This library provides Json Web Key (JWK) APIs. JWS is defined in RFC 7517.
This library also supports OKP defined in RFC 8037.
The following examples show how to interact with (crypto) keys.
;; (crypto) keys to JWK/JWKS
(import (rnrs)
(crypto)
(rfc jwk))
(define keypair (generate-key-pair Ed25519))
(define private-key (keypair-private keypair))
(define jwk-config (jwk-config-builder (kid "my key id")))
(let ((jwks (make-jwk-set (list (key->jwk private-key jwk-config)))))
(jwk-set->json-string jwks) ;; -> {"keys":[{"kid":"my key id",...}]}
(jwk-set:find-key jwks (jwk-matcher:kid "my key id")) ;; -> #<jwk>
(jwk-set->public-jwk-set jwks)) ;; -> #<jwk-set> contains only public key
;; JWK/JWKS to (crypto) key
(import (rnrs)
(crypto)
(rfc jwk))
;; JWKS with EC private key
(define jwks-json
#(("keys"
#(("kty" . "EC")
("crv" . "P-256")
("x" . "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4")
("y" . "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM")
("d" . "870MB6gfuTJ4HtUnUvYMyJpr5eUZNP4Bk43bVdj3eAE")
("use" . "enc")
("kid" . "1")))))
(define jwks (json->jwk-set jwks-json))
(define kid-matcher (jwk-matcher:kid "1"))
(define jwk (jwk-set:find-key jwks kid-matcher))
(jwk->public-key jwk) ;; -> ECDSA public key
(jwk->private-key jwk) ;; -> ECDSA private key
JWK Set (JWKS) is an object represents a set of JWKs.
Returns #t if the given obj is a JWKS object otherwise #f.
Construct a newly allocated JWKS object whose keys are keys.
keys must be a list of JWK objects.
Retrieves a list of JWKs from the given jwk-set.
Construct JWKS from S-exp JSON representation of obj, from input port port or a string string.
If the first form of read-jwk-set is used, then it reads from
current input port.
Serialize the given jwk-set to a S-exp representaion, to port or string.
If first form of write-jwk-set is used, then it writes the
serialized JWK set to current output port.
Finds a key which matches to jwk-matcher from given jwk-set.
A JWK matcher is a procedure takes one argument, jwk, and returns the given jwk if it matches the condition otherwise returns #f.
The matchers provided by this library complies to the above so that users can compose matchers like this:
(import (rnrs)
(rfc jwk)
(sagittarius combinators))
(define kid/alg-matcher
(compose (jwk-matcher:kid "kid") (jwk-matcher:alg 'EdDSA)))
Creates a JWK matcher which checks kty, use, alg,
kid, x5t, x5t-s256 or crv field of the
target JWK is equal to obj, respectively.
Creates a JWK matcher which checks key-ops field of the
target JWK contains given obj.
Convenient JWK matchers which check kty to be RSA,
EC, oct or OKP, respectively.
JWK is an object which contains key information. The object contains the following fields:
kty: key type, symbol
use: key usage, symbol, must be either sig or enc
key-ops: key operation, a list of symbols
alg: key algorithm, symbol
kid: key ID
x5u: URL of certificate
x5c: Certificate chain, list of x509 certificate
x5t: SHA-1 certificate finger print, bytevector
x5t-s256: SHA-256 certificate finger print, bytevector
Returns #t if the given obj is a JWK object otherwise #f.
Retrieves the field value of jwk.
Construct JWK from S-exp JSON representation of obj, from input port port or a string string.
If the first form of read-jwk is used, then it reads from
current input port.
Serialize the given jwk to a S-exp representaion, to port or string.
If first form of write-jwk is used, then it writes the
serialized JWK to current output port.
The below conversion procedures raise an error if the conversion is
not possible. For example, key type oct can't be public key.
Convert given jwk to (crypto) public key and private key,
respectively.
Convert given jwk to octet key bytevector.
Convert given jwk to JWK which only contains public key information.
Returns #t if the given obj is a JWK config object otherwise #f.
JWK may contain meta data, such as kid, to provide the information,
users can use JWK config object. The object has the below fields:
use: key usage, symbol, must be either sig or enc
kid: key ID
key-ops: key operation, a list of symbols
alg: key algorithm, symbol
x5u: URL of certificate
x5c: Certificate chain, list of x509 certificate
e: RSA public key exponent
e is provided due to the historical reason of not to have public
exponent in non CRT RSA private key. By default, the value is 65537.
A builder macro of JWK config. The macro is generated by
(record builder). see (record builder)for more details.
Construct JWK config from given jwk.
Converts given key to JWK object.
If the second form is used, then the returning JWK contains the configured information.
The key must be one of public key, private key, or secret key of
(crypto).