Key Wrapping

Key Wrapping relies on a shared symmetric key, much like Direct Key Encryption. However, instead of using the shared key as the Content Encryption Key (CEK), it uses it as a Key Encryption Key (KEK) to wrap the actual CEK, so that only a recipient holding the correct KEK can unwrap the CEK and decrypt the token.

WARNING

The KEK MUST have a specific length, depending on the preset used. You can refer to JSON Web Keys for hints on how to generate a valid KEK for your algorithm.

```go
package main

import "github.com/a-novel-kit/jwt/jwe/jwek"

func main() {
	// The CEK is generated by the producer and shared securely within the
	// token, wrapped with the KEK. The recipient does not need to know it
	// in advance, as long as it holds the KEK.
	var cek []byte
	// The KEK is shared directly between the producer and the recipient.
	var kek []byte

	keyManager := jwek.NewAESKWManager(
		&jwek.AESKWManagerConfig{CEK: cek, WrapKey: kek},
		jwek.A128KW,
	)

	// Silence the "declared and not used" compile error in this excerpt.
	_ = keyManager
}
```

Available presets:

| Preset | Target "alg" |
| --- | --- |
| jwek.A128KW | A128KW |
| jwek.A192KW | A192KW |
| jwek.A256KW | A256KW |
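
The recipient side of the `A128KW`/`A192KW`/`A256KW` algorithms, which JWA defines as AES Key Wrap (RFC 3394), written here as an added example with the Go standard library only. It is not code from this package; `unwrapCEK` and `ErrIntegrity` are hypothetical names, and the input is the RFC 3394 section 4.1 test vector. It shows why a wrong KEK, or a KEK of the wrong length, never yields a CEK.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const defaultIV uint64 = 0xA6A6A6A6A6A6A6A6 // RFC 3394 initial value, checked after unwrap

// ErrIntegrity is returned when the KEK is wrong or the wrapped key was altered.
var ErrIntegrity = errors.New("aes key unwrap: integrity check failed")

// unwrapCEK reverses AES Key Wrap (RFC 3394) and returns the CEK (hypothetical helper).
func unwrapCEK(kek, wrapped []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek) // rejects KEKs that are not 16, 24 or 32 bytes
	if err != nil || len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, fmt.Errorf("aes key unwrap: bad KEK (%d bytes) or wrapped key (%d bytes)", len(kek), len(wrapped))
	}
	a := binary.BigEndian.Uint64(wrapped)   // register A
	cek := append([]byte{}, wrapped[8:]...) // registers R[1..n], unwrapped in place
	n, buf := len(cek)/8, make([]byte, 16)
	for t := 6 * n; t >= 1; t-- { // the 6n wrap rounds, in reverse order
		r := cek[8*((t-1)%n):][:8]
		binary.BigEndian.PutUint64(buf, a^uint64(t))
		copy(buf[8:], r)
		block.Decrypt(buf, buf)
		a = binary.BigEndian.Uint64(buf)
		copy(r, buf[8:])
	}
	if a != defaultIV {
		return nil, ErrIntegrity
	}
	return cek, nil
}

func main() {
	// Sample input: the RFC 3394 section 4.1 test vector (128-bit KEK, 128-bit key data).
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	wrapped, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
	cek, err := unwrapCEK(kek, wrapped)
	fmt.Printf("correct KEK: CEK=%X err=%v\n", cek, err)
	_, err = unwrapCEK(append([]byte{1}, kek[1:]...), wrapped) // KEK differs in one byte
	fmt.Println("wrong KEK:", err)
}
```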