defaulting to HS256. Empty string is treated as HS256 (default for single-tenant deployments).

Types

type FlaskAuth

type FlaskAuth struct {
	AppSecretKey string
	LogCookies   bool
}

func (*FlaskAuth) DecodeSessionCookie

func (f *FlaskAuth) DecodeSessionCookie(base64value string) (out StrMap, err error)

DecodeSessionCookie decodes a Flask session cookie from its base64 representation.

func (*FlaskAuth) DecodeSessionUserId

func (f *FlaskAuth) DecodeSessionUserId(userid string) (out []interface{})

DecodeSessionUserId decodes a Fernet-encrypted Flask session user ID.

func (*FlaskAuth) NormalizedSecretKey

func (f *FlaskAuth) NormalizedSecretKey() string

func (*FlaskAuth) ParseSignedCookieValue

func (f *FlaskAuth) ParseSignedCookieValue(value string) (parts []interface{}, sessmap StrMap)

ParseSignedCookieValue decodes a Flask session cookie and extracts the user ID parts.

type JWK

type JWK struct {
	Kty    string   `json:"kty"`           // "RSA" or "EC"
	Kid    string   `json:"kid"`           // key identifier (RFC 7638 thumbprint)
	Alg    string   `json:"alg"`           // "RS256" or "ES256"
	Use    string   `json:"use"`           // "sig"
	KeyOps []string `json:"key_ops"`       // ["verify"] — explicit usage restriction
	N      string   `json:"n,omitempty"`   // RSA modulus (base64url, no padding)
	E      string   `json:"e,omitempty"`   // RSA exponent (base64url, no padding)
	Crv    string   `json:"crv,omitempty"` // EC curve ("P-256")
	X      string   `json:"x,omitempty"`   // EC x-coordinate (base64url, no padding)
	Y      string   `json:"y,omitempty"`   // EC y-coordinate (base64url, no padding)
}

JWK represents a JSON Web Key (RFC 7517). Only public key components are included — the struct intentionally omits private key fields (d, p, q, dp, dq, qi) so they cannot leak via JWKS.

func ECDSAPublicKeyToJWK

func ECDSAPublicKeyToJWK(kid, alg string, pub *ecdsa.PublicKey) JWK

ECDSAPublicKeyToJWK converts an ECDSA public key to a JWK. Uses pub.Bytes() (Go 1.25+) instead of deprecated X/Y fields.

func PublicKeyToJWK

func PublicKeyToJWK(kid, alg string, pub crypto.PublicKey) (JWK, error)

PublicKeyToJWK converts a crypto.PublicKey to a JWK, dispatching by key type.

func RSAPublicKeyToJWK

func RSAPublicKeyToJWK(kid, alg string, pub *rsa.PublicKey) JWK

RSAPublicKeyToJWK converts an RSA public key to a JWK.

type JWKSet

type JWKSet struct {
	Keys []JWK `json:"keys"`
}

JWKSet represents a JSON Web Key Set (RFC 7517 Section 5).

type StrMap

type StrMap = map[string]any

StrMap is a convenience alias for map[string]any.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL