View File

@ -4,11 +4,11 @@ go 1.18
require ( require (
github.com/DATA-DOG/go-sqlmock v1.5.0 github.com/DATA-DOG/go-sqlmock v1.5.0
github.com/brianvoe/gofakeit/v6 v6.15.0 github.com/brianvoe/gofakeit/v6 v6.16.0
github.com/fasthttp/router v1.4.10 github.com/fasthttp/router v1.4.10
github.com/goccy/go-json v0.9.7 github.com/goccy/go-json v0.9.7
github.com/jmoiron/sqlx v1.3.5 github.com/jmoiron/sqlx v1.3.5
github.com/lestrrat-go/jwx v1.2.25 github.com/lestrrat-go/jwx/v2 v2.0.2
github.com/spf13/viper v1.12.0 github.com/spf13/viper v1.12.0
github.com/stretchr/testify v1.7.2 github.com/stretchr/testify v1.7.2
github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80 github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80
@ -21,7 +21,7 @@ require (
inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6 inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6
modernc.org/sqlite v1.17.3 modernc.org/sqlite v1.17.3
source.toby3d.me/toby3d/form v0.3.0 source.toby3d.me/toby3d/form v0.3.0
source.toby3d.me/toby3d/middleware v0.9.1 source.toby3d.me/toby3d/middleware v0.9.2
willnorris.com/go/microformats v1.1.1 willnorris.com/go/microformats v1.1.1
) )
@ -36,9 +36,9 @@ require (
github.com/hashicorp/hcl v1.0.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
github.com/klauspost/compress v1.15.6 // indirect github.com/klauspost/compress v1.15.6 // indirect
github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
github.com/lestrrat-go/blackmagic v1.0.1 // indirect github.com/lestrrat-go/blackmagic v1.0.1 // indirect
github.com/lestrrat-go/httpcc v1.0.1 // indirect github.com/lestrrat-go/httpcc v1.0.1 // indirect
github.com/lestrrat-go/httprc v1.0.1 // indirect
github.com/lestrrat-go/iter v1.0.2 // indirect github.com/lestrrat-go/iter v1.0.2 // indirect
github.com/lestrrat-go/option v1.0.0 // indirect github.com/lestrrat-go/option v1.0.0 // indirect
github.com/magiconair/properties v1.8.6 // indirect github.com/magiconair/properties v1.8.6 // indirect
@ -47,7 +47,6 @@ require (
github.com/pelletier/go-toml v1.9.5 // indirect github.com/pelletier/go-toml v1.9.5 // indirect
github.com/pelletier/go-toml/v2 v2.0.2 // indirect github.com/pelletier/go-toml/v2 v2.0.2 // indirect
github.com/philhofer/fwd v1.1.1 // indirect github.com/philhofer/fwd v1.1.1 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
github.com/savsgio/dictpool v0.0.0-20220406081701-03de5edb2e6d // indirect github.com/savsgio/dictpool v0.0.0-20220406081701-03de5edb2e6d // indirect
@ -62,10 +61,10 @@ require (
go4.org/intern v0.0.0-20220301175310-a089fc204883 // indirect go4.org/intern v0.0.0-20220301175310-a089fc204883 // indirect
go4.org/unsafe/assume-no-moving-gc v0.0.0-20211027215541-db492cf91b37 // indirect go4.org/unsafe/assume-no-moving-gc v0.0.0-20211027215541-db492cf91b37 // indirect
golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect
golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
golang.org/x/net v0.0.0-20220607020251-c690dde0001d // indirect golang.org/x/net v0.0.0-20220607020251-c690dde0001d // indirect
golang.org/x/sys v0.0.0-20220608164250-635b8c9b7f68 // indirect golang.org/x/sys v0.0.0-20220608164250-635b8c9b7f68 // indirect
golang.org/x/tools v0.1.10 // indirect golang.org/x/tools v0.1.11 // indirect
gopkg.in/ini.v1 v1.66.6 // indirect gopkg.in/ini.v1 v1.66.6 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect

View File

@ -47,8 +47,8 @@ github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY
github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
github.com/andybalholm/cascadia v1.0.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y= github.com/andybalholm/cascadia v1.0.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y=
github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA= github.com/bradfitz/gomemcache v0.0.0-20220106215444-fb4bf637b56d/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA=
github.com/brianvoe/gofakeit/v6 v6.15.0 h1:lJPGJZ2/07TRGDazyTzD5b18N3y4tmmJpdhCUw18FlI= github.com/brianvoe/gofakeit/v6 v6.16.0 h1:EelCqtfArd8ppJ0z+TpOxXH8sVWNPBadPNdCDSMMw7k=
github.com/brianvoe/gofakeit/v6 v6.15.0/go.mod h1:Ow6qC71xtwm79anlwKRlWZW6zVq9D2XHE4QSSMP/rU8= github.com/brianvoe/gofakeit/v6 v6.16.0/go.mod h1:Ow6qC71xtwm79anlwKRlWZW6zVq9D2XHE4QSSMP/rU8=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@ -62,7 +62,6 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc= github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 h1:YLtO71vCjJRCBcrPMtQ9nqBsqpA1m5sE92cU+pd5Mcc= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 h1:YLtO71vCjJRCBcrPMtQ9nqBsqpA1m5sE92cU+pd5Mcc=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs=
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
@ -185,18 +184,16 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A=
github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ=
github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80= github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80=
github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU= github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc= github.com/lestrrat-go/httprc v1.0.1 h1:Cnc4NxIySph38pQPzKbjg5OkKsGR/Cf5xcWt5OlSUDI=
github.com/lestrrat-go/httprc v1.0.1/go.mod h1:5Ml+nB++j6IC0e6LzefJnrpMQDKgDwDCaIQQzhbqhJM=
github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI= github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4= github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
github.com/lestrrat-go/jwx v1.2.25 h1:tAx93jN2SdPvFn08fHNAhqFJazn5mBBOB8Zli0g0otA= github.com/lestrrat-go/jwx/v2 v2.0.2 h1:wkq9jwCkF3xrykISzn0Eksd7NEMOZ9yvCdnEpovIJX8=
github.com/lestrrat-go/jwx v1.2.25/go.mod h1:zoNuZymNl5lgdcu6P7K6ie2QRll5HVfF4xwxBBK1NxY= github.com/lestrrat-go/jwx/v2 v2.0.2/go.mod h1:xV8+xRcrKbmnScV8adOzUuuTrL8aAZJoY4q2JAqIYU8=
github.com/lestrrat-go/option v1.0.0 h1:WqAWL8kh8VcSoD6xjSH34/1m8yxluXQbDeKNfvFeEO4= github.com/lestrrat-go/option v1.0.0 h1:WqAWL8kh8VcSoD6xjSH34/1m8yxluXQbDeKNfvFeEO4=
github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@ -230,7 +227,6 @@ github.com/pelletier/go-toml/v2 v2.0.2 h1:+jQXlF3scKIcSEKkdHzXhCTDLPFi5r1wnK6yPS
github.com/pelletier/go-toml/v2 v2.0.2/go.mod h1:MovirKjgVRESsAvNZlAjtFwV867yGuwRkXbG66OzopI= github.com/pelletier/go-toml/v2 v2.0.2/go.mod h1:MovirKjgVRESsAvNZlAjtFwV867yGuwRkXbG66OzopI=
github.com/philhofer/fwd v1.1.1 h1:GdGcTjf5RNAxwS4QLsiMzJYj5KEvPJD3Abr261yRQXQ= github.com/philhofer/fwd v1.1.1 h1:GdGcTjf5RNAxwS4QLsiMzJYj5KEvPJD3Abr261yRQXQ=
github.com/philhofer/fwd v1.1.1/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU= github.com/philhofer/fwd v1.1.1/go.mod h1:gk3iGcWd9+svBvR0sR+KPcfE+RNWozjowpeBVG3ZVNU=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg= github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@ -342,8 +338,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 h1:kQgndtyPBW/JIYERgdxfwMYh3AVStj88WQTlNDi2a+o= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -518,8 +514,8 @@ golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4f
golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
golang.org/x/tools v0.1.10 h1:QjFRCZxdOhBJ/UNgnBZLbNV13DlbnK0quyivTnXJM20= golang.org/x/tools v0.1.11 h1:loJ25fNOEhSXfHrpoGj91eCUThwdNX6u24rO1xnNteY=
golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -685,7 +681,7 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
source.toby3d.me/toby3d/form v0.3.0 h1:kI8apdFeVr+koqTTGVoIRiR5NMqjrhCJlajYlu+1bVw= source.toby3d.me/toby3d/form v0.3.0 h1:kI8apdFeVr+koqTTGVoIRiR5NMqjrhCJlajYlu+1bVw=
source.toby3d.me/toby3d/form v0.3.0/go.mod h1:drlHMC+j/gb5zsttCSwx8qcYsbaRW+wFfE8bK6y+oeY= source.toby3d.me/toby3d/form v0.3.0/go.mod h1:drlHMC+j/gb5zsttCSwx8qcYsbaRW+wFfE8bK6y+oeY=
source.toby3d.me/toby3d/middleware v0.9.1 h1:MjXDs57SbrIndEVFJHN36ZiO2OgnXNSajrLqa87vzZQ= source.toby3d.me/toby3d/middleware v0.9.2 h1:HInjjZaN7GTqlWq32XscJs4Wf0taFG6OhyTAJrED1vA=
source.toby3d.me/toby3d/middleware v0.9.1/go.mod h1:Z67Z26wyW5USWnAYBYiA6mLubyzsHkbY6sWuIzs4304= source.toby3d.me/toby3d/middleware v0.9.2/go.mod h1:MWedNnEpLCOk2rgjlfjpkn38t+1j53htSrp3lf6pC34=
willnorris.com/go/microformats v1.1.1 h1:h5tk2luq6KBIRcwMGdksxdeea4GGuWrRFie5460OAbo= willnorris.com/go/microformats v1.1.1 h1:h5tk2luq6KBIRcwMGdksxdeea4GGuWrRFie5460OAbo=
willnorris.com/go/microformats v1.1.1/go.mod h1:kvVnWrkkEscVAIITCEoiTX66Hcyg59C7q0E49mb9TJ0= willnorris.com/go/microformats v1.1.1/go.mod h1:kvVnWrkkEscVAIITCEoiTX66Hcyg59C7q0E49mb9TJ0=

View File

@ -95,6 +95,7 @@ func initLookup() {
addWeightedLookup() addWeightedLookup()
addMinecraftLookup() addMinecraftLookup()
addCelebrityLookup() addCelebrityLookup()
} }
// NewMapParams will create a new MapParams // NewMapParams will create a new MapParams

vendor/github.com/brianvoe/gofakeit/v6/sql.go generated vendored Normal file
View File

@ -0,0 +1,157 @@
package gofakeit
import (
type SQLOptions struct {
Table string `json:"table" xml:"table"` // Table name we are inserting into
Count int `json:"count" xml:"count"` // How many entries (tuples) we're generating
Fields []Field `json:"fields" xml:"fields"` // The fields to be generated
func SQL(so *SQLOptions) (string, error) { return sqlFunc(globalFaker.Rand, so) }
func (f *Faker) SQL(so *SQLOptions) (string, error) { return sqlFunc(f.Rand, so) }
func sqlFunc(r *rand.Rand, so *SQLOptions) (string, error) {
if so.Table == "" {
return "", errors.New("must provide table name to generate SQL")
if so.Fields == nil || len(so.Fields) <= 0 {
return "", errors.New(("must pass fields in order to generate SQL queries"))
if so.Count <= 0 {
return "", errors.New("must have entry count")
var sb strings.Builder
sb.WriteString("INSERT INTO " + so.Table + " ")
// Loop through each field and put together column names
var cols []string
for _, f := range so.Fields {
cols = append(cols, f.Name)
sb.WriteString("(" + strings.Join(cols, ", ") + ")")
sb.WriteString(" VALUES ")
for i := 0; i < so.Count; i++ {
// Start opening value
// Now, we need to add all of our fields
var endStr string
for ii, field := range so.Fields {
// Set end of value string
endStr = ", "
if ii == len(so.Fields)-1 {
endStr = ""
// If autoincrement, add based upon loop
if field.Function == "autoincrement" {
sb.WriteString(fmt.Sprintf("%d%s", i+1, endStr))
// Get the function info for the field
funcInfo := GetFuncLookup(field.Function)
if funcInfo == nil {
return "", errors.New("invalid function, " + field.Function + " does not exist")
// Generate the value
val, err := funcInfo.Generate(r, &field.Params, funcInfo)
if err != nil {
return "", err
// Convert the output value to the proper SQL type
convertType := sqlConvertType(funcInfo.Output, val)
// If its the last field, we need to close the value
sb.WriteString(convertType + endStr)
// If its the last value, we need to close the value
if i == so.Count-1 {
} else {
return sb.String(), nil
// sqlConvertType will take in a type and value and convert it to the proper SQL type
func sqlConvertType(t string, val interface{}) string {
switch t {
case "string":
return `'` + fmt.Sprintf("%v", val) + `'`
case "[]byte":
return `'` + fmt.Sprintf("%s", val) + `'`
return fmt.Sprintf("%v", val)
func addDatabaseSQLLookup() {
AddFuncLookup("sql", Info{
Display: "SQL",
Category: "database",
Description: "Generates an object or an array of objects in json format",
Example: `INSERT INTO people
(id, first_name, price, age, created_at)
(1, 'Markus', 804.92, 21, '1937-01-30 07:58:01'),
(2, 'Santino', 235.13, 40, '1964-07-07 22:25:40');`,
Output: "string",
ContentType: "application/sql",
Params: []Param{
{Field: "table", Display: "Table", Type: "string", Description: "Name of the table to insert into"},
{Field: "count", Display: "Count", Type: "int", Default: "100", Description: "Number of inserts to generate"},
{Field: "fields", Display: "Fields", Type: "[]Field", Description: "Fields containing key name and function to run in json format"},
Generate: func(r *rand.Rand, m *MapParams, info *Info) (interface{}, error) {
so := SQLOptions{}
table, err := info.GetString(m, "table")
if err != nil {
return nil, err
so.Table = table
count, err := info.GetInt(m, "count")
if err != nil {
return nil, err
so.Count = count
fieldsStr, err := info.GetStringArray(m, "fields")
if err != nil {
return nil, err
// Check to make sure fields has length
if len(fieldsStr) > 0 {
so.Fields = make([]Field, len(fieldsStr))
for i, f := range fieldsStr {
// Unmarshal fields string into fields array
err = json.Unmarshal([]byte(f), &so.Fields[i])
if err != nil {
return nil, err
return sqlFunc(r, &so)

View File

View File

View File

var rng Random
for _, option := range options {
switch option.Ident() {
case identInterval{}:
interval = option.Value().(time.Duration)
case identJitterFactor{}:
jitterFactor = option.Value().(float64)
case identRNG{}:
rng = option.Value().(Random)
return &ConstantInterval{
interval: interval,
jitter: newJitter(jitterFactor, rng),
func (g *ConstantInterval) Next() time.Duration {
return time.Duration(g.jitter.apply(float64(g.interval)))
type ConstantPolicy struct {
cOptions []ControllerOption
igOptions []ConstantOption
func NewConstantPolicy(options ...Option) *ConstantPolicy {
var cOptions []ControllerOption
var igOptions []ConstantOption
for _, option := range options {
switch opt := option.(type) {
case ControllerOption:
cOptions = append(cOptions, opt)
igOptions = append(igOptions, opt.(ConstantOption))
return &ConstantPolicy{
cOptions: cOptions,
igOptions: igOptions,
func (p *ConstantPolicy) Start(ctx context.Context) Controller {
ig := NewConstantInterval(p.igOptions...)
return newController(ctx, ig, p.cOptions...)

mu: &sync.RWMutex{},
next: make(chan struct{}, 1),
resetTimer: make(chan time.Duration, 1),
timer: time.NewTimer(ig.Next()),
// enqueue a single fake event so the user gets to retry once
c.next <- struct{}{}
go c.loop()
return c
func (c *controller) loop() {
for {
select {
case <-c.ctx.Done():
case d := <-c.resetTimer:
if !c.timer.Stop() {
select {
case <-c.timer.C:
case <-c.timer.C:
select {
case <-c.ctx.Done():
case c.next <- struct{}{}:
if c.maxRetries > 0 {
if !c.check() {
c.resetTimer <- c.ig.Next()
func (c *controller) check() bool {
if c.maxRetries > 0 && c.retries >= c.maxRetries {
return false
return true
func (c *controller) Done() <-chan struct{} {
defer c.mu.RUnlock()
return c.ctx.Done()
func (c *controller) Next() <-chan struct{} {
defer c.mu.RUnlock()
return c.next

View File

@ -1,14 +1,15 @@
# Binaries for programs and plugins # Binaries for programs and plugins
*.exe *.exe
*.dll *.dll
*.so *.so
*.dylib *.dylib
# Test binary, build with `go test -c` # Test binary, built with `go test -c`
*.test *.test
# Output of the go coverage tool, specifically when used with LiteIDE # Output of the go coverage tool, specifically when used with LiteIDE
*.out *.out
# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736 # Dependency directories (remove the comment below to include it)
.glide/ # vendor/

import (
const (
helloWorld = `Hello World!`
goodbyeWorld = `Goodbye World!`
func ExampleCache() {
var mu sync.RWMutex
msg := helloWorld
srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set(`Cache-Control`, fmt.Sprintf(`max-age=%d`, 2))
fmt.Fprint(w, msg)
defer srv.Close()
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
errSink := httprc.ErrSinkFunc(func(err error) {
fmt.Printf("%s\n", err)
c := httprc.NewCache(ctx,
httprc.WithRefreshWindow(time.Second), // force checks every second
httprc.WithHTTPClient(srv.Client()), // we need client with TLS settings
httprc.WithMinRefreshInterval(time.Second), // allow max-age=1 (smallest)
payload, err := c.Get(ctx, srv.URL)
if err != nil {
fmt.Printf("%s\n", err)
if string(payload.([]byte)) != helloWorld {
fmt.Printf("payload mismatch: %s\n", payload)
msg = goodbyeWorld
time.Sleep(4 * time.Second)
payload, err = c.Get(ctx, srv.URL)
if err != nil {
fmt.Printf("%s\n", err)
if string(payload.([]byte)) != goodbyeWorld {
fmt.Printf("payload mismatch: %s\n", payload)
source: [httprc_example_test.go](https://github.com/lestrrat-go/jwx/blob/main/httprc_example_test.go)
<!-- END INCLUDE -->
# Sequence Diagram
actor User
participant httprc.Cache
participant httprc.Storage
User->>httprc.Cache: Fetch URL `u`
activate httprc.Storage
httprc.Cache->>httprc.Storage: Fetch local cache for `u`
alt Cache exists
httprc.Storage-->httprc.Cache: Return local cache
httprc.Cache-->>User: Return data
Note over httprc.Storage: If the cache exists, there's nothing more to do.<br />The cached content will be updated periodically in httprc.Refresher
deactivate httprc.Storage
else Cache does not exist
activate httprc.Fetcher
httprc.Cache->>httprc.Fetcher: Fetch remote resource `u`
httprc.Fetcher-->>httprc.Cache: Return fetched data
deactivate httprc.Fetcher
httprc.Cache-->>User: Return data
httprc.Cache-)httprc.Refresher: Enqueue into auto-refresh queue
activate httprc.Refresher
loop Refresh Loop
Note over httprc.Storage,httprc.Fetcher: Cached contents are updated synchronously
httprc.Refresher->>httprc.Refresher: Wait until next refresh
httprc.Refresher-->>httprc.Fetcher: Request fetch
httprc.Fetcher->>httprc.Refresher: Return fetched data
httprc.Refresher-->>httprc.Storage: Store new version in cache
httprc.Refresher->>httprc.Refresher: Enqueue into auto-refresh queue (again)
deactivate httprc.Refresher

vendor/github.com/lestrrat-go/httprc/cache.go generated vendored Normal file
View File

@ -0,0 +1,171 @@
package httprc
import (
// ErrSink is an abstraction that allows users to consume errors
// produced while the cache queue is running.
type HTTPClient interface {
Get(string) (*http.Response, error)
// Cache represents a cache that stores resources locally, while
// periodically refreshing the contents based on HTTP header values
// and/or user-supplied hints.
// Refresh is performed _periodically_, and therefore the contents
// are not kept up-to-date in real time. The interval between checks
// for refreshes is called the refresh window.
// The default refresh window is 15 minutes. This means that if a
// resource is fetched is at time T, and it is supposed to be
// refreshed in 20 minutes, the next refresh for this resource will
// happen at T+30 minutes (15+15 minutes).
type Cache struct {
mu sync.RWMutex
queue *queue
wl Whitelist
const defaultRefreshWindow = 15 * time.Minute
// New creates a new Cache object.
// The context object in the argument controls the life-cycle of the
// auto-refresh worker. If you cancel the `ctx`, then the automatic
// refresh will stop working.
// Refresh will only be performed periodically where the interval between
// refreshes are controlled by the `refresh window` variable. For example,
// if the refresh window is every 5 minutes and the resource was queued
// to be refreshed at 7 minutes, the resource will be refreshed after 10
// minutes (in 2 refresh window time).
// The refresh window can be configured by using `httprc.WithRefreshWindow`
// option. If you want refreshes to be performed more often, provide a smaller
// refresh window. If you specify a refresh window that is smaller than 1
// second, it will automatically be set to the default value, which is 15
// minutes.
// Internally the HTTP fetching is done using a pool of HTTP fetch
// workers. The default number of workers is 3. You may change this
// number by specifying the `httprc.WithFetcherWorkerCount`
func NewCache(ctx context.Context, options ...CacheOption) *Cache {
var refreshWindow time.Duration
var errSink ErrSink
var wl Whitelist
var fetcherOptions []FetcherOption
for _, option := range options {
switch option.Ident() {
case identRefreshWindow{}:
refreshWindow = option.Value().(time.Duration)
case identFetcherWorkerCount{}, identWhitelist{}:
fetcherOptions = append(fetcherOptions, option)
case identErrSink{}:
errSink = option.Value().(ErrSink)
if refreshWindow < time.Second {
refreshWindow = defaultRefreshWindow
fetch := NewFetcher(ctx, fetcherOptions...)
queue := newQueue(ctx, refreshWindow, fetch, errSink)
return &Cache{
queue: queue,
wl: wl,
// Register configures a URL to be stored in the cache.
// For any given URL, the URL must be registered _BEFORE_ it is
// accessed using `Get()` method.
func (c *Cache) Register(u string, options ...RegisterOption) error {
defer c.mu.Unlock()
if wl := c.wl; wl != nil {
if !wl.IsAllowed(u) {
return fmt.Errorf(`httprc.Cache: url %q has been rejected by whitelist`, u)
return c.queue.Register(u, options...)
// Unregister removes the given URL `u` from the cache.
// Subsequent calls to `Get()` will fail until `u` is registered again.
func (c *Cache) Unregister(u string) error {
defer c.mu.Unlock()
return c.queue.Unregister(u)
// IsRegistered returns true if the given URL `u` has already been
// registered in the cache.
func (c *Cache) IsRegistered(u string) bool {
defer c.mu.RUnlock()
return c.queue.IsRegistered(u)
// Refresh is identical to Get(), except it always fetches the
// specified resource anew, and updates the cached content
func (c *Cache) Refresh(ctx context.Context, u string) (interface{}, error) {
return c.getOrFetch(ctx, u, true)
// Get returns the cached object.
// The context.Context argument is used to control the timeout for
// synchronous fetches, when they need to happen. Synchronous fetches
// will be performed when the cache does not contain the specified
// resource.
func (c *Cache) Get(ctx context.Context, u string) (interface{}, error) {
return c.getOrFetch(ctx, u, false)
func (c *Cache) getOrFetch(ctx context.Context, u string, forceRefresh bool) (interface{}, error) {
e, ok := c.queue.getRegistered(u)
if !ok {
return nil, fmt.Errorf(`url %q is not registered (did you make sure to call Register() first?)`, u)
// Only one goroutine may enter this section.
// has this entry been fetched? (but ignore and do a fetch
// if forceRefresh is true)
if forceRefresh || !e.hasBeenFetched() {
if err := c.queue.fetchAndStore(ctx, e); err != nil {
return nil, fmt.Errorf(`failed to fetch %q: %w`, u, err)
data := e.data
return data, nil
func (c *Cache) Snapshot() *Snapshot {
defer c.mu.RUnlock()
return c.queue.snapshot()

vendor/github.com/lestrrat-go/httprc/fetcher.go generated vendored Normal file
View File

@ -0,0 +1,182 @@
package httprc
import (
type fetchRequest struct {
mu sync.RWMutex
// client contains the HTTP Client that can be used to make a
// request. By setting a custom *http.Client, you can for example
// provide a custom http.Transport
// If not specified, http.DefaultClient will be used.
client HTTPClient
wl Whitelist
// u contains the URL to be fetched
url string
// reply is a field that is only used by the internals of the fetcher
// it is used to return the result of fetching
reply chan *fetchResult
type fetchResult struct {
mu sync.RWMutex
res *http.Response
err error
func (fr *fetchResult) reply(ctx context.Context, reply chan *fetchResult) error {
select {
case <-ctx.Done():
return ctx.Err()
case reply <- fr:
return nil
type fetcher struct {
requests chan *fetchRequest
type Fetcher interface {
Fetch(context.Context, string, ...FetchOption) (*http.Response, error)
fetch(context.Context, *fetchRequest) (*http.Response, error)
func NewFetcher(ctx context.Context, options ...FetcherOption) Fetcher {
var nworkers int
var wl Whitelist
for _, option := range options {
switch option.Ident() {
case identFetcherWorkerCount{}:
nworkers = option.Value().(int)
case identWhitelist{}:
wl = option.Value().(Whitelist)
if nworkers < 1 {
nworkers = 3
incoming := make(chan *fetchRequest)
for i := 0; i < nworkers; i++ {
go runFetchWorker(ctx, incoming, wl)
return &fetcher{
requests: incoming,
func (f *fetcher) Fetch(ctx context.Context, u string, options ...FetchOption) (*http.Response, error) {
var client HTTPClient
var wl Whitelist
for _, option := range options {
switch option.Ident() {
case identHTTPClient{}:
client = option.Value().(HTTPClient)
case identWhitelist{}:
wl = option.Value().(Whitelist)
req := fetchRequest{
client: client,
url: u,
wl: wl,
return f.fetch(ctx, &req)
// fetch (unexported) is the main fetching implemntation.
// it allows the caller to reuse the same *fetchRequest object
func (f *fetcher) fetch(ctx context.Context, req *fetchRequest) (*http.Response, error) {
reply := make(chan *fetchResult, 1)
req.reply = reply
// Send a request to the backend
select {
case <-ctx.Done():
return nil, ctx.Err()
case f.requests <- req:
// wait until we get a reply
select {
case <-ctx.Done():
return nil, ctx.Err()
case fr := <-reply:
res := fr.res
err := fr.err
return res, err
func runFetchWorker(ctx context.Context, incoming chan *fetchRequest, wl Whitelist) {
for {
select {
case <-ctx.Done():
break LOOP
case req := <-incoming:
reply := req.reply
client := req.client
if client == nil {
client = http.DefaultClient
url := req.url
reqwl := req.wl
var wls []Whitelist
for _, v := range []Whitelist{wl, reqwl} {
if v != nil {
wls = append(wls, v)
if len(wls) > 0 {
for _, wl := range wls {
if !wl.IsAllowed(url) {
r := &fetchResult{
err: fmt.Errorf(`fetching url %q rejected by whitelist`, url),
if err := r.reply(ctx, reply); err != nil {
break LOOP
continue LOOP
// The body is handled by the consumer of the fetcher
res, err := client.Get(url)
r := &fetchResult{
res: res,
err: err,
if err := r.reply(ctx, reply); err != nil {
break LOOP

vendor/github.com/lestrrat-go/httprc/httprc.go generated vendored Normal file
View File

@ -0,0 +1,22 @@
//go:generate tools/genoptions.sh
// Package httprc implements a cache for resources available
// over http(s). Its aim is not only to cache these resources so
// that it saves on HTTP roundtrips, but it also periodically
// attempts to auto-refresh these resources once they are cached
// based on the user-specified intervals and HTTP `Expires` and
// `Cache-Control` headers, thus keeping the entries _relatively_ fresh.
package httprc
import "fmt"
// RefreshError is the underlying error type that is sent to
// the `httprc.ErrSink` objects
type RefreshError struct {
URL string
Err error
func (re *RefreshError) Error() string {
return fmt.Sprintf(`refresh error (%q): %s`, re.URL, re.Err)

vendor/github.com/lestrrat-go/httprc/options.yaml generated vendored Normal file
View File

@ -0,0 +1,119 @@
package_name: httprc
output: options_gen.go
- name: RegisterOption
comment: |
RegisterOption desribes options that can be passed to `(httprc.Cache).Register()`
- name: CacheOption
comment: |
CacheOption desribes options that can be passed to `New()`
- name: FetcherOption
- cacheOption
comment: |
FetcherOption describes options that can be passed to `(httprc.Fetcher).NewFetcher()`
- name: FetchOption
comment: |
FetchOption describes options that can be passed to `(httprc.Fetcher).Fetch()`
- name: FetchRegisterOption
- fetchOption
- registerOption
- name: FetchFetcherRegisterOption
- fetchOption
- fetcherOption
- registerOption
- ident: FetcherWorkerCount
interface: FetcherOption
argument_type: int
comment: |
WithFetchWorkerCount specifies the number of HTTP fetch workers that are spawned
in the backend. By default 3 workers are spawned.
- ident: Whitelist
interface: FetchFetcherRegisterOption
argument_type: Whitelist
comment: |
WithWhitelist specifies the Whitelist object that can control which URLs are
allowed to be processed.
It can be passed to `httprc.NewCache` as a whitelist applied to all
URLs that are fetched by the cache, or it can be passed on a per-URL
basis using `(httprc.Cache).Register()`. If both are specified,
the url must fulfill _both_ the cache-wide whitelist and the per-URL
- ident: Transformer
interface: RegisterOption
argument_type: Transformer
comment: |
WithTransformer specifies the `httprc.Transformer` object that should be applied
to the fetched resource. The `Transform()` method is only called if the HTTP request
returns a `200 OK` status.
- ident: HTTPClient
interface: FetchRegisterOption
argument_type: HTTPClient
comment: |
WithHTTPClient specififes the HTTP Client object that should be used to fetch
the resource. For example, if you need an `*http.Client` instance that requires
special TLS or Authorization setup, you might want to pass it using this option.
- ident: MinRefreshInterval
interface: RegisterOption
argument_type: time.Duration
comment: |
WithMinRefreshInterval specifies the minimum refresh interval to be used.
When we fetch the key from a remote URL, we first look at the `max-age`
directive from `Cache-Control` response header. If this value is present,
we compare the `max-age` value and the value specified by this option
and take the larger one (e.g. if `max-age` = 5 minutes and `min refresh` = 10
minutes, then next fetch will happen in 10 minutes)
Next we check for the `Expires` header, and similarly if the header is
present, we compare it against the value specified by this option,
and take the larger one.
Finally, if neither of the above headers are present, we use the
value specified by this option as the interval until the next refresh.
If unspecified, the minimum refresh interval is 1 hour.
This value and the header values are ignored if `WithRefreshInterval` is specified.
- ident: RefreshInterval
interface: RegisterOption
argument_type: time.Duration
comment: |
WithRefreshInterval specifies the static interval between refreshes
of resources controlled by `httprc.Cache`.
Providing this option overrides the adaptive token refreshing based
on Cache-Control/Expires header (and `httprc.WithMinRefreshInterval`),
and refreshes will *always* happen in this interval.
You generally do not want to make this value too small, as it can easily
be considered a DoS attack, and there is no backoff mechanism for failed
- ident: RefreshWindow
interface: CacheOption
argument_type: time.Duration
comment: |
WithRefreshWindow specifies the interval between checks for refreshes.
`httprc.Cache` does not check for refreshes in exact intervals. Instead,
it wakes up at every tick that occurs in the interval specified by
`WithRefreshWindow` option, and refreshes all entries that need to be
refreshed within this window.
The default value is 15 minutes.
You generally do not want to make this value too small, as it can easily
be considered a DoS attack, and there is no backoff mechanism for failed
- ident: ErrSink
interface: CacheOption
argument_type: ErrSink
comment: |
WithErrSink specifies the `httprc.ErrSink` object that handles errors
that occurred during the cache's execution. For example, you will be
able to intercept errors that occurred during the execution of Transformers.

vendor/github.com/lestrrat-go/httprc/options_gen.go generated vendored Normal file
View File

@ -0,0 +1,221 @@
// This file is auto-generated by github.com/lestrrat-go/option/cmd/genoptions. DO NOT EDIT
package httprc
import (
type Option = option.Interface
// CacheOption desribes options that can be passed to `New()`
type CacheOption interface {
type cacheOption struct {
func (*cacheOption) cacheOption() {}
type FetchFetcherRegisterOption interface {
type fetchFetcherRegisterOption struct {
func (*fetchFetcherRegisterOption) fetchOption() {}
func (*fetchFetcherRegisterOption) fetcherOption() {}
func (*fetchFetcherRegisterOption) registerOption() {}
// FetchOption describes options that can be passed to `(httprc.Fetcher).Fetch()`
type FetchOption interface {
type fetchOption struct {
func (*fetchOption) fetchOption() {}
type FetchRegisterOption interface {
type fetchRegisterOption struct {
func (*fetchRegisterOption) fetchOption() {}
func (*fetchRegisterOption) registerOption() {}
// FetcherOption describes options that can be passed to `(httprc.Fetcher).NewFetcher()`
type FetcherOption interface {
type fetcherOption struct {
func (*fetcherOption) cacheOption() {}
// RegisterOption desribes options that can be passed to `(httprc.Cache).Register()`
type RegisterOption interface {
type registerOption struct {
func (*registerOption) registerOption() {}
type identErrSink struct{}
type identFetcherWorkerCount struct{}
type identHTTPClient struct{}
type identMinRefreshInterval struct{}
type identRefreshInterval struct{}
type identRefreshWindow struct{}
type identTransformer struct{}
type identWhitelist struct{}
func (identErrSink) String() string {
return "WithErrSink"
func (identFetcherWorkerCount) String() string {
return "WithFetcherWorkerCount"
func (identHTTPClient) String() string {
return "WithHTTPClient"
func (identMinRefreshInterval) String() string {
return "WithMinRefreshInterval"
func (identRefreshInterval) String() string {
return "WithRefreshInterval"
func (identRefreshWindow) String() string {
return "WithRefreshWindow"
func (identTransformer) String() string {
return "WithTransformer"
func (identWhitelist) String() string {
return "WithWhitelist"
// WithErrSink specifies the `httprc.ErrSink` object that handles errors
// that occurred during the cache's execution. For example, you will be
// able to intercept errors that occurred during the execution of Transformers.
func WithErrSink(v ErrSink) CacheOption {
return &cacheOption{option.New(identErrSink{}, v)}
// WithFetchWorkerCount specifies the number of HTTP fetch workers that are spawned
// in the backend. By default 3 workers are spawned.
func WithFetcherWorkerCount(v int) FetcherOption {
return &fetcherOption{option.New(identFetcherWorkerCount{}, v)}
// WithHTTPClient specififes the HTTP Client object that should be used to fetch
// the resource. For example, if you need an `*http.Client` instance that requires
// special TLS or Authorization setup, you might want to pass it using this option.
func WithHTTPClient(v HTTPClient) FetchRegisterOption {
return &fetchRegisterOption{option.New(identHTTPClient{}, v)}
// WithMinRefreshInterval specifies the minimum refresh interval to be used.
// When we fetch the key from a remote URL, we first look at the `max-age`
// directive from `Cache-Control` response header. If this value is present,
// we compare the `max-age` value and the value specified by this option
// and take the larger one (e.g. if `max-age` = 5 minutes and `min refresh` = 10
// minutes, then next fetch will happen in 10 minutes)
// Next we check for the `Expires` header, and similarly if the header is
// present, we compare it against the value specified by this option,
// and take the larger one.
// Finally, if neither of the above headers are present, we use the
// value specified by this option as the interval until the next refresh.
// If unspecified, the minimum refresh interval is 1 hour.
// This value and the header values are ignored if `WithRefreshInterval` is specified.
func WithMinRefreshInterval(v time.Duration) RegisterOption {
return &registerOption{option.New(identMinRefreshInterval{}, v)}
// WithRefreshInterval specifies the static interval between refreshes
// of resources controlled by `httprc.Cache`.
// Providing this option overrides the adaptive token refreshing based
// on Cache-Control/Expires header (and `httprc.WithMinRefreshInterval`),
// and refreshes will *always* happen in this interval.
// You generally do not want to make this value too small, as it can easily
// be considered a DoS attack, and there is no backoff mechanism for failed
// attempts.
func WithRefreshInterval(v time.Duration) RegisterOption {
return &registerOption{option.New(identRefreshInterval{}, v)}
// WithRefreshWindow specifies the interval between checks for refreshes.
// `httprc.Cache` does not check for refreshes in exact intervals. Instead,
// it wakes up at every tick that occurs in the interval specified by
// `WithRefreshWindow` option, and refreshes all entries that need to be
// refreshed within this window.
// The default value is 15 minutes.
// You generally do not want to make this value too small, as it can easily
// be considered a DoS attack, and there is no backoff mechanism for failed
// attempts.
func WithRefreshWindow(v time.Duration) CacheOption {
return &cacheOption{option.New(identRefreshWindow{}, v)}
// WithTransformer specifies the `httprc.Transformer` object that should be applied
// to the fetched resource. The `Transform()` method is only called if the HTTP request
// returns a `200 OK` status.
func WithTransformer(v Transformer) RegisterOption {
return &registerOption{option.New(identTransformer{}, v)}
// WithWhitelist specifies the Whitelist object that can control which URLs are
// allowed to be processed.
// It can be passed to `httprc.NewCache` as a whitelist applied to all
// URLs that are fetched by the cache, or it can be passed on a per-URL
// basis using `(httprc.Cache).Register()`. If both are specified,
// the url must fulfill _both_ the cache-wide whitelist and the per-URL
// whitelist.
func WithWhitelist(v Whitelist) FetchFetcherRegisterOption {
return &fetchFetcherRegisterOption{option.New(identWhitelist{}, v)}

vendor/github.com/lestrrat-go/httprc/queue.go generated vendored Normal file
View File

@ -0,0 +1,446 @@
package httprc
import (
// ErrSink is an abstraction that allows users to consume errors
// produced while the cache queue is running.
type ErrSink interface {
// Error accepts errors produced during the cache queue's execution.
// The method should never block, otherwise the fetch loop may be
// paused for a prolonged amount of time.
type ErrSinkFunc func(err error)
func (f ErrSinkFunc) Error(err error) {
// Transformer is responsible for converting an HTTP response
// into an appropriate form of your choosing.
type Transformer interface {
// Transform receives an HTTP response object, and should
// return an appropriate object that suits your needs.
// If you happen to use the response body, you are responsible
// for closing the body
Transform(string, *http.Response) (interface{}, error)
type TransformFunc func(string, *http.Response) (interface{}, error)
func (f TransformFunc) Transform(u string, res *http.Response) (interface{}, error) {
return f(u, res)
// BodyBytes is the default Transformer applied to all resources.
// It takes an *http.Response object and extracts the body
// of the response as `[]byte`
type BodyBytes struct{}
func (BodyBytes) Transform(_ string, res *http.Response) (interface{}, error) {
buf, err := ioutil.ReadAll(res.Body)
defer res.Body.Close()
if err != nil {
return nil, fmt.Errorf(`failed to read response body: %w`, err)
return buf, nil
type rqentry struct {
fireAt time.Time
url string
// entry represents a resource to be fetched over HTTP,
// long with optional specifications such as the *http.Client
// object to use.
type entry struct {
mu sync.RWMutex
sem chan struct{}
lastFetch time.Time
// Interval between refreshes are calculated two ways.
// 1) You can set an explicit refresh interval by using WithRefreshInterval().
// In this mode, it doesn't matter what the HTTP response says in its
// Cache-Control or Expires headers
// 2) You can let us calculate the time-to-refresh based on the key's
// Cache-Control or Expires headers.
// First, the user provides us the absolute minimum interval before
// refreshes. We will never check for refreshes before this specified
// amount of time.
// Next, max-age directive in the Cache-Control header is consulted.
// If `max-age` is not present, we skip the following section, and
// proceed to the next option.
// If `max-age > user-supplied minimum interval`, then we use the max-age,
// otherwise the user-supplied minimum interval is used.
// Next, the value specified in Expires header is consulted.
// If the header is not present, we skip the following seciont and
// proceed to the next option.
// We take the time until expiration `expires - time.Now()`, and
// if `time-until-expiration > user-supplied minimum interval`, then
// we use the expires value, otherwise the user-supplied minimum interval is used.
// If all of the above fails, we used the user-supplied minimum interval
refreshInterval time.Duration
minRefreshInterval time.Duration
request *fetchRequest
transform Transformer
data interface{}
func (e *entry) acquireSem() {
e.sem <- struct{}{}
func (e *entry) releaseSem() {
func (e *entry) hasBeenFetched() bool {
defer e.mu.RUnlock()
return !e.lastFetch.IsZero()
// queue is responsible for updating the contents of the storage
type queue struct {
mu sync.RWMutex
registry map[string]*entry
windowSize time.Duration
fetch Fetcher
fetchCond *sync.Cond
fetchQueue []*rqentry
// list is a sorted list of urls to their expected fire time
// when we get a new tick in the RQ loop, we process everything
// that can be fired up to the point the tick was called
list []*rqentry
func newQueue(ctx context.Context, window time.Duration, fetch Fetcher, errSink ErrSink) *queue {
fetchLocker := &sync.Mutex{}
rq := &queue{
windowSize: window,
fetch: fetch,
fetchCond: sync.NewCond(fetchLocker),
registry: make(map[string]*entry),
go rq.refreshLoop(ctx, errSink)
return rq
func (q *queue) Register(u string, options ...RegisterOption) error {
var refreshInterval time.Duration
var client HTTPClient
var wl Whitelist
var transform Transformer = BodyBytes{}
minRefreshInterval := 15 * time.Minute
for _, option := range options {
switch option.Ident() {
case identHTTPClient{}:
client = option.Value().(HTTPClient)
case identRefreshInterval{}:
refreshInterval = option.Value().(time.Duration)
case identMinRefreshInterval{}:
minRefreshInterval = option.Value().(time.Duration)
case identTransformer{}:
transform = option.Value().(Transformer)
case identWhitelist{}:
wl = option.Value().(Whitelist)
rWindow := q.windowSize
if refreshInterval > 0 && refreshInterval < rWindow {
return fmt.Errorf(`refresh interval (%s) is smaller than refresh window (%s): this will not as expected`, refreshInterval, rWindow)
e := entry{
sem: make(chan struct{}, 1),
minRefreshInterval: minRefreshInterval,
transform: transform,
refreshInterval: refreshInterval,
request: &fetchRequest{
client: client,
url: u,
wl: wl,
q.registry[u] = &e
return nil
func (q *queue) Unregister(u string) error {
defer q.mu.Unlock()
_, ok := q.registry[u]
if !ok {
return fmt.Errorf(`url %q has not been registered`, u)
delete(q.registry, u)
return nil
func (q *queue) getRegistered(u string) (*entry, bool) {
e, ok := q.registry[u]
return e, ok
func (q *queue) IsRegistered(u string) bool {
_, ok := q.getRegistered(u)
return ok
func (q *queue) fetchLoop(ctx context.Context, errSink ErrSink) {
for {
for len(q.fetchQueue) <= 0 {
select {
case <-ctx.Done():
list := make([]*rqentry, len(q.fetchQueue))
copy(list, q.fetchQueue)
q.fetchQueue = q.fetchQueue[:0]
for _, rq := range list {
select {
case <-ctx.Done():
e, ok := q.getRegistered(rq.url)
if !ok {
if err := q.fetchAndStore(ctx, e); err != nil {
if errSink != nil {
URL: rq.url,
Err: err,
// This loop is responsible for periodically updating the cached content
func (q *queue) refreshLoop(ctx context.Context, errSink ErrSink) {
// Tick every q.windowSize duration.
ticker := time.NewTicker(q.windowSize)
go q.fetchLoop(ctx, errSink)
defer q.fetchCond.Signal()
for {
select {
case <-ctx.Done():
case t := <-ticker.C:
t = t.Round(time.Second)
// To avoid getting stuck here, we just copy the relevant
// items, and release the lock within this critical section
var list []*rqentry
var max int
for i, r := range q.list {
if r.fireAt.Before(t) || r.fireAt.Equal(t) {
max = i
list = append(list, r)
if len(list) > 0 {
q.list = q.list[max+1:]
q.mu.Unlock() // release lock
if len(list) > 0 {
// Now we need to fetch these, but do this elsewhere so
// that we don't block this main loop
q.fetchQueue = append(q.fetchQueue, list...)
func (q *queue) fetchAndStore(ctx context.Context, e *entry) error {
defer e.mu.Unlock()
// synchronously go fetch
e.lastFetch = time.Now()
res, err := q.fetch.fetch(ctx, e.request)
if err != nil {
// Even if the request failed, we need to queue the next fetch
q.enqueueNextFetch(nil, e)
return fmt.Errorf(`failed to fetch %q: %w`, e.request.url, err)
q.enqueueNextFetch(res, e)
data, err := e.transform.Transform(e.request.url, res)
if err != nil {
return fmt.Errorf(`failed to transform HTTP response for %q: %w`, e.request.url, err)
e.data = data
return nil
func (q *queue) Enqueue(u string, interval time.Duration) error {
fireAt := time.Now().Add(interval).Round(time.Second)
defer q.mu.Unlock()
list := q.list
ll := len(list)
if ll == 0 || list[ll-1].fireAt.Before(fireAt) {
list = append(list, &rqentry{
fireAt: fireAt,
url: u,
} else {
for i := 0; i < ll; i++ {
if i == ll-1 || list[i].fireAt.After(fireAt) {
// insert here
list = append(append(list[:i], &rqentry{fireAt: fireAt, url: u}), list[i:]...)
q.list = list
return nil
func (q *queue) MarshalJSON() ([]byte, error) {
var buf bytes.Buffer
for i, e := range q.list {
if i > 0 {
fmt.Fprintf(&buf, `{"fire_at":%q,"url":%q}`, e.fireAt.Format(time.RFC3339), e.url)
return buf.Bytes(), nil
func (q *queue) enqueueNextFetch(res *http.Response, e *entry) {
dur := calculateRefreshDuration(res, e)
// TODO send to error sink
_ = q.Enqueue(e.request.url, dur)
func calculateRefreshDuration(res *http.Response, e *entry) time.Duration {
if e.refreshInterval > 0 {
return e.refreshInterval
if res != nil {
if v := res.Header.Get(`Cache-Control`); v != "" {
dir, err := httpcc.ParseResponse(v)
if err == nil {
maxAge, ok := dir.MaxAge()
if ok {
resDuration := time.Duration(maxAge) * time.Second
if resDuration > e.minRefreshInterval {
return resDuration
return e.minRefreshInterval
// fallthrough
// fallthrough
if v := res.Header.Get(`Expires`); v != "" {
expires, err := http.ParseTime(v)
if err == nil {
resDuration := time.Until(expires)
if resDuration > e.minRefreshInterval {
return resDuration
return e.minRefreshInterval
// fallthrough
// Previous fallthroughs are a little redandunt, but hey, it's all good.
return e.minRefreshInterval
type SnapshotEntry struct {
URL string `json:"url"`
Data interface{} `json:"data"`
LastFetched time.Time `json:"last_fetched"`
type Snapshot struct {
Entries []SnapshotEntry `json:"entries"`
// Snapshot returns the contents of the cache at the given moment.
func (q *queue) snapshot() *Snapshot {
list := make([]SnapshotEntry, 0, len(q.registry))
for url, e := range q.registry {
list = append(list, SnapshotEntry{
URL: url,
LastFetched: e.lastFetch,
Data: e.data,
return &Snapshot{
Entries: list,

vendor/github.com/lestrrat-go/httprc/whitelist.go generated vendored Normal file
View File

@ -0,0 +1,73 @@
package httprc
import "regexp"
// Whitelist is an interface for a set of URL whitelists. When provided
// to fetching operations, urls are checked against this object, and
// the object must return true for urls to be fetched.
type Whitelist interface {
IsAllowed(string) bool
// InsecureWhitelist allows any URLs to be fetched.
type InsecureWhitelist struct{}
func (InsecureWhitelist) IsAllowed(string) bool {
return true
// RegexpWhitelist is a httprc.Whitelist object comprised of a list of *regexp.Regexp
// objects. All entries in the list are tried until one matches. If none of the
// *regexp.Regexp objects match, then the URL is deemed unallowed.
type RegexpWhitelist struct {
patterns []*regexp.Regexp
func NewRegexpWhitelist() *RegexpWhitelist {
return &RegexpWhitelist{}
func (w *RegexpWhitelist) Add(pat *regexp.Regexp) *RegexpWhitelist {
w.patterns = append(w.patterns, pat)
return w
// IsAlloed returns true if any of the patterns in the whitelist
// returns true.
func (w *RegexpWhitelist) IsAllowed(u string) bool {
for _, pat := range w.patterns {
if pat.MatchString(u) {
return true
return false
// MapWhitelist is a httprc.Whitelist object comprised of a map of strings.
// If the URL exists in the map, then the URL is allowed to be fetched.
type MapWhitelist struct {
store map[string]struct{}
func NewMapWhitelist() *MapWhitelist {
return &MapWhitelist{store: make(map[string]struct{})}
func (w *MapWhitelist) Add(pat string) *MapWhitelist {
w.store[pat] = struct{}{}
return w
func (w *MapWhitelist) IsAllowed(u string) bool {
_, b := w.store[u]
return b
// WhitelistFunc is a httprc.Whitelist object based on a function.
// You can perform any sort of check against the given URL to determine
// if it can be fetched or not.
type WhitelistFunc func(string) bool
func (w WhitelistFunc) IsAllowed(u string) bool {
return w(u)

View File

if err := r.Headers().Set(KeyIDKey, v); err != nil {
return nil, errors.Wrap(err, "failed to set header")
enckey, err := enc.Encrypt(cek)
if err != nil {
return nil, errors.Wrap(err, `failed to encrypt key`)
if enc.Algorithm() == jwa.ECDH_ES || enc.Algorithm() == jwa.DIRECT {
if len(e.keyEncrypters) > 1 {
return nil, errors.Errorf("unable to support multiple recipients for ECDH-ES")
cek = enckey.Bytes()
} else {
if err := r.SetEncryptedKey(enckey.Bytes()); err != nil {
return nil, errors.Wrap(err, "failed to set encrypted key")
if hp, ok := enckey.(populater); ok {
if err := hp.Populate(r.Headers()); err != nil {
return nil, errors.Wrap(err, "failed to populate")
recipients[i] = r
// If there's only one recipient, you want to include that in the
// protected header
if len(recipients) == 1 {
h, err := e.protected.Merge(context.TODO(), recipients[0].Headers())
if err != nil {
return nil, errors.Wrap(err, "failed to merge protected headers")
e.protected = h
aad, err := e.protected.Encode()
if err != nil {
return nil, errors.Wrap(err, "failed to base64 encode protected headers")
plaintext, err = compress(plaintext, compression)
if err != nil {
return nil, errors.Wrap(err, `failed to compress payload before encryption`)
// ...on the other hand, there's only one content cipher.
iv, ciphertext, tag, err := e.contentEncrypter.Encrypt(cek, plaintext, aad)
if err != nil {
return nil, errors.Wrap(err, "failed to encrypt payload")
msg := NewMessage()
decodedAad, err := base64.Decode(aad)
if err != nil {
return nil, errors.Wrap(err, "failed to decode base64")
if err := msg.Set(AuthenticatedDataKey, decodedAad); err != nil {
return nil, errors.Wrapf(err, `failed to set %s`, AuthenticatedDataKey)
if err := msg.Set(CipherTextKey, ciphertext); err != nil {
return nil, errors.Wrapf(err, `failed to set %s`, CipherTextKey)
if err := msg.Set(InitializationVectorKey, iv); err != nil {
return nil, errors.Wrapf(err, `failed to set %s`, InitializationVectorKey)
if err := msg.Set(ProtectedHeadersKey, e.protected); err != nil {
return nil, errors.Wrapf(err, `failed to set %s`, ProtectedHeadersKey)
if err := msg.Set(RecipientsKey, recipients); err != nil {
return nil, errors.Wrapf(err, `failed to set %s`, RecipientsKey)
if err := msg.Set(TagKey, tag); err != nil {
return nil, errors.Wrapf(err, `failed to set %s`, TagKey)
return msg, nil

package jwe
return json.Marshal(m)

case ed25519.PublicKey, ed25519.PrivateKey, x25519.PublicKey, x25519.PrivateKey:
kty = jwa.OKP
case []byte:
kty = jwa.OctetSeq
return nil, errors.Errorf(`invalid key %T`, key)
algs, ok := keyTypeToAlgorithms[kty]
if !ok {
return nil, errors.Errorf(`invalid key type %q`, kty)
return algs, nil

@ -1,119 +0,0 @@
package jws
import (
type Option = option.Interface
type identPayloadSigner struct{}
type identDetachedPayload struct{}
type identHeaders struct{}
type identMessage struct{}
type identFetchBackoff struct{}
type identFetchWhitelist struct{}
type identHTTPClient struct{}
type identJWKSetFetcher struct{}
func WithSigner(signer Signer, key interface{}, public, protected Headers) Option {
return option.New(identPayloadSigner{}, &payloadSigner{
signer: signer,
key: key,
protected: protected,
public: public,
type SignOption interface {
type signOption struct {
func (*signOption) signOption() {}
// WithHeaders allows you to specify extra header values to include in the
// final JWS message
func WithHeaders(h Headers) SignOption {
return &signOption{option.New(identHeaders{}, h)}
// VerifyOption describes an option that can be passed to the jws.Verify function
type VerifyOption interface {
type verifyOption struct {
func (*verifyOption) verifyOption() {}
// WithMessage can be passed to Verify() to obtain the jws.Message upon
// a successful verification.
func WithMessage(m *Message) VerifyOption {
return &verifyOption{option.New(identMessage{}, m)}
type SignVerifyOption interface {
type signVerifyOption struct {
func (*signVerifyOption) signOption() {}
func (*signVerifyOption) verifyOption() {}
// WithDetachedPayload can be used to both sign or verify a JWS message with a
// detached payload.
// When this option is used for `jws.Sign()`, the first parameter (normally the payload)
// must be set to `nil`.
// If you have to verify using this option, you should know exactly how and why this works.
func WithDetachedPayload(v []byte) SignVerifyOption {
return &signVerifyOption{option.New(identDetachedPayload{}, v)}
// WithFetchWhitelist specifies the whitelist object to be passed
// to `jwk.Fetch()` when `jws.VerifyAuto()` is used. If you do not
// specify a whitelist, `jws.VerifyAuto()` will ALWAYS fail.
// This option is ignored if WithJWKSetFetcher is specified.
func WithFetchWhitelist(wl jwk.Whitelist) VerifyOption {
return &verifyOption{option.New(identFetchWhitelist{}, wl)}
// WithFetchBackoff specifies the backoff.Policy object to be passed
// to `jwk.Fetch()` when `jws.VerifyAuto()` is used.
// This option is ignored if WithJWKSetFetcher is specified.
func WithFetchBackoff(b backoff.Policy) VerifyOption {
return &verifyOption{option.New(identFetchBackoff{}, b)}
// WithHTTPClient specifies the *http.Client object to be passed
// to `jwk.Fetch()` when `jws.VerifyAuto()` is used.
// This option is ignored if WithJWKSetFetcher is specified.
func WithHTTPClient(httpcl *http.Client) VerifyOption {
return &verifyOption{option.New(identHTTPClient{}, httpcl)}
// WithJWKSetFetcher specifies the JWKSetFetcher object to be
// used when `jws.VerifyAuto()`, for example, to use `jwk.AutoRefetch`
// instead of the default `jwk.Fetch()`
func WithJWKSetFetcher(f JWKSetFetcher) VerifyOption {
return &verifyOption{option.New(identJWKSetFetcher{}, f)}

@ -1,9 +0,0 @@
pushd internal/cmd/gentoken
go build -o gentoken main.go
./internal/cmd/gentoken/gentoken -objects=internal/cmd/gentoken/objects.yml
rm internal/cmd/gentoken/gentoken

@ -1,98 +0,0 @@
package types
import (
// NumericDate represents the date format used in the 'nbf' claim
type NumericDate struct {
func (n *NumericDate) Get() time.Time {
if n == nil {
return (time.Time{}).UTC()
return n.Time
func numericToTime(v interface{}, t *time.Time) bool {
var n int64
switch x := v.(type) {
case int64:
n = x
case int32:
n = int64(x)
case int16:
n = int64(x)
case int8:
n = int64(x)
case int:
n = int64(x)
case float32:
n = int64(x)
case float64:
n = int64(x)
return false
*t = time.Unix(n, 0)
return true
func (n *NumericDate) Accept(v interface{}) error {
var t time.Time
switch x := v.(type) {
case string:
i, err := strconv.ParseInt(x[:], 10, 64)
if err != nil {
return errors.Errorf(`invalid epoch value %#v`, x)
t = time.Unix(i, 0)
case json.Number:
intval, err := x.Int64()
if err != nil {
return errors.Wrapf(err, `failed to convert json value %#v to int64`, x)
t = time.Unix(intval, 0)
case time.Time:
t = x
if !numericToTime(v, &t) {
return errors.Errorf(`invalid type %T`, v)
n.Time = t.UTC()
return nil
// MarshalJSON translates from internal representation to JSON NumericDate
// See https://tools.ietf.org/html/rfc7519#page-6
func (n *NumericDate) MarshalJSON() ([]byte, error) {
if n.IsZero() {
return json.Marshal(nil)
return json.Marshal(n.Unix())
func (n *NumericDate) UnmarshalJSON(data []byte) error {
var v interface{}
if err := json.Unmarshal(data, &v); err != nil {
return errors.Wrap(err, `failed to unmarshal date`)
var n2 NumericDate
if err := n2.Accept(v); err != nil {
return errors.Wrap(err, `invalid value for NumericDate`)
*n = n2
return nil

@ -1,29 +0,0 @@
// Automatically generated by internal/cmd/genreadfile/main.go. DO NOT EDIT
package jwt
import "os"
// ReadFileOption describes options that can be passed to ReadFile.
type ReadFileOption interface {
func ReadFile(path string, options ...ReadFileOption) (Token, error) {
var parseOptions []ParseOption
for _, option := range options {
switch option := option.(type) {
case ParseOption:
parseOptions = append(parseOptions, option)
f, err := os.Open(path)
if err != nil {
return nil, err
defer f.Close()
return ParseReader(f, parseOptions...)

@ -1,538 +0,0 @@
package jwt
import (
type Option = option.Interface
// GlobalOption describes an Option that can be passed to `Settings()`.
type GlobalOption interface {
type globalOption struct {
func (*globalOption) globalOption() {}
// ParseRequestOption describes an Option that can be passed to `ParseRequest()`.
type ParseRequestOption interface {
type httpParseOption struct {
func (*httpParseOption) httpParseOption() {}
// ParseOption describes an Option that can be passed to `Parse()`.
// ParseOption also implements ReadFileOption, therefore it may be
// safely pass them to `jwt.ReadFile()`
type ParseOption interface {
type parseOption struct {
func newParseOption(n interface{}, v interface{}) ParseOption {
return &parseOption{option.New(n, v)}
func (*parseOption) parseOption() {}
func (*parseOption) readFileOption() {}
// SignOption describes an Option that can be passed to Sign() or
// (jwt.Serializer).Sign
type SignOption interface {
type signOption struct {
func newSignOption(n interface{}, v interface{}) SignOption {
return &signOption{option.New(n, v)}
func (*signOption) signOption() {}
// EncryptOption describes an Option that can be passed to Encrypt() or
// (jwt.Serializer).Encrypt
type EncryptOption interface {
type encryptOption struct {
func newEncryptOption(n interface{}, v interface{}) EncryptOption {
return &encryptOption{option.New(n, v)}
func (*encryptOption) encryptOption() {}
// ValidateOption describes an Option that can be passed to Validate().
// ValidateOption also implements ParseOption, therefore it may be
// safely passed to `Parse()` (and thus `jwt.ReadFile()`)
type ValidateOption interface {
type validateOption struct {
func newValidateOption(n interface{}, v interface{}) ValidateOption {
return &validateOption{newParseOption(n, v)}
func (*validateOption) validateOption() {}
type identAcceptableSkew struct{}
type identClock struct{}
type identContext struct{}
type identDecrypt struct{}
type identDefault struct{}
type identFlattenAudience struct{}
type identInferAlgorithmFromKey struct{}
type identJweHeaders struct{}
type identJwsHeaders struct{}
type identKeySet struct{}
type identKeySetProvider struct{}
type identPedantic struct{}
type identValidator struct{}
type identToken struct{}
type identTypedClaim struct{}
type identValidate struct{}
type identVerify struct{}
type identVerifyAuto struct{}
type identFetchBackoff struct{}
type identFetchWhitelist struct{}
type identHTTPClient struct{}
type identJWKSetFetcher struct{}
type identHeaderKey struct{}
type identFormKey struct{}
type VerifyParameters interface {
Algorithm() jwa.SignatureAlgorithm
Key() interface{}
type verifyParams struct {
alg jwa.SignatureAlgorithm
key interface{}
func (p *verifyParams) Algorithm() jwa.SignatureAlgorithm {
return p.alg
func (p *verifyParams) Key() interface{} {
return p.key
// WithVerify forces the Parse method to verify the JWT message
// using the given key. XXX Should have been named something like
// WithVerificationKey
func WithVerify(alg jwa.SignatureAlgorithm, key interface{}) ParseOption {
return newParseOption(identVerify{}, &verifyParams{
alg: alg,
key: key,
// WithKeySet forces the Parse method to verify the JWT message
// using one of the keys in the given key set.
// The key and the JWT MUST have a proper `kid` field set.
// The key to use for signature verification is chosen by matching
// the Key ID of the JWT and the ID of the given key set.
// When using this option, keys MUST have a proper 'alg' field
// set. This is because we need to know the exact algorithm that
// you (the user) wants to use to verify the token. We do NOT
// trust the token's headers, because they can easily be tampered with.
// However, there _is_ a workaround if you do understand the risks
// of allowing a library to automatically choose a signature verification strategy,
// and you do not mind the verification process having to possibly
// attempt using multiple times before succeeding to verify. See
// `jwt.InferAlgorithmFromKey` option
// If you have only one key in the set, and are sure you want to
// use that key, you can use the `jwt.WithDefaultKey` option.
// If provided with WithKeySetProvider(), this option takes precedence.
func WithKeySet(set jwk.Set) ParseOption {
return newParseOption(identKeySet{}, set)
// UseDefaultKey is used in conjunction with the option WithKeySet
// to instruct the Parse method to default to the single key in a key
// set when no Key ID is included in the JWT. If the key set contains
// multiple keys then the default behavior is unchanged -- that is,
// the since we can't determine the key to use, it returns an error.
func UseDefaultKey(value bool) ParseOption {
return newParseOption(identDefault{}, value)
// WithToken specifies the token instance that is used when parsing
// JWT tokens.
func WithToken(t Token) ParseOption {
return newParseOption(identToken{}, t)
// WithHeaders is passed to `jwt.Sign()` function, to allow specifying arbitrary
// header values to be included in the header section of the jws message
// This option will be deprecated in the next major version. Use
// jwt.WithJwsHeaders() instead.
func WithHeaders(hdrs jws.Headers) SignOption {
return WithJwsHeaders(hdrs)
// WithJwsHeaders is passed to `jwt.Sign()` function or
// "jwt.Serializer".Sign() method, to allow specifying arbitrary
// header values to be included in the header section of the JWE message
func WithJwsHeaders(hdrs jws.Headers) SignOption {
return newSignOption(identJwsHeaders{}, hdrs)
// WithJweHeaders is passed to "jwt.Serializer".Encrypt() method to allow
// specifying arbitrary header values to be included in the protected header
// of the JWE message
func WithJweHeaders(hdrs jwe.Headers) EncryptOption {
return newEncryptOption(identJweHeaders{}, hdrs)
// WithValidate is passed to `Parse()` method to denote that the
// validation of the JWT token should be performed after a successful
// parsing of the incoming payload.
func WithValidate(b bool) ParseOption {
return newParseOption(identValidate{}, b)
// WithClock specifies the `Clock` to be used when verifying
// claims exp and nbf.
func WithClock(c Clock) ValidateOption {
return newValidateOption(identClock{}, c)
// WithAcceptableSkew specifies the duration in which exp and nbf
// claims may differ by. This value should be positive
func WithAcceptableSkew(dur time.Duration) ValidateOption {
return newValidateOption(identAcceptableSkew{}, dur)
// WithIssuer specifies that expected issuer value. If not specified,
// the value of issuer is not verified at all.
func WithIssuer(s string) ValidateOption {
return WithValidator(ClaimValueIs(IssuerKey, s))
// WithSubject specifies that expected subject value. If not specified,
// the value of subject is not verified at all.
func WithSubject(s string) ValidateOption {
return WithValidator(ClaimValueIs(SubjectKey, s))
// WithJwtID specifies that expected jti value. If not specified,
// the value of jti is not verified at all.
func WithJwtID(s string) ValidateOption {
return WithValidator(ClaimValueIs(JwtIDKey, s))
// WithAudience specifies that expected audience value.
// `Validate()` will return true if one of the values in the `aud` element
// matches this value. If not specified, the value of issuer is not
// verified at all.
func WithAudience(s string) ValidateOption {
return WithValidator(ClaimContainsString(AudienceKey, s))
// WithClaimValue specifies the expected value for a given claim
func WithClaimValue(name string, v interface{}) ValidateOption {
return WithValidator(ClaimValueIs(name, v))
// WithHeaderKey is used to specify header keys to search for tokens.
// While the type system allows this option to be passed to jwt.Parse() directly,
// doing so will have no effect. Only use it for HTTP request parsing functions
func WithHeaderKey(v string) ParseRequestOption {
return &httpParseOption{newParseOption(identHeaderKey{}, v)}
// WithFormKey is used to specify header keys to search for tokens.
// While the type system allows this option to be passed to jwt.Parse() directly,
// doing so will have no effect. Only use it for HTTP request parsing functions
func WithFormKey(v string) ParseRequestOption {
return &httpParseOption{newParseOption(identFormKey{}, v)}
// WithFlattenAudience specifies if the "aud" claim should be flattened
// to a single string upon the token being serialized to JSON.
// This is sometimes important when a JWT consumer does not understand that
// the "aud" claim can actually take the form of an array of strings.
// The default value is `false`, which means that "aud" claims are always
// rendered as a arrays of strings. This setting has a global effect,
// and will change the behavior for all JWT serialization.
func WithFlattenAudience(v bool) GlobalOption {
return &globalOption{option.New(identFlattenAudience{}, v)}
type claimPair struct {
Name string
Value interface{}
// WithTypedClaim allows a private claim to be parsed into the object type of
// your choice. It works much like the RegisterCustomField, but the effect
// is only applicable to the jwt.Parse function call which receives this option.
// While this can be extremely useful, this option should be used with caution:
// There are many caveats that your entire team/user-base needs to be aware of,
// and therefore in general its use is discouraged. Only use it when you know
// what you are doing, and you document its use clearly for others.
// First and foremost, this is a "per-object" option. Meaning that given the same
// serialized format, it is possible to generate two objects whose internal
// representations may differ. That is, if you parse one _WITH_ the option,
// and the other _WITHOUT_, their internal representation may completely differ.
// This could potentially lead to problems.
// Second, specifying this option will slightly slow down the decoding process
// as it needs to consult multiple definitions sources (global and local), so
// be careful if you are decoding a large number of tokens, as the effects will stack up.
// Finally, this option will also NOT work unless the tokens themselves support such
// parsing mechanism. For example, while tokens obtained from `jwt.New()` and
// `openid.New()` will respect this option, if you provide your own custom
// token type, it will need to implement the TokenWithDecodeCtx interface.
func WithTypedClaim(name string, object interface{}) ParseOption {
return newParseOption(identTypedClaim{}, claimPair{Name: name, Value: object})
// WithRequiredClaim specifies that the claim identified the given name
// must exist in the token. Only the existence of the claim is checked:
// the actual value associated with that field is not checked.
func WithRequiredClaim(name string) ValidateOption {
return WithValidator(IsRequired(name))
// WithMaxDelta specifies that given two claims `c1` and `c2` that represent time, the difference in
// time.Duration must be less than equal to the value specified by `d`. If `c1` or `c2` is the
// empty string, the current time (as computed by `time.Now` or the object passed via
// `WithClock()`) is used for the comparison.
// `c1` and `c2` are also assumed to be required, therefore not providing either claim in the
// token will result in an error.
// Because there is no way of reliably knowing how to parse private claims, we currently only
// support `iat`, `exp`, and `nbf` claims.
// If the empty string is passed to c1 or c2, then the current time (as calculated by time.Now() or
// the clock object provided via WithClock()) is used.
// For example, in order to specify that `exp` - `iat` should be less than 10*time.Second, you would write
// jwt.Validate(token, jwt.WithMaxDelta(10*time.Second, jwt.ExpirationKey, jwt.IssuedAtKey))
// If AcceptableSkew of 2 second is specified, the above will return valid for any value of
// `exp` - `iat` between 8 (10-2) and 12 (10+2).
func WithMaxDelta(dur time.Duration, c1, c2 string) ValidateOption {
return WithValidator(MaxDeltaIs(c1, c2, dur))
// WithMinDelta is almost exactly the same as WithMaxDelta, but force validation to fail if
// the difference between time claims are less than dur.
// For example, in order to specify that `exp` - `iat` should be greater than 10*time.Second, you would write
// jwt.Validate(token, jwt.WithMinDelta(10*time.Second, jwt.ExpirationKey, jwt.IssuedAtKey))
// The validation would fail if the difference is less than 10 seconds.
func WithMinDelta(dur time.Duration, c1, c2 string) ValidateOption {
return WithValidator(MinDeltaIs(c1, c2, dur))
// WithValidator validates the token with the given Validator.
// For example, in order to validate tokens that are only valid during August, you would write
// validator := jwt.ValidatorFunc(func(_ context.Context, t jwt.Token) error {
// if time.Now().Month() != 8 {
// return fmt.Errorf(`tokens are only valid during August!`)
// }
// return nil
// })
// err := jwt.Validate(token, jwt.WithValidator(validator))
func WithValidator(v Validator) ValidateOption {
return newValidateOption(identValidator{}, v)
type decryptParams struct {
alg jwa.KeyEncryptionAlgorithm
key interface{}
type DecryptParameters interface {
Algorithm() jwa.KeyEncryptionAlgorithm
Key() interface{}
func (dp *decryptParams) Algorithm() jwa.KeyEncryptionAlgorithm {
return dp.alg
func (dp *decryptParams) Key() interface{} {
return dp.key
// WithDecrypt allows users to specify parameters for decryption using
// `jwe.Decrypt`. You must specify this if your JWT is encrypted.
func WithDecrypt(alg jwa.KeyEncryptionAlgorithm, key interface{}) ParseOption {
return newParseOption(identDecrypt{}, &decryptParams{
alg: alg,
key: key,
// WithPedantic enables pedantic mode for parsing JWTs. Currently this only
// applies to checking for the correct `typ` and/or `cty` when necessary.
func WithPedantic(v bool) ParseOption {
return newParseOption(identPedantic{}, v)
// InferAlgorithmFromKey allows jwt.Parse to guess the signature algorithm
// passed to `jws.Verify()`, in case the key you provided does not have a proper `alg` header.
// Compared to providing explicit `alg` from the key this is slower, and in
// case our heuristics are wrong or outdated, may fail to verify the token.
// Also, automatic detection of signature verification methods are always
// more vulnerable for potential attack vectors.
// It is highly recommended that you fix your key to contain a proper `alg`
// header field instead of resorting to using this option, but sometimes
// it just needs to happen.
// Your JWT still need to have an `alg` field, and it must match one of the
// candidates that we produce for your key
func InferAlgorithmFromKey(v bool) ParseOption {
return newParseOption(identInferAlgorithmFromKey{}, v)
// KeySetProvider is an interface for objects that can choose the appropriate
// jwk.Set to be used when verifying JWTs
type KeySetProvider interface {
// KeySetFrom returns the jwk.Set to be used to verify the token.
// Keep in mind that the token at the point when the method is called is NOT VERIFIED.
// DO NOT trust the contents of the Token too much. For example, do not take the
// hint as to which signature algorithm to use from the token itself.
KeySetFrom(Token) (jwk.Set, error)
// KeySetProviderFunc is an implementation of KeySetProvider that is based
// on a function.
type KeySetProviderFunc func(Token) (jwk.Set, error)
func (fn KeySetProviderFunc) KeySetFrom(t Token) (jwk.Set, error) {
return fn(t)
// WithKeySetProvider allows users to specify an object to choose which
// jwk.Set to use for verification.
// If provided with WithKeySet(), WithKeySet() option takes precedence.
func WithKeySetProvider(p KeySetProvider) ParseOption {
return newParseOption(identKeySetProvider{}, p)
// WithContext allows you to specify a context.Context object to be used
// with `jwt.Validate()` option.
// Please be aware that in the next major release of this library,
// `jwt.Validate()`'s signature will change to include an explicit
// `context.Context` object.
func WithContext(ctx context.Context) ValidateOption {
return newValidateOption(identContext{}, ctx)
// WithVerifyAuto specifies that the JWS verification should be performed
// using `jws.VerifyAuto()`, which in turn attempts to verify the message
// using values that are stored within the JWS message.
// Only passing this option to `jwt.Parse()` will not result in a successful
// verification. Please make sure to carefully read the documentation in
// `jws.VerifyAuto()`, and provide the necessary Whitelist object via
// `jwt.WithFetchWhitelist()`
// You might also consider using a backoff policy by using `jwt.WithFetchBackoff()`
// to control the number of requests being made.
func WithVerifyAuto(v bool) ParseOption {
return newParseOption(identVerifyAuto{}, v)
// WithFetchWhitelist specifies the `jwk.Whitelist` object that should be
// passed to `jws.VerifyAuto()`, which in turn will be passed to `jwk.Fetch()`
// This is a wrapper over `jws.WithFetchWhitelist()` that can be passed
// to `jwt.Parse()`, and will be ignored if you spcify `jws.WithJWKSetFetcher()`
func WithFetchWhitelist(wl jwk.Whitelist) ParseOption {
return newParseOption(identFetchWhitelist{}, wl)
// WithHTTPClient specifies the `*http.Client` object that should be
// passed to `jws.VerifyAuto()`, which in turn will be passed to `jwk.Fetch()`
// This is a wrapper over `jws.WithHTTPClient()` that can be passed
// to `jwt.Parse()`, and will be ignored if you spcify `jws.WithJWKSetFetcher()`
func WithHTTPClient(httpcl *http.Client) ParseOption {
return newParseOption(identHTTPClient{}, httpcl)
// WithFetchBackoff specifies the `backoff.Policy` object that should be
// passed to `jws.VerifyAuto()`, which in turn will be passed to `jwk.Fetch()`
// This is a wrapper over `jws.WithFetchBackoff()` that can be passed
// to `jwt.Parse()`, and will be ignored if you spcify `jws.WithJWKSetFetcher()`
func WithFetchBackoff(b backoff.Policy) ParseOption {
return newParseOption(identFetchBackoff{}, b)
// WithJWKSetFetcher specifies the `jws.JWKSetFetcher` object that should be
// passed to `jws.VerifyAuto()`
// This is a wrapper over `jws.WithJWKSetFetcher()` that can be passed
// to `jwt.Parse()`.
func WithJWKSetFetcher(f jws.JWKSetFetcher) ParseOption {
return newParseOption(identJWKSetFetcher{}, f)

@ -33,3 +33,5 @@ coverage.out
# I redirect my test output to files named "out" way too often # I redirect my test output to files named "out" way too often
out out

@ -28,7 +28,6 @@ linters:
- gofumpt - gofumpt
- golint #deprecated - golint #deprecated
- gomnd - gomnd
- gomoddirectives # I think it's broken
- gosec - gosec
- govet - govet
- interfacer # deprecated - interfacer # deprecated

View File

@ -0,0 +1,75 @@
v2 has many incompatibilities with v1. To see the full list of differences between
v1 and v2, please read the Changes-v2.md file (https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes-v2.md)
v2.0.2 - 23 May 2022
[Bug Fixes][Security]
* [jwe] An old bug from at least 7 years ago existed in handling AES-CBC unpadding,
where the unpad operation might remove more bytes than necessary (#744)
This affects all jwx code that is available before v2.0.2 and v1.2.25.
[New Features]
* [jwt] RFC3339 timestamps are also accepted for Numeric Date types in JWT tokens.
This allows users to parse servers that errnously use RFC3339 timestamps in
some pre-defined fields. You can change this behavior by setting
`jwt.WithNumericDateParsePedantic` to `false`
* [jwt] `jwt.WithNumericDateParsePedantic` has been added. This is a global
option that is set using `jwt.Settings`
v2.0.1 - 06 May 2022
* [jwk] `jwk.Set` had erronously been documented as not returning an error
when the same key already exists in the set. This is a behavior change
since v2, and it was missing in the docs (#730)
* [jwt] `jwt.ErrMissingRequiredClaim` has been deprecated. Please use
`jwt.ErrRequiredClaim` instead.
* [jwt] `jwt.WithNumericDateParsePrecision` and `jwt.WithNumericDateFormatPrecision`
have been added to parse and format fractional seconds. These options can be
passed to `jwt.Settings`.
The default precision is set to 0, and fractional portions are not parsed nor
formatted. The precision may be set up to 9.
* `golang.org/x/crypto` has been upgraded (#724)
* `io/ioutil` has been removed from the source code.
v2.0.0 - 24 Apr 2022
* This i the first v2 release, which represents a set of design changes
that were learnt over the previous 2 years. As a result the v2 API
should be much more consistent and uniform across packages, and
should be much more flexible to accomodate real-world needs.
For a complete list of changes, please see the Changes-v2.md file,
or check the diff at https://github.com/lestrrat-go/jwx/compare/v1...v2
* Minor house cleaning on code generation tools
* `jwt.ErrMissingRequiredClaim()` has been added
v2.0.0-beta2 - 16 Apr 2022
* Updated `jwk.Set` API and reflected pending changes from v1 which were
left over. Please see Changes-v2.md file for details.
* Added `jwk.CachedSet`, a shim over `jwk.Cache` that allows you to
have to write wrappers around `jwk.Cache` that retrieves a particular
`jwk.Set` out of it. You can use it to, for example, pass `jwk.CachedSet`
to a `jws.Verify`
cache := jwk.NewCache(ctx)
cache.Register(ctx, jwksURL)
cachedSet := jwk.NewCachedSet(cache, jwksURL)
jws.Verify(signed, jws.WithKeySet(cachedSet))
v2.0.0-beta1 - 09 Apr 2022
* Renamed Changes.v2 to Changes-v2.md
* Housecleaning for lint action.
* While v2 was not affected, ported over equivalent test for #681 to catch
regressions in the future.
* Please note that there is no stability guarantees on pre-releases.
v2.0.0-alpha1 - 04 Apr 2022
* Initial pre-release of v2 line. Please note that there is no stability guarantees
on pre-releases.

View File

@ -0,0 +1,390 @@
# Incompatible Changes from v1 to v2
These are changes that are incompatible with the v1.x.x version.
* [tl;dr](#tldr) - If you don't feel like reading the details -- but you will read the details, right?
* [Detailed List of Changes](#detailed-list-of-changes) - A comprehensive list of changes from v1 to v2
# tl;dr
## JWT
// most basic
jwt.Parse(serialized, jwt.WithKey(alg, key)) // NOTE: verification and validation are ENABLED by default!
jwt.Sign(token, jwt.WithKey(alg,key))
// with a jwk.Set
jwt.Parse(serialized, jwt.WithKeySet(set))
// UseDefault/InferAlgorithm with JWKS
jwt.Parse(serialized, jwt.WithKeySet(set,
jws.WithUseDefault(true), jws.WithInferAlgorithm(true))
// Use `jku`
jwt.Parse(serialized, jwt.WithVerifyAuto(...))
// Any other custom key provisioning (using functions in this
// example, but can be anything that fulfills jws.KeyProvider)
jwt.Parse(serialized, jwt.WithKeyProvider(jws.KeyProviderFunc(...)))
## JWK
// jwk.New() was confusing. Renamed to fit the actual implementation
key, err := jwk.FromRaw(rawKey)
// Algorithm() now returns jwa.KeyAlgorithm type. `jws.Sign()`
// and other function that receive JWK algorithm names accept
// this new type, so you can use the same key and do the following
// (previosly you needed to type assert)
jws.Sign(payload, jws.WithKey(key.Algorithm(), key))
// If you need the specific type, type assert
// jwk.AutoRefresh is no more. Use jwk.Cache
cache := jwk.NewCache(ctx, options...)
// Certificate chains are no longer jwk.CertificateChain type, but
// *(github.com/lestrrat-go/jwx/cert).Chain
cc := key.X509CertChain() // this is *cert.Chain now
## JWS
// basic
jws.Sign(payload, jws.WithKey(alg, key))
jws.Sign(payload, jws.WithKey(alg, key), jws.WithKey(alg, key), jws.WithJSON(true))
jws.Verify(signed, jws.WithKey(alg, key))
// other ways to pass the key
jws.Sign(payload, jws.WithKeySet(jwks))
jws.Sign(payload, jws.WithKeyProvider(kp))
// retrieve the key that succeeded in verifying
var keyUsed interface{}
jws.Verify(signed, jws.WithKeySet(jwks), jws.WithKeyUsed(&keyUsed))
## JWE
// basic
jwe.Encrypt(payload, jwe.WithKey(alg, key)) // other defaults are infered
jwe.Encrypt(payload, jwe.WithKey(alg, key), jwe.WithKey(alg, key), jwe.WithJSON(true))
jwe.Decrypt(encrypted, jwe.WithKey(alg, key))
// other ways to pass the key
jwe.Encrypt(payload, jwe.WithKeySet(jwks))
jwe.Encrypt(payload, jwe.WithKeyProvider(kp))
// retrieve the key that succeeded in decrypting
var keyUsed interface{}
jwe.Verify(signed, jwe.WithKeySet(jwks), jwe.WithKeyUsed(&keyUsed))
# Detailed List of Changes
## Module
* Module now requires go 1.16
* Use of github.com/pkg/errors is no more. If you were relying on bevaior
that depends on the errors being an instance of github.com/pkg/errors
then you need to change your code
* File-generation tools have been moved out of internal/ directories.
These files pre-dates Go modules, and they were in internal/ in order
to avoid being listed in the `go doc` -- however, now that we can
make them separate modules this is no longer necessary.
* New package `cert` has been added to handle `x5c` certificate
chains, and to work with certificates
* cert.Chain to store base64 encoded ASN.1 DER format certificates
* cert.EncodeBase64 to encode ASN.1 DER format certificate using base64
* cert.Create to create a base64 encoded ASN.1 DER format certificates
* cert.Parse to parse base64 encoded ASN.1 DER format certificates
## JWE
* `jwe.Compact()`'s signature has changed to
`jwe.Compact(*jwe.Message, ...jwe.CompactOption)`
* `jwe.JSON()` has been removed. You can generate JSON serialization
using `jwe.Encrypt(jwe.WitJSON())` or `json.Marshal(jwe.Message)`
* `(jwe.Message).Decrypt()` has been removed. Since formatting of the
original serialized message matters (including whitespace), using a parsed
object was inherently confusing.
* `jwe.Encrypt()` can now generate JWE messages in either compact or JSON
forms. By default, the compact form is used. JSON format can be
enabled by using the `jwe.WithJSON` option.
* `jwe.Encrypt()` can now accept multiple keys by passing multiple
`jwe.WithKey()` options. This can be used with `jwe.WithJSON` to
create JWE messages with multiple recipients.
* `jwe.DecryptEncryptOption()` has been renamed to `jwe.EncryptDecryptOption()`.
This is so that it is more uniform with `jws` equivalent of `jws.SignVerifyOption()`
where the producer (`Sign`) comes before the consumer (`Verify`) in the naming
* `jwe.WithCompact` and `jwe.WithJSON` options have been added
to control the serialization format.
* jwe.Decrypt()'s method signature has been changed to `jwt.Decrypt([]byte, ...jwe.DecryptOption) ([]byte, error)`.
These options can be stacked. Therefore, you could configure the
verification process to attempt a static key pair, a JWKS, and only
try other forms if the first two fails, for example.
- For static key pair, use `jwe.WithKey()`
- For static JWKS, use `jwe.WithKeySet()` (NOTE: InferAlgorithmFromKey like in `jws` package is NOT supported)
- For custom, possibly dynamic key provisioning, use `jwe.WithKeyProvider()`
* jwe.Decrypter has been unexported. Users did not need this.
* jwe.WithKeyProvider() has been added to specify arbitrary
code to specify which keys to try.
* jwe.KeyProvider interface has been added
* jwe.KeyProviderFunc has been added
* `WithPostParser()` has been removed. You can achieve the same effect
by using `jwe.WithKeyProvider()`. Because this was the only consumer for
`jwe.DecryptCtx`, this type has been removed as well.
* `x5c` field type has been changed to `*cert.Chain` instead of `[]string`
* Method signature for `jwe.Parse()` has been changed to include options,
but options are currently not used
* `jwe.ReadFile` now supports the option `jwe.WithFS` which allows you to
read data from arbitrary `fs.FS` objects
* jwe.WithKeyUsed has been added to allow users to retrieve
the key used for decryption. This is useful in cases you provided
multiple keys and you want to know which one was successful
## JWK
* `jwk.New()` has been renamed to `jwk.FromRaw()`, which hopefully will
make it easier for the users what the input should be.
* `jwk.Set` has many interface changes:
* Changed methods to match jwk.Key and its semantics:
* Field is now Get() (returns values for arbitrary fields other than keys). Fetching a key is done via Key()
* Remove() now removes arbitrary fields, not keys. to remove keys, use RemoveKey()
* Iterate has been added to iterate through all non-key fields.
* Add is now AddKey(Key) string, and returns an error when the same key is added
* Get is now Key(int) (Key, bool)
* Remove is now RemoveKey(Key) error
* Iterate is now Keys(context.Context) KeyIterator
* Clear is now Clear() error
* `jwk.CachedSet` has been added. You can create a `jwk.Set` that is backed by
`jwk.Cache` so you can do this:
cache := jkw.NewCache(ctx)
cachedSet := jwk.NewCachedSet(cache, jwksURI)
// cachedSet is always the refreshed, cached version from jwk.Cache
jws.Verify(signed, jws.WithKeySet(cachedSet))
* `jwk.NewRSAPRivateKey()`, `jwk.NewECDSAPrivateKey()`, etc have been removed.
There is no longer any way to create concrete types of `jwk.Key`
* `jwk.Key` type no longer supports direct unmarshaling via `json.Unmarshal()`,
because you can no longer instantiate concrete `jwk.Key` types. You will need to
use `jwk.ParseKey()`. See the documentation for ways to parse JWKs.
* `(jwk.Key).Algorithm()` is now of `jwk.KeyAlgorithm` type. This field used
to be `string` and therefore could not be passed directly to `jwt.Sign()`
`jws.Sign()`, `jwe.Encrypt()`, et al. This is no longer the case, and
now you can pass it directly. See
for more details
* `jwk.Fetcher` and `jwk.FetchFunc` has been added.
They represent something that can fetch a `jwk.Set`
* `jwk.CertificateChain` has been removed, use `*cert.Chain`
* `x5c` field type has been changed to `*cert.Chain` instead of `[]*x509.Certificate`
* `jwk.ReadFile` now supports the option `jwk.WithFS` which allows you to
read data from arbitrary `fs.FS` objects
* Added `jwk.PostFetcher`, `jwk.PostFetchFunc`, and `jwk.WithPostFetch` to
allow users to get at the `jwk.Set` that was fetched in `jwk.Cache`.
This will make it possible for users to supply extra information and edit
`jwk.Set` after it has been fetched and parsed, but before it is cached.
You could, for example, modify the `alg` field so that it's easier to
work with when you use it in `jws.Verify` later.
* Reworked `jwk.AutoRefresh` in terms of `github.com/lestrrat-go/httprc`
and renamed it `jwk.Cache`.
Major difference between `jwk.AutoRefresh` and `jwk.Cache` is that while
former used one `time.Timer` per resource, the latter uses a static timer
(based on `jwk.WithRefreshWindow()` value, default 15 minutes) that periodically
refreshes all resources that were due to be refreshed within that time frame.
This method may cause your updates to happen slightly later, but uses significantly
less resources and is less prone to clogging.
* Reimplemented `jwk.Fetch` in terms of `github.com/lestrrat-go/httprc`.
* Previously `jwk.Fetch` and `jwk.AutoRefresh` respected backoff options,
but this has been removed. This is to avoid unwanted clogging of the fetch workers
which is the default processing mode in `github.com/lestrrat-go/httprc`.
If you are using backoffs, you need to control your inputs more carefully so as to
not clog your fetch queue, and therefore you should be writing custom code that
suits your needs
## JWS
* `jws.Sign()` can now generate JWS messages in either compact or JSON
forms. By default, the compact form is used. JSON format can be
enabled by using the `jws.WithJSON` option.
* `jws.Sign()` can now accept multiple keys by passing multiple
`jws.WithKey()` options. This can be used with `jws.WithJSON` to
create JWS messages with multiple signatures.
* `jws.WithCompact` and `jws.WithJSON` options have been added
to control the serialization format.
* jws.Verify()'s method signature has been changed to `jwt.Verify([]byte, ...jws.VerifyOption) ([]byte, error)`.
These options can be stacked. Therefore, you could configure the
verification process to attempt a static key pair, a JWKS, and only
try other forms if the first two fails, for example.
- For static key pair, use `jws.WithKey()`
- For static JWKS, use `jws.WithKeySet()`
- For enabling verification using `jku`, use `jws.WithVerifyAuto()`
- For custom, possibly dynamic key provisioning, use `jws.WithKeyProvider()`
* jws.WithVerify() has been removed.
* jws.WithKey() has been added to specify an algorithm + key to
verify the payload with.
* jws.WithKeySet() has been added to specify a JWKS to be used for
verification. By default `kid` AND `alg` must match between the signature
and the key.
The option can take further suboptions:
// by default `kid` is required. set false to disable.
// optionally skip matching kid if there's exactly one key in set
// infer algorithm name from key type
* `jws.VerifuAuto` has been removed in favor of using
`jws.WithVerifyAuto` option with `jws.Verify()`
* `jws.WithVerifyAuto` has been added to enable verification
using `jku`.
The first argument must be a jwk.Fetcher object, but can be
set to `nil` to use the default implementation which is `jwk.Fetch`
The rest of the arguments are treated as options passed to the
`(jwk.Fetcher).Fetch()` function.
* Remove `jws.WithPayloadSigner()`. This should be completely repleceable
using `jws.WithKey()`
* jws.WithKeyProvider() has been added to specify arbitrary
code to specify which keys to try.
* jws.KeyProvider interface has been added
* jws.KeyProviderFunc has been added
* jws.WithKeyUsed has been added to allow users to retrieve
the key used for verification. This is useful in cases you provided
multiple keys and you want to know which one was successful
* `x5c` field type has been changed to `*cert.Chain` instead of `[]string`
* `jws.ReadFile` now supports the option `jws.WithFS` which allows you to
read data from arbitrary `fs.FS` objects
## JWT
* `jwt.Parse` now verifies the signature and validates the token
by default. You must disable it explicitly using `jwt.WithValidate(false)`
and/or `jwt.WithVerify(false)` if you only want to parse the JWT message.
If you don't want either, a convenience function `jwt.ParseInsecure`
has been added.
* `jwt.Parse` can only parse raw JWT (JSON) or JWS (JSON or Compact).
It no longer accepts JWE messages.
* `jwt.WithDecrypt` has been removed
* `jwt.WithJweHeaders` has been removed
* `jwt.WithVerify()` has been renamed to `jwt.WithKey()`. The option can
be used for signing, encryption, and parsing.
* `jwt.Validator` has been changed to return `jwt.ValidationError`.
If you provide a custom validator, you should wrap the error with
* `jwt.UseDefault()` has been removed. You should use `jws.WithUseDefault()`
as a suboption in the `jwt.WithKeySet()` option.
jwt.Parse(serialized, jwt.WithKeySet(set, jws.WithUseDefault(true)))
* `jwt.InferAlgorithmFromKey()` has been removed. You should use
`jws.WithInferAlgorithmFromKey()` as a suboption in the `jwt.WithKeySet()` option.
jwt.Parse(serialized, jwt.WithKeySet(set, jws.WithInferAlgorithmFromKey(true)))
* jwt.WithKeySetProvider has been removed. Use `jwt.WithKeyProvider()`
instead. If jwt.WithKeyProvider seems a bit complicated, use a combination of
JWS parse, no-verify/validate JWT parse, and an extra JWS verify:
msg, _ := jws.Parse(signed)
token, _ := jwt.Parse(msg.Payload(), jwt.WithVerify(false), jwt.WithValidate(false))
// Get information out of token, for example, `iss`
switch token.Issuer() {
case ...:
jws.Verify(signed, jwt.WithKey(...))
* `jwt.WithHeaders` and `jwt.WithJwsHeaders` have been removed.
You should be able to use the new `jwt.WithKey` option to pass headers
* `jwt.WithSignOption` and `jwt.WithEncryptOption` have been added as
escape hatches for options that are declared in `jws` and `jwe` packages
but not in `jwt`
* `jwt.ReadFile` now supports the option `jwt.WithFS` which allows you to
read data from arbitrary `fs.FS` objects
* `jwt.Sign()` has been changed so that it works more like the new `jws.Sign()`

View File

@ -4,7 +4,6 @@ generate:
@$(MAKE) generate-jwa generate-jwe generate-jwk generate-jws generate-jwt @$(MAKE) generate-jwa generate-jwe generate-jwk generate-jws generate-jwt
generate-%: generate-%:
@echo "> Generating for $(patsubst generate-%,%,$@)"
@go generate $(shell pwd -P)/$(patsubst generate-%,%,$@) @go generate $(shell pwd -P)/$(patsubst generate-%,%,$@)
realclean: realclean:

vendor/github.com/lestrrat-go/jwx/v2/README.md generated vendored Normal file
View File

@ -0,0 +1,248 @@
# github.com/lestrrat-go/jwx/v2 ![](https://github.com/lestrrat-go/jwx/workflows/CI/badge.svg?branch=v2) [![Go Reference](https://pkg.go.dev/badge/github.com/lestrrat-go/jwx/v2.svg)](https://pkg.go.dev/github.com/lestrrat-go/jwx/v2) [![codecov.io](https://codecov.io/github/lestrrat-go/jwx/coverage.svg?branch=v2)](https://codecov.io/github/lestrrat-go/jwx?branch=v2)
Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies.
If you are using this module in your product or your company, please add your product and/or company name in the [Wiki](https://github.com/lestrrat-go/jwx/wiki/Users)! It really helps keeping up our motivation.
# Features
* Complete coverage of JWA/JWE/JWK/JWS/JWT, not just JWT+minimum tool set.
* Supports JWS messages with multiple signatures, both compact and JSON serialization
* Supports JWS with detached payload
* Supports JWS with unencoded payload (RFC7797)
* Supports JWE messages with multiple recipients, both compact and JSON serialization
* Most operations work with either JWK or raw keys e.g. *rsa.PrivateKey, *ecdsa.PrivateKey, etc).
* Opinionated, but very uniform API. Everything is symmetric, and follows a standard convetion
* jws.Parse/Verify/Sign
* jwe.Parse/Encrypt/Decrypt
* Arguments are organized as explicit required paramters and optional WithXXXX() style options.
* Extra utilities
* `jwk.Cache` to always keep a JWKS up-to-date
Some more in-depth discussion on why you might want to use this library over others
can be found in the [Description section](#description)
<!-- INCLUDE(examples/jwx_readme_example_test.go) -->
package examples_test
import (
func ExampleJWX() {
// Parse, serialize, slice and dice JWKs!
privkey, err := jwk.ParseKey(jsonRSAPrivateKey)
if err != nil {
fmt.Printf("failed to parse JWK: %s\n", err)
pubkey, err := jwk.PublicKeyOf(privkey)
if err != nil {
fmt.Printf("failed to get public key: %s\n", err)
// Work with JWTs!
// Build a JWT!
tok, err := jwt.NewBuilder().
if err != nil {
fmt.Printf("failed to build token: %s\n", err)
// Sign a JWT!
signed, err := jwt.Sign(tok, jwt.WithKey(jwa.RS256, privkey))
if err != nil {
fmt.Printf("failed to sign token: %s\n", err)
// Verify a JWT!
verifiedToken, err := jwt.Parse(signed, jwt.WithKey(jwa.RS256, pubkey))
if err != nil {
fmt.Printf("failed to verify JWS: %s\n", err)
_ = verifiedToken
// Work with *http.Request!
req, err := http.NewRequest(http.MethodGet, `https://github.com/lestrrat-go/jwx`, nil)
req.Header.Set(`Authorization`, fmt.Sprintf(`Bearer %s`, signed))
verifiedToken, err := jwt.ParseRequest(req, jwt.WithKey(jwa.RS256, pubkey))
if err != nil {
fmt.Printf("failed to verify token from HTTP request: %s\n", err)
_ = verifiedToken
// Encrypt and Decrypt arbitrary payload with JWE!
encrypted, err := jwe.Encrypt(payloadLoremIpsum, jwe.WithKey(jwa.RSA_OAEP, jwkRSAPublicKey))
if err != nil {
fmt.Printf("failed to encrypt payload: %s\n", err)
decrypted, err := jwe.Decrypt(encrypted, jwe.WithKey(jwa.RSA_OAEP, jwkRSAPrivateKey))
if err != nil {
fmt.Printf("failed to decrypt payload: %s\n", err)
if !bytes.Equal(decrypted, payloadLoremIpsum) {
fmt.Printf("verified payload did not match\n")
// Sign and Verify arbitrary payload with JWS!
signed, err := jws.Sign(payloadLoremIpsum, jws.WithKey(jwa.RS256, jwkRSAPrivateKey))
if err != nil {
fmt.Printf("failed to sign payload: %s\n", err)
verified, err := jws.Verify(signed, jws.WithKey(jwa.RS256, jwkRSAPublicKey))
if err != nil {
fmt.Printf("failed to verify payload: %s\n", err)
if !bytes.Equal(verified, payloadLoremIpsum) {
fmt.Printf("verified payload did not match\n")
source: [examples/jwx_readme_example_test.go](https://github.com/lestrrat-go/jwx/blob/v2/examples/jwx_readme_example_test.go)
<!-- END INCLUDE -->
# How-to Documentation
* [API documentation](https://pkg.go.dev/github.com/lestrrat-go/jwx/v2)
* [How-to style documentation](./docs)
* [Runnable Examples](./examples)
# Description
This Go module implements JWA, JWE, JWK, JWS, and JWT. Please see the following table for the list of
available packages:
| Package name | Notes |
| [jwt](https://github.com/lestrrat-go/jwx/tree/v2/jwt) | [RFC 7519](https://tools.ietf.org/html/rfc7519) |
| [jwk](https://github.com/lestrrat-go/jwx/tree/v2/jwk) | [RFC 7517](https://tools.ietf.org/html/rfc7517) + [RFC 7638](https://tools.ietf.org/html/rfc7638) |
| [jwa](https://github.com/lestrrat-go/jwx/tree/v2/jwa) | [RFC 7518](https://tools.ietf.org/html/rfc7518) |
| [jws](https://github.com/lestrrat-go/jwx/tree/v2/jws) | [RFC 7515](https://tools.ietf.org/html/rfc7515) + [RFC 7797](https://tools.ietf.org/html/rfc7797) |
| [jwe](https://github.com/lestrrat-go/jwx/tree/v2/jwe) | [RFC 7516](https://tools.ietf.org/html/rfc7516) |
## History
My goal was to write a server that heavily uses JWK and JWT. At first glance
the libraries that already exist seemed sufficient, but soon I realized that
1. To completely implement the protocols, I needed the entire JWT, JWK, JWS, JWE (and JWA, by necessity).
2. Most of the libraries that existed only deal with a subset of the various JWx specifications that were necessary to implement their specific needs
For example, a certain library looks like it had most of JWS, JWE, JWK covered, but then it lacked the ability to include private claims in its JWT responses. Another library had support of all the private claims, but completely lacked in its flexibility to generate various different response formats.
Because I was writing the server side (and the client side for testing), I needed the *entire* JOSE toolset to properly implement my server, **and** they needed to be *flexible* enough to fulfill the entire spec that I was writing.
So here's `github.com/lestrrat-go/jwx/v2`. This library is extensible, customizable, and hopefully well organized to the point that it is easy for you to slice and dice it.
## Why would I use this library?
There are several other major Go modules that handle JWT and related data formats,
so why should you use this library?
From a purely functional perspective, the only major difference is this:
Whereas most other projects only deal with what they seem necessary to handle
JWTs, this module handles the **_entire_** spectrum of JWS, JWE, JWK, and JWT.
That is, if you need to not only parse JWTs, but also to control JWKs, or
if you need to handle payloads that are NOT JWTs, you should probably consider
using this module. You should also note that JWT is built _on top_ of those
other technologies. You simply cannot have a complete JWT package without
implementing the entirety of JWS/JWE/JWK, which this library does.
Next, from an implementation perspective, this module differs significantly
from others in that it tries very hard to expose only the APIs, and not the
internal data. For example, individual JWT claims are not accessible through
struct field lookups. You need to use one of the getter methods.
This is because this library takes the stance that the end user is fully capable
and even willing to shoot themselves on the foot when presented with a lax
API. By making sure that users do not have access to open structs, we can protect
users from doing silly things like creating _incomplete_ structs, or access the
structs concurrently without any protection. This structure also allows
us to put extra smarts in the structs, such as doing the right thing when
you want to parse / write custom fields (this module does not require the user
to specify alternate structs to parse objects with custom fields)
In the end I think it comes down to your usage pattern, and priorities.
Some general guidelines that come to mind are:
* If you want a single library to handle everything JWx, such as using JWE, JWK, JWS, handling [auto-refreshing JWKs](https://github.com/lestrrat-go/jwx/blob/v2/docs/04-jwk.md#auto-refreshing-remote-keys), use this module.
* If you want to honor all possible custom fields transparently, use this module.
* If you want a standardized clean API, use this module.
Otherwise, feel free to choose something else.
# Contributions
## Issues
For bug reports and feature requests, please try to follow the issue templates as much as possible.
For either bug reports or feature requests, failing tests are even better.
## Pull Requests
Please make sure to include tests that excercise the changes you made.
If you are editing auto-generated files (those files with the `_gen.go` suffix, please make sure that you do the following:
1. Edit the generator, not the generated files (e.g. internal/cmd/genreadfile/main.go)
2. Run `make generate` (or `go generate`) to generate the new code
3. Commit _both_ the generator _and_ the generated files
## Discussions / Usage
Please try [discussions](https://github.com/lestrrat-go/jwx/tree/v2/discussions) first.
# Related Modules
* [github.com/lestrrat-go/echo-middileware-jwx](https://github.com/lestrrat-go/echo-middleware-jwx) - Sample Echo middleware
* [github.com/jwx-go/crypto-signer/gcp](https://github.com/jwx-go/crypto-signer/tree/main/gcp) - GCP KMS wrapper that implements [`crypto.Signer`](https://pkg.go.dev/crypto#Signer)
* [github.com/jwx-go/crypto-signer/aws](https://github.com/jwx-go/crypto-signer/tree/main/aws) - AWS KMS wrapper that implements [`crypto.Signer`](https://pkg.go.dev/crypto#Signer)
# Credits
* Initial work on this library was generously sponsored by HDE Inc (https://www.hde.co.jp)
* Lots of code, especially JWE was initially taken from go-jose library (https://github.com/square/go-jose)
* Lots of individual contributors have helped this project over the years. Thank each and everyone of you very much.

View File

@ -0,0 +1,48 @@
package cert
import (
stdlibb64 "encoding/base64"
// Create is a wrapper around x509.CreateCertificate, but it additionally
// encodes it in base64 so that it can be easily added to `x5c` fields
func Create(rand io.Reader, template, parent *x509.Certificate, pub, priv interface{}) ([]byte, error) {
der, err := x509.CreateCertificate(rand, template, parent, pub, priv)
if err != nil {
return nil, fmt.Errorf(`failed to create x509 certificate: %w`, err)
return EncodeBase64(der)
// EncodeBase64 is a utility function to encode ASN.1 DER certificates
// using base64 encoding. This operation is normally done by `pem.Encode`
// but since PEM would include the markers (`-----BEGIN`, and the like)
// while `x5c` fields do not need this, this function can be used to
// shave off a few lines
func EncodeBase64(der []byte) ([]byte, error) {
enc := stdlibb64.StdEncoding
dst := make([]byte, enc.EncodedLen(len(der)))
enc.Encode(dst, der)
return dst, nil
// Parse is a utility function to decode a base64 encoded
// ASN.1 DER format certificate, and to parse the byte sequence.
// The certificate must be in PKIX format, and it must not contain PEM markers
func Parse(src []byte) (*x509.Certificate, error) {
dst, err := base64.Decode(src)
if err != nil {
return nil, fmt.Errorf(`failed to base64 decode the certificate: %w`, err)
cert, err := x509.ParseCertificate(dst)
if err != nil {
return nil, fmt.Errorf(`failed to parse x509 certificate: %w`, err)
return cert, nil

View File

@ -0,0 +1,78 @@
package cert
import (
// Chain represents a certificate chain as used in the `x5c` field of
// various objects within JOSE.
// It stores the certificates as a list of base64 encoded []byte
// sequence. By definition these values must PKIX encoded.
type Chain struct {
certificates [][]byte
func (cc Chain) MarshalJSON() ([]byte, error) {
var buf bytes.Buffer
for i, cert := range cc.certificates {
if i > 0 {
return buf.Bytes(), nil
func (cc *Chain) UnmarshalJSON(data []byte) error {
var tmp []string
if err := json.Unmarshal(data, &tmp); err != nil {
return fmt.Errorf(`failed to unmarshal certificate chain: %w`, err)
certs := make([][]byte, len(tmp))
for i, cert := range tmp {
certs[i] = []byte(cert)
cc.certificates = certs
return nil
// Get returns the n-th ASN.1 DER + base64 encoded certificate
// stored. `false` will be returned in the second argument if
// the corresponding index is out of range.
func (cc *Chain) Get(index int) ([]byte, bool) {
if index < 0 || index > len(cc.certificates) {
return nil, false
return cc.certificates[index], true
// Len returns the number of certificates stored in this Chain
func (cc *Chain) Len() int {
return len(cc.certificates)
var pemStart = []byte("----- BEGIN CERTIFICATE -----")
var pemEnd = []byte("----- END CERTIFICATE -----")
func (cc *Chain) AddString(der string) error {
return cc.Add([]byte(der))
func (cc *Chain) Add(der []byte) error {
// We're going to be nice and remove marker lines if they
// give it to us
der = bytes.TrimPrefix(der, pemStart)
der = bytes.TrimSuffix(der, pemEnd)
der = bytes.TrimSpace(der)
cc.certificates = append(cc.certificates, der)
return nil

View File

@ -0,0 +1,2 @@
allow_coverage_offsets: true

View File

@ -4,8 +4,7 @@ import (
"bytes" "bytes"
"encoding/base64" "encoding/base64"
"encoding/binary" "encoding/binary"
) )
func Encode(src []byte) []byte { func Encode(src []byte) []byte {
@ -56,7 +55,7 @@ func Decode(src []byte) ([]byte, error) {
dst := make([]byte, enc.DecodedLen(len(src))) dst := make([]byte, enc.DecodedLen(len(src)))
n, err := enc.Decode(dst, src) n, err := enc.Decode(dst, src)
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to decode source`) return nil, fmt.Errorf(`failed to decode source: %w`, err)
} }
return dst[:n], nil return dst[:n], nil
} }

@ -7,7 +7,7 @@ import (
"math/big" "math/big"
"sync" "sync"
"github.com/lestrrat-go/jwx/jwa" "github.com/lestrrat-go/jwx/v2/jwa"
) )
// data for available curves. Some algorithms may be compiled in/out // data for available curves. Some algorithms may be compiled in/out

View File

@ -2,9 +2,9 @@ package iter
import ( import (
"context" "context"
"github.com/lestrrat-go/iter/mapiter" "github.com/lestrrat-go/iter/mapiter"
) )
// MapVisitor is a specialized visitor for our purposes. // MapVisitor is a specialized visitor for our purposes.
@ -30,7 +30,7 @@ func WalkMap(ctx context.Context, src mapiter.Source, visitor MapVisitor) error
func AsMap(ctx context.Context, src mapiter.Source) (map[string]interface{}, error) { func AsMap(ctx context.Context, src mapiter.Source) (map[string]interface{}, error) {
var m map[string]interface{} var m map[string]interface{}
if err := mapiter.AsMap(ctx, src, &m); err != nil { if err := mapiter.AsMap(ctx, src, &m); err != nil {
return nil, errors.Wrap(err, `mapiter.AsMap failed`) return nil, fmt.Errorf(`mapiter.AsMap failed: %w`, err)
} }
return m, nil return m, nil
} }

@ -2,11 +2,12 @@ package json
import ( import (
"bytes" "bytes"
"sync" "sync"
"sync/atomic" "sync/atomic"
"github.com/lestrrat-go/jwx/internal/base64" "github.com/lestrrat-go/jwx/v2/internal/base64"
) )
var muGlobalConfig sync.RWMutex var muGlobalConfig sync.RWMutex
@ -29,12 +30,12 @@ func Unmarshal(b []byte, v interface{}) error {
func AssignNextBytesToken(dst *[]byte, dec *Decoder) error { func AssignNextBytesToken(dst *[]byte, dec *Decoder) error {
var val string var val string
if err := dec.Decode(&val); err != nil { if err := dec.Decode(&val); err != nil {
return errors.Wrap(err, `error reading next value`) return fmt.Errorf(`error reading next value: %w`, err)
} }
buf, err := base64.DecodeString(val) buf, err := base64.DecodeString(val)
if err != nil { if err != nil {
return errors.Errorf(`expected base64 encoded []byte (%T)`, val) return fmt.Errorf(`expected base64 encoded []byte (%T)`, val)
} }
*dst = buf *dst = buf
return nil return nil
@ -43,7 +44,7 @@ func AssignNextBytesToken(dst *[]byte, dec *Decoder) error {
func ReadNextStringToken(dec *Decoder) (string, error) { func ReadNextStringToken(dec *Decoder) (string, error) {
var val string var val string
if err := dec.Decode(&val); err != nil { if err := dec.Decode(&val); err != nil {
return "", errors.Wrap(err, `error reading next value`) return "", fmt.Errorf(`error reading next value: %w`, err)
} }
return val, nil return val, nil
} }
@ -103,3 +104,10 @@ func NewDecodeCtx(r *Registry) DecodeCtx {
func (dc *decodeCtx) Registry() *Registry { func (dc *decodeCtx) Registry() *Registry {
return dc.registry return dc.registry
} }
func Dump(v interface{}) {
enc := NewEncoder(os.Stdout)
enc.SetIndent("", " ")
_ = enc.Encode(v)

View File

@ -1,10 +1,9 @@
package json package json
import ( import (
"reflect" "reflect"
"sync" "sync"
) )
type Registry struct { type Registry struct {
@ -40,14 +39,14 @@ func (r *Registry) Decode(dec *Decoder, name string) (interface{}, error) {
if typ, ok := r.data[name]; ok { if typ, ok := r.data[name]; ok {
ptr := reflect.New(typ).Interface() ptr := reflect.New(typ).Interface()
if err := dec.Decode(ptr); err != nil { if err := dec.Decode(ptr); err != nil {
return nil, errors.Wrapf(err, `failed to decode field %s`, name) return nil, fmt.Errorf(`failed to decode field %s: %w`, name, err)
} }
return reflect.ValueOf(ptr).Elem().Interface(), nil return reflect.ValueOf(ptr).Elem().Interface(), nil
} }
var decoded interface{} var decoded interface{}
if err := dec.Decode(&decoded); err != nil { if err := dec.Decode(&decoded); err != nil {
return nil, errors.Wrapf(err, `failed to decode field %s`, name) return nil, fmt.Errorf(`failed to decode field %s: %w`, name, err)
} }
return decoded, nil return decoded, nil
} }

@ -4,10 +4,10 @@ import (
"crypto" "crypto"
"crypto/ecdsa" "crypto/ecdsa"
"crypto/rsa" "crypto/rsa"
"github.com/lestrrat-go/blackmagic" "github.com/lestrrat-go/blackmagic"
"github.com/lestrrat-go/jwx/jwk" "github.com/lestrrat-go/jwx/v2/jwk"
"golang.org/x/crypto/ed25519" "golang.org/x/crypto/ed25519"
) )
@ -18,7 +18,7 @@ func RSAPrivateKey(dst, src interface{}) error {
if jwkKey, ok := src.(jwk.Key); ok { if jwkKey, ok := src.(jwk.Key); ok {
var raw rsa.PrivateKey var raw rsa.PrivateKey
if err := jwkKey.Raw(&raw); err != nil { if err := jwkKey.Raw(&raw); err != nil {
return errors.Wrapf(err, `failed to produce rsa.PrivateKey from %T`, src) return fmt.Errorf(`failed to produce rsa.PrivateKey from %T: %w`, src, err)
} }
src = &raw src = &raw
} }
@ -30,7 +30,7 @@ func RSAPrivateKey(dst, src interface{}) error {
case *rsa.PrivateKey: case *rsa.PrivateKey:
ptr = src ptr = src
default: default:
return errors.Errorf(`expected rsa.PrivateKey or *rsa.PrivateKey, got %T`, src) return fmt.Errorf(`expected rsa.PrivateKey or *rsa.PrivateKey, got %T`, src)
} }
return blackmagic.AssignIfCompatible(dst, ptr) return blackmagic.AssignIfCompatible(dst, ptr)
@ -43,7 +43,7 @@ func RSAPublicKey(dst, src interface{}) error {
if jwkKey, ok := src.(jwk.Key); ok { if jwkKey, ok := src.(jwk.Key); ok {
var raw rsa.PublicKey var raw rsa.PublicKey
if err := jwkKey.Raw(&raw); err != nil { if err := jwkKey.Raw(&raw); err != nil {
return errors.Wrapf(err, `failed to produce rsa.PublicKey from %T`, src) return fmt.Errorf(`failed to produce rsa.PublicKey from %T: %w`, src, err)
} }
src = &raw src = &raw
} }
@ -55,7 +55,7 @@ func RSAPublicKey(dst, src interface{}) error {
case *rsa.PublicKey: case *rsa.PublicKey:
ptr = src ptr = src
default: default:
return errors.Errorf(`expected rsa.PublicKey or *rsa.PublicKey, got %T`, src) return fmt.Errorf(`expected rsa.PublicKey or *rsa.PublicKey, got %T`, src)
} }
return blackmagic.AssignIfCompatible(dst, ptr) return blackmagic.AssignIfCompatible(dst, ptr)
@ -67,7 +67,7 @@ func ECDSAPrivateKey(dst, src interface{}) error {
if jwkKey, ok := src.(jwk.Key); ok { if jwkKey, ok := src.(jwk.Key); ok {
var raw ecdsa.PrivateKey var raw ecdsa.PrivateKey
if err := jwkKey.Raw(&raw); err != nil { if err := jwkKey.Raw(&raw); err != nil {
return errors.Wrapf(err, `failed to produce ecdsa.PrivateKey from %T`, src) return fmt.Errorf(`failed to produce ecdsa.PrivateKey from %T: %w`, src, err)
} }
src = &raw src = &raw
} }
@ -79,7 +79,7 @@ func ECDSAPrivateKey(dst, src interface{}) error {
case *ecdsa.PrivateKey: case *ecdsa.PrivateKey:
ptr = src ptr = src
default: default:
return errors.Errorf(`expected ecdsa.PrivateKey or *ecdsa.PrivateKey, got %T`, src) return fmt.Errorf(`expected ecdsa.PrivateKey or *ecdsa.PrivateKey, got %T`, src)
} }
return blackmagic.AssignIfCompatible(dst, ptr) return blackmagic.AssignIfCompatible(dst, ptr)
} }
@ -90,7 +90,7 @@ func ECDSAPublicKey(dst, src interface{}) error {
if jwkKey, ok := src.(jwk.Key); ok { if jwkKey, ok := src.(jwk.Key); ok {
var raw ecdsa.PublicKey var raw ecdsa.PublicKey
if err := jwkKey.Raw(&raw); err != nil { if err := jwkKey.Raw(&raw); err != nil {
return errors.Wrapf(err, `failed to produce ecdsa.PublicKey from %T`, src) return fmt.Errorf(`failed to produce ecdsa.PublicKey from %T: %w`, src, err)
} }
src = &raw src = &raw
} }
@ -102,7 +102,7 @@ func ECDSAPublicKey(dst, src interface{}) error {
case *ecdsa.PublicKey: case *ecdsa.PublicKey:
ptr = src ptr = src
default: default:
return errors.Errorf(`expected ecdsa.PublicKey or *ecdsa.PublicKey, got %T`, src) return fmt.Errorf(`expected ecdsa.PublicKey or *ecdsa.PublicKey, got %T`, src)
} }
return blackmagic.AssignIfCompatible(dst, ptr) return blackmagic.AssignIfCompatible(dst, ptr)
} }
@ -111,13 +111,13 @@ func ByteSliceKey(dst, src interface{}) error {
if jwkKey, ok := src.(jwk.Key); ok { if jwkKey, ok := src.(jwk.Key); ok {
var raw []byte var raw []byte
if err := jwkKey.Raw(&raw); err != nil { if err := jwkKey.Raw(&raw); err != nil {
return errors.Wrapf(err, `failed to produce []byte from %T`, src) return fmt.Errorf(`failed to produce []byte from %T: %w`, src, err)
} }
src = raw src = raw
} }
if _, ok := src.([]byte); !ok { if _, ok := src.([]byte); !ok {
return errors.Errorf(`expected []byte, got %T`, src) return fmt.Errorf(`expected []byte, got %T`, src)
} }
return blackmagic.AssignIfCompatible(dst, src) return blackmagic.AssignIfCompatible(dst, src)
} }
@ -126,7 +126,7 @@ func Ed25519PrivateKey(dst, src interface{}) error {
if jwkKey, ok := src.(jwk.Key); ok { if jwkKey, ok := src.(jwk.Key); ok {
var raw ed25519.PrivateKey var raw ed25519.PrivateKey
if err := jwkKey.Raw(&raw); err != nil { if err := jwkKey.Raw(&raw); err != nil {
return errors.Wrapf(err, `failed to produce ed25519.PrivateKey from %T`, src) return fmt.Errorf(`failed to produce ed25519.PrivateKey from %T: %w`, src, err)
} }
src = &raw src = &raw
} }
@ -138,7 +138,7 @@ func Ed25519PrivateKey(dst, src interface{}) error {
case *ed25519.PrivateKey: case *ed25519.PrivateKey:
ptr = src ptr = src
default: default:
return errors.Errorf(`expected ed25519.PrivateKey or *ed25519.PrivateKey, got %T`, src) return fmt.Errorf(`expected ed25519.PrivateKey or *ed25519.PrivateKey, got %T`, src)
} }
return blackmagic.AssignIfCompatible(dst, ptr) return blackmagic.AssignIfCompatible(dst, ptr)
} }
@ -147,7 +147,7 @@ func Ed25519PublicKey(dst, src interface{}) error {
if jwkKey, ok := src.(jwk.Key); ok { if jwkKey, ok := src.(jwk.Key); ok {
var raw ed25519.PublicKey var raw ed25519.PublicKey
if err := jwkKey.Raw(&raw); err != nil { if err := jwkKey.Raw(&raw); err != nil {
return errors.Wrapf(err, `failed to produce ed25519.PublicKey from %T`, src) return fmt.Errorf(`failed to produce ed25519.PublicKey from %T: %w`, src, err)
} }
src = &raw src = &raw
} }
@ -161,17 +161,17 @@ func Ed25519PublicKey(dst, src interface{}) error {
case *crypto.PublicKey: case *crypto.PublicKey:
tmp, ok := (*src).(ed25519.PublicKey) tmp, ok := (*src).(ed25519.PublicKey)
if !ok { if !ok {
return errors.New(`failed to retrieve ed25519.PublicKey out of *crypto.PublicKey`) return fmt.Errorf(`failed to retrieve ed25519.PublicKey out of *crypto.PublicKey`)
} }
ptr = &tmp ptr = &tmp
case crypto.PublicKey: case crypto.PublicKey:
tmp, ok := src.(ed25519.PublicKey) tmp, ok := src.(ed25519.PublicKey)
if !ok { if !ok {
return errors.New(`failed to retrieve ed25519.PublicKey out of crypto.PublicKey`) return fmt.Errorf(`failed to retrieve ed25519.PublicKey out of crypto.PublicKey`)
} }
ptr = &tmp ptr = &tmp
default: default:
return errors.Errorf(`expected ed25519.PublicKey or *ed25519.PublicKey, got %T`, src) return fmt.Errorf(`expected ed25519.PublicKey or *ed25519.PublicKey, got %T`, src)
} }
return blackmagic.AssignIfCompatible(dst, ptr) return blackmagic.AssignIfCompatible(dst, ptr)
} }

View File

@ -0,0 +1,3 @@
# JWA [![Go Reference](https://pkg.go.dev/badge/github.com/lestrrat-go/jwx/v2/jwa.svg)](https://pkg.go.dev/github.com/lestrrat-go/jwx/v2/jwa)
Package [github.com/lestrrat-go/jwx/v2/jwa](./jwa) defines the various algorithm described in [RFC7518](https://tools.ietf.org/html/rfc7518)

View File

@ -6,8 +6,6 @@ import (
"fmt" "fmt"
"sort" "sort"
"sync" "sync"
) )
// CompressionAlgorithm represents the compression algorithms as described in https://tools.ietf.org/html/rfc7518#section-7.3 // CompressionAlgorithm represents the compression algorithms as described in https://tools.ietf.org/html/rfc7518#section-7.3
@ -55,12 +53,12 @@ func (v *CompressionAlgorithm) Accept(value interface{}) error {
case string: case string:
s = x s = x
default: default:
return errors.Errorf(`invalid type for jwa.CompressionAlgorithm: %T`, value) return fmt.Errorf(`invalid type for jwa.CompressionAlgorithm: %T`, value)
} }
tmp = CompressionAlgorithm(s) tmp = CompressionAlgorithm(s)
} }
if _, ok := allCompressionAlgorithms[tmp]; !ok { if _, ok := allCompressionAlgorithms[tmp]; !ok {
return errors.Errorf(`invalid jwa.CompressionAlgorithm value`) return fmt.Errorf(`invalid jwa.CompressionAlgorithm value`)
} }
*v = tmp *v = tmp

View File

@ -6,8 +6,6 @@ import (
"fmt" "fmt"
"sort" "sort"
"sync" "sync"
) )
// ContentEncryptionAlgorithm represents the various encryption algorithms as described in https://tools.ietf.org/html/rfc7518#section-5 // ContentEncryptionAlgorithm represents the various encryption algorithms as described in https://tools.ietf.org/html/rfc7518#section-5
@ -63,12 +61,12 @@ func (v *ContentEncryptionAlgorithm) Accept(value interface{}) error {
case string: case string:
s = x s = x
default: default:
return errors.Errorf(`invalid type for jwa.ContentEncryptionAlgorithm: %T`, value) return fmt.Errorf(`invalid type for jwa.ContentEncryptionAlgorithm: %T`, value)
} }
tmp = ContentEncryptionAlgorithm(s) tmp = ContentEncryptionAlgorithm(s)
} }
if _, ok := allContentEncryptionAlgorithms[tmp]; !ok { if _, ok := allContentEncryptionAlgorithms[tmp]; !ok {
return errors.Errorf(`invalid jwa.ContentEncryptionAlgorithm value`) return fmt.Errorf(`invalid jwa.ContentEncryptionAlgorithm value`)
} }
*v = tmp *v = tmp

View File

@ -6,8 +6,6 @@ import (
"fmt" "fmt"
"sort" "sort"
"sync" "sync"
) )
// EllipticCurveAlgorithm represents the algorithms used for EC keys // EllipticCurveAlgorithm represents the algorithms used for EC keys
@ -66,12 +64,12 @@ func (v *EllipticCurveAlgorithm) Accept(value interface{}) error {
case string: case string:
s = x s = x
default: default:
return errors.Errorf(`invalid type for jwa.EllipticCurveAlgorithm: %T`, value) return fmt.Errorf(`invalid type for jwa.EllipticCurveAlgorithm: %T`, value)
} }
tmp = EllipticCurveAlgorithm(s) tmp = EllipticCurveAlgorithm(s)
} }
if _, ok := allEllipticCurveAlgorithms[tmp]; !ok { if _, ok := allEllipticCurveAlgorithms[tmp]; !ok {
return errors.Errorf(`invalid jwa.EllipticCurveAlgorithm value`) return fmt.Errorf(`invalid jwa.EllipticCurveAlgorithm value`)
} }
*v = tmp *v = tmp

vendor/github.com/lestrrat-go/jwx/v2/jwa/jwa.go generated vendored Normal file
View File

@ -0,0 +1,61 @@
//go:generate ../tools/cmd/genjwa.sh
// Package jwa defines the various algorithm described in https://tools.ietf.org/html/rfc7518
package jwa
import "fmt"
// KeyAlgorithm is a workaround for jwk.Key being able to contain different
// types of algorithms in its `alg` field.
// Previously the storage for the `alg` field was represented as a string,
// but this caused some users to wonder why the field was not typed appropriately
// like other fields.
// Ideally we would like to keep track of Signature Algorithms and
// Content Encryption Algorithms separately, and force the APIs to
// type-check at compile time, but this allows users to pass a value from a
// jwk.Key directly
type KeyAlgorithm interface {
String() string
// InvalidKeyAlgorithm represents an algorithm that the library is not aware of.
type InvalidKeyAlgorithm string
func (s InvalidKeyAlgorithm) String() string {
return string(s)
func (InvalidKeyAlgorithm) Accept(_ interface{}) error {
return fmt.Errorf(`jwa.InvalidKeyAlgorithm does not support Accept() method calls`)
// KeyAlgorithmFrom takes either a string, `jwa.SignatureAlgorithm` or `jwa.KeyEncryptionAlgorithm`
// and returns a `jwa.KeyAlgorithm`.
// If the value cannot be handled, it returns an `jwa.InvalidKeyAlgorithm`
// object instead of returning an error. This design choice was made to allow
// users to directly pass the return value to functions such as `jws.Sign()`
func KeyAlgorithmFrom(v interface{}) KeyAlgorithm {
switch v := v.(type) {
case SignatureAlgorithm:
return v
case KeyEncryptionAlgorithm:
return v
case string:
var salg SignatureAlgorithm
if err := salg.Accept(v); err == nil {
return salg
var kealg KeyEncryptionAlgorithm
if err := kealg.Accept(v); err == nil {
return kealg
return InvalidKeyAlgorithm(v)
return InvalidKeyAlgorithm(fmt.Sprintf("%s", v))

@ -6,8 +6,6 @@ import (
"fmt" "fmt"
"sort" "sort"
"sync" "sync"
) )
// KeyEncryptionAlgorithm represents the various encryption algorithms as described in https://tools.ietf.org/html/rfc7518#section-4.1 // KeyEncryptionAlgorithm represents the various encryption algorithms as described in https://tools.ietf.org/html/rfc7518#section-4.1
@ -85,12 +83,12 @@ func (v *KeyEncryptionAlgorithm) Accept(value interface{}) error {
case string: case string:
s = x s = x
default: default:
return errors.Errorf(`invalid type for jwa.KeyEncryptionAlgorithm: %T`, value) return fmt.Errorf(`invalid type for jwa.KeyEncryptionAlgorithm: %T`, value)
} }
tmp = KeyEncryptionAlgorithm(s) tmp = KeyEncryptionAlgorithm(s)
} }
if _, ok := allKeyEncryptionAlgorithms[tmp]; !ok { if _, ok := allKeyEncryptionAlgorithms[tmp]; !ok {
return errors.Errorf(`invalid jwa.KeyEncryptionAlgorithm value`) return fmt.Errorf(`invalid jwa.KeyEncryptionAlgorithm value`)
} }
*v = tmp *v = tmp

View File

@ -6,8 +6,6 @@ import(
"fmt" "fmt"
"sort" "sort"
"sync" "sync"
) )
// KeyType represents the key type ("kty") that are supported // KeyType represents the key type ("kty") that are supported
@ -60,12 +58,12 @@ func (v *KeyType) Accept(value interface{}) error {
case string: case string:
s = x s = x
default: default:
return errors.Errorf(`invalid type for jwa.KeyType: %T`, value) return fmt.Errorf(`invalid type for jwa.KeyType: %T`, value)
} }
tmp = KeyType(s) tmp = KeyType(s)
} }
if _, ok := allKeyTypes[tmp]; !ok { if _, ok := allKeyTypes[tmp]; !ok {
return errors.Errorf(`invalid jwa.KeyType value`) return fmt.Errorf(`invalid jwa.KeyType value`)
} }
*v = tmp *v = tmp

@ -6,8 +6,6 @@ import(
"fmt" "fmt"
"sort" "sort"
"sync" "sync"
) )
// SignatureAlgorithm represents the various signature algorithms as described in https://tools.ietf.org/html/rfc7518#section-3.1 // SignatureAlgorithm represents the various signature algorithms as described in https://tools.ietf.org/html/rfc7518#section-3.1
@ -81,12 +79,12 @@ func (v *SignatureAlgorithm) Accept(value interface{}) error {
case string: case string:
s = x s = x
default: default:
return errors.Errorf(`invalid type for jwa.SignatureAlgorithm: %T`, value) return fmt.Errorf(`invalid type for jwa.SignatureAlgorithm: %T`, value)
} }
tmp = SignatureAlgorithm(s) tmp = SignatureAlgorithm(s)
} }
if _, ok := allSignatureAlgorithms[tmp]; !ok { if _, ok := allSignatureAlgorithms[tmp]; !ok {
return errors.Errorf(`invalid jwa.SignatureAlgorithm value`) return fmt.Errorf(`invalid jwa.SignatureAlgorithm value`)
} }
*v = tmp *v = tmp

@ -1,4 +1,4 @@
@ -1,4 +1,4 @@
Package jwe implements JWE as described in [RFC7516](https://tools.ietf.org/html/rfc7516) Package jwe implements JWE as described in [RFC7516](https://tools.ietf.org/html/rfc7516)
@ -59,7 +59,7 @@ func ExampleEncrypt() {
payload := []byte("Lorem Ipsum") payload := []byte("Lorem Ipsum")
encrypted, err := jwe.Encrypt(payload, jwa.RSA1_5, &privkey.PublicKey, jwa.A128CBC_HS256, jwa.NoCompress) encrypted, err := jwe.Encrypt(payload, jwe.WithKey(jwa.RSA1_5, &privkey.PublicKey), jwe.WithContentEncryption(jwa.A128CBC_HS256))
if err != nil { if err != nil {
log.Printf("failed to encrypt payload: %s", err) log.Printf("failed to encrypt payload: %s", err)
return return
@ -79,7 +79,7 @@ func ExampleDecrypt() {
return return
} }
decrypted, err := jwe.Decrypt(encrypted, jwa.RSA1_5, privkey) decrypted, err := jwe.Decrypt(encrypted, jwe.WithKey(jwa.RSA1_5, privkey))
if err != nil { if err != nil {
log.Printf("failed to decrypt: %s", err) log.Printf("failed to decrypt: %s", err)
return return

View File

@ -0,0 +1,36 @@
package jwe
import (
func uncompress(plaintext []byte) ([]byte, error) {
return io.ReadAll(flate.NewReader(bytes.NewReader(plaintext)))
func compress(plaintext []byte) ([]byte, error) {
buf := pool.GetBytesBuffer()
defer pool.ReleaseBytesBuffer(buf)
w, _ := flate.NewWriter(buf, 1)
in := plaintext
for len(in) > 0 {
n, err := w.Write(in)
if err != nil {
return nil, fmt.Errorf(`failed to write to compression writer: %w`, err)
in = in[n:]
if err := w.Close(); err != nil {
return nil, fmt.Errorf(`failed to close compression writer: %w`, err)
ret := make([]byte, buf.Len())
copy(ret, buf.Bytes())
return ret, nil

@ -7,23 +7,23 @@ import(
"crypto/rsa" "crypto/rsa"
"crypto/sha256" "crypto/sha256"
"crypto/sha512" "crypto/sha512"
"hash" "hash"
"golang.org/x/crypto/pbkdf2" "golang.org/x/crypto/pbkdf2"
"github.com/lestrrat-go/jwx/internal/keyconv" "github.com/lestrrat-go/jwx/v2/internal/keyconv"
"github.com/lestrrat-go/jwx/jwa" "github.com/lestrrat-go/jwx/v2/jwa"
"github.com/lestrrat-go/jwx/jwe/internal/cipher" "github.com/lestrrat-go/jwx/v2/jwe/internal/cipher"
"github.com/lestrrat-go/jwx/jwe/internal/content_crypt" "github.com/lestrrat-go/jwx/v2/jwe/internal/content_crypt"
"github.com/lestrrat-go/jwx/jwe/internal/keyenc" "github.com/lestrrat-go/jwx/v2/jwe/internal/keyenc"
"github.com/lestrrat-go/jwx/x25519" "github.com/lestrrat-go/jwx/v2/x25519"
) )
// Decrypter is responsible for taking various components to decrypt a message. // decrypter is responsible for taking various components to decrypt a message.
// its operation is not concurrency safe. You must provide locking yourself // its operation is not concurrency safe. You must provide locking yourself
//nolint:govet //nolint:govet
aad []byte aad []byte
apu []byte apu []byte
apv []byte apv []byte
@ -41,7 +41,7 @@ type Decrypter struct {
keycount int keycount int
} }
// NewDecrypter Creates a new Decrypter instance. You must supply the // newDecrypter Creates a new Decrypter instance. You must supply the
// rest of parameters via their respective setter methods before // rest of parameters via their respective setter methods before
// calling Decrypt(). // calling Decrypt().
// //
@ -49,103 +49,103 @@ type Decrypter struct {
// *rsa.PrivateKey, instead of jwk.Key) // *rsa.PrivateKey, instead of jwk.Key)
// //
// You should consider this object immutable once you assign values to it. // You should consider this object immutable once you assign values to it.
func NewDecrypter(keyalg jwa.KeyEncryptionAlgorithm, ctalg jwa.ContentEncryptionAlgorithm, privkey interface{}) *Decrypter { func newDecrypter(keyalg jwa.KeyEncryptionAlgorithm, ctalg jwa.ContentEncryptionAlgorithm, privkey interface{}) *decrypter {
return &Decrypter{ return &decrypter{
ctalg: ctalg, ctalg: ctalg,
keyalg: keyalg, keyalg: keyalg,
privkey: privkey, privkey: privkey,
} }
} }
func (d *Decrypter) AgreementPartyUInfo(apu []byte) *Decrypter { func (d *decrypter) AgreementPartyUInfo(apu []byte) *decrypter {
d.apu = apu d.apu = apu
return d return d
} }
func (d *Decrypter) AgreementPartyVInfo(apv []byte) *Decrypter { func (d *decrypter) AgreementPartyVInfo(apv []byte) *decrypter {
d.apv = apv d.apv = apv
return d return d
} }
func (d *Decrypter) AuthenticatedData(aad []byte) *Decrypter { func (d *decrypter) AuthenticatedData(aad []byte) *decrypter {
d.aad = aad d.aad = aad
return d return d
} }
func (d *Decrypter) ComputedAuthenticatedData(aad []byte) *Decrypter { func (d *decrypter) ComputedAuthenticatedData(aad []byte) *decrypter {
d.computedAad = aad d.computedAad = aad
return d return d
} }
func (d *Decrypter) ContentEncryptionAlgorithm(ctalg jwa.ContentEncryptionAlgorithm) *Decrypter { func (d *decrypter) ContentEncryptionAlgorithm(ctalg jwa.ContentEncryptionAlgorithm) *decrypter {
d.ctalg = ctalg d.ctalg = ctalg
return d return d
} }
func (d *Decrypter) InitializationVector(iv []byte) *Decrypter { func (d *decrypter) InitializationVector(iv []byte) *decrypter {
d.iv = iv d.iv = iv
return d return d
} }
func (d *Decrypter) KeyCount(keycount int) *Decrypter { func (d *decrypter) KeyCount(keycount int) *decrypter {
d.keycount = keycount d.keycount = keycount
return d return d
} }
func (d *Decrypter) KeyInitializationVector(keyiv []byte) *Decrypter { func (d *decrypter) KeyInitializationVector(keyiv []byte) *decrypter {
d.keyiv = keyiv d.keyiv = keyiv
return d return d
} }
func (d *Decrypter) KeySalt(keysalt []byte) *Decrypter { func (d *decrypter) KeySalt(keysalt []byte) *decrypter {
d.keysalt = keysalt d.keysalt = keysalt
return d return d
} }
func (d *Decrypter) KeyTag(keytag []byte) *Decrypter { func (d *decrypter) KeyTag(keytag []byte) *decrypter {
d.keytag = keytag d.keytag = keytag
return d return d
} }
// PublicKey sets the public key to be used in decoding EC based encryptions. // PublicKey sets the public key to be used in decoding EC based encryptions.
// The key must be in its "raw" format (i.e. *ecdsa.PublicKey, instead of jwk.Key) // The key must be in its "raw" format (i.e. *ecdsa.PublicKey, instead of jwk.Key)
func (d *Decrypter) PublicKey(pubkey interface{}) *Decrypter { func (d *decrypter) PublicKey(pubkey interface{}) *decrypter {
d.pubkey = pubkey d.pubkey = pubkey
return d return d
} }
func (d *Decrypter) Tag(tag []byte) *Decrypter { func (d *decrypter) Tag(tag []byte) *decrypter {
d.tag = tag d.tag = tag
return d return d
} }
func (d *Decrypter) ContentCipher() (content_crypt.Cipher, error) { func (d *decrypter) ContentCipher() (content_crypt.Cipher, error) {
if d.cipher == nil { if d.cipher == nil {
switch d.ctalg { switch d.ctalg {
case jwa.A128GCM, jwa.A192GCM, jwa.A256GCM, jwa.A128CBC_HS256, jwa.A192CBC_HS384, jwa.A256CBC_HS512: case jwa.A128GCM, jwa.A192GCM, jwa.A256GCM, jwa.A128CBC_HS256, jwa.A192CBC_HS384, jwa.A256CBC_HS512:
cipher, err := cipher.NewAES(d.ctalg) cipher, err := cipher.NewAES(d.ctalg)
if err != nil { if err != nil {
return nil, errors.Wrapf(err, `failed to build content cipher for %s`, d.ctalg) return nil, fmt.Errorf(`failed to build content cipher for %s: %w`, d.ctalg, err)
} }
d.cipher = cipher d.cipher = cipher
default: default:
return nil, errors.Errorf(`invalid content cipher algorithm (%s)`, d.ctalg) return nil, fmt.Errorf(`invalid content cipher algorithm (%s)`, d.ctalg)
} }
} }
return d.cipher, nil return d.cipher, nil
} }
func (d *Decrypter) Decrypt(recipientKey, ciphertext []byte) (plaintext []byte, err error) { func (d *decrypter) Decrypt(recipientKey, ciphertext []byte) (plaintext []byte, err error) {
cek, keyerr := d.DecryptKey(recipientKey) cek, keyerr := d.DecryptKey(recipientKey)
if keyerr != nil { if keyerr != nil {
err = errors.Wrap(keyerr, `failed to decrypt key`) err = fmt.Errorf(`failed to decrypt key: %w`, keyerr)
return return
} }
cipher, ciphererr := d.ContentCipher() cipher, ciphererr := d.ContentCipher()
if ciphererr != nil { if ciphererr != nil {
err = errors.Wrap(ciphererr, `failed to fetch content crypt cipher`) err = fmt.Errorf(`failed to fetch content crypt cipher: %w`, ciphererr)
return return
} }
@ -156,14 +156,14 @@ func (d *Decrypter) Decrypt(recipientKey, ciphertext []byte) (plaintext []byte,
plaintext, err = cipher.Decrypt(cek, d.iv, ciphertext, d.tag, computedAad) plaintext, err = cipher.Decrypt(cek, d.iv, ciphertext, d.tag, computedAad)
if err != nil { if err != nil {
err = errors.Wrap(err, `failed to decrypt payload`) err = fmt.Errorf(`failed to decrypt payload: %w`, err)
return return
} }
return plaintext, nil return plaintext, nil
} }
func (d *Decrypter) decryptSymmetricKey(recipientKey, cek []byte) ([]byte, error) { func (d *decrypter) decryptSymmetricKey(recipientKey, cek []byte) ([]byte, error) {
switch d.keyalg { switch d.keyalg {
case jwa.DIRECT: case jwa.DIRECT:
return cek, nil return cek, nil
@ -189,48 +189,48 @@ func (d *Decrypter) decryptSymmetricKey(recipientKey, cek []byte) ([]byte, error
case jwa.A128KW, jwa.A192KW, jwa.A256KW: case jwa.A128KW, jwa.A192KW, jwa.A256KW:
block, err := aes.NewCipher(cek) block, err := aes.NewCipher(cek)
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to create new AES cipher`) return nil, fmt.Errorf(`failed to create new AES cipher: %w`, err)
} }
jek, err := keyenc.Unwrap(block, recipientKey) jek, err := keyenc.Unwrap(block, recipientKey)
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to unwrap key`) return nil, fmt.Errorf(`failed to unwrap key: %w`, err)
} }
return jek, nil return jek, nil
case jwa.A128GCMKW, jwa.A192GCMKW, jwa.A256GCMKW: case jwa.A128GCMKW, jwa.A192GCMKW, jwa.A256GCMKW:
if len(d.keyiv) != 12 { if len(d.keyiv) != 12 {
return nil, errors.Errorf("GCM requires 96-bit iv, got %d", len(d.keyiv)*8) return nil, fmt.Errorf("GCM requires 96-bit iv, got %d", len(d.keyiv)*8)
} }
if len(d.keytag) != 16 { if len(d.keytag) != 16 {
return nil, errors.Errorf("GCM requires 128-bit tag, got %d", len(d.keytag)*8) return nil, fmt.Errorf("GCM requires 128-bit tag, got %d", len(d.keytag)*8)
} }
block, err := aes.NewCipher(cek) block, err := aes.NewCipher(cek)
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to create new AES cipher`) return nil, fmt.Errorf(`failed to create new AES cipher: %w`, err)
} }
aesgcm, err := cryptocipher.NewGCM(block) aesgcm, err := cryptocipher.NewGCM(block)
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to create new GCM wrap`) return nil, fmt.Errorf(`failed to create new GCM wrap: %w`, err)
} }
ciphertext := recipientKey[:] ciphertext := recipientKey[:]
ciphertext = append(ciphertext, d.keytag...) ciphertext = append(ciphertext, d.keytag...)
jek, err := aesgcm.Open(nil, d.keyiv, ciphertext, nil) jek, err := aesgcm.Open(nil, d.keyiv, ciphertext, nil)
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to decode key`) return nil, fmt.Errorf(`failed to decode key: %w`, err)
} }
return jek, nil return jek, nil
default: default:
return nil, errors.Errorf("decrypt key: unsupported algorithm %s", d.keyalg) return nil, fmt.Errorf("decrypt key: unsupported algorithm %s", d.keyalg)
} }
} }
@ -156,14 +156,14 @@ func (d *Decrypter) Decrypt(recipientKey, ciphertext []byte) (plaintext []byte,
if d.keyalg.IsSymmetric() { if d.keyalg.IsSymmetric() {
var ok bool var ok bool
cek, ok = d.privkey.([]byte) cek, ok = d.privkey.([]byte)
if !ok { if !ok {
return nil, errors.Errorf("decrypt key: []byte is required as the key to build %s key decrypter (got %T)", d.keyalg, d.privkey) return nil, fmt.Errorf("decrypt key: []byte is required as the key to build %s key decrypter (got %T)", d.keyalg, d.privkey)
} }
return d.decryptSymmetricKey(recipientKey, cek) return d.decryptSymmetricKey(recipientKey, cek)
@ -238,42 +238,42 @@ func (d *Decrypter) DecryptKey(recipientKey []byte) (cek []byte, err error) {
k, err := d.BuildKeyDecrypter() k, err := d.BuildKeyDecrypter()
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to build key decrypter`) return nil, fmt.Errorf(`failed to build key decrypter: %w`, err)
} }
cek, err = k.Decrypt(recipientKey) cek, err = k.Decrypt(recipientKey)
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to decrypt key`) return nil, fmt.Errorf(`failed to decrypt key: %w`, err)
} }
return cek, nil return cek, nil
} }
func (d *Decrypter) BuildKeyDecrypter() (keyenc.Decrypter, error) { func (d *decrypter) BuildKeyDecrypter() (keyenc.Decrypter, error) {
cipher, err := d.ContentCipher() cipher, err := d.ContentCipher()
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to fetch content crypt cipher`) return nil, fmt.Errorf(`failed to fetch content crypt cipher: %w`, err)
} }
switch alg := d.keyalg; alg { switch alg := d.keyalg; alg {
case jwa.RSA1_5: case jwa.RSA1_5:
var privkey rsa.PrivateKey var privkey rsa.PrivateKey
if err := keyconv.RSAPrivateKey(&privkey, d.privkey); err != nil { if err := keyconv.RSAPrivateKey(&privkey, d.privkey); err != nil {
return nil, errors.Wrapf(err, "*rsa.PrivateKey is required as the key to build %s key decrypter", alg) return nil, fmt.Errorf(`*rsa.PrivateKey is required as the key to build %s key decrypter: %w`, alg, err)
} }
return keyenc.NewRSAPKCS15Decrypt(alg, &privkey, cipher.KeySize()/2), nil return keyenc.NewRSAPKCS15Decrypt(alg, &privkey, cipher.KeySize()/2), nil
case jwa.RSA_OAEP, jwa.RSA_OAEP_256: case jwa.RSA_OAEP, jwa.RSA_OAEP_256:
var privkey rsa.PrivateKey var privkey rsa.PrivateKey
if err := keyconv.RSAPrivateKey(&privkey, d.privkey); err != nil { if err := keyconv.RSAPrivateKey(&privkey, d.privkey); err != nil {
return nil, errors.Wrapf(err, "*rsa.PrivateKey is required as the key to build %s key decrypter", alg) return nil, fmt.Errorf(`*rsa.PrivateKey is required as the key to build %s key decrypter: %w`, alg, err)
} }
return keyenc.NewRSAOAEPDecrypt(alg, &privkey) return keyenc.NewRSAOAEPDecrypt(alg, &privkey)
case jwa.A128KW, jwa.A192KW, jwa.A256KW: case jwa.A128KW, jwa.A192KW, jwa.A256KW:
sharedkey, ok := d.privkey.([]byte) sharedkey, ok := d.privkey.([]byte)
if !ok { if !ok {
return nil, errors.Errorf("[]byte is required as the key to build %s key decrypter", alg) return nil, fmt.Errorf("[]byte is required as the key to build %s key decrypter", alg)
} }
return keyenc.NewAES(alg, sharedkey) return keyenc.NewAES(alg, sharedkey)
@ -284,17 +284,17 @@ func (d *Decrypter) BuildKeyDecrypter() (keyenc.Decrypter, error) {
default: default:
var pubkey ecdsa.PublicKey var pubkey ecdsa.PublicKey
if err := keyconv.ECDSAPublicKey(&pubkey, d.pubkey); err != nil { if err := keyconv.ECDSAPublicKey(&pubkey, d.pubkey); err != nil {
return nil, errors.Wrapf(err, "*ecdsa.PublicKey is required as the key to build %s key decrypter", alg) return nil, fmt.Errorf(`*ecdsa.PublicKey is required as the key to build %s key decrypter: %w`, alg, err)
} }
var privkey ecdsa.PrivateKey var privkey ecdsa.PrivateKey
if err := keyconv.ECDSAPrivateKey(&privkey, d.privkey); err != nil { if err := keyconv.ECDSAPrivateKey(&privkey, d.privkey); err != nil {
return nil, errors.Wrapf(err, "*ecdsa.PrivateKey is required as the key to build %s key decrypter", alg) return nil, fmt.Errorf(`*ecdsa.PrivateKey is required as the key to build %s key decrypter: %w`, alg, err)
} }
return keyenc.NewECDHESDecrypt(alg, d.ctalg, &pubkey, d.apu, d.apv, &privkey), nil return keyenc.NewECDHESDecrypt(alg, d.ctalg, &pubkey, d.apu, d.apv, &privkey), nil
} }
default: default:
return nil, errors.Errorf(`unsupported algorithm for key decryption (%s)`, alg) return nil, fmt.Errorf(`unsupported algorithm for key decryption (%s)`, alg)
} }
} }

@ -2,13 +2,13 @@ package jwe
import ( import (
"context" "context"
"github.com/lestrrat-go/jwx/internal/base64" "github.com/lestrrat-go/jwx/v2/internal/base64"
"github.com/lestrrat-go/jwx/internal/json" "github.com/lestrrat-go/jwx/v2/internal/json"
"github.com/lestrrat-go/iter/mapiter" "github.com/lestrrat-go/iter/mapiter"
"github.com/lestrrat-go/jwx/internal/iter" "github.com/lestrrat-go/jwx/v2/internal/iter"
) )
type isZeroer interface { type isZeroer interface {
@ -64,7 +64,7 @@ func (h *stdHeaders) AsMap(ctx context.Context) (map[string]interface{}, error)
func (h *stdHeaders) Clone(ctx context.Context) (Headers, error) { func (h *stdHeaders) Clone(ctx context.Context) (Headers, error) {
dst := NewHeaders() dst := NewHeaders()
if err := h.Copy(ctx, dst); err != nil { if err := h.Copy(ctx, dst); err != nil {
return nil, errors.Wrap(err, `failed to copy header contents to new object`) return nil, fmt.Errorf(`failed to copy header contents to new object: %w`, err)
} }
return dst, nil return dst, nil
} }
@ -74,7 +74,7 @@ func (h *stdHeaders) Clone(ctx context.Context) (Headers, error) {
//nolint:forcetypeassert //nolint:forcetypeassert
key := pair.Key.(string) key := pair.Key.(string)
if err := dst.Set(key, pair.Value); err != nil { if err := dst.Set(key, pair.Value); err != nil {
return errors.Wrapf(err, `failed to set header %q`, key) return fmt.Errorf(`failed to set header %q: %w`, key, err)
} }
} }
return nil return nil
@ -85,13 +85,13 @@ func (h *stdHeaders) Merge(ctx context.Context, h2 Headers) (Headers, error) {
if h != nil { if h != nil {
if err := h.Copy(ctx, h3); err != nil { if err := h.Copy(ctx, h3); err != nil {
return nil, errors.Wrap(err, `failed to copy headers from receiver`) return nil, fmt.Errorf(`failed to copy headers from receiver: %w`, err)
} }
} }
if h2 != nil { if h2 != nil {
if err := h2.Copy(ctx, h3); err != nil { if err := h2.Copy(ctx, h3); err != nil {
return nil, errors.Wrap(err, `failed to copy headers from argument`) return nil, fmt.Errorf(`failed to copy headers from argument: %w`, err)
} }
} }
@ -101,7 +101,7 @@ func (h *stdHeaders) Merge(ctx context.Context, h2 Headers) (Headers, error) {
func (h *stdHeaders) Encode() ([]byte, error) { func (h *stdHeaders) Encode() ([]byte, error) {
buf, err := json.Marshal(h) buf, err := json.Marshal(h)
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to marshal headers to JSON prior to encoding`) return nil, fmt.Errorf(`failed to marshal headers to JSON prior to encoding: %w`, err)
} }
return base64.Encode(buf), nil return base64.Encode(buf), nil
@ -111,11 +111,11 @@ func (h *stdHeaders) Decode(buf []byte) error {
// base64 json string -> json object representation of header // base64 json string -> json object representation of header
decoded, err := base64.Decode(buf) decoded, err := base64.Decode(buf)
if err != nil { if err != nil {
return errors.Wrap(err, "failed to unmarshal base64 encoded buffer") return fmt.Errorf(`failed to unmarshal base64 encoded buffer: %w`, err)
} }
if err := json.Unmarshal(decoded, h); err != nil { if err := json.Unmarshal(decoded, h); err != nil {
return errors.Wrap(err, "failed to unmarshal buffer") return fmt.Errorf(`failed to unmarshal buffer: %w`, err)
} }
return nil return nil

@ -5,15 +5,16 @@ package jwe
import ( import (
"bytes" "bytes"
"context" "context"
"sort" "sort"
"sync" "sync"
"github.com/lestrrat-go/jwx/internal/base64" "github.com/lestrrat-go/jwx/v2/cert"
"github.com/lestrrat-go/jwx/internal/json" "github.com/lestrrat-go/jwx/v2/internal/base64"
"github.com/lestrrat-go/jwx/internal/pool" "github.com/lestrrat-go/jwx/v2/internal/json"
"github.com/lestrrat-go/jwx/jwa" "github.com/lestrrat-go/jwx/v2/internal/pool"
"github.com/lestrrat-go/jwx/jwk" "github.com/lestrrat-go/jwx/v2/jwa"
"github.com/pkg/errors" "github.com/lestrrat-go/jwx/v2/jwk"
) )
const ( const (
@ -51,7 +52,7 @@ type Headers interface {
JWKSetURL() string JWKSetURL() string
KeyID() string KeyID() string
Type() string Type() string
X509CertChain() []string X509CertChain() *cert.Chain
X509CertThumbprint() string X509CertThumbprint() string
X509CertThumbprintS256() string X509CertThumbprintS256() string
X509URL() string X509URL() string
@ -86,7 +87,7 @@ type stdHeaders struct {
jwkSetURL *string jwkSetURL *string
keyID *string keyID *string
typ *string typ *string
x509CertChain []string x509CertChain *cert.Chain
x509CertThumbprint *string x509CertThumbprint *string
x509CertThumbprintS256 *string x509CertThumbprintS256 *string
x509URL *string x509URL *string
@ -194,7 +195,7 @@ func (h *stdHeaders) Type() string {
return *(h.typ) return *(h.typ)
} }
func (h *stdHeaders) X509CertChain() []string { func (h *stdHeaders) X509CertChain() *cert.Chain {
h.mu.RLock() h.mu.RLock()
defer h.mu.RUnlock() defer h.mu.RUnlock()
return h.x509CertChain return h.x509CertChain
@ -394,100 +395,100 @@ func (h *stdHeaders) setNoLock(name string, value interface{}) error {
h.agreementPartyUInfo = v h.agreementPartyUInfo = v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, AgreementPartyUInfoKey, value) return fmt.Errorf(`invalid value for %s key: %T`, AgreementPartyUInfoKey, value)
case AgreementPartyVInfoKey: case AgreementPartyVInfoKey:
if v, ok := value.([]byte); ok { if v, ok := value.([]byte); ok {
h.agreementPartyVInfo = v h.agreementPartyVInfo = v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, AgreementPartyVInfoKey, value) return fmt.Errorf(`invalid value for %s key: %T`, AgreementPartyVInfoKey, value)
case AlgorithmKey: case AlgorithmKey:
if v, ok := value.(jwa.KeyEncryptionAlgorithm); ok { if v, ok := value.(jwa.KeyEncryptionAlgorithm); ok {
h.algorithm = &v h.algorithm = &v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, AlgorithmKey, value) return fmt.Errorf(`invalid value for %s key: %T`, AlgorithmKey, value)
case CompressionKey: case CompressionKey:
if v, ok := value.(jwa.CompressionAlgorithm); ok { if v, ok := value.(jwa.CompressionAlgorithm); ok {
h.compression = &v h.compression = &v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, CompressionKey, value) return fmt.Errorf(`invalid value for %s key: %T`, CompressionKey, value)
case ContentEncryptionKey: case ContentEncryptionKey:
if v, ok := value.(jwa.ContentEncryptionAlgorithm); ok { if v, ok := value.(jwa.ContentEncryptionAlgorithm); ok {
if v == "" { if v == "" {
return errors.New(`"enc" field cannot be an empty string`) return fmt.Errorf(`"enc" field cannot be an empty string`)
} }
h.contentEncryption = &v h.contentEncryption = &v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, ContentEncryptionKey, value) return fmt.Errorf(`invalid value for %s key: %T`, ContentEncryptionKey, value)
case ContentTypeKey: case ContentTypeKey:
h.contentType = &v h.contentType = &v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, ContentTypeKey, value) return fmt.Errorf(`invalid value for %s key: %T`, ContentTypeKey, value)
case CriticalKey: case CriticalKey:
if v, ok := value.([]string); ok { if v, ok := value.([]string); ok {
h.critical = v h.critical = v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, CriticalKey, value) return fmt.Errorf(`invalid value for %s key: %T`, CriticalKey, value)
case EphemeralPublicKeyKey: case EphemeralPublicKeyKey:
if v, ok := value.(jwk.Key); ok { if v, ok := value.(jwk.Key); ok {
h.ephemeralPublicKey = v h.ephemeralPublicKey = v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, EphemeralPublicKeyKey, value) return fmt.Errorf(`invalid value for %s key: %T`, EphemeralPublicKeyKey, value)
case JWKKey: case JWKKey:
if v, ok := value.(jwk.Key); ok { if v, ok := value.(jwk.Key); ok {
h.jwk = v h.jwk = v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, JWKKey, value) return fmt.Errorf(`invalid value for %s key: %T`, JWKKey, value)
case JWKSetURLKey: case JWKSetURLKey:
if v, ok := value.(string); ok { if v, ok := value.(string); ok {
h.jwkSetURL = &v h.jwkSetURL = &v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, JWKSetURLKey, value) return fmt.Errorf(`invalid value for %s key: %T`, JWKSetURLKey, value)
case KeyIDKey: case KeyIDKey:
if v, ok := value.(string); ok { if v, ok := value.(string); ok {
h.keyID = &v h.keyID = &v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, KeyIDKey, value) return fmt.Errorf(`invalid value for %s key: %T`, KeyIDKey, value)
case TypeKey: case TypeKey:
if v, ok := value.(string); ok { if v, ok := value.(string); ok {
h.typ = &v h.typ = &v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, TypeKey, value) return fmt.Errorf(`invalid value for %s key: %T`, TypeKey, value)
case X509CertChainKey: case X509CertChainKey:
if v, ok := value.([]string); ok { if v, ok := value.(*cert.Chain); ok {
h.x509CertChain = v h.x509CertChain = v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, X509CertChainKey, value) return fmt.Errorf(`invalid value for %s key: %T`, X509CertChainKey, value)
case X509CertThumbprintKey: case X509CertThumbprintKey:
if v, ok := value.(string); ok { if v, ok := value.(string); ok {
h.x509CertThumbprint = &v h.x509CertThumbprint = &v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, X509CertThumbprintKey, value) return fmt.Errorf(`invalid value for %s key: %T`, X509CertThumbprintKey, value)
case X509CertThumbprintS256Key: case X509CertThumbprintS256Key:
if v, ok := value.(string); ok { if v, ok := value.(string); ok {
h.x509CertThumbprintS256 = &v h.x509CertThumbprintS256 = &v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, X509CertThumbprintS256Key, value) return fmt.Errorf(`invalid value for %s key: %T`, X509CertThumbprintS256Key, value)
case X509URLKey: case X509URLKey:
if v, ok := value.(string); ok { if v, ok := value.(string); ok {
h.x509URL = &v h.x509URL = &v
return nil return nil
} }
return errors.Errorf(`invalid value for %s key: %T`, X509URLKey, value) return fmt.Errorf(`invalid value for %s key: %T`, X509URLKey, value)
default: default:
if h.privateParams == nil { if h.privateParams == nil {
h.privateParams = map[string]interface{}{} h.privateParams = map[string]interface{}{}
@ -561,7 +562,7 @@ LOOP:
for { for {
tok, err := dec.Token() tok, err := dec.Token()
if err != nil { if err != nil {
return errors.Wrap(err, `error reading token`) return fmt.Errorf(`error reading token: %w`, err)
} }
switch tok := tok.(type) { switch tok := tok.(type) {
case json.Delim: case json.Delim:
@ -570,95 +571,95 @@ LOOP:
if tok == '}' { // End of object if tok == '}' { // End of object
break LOOP break LOOP
} else if tok != '{' { } else if tok != '{' {
return errors.Errorf(`expected '{', but got '%c'`, tok) return fmt.Errorf(`expected '{', but got '%c'`, tok)
} }
case string: // Objects can only have string keys case string: // Objects can only have string keys
switch tok { switch tok {
case AgreementPartyUInfoKey: case AgreementPartyUInfoKey:
if err := json.AssignNextBytesToken(&h.agreementPartyUInfo, dec); err != nil { if err := json.AssignNextBytesToken(&h.agreementPartyUInfo, dec); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, AgreementPartyUInfoKey) return fmt.Errorf(`failed to decode value for key %s: %w`, AgreementPartyUInfoKey, err)
} }
case AgreementPartyVInfoKey: case AgreementPartyVInfoKey:
if err := json.AssignNextBytesToken(&h.agreementPartyVInfo, dec); err != nil { if err := json.AssignNextBytesToken(&h.agreementPartyVInfo, dec); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, AgreementPartyVInfoKey) return fmt.Errorf(`failed to decode value for key %s: %w`, AgreementPartyVInfoKey, err)
} }
case AlgorithmKey: case AlgorithmKey:
var decoded jwa.KeyEncryptionAlgorithm var decoded jwa.KeyEncryptionAlgorithm
if err := dec.Decode(&decoded); err != nil { if err := dec.Decode(&decoded); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, AlgorithmKey) return fmt.Errorf(`failed to decode value for key %s: %w`, AlgorithmKey, err)
} }
h.algorithm = &decoded h.algorithm = &decoded
case CompressionKey: case CompressionKey:
var decoded jwa.CompressionAlgorithm var decoded jwa.CompressionAlgorithm
if err := dec.Decode(&decoded); err != nil { if err := dec.Decode(&decoded); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, CompressionKey) return fmt.Errorf(`failed to decode value for key %s: %w`, CompressionKey, err)
} }
h.compression = &decoded h.compression = &decoded
case ContentEncryptionKey: case ContentEncryptionKey:
var decoded jwa.ContentEncryptionAlgorithm var decoded jwa.ContentEncryptionAlgorithm
if err := dec.Decode(&decoded); err != nil { if err := dec.Decode(&decoded); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, ContentEncryptionKey) return fmt.Errorf(`failed to decode value for key %s: %w`, ContentEncryptionKey, err)
} }
h.contentEncryption = &decoded h.contentEncryption = &decoded
case ContentTypeKey: case ContentTypeKey:
if err := json.AssignNextStringToken(&h.contentType, dec); err != nil { if err := json.AssignNextStringToken(&h.contentType, dec); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, ContentTypeKey) return fmt.Errorf(`failed to decode value for key %s: %w`, ContentTypeKey, err)
} }
case CriticalKey: case CriticalKey:
var decoded []string var decoded []string
if err := dec.Decode(&decoded); err != nil { if err := dec.Decode(&decoded); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, CriticalKey) return fmt.Errorf(`failed to decode value for key %s: %w`, CriticalKey, err)
} }
h.critical = decoded h.critical = decoded
case EphemeralPublicKeyKey: case EphemeralPublicKeyKey:
var buf json.RawMessage var buf json.RawMessage
if err := dec.Decode(&buf); err != nil { if err := dec.Decode(&buf); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, EphemeralPublicKeyKey) return fmt.Errorf(`failed to decode value for key %s:%w`, EphemeralPublicKeyKey, err)
} }
key, err := jwk.ParseKey(buf) key, err := jwk.ParseKey(buf)
if err != nil { if err != nil {
return errors.Wrapf(err, `failed to parse JWK for key %s`, EphemeralPublicKeyKey) return fmt.Errorf(`failed to parse JWK for key %s: %w`, EphemeralPublicKeyKey, err)
} }
h.ephemeralPublicKey = key h.ephemeralPublicKey = key
case JWKKey: case JWKKey:
var buf json.RawMessage var buf json.RawMessage
if err := dec.Decode(&buf); err != nil { if err := dec.Decode(&buf); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, JWKKey) return fmt.Errorf(`failed to decode value for key %s:%w`, JWKKey, err)
} }
key, err := jwk.ParseKey(buf) key, err := jwk.ParseKey(buf)
if err != nil { if err != nil {
return errors.Wrapf(err, `failed to parse JWK for key %s`, JWKKey) return fmt.Errorf(`failed to parse JWK for key %s: %w`, JWKKey, err)
} }
h.jwk = key h.jwk = key
case JWKSetURLKey: case JWKSetURLKey:
if err := json.AssignNextStringToken(&h.jwkSetURL, dec); err != nil { if err := json.AssignNextStringToken(&h.jwkSetURL, dec); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, JWKSetURLKey) return fmt.Errorf(`failed to decode value for key %s: %w`, JWKSetURLKey, err)
} }
case KeyIDKey: case KeyIDKey:
if err := json.AssignNextStringToken(&h.keyID, dec); err != nil { if err := json.AssignNextStringToken(&h.keyID, dec); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, KeyIDKey) return fmt.Errorf(`failed to decode value for key %s: %w`, KeyIDKey, err)
} }
case TypeKey: case TypeKey:
if err := json.AssignNextStringToken(&h.typ, dec); err != nil { if err := json.AssignNextStringToken(&h.typ, dec); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, TypeKey) return fmt.Errorf(`failed to decode value for key %s: %w`, TypeKey, err)
} }
case X509CertChainKey: case X509CertChainKey:
var decoded []string var decoded cert.Chain
if err := dec.Decode(&decoded); err != nil { if err := dec.Decode(&decoded); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, X509CertChainKey) return fmt.Errorf(`failed to decode value for key %s: %w`, X509CertChainKey, err)
} }
h.x509CertChain = decoded h.x509CertChain = &decoded
case X509CertThumbprintKey: case X509CertThumbprintKey:
if err := json.AssignNextStringToken(&h.x509CertThumbprint, dec); err != nil { if err := json.AssignNextStringToken(&h.x509CertThumbprint, dec); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, X509CertThumbprintKey) return fmt.Errorf(`failed to decode value for key %s: %w`, X509CertThumbprintKey, err)
} }
case X509CertThumbprintS256Key: case X509CertThumbprintS256Key:
if err := json.AssignNextStringToken(&h.x509CertThumbprintS256, dec); err != nil { if err := json.AssignNextStringToken(&h.x509CertThumbprintS256, dec); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, X509CertThumbprintS256Key) return fmt.Errorf(`failed to decode value for key %s: %w`, X509CertThumbprintS256Key, err)
} }
case X509URLKey: case X509URLKey:
if err := json.AssignNextStringToken(&h.x509URL, dec); err != nil { if err := json.AssignNextStringToken(&h.x509URL, dec); err != nil {
return errors.Wrapf(err, `failed to decode value for key %s`, X509URLKey) return fmt.Errorf(`failed to decode value for key %s: %w`, X509URLKey, err)
} }
default: default:
decoded, err := registry.Decode(dec, tok) decoded, err := registry.Decode(dec, tok)
@ -668,7 +669,7 @@ LOOP:
h.setNoLock(tok, decoded) h.setNoLock(tok, decoded)
} }
default: default:
return errors.Errorf(`invalid token %T`, tok) return fmt.Errorf(`invalid token %T`, tok)
} }
} }
return nil return nil
@ -702,7 +703,7 @@ func (h stdHeaders) MarshalJSON() ([]byte, error) {
buf.WriteRune('"') buf.WriteRune('"')
default: default:
if err := enc.Encode(v); err != nil { if err := enc.Encode(v); err != nil {
errors.Errorf(`failed to encode value for field %s`, f) return nil, fmt.Errorf(`failed to encode value for field %s`, f)
} }
buf.Truncate(buf.Len() - 1) buf.Truncate(buf.Len() - 1)
} }

View File

@ -0,0 +1,159 @@
package jwe
import (
// Recipient holds the encrypted key and hints to decrypt the key
type Recipient interface {
Headers() Headers
EncryptedKey() []byte
SetHeaders(Headers) error
SetEncryptedKey([]byte) error
type stdRecipient struct {
// Comments on each field are taken from https://datatracker.ietf.org/doc/html/rfc7516
// header
// The "header" member MUST be present and contain the value JWE Per-
// Recipient Unprotected Header when the JWE Per-Recipient
// Unprotected Header value is non-empty; otherwise, it MUST be
// absent. This value is represented as an unencoded JSON object,
// rather than as a string. These Header Parameter values are not
// integrity protected.
// At least one of the "header", "protected", and "unprotected" members
// MUST be present so that "alg" and "enc" Header Parameter values are
// conveyed for each recipient computation.
// JWX note: see Message.unprotectedHeaders
headers Headers
// encrypted_key
// The "encrypted_key" member MUST be present and contain the value
// BASE64URL(JWE Encrypted Key) when the JWE Encrypted Key value is
// non-empty; otherwise, it MUST be absent.
encryptedKey []byte
// Message contains the entire encrypted JWE message. You should not
// expect to use Message for anything other than inspecting the
// state of an encrypted message. This is because encryption is
// highly context sensitive, and once we parse the original payload
// into an object, we may not always be able to recreate the exact
// context in which the encryption happened.
// For example, it is totally valid for if the protected header's
// integrity was calculated using a non-standard line breaks:
// {"a dummy":
// "protected header"}
// Once parsed, though, we can only serialize the protected header as:
// {"a dummy":"protected header"}
// which would obviously result in a contradicting integrity value
// if we tried to re-calculate it from a parsed message.
type Message struct {
// Comments on each field are taken from https://datatracker.ietf.org/doc/html/rfc7516
// protected
// The "protected" member MUST be present and contain the value
// BASE64URL(UTF8(JWE Protected Header)) when the JWE Protected
// Header value is non-empty; otherwise, it MUST be absent. These
// Header Parameter values are integrity protected.
protectedHeaders Headers
// unprotected
// The "unprotected" member MUST be present and contain the value JWE
// Shared Unprotected Header when the JWE Shared Unprotected Header
// value is non-empty; otherwise, it MUST be absent. This value is
// represented as an unencoded JSON object, rather than as a string.
// These Header Parameter values are not integrity protected.
// JWX note: This field is NOT mutually exclusive with per-recipient
// headers within the implmentation because... it's too much work.
// It is _never_ populated (we don't provide a way to do this) upon encryption.
// When decrypting, if present its values are always merged with
// per-recipient header.
unprotectedHeaders Headers
// iv
// The "iv" member MUST be present and contain the value
// BASE64URL(JWE Initialization Vector) when the JWE Initialization
// Vector value is non-empty; otherwise, it MUST be absent.
initializationVector []byte
// aad
// The "aad" member MUST be present and contain the value
// BASE64URL(JWE AAD)) when the JWE AAD value is non-empty;
// otherwise, it MUST be absent. A JWE AAD value can be included to
// supply a base64url-encoded value to be integrity protected but not
// encrypted.
authenticatedData []byte
// ciphertext
// The "ciphertext" member MUST be present and contain the value
// BASE64URL(JWE Ciphertext).
cipherText []byte
// tag
// The "tag" member MUST be present and contain the value
// BASE64URL(JWE Authentication Tag) when the JWE Authentication Tag
// value is non-empty; otherwise, it MUST be absent.
tag []byte
// recipients
// The "recipients" member value MUST be an array of JSON objects.
// Each object contains information specific to a single recipient.
// This member MUST be present with exactly one array element per
// recipient, even if some or all of the array element values are the
// empty JSON object "{}" (which can happen when all Header Parameter
// values are shared between all recipients and when no encrypted key
// is used, such as when doing Direct Encryption).
// Some Header Parameters, including the "alg" parameter, can be shared
// among all recipient computations. Header Parameters in the JWE
// Protected Header and JWE Shared Unprotected Header values are shared
// among all recipients.
// The Header Parameter values used when creating or validating per-
// recipient ciphertext and Authentication Tag values are the union of
// the three sets of Header Parameter values that may be present: (1)
// the JWE Protected Header represented in the "protected" member, (2)
// the JWE Shared Unprotected Header represented in the "unprotected"
// member, and (3) the JWE Per-Recipient Unprotected Header represented
// in the "header" member of the recipient's array element. The union
// of these sets of Header Parameters comprises the JOSE Header. The
// Header Parameter names in the three locations MUST be disjoint.
recipients []Recipient
// TODO: Additional members can be present in both the JSON objects defined
// above; if not understood by implementations encountering them, they
// MUST be ignored.
// privateParams map[string]interface{}
// These two fields below are not available for the public consumers of this object.
// rawProtectedHeaders stores the original protected header buffer
rawProtectedHeaders []byte
// storeProtectedHeaders is a hint to be used in UnmarshalJSON().
// When this flag is true, UnmarshalJSON() will populate the
// rawProtectedHeaders field
storeProtectedHeaders bool
// populater is an interface for things that may modify the
// JWE header. e.g. ByteWithECPrivateKey
type populater interface {
Populate(keygen.Setter) error
type Visitor = iter.MapVisitor
type VisitorFunc = iter.MapVisitorFunc
type HeaderPair = mapiter.Pair
type Iterator = mapiter.Iterator

@ -9,8 +9,6 @@ import(
"encoding/binary" "encoding/binary"
"fmt" "fmt"
"hash" "hash"
) )
const ( const (
@ -38,7 +36,7 @@ func unpad(buf []byte, n int) ([]byte, error) {
// First, `buf` must be a multiple of `n` // First, `buf` must be a multiple of `n`
if rem != 0 { if rem != 0 {
return nil, errors.Errorf("input buffer must be multiple of block size %d", n) return nil, fmt.Errorf("input buffer must be multiple of block size %d", n)
} }
// Find the last byte, which is the encoded padding // Find the last byte, which is the encoded padding
@ -60,7 +58,7 @@ func unpad(buf []byte, n int) ([]byte, error) {
// we also don't check against lbuf-i in range, because we have established expected <= lbuf // we also don't check against lbuf-i in range, because we have established expected <= lbuf
for i := 1; i < expected; i++ { for i := 1; i < expected; i++ {
if buf[lbuf-i] != last { if buf[lbuf-i] != last {
return nil, errors.New(`invalid padding`) return nil, fmt.Errorf(`invalid padding`)
} }
} }
@ -84,7 +82,7 @@ func New(key []byte, f BlockCipherFunc) (hmac *Hmac, err error) {
bc, ciphererr := f(ekey) bc, ciphererr := f(ekey)
if ciphererr != nil { if ciphererr != nil {
err = errors.Wrap(ciphererr, `failed to execute block cipher function`) err = fmt.Errorf(`failed to execute block cipher function: %w`, ciphererr)
return return
} }
@ -97,7 +95,7 @@ func New(key []byte, f BlockCipherFunc) (hmac *Hmac, err error) {
case 32: case 32:
hfunc = sha512.New hfunc = sha512.New
default: default:
return nil, errors.Errorf("unsupported key size %d", keysize) return nil, fmt.Errorf("unsupported key size %d", keysize)
} }
return &Hmac{ return &Hmac{
@ -133,7 +131,7 @@ func (c Hmac) ComputeAuthTag(aad, nonce, ciphertext []byte) ([]byte, error) {
h := hmac.New(c.hash, c.integrityKey) h := hmac.New(c.hash, c.integrityKey)
if _, err := h.Write(buf); err != nil { if _, err := h.Write(buf); err != nil {
return nil, errors.Wrap(err, "failed to write ComputeAuthTag using Hmac") return nil, fmt.Errorf(`failed to write ComputeAuthTag using Hmac: %w`, err)
} }
s := h.Sum(nil) s := h.Sum(nil)
return s[:c.tagsize], nil return s[:c.tagsize], nil
@ -182,7 +180,7 @@ func (c Hmac) Seal(dst, nonce, plaintext, data []byte) []byte {
// Open fulfills the crypto.AEAD interface // Open fulfills the crypto.AEAD interface
func (c Hmac) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) { func (c Hmac) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
if len(ciphertext) < c.keysize { if len(ciphertext) < c.keysize {
return nil, errors.New("invalid ciphertext (too short)") return nil, fmt.Errorf(`invalid ciphertext (too short)`)
} }
tagOffset := len(ciphertext) - c.tagsize tagOffset := len(ciphertext) - c.tagsize
@ -198,11 +196,11 @@ func (c Hmac) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
expectedTag, err := c.ComputeAuthTag(data, nonce, ciphertext[:tagOffset]) expectedTag, err := c.ComputeAuthTag(data, nonce, ciphertext[:tagOffset])
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to compute auth tag`) return nil, fmt.Errorf(`failed to compute auth tag: %w`, err)
} }
if subtle.ConstantTimeCompare(expectedTag, tag) != 1 { if subtle.ConstantTimeCompare(expectedTag, tag) != 1 {
return nil, errors.New("invalid ciphertext (tag mismatch)") return nil, fmt.Errorf(`invalid ciphertext (tag mismatch)`)
} }
cbc := cipher.NewCBCDecrypter(c.blockCipher, nonce) cbc := cipher.NewCBCDecrypter(c.blockCipher, nonce)
@ -211,7 +209,7 @@ func (c Hmac) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
plaintext, err := unpad(buf, c.blockCipher.BlockSize()) plaintext, err := unpad(buf, c.blockCipher.BlockSize())
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to generate plaintext from decrypted blocks`) return nil, fmt.Errorf(`failed to generate plaintext from decrypted blocks: %w`, err)
} }
ret := ensureSize(dst, len(plaintext)) ret := ensureSize(dst, len(plaintext))
out := ret[len(dst):] out := ret[len(dst):]

@ -5,10 +5,9 @@ import(
"crypto/cipher" "crypto/cipher"
"fmt" "fmt"
"github.com/lestrrat-go/jwx/jwa" "github.com/lestrrat-go/jwx/v2/jwa"
"github.com/lestrrat-go/jwx/jwe/internal/aescbc" "github.com/lestrrat-go/jwx/v2/jwe/internal/aescbc"
"github.com/lestrrat-go/jwx/jwe/internal/keygen" "github.com/lestrrat-go/jwx/v2/jwe/internal/keygen"
) )
var gcm = &gcmFetcher{} var gcm = &gcmFetcher{}
@ -17,12 +16,12 @@ var cbc = &cbcFetcher{}
func (f gcmFetcher) Fetch(key []byte) (cipher.AEAD, error) { func (f gcmFetcher) Fetch(key []byte) (cipher.AEAD, error) {
aescipher, err := aes.NewCipher(key) aescipher, err := aes.NewCipher(key)
if err != nil { if err != nil {
return nil, errors.Wrap(err, "cipher: failed to create AES cipher for GCM") return nil, fmt.Errorf(`cipher: failed to create AES cipher for GCM: %w`, err)
} }
aead, err := cipher.NewGCM(aescipher) aead, err := cipher.NewGCM(aescipher)
if err != nil { if err != nil {
return nil, errors.Wrap(err, `failed to create GCM for cipher`) return nil, fmt.Errorf(`failed to create GCM for cipher: %w`, err)
} }
return aead, nil return aead, nil
} }
@ -30,7 +29,7 @@ func (f gcmFetcher) Fetch(key []byte) (cipher.AEAD, error) {
func (f cbcFetcher) Fetch(key []byte) (cipher.AEAD, error) { func (f cbcFetcher) Fetch(key []byte) (cipher.AEAD, error) {
aead, err := aescbc.New(key, aes.NewCipher) aead, err := aescbc.New(key, aes.NewCipher)
if err != nil { if err != nil {
return nil, errors.Wrap(err, "cipher: failed to create AES cipher for CBC") return nil, fmt.Errorf(`cipher: failed to create AES cipher for CBC: %w`, err)
} }
return aead, nil return aead, nil
} }
@ -73,7 +72,7 @@ func NewAES(alg jwa.ContentEncryptionAlgorithm) (*AesContentCipher, error) {
keysize = tagsize * 2 keysize = tagsize * 2
fetcher = cbc fetcher = cbc
default: default:
return nil, errors.Errorf("failed to create AES content cipher: invalid algorithm (%s)", alg) return nil, fmt.Errorf("failed to create AES content cipher: invalid algorithm (%s)", alg)
} }
return &AesContentCipher{ return &AesContentCipher{
@ -83,11 +82,11 @@ func NewAES(alg jwa.ContentEncryptionAlgorithm) (*AesContentCipher, error) {
}, nil }, nil
} }
@ -83,11 +82,11 @@ func NewAES(alg jwa.ContentEncryptionAlgorithm) (*AesContentCipher, error) {
var aead cipher.AEAD var aead cipher.AEAD
aead, err = c.fetch.Fetch(cek) aead, err = c.fetch.Fetch(cek)
if err != nil { if err != nil {
return nil, nil, nil, errors.Wrap(err, "failed to fetch AEAD") return nil, nil, nil, fmt.Errorf(`failed to fetch AEAD: %w`, err)
} }
// Seal may panic (argh!), so protect ourselves from that // Seal may panic (argh!), so protect ourselves from that
@ -97,9 +96,9 @@ func (c AesContentCipher) Encrypt(cek, plaintext, aad []byte) (iv, ciphertext, t
case error: case error:
err = e err = e
default: default:
err = errors.Errorf("%s", e) err = fmt.Errorf("%s", e)
} }
err = errors.Wrap(err, "failed to encrypt") err = fmt.Errorf(`failed to encrypt: %w`, err)
} }
}() }()
@ -110,7 +109,7 @@ func (c AesContentCipher) Encrypt(cek, plaintext, aad []byte) (iv, ciphertext, t
bs, err = c.NonceGenerator.Generate() bs, err = c.NonceGenerator.Generate()
} }
if err != nil { if err != nil {
return nil, nil, nil, errors.Wrap(err, "failed to generate nonce") return nil, nil, nil, fmt.Errorf(`failed to generate nonce: %w`, err)
} }
iv = bs.Bytes() iv = bs.Bytes()
@ -122,8 +121,8 @@ func (c AesContentCipher) Encrypt(cek, plaintext, aad []byte) (iv, ciphertext, t
} }
tag = combined[tagoffset:] tag = combined[tagoffset:]
ciphertext = make([]byte, tagoffset) ciphertxt = make([]byte, tagoffset)
copy(ciphertext, combined[:tagoffset]) copy(ciphertxt, combined[:tagoffset])
return return
} }
@ -131,7 +130,7 @@ func (c AesContentCipher) Encrypt(cek, plaintext, aad []byte) (iv, ciphertext, t
@ -131,7 +130,7 @@ func (c AesContentCipher) Encrypt(cek, plaintext, aad []byte) (iv, ciphertext, t
aead, err := c.fetch.Fetch(cek) aead, err := c.fetch.Fetch(cek)
if err != nil { if err != nil {
return nil, errors.Wrap(err, "failed to fetch AEAD data") return nil, fmt.Errorf(`failed to fetch AEAD data: %w`, err)
} }
// Open may panic (argh!), so protect ourselves from that // Open may panic (argh!), so protect ourselves from that
@ -141,9 +140,9 @@ func (c AesContentCipher) Decrypt(cek, iv, ciphertxt, tag, aad []byte) (plaintex
case error: case error:
err = e err = e
default: default:
err = errors.Errorf("%s", e) err = fmt.Errorf(`%s`, e)
} }
err = errors.Wrap(err, "failed to decrypt") err = fmt.Errorf(`failed to decrypt: %w`, err)
return return
} }
}() }()
@ -154,7 +153,7 @@ func (c AesContentCipher) Decrypt(cek, iv, ciphertxt, tag, aad []byte) (plaintex
buf, aeaderr := aead.Open(nil, iv, combined, aad) buf, aeaderr := aead.Open(nil, iv, combined, aad)
if aeaderr != nil { if aeaderr != nil {
err = errors.Wrap(aeaderr, `aead.Open failed`) err = fmt.Errorf(`aead.Open failed: %w`, aeaderr)
return return
} }
plaintext = buf plaintext = buf

@ -3,7 +3,7 @@ package cipher
import ( import (
"crypto/cipher" "crypto/cipher"
"github.com/lestrrat-go/jwx/jwe/internal/keygen" "github.com/lestrrat-go/jwx/v2/jwe/internal/keygen"
) )
const ( const (

@ -3,8 +3,7 @@ package concatkdf
import ( import (
"crypto" "crypto"
"encoding/binary" "encoding/binary"
) )
type KDF struct { type KDF struct {
@ -48,13 +47,13 @@ func (k *KDF) Read(out []byte) (int, error) {
h.Reset() h.Reset()
if err := binary.Write(h, binary.BigEndian, round); err != nil { if err := binary.Write(h, binary.BigEndian, round); err != nil {
return 0, errors.Wrap(err, "failed to write round using kdf") return 0, fmt.Errorf(`failed to write round using kdf: %w`, err)
} }
if _, err := h.Write(k.z); err != nil { if _, err := h.Write(k.z); err != nil {
return 0, errors.Wrap(err, "failed to write z using kdf") return 0, fmt.Errorf(`failed to write z using kdf: %w`, err)
} }
if _, err := h.Write(k.otherinfo); err != nil { if _, err := h.Write(k.otherinfo); err != nil {
return 0, errors.Wrap(err, "failed to write other info using kdf") return 0, fmt.Errorf(`failed to write other info using kdf: %w`, err)
} }
k.buf = append(k.buf, h.Sum(nil)...) k.buf = append(k.buf, h.Sum(nil)...)

@ -1,9 +1,10 @@
@ -1,9 +1,10 @@
import ( import (
"github.com/lestrrat-go/jwx/jwa" "fmt"
"github.com/pkg/errors" "github.com/lestrrat-go/jwx/v2/jwa"
) )
func (c Generic) Algorithm() jwa.ContentEncryptionAlgorithm { func (c Generic) Algorithm() jwa.ContentEncryptionAlgorithm {
@ -13,7 +14,7 @@ func (c Generic) Algorithm() jwa.ContentEncryptionAlgorithm {
@ -13,7 +14,7 @@ func (c Generic) Algorithm() jwa.ContentEncryptionAlgorithm {
iv, encrypted, tag, err := c.cipher.Encrypt(cek, plaintext, aad) iv, encrypted, tag, err := c.cipher.Encrypt(cek, plaintext, aad)
if err != nil { if err != nil {
return nil, nil, nil, errors.Wrap(err, `failed to crypt content`) return nil, nil, nil, fmt.Errorf(`failed to crypt content: %w`, err)
} }
return iv, encrypted, tag, nil return iv, encrypted, tag, nil
@ -26,7 +27,7 @@ func (c Generic) Decrypt(cek, iv, ciphertext, tag, aad []byte) ([]byte, error) {
func NewGeneric(alg jwa.ContentEncryptionAlgorithm) (*Generic, error) { func NewGeneric(alg jwa.ContentEncryptionAlgorithm) (*Generic, error) {
c, err := cipher.NewAES(alg) c, err := cipher.NewAES(alg)
if err != nil { if err != nil {
return nil, errors.Wrap(err, `aes crypt: failed to create content cipher`) return nil, fmt.Errorf(`aes crypt: failed to create content cipher: %w`, err)
} }
return &Generic{ return &Generic{

@ -1,8 +1,8 @@
@ -1,8 +1,8 @@
import ( import (
"github.com/lestrrat-go/jwx/jwa" "github.com/lestrrat-go/jwx/v2/jwa"
"github.com/lestrrat-go/jwx/jwe/internal/cipher" "github.com/lestrrat-go/jwx/v2/jwe/internal/cipher"
) )
// Generic encrypts a message by applying all the necessary // Generic encrypts a message by applying all the necessary

@ -4,8 +4,8 @@ import(
"crypto/rsa" "crypto/rsa"
"hash" "hash"
"github.com/lestrrat-go/jwx/jwa" "github.com/lestrrat-go/jwx/v2/jwa"
"github.com/lestrrat-go/jwx/jwe/internal/keygen" "github.com/lestrrat-go/jwx/v2/jwe/internal/keygen"
) )
// Encrypter is an interface for things that can encrypt keys // Encrypter is an interface for things that can encrypt keys

Some files were not shown because too many files have changed in this diff Show More