Key Wrapping
February 5, 2025
Key Wrapping shares a symmetric key between the producer and the recipient, much like Direct Key Encryption. However, instead of using the shared key as the CEK (Content Encryption Key), it uses it as a KEK (Key Encryption Key) to wrap the actual CEK, so that only a recipient with the correct KEK can unwrap the CEK and decrypt the token.
Warning
The KEK MUST have a specific length, depending on the preset used. You can refer to JSON Web Keys for hints on how to generate a valid KEK for your algorithm.
AES KW
```go
package main

import "github.com/a-novel-kit/jwt/jwe/jwek"

func main() {
	// The CEK is generated by the producer and shared securely within the
	// token, wrapped with the KEK. The recipient does not need to know it in
	// advance, provided it has received the KEK.
	var cek []byte

	// The KEK is shared directly between the producer and the recipient.
	var kek []byte

	keyManager := jwek.NewAESKWManager(
		&jwek.AESKWManagerConfig{CEK: cek, WrapKey: kek},
		jwek.A128KW,
	)

	// Discarded here only so the snippet compiles.
	_ = keyManager
}
```
Available presets:
Preset | Target "alg" |
---|---|
jwek.A128KW | A128KW |
jwek.A192KW | A192KW |
jwek.A256KW | A256KW |
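What the recipient side of the A128KW, A192KW and A256KW algorithms does with the KEK, as an added standard-library example (not this package's code): it unwraps the RFC 3394 section 4.1 test vector and shows that a wrong KEK fails the integrity check, while a KEK of the wrong length is rejected outright. The function name `Unwrap` is hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// iv is the RFC 3394 default initial value; finding it after unwrap is the integrity check.
var iv = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Unwrap (hypothetical name) recovers the CEK from an AES Key Wrap value using the KEK.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek) // rejects KEKs that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1 // number of 64-bit CEK blocks
	if n < 2 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key must be a multiple of 8 bytes, at least 24")
	}
	buf, b := append([]byte{}, wrapped...), make([]byte, 16) // buf = A || R[1..n]
	for t := 6 * n; t >= 1; t-- {
		r := buf[8*((t-1)%n+1):][:8] // register R[i], with t = n*j + i
		binary.BigEndian.PutUint64(b, binary.BigEndian.Uint64(buf)^uint64(t))
		copy(b[8:], r)
		block.Decrypt(b, b)
		copy(buf, b[:8])
		copy(r, b[8:])
	}
	if subtle.ConstantTimeCompare(buf[:8], iv) != 1 {
		return nil, errors.New("integrity check failed: wrong KEK or altered key")
	}
	return buf[8:], nil
}

func main() {
	// RFC 3394 section 4.1 test vector: 128-bit CEK wrapped with a 128-bit KEK.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	wrapped, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
	cek, err := Unwrap(kek, wrapped)
	fmt.Printf("right KEK: %X %v\n", cek, err)
	kek[0] ^= 1 // constructed wrong KEK: one flipped bit
	_, err = Unwrap(kek, wrapped)
	fmt.Println("wrong KEK:", err)
}
```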
AES-GCM KW
```go
package main

import "github.com/a-novel-kit/jwt/jwe/jwek"

func main() {
	// The CEK is generated by the producer and shared securely within the
	// token, wrapped with the KEK. The recipient does not need to know it in
	// advance, provided it has received the KEK.
	var cek []byte

	// The KEK is shared directly between the producer and the recipient.
	var kek []byte

	keyManager := jwek.NewAESGCMKWManager(
		&jwek.AESKWManagerConfig{CEK: cek, WrapKey: kek},
		jwek.A128GCMKW,
	)

	// Discarded here only so the snippet compiles.
	_ = keyManager
}
```
Available presets:
Preset | Target "alg" |
---|---|
jwek.A128GCMKW | A128GCMKW |
jwek.A192GCMKW | A192GCMKW |
jwek.A256GCMKW | A256GCMKW |