1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
|
// Code generated by tools/cmd/genoptions/main.go. DO NOT EDIT.
package jws
import (
"context"
"io/fs"
"github.com/lestrrat-go/option"
)
type Option = option.Interface
// CompactOption describes options that can be passed to `jws.Compact`
type CompactOption interface {
Option
compactOption()
}
type compactOption struct {
Option
}
func (*compactOption) compactOption() {}
// ReadFileOption is a type of `Option` that can be passed to `jwe.Parse`
type ParseOption interface {
Option
readFileOption()
}
type parseOption struct {
Option
}
func (*parseOption) readFileOption() {}
// ReadFileOption is a type of `Option` that can be passed to `jws.ReadFile`
type ReadFileOption interface {
Option
readFileOption()
}
type readFileOption struct {
Option
}
func (*readFileOption) readFileOption() {}
// SignOption describes options that can be passed to `jws.Sign`
type SignOption interface {
Option
signOption()
}
type signOption struct {
Option
}
func (*signOption) signOption() {}
// SignVerifyOption describes options that can be passed to either `jws.Verify` or `jws.Sign`
type SignVerifyOption interface {
Option
signOption()
verifyOption()
parseOption()
}
type signVerifyOption struct {
Option
}
func (*signVerifyOption) signOption() {}
func (*signVerifyOption) verifyOption() {}
func (*signVerifyOption) parseOption() {}
type SignVerifyParseOption interface {
Option
signOption()
verifyOption()
parseOption()
readFileOption()
}
type signVerifyParseOption struct {
Option
}
func (*signVerifyParseOption) signOption() {}
func (*signVerifyParseOption) verifyOption() {}
func (*signVerifyParseOption) parseOption() {}
func (*signVerifyParseOption) readFileOption() {}
// VerifyOption describes options that can be passed to `jws.Verify`
type VerifyOption interface {
Option
verifyOption()
parseOption()
}
type verifyOption struct {
Option
}
func (*verifyOption) verifyOption() {}
func (*verifyOption) parseOption() {}
// JSONSuboption describes suboptions that can be passed to the `jws.WithJSON()` option.
type WithJSONSuboption interface {
Option
withJSONSuboption()
}
type withJSONSuboption struct {
Option
}
func (*withJSONSuboption) withJSONSuboption() {}
// WithKeySetSuboption is a suboption passed to the `jws.WithKeySet()` option
type WithKeySetSuboption interface {
Option
withKeySetSuboption()
}
type withKeySetSuboption struct {
Option
}
func (*withKeySetSuboption) withKeySetSuboption() {}
// WithKeySuboption describes option types that can be passed to the `jws.WithKey()`
// option.
type WithKeySuboption interface {
Option
withKeySuboption()
}
type withKeySuboption struct {
Option
}
func (*withKeySuboption) withKeySuboption() {}
type identContext struct{}
type identDetached struct{}
type identDetachedPayload struct{}
type identFS struct{}
type identInferAlgorithmFromKey struct{}
type identKey struct{}
type identKeyProvider struct{}
type identKeyUsed struct{}
type identMessage struct{}
type identMultipleKeysPerKeyID struct{}
type identPretty struct{}
type identProtectedHeaders struct{}
type identPublicHeaders struct{}
type identRequireKid struct{}
type identSerialization struct{}
type identUseDefault struct{}
type identValidateKey struct{}
func (identContext) String() string {
return "WithContext"
}
func (identDetached) String() string {
return "WithDetached"
}
func (identDetachedPayload) String() string {
return "WithDetachedPayload"
}
func (identFS) String() string {
return "WithFS"
}
func (identInferAlgorithmFromKey) String() string {
return "WithInferAlgorithmFromKey"
}
func (identKey) String() string {
return "WithKey"
}
func (identKeyProvider) String() string {
return "WithKeyProvider"
}
func (identKeyUsed) String() string {
return "WithKeyUsed"
}
func (identMessage) String() string {
return "WithMessage"
}
func (identMultipleKeysPerKeyID) String() string {
return "WithMultipleKeysPerKeyID"
}
func (identPretty) String() string {
return "WithPretty"
}
func (identProtectedHeaders) String() string {
return "WithProtectedHeaders"
}
func (identPublicHeaders) String() string {
return "WithPublicHeaders"
}
func (identRequireKid) String() string {
return "WithRequireKid"
}
func (identSerialization) String() string {
return "WithSerialization"
}
func (identUseDefault) String() string {
return "WithUseDefault"
}
func (identValidateKey) String() string {
return "WithValidateKey"
}
func WithContext(v context.Context) VerifyOption {
return &verifyOption{option.New(identContext{}, v)}
}
// WithDetached specifies that the `jws.Message` should be serialized in
// JWS compact serialization with detached payload. The resulting octet
// sequence will not contain the payload section.
func WithDetached(v bool) CompactOption {
return &compactOption{option.New(identDetached{}, v)}
}
// WithDetachedPayload can be used to both sign or verify a JWS message with a
// detached payload.
//
// When this option is used for `jws.Sign()`, the first parameter (normally the payload)
// must be set to `nil`.
//
// If you have to verify using this option, you should know exactly how and why this works.
func WithDetachedPayload(v []byte) SignVerifyOption {
return &signVerifyOption{option.New(identDetachedPayload{}, v)}
}
// WithFS specifies the source `fs.FS` object to read the file from.
func WithFS(v fs.FS) ReadFileOption {
return &readFileOption{option.New(identFS{}, v)}
}
// WithInferAlgorithmFromKey specifies whether the JWS signing algorithm name
// should be inferred by looking at the provided key, in case the JWS
// message or the key does not have a proper `alg` header.
//
// When this option is set to true, a list of algorithm(s) that is compatible
// with the key type will be enumerated, and _ALL_ of them will be tried
// against the key/message pair. If any of them succeeds, the verification
// will be considered successful.
//
// Compared to providing explicit `alg` from the key this is slower, and
// verification may fail to verify if somehow our heuristics are wrong
// or outdated.
//
// Also, automatic detection of signature verification methods are always
// more vulnerable for potential attack vectors.
//
// It is highly recommended that you fix your key to contain a proper `alg`
// header field instead of resorting to using this option, but sometimes
// it just needs to happen.
func WithInferAlgorithmFromKey(v bool) WithKeySetSuboption {
return &withKeySetSuboption{option.New(identInferAlgorithmFromKey{}, v)}
}
func WithKeyProvider(v KeyProvider) VerifyOption {
return &verifyOption{option.New(identKeyProvider{}, v)}
}
// WithKeyUsed allows you to specify the `jws.Verify()` function to
// return the key used for verification. This may be useful when
// you specify multiple key sources or if you pass a `jwk.Set`
// and you want to know which key was successful at verifying the
// signature.
//
// `v` must be a pointer to an empty `interface{}`. Do not use
// `jwk.Key` here unless you are 100% sure that all keys that you
// have provided are instances of `jwk.Key` (remember that the
// jwx API allows users to specify a raw key such as *rsa.PublicKey)
func WithKeyUsed(v interface{}) VerifyOption {
return &verifyOption{option.New(identKeyUsed{}, v)}
}
// WithMessage can be passed to Verify() to obtain the jws.Message upon
// a successful verification.
func WithMessage(v *Message) VerifyOption {
return &verifyOption{option.New(identMessage{}, v)}
}
// WithMultipleKeysPerKeyID specifies if we should expect multiple keys
// to match against a key ID. By default it is assumed that key IDs are
// unique, i.e. for a given key ID, the key set only contains a single
// key that has the matching ID. When this option is set to true,
// multiple keys that match the same key ID in the set can be tried.
func WithMultipleKeysPerKeyID(v bool) WithKeySetSuboption {
return &withKeySetSuboption{option.New(identMultipleKeysPerKeyID{}, v)}
}
// WithPretty specifies whether the JSON output should be formatted and
// indented
func WithPretty(v bool) WithJSONSuboption {
return &withJSONSuboption{option.New(identPretty{}, v)}
}
// WithProtected is used with `jws.WithKey()` option when used with `jws.Sign()`
// to specify a protected header to be attached to the JWS signature.
//
// It has no effect if used when `jws.WithKey()` is passed to `jws.Verify()`
func WithProtectedHeaders(v Headers) WithKeySuboption {
return &withKeySuboption{option.New(identProtectedHeaders{}, v)}
}
// WithPublic is used with `jws.WithKey()` option when used with `jws.Sign()`
// to specify a public header to be attached to the JWS signature.
//
// It has no effect if used when `jws.WithKey()` is passed to `jws.Verify()`
//
// `jws.Sign()` will result in an error if `jws.WithPublic()` is used
// and the serialization format is compact serialization.
func WithPublicHeaders(v Headers) WithKeySuboption {
return &withKeySuboption{option.New(identPublicHeaders{}, v)}
}
// WithRequiredKid specifies whether the keys in the jwk.Set should
// only be matched if the target JWS message's Key ID and the Key ID
// in the given key matches.
func WithRequireKid(v bool) WithKeySetSuboption {
return &withKeySetSuboption{option.New(identRequireKid{}, v)}
}
// WithCompact specifies that the result of `jws.Sign()` is serialized in
// compact format.
//
// By default `jws.Sign()` will opt to use compact format, so you usually
// do not need to specify this option other than to be explicit about it
func WithCompact() SignVerifyParseOption {
return &signVerifyParseOption{option.New(identSerialization{}, fmtCompact)}
}
// WithUseDefault specifies that if and only if a jwk.Key contains
// exactly one jwk.Key, that key should be used.
// (I think this should be removed)
func WithUseDefault(v bool) WithKeySetSuboption {
return &withKeySetSuboption{option.New(identUseDefault{}, v)}
}
// WithValidateKey specifies whether the key used for signing or verification
// should be validated before using. Note that this means calling
// `key.Validate()` on the key, which in turn means that your key
// must be a `jwk.Key` instance, or a key that can be converted to
// a `jwk.Key` by calling `jwk.FromRaw()`. This means that your
// custom hardware-backed keys will probably not work.
//
// You can directly call `key.Validate()` yourself if you need to
// mix keys that cannot be converted to `jwk.Key`.
//
// Please also note that use of this option will also result in
// one extra conversion of raw keys to a `jwk.Key` instance. If you
// care about shaving off as much as possible, consider using a
// pre-validated key instead of using this option to validate
// the key on-demand each time.
//
// By default, the key is not validated.
func WithValidateKey(v bool) SignVerifyOption {
return &signVerifyOption{option.New(identValidateKey{}, v)}
}
|
