github.com/trustbloc/kms-go@v1.1.2/doc/jose/common.go (about) 1 /* 2 Copyright SecureKey Technologies Inc. All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package jose 8 9 import ( 10 "github.com/trustbloc/kms-go/crypto/tinkcrypto/primitive/composite/ecdh" 11 "github.com/trustbloc/kms-go/doc/jose/jwk" 12 ) 13 14 // IANA registered JOSE headers (https://tools.ietf.org/html/rfc7515#section-4.1) 15 const ( 16 // HeaderAlgorithm identifies: 17 // For JWS: the cryptographic algorithm used to secure the JWS. 18 // For JWE: the cryptographic algorithm used to encrypt or determine the value of the CEK. 19 HeaderAlgorithm = "alg" // string 20 21 // HeaderEncryption identifies the JWE content encryption algorithm. 22 HeaderEncryption = "enc" // string 23 24 // HeaderJWKSetURL is a URI that refers to a resource for a set of JSON-encoded public keys, one of which: 25 // For JWS: corresponds to the key used to digitally sign the JWS. 26 // For JWE: corresponds to the public key to which the JWE was encrypted. 27 HeaderJWKSetURL = "jku" // string 28 29 // HeaderJSONWebKey is: 30 // For JWS: the public key that corresponds to the key used to digitally sign the JWS. 31 // For JWE: the public key to which the JWE was encrypted. 32 HeaderJSONWebKey = "jwk" // JSON 33 34 // HeaderKeyID is a hint: 35 // For JWS: indicating which key was used to secure the JWS. 36 // For JWE: which references the public key to which the JWE was encrypted. 37 HeaderKeyID = "kid" // string 38 39 // HeaderSenderKeyID is a hint: 40 // For JWS: not used. 41 // For JWE: which references the (sender) public key used in the JWE key derivation/wrapping to encrypt the CEK. 42 HeaderSenderKeyID = "skid" // string 43 44 // HeaderX509URL is a URI that refers to a resource for the X.509 public key certificate or certificate chain: 45 // For JWS: corresponding to the key used to digitally sign the JWS. 46 // For JWE: corresponding to the public key to which the JWE was encrypted. 47 HeaderX509URL = "x5u" 48 49 // HeaderX509CertificateChain contains the X.509 public key certificate or certificate chain: 50 // For JWS: corresponding to the key used to digitally sign the JWS. 51 // For JWE: corresponding to the public key to which the JWE was encrypted. 52 HeaderX509CertificateChain = "x5c" 53 54 // HeaderX509CertificateDigest (X.509 certificate SHA-1 thumbprint) is a base64url-encoded 55 // SHA-1 thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate: 56 // For JWS: corresponding to the key used to digitally sign the JWS. 57 // For JWE: corresponding to the public key to which the JWE was encrypted. 58 HeaderX509CertificateDigestSha1 = "x5t" 59 60 // HeaderX509CertificateDigestSha256 (X.509 certificate SHA-256 thumbprint) is a base64url-encoded SHA-256 61 // thumbprint (a.k.a. digest) of the DER encoding of the X.509 certificate: 62 // For JWS: corresponding to the key used to digitally sign the JWS. 63 // For JWE: corresponding to the public key to which the JWE was encrypted. 64 HeaderX509CertificateDigestSha256 = "x5t#S256" // string 65 66 // HeaderType is: 67 // For JWS: used by JWS applications to declare the media type of this complete JWS. 68 // For JWE: used by JWE applications to declare the media type of this complete JWE. 69 HeaderType = "typ" // string 70 71 // HeaderContentType is used by JWS applications to declare the media type of: 72 // For JWS: the secured content (the payload). 73 // For JWE: the secured content (the plaintext). 74 HeaderContentType = "cty" // string 75 76 // HeaderCritical indicates that extensions to: 77 // For JWS: this JWS header specification and/or JWA are being used that MUST be understood and processed. 78 // For JWE: this JWE header specification and/or JWA are being used that MUST be understood and processed. 79 HeaderCritical = "crit" // array 80 81 // HeaderEPK is used by JWE applications to wrap/unwrap the CEK for a recipient. 82 HeaderEPK = "epk" // JSON 83 ) 84 85 // Header defined in https://tools.ietf.org/html/rfc7797 86 const ( 87 // HeaderB64 determines whether the payload is represented in the JWS and the JWS Signing 88 // Input as ASCII(BASE64URL(JWS Payload)) or as the JWS Payload value itself with no encoding performed. 89 HeaderB64Payload = "b64" // bool 90 // A256GCMALG is the default content encryption algorithm value as per 91 // the JWA specification: https://tools.ietf.org/html/rfc7518#section-5.1 92 A256GCMALG = "A256GCM" 93 // XC20PALG represents XChacha20Poly1305 content encryption algorithm value. 94 XC20PALG = "XC20P" 95 // A128CBCHS256ALG represents AES_128_CBC_HMAC_SHA_256 encryption algorithm value. 96 A128CBCHS256ALG = "A128CBC-HS256" 97 // A192CBCHS384ALG represents AES_192_CBC_HMAC_SHA_384 encryption algorithm value. 98 A192CBCHS384ALG = "A192CBC-HS384" 99 // A256CBCHS384ALG represents AES_256_CBC_HMAC_SHA_384 encryption algorithm value (not defined in JWA spec above). 100 A256CBCHS384ALG = "A256CBC-HS384" 101 // A256CBCHS512ALG represents AES_256_CBC_HMAC_SHA_512 encryption algorithm value. 102 A256CBCHS512ALG = "A256CBC-HS512" 103 ) 104 105 var aeadAlg = map[EncAlg]ecdh.AEADAlg{ //nolint:gochecknoglobals 106 A256GCM: ecdh.AES256GCM, 107 XC20P: ecdh.XC20P, 108 A128CBCHS256: ecdh.AES128CBCHMACSHA256, 109 A192CBCHS384: ecdh.AES192CBCHMACSHA384, 110 A256CBCHS384: ecdh.AES256CBCHMACSHA384, 111 A256CBCHS512: ecdh.AES256CBCHMACSHA512, 112 } 113 114 // Headers represents JOSE headers. 115 type Headers map[string]interface{} 116 117 // KeyID gets Key ID from JOSE headers. 118 func (h Headers) KeyID() (string, bool) { 119 return h.stringValue(HeaderKeyID) 120 } 121 122 // SenderKeyID gets the sender Key ID from Jose headers. 123 func (h Headers) SenderKeyID() (string, bool) { 124 return h.stringValue(HeaderSenderKeyID) 125 } 126 127 // Algorithm gets Algorithm from JOSE headers. 128 func (h Headers) Algorithm() (string, bool) { 129 return h.stringValue(HeaderAlgorithm) 130 } 131 132 // Encryption gets content encryption algorithm from JOSE headers. 133 func (h Headers) Encryption() (string, bool) { 134 return h.stringValue(HeaderEncryption) 135 } 136 137 // Type gets content encryption type from JOSE headers. 138 func (h Headers) Type() (string, bool) { 139 return h.stringValue(HeaderType) 140 } 141 142 // ContentType gets the payload content type from JOSE headers. 143 func (h Headers) ContentType() (string, bool) { 144 return h.stringValue(HeaderContentType) 145 } 146 147 func (h Headers) stringValue(key string) (string, bool) { 148 raw, ok := h[key] 149 if !ok { 150 return "", false 151 } 152 153 str, ok := raw.(string) 154 155 return str, ok 156 } 157 158 // JWK gets JWK from JOSE headers. 159 func (h Headers) JWK() (*jwk.JWK, bool) { 160 jwkRaw, ok := h[HeaderJSONWebKey] 161 if !ok { 162 return nil, false 163 } 164 165 var jwkKey jwk.JWK 166 167 err := convertMapToValue(jwkRaw, &jwkKey) 168 if err != nil { 169 return nil, false 170 } 171 172 return &jwkKey, true 173 }