jwt_simple/
jwe_header.rs

1use serde::{Deserialize, Serialize};
2
3/// JWE (JSON Web Encryption) header structure.
4///
5/// This header identifies the cryptographic algorithms used to encrypt
6/// the content encryption key (CEK) and the plaintext.
7#[derive(Debug, Clone, Serialize, Deserialize)]
8pub struct JWEHeader {
9    /// Key management algorithm (e.g., "RSA-OAEP", "A256KW", "ECDH-ES+A256KW")
10    #[serde(rename = "alg")]
11    pub algorithm: String,
12
13    /// Content encryption algorithm (e.g., "A256GCM", "A128GCM")
14    #[serde(rename = "enc")]
15    pub encryption: String,
16
17    /// Key ID - identifies which key was used for encryption
18    #[serde(rename = "kid", default, skip_serializing_if = "Option::is_none")]
19    pub key_id: Option<String>,
20
21    /// Token type (typically "JWE" or omitted)
22    #[serde(rename = "typ", default, skip_serializing_if = "Option::is_none")]
23    pub token_type: Option<String>,
24
25    /// Content type - describes the media type of the encrypted content
26    #[serde(rename = "cty", default, skip_serializing_if = "Option::is_none")]
27    pub content_type: Option<String>,
28
29    /// Ephemeral public key (for ECDH key agreement)
30    #[serde(rename = "epk", default, skip_serializing_if = "Option::is_none")]
31    pub ephemeral_public_key: Option<serde_json::Value>,
32
33    /// Agreement PartyUInfo (for ECDH)
34    #[serde(rename = "apu", default, skip_serializing_if = "Option::is_none")]
35    pub apu: Option<String>,
36
37    /// Agreement PartyVInfo (for ECDH)
38    #[serde(rename = "apv", default, skip_serializing_if = "Option::is_none")]
39    pub apv: Option<String>,
40
41    /// Initialization vector (for AES-GCM key wrap)
42    #[serde(rename = "iv", default, skip_serializing_if = "Option::is_none")]
43    pub iv: Option<String>,
44
45    /// Authentication tag (for AES-GCM key wrap)
46    #[serde(rename = "tag", default, skip_serializing_if = "Option::is_none")]
47    pub tag: Option<String>,
48
49    /// PBES2 salt (not used - PBES2 not supported)
50    #[serde(rename = "p2s", default, skip_serializing_if = "Option::is_none")]
51    pub p2s: Option<String>,
52
53    /// PBES2 iteration count (not used - PBES2 not supported)
54    #[serde(rename = "p2c", default, skip_serializing_if = "Option::is_none")]
55    pub p2c: Option<u32>,
56
57    /// Critical headers that must be understood
58    #[serde(rename = "crit", default, skip_serializing_if = "Option::is_none")]
59    pub critical: Option<Vec<String>>,
60
61    /// X.509 certificate chain
62    #[serde(rename = "x5c", default, skip_serializing_if = "Option::is_none")]
63    pub certificate_chain: Option<Vec<String>>,
64
65    /// X.509 certificate URL
66    #[serde(rename = "x5u", default, skip_serializing_if = "Option::is_none")]
67    pub certificate_url: Option<String>,
68
69    /// X.509 certificate SHA-1 thumbprint
70    #[serde(rename = "x5t", default, skip_serializing_if = "Option::is_none")]
71    pub certificate_sha1_thumbprint: Option<String>,
72
73    /// X.509 certificate SHA-256 thumbprint
74    #[serde(rename = "x5t#S256", default, skip_serializing_if = "Option::is_none")]
75    pub certificate_sha256_thumbprint: Option<String>,
76
77    /// JWK Set URL
78    #[serde(rename = "jku", default, skip_serializing_if = "Option::is_none")]
79    pub key_set_url: Option<String>,
80
81    /// Embedded JWK public key
82    #[serde(rename = "jwk", default, skip_serializing_if = "Option::is_none")]
83    pub public_key: Option<serde_json::Value>,
84}
85
86impl JWEHeader {
87    /// Create a new JWE header with the specified algorithms.
88    pub fn new(algorithm: impl Into<String>, encryption: impl Into<String>) -> Self {
89        JWEHeader {
90            algorithm: algorithm.into(),
91            encryption: encryption.into(),
92            key_id: None,
93            token_type: None,
94            content_type: None,
95            ephemeral_public_key: None,
96            apu: None,
97            apv: None,
98            iv: None,
99            tag: None,
100            p2s: None,
101            p2c: None,
102            critical: None,
103            certificate_chain: None,
104            certificate_url: None,
105            certificate_sha1_thumbprint: None,
106            certificate_sha256_thumbprint: None,
107            key_set_url: None,
108            public_key: None,
109        }
110    }
111
112    /// Set the key ID.
113    pub fn with_key_id(mut self, key_id: impl Into<String>) -> Self {
114        self.key_id = Some(key_id.into());
115        self
116    }
117
118    /// Set the content type.
119    pub fn with_content_type(mut self, content_type: impl Into<String>) -> Self {
120        self.content_type = Some(content_type.into());
121        self
122    }
123
124    /// Set the ephemeral public key (for ECDH).
125    pub fn with_ephemeral_public_key(mut self, epk: serde_json::Value) -> Self {
126        self.ephemeral_public_key = Some(epk);
127        self
128    }
129}
130
131impl Default for JWEHeader {
132    fn default() -> Self {
133        JWEHeader::new("RSA-OAEP", "A256GCM")
134    }
135}