jwssign

package v0.5.0
Published: Apr 24, 2026 License: BSD-2-Clause Imports: 12 Imported by: 0

Documentation

Overview

Package jwssign implements JWS compact serialization signing via PKCS#11. It supports SoftHSM2 and YubiHSM2 backends for the 3-tier signing model (dev/softhsm/yubihsm).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ParsePKCS11URI

func ParsePKCS11URI(uri string) (module, token, pin string, err error)

ParsePKCS11URI parses a PKCS#11 URI into module, token, and pin components. Format: pkcs11:module=/path/to/lib.so;token=label;pin=1234
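As an added example (not jwssign's own code), the parser below accepts the documented URI shape and adds two checks a caller would want before handing the result to an HSM: unknown or repeated attributes are rejected rather than ignored, and a companion helper masks the pin attribute so the URI can be logged. The type name pkcs11Target, both function names and the SoftHSM2 library path in the sample are assumptions; jwssign.ParsePKCS11URI returns the same three values as plain strings.

```go
package main

import (
	"fmt"
	"strings"
)

// pkcs11Target is a hypothetical result type; jwssign.ParsePKCS11URI
// returns the same three values as separate strings.
type pkcs11Target struct {
	Module, Token, PIN string
}

// parsePKCS11URI accepts the shape the package documents,
//
//	pkcs11:module=/path/to/lib.so;token=label;pin=1234
//
// and rejects unknown or repeated attributes so a typo cannot silently
// select the wrong token or leave the PIN unset.
func parsePKCS11URI(uri string) (pkcs11Target, error) {
	var t pkcs11Target
	const scheme = "pkcs11:"
	if !strings.HasPrefix(uri, scheme) {
		return t, fmt.Errorf("not a pkcs11 URI")
	}
	seen := map[string]bool{}
	for _, attr := range strings.Split(strings.TrimPrefix(uri, scheme), ";") {
		if attr == "" {
			continue
		}
		k, v, ok := strings.Cut(attr, "=")
		if !ok || v == "" {
			// Report only the attribute name: the value may be the PIN.
			return t, fmt.Errorf("malformed attribute %q", k)
		}
		if seen[k] {
			return t, fmt.Errorf("attribute %q given twice", k)
		}
		seen[k] = true
		switch k {
		case "module":
			t.Module = v
		case "token":
			t.Token = v
		case "pin":
			t.PIN = v
		default:
			return t, fmt.Errorf("unsupported attribute %q", k)
		}
	}
	if t.Module == "" || t.Token == "" {
		return t, fmt.Errorf("pkcs11 URI must set module and token")
	}
	return t, nil
}

// redactPIN masks the pin attribute so the URI can appear in logs and error
// messages without leaking the token PIN.
func redactPIN(uri string) string {
	attrs := strings.Split(uri, ";")
	for i, attr := range attrs {
		if k, _, ok := strings.Cut(attr, "="); ok && strings.TrimPrefix(k, "pkcs11:") == "pin" {
			attrs[i] = k + "=****"
		}
	}
	return strings.Join(attrs, ";")
}

func main() {
	// Constructed sample; the SoftHSM2 library path varies by distribution.
	uri := "pkcs11:module=/usr/lib/softhsm/libsofthsm2.so;token=dev;pin=1234"
	t, err := parsePKCS11URI(uri)
	fmt.Printf("%s -> module=%s token=%s pin set=%t err=%v\n", redactPIN(uri), t.Module, t.Token, t.PIN != "", err)
}
```

Because the PIN travels inside the URI, anything that echoes the raw string (startup logs, error wrapping, crash reports) leaks it; pass the redacted form anywhere the URI is printed.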

Types

type Config

type Config struct {
	// PKCS11Module is the path to the PKCS#11 shared library.
	PKCS11Module string
	// TokenLabel is the PKCS#11 token label.
	TokenLabel string
	// PIN is the PKCS#11 token PIN.
	PIN string
	// KeyLabel is the label of the signing key in the HSM.
	KeyLabel string
	// KeyID is the hex ID of the key (default "01").
	KeyID string
	// Issuer is the JWT "iss" claim.
	Issuer string
	// JKU is the JWS Key URL header value.
	JKU string
}

Config holds the configuration for creating a Signer.

type Signer

type Signer struct {
	// contains filtered or unexported fields
}

Signer signs JSON payloads as JWS compact serialization.

func NewSigner

func NewSigner(cfg Config) (*Signer, error)

NewSigner creates a new JWS signer backed by a PKCS#11 key.

func NewSignerFromConfig

func NewSignerFromConfig(pkcs11URI, keyLabel, issuer, jku string) (*Signer, error)

NewSignerFromConfig creates a signer from a PKCS#11 URI string together with the key label, issuer and JKU values.

func (*Signer) Close

func (s *Signer) Close() error

Close releases the PKCS#11 context.

func (*Signer) JWKS

func (s *Signer) JWKS() jose.JSONWebKeySet

JWKS returns a JSON Web Key Set containing the public key.

func (*Signer) PublicJWK

func (s *Signer) PublicJWK() jose.JSONWebKey

PublicJWK returns the public key as a JSON Web Key.

func (*Signer) Sign

func (s *Signer) Sign(payload json.RawMessage) (string, error)

Sign signs a JSON payload and returns a JWS compact serialization string. The payload is wrapped in a JWT envelope with iss and iat claims.
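The following is an added example, not code from jwssign, covering what Sign, PublicJWK and JWKS produce and, more importantly for a consumer of these tokens, how to verify them. It uses an in-memory P-256 key in place of a PKCS#11 module (an HSM cannot be opened offline) and assumes ES256; the package's algorithm depends on the key type held in the HSM. The envelope's "payload" field name, the header fields and all function and type names are assumptions. The verifier deliberately resolves the kid against a locally pinned key set and never fetches the URL in the jku header, since that header is attacker-controlled until the signature has been checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// jwk is a minimal P-256 public JWK (assumed shape; jwssign returns a jose.JSONWebKey).
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
	Kid string `json:"kid"`
}

// envelope is the assumed JWT wrapper (the page says Sign adds iss and iat; "payload" is a guessed field name).
type envelope struct {
	Iss     string          `json:"iss"`
	Iat     int64           `json:"iat"`
	Payload json.RawMessage `json:"payload"`
}

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding

// fixed32 left-pads a P-256 scalar: JWK coordinates and ES256 R||S are fixed-width.
func fixed32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// decodePart base64url-decodes one JWS segment and parses it as JSON.
func decodePart(part string, v any) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// publicJWK exports the public key under a kid, as the package's PublicJWK does.
func publicJWK(pub *ecdsa.PublicKey, kid string) jwk {
	return jwk{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(fixed32(pub.X)), Y: b64.EncodeToString(fixed32(pub.Y)), Kid: kid}
}

// sign builds header.claims.signature with ES256; jku is set because Config carries one, and verify ignores it on purpose.
func sign(priv *ecdsa.PrivateKey, kid, issuer, jku string, iat int64, payload json.RawMessage) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid, "jku": jku}) // map of strings cannot fail
	claims, err := json.Marshal(envelope{Iss: issuer, Iat: iat, Payload: payload})
	if err != nil {
		return "", err // payload was not valid JSON
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// ES256 signatures are raw R||S (64 bytes), not ASN.1 DER.
	return signingInput + "." + b64.EncodeToString(append(fixed32(r), fixed32(s)...)), nil
}

// verify pins the algorithm, resolves kid against a local key set (never the jku URL), checks the signature, then the issuer.
func verify(token string, keys map[string]jwk, wantIss string) (json.RawMessage, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a JWS compact serialization")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches field names case-insensitively
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, err
	}
	key, ok := keys[hdr.Kid]
	if hdr.Alg != "ES256" || !ok { // the header is untrusted until the signature checks out
		return nil, fmt.Errorf("rejected alg %q / kid %q", hdr.Alg, hdr.Kid)
	}
	x, errX := b64.DecodeString(key.X)
	y, errY := b64.DecodeString(key.Y)
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return nil, fmt.Errorf("malformed key or signature encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature verification failed")
	}
	var claims envelope
	if err := decodePart(parts[1], &claims); err != nil {
		return nil, err
	}
	if claims.Iss != wantIss {
		return nil, fmt.Errorf("unexpected issuer %q", claims.Iss)
	}
	return claims.Payload, nil
}
```

There is no main here; call sign and verify from your own code or a test. The key set passed to verify is what a consumer should obtain once from the signer's published JWKS (the package's JWKS method) and pin, so that a token carrying a foreign jku or an unexpected alg is rejected before any cryptography runs.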

func (*Signer) SignAggregate

func (s *Signer) SignAggregate(dir, pattern, outputPath string) error

SignAggregate reads all JSON files matching a pattern, combines them into a list payload, signs it, and writes to the output path.

func (*Signer) SignDirectory

func (s *Signer) SignDirectory(dir, pattern string) ([]string, error)

SignDirectory signs all files matching a glob pattern in a directory.

func (*Signer) SignFile

func (s *Signer) SignFile(jsonPath string) (string, error)

SignFile reads a JSON file, signs it, and writes the JWS to a .jwt file.
