gose - v2.0.0

gose/jose/encrypted_key

Encrypted JWK Export/Import - RFC 7516

Export and import JWKs as encrypted JSON using JWE. The plaintext JWK JSON becomes the JWE payload with cty: "jwk+json".

Example

Key-based encryption:

import gose/jose/encrypted_key
import gose/algorithm
import gose/jose/jwe
import gose/key
import kryptos/ec

// Generate a wrapping key and an EC key to protect
let wrapping_key = key.generate_enc_key(algorithm.AesGcm(algorithm.Aes256))
let k = key.generate_ec(ec.P256)

// Export with key-based encryption
let assert Ok(encrypted) = encrypted_key.encrypt_with_key(
  k,
  alg: algorithm.Direct,
  enc: algorithm.AesGcm(algorithm.Aes256),
  with: wrapping_key,
)

// Import it back
let assert Ok(decryptor) = jwe.key_decryptor(
  algorithm.Direct,
  algorithm.AesGcm(algorithm.Aes256),
  [wrapping_key],
)
let assert Ok(recovered) = encrypted_key.decrypt(decryptor, encrypted)

Password-based encryption:

import gose/jose/encrypted_key
import gose/algorithm
import gose/jose/jwe
import gose/key
import kryptos/ec

let k = key.generate_ec(ec.P256)

// Export with password protection
let assert Ok(encrypted) = encrypted_key.encrypt_with_password(
  k,
  algorithm.Pbes2Sha256Aes128Kw,
  algorithm.AesGcm(algorithm.Aes256),
  "my-secure-password",
)

// Import it back using a decryptor
let decryptor = jwe.password_decryptor(
  algorithm.Pbes2Sha256Aes128Kw,
  algorithm.AesGcm(algorithm.Aes256),
  "my-secure-password",
)
let assert Ok(recovered) = encrypted_key.decrypt(decryptor, encrypted)

Values

decrypt

</> 
pub fn decrypt(
  decryptor: jwe.Decryptor,
  encrypted: String,
) -> Result(key.Key(String), gose.GoseError)

Import a JWK from encrypted JSON using a decryptor with algorithm pinning.

Works for all algorithms. Create a decryptor with jwe.key_decryptor for key-based algorithms or jwe.password_decryptor for PBES2.

Example

let decryptor =
  jwe.password_decryptor(
    algorithm.Pbes2Sha256Aes128Kw,
    algorithm.AesGcm(algorithm.Aes256),
    "my-password",
  )
let assert Ok(key) = encrypted_key.decrypt(decryptor, encrypted_token)

encrypt_with_key

</> 
pub fn encrypt_with_key(
  key: key.Key(String),
  alg alg: algorithm.KeyEncryptionAlg,
  enc enc: algorithm.ContentAlg,
  with encryption_key: key.Key(String),
) -> Result(String, gose.GoseError)

Export a JWK as encrypted JSON using a key-based algorithm.

Supports all key-based JWE algorithms: direct symmetric (dir), AES Key Wrap, AES-GCM Key Wrap, RSA-OAEP, and ECDH-ES. PBES2 password-based algorithms return an error. Use encrypt_with_password for those.

The encryption key type must match the algorithm:

  • Direct: octet key matching the content encryption key size
  • AesKeyWrap(AesKw, _): octet key (16, 24, or 32 bytes)
  • AesKeyWrap(AesGcmKw, _): octet key (16, 24, or 32 bytes)
  • ChaCha20KeyWrap(_): octet key (32 bytes)
  • RsaEncryption(_): RSA key
  • EcdhEs(_): EC or XDH key

If the encryption key has a kid, it is included in the JWE header.

encrypt_with_password

</> 
pub fn encrypt_with_password(
  key: key.Key(String),
  alg alg: algorithm.Pbes2Alg,
  enc enc: algorithm.ContentAlg,
  password password: String,
) -> Result(String, gose.GoseError)

Export a JWK as encrypted JSON using PBES2 password-based encryption.

This is the most common method for protecting stored keys with a password. The JWK is serialized to JSON, then encrypted using the specified PBES2 algorithm and content encryption algorithm.

Search Document