In-house JWS/JWT compact-serialization verify + sign (RFC 7515/7519)
— TrustForge owns its envelope layer; see docs/dependency-audit.md.
Mirror of tools/tf-types-ts/src/core/jws.ts.
No custom cryptography: every signature operation delegates to a
reviewed primitive crate — ed25519-dalek (EdDSA), p256/p384
(ES256/ES384), rsa (RS256/RS384/RS512). This module only owns the
envelope: compact-form parsing, base64url handling, the algorithm
allow-list, and registered-claim validation.
Security posture (deliberate, do not relax):
- `alg` is never trusted from the token alone — verification requires the caller’s explicit allow-list, and `none` is unrepresentable.
- Key type and algorithm must agree (an RSA key never verifies an ES256 token, killing key-confusion downgrades).
- `exp` is validated by default; `iss`/`aud` are validated whenever the caller configures them, and configured-but-missing claims fail.
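The first two posture rules can be expressed as a gate that runs before any signature primitive is called. This is an added illustration, not TrustForge's own code: the names `Alg`, `KeyKind`, `Reject` and `admit` are hypothetical, and the `alg` string is assumed to have already been read from the unverified header.

```rust
use std::str::FromStr;

// Hypothetical types for illustration; not the module's real API.
/// Algorithms the envelope can represent. There is no `None` variant,
/// so an unsigned token cannot be expressed, let alone allow-listed.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Alg { EdDSA, ES256, ES384, RS256, RS384, RS512 }

/// Family of the verification key supplied by the caller.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum KeyKind { Ed25519, P256, P384, Rsa }

#[derive(Debug, PartialEq, Eq)]
pub enum Reject { UnknownAlg, NotAllowed, KeyMismatch }

impl FromStr for Alg {
    type Err = Reject;
    fn from_str(s: &str) -> Result<Self, Reject> {
        // Exact, case-sensitive match; "none" and anything else unlisted is rejected.
        Ok(match s {
            "EdDSA" => Alg::EdDSA, "ES256" => Alg::ES256, "ES384" => Alg::ES384,
            "RS256" => Alg::RS256, "RS384" => Alg::RS384, "RS512" => Alg::RS512,
            _ => return Err(Reject::UnknownAlg),
        })
    }
}

impl Alg {
    /// The only key family allowed to verify this algorithm.
    fn key_kind(self) -> KeyKind {
        match self {
            Alg::EdDSA => KeyKind::Ed25519,
            Alg::ES256 => KeyKind::P256,
            Alg::ES384 => KeyKind::P384,
            Alg::RS256 | Alg::RS384 | Alg::RS512 => KeyKind::Rsa,
        }
    }
}

/// Admit a token's `alg` only if it parses, is on the caller's allow-list,
/// and matches the family of the key the caller supplied.
pub fn admit(header_alg: &str, allowed: &[Alg], key: KeyKind) -> Result<Alg, Reject> {
    let alg: Alg = header_alg.parse()?;
    if !allowed.contains(&alg) { return Err(Reject::NotAllowed); }
    if alg.key_kind() != key { return Err(Reject::KeyMismatch); }
    Ok(alg)
}
```

The token's header only ever selects among choices the caller already made; it never widens them.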
Structs

Enums

Functions

- `decode`: Verify a compact JWS and deserialize its payload, enforcing the registered claims configured on `validation`.
- `decode_header`: Parse the (unverified!) header segment. Never make a trust decision from this alone.
- `encode`: Mint a compact JWS.