github.com/trustbloc/kms-go@v1.1.2/doc/jose/common.go (about)

     1  /*
     2  Copyright SecureKey Technologies Inc. All Rights Reserved.
     3  
     4  SPDX-License-Identifier: Apache-2.0
     5  */
     6  
     7  package jose
     8  
     9  import (
    10  	"github.com/trustbloc/kms-go/crypto/tinkcrypto/primitive/composite/ecdh"
    11  	"github.com/trustbloc/kms-go/doc/jose/jwk"
    12  )
    13  
    14  // IANA registered JOSE headers (https://tools.ietf.org/html/rfc7515#section-4.1)
    15  const (
    16  	// HeaderAlgorithm identifies:
    17  	// For JWS: the cryptographic algorithm used to secure the JWS.
    18  	// For JWE: the cryptographic algorithm used to encrypt or determine the value of the CEK.
    19  	HeaderAlgorithm = "alg" // string
    20  
    21  	// HeaderEncryption identifies the JWE content encryption algorithm.
    22  	HeaderEncryption = "enc" // string
    23  
    24  	// HeaderJWKSetURL is a URI that refers to a resource for a set of JSON-encoded public keys, one of which:
    25  	// For JWS: corresponds to the key used to digitally sign the JWS.
    26  	// For JWE: corresponds to the public key to which the JWE was encrypted.
    27  	HeaderJWKSetURL = "jku" // string
    28  
    29  	// HeaderJSONWebKey is:
    30  	// For JWS: the public key that corresponds to the key used to digitally sign the JWS.
    31  	// For JWE: the public key to which the JWE was encrypted.
    32  	HeaderJSONWebKey = "jwk" // JSON
    33  
    34  	// HeaderKeyID is a hint:
    35  	// For JWS: indicating which key was used to secure the JWS.
    36  	// For JWE: which references the public key to which the JWE was encrypted.
    37  	HeaderKeyID = "kid" // string
    38  
    39  	// HeaderSenderKeyID is a hint:
    40  	// For JWS: not used.
    41  	// For JWE: which references the (sender) public key used in the JWE key derivation/wrapping to encrypt the CEK.
    42  	HeaderSenderKeyID = "skid" // string
    43  
    44  	// HeaderX509URL is a URI that refers to a resource for the X.509 public key certificate or certificate chain:
    45  	// For JWS: corresponding to the key used to digitally sign the JWS.
    46  	// For JWE: corresponding to the public key to which the JWE was encrypted.
    47  	HeaderX509URL = "x5u"
    48  
    49  	// HeaderX509CertificateChain contains the X.509 public key certificate or certificate chain:
    50  	// For JWS: corresponding to the key used to digitally sign the JWS.
    51  	// For JWE: corresponding to the public key to which the JWE was encrypted.
    52  	HeaderX509CertificateChain = "x5c"
    53  
    54  	// HeaderX509CertificateDigest (X.509 certificate SHA-1 thumbprint) is a base64url-encoded
    55  	// SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate:
    56  	// For JWS: corresponding to the key used to digitally sign the JWS.
    57  	// For JWE: corresponding to the public key to which the JWE was encrypted.
    58  	HeaderX509CertificateDigestSha1 = "x5t"
    59  
    60  	// HeaderX509CertificateDigestSha256 (X.509 certificate SHA-256 thumbprint) is a base64url-encoded SHA-256
    61  	// thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate:
    62  	// For JWS: corresponding to the key used to digitally sign the JWS.
    63  	// For JWE: corresponding to the public key to which the JWE was encrypted.
    64  	HeaderX509CertificateDigestSha256 = "x5t#S256" // string
    65  
    66  	// HeaderType is:
    67  	// For JWS: used by JWS applications to declare the media type of this complete JWS.
    68  	// For JWE: used by JWE applications to declare the media type of this complete JWE.
    69  	HeaderType = "typ" // string
    70  
    71  	// HeaderContentType is used by JWS applications to declare the media type of:
    72  	// For JWS: the secured content (the payload).
    73  	// For JWE: the secured content (the plaintext).
    74  	HeaderContentType = "cty" // string
    75  
    76  	// HeaderCritical indicates that extensions to:
    77  	// For JWS: this JWS header specification and/or JWA are being used that MUST be understood and processed.
    78  	// For JWE: this JWE header specification and/or JWA are being used that MUST be understood and processed.
    79  	HeaderCritical = "crit" // array
    80  
    81  	// HeaderEPK is used by JWE applications to wrap/unwrap the CEK for a recipient.
    82  	HeaderEPK = "epk" // JSON
    83  )
    84  
    85  // Header defined in https://tools.ietf.org/html/rfc7797
    86  const (
    87  	// HeaderB64 determines whether the payload is represented in the JWS and the JWS Signing
    88  	// Input as ASCII(BASE64URL(JWS Payload)) or as the JWS Payload value itself with no encoding performed.
    89  	HeaderB64Payload = "b64" // bool
    90  	// A256GCMALG is the default content encryption algorithm value as per
    91  	// the JWA specification: https://tools.ietf.org/html/rfc7518#section-5.1
    92  	A256GCMALG = "A256GCM"
    93  	// XC20PALG represents XChacha20Poly1305 content encryption algorithm value.
    94  	XC20PALG = "XC20P"
    95  	// A128CBCHS256ALG represents AES_128_CBC_HMAC_SHA_256 encryption algorithm value.
    96  	A128CBCHS256ALG = "A128CBC-HS256"
    97  	// A192CBCHS384ALG represents AES_192_CBC_HMAC_SHA_384 encryption algorithm value.
    98  	A192CBCHS384ALG = "A192CBC-HS384"
    99  	// A256CBCHS384ALG represents AES_256_CBC_HMAC_SHA_384 encryption algorithm value (not defined in JWA spec above).
   100  	A256CBCHS384ALG = "A256CBC-HS384"
   101  	// A256CBCHS512ALG represents AES_256_CBC_HMAC_SHA_512 encryption algorithm value.
   102  	A256CBCHS512ALG = "A256CBC-HS512"
   103  )
   104  
   105  var aeadAlg = map[EncAlg]ecdh.AEADAlg{ //nolint:gochecknoglobals
   106  	A256GCM:      ecdh.AES256GCM,
   107  	XC20P:        ecdh.XC20P,
   108  	A128CBCHS256: ecdh.AES128CBCHMACSHA256,
   109  	A192CBCHS384: ecdh.AES192CBCHMACSHA384,
   110  	A256CBCHS384: ecdh.AES256CBCHMACSHA384,
   111  	A256CBCHS512: ecdh.AES256CBCHMACSHA512,
   112  }
   113  
   114  // Headers represents JOSE headers.
   115  type Headers map[string]interface{}
   116  
   117  // KeyID gets Key ID from JOSE headers.
   118  func (h Headers) KeyID() (string, bool) {
   119  	return h.stringValue(HeaderKeyID)
   120  }
   121  
   122  // SenderKeyID gets the sender Key ID from Jose headers.
   123  func (h Headers) SenderKeyID() (string, bool) {
   124  	return h.stringValue(HeaderSenderKeyID)
   125  }
   126  
   127  // Algorithm gets Algorithm from JOSE headers.
   128  func (h Headers) Algorithm() (string, bool) {
   129  	return h.stringValue(HeaderAlgorithm)
   130  }
   131  
   132  // Encryption gets content encryption algorithm from JOSE headers.
   133  func (h Headers) Encryption() (string, bool) {
   134  	return h.stringValue(HeaderEncryption)
   135  }
   136  
   137  // Type gets content encryption type from JOSE headers.
   138  func (h Headers) Type() (string, bool) {
   139  	return h.stringValue(HeaderType)
   140  }
   141  
   142  // ContentType gets the payload content type from JOSE headers.
   143  func (h Headers) ContentType() (string, bool) {
   144  	return h.stringValue(HeaderContentType)
   145  }
   146  
   147  func (h Headers) stringValue(key string) (string, bool) {
   148  	raw, ok := h[key]
   149  	if !ok {
   150  		return "", false
   151  	}
   152  
   153  	str, ok := raw.(string)
   154  
   155  	return str, ok
   156  }
   157  
   158  // JWK gets JWK from JOSE headers.
   159  func (h Headers) JWK() (*jwk.JWK, bool) {
   160  	jwkRaw, ok := h[HeaderJSONWebKey]
   161  	if !ok {
   162  		return nil, false
   163  	}
   164  
   165  	var jwkKey jwk.JWK
   166  
   167  	err := convertMapToValue(jwkRaw, &jwkKey)
   168  	if err != nil {
   169  		return nil, false
   170  	}
   171  
   172  	return &jwkKey, true
   173  }