Module jws

In-house JWS/JWT compact-serialization verify + sign (RFC 7515/7519) — TrustForge owns its envelope layer; see docs/dependency-audit.md. Mirror of tools/tf-types-ts/src/core/jws.ts.

No custom cryptography: every signature operation delegates to a reviewed primitive crate — ed25519-dalek (EdDSA), p256/p384 (ES256/ES384), rsa (RS256/RS384/RS512). This module only owns the envelope: compact-form parsing, base64url handling, the algorithm allow-list, and registered-claim validation.

Security posture (deliberate, do not relax):

  • alg is never trusted from the token alone: verification requires the caller’s explicit allow-list, and none has no Algorithm variant, so it can never be allow-listed.
  • Key type and algorithm must agree (an RSA key never verifies an ES256 token), which blocks key-confusion downgrades.
  • exp is validated by default; iss and aud are validated whenever the caller configures them, and a configured claim that is missing from the token fails verification.
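The envelope logic described above, as an added example in Rust that is not TrustForge's own code and does not mirror its API: it splits the compact form, decodes base64url, matches the header alg against a caller-supplied allow-list in which none cannot be expressed, checks key family against algorithm family, verifies over the exact signing input, and only then validates exp/iss/aud (with configured-but-missing claims failing). The Verifier trait, DemoKey (an FNV-1a tag standing in for a primitive crate; it is not a MAC), the hand-written base64url and flat JSON lookup, and the injected now clock are all assumptions of this example.

```rust
// Added example, not TrustForge's code: a JWS envelope layer that delegates the
// signature primitive through `Verifier`. `DemoKey` stands in for a real crate.
#[derive(Debug, PartialEq)]
pub enum JwsError { Malformed, AlgNotAllowed, KeyAlgMismatch, BadSignature, Expired, MissingClaim(&'static str), ClaimMismatch(&'static str) }
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Algorithm { EdDSA, ES256, RS256 }
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum KeyFamily { Ed25519, P256, Rsa }

impl Algorithm {
    // "none" and anything unknown have no variant, so they can never be allow-listed.
    fn parse(s: &str) -> Option<Self> {
        match s { "EdDSA" => Some(Self::EdDSA), "ES256" => Some(Self::ES256), "RS256" => Some(Self::RS256), _ => None }
    }
    fn family(self) -> KeyFamily {
        match self { Self::EdDSA => KeyFamily::Ed25519, Self::ES256 => KeyFamily::P256, Self::RS256 => KeyFamily::Rsa }
    }
}

// Caller-supplied policy. `now` is injected (an assumption of this example) so the
// exp check is deterministic; real code would read the clock here.
#[derive(Clone)]
pub struct Validation { pub allowed: Vec<Algorithm>, pub iss: Option<String>, pub aud: Option<String>, pub now: i64 }

// All the envelope asks of a key: its family and a verify call over the signing input.
pub trait Verifier { fn family(&self) -> KeyFamily; fn verify(&self, signing_input: &[u8], sig: &[u8]) -> bool; }

// Stand-in for ed25519-dalek/p256/rsa. The "signature" is an FNV-1a tag over
// secret||input: NOT a MAC, it exists only so the example runs offline.
pub struct DemoKey { pub family: KeyFamily, pub secret: Vec<u8> }
impl DemoKey {
    pub fn tag(&self, input: &[u8]) -> Vec<u8> {
        self.secret.iter().chain(input).fold(0xcbf2_9ce4_8422_2325u64, |h, &b| (h ^ u64::from(b)).wrapping_mul(0x0100_0000_01b3)).to_be_bytes().to_vec()
    }
}
impl Verifier for DemoKey {
    fn family(&self) -> KeyFamily { self.family }
    fn verify(&self, signing_input: &[u8], sig: &[u8]) -> bool { self.tag(signing_input) == sig }
}

const B64: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
// Unpadded base64url (RFC 7515 section 2), written inline to stay dependency-free.
pub fn b64url_encode(data: &[u8]) -> String {
    let (mut out, mut acc, mut bits) = (String::new(), 0u32, 0u32);
    for &b in data {
        acc = (acc << 8) | u32::from(b);
        bits += 8;
        while bits >= 6 { bits -= 6; out.push(B64[((acc >> bits) & 63) as usize] as char); }
        acc &= (1 << bits) - 1;
    }
    if bits > 0 { out.push(B64[((acc << (6 - bits)) & 63) as usize] as char); }
    out
}
pub fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        acc = (acc << 6) | (B64.iter().position(|&t| t == c)? as u32);
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); acc &= (1 << bits) - 1; }
    }
    Some(out)
}

// Flat-object field lookup standing in for serde_json (assumption; no nesting, no escapes).
fn json_field<'a>(json: &'a str, key: &str) -> Option<&'a str> {
    let needle = format!("\"{}\":", key);
    let rest = json[json.find(&needle)? + needle.len()..].trim_start();
    match rest.strip_prefix('"') {
        Some(s) => s.find('"').map(|end| &s[..end]),
        None => Some(rest[..rest.find(|c: char| c == ',' || c == '}').unwrap_or(rest.len())].trim()),
    }
}
fn segment_utf8(seg: &str) -> Result<String, JwsError> {
    String::from_utf8(b64url_decode(seg).ok_or(JwsError::Malformed)?).map_err(|_| JwsError::Malformed)
}

// Verify a compact JWS and return its payload JSON, enforcing the posture above.
pub fn decode(token: &str, key: &dyn Verifier, v: &Validation) -> Result<String, JwsError> {
    let seg: Vec<&str> = token.split('.').collect();
    if seg.len() != 3 { return Err(JwsError::Malformed); }
    // 1. The token's alg is only ever matched against the caller's allow-list.
    let alg = json_field(&segment_utf8(seg[0])?, "alg").and_then(Algorithm::parse).ok_or(JwsError::AlgNotAllowed)?;
    if !v.allowed.contains(&alg) { return Err(JwsError::AlgNotAllowed); }
    // 2. Key family must agree with alg, so a key cannot be coerced into another scheme.
    if key.family() != alg.family() { return Err(JwsError::KeyAlgMismatch); }
    // 3. Verify over the exact signing input BASE64URL(header).BASE64URL(payload).
    let sig = b64url_decode(seg[2]).ok_or(JwsError::Malformed)?;
    if !key.verify(token[..seg[0].len() + 1 + seg[1].len()].as_bytes(), &sig) { return Err(JwsError::BadSignature); }
    // 4. Claims only after the signature holds: exp always, iss/aud when configured.
    let payload = segment_utf8(seg[1])?;
    let exp: i64 = json_field(&payload, "exp").ok_or(JwsError::MissingClaim("exp"))?.parse().map_err(|_| JwsError::Malformed)?;
    if exp <= v.now { return Err(JwsError::Expired); }
    for (name, want) in [("iss", &v.iss), ("aud", &v.aud)] {
        match (want, json_field(&payload, name)) {
            (Some(_), None) => return Err(JwsError::MissingClaim(name)),
            (Some(w), Some(got)) if got != w.as_str() => return Err(JwsError::ClaimMismatch(name)),
            _ => {}
        }
    }
    Ok(payload)
}
// Mint a compact JWS; the header carries alg so decode can check it against the allow-list.
pub fn encode(alg: Algorithm, key: &DemoKey, payload_json: &str) -> String {
    let header = format!("{{\"alg\":\"{:?}\",\"typ\":\"JWT\"}}", alg);
    let signing_input = format!("{}.{}", b64url_encode(header.as_bytes()), b64url_encode(payload_json.as_bytes()));
    format!("{}.{}", signing_input, b64url_encode(&key.tag(signing_input.as_bytes())))
}
```

The ordering in decode is the point: the allow-list and key-family checks run before any signature work, and claims are read only from a payload whose signature already held, so a forged exp or aud can never influence the result.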

Structs§

Header
TokenData
Validation

Enums§

Algorithm
DecodingKey
EncodingKey
JwsError

Functions§

decode
Verify a compact JWS and deserialize its payload, enforcing the registered claims configured on validation.
decode_header
Parse the (unverified!) header segment. Never make a trust decision from this alone.
encode
Mint a compact JWS.