1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
|
.TH "jose_jws" 3 "Tue May 30 2017" "José" \" -*- nroff -*-
.ad l
.nh
.SH NAME
jose_jws \- JSON Web Signature (RFC 7515)
.SH SYNOPSIS
.br
.PP
.SS "Functions"
.in +1c
.ti -1c
.RI "json_t * \fBjose_jws_hdr\fP (const json_t *sig)"
.br
.RI "Merges the JOSE headers of a JWS signature object\&. "
.ti -1c
.RI "bool \fBjose_jws_sig\fP (jose_cfg_t *cfg, json_t *jws, json_t *sig, const json_t *jwk)"
.br
.RI "Creates one or more signatures in a JWS object\&. "
.ti -1c
.RI "\fBjose_io_t\fP * \fBjose_jws_sig_io\fP (jose_cfg_t *cfg, json_t *jws, json_t *sig, const json_t *jwk)"
.br
.RI "Creates one or more signatures in a JWS object using streaming\&. "
.ti -1c
.RI "bool \fBjose_jws_ver\fP (jose_cfg_t *cfg, const json_t *jws, const json_t *sig, const json_t *jwk, bool all)"
.br
.RI "Verifies signatures of one or more JWKs in a JWS object\&. "
.ti -1c
.RI "\fBjose_io_t\fP * \fBjose_jws_ver_io\fP (jose_cfg_t *cfg, const json_t *jws, const json_t *sig, const json_t *jwk, bool all)"
.br
.RI "Verifies signatures of one or more JWKs in a JWS object using streaming\&. "
.in -1c
.SH "Detailed Description"
.PP
JSON Web Signature (RFC 7515)
JSON Web Token (RFC 7519)
.PP
A JSON Web Signature (JWS) is a standard data format for expresing cryptographic signatures in JSON\&. The signatures are produced using a JSON Web Key (JWK)\&.
.PP
For example, to create a simple signature of a string using a JWK (error handling omitted):
.PP
.nf
json_t *sig(const char *str, const json_t *jwk) {
json_auto_t *jws = json_pack("{s:o}", "payload",
jose_b64_enc(str, strlen(str)));
jose_jws_sig(NULL, jws, NULL, jwk);
return json_incref(jws);
}
.fi
.PP
.PP
Likewise, to verify this signature (again, error handling omitted):
.PP
.nf
char *ver(const json_t *jwe, const json_t *jwk) {
char *str = NULL;
size_t len = 0;
if (!jose_jws_ver(NULL, jws, NULL, jwk))
return NULL;
len = jose_b64_dec(json_object_get(jwe, "payload"), NULL, 0);
str = calloc(1, len + 1);
jose_b64_dec(json_object_get(jwe, "payload"), str, len);
return str;
}
.fi
.PP
.PP
\fBSee also:\fP
.RS 4
https://tools.ietf.org/html/rfc7515
.RE
.PP
A JSON Web Token (JWT) is a standard data format for expresing claims transferred between to parties in JSON\&. The JWT is wrapped in any number of Signatures (JWS) or Encryptions (JWE)\&.
.PP
\fBSee also:\fP
.RS 4
https://tools.ietf.org/html/rfc7515
.RE
.PP
.SH "Function Documentation"
.PP
.SS "json_t* jose_jws_hdr (const json_t * sig)"
.PP
Merges the JOSE headers of a JWS signature object\&.
.PP
\fBParameters:\fP
.RS 4
\fIsig\fP A JWS signature object\&.
.RE
.PP
\fBReturns:\fP
.RS 4
The newly allocated JOSE header\&.
.RE
.PP
.SS "bool jose_jws_sig (jose_cfg_t * cfg, json_t * jws, json_t * sig, const json_t * jwk)"
.PP
Creates one or more signatures in a JWS object\&. The JWS object (\fCjws\fP) must contain the 'payload' property\&.
.PP
All signatures created will be appended to the JWS specified by \fCjws\fP\&. If the resulting JWS (\fCjws\fP) would contain only a single signature, the JWS will be represented in Flattened JWS JSON Serialization Syntax\&. Otherwise, it will be represented in General JWS JSON Serialization Syntax\&.
.PP
If \fCjwk\fP contains a JWK, a single signature is created\&. In this case, \fCjws\fP must contain either a JWS signature object template or NULL\&. You may specify algorithms or other signature behaviors simply by specifying them in the JOSE headers of the JWS signature object template as defined by RFC 7515\&. If a required property is missing, sensible defaults will be used and inserted into the JOSE headers; inferring them from the JWK (\fCjwk\fP) where possible\&.
.PP
If \fCjwk\fP contains an array of JWKs or a JWKSet, multiple signatures are created\&. In this case, the \fCsig\fP parameter must contain one of the following values:
.PP
.IP "1." 4
A JWS signature object template that will be used for all signatures\&. In this case, a copy will be made for each signature and \fCsig\fP will not be modified in any way\&.
.IP "2." 4
An array of JWS signature object templates\&. Each template will be used with its corresponding JWK from \fCjwk\fP\&. If the arrays in \fCsig\fP and \fCjwk\fP are a different size, an error will occur\&.
.IP "3." 4
NULL\&. This has the same effect as passing NULL for each separate key\&.
.PP
.PP
\fBParameters:\fP
.RS 4
\fIcfg\fP The configuration context (optional)\&.
.br
\fIjws\fP The JWS object\&.
.br
\fIsig\fP The JWS signature object template(s) or NULL\&.
.br
\fIjwk\fP The JWK(s) or JWKSet used for creating signatures\&.
.RE
.PP
\fBReturns:\fP
.RS 4
On success, true\&. Otherwise, false\&.
.RE
.PP
.SS "\fBjose_io_t\fP* jose_jws_sig_io (jose_cfg_t * cfg, json_t * jws, json_t * sig, const json_t * jwk)"
.PP
Creates one or more signatures in a JWS object using streaming\&. This function behaves substantially like \fBjose_jws_sig()\fP except:
.PP
The payload is not specified in the JWS (\fCjws\fP)\&. Rather, the payload is provided using the returned IO object\&. The input to the returned IO object will not be internally Base64 encoded\&. So you may need to prepend the IO chain with the result of \fBjose_b64_enc_io()\fP (depending on your situation)\&.
.PP
Likewise, the payload is not stored in the JWS object (\fCjws\fP)\&. This allows for detached payloads and decreases memory use for signatures over large payloads\&. If you would like to attach the payload, it is your responsibility to do so manually\&.
.PP
\fBParameters:\fP
.RS 4
\fIcfg\fP The configuration context (optional)\&.
.br
\fIjws\fP The JWS object\&.
.br
\fIsig\fP The JWS signature object template(s) or NULL\&.
.br
\fIjwk\fP The JWK(s) or JWKSet used for creating signatures\&.
.RE
.PP
\fBReturns:\fP
.RS 4
The new IO object or NULL on error\&.
.RE
.PP
.SS "bool jose_jws_ver (jose_cfg_t * cfg, const json_t * jws, const json_t * sig, const json_t * jwk, bool all)"
.PP
Verifies signatures of one or more JWKs in a JWS object\&. The JWS object (\fCjws\fP) must contain the 'payload' property\&.
.PP
If a single JWK (\fCjwk\fP) is specified, the \fCall\fP parameter is ignored\&. In this case, if you would like to verify a particular JWS signature object, you may specify it using the \fCsig\fP parameter\&. Otherwise, you may simply pass NULL to verify any of the JWS signature objects in the JWS object\&.
.PP
If \fCjwk\fP contains an array of JWKs or a JWKSet, the \fCall\fP parameter determines whether a valid signature is required for every JWK in order to successfully validate the JWS\&. For example, if you set \fCall\fP to false this function will succeed if a valid signature is found for any of the provided JWKs\&. When using this multiple JWK signature mode, the \fCsig\fP parameter must contain one of the following values:
.PP
.IP "1." 4
A single JWS signature object to validate against all/any of the provided JWKs\&.
.IP "2." 4
An array of JWS signature objects\&. In this case, each JWS signature object will be mapped to its corresponding JWK from \fCjwk\fP\&. If the arrays in \fCsig\fP and \fCjwk\fP are a different size, an error will occur\&.
.IP "3." 4
NULL\&. This has the same effect as passing NULL for each separate key\&.
.PP
.PP
\fBParameters:\fP
.RS 4
\fIcfg\fP The configuration context (optional)\&.
.br
\fIjws\fP The JWS object\&.
.br
\fIsig\fP The JWS signature object(s) to verify or NULL\&.
.br
\fIjwk\fP The JWK(s) or JWKSet used for verifying signatures\&.
.br
\fIall\fP Whether or not to require validation of all JWKs\&.
.RE
.PP
\fBReturns:\fP
.RS 4
On success, true\&. Otherwise, false\&.
.RE
.PP
.SS "\fBjose_io_t\fP* jose_jws_ver_io (jose_cfg_t * cfg, const json_t * jws, const json_t * sig, const json_t * jwk, bool all)"
.PP
Verifies signatures of one or more JWKs in a JWS object using streaming\&. This function behaves substantially like \fBjose_jws_ver()\fP except:
.PP
The payload is not specified in the JWS (\fCjws\fP)\&. Rather, the payload is provided using the returned IO object\&. The input to the returned IO object will not be internally Base64 encoded\&. So you may need to prepend the IO chain with the result of \fBjose_b64_enc_io()\fP (depending on your situation)\&.
.PP
Final signature verification is delayed until \fBjose_io_t::done()\fP returns\&.
.PP
\fBParameters:\fP
.RS 4
\fIcfg\fP The configuration context (optional)\&.
.br
\fIjws\fP The JWS object\&.
.br
\fIsig\fP The JWS signature object(s) to verify or NULL\&.
.br
\fIjwk\fP The JWK(s) or JWKSet used for verifying signatures\&.
.br
\fIall\fP Whether or not to require validation of all JWKs\&.
.RE
.PP
\fBReturns:\fP
.RS 4
The new IO object or NULL on error\&.
.RE
.PP
.SH "Author"
.PP
Generated automatically by Doxygen for José from the source code\&.
|
