josekit
JOSE (Javascript Object Signing and Encryption: JWT, JWS, JWE, JWA, JWK) library for Rust.
Notice: This package doesn't support JWE yet.
Install
[]
= "0.3.0"
This library depends on OpenSSL DLL. Read more about Crate openssl.
Build
Supported signature algorithms
Name | Description | Curve |
---|---|---|
HS256 | HMAC using SHA-256 | |
HS384 | HMAC using SHA-384 | |
HS512 | HMAC using SHA-512 | |
RS256 | RSASSA-PKCS1-v1_5 using SHA-256 | |
RS384 | RSASSA-PKCS1-v1_5 using SHA-384 | |
RS512 | RSASSA-PKCS1-v1_5 using SHA-512 | |
PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 | |
PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384 | |
PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512 | |
ES256 | ECDSA using P-256 and SHA-256 | |
ES384 | ECDSA using P-384 and SHA-384 | |
ES512 | ECDSA using P-521 and SHA-512 | |
ES256K | ECDSA using secp256k1 curve and SHA-256 | |
EdDSA | EdDSA signature algorithms | Ed25519, Ed448 |
None | No digital signature or MAC performed |
Supported key formats for RSA/RSA-PSS/ECDSA/EdDSA sigining
Usage
Signing a JWT by HMAC
HMAC is used to verify the integrity of a message by common secret key. Three types of HMAC algorithms are available: HS256, HS384, and HS512. You can use any text as the key.
use ;
use ;
let mut header = new;
header.set_token_type;
let mut payload = new;
payload.set_subject;
let common_secret_key = b"secret";
// Signing JWT
let signer = HS256.signer_from_bytes?;
let jwt = encode_with_signer?;
// Verifing JWT
let verifier = HS256.signer_from_bytes?
let = decode_with_verifier?;
Signing a JWT by RSA
RSA is used to verify the integrity of a message by two keys: public and private. Three types of RSA algorithms are available: RS256, RS384, and RS512.
You can generate the keys by executing openssl command.
# Generate a new private key. Keygen bits must be 2048 or more.
# Generate a public key from the private key.
use ;
use ;
let mut header = new;
header.set_token_type;
let mut payload = new;
payload.set_subject;
// Signing JWT
let private_key = load_from_file?;
let signer = RS256.signer_from_pem?;
let jwt = encode_with_signer?;
// Verifing JWT
let public_key = load_from_file?;
let verifier = RS256.verifier_from_pem?;
let = decode_with_verifier?;
Signing a JWT by RSA-PSS
RSA-PSS is used to verify the integrity of a message by two keys: public and private.
The raw key format of RSA-PSS is the same as RSA. So you should use a PKCS#8 wrapped key. It contains some optional attributes.
Three types of RSA-PSS algorithms are available: PS256, PS384, and PS512. You can generate the keys by executing openssl command.
# Generate a new private key
# for PS256
# for PS384
# for PS512
# Generate a public key from the private key.
use ;
use ;
let mut header = new;
header.set_token_type;
let mut payload = new;
payload.set_subject;
// Signing JWT
let private_key = load_from_file?;
let signer = PS256.signer_from_pem?;
let jwt = encode_with_signer?;
// Verifing JWT
let public_key = load_from_file?;
let verifier = PS256.verifier_from_pem?;
let = decode_with_verifier?;
Signing a JWT by ECDSA
ECDSA is used to verify the integrity of a message by two keys: public and private. Four types of ECDSA algorithms are available: ES256, ES384, ES512 and ES256K.
You can generate the keys by executing openssl command.
# Generate a new private key
# for ES256
# for ES384
# for ES512
# for ES256K
# Generate a public key from the private key.
use ;
use ;
let mut header = new;
header.set_token_type;
let mut payload = new;
payload.set_subject;
// Signing JWT
let private_key = load_from_file?;
let signer = ES256.signer_from_pem?;
let jwt = encode_with_signer?;
// Verifing JWT
let public_key = load_from_file?;
let verifier = ES256.verifier_from_pem?;
let = decode_with_verifier?;
Signing a JWT by EdDSA
EdDSA is used to verify the integrity of a message by two keys: public and private. Types of EdDSA algorithms is only "EdDSA". But it has two curve types: ED25519, ED448.
You can generate the keys by executing openssl command.
# Generate a new private key
# for ED25519
# for ED448
# Generate a public key from the private key.
use ;
use ;
let mut header = new;
header.set_token_type;
let mut payload = new;
payload.set_subject;
// Signing JWT
let private_key = load_from_file?;
let signer = EdDSA.signer_from_pem?;
let jwt = encode_with_signer?;
// Verifing JWT
let public_key = load_from_file?;
let verifier = EdDSA.verifier_from_pem?;
let = decode_with_verifier?;
Encrypted JWT
Not support yet.
Unsecured JWT
use JwsHeader;
use ;
let mut header = new;
header.set_token_type;
let mut payload = new;
payload.set_subject;
let jwt = encode_unsecured?;
let = decode_unsecured?;
Validate payload
use ;
...
let = decode_with_verifier?;
let mut validator = new;
// value based validation
validator.set_issuer;
validator.set_audience;
validator.set_jwt_id;
// time based validation: not_before <= base_time < expires_at
validator.set_base_time;
// issued time based validation: min_issued_time <= issued_time <= max_issued_time
validator.set_min_issued_time;
validator.set_max_issued_time;
validator.validate?;
ToDo
- Support JWE
License
Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
References
- RFC7515: JSON Web Signature (JWS)
- RFC7516: JSON Web Encryption (JWE)
- RFC7517: JSON Web Key (JWK)
- RFC7518: JSON Web Algorithms (JWA)
- RFC7519: JSON Web Token (JWT)
- RFC7797: JSON Web Signature (JWS) Unencoded Payload Option
- RFC8017: PKCS #1: RSA Cryptography Specifications Version 2.2
- RFC5208: PKCS #8: Private-Key Information Syntax Specification Version 1.2
- RFC5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
- RFC5915: Elliptic Curve Private Key Structure
- RFC5480: Elliptic Curve Cryptography Subject Public Key Information
- RFC6979: Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)
- RFC8410: Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure
- RFC7468: Textual Encodings of PKIX, PKCS, and CMS Structures