Enum openid::biscuit::jwe::Compact [−][src]
Compact representation of a JWE, or an encrypted JWT
This representation contains a payload of type T
with custom headers provided by type H
.
In general you should use a JWE with a JWS. That is, you should sign your JSON Web Token to
create a JWS, and then encrypt the signed JWS.
Nonce/Initialization Vectors for AES GCM encryption
When encrypting tokens with AES GCM, you must take care not to reuse the nonce for the same key. You can keep track of this by simply treating the nonce as a 96 bit counter and incrementing it every time you encrypt something new.
Examples
Encrypting a JWS/JWT
See the example code in the biscuit::JWE
type alias.
Encrypting a string payload with A256GCMKW and A256GCM
use std::str; use biscuit::Empty; use biscuit::jwk::JWK; use biscuit::jwe; use biscuit::jwa::{EncryptionOptions, KeyManagementAlgorithm, ContentEncryptionAlgorithm}; let payload = "The true sign of intelligence is not knowledge but imagination."; // You would usually have your own AES key for this, but we will use a zeroed key as an example let key: JWK<Empty> = JWK::new_octet_key(&vec![0; 256 / 8], Default::default()); // Construct the JWE let jwe = jwe::Compact::new_decrypted( From::from(jwe::RegisteredHeader { cek_algorithm: KeyManagementAlgorithm::A256GCMKW, enc_algorithm: ContentEncryptionAlgorithm::A256GCM, ..Default::default() }), payload.as_bytes().to_vec(), ); // We need to create an `EncryptionOptions` with a nonce for AES GCM encryption. // You must take care NOT to reuse the nonce. You can simply treat the nonce as a 96 bit // counter that is incremented after every use let mut nonce_counter = num::BigUint::from_bytes_le(&vec![0; 96 / 8]); // Make sure it's no more than 96 bits! assert!(nonce_counter.bits() <= 96); let mut nonce_bytes = nonce_counter.to_bytes_le(); // We need to ensure it is exactly 96 bits nonce_bytes.resize(96/8, 0); let options = EncryptionOptions::AES_GCM { nonce: nonce_bytes }; // Encrypt let encrypted_jwe = jwe.encrypt(&key, &options).unwrap(); // Decrypt let decrypted_jwe = encrypted_jwe .decrypt( &key, KeyManagementAlgorithm::A256GCMKW, ContentEncryptionAlgorithm::A256GCM, ) .unwrap(); let decrypted_payload: &Vec<u8> = decrypted_jwe.payload().unwrap(); let decrypted_str = str::from_utf8(&*decrypted_payload).unwrap(); assert_eq!(decrypted_str, payload); // Don't forget to increment the nonce! nonce_counter = nonce_counter + 1u8;
Variants
Decrypted form of the JWE. This variant cannot be serialized or deserialized and will return an error.
Fields of Decrypted
Encrypted(Compact)
Encrypted JWT. Use this form to send to your clients
Implementations
impl<T, H> Compact<T, H> where
T: CompactPart,
H: Serialize + DeserializeOwned + Clone,
[src]
T: CompactPart,
H: Serialize + DeserializeOwned + Clone,
pub fn new_decrypted(header: Header<H>, payload: T) -> Compact<T, H>
[src]
Create a new encrypted JWE
pub fn new_encrypted(token: &str) -> Compact<T, H>
[src]
Create a new encrypted JWE
pub fn into_encrypted<K>(
self,
key: &JWK<K>,
options: &EncryptionOptions
) -> Result<Compact<T, H>, Error> where
K: Serialize + DeserializeOwned,
[src]
self,
key: &JWK<K>,
options: &EncryptionOptions
) -> Result<Compact<T, H>, Error> where
K: Serialize + DeserializeOwned,
Consumes self and encrypt it. If the token is already encrypted, this is a no-op.
You will need to provide a jwa::EncryptionOptions
that will differ based on your chosen
algorithms.
If your cek_algorithm
is not dir
or direct, the options provided will be used to
encrypt your content encryption key.
If your cek_algorithm
is dir
or Direct, then the options will be used to encrypt
your content directly.
pub fn encrypt<K>(
&self,
key: &JWK<K>,
options: &EncryptionOptions
) -> Result<Compact<T, H>, Error> where
K: Serialize + DeserializeOwned,
[src]
&self,
key: &JWK<K>,
options: &EncryptionOptions
) -> Result<Compact<T, H>, Error> where
K: Serialize + DeserializeOwned,
Encrypt an Decrypted JWE.
You will need to provide a jwa::EncryptionOptions
that will differ based on your chosen
algorithms.
If your cek_algorithm
is not dir
or direct, the options provided will be used to
encrypt your content encryption key.
If your cek_algorithm
is dir
or Direct, then the options will be used to encrypt
your content directly.
pub fn into_decrypted<K>(
self,
key: &JWK<K>,
cek_alg: KeyManagementAlgorithm,
enc_alg: ContentEncryptionAlgorithm
) -> Result<Compact<T, H>, Error> where
K: Serialize + DeserializeOwned,
[src]
self,
key: &JWK<K>,
cek_alg: KeyManagementAlgorithm,
enc_alg: ContentEncryptionAlgorithm
) -> Result<Compact<T, H>, Error> where
K: Serialize + DeserializeOwned,
Consumes self and decrypt it. If the token is already decrypted, this is a no-op.
pub fn decrypt<K>(
&self,
key: &JWK<K>,
cek_alg: KeyManagementAlgorithm,
enc_alg: ContentEncryptionAlgorithm
) -> Result<Compact<T, H>, Error> where
K: Serialize + DeserializeOwned,
[src]
&self,
key: &JWK<K>,
cek_alg: KeyManagementAlgorithm,
enc_alg: ContentEncryptionAlgorithm
) -> Result<Compact<T, H>, Error> where
K: Serialize + DeserializeOwned,
Decrypt an encrypted JWE. Provide the expected algorithms to mitigate an attacker modifying the fields
pub fn encrypted(&self) -> Result<&Compact, Error>
[src]
Convenience method to get a reference to the encrypted payload
pub fn encrypted_mut(&mut self) -> Result<&mut Compact, Error>
[src]
Convenience method to get a mutable reference to the encrypted payload
pub fn payload(&self) -> Result<&T, Error>
[src]
Convenience method to get a reference to the payload from an Decrypted JWE
pub fn payload_mut(&mut self) -> Result<&mut T, Error>
[src]
Convenience method to get a mutable reference to the payload from an Decrypted JWE
pub fn header(&self) -> Result<&Header<H>, Error>
[src]
Convenience method to get a reference to the header from an Decrypted JWE
pub fn header_mut(&mut self) -> Result<&mut Header<H>, Error>
[src]
Convenience method to get a reference to the header from an Decrypted JWE
pub fn unwrap_decrypted(self) -> (Header<H>, T)
[src]
Consumes self, and move the payload and header out and return them as a tuple
Panics
Panics if the JWE is not decrypted
pub fn unwrap_encrypted(self) -> Compact
[src]
Consumes self, and move the encrypted Compact serialization out and return it
Panics
Panics if the JWE is not encrypted
impl<P, H> Compact<ClaimsSet<P>, H> where
H: Serialize + DeserializeOwned + Clone,
ClaimsSet<P>: CompactPart,
[src]
H: Serialize + DeserializeOwned + Clone,
ClaimsSet<P>: CompactPart,
Convenience implementation for a Compact that contains a ClaimsSet
pub fn validate(&self, options: ValidationOptions) -> Result<(), Error>
[src]
Validate the temporal claims in the decoded token
If None
is provided for options, the defaults will apply.
By default, no temporal claims (namely iat
, exp
, nbf
)
are required, and they will pass validation if they are missing.
Trait Implementations
impl<T, H> Clone for Compact<T, H> where
T: Clone,
H: Clone,
[src]
T: Clone,
H: Clone,
impl<T, H> Debug for Compact<T, H> where
T: Debug,
H: Debug,
[src]
T: Debug,
H: Debug,
impl<'de, T, H> Deserialize<'de> for Compact<T, H>
[src]
pub fn deserialize<__D>(
__deserializer: __D
) -> Result<Compact<T, H>, <__D as Deserializer<'de>>::Error> where
__D: Deserializer<'de>,
[src]
__deserializer: __D
) -> Result<Compact<T, H>, <__D as Deserializer<'de>>::Error> where
__D: Deserializer<'de>,
impl<T, H> Eq for Compact<T, H> where
T: Eq,
H: Eq,
[src]
T: Eq,
H: Eq,
impl<T, H> PartialEq<Compact<T, H>> for Compact<T, H> where
T: PartialEq<T>,
H: PartialEq<H>,
[src]
T: PartialEq<T>,
H: PartialEq<H>,
pub fn eq(&self, other: &Compact<T, H>) -> bool
[src]
pub fn ne(&self, other: &Compact<T, H>) -> bool
[src]
impl<T, H> Serialize for Compact<T, H>
[src]
pub fn serialize<__S>(
&self,
__serializer: __S
) -> Result<<__S as Serializer>::Ok, <__S as Serializer>::Error> where
__S: Serializer,
[src]
&self,
__serializer: __S
) -> Result<<__S as Serializer>::Ok, <__S as Serializer>::Error> where
__S: Serializer,
impl<T, H> StructuralEq for Compact<T, H>
[src]
impl<T, H> StructuralPartialEq for Compact<T, H>
[src]
Auto Trait Implementations
impl<T, H> RefUnwindSafe for Compact<T, H> where
H: RefUnwindSafe,
T: RefUnwindSafe,
H: RefUnwindSafe,
T: RefUnwindSafe,
impl<T, H> Send for Compact<T, H> where
H: Send,
T: Send,
H: Send,
T: Send,
impl<T, H> Sync for Compact<T, H> where
H: Sync,
T: Sync,
H: Sync,
T: Sync,
impl<T, H> Unpin for Compact<T, H> where
H: Unpin,
T: Unpin,
H: Unpin,
T: Unpin,
impl<T, H> UnwindSafe for Compact<T, H> where
H: UnwindSafe,
T: UnwindSafe,
H: UnwindSafe,
T: UnwindSafe,
Blanket Implementations
impl<T> Any for T where
T: 'static + ?Sized,
[src]
T: 'static + ?Sized,
impl<T> Borrow<T> for T where
T: ?Sized,
[src]
T: ?Sized,
impl<T> BorrowMut<T> for T where
T: ?Sized,
[src]
T: ?Sized,
pub fn borrow_mut(&mut self) -> &mut T
[src]
impl<T> DeserializeOwned for T where
T: for<'de> Deserialize<'de>,
[src]
T: for<'de> Deserialize<'de>,
impl<Q, K> Equivalent<K> for Q where
K: Borrow<Q> + ?Sized,
Q: Eq + ?Sized,
[src]
K: Borrow<Q> + ?Sized,
Q: Eq + ?Sized,
pub fn equivalent(&self, key: &K) -> bool
[src]
impl<T> From<T> for T
[src]
impl<T> Instrument for T
[src]
pub fn instrument(self, span: Span) -> Instrumented<Self>
[src]
pub fn in_current_span(self) -> Instrumented<Self>
[src]
impl<T, U> Into<U> for T where
U: From<T>,
[src]
U: From<T>,
impl<T> ToOwned for T where
T: Clone,
[src]
T: Clone,
type Owned = T
The resulting type after obtaining ownership.
pub fn to_owned(&self) -> T
[src]
pub fn clone_into(&self, target: &mut T)
[src]
impl<T, U> TryFrom<U> for T where
U: Into<T>,
[src]
U: Into<T>,
type Error = Infallible
The type returned in the event of a conversion error.
pub fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>
[src]
impl<T, U> TryInto<U> for T where
U: TryFrom<T>,
[src]
U: TryFrom<T>,