security

package
v0.39.0

Published: Mar 31, 2026 License: MIT Imports: 23 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func Decrypt

func Decrypt(cipherText string, key string) ([]byte, error)

Decrypt decrypts encrypted text with key (must be a valid 32-character AES key).

This method uses AES-256-GCM block cipher mode.

func Encrypt

func Encrypt(data []byte, key string) (string, error)

Encrypt encrypts "data" with the specified "key" (must be a valid 32-character AES key).

This method uses AES-256-GCM block cipher mode.

func Equal

func Equal(hash1 string, hash2 string) bool

Equal compares two hash strings for equality without leaking timing information.

func HS256

func HS256(text string, secret string) string

HS256 creates an HMAC hash with the sha256 digest algorithm.

func HS512

func HS512(text string, secret string) string

HS512 creates an HMAC hash with the sha512 digest algorithm.

func MD5

func MD5(text string) string

MD5 creates an md5 hash from the provided plain text.

func NewJWT

func NewJWT(payload jwt.MapClaims, signingKey string, duration time.Duration) (string, error)

NewJWT generates and returns a new HS256-signed JWT.

func ParseJWT

func ParseJWT(token string, verificationKey string) (jwt.MapClaims, error)

ParseJWT verifies and parses a JWT and returns its claims.

func ParseJWTWithJWKS added in v0.29.7

func ParseJWTWithJWKS(ctx context.Context, token string, jwksURL string, jwksCache *JWKSCache) (jwt.MapClaims, error)

ParseJWTWithJWKS validates a JWT against a JWKS endpoint and returns the verified claims. Supports RS256, RS384, RS512.

The jwksCache parameter is optional; pass nil to skip caching (not recommended).

func ParseUnverifiedJWT

func ParseUnverifiedJWT(token string) (jwt.MapClaims, error)

ParseUnverifiedJWT parses a JWT and returns its claims but DOES NOT verify the signature.

It verifies only the exp, iat and nbf claims.

func PseudorandomString

func PseudorandomString(length int) string

PseudorandomString generates a pseudorandom string with the specified length.

The generated string matches [A-Za-z0-9]+ and passes through URL-encoding unchanged.

For a cryptographically random string (but a little bit slower) use RandomString instead.

func PseudorandomStringWithAlphabet

func PseudorandomStringWithAlphabet(length int, alphabet string) string

PseudorandomStringWithAlphabet generates a pseudorandom string with the specified length and character set.

For a cryptographically random string (but a little bit slower) use RandomStringWithAlphabet instead.

func RandomString

func RandomString(length int) string

RandomString generates a cryptographically random string with the specified length.

The generated string matches [A-Za-z0-9]+ and passes through URL-encoding unchanged.

func RandomStringByRegex

func RandomStringByRegex(pattern string, optFlags ...syntax.Flags) (string, error)

RandomStringByRegex generates a random string matching the regex pattern. If optFlags is not set, it falls back to syntax.Perl.

NB! Although the randomness comes from crypto/rand, this method is not recommended on its own in security-critical contexts, because the generated length can vary too much depending on the pattern used and may not be as secure as simply calling security.RandomString. If you still insist on using it for such purposes, at least ensure a large enough minimum length for the generated string, e.g. `[a-z0-9]{30}`.

This function is inspired by github.com/pipe01/revregexp, github.com/lucasjones/reggen and other similar packages.

func RandomStringWithAlphabet

func RandomStringWithAlphabet(length int, alphabet string) string

RandomStringWithAlphabet generates a cryptographically random string with the specified length and character set.

It panics if for some reason rand.Int returns a non-nil error.

func S256Challenge

func S256Challenge(code string) string

S256Challenge creates a base64-encoded sha256 challenge string derived from code. The padding of the resulting base64 string is stripped per RFC 7636.

func SHA256

func SHA256(text string) string

SHA256 creates a sha256 hash, as defined in FIPS 180-4, from the provided text.

func SHA512

func SHA512(text string) string

SHA512 creates a sha512 hash, as defined in FIPS 180-4, from the provided text.

Types

type JWK added in v0.29.7

type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	E   string `json:"e"`
	N   string `json:"n"`
}

JWK represents a JSON Web Key (RSA only, which covers RS256/RS384/RS512).

func (*JWK) PublicKey added in v0.29.7

func (k *JWK) PublicKey() (*rsa.PublicKey, error)

PublicKey reconstructs the RSA public key from the JWK.
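As an added example, not the package's own source, here is how the reconstruction that PublicKey performs can be done from the JWK fields: the JWK type mirrors the struct above, while publicKeyFromJWK and the sample key are constructed for illustration (the modulus is a toy 32-bit value so the decoding can be checked by hand).

```go
package main

import (
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// JWK mirrors the RSA-only key shape documented above.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	E   string `json:"e"`
	N   string `json:"n"`
}

// publicKeyFromJWK rebuilds an *rsa.PublicKey from the unpadded base64url,
// big-endian "n" and "e" members (RFC 7518, section 6.3.1).
func publicKeyFromJWK(k JWK) (*rsa.PublicKey, error) {
	if k.Kty != "RSA" {
		return nil, fmt.Errorf("unsupported kty %q", k.Kty)
	}
	nBytes, errN := base64.RawURLEncoding.DecodeString(k.N)
	eBytes, errE := base64.RawURLEncoding.DecodeString(k.E)
	// Reject empty members and exponents wider than 4 bytes so the int conversion below cannot overflow.
	if errN != nil || errE != nil || len(nBytes) == 0 || len(eBytes) == 0 || len(eBytes) > 4 {
		return nil, fmt.Errorf("malformed n or e in JWK %q", k.Kid)
	}
	e := int(new(big.Int).SetBytes(eBytes).Int64())
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nBytes), E: e}, nil
}

// sampleJWK is constructed: e = 65537 ("AQAB") and a toy 32-bit modulus 0xC0FFEE01 ("wP_uAQ").
const sampleJWK = `{"kty":"RSA","kid":"k1","use":"sig","alg":"RS256","e":"AQAB","n":"wP_uAQ"}`

func main() {
	var k JWK
	if err := json.Unmarshal([]byte(sampleJWK), &k); err != nil {
		panic(err)
	}
	pub, err := publicKeyFromJWK(k)
	if err != nil {
		panic(err)
	}
	fmt.Printf("E=%d N=%d\n", pub.E, pub.N) // E=65537 N=3237998081
}
```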

type JWKSCache added in v0.29.7

type JWKSCache struct {
	// contains filtered or unexported fields
}

JWKSCache caches fetched JWKS keys with a configurable TTL.

func NewJWKSCache added in v0.29.7

func NewJWKSCache(ttl time.Duration) *JWKSCache

NewJWKSCache creates a new JWKS cache with the given TTL.

func (*JWKSCache) FetchKey added in v0.29.7

func (c *JWKSCache) FetchKey(ctx context.Context, jwksURL, kid string) (*JWK, error)

FetchKey retrieves a JWK by kid from the JWKS endpoint, using the cache.
