Key Wrapping
Key Wrapping shares a symmetric key between the producer and the recipient, much like Direct Key Encryption. However, instead of using the shared key as the Content Encryption Key (CEK), it uses it as a Key Encryption Key (KEK) to wrap the actual CEK, so that only a recipient with the correct KEK can unwrap the CEK and decrypt the token.
WARNING
The KEK MUST have a specific length, depending on the preset used. You can refer to JSON Web Keys for hints on how to generate a valid KEK for your algorithm.
```go
package main

import "github.com/a-novel-kit/jwt/jwe/jwek"

func main() {
	// CEK is generated by the producer, and shared securely within the
	// token, using the KEK. Recipient does not need to know it in
	// advance, given it received the KEK.
	var cek []byte

	// The KEK is shared directly between the producer and the recipient.
	// Its length must match the preset passed below.
	var kek []byte

	keyManager := jwek.NewAESKWManager(
		&jwek.AESKWManagerConfig{CEK: cek, WrapKey: kek},
		jwek.A128KW,
	)

	// Placeholder so the snippet compiles; pass keyManager on to your token producer.
	_ = keyManager
}
```
Available presets:
| Preset | Target "alg" |
|---|---|
| jwek.A128KW | A128KW |
| jwek.A192KW | A192KW |
| jwek.A256KW | A256KW |
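
The recipient's side of key wrapping, as an added example using only the Go standard library (not code from a-novel-kit/jwt): it enforces the KEK length for each "alg" and unwraps the CEK with the AES Key Wrap algorithm of RFC 3394, which is what the A128KW, A192KW and A256KW algorithms designate. The names `Unwrap`, `kekSizes` and `defaultIV` are hypothetical, and the sample input is the 128-bit test vector from RFC 3394, section 4.1.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// KEK length in bytes required by each "alg" in the presets table.
var kekSizes = map[string]int{"A128KW": 16, "A192KW": 24, "A256KW": 32}
// RFC 3394 default initial value; it doubles as the integrity check on unwrap.
var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Unwrap recovers the CEK from a wrapped key (RFC 3394, section 2.2.2).
func Unwrap(alg string, kek, wrapped []byte) ([]byte, error) {
	if size, ok := kekSizes[alg]; !ok || len(kek) != size {
		return nil, fmt.Errorf("%s: invalid KEK length %d", alg, len(kek))
	}
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, fmt.Errorf("malformed wrapped key: %d bytes", len(wrapped))
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	data := append([]byte{}, wrapped...) // A | R[1..n], modified in place
	n, buf := len(data)/8-1, make([]byte, 16)
	for t := 6 * n; t >= 1; t-- { // t = n*j + i, walked backwards
		r := data[8*((t-1)%n+1):][:8] // R[i]
		binary.BigEndian.PutUint64(buf, binary.BigEndian.Uint64(data)^uint64(t))
		copy(buf[8:], r)
		block.Decrypt(buf, buf)
		copy(data[:8], buf) // A = MSB(64, B)
		copy(r, buf[8:])    // R[i] = LSB(64, B)
	}
	if subtle.ConstantTimeCompare(data[:8], defaultIV) != 1 {
		return nil, fmt.Errorf("%s: integrity check failed: wrong KEK or altered key", alg)
	}
	return data[8:], nil
}

func main() {
	// Constructed input: the 128-bit test vector from RFC 3394, section 4.1.
	kek, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	wrapped, _ := hex.DecodeString("1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5")
	cek, err := Unwrap("A128KW", kek, wrapped)
	fmt.Printf("cek=%x err=%v\n", cek, err)
}
```

The wrapped key is always 8 bytes longer than the CEK, and a KEK that differs by a single bit fails the integrity check instead of yielding a wrong CEK.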