Data Structures | |
struct | apr_jose_data_t |
struct | apr_jose_text_t |
struct | apr_jose_json_t |
struct | apr_jose_jwk_t |
struct | apr_jose_jwks_t |
struct | apr_jose_signature_t |
struct | apr_jose_jws_t |
struct | apr_jose_encryption_t |
struct | apr_jose_recipient_t |
struct | apr_jose_jwe_t |
struct | apr_jose_jwt_t |
struct | apr_jose_t |
struct | apr_jose_cb_t |
Typedefs | |
typedef struct apr_jose_t | apr_jose_t |
typedef enum apr_jose_type_e | apr_jose_type_e |
typedef struct apr_jose_data_t | apr_jose_data_t |
typedef struct apr_jose_text_t | apr_jose_text_t |
typedef struct apr_jose_json_t | apr_jose_json_t |
typedef struct apr_jose_jwk_t | apr_jose_jwk_t |
typedef struct apr_jose_jwks_t | apr_jose_jwks_t |
typedef struct apr_jose_signature_t | apr_jose_signature_t |
typedef struct apr_jose_jws_t | apr_jose_jws_t |
typedef struct apr_jose_encryption_t | apr_jose_encryption_t |
typedef struct apr_jose_recipient_t | apr_jose_recipient_t |
typedef struct apr_jose_jwe_t | apr_jose_jwe_t |
typedef struct apr_jose_jwt_t | apr_jose_jwt_t |
typedef struct apr_jose_cb_t | apr_jose_cb_t |
Enumerations | |
enum | apr_jose_type_e { APR_JOSE_TYPE_NONE = 0 , APR_JOSE_TYPE_JWK = 1 , APR_JOSE_TYPE_JWKS , APR_JOSE_TYPE_JWS , APR_JOSE_TYPE_JWS_JSON , APR_JOSE_TYPE_JWE , APR_JOSE_TYPE_JWE_JSON , APR_JOSE_TYPE_JWT , APR_JOSE_TYPE_DATA , APR_JOSE_TYPE_TEXT , APR_JOSE_TYPE_JSON } |
The JOSE (JSON Object Signing and Encryption) library allows the encoding and decoding of JWS (JSON Web Signature), JWE (JSON Web Encryption), JWK (JSON Web Key) and JWT (JSON Web Token) objects, encoded using compact encoding, JSON encoding, or flattened JSON encoding.
The supported specifications are the JOSE RFCs referenced in the parameter descriptions below (RFC 7515 for JWS and RFC 7516 for JWE), together with the JWK, JWA algorithm and JWT claim names defined in this header.
Encryption, decryption, signing and verification are implemented as callbacks to the caller's specification, and are not included in this library.
When decrypting or verifying, the caller MUST verify that the 'alg' algorithm parameter in the JOSE message matches the algorithm expected by the implementation. Because the cryptographic operations live in the caller's callbacks, the library cannot enforce this: a callback that selects its algorithm from the message's own 'alg' header accepts whatever the sender chose, including "none" (no signature or MAC at all) or a different algorithm family than the key was issued for, which is a well-known class of JOSE verification bypass. Compare 'alg' (and, for JWE, 'enc') against the single expected value before any key is used, and treat a mismatch as a failed verification.
It is recommended that the apr_crypto library be used to implement the callbacks, however an alternatively crypto library of the caller's choice may be used instead.
#define APR_JOSE_FLAG_BREAK 2 |
When verifying or decrypting, break out of processing.
If the verification or decryption failed, processing will be aborted with the given error.
If the verification or decryption succeeded, processing will be considered successful and will move on to the nested structure.
#define APR_JOSE_FLAG_DECODE_ALL 1 |
Return the full JOSE structure, instead of only the innermost nested structure.
#define APR_JOSE_FLAG_NONE 0 |
Default options.
#define APR_JOSE_JWA_ES256 "ES256" |
ECDSA using P-256 and SHA-256
#define APR_JOSE_JWA_ES384 "ES384" |
ECDSA using P-384 and SHA-384
#define APR_JOSE_JWA_ES512 "ES512" |
ECDSA using P-521 and SHA-512
#define APR_JOSE_JWA_HS256 "HS256" |
HMAC using SHA-256
#define APR_JOSE_JWA_HS384 "HS384" |
HMAC using SHA-384
#define APR_JOSE_JWA_HS512 "HS512" |
HMAC using SHA-512
#define APR_JOSE_JWA_NONE "none" |
No digital signature or MAC performed. A verify callback must reject this value unless unsigned content is explicitly expected (see the 'alg' requirement above); accepting it means any payload passes verification.
#define APR_JOSE_JWA_PS256 "PS256" |
RSASSA-PSS using SHA-256 and MGF1 with SHA-256
#define APR_JOSE_JWA_PS384 "PS384" |
RSASSA-PSS using SHA-384 and MGF1 with SHA-384
#define APR_JOSE_JWA_PS512 "PS512" |
RSASSA-PSS using SHA-512 and MGF1 with SHA-512
#define APR_JOSE_JWA_RS256 "RS256" |
RSASSA-PKCS1-v1_5 using SHA-256
#define APR_JOSE_JWA_RS384 "RS384" |
RSASSA-PKCS1-v1_5 using SHA-384
#define APR_JOSE_JWA_RS512 "RS512" |
RSASSA-PKCS1-v1_5 using SHA-512
#define APR_JOSE_JWE_AAD "aad" |
"aad" Parameter
#define APR_JOSE_JWE_CIPHERTEXT "ciphertext" |
"ciphertext" Parameter
#define APR_JOSE_JWE_COMPRESSION "zip" |
"zip" (Compression Algorithm) Header Parameter
#define APR_JOSE_JWE_EKEY "encrypted_key" |
"encrypted_key" Parameter
#define APR_JOSE_JWE_ENCRYPTION "enc" |
"enc" (Encryption Algorithm) Header Parameter
#define APR_JOSE_JWE_IV "iv" |
"iv" Parameter
#define APR_JOSE_JWE_RECIPIENTS "recipients" |
"recipients" Parameter
#define APR_JOSE_JWE_TAG "tag" |
"tag" Parameter
#define APR_JOSE_JWE_UNPROTECTED "unprotected" |
"unprotected" Parameter
#define APR_JOSE_JWK_KEY_OPERATIONS "key_ops" |
"key_ops" (Key Operations) Parameter
#define APR_JOSE_JWK_KEY_TYPE "kty" |
"kty" (Key Type) Parameter
#define APR_JOSE_JWK_KEYS "keys" |
"keys" Parameter
#define APR_JOSE_JWK_PUBLIC_KEY_USE "use" |
"use" (Public Key Use) Parameter
#define APR_JOSE_JWKSE_ALGORITHM "alg" |
"alg" (Algorithm) Header Parameter
https://tools.ietf.org/html/rfc7515#section-4.1.1 https://tools.ietf.org/html/rfc7516#section-4.1.1
#define APR_JOSE_JWKSE_KEYID "kid" |
"kid" (Key ID) Header Parameter
https://tools.ietf.org/html/rfc7515#section-4.1.4 https://tools.ietf.org/html/rfc7516#section-4.1.6
#define APR_JOSE_JWKSE_X509_CHAIN "x5c" |
"x5c" (X.509 Certificate Chain) Header Parameter
https://tools.ietf.org/html/rfc7515#section-4.1.6 https://tools.ietf.org/html/rfc7516#section-4.1.8
#define APR_JOSE_JWKSE_X509_SHA1_THUMBPRINT "x5t" |
"x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter
https://tools.ietf.org/html/rfc7515#section-4.1.7 https://tools.ietf.org/html/rfc7516#section-4.1.9
#define APR_JOSE_JWKSE_X509_SHA256_THUMBPRINT "x5t#S256" |
"x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Header Parameter
https://tools.ietf.org/html/rfc7515#section-4.1.8 https://tools.ietf.org/html/rfc7516#section-4.1.10
#define APR_JOSE_JWKSE_X509_URL "x5u" |
"x5u" (X.509 URL) Header Parameter. This URL arrives in the message and is untrusted until the message has been verified; a callback should only dereference it when it matches a pre-configured allow-list, never blindly fetch it.
https://tools.ietf.org/html/rfc7515#section-4.1.5 https://tools.ietf.org/html/rfc7516#section-4.1.7
#define APR_JOSE_JWS_PAYLOAD "payload" |
"payload" Parameter
#define APR_JOSE_JWS_SIGNATURE "signature" |
"signature" Parameter
#define APR_JOSE_JWS_SIGNATURES "signatures" |
"signatures" Parameter
#define APR_JOSE_JWSE_CONTENT_TYPE "cty" |
"cty" (Content Type) Header Parameter
https://tools.ietf.org/html/rfc7515#section-4.1.10 https://tools.ietf.org/html/rfc7516#section-4.1.12
#define APR_JOSE_JWSE_CRITICAL "crit" |
"crit" (Critical) Header Parameter
https://tools.ietf.org/html/rfc7515#section-4.1.11 https://tools.ietf.org/html/rfc7516#section-4.1.13
#define APR_JOSE_JWSE_HEADER "header" |
"header" (Unprotected Header) Parameter, carried alongside the protected header in the JSON serialization of a JWS or JWE.
#define APR_JOSE_JWSE_JWK "jwk" |
"jwk" (JSON Web Key) Header Parameter. A key embedded in the message header is chosen by the sender; a verify callback must not use it as the trust anchor unless it has been matched against a key the verifier already trusts.
https://tools.ietf.org/html/rfc7515#section-4.1.3 https://tools.ietf.org/html/rfc7516#section-4.1.5
#define APR_JOSE_JWSE_JWK_SET_URL "jku" |
"jku" (JWK Set URL) Header Parameter. As with "x5u", this URL is attacker-controlled until the message is verified; fetch it only when it matches a pre-configured allow-list.
https://tools.ietf.org/html/rfc7515#section-4.1.2 https://tools.ietf.org/html/rfc7516#section-4.1.4
#define APR_JOSE_JWSE_PROTECTED "protected" |
"protected" (Protected Header) Parameter, the integrity-protected header in the JSON serialization of a JWS or JWE.
#define APR_JOSE_JWSE_TYPE "typ" |
"typ" (Type) Header Parameter
https://tools.ietf.org/html/rfc7515#section-4.1.9 https://tools.ietf.org/html/rfc7516#section-4.1.11
#define APR_JOSE_JWSE_TYPE_JWT "JWT" |
"typ" (Type) Header Parameter representing a JWT
#define APR_JOSE_JWT_AUDIENCE "aud" |
"aud" (Audience) Claim
#define APR_JOSE_JWT_EXPIRATION_TIME "exp" |
"exp" (Expiration Time) Claim
#define APR_JOSE_JWT_ID "jti" |
"jti" (JWT ID) Claim
#define APR_JOSE_JWT_ISSUED_AT "iat" |
"iat" (Issued At) Claim
#define APR_JOSE_JWT_ISSUER "iss" |
"iss" (Issuer) Claim
#define APR_JOSE_JWT_NOT_BEFORE "nbf" |
"nbf" (Not Before) Claim
#define APR_JOSE_JWT_SUBJECT "sub" |
"sub" (Subject) Claim
typedef struct apr_jose_cb_t apr_jose_cb_t |
Callbacks for encryption, decryption, signing and verifying.
typedef struct apr_jose_data_t apr_jose_data_t |
Unsigned char data of a given length
typedef struct apr_jose_encryption_t apr_jose_encryption_t |
An encrypted payload within a JSON web encryption.
typedef struct apr_jose_json_t apr_jose_json_t |
JSON object
typedef struct apr_jose_jwe_t apr_jose_jwe_t |
A JSON web encryption
typedef struct apr_jose_jwk_t apr_jose_jwk_t |
A JSON web key
typedef struct apr_jose_jwks_t apr_jose_jwks_t |
A JSON web key set
typedef struct apr_jose_jws_t apr_jose_jws_t |
A JSON web signature
typedef struct apr_jose_jwt_t apr_jose_jwt_t |
A JSON web token
typedef struct apr_jose_recipient_t apr_jose_recipient_t |
A single recipient within a JSON web encryption.
typedef struct apr_jose_signature_t apr_jose_signature_t |
A single signature within a JSON web signature.
typedef struct apr_jose_t apr_jose_t |
Forward declaration of the apr_jose_t structure.
typedef struct apr_jose_text_t apr_jose_text_t |
Signed char data of a given length
typedef enum apr_jose_type_e apr_jose_type_e |
Enum that represents the type of JOSE object.
enum apr_jose_type_e |
Enum that represents the type of JOSE object.
apr_jose_t* apr_jose_data_make | ( | apr_jose_t * | jose, |
const char * | typ, | ||
const unsigned char * | in, | ||
apr_size_t | inlen, | ||
apr_pool_t * | pool | ||
) |
Make a data buffer for encoding from the given data and length.
jose | If jose points at NULL, a JOSE structure will be created. If the jose pointer is not NULL, the structure will be reused. |
typ | the content type of this data. |
in | the plaintext to sign. |
inlen | length of the plaintext. |
pool | pool used to allocate the result from. |
apr_status_t apr_jose_decode | ( | apr_jose_t ** | jose,
const char * | typ, | ||
apr_bucket_brigade * | brigade, | ||
apr_jose_cb_t * | cb, | ||
int | level, | ||
int | flags, | ||
apr_pool_t * | pool | ||
) |
Decode, decrypt and verify the utf8-encoded JOSE string into apr_jose_t.
The JOSE structure may be nested to the given limit.
jose | If jose points at NULL, a JOSE structure will be created. If the jose pointer is not NULL, the structure will be reused. |
typ | content type of this object. |
brigade | the JOSE structure to decode. |
cb | callbacks for verify and decrypt. The library does not check the 'alg' (or, for JWE, 'enc') header itself; the callback must compare it against the algorithm it expects before using any key, and reject anything else, including "none". |
level | depth limit of JOSE and JSON nesting. Input nested deeper than this limit is not decoded, which bounds the work an attacker-supplied, deeply nested message can cause; choose a small value matching the structures you actually expect. |
flags | APR_JOSE_FLAG_NONE to return payload only. APR_JOSE_FLAG_DECODE_ALL to return the full JWS/JWE structure. |
pool | pool used to allocate the result from. |
apr_status_t apr_jose_encode | ( | apr_bucket_brigade * | brigade, |
apr_brigade_flush | flush, | ||
void * | ctx, | ||
apr_jose_t * | jose, | ||
apr_jose_cb_t * | cb, | ||
apr_pool_t * | pool | ||
) |
Sign or encrypt the apr_jose_t, and write it to the brigade.
brigade | brigade the result will be appended to. |
flush | The flush function to use if the brigade is full |
ctx | The structure to pass to the flush function |
jose | the JOSE to encode. |
cb | callbacks for sign and encrypt. |
pool | pool to be used. |
apr_jose_encryption_t* apr_jose_encryption_make | ( | apr_jose_encryption_t * | encryption, |
apr_json_value_t * | unprotected, | ||
apr_json_value_t * | protected, | ||
apr_pool_t * | pool | ||
) |
Make an encryption structure for JWE.
encryption | the result. |
unprotected | the unprotected shared header. |
protected | the protected header. |
pool | the pool to use. |
apu_err_t* apr_jose_error | ( | apr_jose_t * | jose | ) |
Get the result of the last operation on the jose. If the result is NULL, the operation was successful.
jose | - context pointer |
apr_jose_t* apr_jose_json_make | ( | apr_jose_t * | jose, |
const char * | cty, | ||
apr_json_value_t * | json, | ||
apr_pool_t * | pool | ||
) |
Make a json structure for encoding.
jose | If jose points at NULL, a JOSE structure will be created. If the jose pointer is not NULL, the structure will be reused. |
cty | the content type. |
json | the json object to add. |
pool | pool used to allocate the result from. |
apr_jose_t* apr_jose_jwe_json_make | ( | apr_jose_t * | jose, |
apr_jose_recipient_t * | recipient, | ||
apr_array_header_t * | recipients, | ||
apr_jose_encryption_t * | encryption, | ||
apr_jose_t * | payload, | ||
apr_pool_t * | pool | ||
) |
Make a JSON encoded JWE.
jose | If jose points at NULL, a JOSE structure will be created. If the jose pointer is not NULL, the structure will be reused. |
recipient | the recipient for compact / flattened JWE. |
recipients | the recipients array for general JWE. |
encryption | the encryption structure. |
payload | the JOSE payload to encrypt. |
pool | pool used to allocate the result from. |
apr_jose_t* apr_jose_jwe_make | ( | apr_jose_t * | jose, |
apr_jose_recipient_t * | recipient, | ||
apr_array_header_t * | recipients, | ||
apr_jose_encryption_t * | encryption, | ||
apr_jose_t * | payload, | ||
apr_pool_t * | pool | ||
) |
Make a compact encoded JWE.
jose | If jose points at NULL, a JOSE structure will be created. If the jose pointer is not NULL, the structure will be reused. |
recipient | the recipient for compact / flattened JWE. |
recipients | the recipients array for general JWE. |
encryption | the encryption structure. |
payload | the JOSE payload to encrypt. |
pool | pool used to allocate the result from. |
apr_jose_t* apr_jose_jwk_make | ( | apr_jose_t * | jose, |
apr_json_value_t * | key, | ||
apr_pool_t * | pool | ||
) |
Make a JSON Web Key for encoding or decoding.
jose | If jose points at NULL, a JOSE structure will be created. If the jose pointer is not NULL, the structure will be reused. |
key | the json representing the key. May be NULL. |
pool | pool used to allocate the result from. |
apr_jose_t* apr_jose_jwks_make | ( | apr_jose_t * | jose, |
apr_json_value_t * | keys, | ||
apr_pool_t * | pool | ||
) |
Make a JSON Web Key Set.
jose | If jose points at NULL, a JOSE structure will be created. If the jose pointer is not NULL, the structure will be reused. |
keys | the array of keys in JSON format. May be NULL. |
pool | pool used to allocate the result from. |
apr_jose_t* apr_jose_jws_json_make | ( | apr_jose_t * | jose, |
apr_jose_signature_t * | signature, | ||
apr_array_header_t * | signatures, | ||
apr_jose_t * | payload, | ||
apr_pool_t * | pool | ||
) |
Make a JSON encoded JWS.
jose | If jose points at NULL, a JOSE structure will be created. If the jose pointer is not NULL, the structure will be reused. |
signature | the header / protected header / signature used with compact or flattened syntax. May be NULL. |
signatures | array of header / protected header / signature used with general JSON syntax. |
payload | the payload to be wrapped by this JWS. |
pool | pool used to allocate the result from. |
apr_jose_t* apr_jose_jws_make | ( | apr_jose_t * | jose, |
apr_jose_signature_t * | signature, | ||
apr_array_header_t * | signatures, | ||
apr_jose_t * | payload, | ||
apr_pool_t * | pool | ||
) |
Make a compact encoded JWS.
jose | If jose points at NULL, a JOSE structure will be created. If the jose pointer is not NULL, the structure will be reused. |
signature | the header / protected header / signature used with compact or flattened syntax. May be NULL. |
signatures | array of header / protected header / signature used with general JSON syntax. |
payload | the payload to be wrapped by this JWS. |
pool | pool used to allocate the result from. |
apr_jose_t* apr_jose_jwt_make | ( | apr_jose_t * | jose, |
apr_json_value_t * | claims, | ||
apr_pool_t * | pool | ||
) |
Make a JWT claims payload.
To create a useful JWT, this payload needs to be wrapped in a JWS or JWE (or both), as required by the caller.
jose | If jose points at NULL, a JOSE structure will be created. If the jose pointer is not NULL, the structure will be reused. |
claims | the claims to sign. |
pool | pool used to allocate the result from. |
apr_jose_t* apr_jose_make | ( | apr_jose_t * | jose, |
apr_jose_type_e | type, | ||
apr_pool_t * | pool | ||
) |
Make a generic JOSE structure.
jose | If jose points at NULL, a JOSE structure will be created. If the jose pointer is not NULL, the structure will be reused. |
type | the type of structure to create. |
pool | pool used to allocate the result from. |
apr_jose_recipient_t* apr_jose_recipient_make | ( | apr_jose_recipient_t * | recipient, |
apr_json_value_t * | unprotected, | ||
void * | ctx, | ||
apr_pool_t * | pool | ||
) |
Make a recipient structure for JWE.
recipient | the result. |
unprotected | the unprotected header. |
ctx | user supplied context |
pool | the pool to use. |
apr_jose_signature_t* apr_jose_signature_make | ( | apr_jose_signature_t * | signature, |
apr_json_value_t * | header, | ||
apr_json_value_t * | protected, | ||
void * | ctx, | ||
apr_pool_t * | pool | ||
) |
Make a signature structure for JWS.
signature | the result. |
header | the unprotected header. |
protected | the protected header. |
ctx | user supplied context |
pool | the pool to use. |
apr_jose_t* apr_jose_text_make | ( | apr_jose_t * | jose, |
const char * | cty, | ||
const char * | in, | ||
apr_size_t | inlen, | ||
apr_pool_t * | pool | ||
) |
Make a UTF-8 text buffer for encoding from the given string and length.
jose | If jose points at NULL, a JOSE structure will be created. If the jose pointer is not NULL, the structure will be reused. |
cty | the content type. |
in | the UTF-8 encoded text string. |
inlen | length of the UTF-8 encoded text string. |
pool | pool used to allocate the result from. |