// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////

package jwt

import (
	"fmt"

	"google.golang.org/protobuf/proto"
	"github.com/google/tink/go/internal/tinkerror"
	jepb "github.com/google/tink/go/proto/jwt_ecdsa_go_proto"
	jwtmacpb "github.com/google/tink/go/proto/jwt_hmac_go_proto"
	jrsppb "github.com/google/tink/go/proto/jwt_rsa_ssa_pkcs1_go_proto"
	jrpsspb "github.com/google/tink/go/proto/jwt_rsa_ssa_pss_go_proto"
	tinkpb "github.com/google/tink/go/proto/tink_go_proto"
)

// createJWTHMACKeyTemplate builds a KeyTemplate for JWT HMAC keys. The
// template's Value is the serialized JwtHmacKeyFormat holding keySize,
// algorithm and jwtHMACKeyVersion; TypeUrl is jwtHMACTypeURL.
//
// keySize and algorithm are passed through unchecked, so nothing here stops a
// caller from pairing a short key with a long digest. The exported templates in
// this file always pass matching pairs (32/HS256, 48/HS384, 64/HS512).
// NOTE(review): presumably the key manager validates the format when a key is
// generated; confirm.
func createJWTHMACKeyTemplate(keySize uint32, algorithm jwtmacpb.JwtHmacAlgorithm, outputPrefixType tinkpb.OutputPrefixType) *tinkpb.KeyTemplate {
	encoded, marshalErr := proto.Marshal(&jwtmacpb.JwtHmacKeyFormat{
		Algorithm: algorithm,
		KeySize:   keySize,
		Version:   jwtHMACKeyVersion,
	})
	if marshalErr != nil {
		// tinkerror.Fail is defined outside this file. NOTE(review): if it
		// returned instead of aborting, the template below would carry a nil
		// Value; confirm it does not return.
		tinkerror.Fail(fmt.Sprintf("failed to marshal key format: %s", marshalErr))
	}
	template := &tinkpb.KeyTemplate{
		OutputPrefixType: outputPrefixType,
		TypeUrl:          jwtHMACTypeURL,
		Value:            encoded,
	}
	return template
}

// createJWTECDSAKeyTemplate builds a KeyTemplate for JWT ECDSA signing keys.
// The template's Value is the serialized JwtEcdsaKeyFormat holding algorithm
// and jwtECDSASignerKeyVersion; TypeUrl is jwtECDSASignerTypeURL.
func createJWTECDSAKeyTemplate(algorithm jepb.JwtEcdsaAlgorithm, outputPrefixType tinkpb.OutputPrefixType) *tinkpb.KeyTemplate {
	encoded, marshalErr := proto.Marshal(&jepb.JwtEcdsaKeyFormat{
		Algorithm: algorithm,
		Version:   jwtECDSASignerKeyVersion,
	})
	if marshalErr != nil {
		// NOTE(review): relies on tinkerror.Fail not returning; otherwise Value
		// below is nil. Confirm.
		tinkerror.Fail(fmt.Sprintf("failed to marshal key format: %s", marshalErr))
	}
	template := &tinkpb.KeyTemplate{
		OutputPrefixType: outputPrefixType,
		TypeUrl:          jwtECDSASignerTypeURL,
		Value:            encoded,
	}
	return template
}

// createJWTRSKeyTemplate builds a KeyTemplate for JWT RSA-SSA-PKCS1 signing
// keys. The template's Value is the serialized JwtRsaSsaPkcs1KeyFormat holding
// algorithm, modulusSizeInBits, jwtRSSignerKeyVersion and a fixed public
// exponent; TypeUrl is jwtRSSignerTypeURL.
//
// modulusSizeInBits is passed through unchecked; the exported templates in this
// file use 2048, 3072 and 4096.
func createJWTRSKeyTemplate(algorithm jrsppb.JwtRsaSsaPkcs1Algorithm, modulusSizeInBits uint32, outputPrefixType tinkpb.OutputPrefixType) *tinkpb.KeyTemplate {
	// 0x010001 = 65537, the exponent the exported template names call "F4".
	f4 := []byte{0x01, 0x00, 0x01}
	encoded, marshalErr := proto.Marshal(&jrsppb.JwtRsaSsaPkcs1KeyFormat{
		Algorithm:         algorithm,
		ModulusSizeInBits: modulusSizeInBits,
		PublicExponent:    f4,
		Version:           jwtRSSignerKeyVersion,
	})
	if marshalErr != nil {
		// NOTE(review): relies on tinkerror.Fail not returning; otherwise Value
		// below is nil. Confirm.
		tinkerror.Fail(fmt.Sprintf("failed to marshal key format: %s", marshalErr))
	}
	template := &tinkpb.KeyTemplate{
		OutputPrefixType: outputPrefixType,
		TypeUrl:          jwtRSSignerTypeURL,
		Value:            encoded,
	}
	return template
}

// createJWTPSKeyTemplate builds a KeyTemplate for JWT RSA-SSA-PSS signing keys.
// The template's Value is the serialized JwtRsaSsaPssKeyFormat holding
// algorithm, modulusSizeInBits, jwtPSSignerKeyVersion and a fixed public
// exponent; TypeUrl is jwtPSSignerTypeURL.
//
// modulusSizeInBits is passed through unchecked; the exported templates in this
// file use 2048, 3072 and 4096.
func createJWTPSKeyTemplate(algorithm jrpsspb.JwtRsaSsaPssAlgorithm, modulusSizeInBits uint32, outputPrefixType tinkpb.OutputPrefixType) *tinkpb.KeyTemplate {
	// 0x010001 = 65537, the exponent the exported template names call "F4".
	f4 := []byte{0x01, 0x00, 0x01}
	encoded, marshalErr := proto.Marshal(&jrpsspb.JwtRsaSsaPssKeyFormat{
		Algorithm:         algorithm,
		ModulusSizeInBits: modulusSizeInBits,
		PublicExponent:    f4,
		Version:           jwtPSSignerKeyVersion,
	})
	if marshalErr != nil {
		// NOTE(review): relies on tinkerror.Fail not returning; otherwise Value
		// below is nil. Confirm.
		tinkerror.Fail(fmt.Sprintf("failed to marshal key format: %s", marshalErr))
	}
	template := &tinkpb.KeyTemplate{
		OutputPrefixType: outputPrefixType,
		TypeUrl:          jwtPSSignerTypeURL,
		Value:            encoded,
	}
	return template
}

// HS256Template returns a JWT key template for the JWA algorithm "HS256", i.e.
// HMAC-SHA256 with a 32 byte key. The key ID header "kid" is set in the token.
// The key is symmetric: any party able to verify a token can also create one.
func HS256Template() *tinkpb.KeyTemplate {
	const keySizeInBytes = 32
	return createJWTHMACKeyTemplate(keySizeInBytes, jwtmacpb.JwtHmacAlgorithm_HS256, tinkpb.OutputPrefixType_TINK)
}

// RawHS256Template returns a JWT key template for the JWA algorithm "HS256",
// i.e. HMAC-SHA256 with a 32 byte key. No key ID header "kid" is set in the
// token, so a verifier holding several keys cannot pick one by key ID.
// The key is symmetric: any party able to verify a token can also create one.
func RawHS256Template() *tinkpb.KeyTemplate {
	const keySizeInBytes = 32
	return createJWTHMACKeyTemplate(keySizeInBytes, jwtmacpb.JwtHmacAlgorithm_HS256, tinkpb.OutputPrefixType_RAW)
}

// HS384Template returns a JWT key template for the JWA algorithm "HS384", i.e.
// HMAC-SHA384 with a 48 byte key. The key ID header "kid" is set in the token.
// The key is symmetric: any party able to verify a token can also create one.
func HS384Template() *tinkpb.KeyTemplate {
	const keySizeInBytes = 48
	return createJWTHMACKeyTemplate(keySizeInBytes, jwtmacpb.JwtHmacAlgorithm_HS384, tinkpb.OutputPrefixType_TINK)
}

// RawHS384Template returns a JWT key template for the JWA algorithm "HS384",
// i.e. HMAC-SHA384 with a 48 byte key. No key ID header "kid" is set in the
// token, so a verifier holding several keys cannot pick one by key ID.
// The key is symmetric: any party able to verify a token can also create one.
func RawHS384Template() *tinkpb.KeyTemplate {
	// 48 byte key with the RAW output prefix.
	const keySizeInBytes = 48
	return createJWTHMACKeyTemplate(keySizeInBytes, jwtmacpb.JwtHmacAlgorithm_HS384, tinkpb.OutputPrefixType_RAW)
}

// HS512Template returns a JWT key template for the JWA algorithm "HS512", i.e.
// HMAC-SHA512 with a 64 byte key. The key ID header "kid" is set in the token.
// The key is symmetric: any party able to verify a token can also create one.
func HS512Template() *tinkpb.KeyTemplate {
	const keySizeInBytes = 64
	return createJWTHMACKeyTemplate(keySizeInBytes, jwtmacpb.JwtHmacAlgorithm_HS512, tinkpb.OutputPrefixType_TINK)
}

// RawHS512Template returns a JWT key template for the JWA algorithm "HS512",
// i.e. HMAC-SHA512 with a 64 byte key. No key ID header "kid" is set in the
// token, so a verifier holding several keys cannot pick one by key ID.
// The key is symmetric: any party able to verify a token can also create one.
func RawHS512Template() *tinkpb.KeyTemplate {
	const keySizeInBytes = 64
	return createJWTHMACKeyTemplate(keySizeInBytes, jwtmacpb.JwtHmacAlgorithm_HS512, tinkpb.OutputPrefixType_RAW)
}

// ES256Template returns a JWT key template for the JWA algorithm "ES256", a
// digital signature (ECDSA) with the NIST P-256 curve. The key ID header "kid"
// is set in the token.
func ES256Template() *tinkpb.KeyTemplate {
	alg := jepb.JwtEcdsaAlgorithm_ES256
	return createJWTECDSAKeyTemplate(alg, tinkpb.OutputPrefixType_TINK)
}

// RawES256Template returns a JWT key template for the JWA algorithm "ES256", a
// digital signature (ECDSA) with the NIST P-256 curve. No key ID header "kid"
// is set in the token, so a verifier holding several keys cannot pick one by
// key ID.
func RawES256Template() *tinkpb.KeyTemplate {
	// ES256 with the RAW output prefix.
	alg := jepb.JwtEcdsaAlgorithm_ES256
	return createJWTECDSAKeyTemplate(alg, tinkpb.OutputPrefixType_RAW)
}

// ES384Template returns a JWT key template for the JWA algorithm "ES384", a
// digital signature (ECDSA) with the NIST P-384 curve. The key ID header "kid"
// is set in the token.
func ES384Template() *tinkpb.KeyTemplate {
	alg := jepb.JwtEcdsaAlgorithm_ES384
	return createJWTECDSAKeyTemplate(alg, tinkpb.OutputPrefixType_TINK)
}

// RawES384Template returns a JWT key template for the JWA algorithm "ES384", a
// digital signature (ECDSA) with the NIST P-384 curve. No key ID header "kid"
// is set in the token, so a verifier holding several keys cannot pick one by
// key ID.
func RawES384Template() *tinkpb.KeyTemplate {
	alg := jepb.JwtEcdsaAlgorithm_ES384
	return createJWTECDSAKeyTemplate(alg, tinkpb.OutputPrefixType_RAW)
}

// ES512Template returns a JWT key template for the JWA algorithm "ES512", a
// digital signature (ECDSA) with the NIST P-521 curve (521 bits, despite the
// "512" in the algorithm name). The key ID header "kid" is set in the token.
func ES512Template() *tinkpb.KeyTemplate {
	alg := jepb.JwtEcdsaAlgorithm_ES512
	return createJWTECDSAKeyTemplate(alg, tinkpb.OutputPrefixType_TINK)
}

// RawES512Template returns a JWT key template for the JWA algorithm "ES512", a
// digital signature (ECDSA) with the NIST P-521 curve (521 bits, despite the
// "512" in the algorithm name). No key ID header "kid" is set in the token, so
// a verifier holding several keys cannot pick one by key ID.
func RawES512Template() *tinkpb.KeyTemplate {
	// ES512 with the RAW output prefix.
	alg := jepb.JwtEcdsaAlgorithm_ES512
	return createJWTECDSAKeyTemplate(alg, tinkpb.OutputPrefixType_RAW)
}

// RS256_2048_F4_Key_Template returns a JWT key template for the JWA algorithm
// "RS256", a digital signature with RSA-SSA-PKCS1 and SHA256, using a 2048 bit
// modulus and the public exponent F4 (65537). The key ID header "kid" is set in
// the token.
//
// 2048 bits is the smallest modulus among the RSA templates in this file
// (roughly 112-bit security by NIST's estimate); the 3072 bit variants leave
// more margin for long-lived keys.
func RS256_2048_F4_Key_Template() *tinkpb.KeyTemplate {
	const modulusBits = 2048
	return createJWTRSKeyTemplate(jrsppb.JwtRsaSsaPkcs1Algorithm_RS256, modulusBits, tinkpb.OutputPrefixType_TINK)
}

// RawRS256_2048_F4_Key_Template returns a JWT key template for the JWA
// algorithm "RS256", a digital signature with RSA-SSA-PKCS1 and SHA256, using a
// 2048 bit modulus and the public exponent F4 (65537). No key ID header "kid"
// is set in the token, so a verifier holding several keys cannot pick one by
// key ID.
//
// 2048 bits is the smallest modulus among the RSA templates in this file
// (roughly 112-bit security by NIST's estimate); the 3072 bit variants leave
// more margin for long-lived keys.
func RawRS256_2048_F4_Key_Template() *tinkpb.KeyTemplate {
	const modulusBits = 2048
	return createJWTRSKeyTemplate(jrsppb.JwtRsaSsaPkcs1Algorithm_RS256, modulusBits, tinkpb.OutputPrefixType_RAW)
}

// RS256_3072_F4_Key_Template returns a JWT key template for the JWA algorithm
// "RS256", a digital signature with RSA-SSA-PKCS1 and SHA256, using a 3072 bit
// modulus and the public exponent F4 (65537). The key ID header "kid" is set in
// the token.
func RS256_3072_F4_Key_Template() *tinkpb.KeyTemplate {
	// RS256 with a 3072 bit modulus, TINK output prefix.
	const modulusBits = 3072
	return createJWTRSKeyTemplate(jrsppb.JwtRsaSsaPkcs1Algorithm_RS256, modulusBits, tinkpb.OutputPrefixType_TINK)
}

// RawRS256_3072_F4_Key_Template returns a JWT key template for the JWA
// algorithm "RS256", a digital signature with RSA-SSA-PKCS1 and SHA256, using a
// 3072 bit modulus and the public exponent F4 (65537). No key ID header "kid"
// is set in the token, so a verifier holding several keys cannot pick one by
// key ID.
func RawRS256_3072_F4_Key_Template() *tinkpb.KeyTemplate {
	const modulusBits = 3072
	return createJWTRSKeyTemplate(jrsppb.JwtRsaSsaPkcs1Algorithm_RS256, modulusBits, tinkpb.OutputPrefixType_RAW)
}

// RS384_3072_F4_Key_Template returns a JWT key template for the JWA algorithm
// "RS384", a digital signature with RSA-SSA-PKCS1 and SHA384, using a 3072 bit
// modulus and the public exponent F4 (65537). The key ID header "kid" is set in
// the token.
func RS384_3072_F4_Key_Template() *tinkpb.KeyTemplate {
	const modulusBits = 3072
	return createJWTRSKeyTemplate(jrsppb.JwtRsaSsaPkcs1Algorithm_RS384, modulusBits, tinkpb.OutputPrefixType_TINK)
}

// RawRS384_3072_F4_Key_Template returns a JWT key template for the JWA
// algorithm "RS384", a digital signature with RSA-SSA-PKCS1 and SHA384, using a
// 3072 bit modulus and the public exponent F4 (65537). No key ID header "kid"
// is set in the token, so a verifier holding several keys cannot pick one by
// key ID.
func RawRS384_3072_F4_Key_Template() *tinkpb.KeyTemplate {
	// RS384 with a 3072 bit modulus, RAW output prefix.
	const modulusBits = 3072
	return createJWTRSKeyTemplate(jrsppb.JwtRsaSsaPkcs1Algorithm_RS384, modulusBits, tinkpb.OutputPrefixType_RAW)
}

// RS512_4096_F4_Key_Template returns a JWT key template for the JWA algorithm
// "RS512", a digital signature with RSA-SSA-PKCS1 and SHA512, using a 4096 bit
// modulus and the public exponent F4 (65537). The key ID header "kid" is set in
// the token.
func RS512_4096_F4_Key_Template() *tinkpb.KeyTemplate {
	const modulusBits = 4096
	return createJWTRSKeyTemplate(jrsppb.JwtRsaSsaPkcs1Algorithm_RS512, modulusBits, tinkpb.OutputPrefixType_TINK)
}

// RawRS512_4096_F4_Key_Template returns a JWT key template for the JWA
// algorithm "RS512", a digital signature with RSA-SSA-PKCS1 and SHA512, using a
// 4096 bit modulus and the public exponent F4 (65537). No key ID header "kid"
// is set in the token, so a verifier holding several keys cannot pick one by
// key ID.
func RawRS512_4096_F4_Key_Template() *tinkpb.KeyTemplate {
	const modulusBits = 4096
	return createJWTRSKeyTemplate(jrsppb.JwtRsaSsaPkcs1Algorithm_RS512, modulusBits, tinkpb.OutputPrefixType_RAW)
}

// PS256_2048_F4_Key_Template returns a JWT key template for the JWA algorithm
// "PS256", a digital signature with RSA-SSA-PSS, a 2048 bit modulus, and
// SHA256, using the public exponent F4 (65537). The key ID header "kid" is set
// in the token.
//
// 2048 bits is the smallest modulus among the RSA templates in this file
// (roughly 112-bit security by NIST's estimate); the 3072 bit variants leave
// more margin for long-lived keys.
func PS256_2048_F4_Key_Template() *tinkpb.KeyTemplate {
	// PS256 with a 2048 bit modulus, TINK output prefix.
	const modulusBits = 2048
	return createJWTPSKeyTemplate(jrpsspb.JwtRsaSsaPssAlgorithm_PS256, modulusBits, tinkpb.OutputPrefixType_TINK)
}

// RawPS256_2048_F4_Key_Template returns a JWT key template for the JWA
// algorithm "PS256", a digital signature with RSA-SSA-PSS, a 2048 bit modulus,
// and SHA256, using the public exponent F4 (65537). No key ID header "kid" is
// set in the token, so a verifier holding several keys cannot pick one by key
// ID.
//
// 2048 bits is the smallest modulus among the RSA templates in this file
// (roughly 112-bit security by NIST's estimate); the 3072 bit variants leave
// more margin for long-lived keys.
func RawPS256_2048_F4_Key_Template() *tinkpb.KeyTemplate {
	const modulusBits = 2048
	return createJWTPSKeyTemplate(jrpsspb.JwtRsaSsaPssAlgorithm_PS256, modulusBits, tinkpb.OutputPrefixType_RAW)
}

// PS256_3072_F4_Key_Template returns a JWT key template for the JWA algorithm
// "PS256", a digital signature with RSA-SSA-PSS, a 3072 bit modulus, and
// SHA256, using the public exponent F4 (65537). The key ID header "kid" is set
// in the token.
func PS256_3072_F4_Key_Template() *tinkpb.KeyTemplate {
	const modulusBits = 3072
	return createJWTPSKeyTemplate(jrpsspb.JwtRsaSsaPssAlgorithm_PS256, modulusBits, tinkpb.OutputPrefixType_TINK)
}

// RawPS256_3072_F4_Key_Template returns a JWT key template for the JWA
// algorithm "PS256", a digital signature with RSA-SSA-PSS, a 3072 bit modulus,
// and SHA256, using the public exponent F4 (65537). No key ID header "kid" is
// set in the token, so a verifier holding several keys cannot pick one by key
// ID.
func RawPS256_3072_F4_Key_Template() *tinkpb.KeyTemplate {
	// PS256 with a 3072 bit modulus, RAW output prefix.
	const modulusBits = 3072
	return createJWTPSKeyTemplate(jrpsspb.JwtRsaSsaPssAlgorithm_PS256, modulusBits, tinkpb.OutputPrefixType_RAW)
}

// PS384_3072_F4_Key_Template returns a JWT key template for the JWA algorithm
// "PS384", a digital signature with RSA-SSA-PSS, a 3072 bit modulus, and
// SHA384, using the public exponent F4 (65537). The key ID header "kid" is set
// in the token.
func PS384_3072_F4_Key_Template() *tinkpb.KeyTemplate {
	const modulusBits = 3072
	return createJWTPSKeyTemplate(jrpsspb.JwtRsaSsaPssAlgorithm_PS384, modulusBits, tinkpb.OutputPrefixType_TINK)
}

// RawPS384_3072_F4_Key_Template returns a JWT key template for the JWA
// algorithm "PS384", a digital signature with RSA-SSA-PSS, a 3072 bit modulus,
// and SHA384, using the public exponent F4 (65537). No key ID header "kid" is
// set in the token, so a verifier holding several keys cannot pick one by key
// ID.
func RawPS384_3072_F4_Key_Template() *tinkpb.KeyTemplate {
	const modulusBits = 3072
	return createJWTPSKeyTemplate(jrpsspb.JwtRsaSsaPssAlgorithm_PS384, modulusBits, tinkpb.OutputPrefixType_RAW)
}

// PS512_4096_F4_Key_Template returns a JWT key template for the JWA algorithm
// "PS512", a digital signature with RSA-SSA-PSS, a 4096 bit modulus, and
// SHA512, using the public exponent F4 (65537). The key ID header "kid" is set
// in the token.
func PS512_4096_F4_Key_Template() *tinkpb.KeyTemplate {
	// PS512 with a 4096 bit modulus, TINK output prefix.
	const modulusBits = 4096
	return createJWTPSKeyTemplate(jrpsspb.JwtRsaSsaPssAlgorithm_PS512, modulusBits, tinkpb.OutputPrefixType_TINK)
}

// RawPS512_4096_F4_Key_Template returns a JWT key template for the JWA
// algorithm "PS512", a digital signature with RSA-SSA-PSS, a 4096 bit modulus,
// and SHA512, using the public exponent F4 (65537). No key ID header "kid" is
// set in the token, so a verifier holding several keys cannot pick one by key
// ID.
func RawPS512_4096_F4_Key_Template() *tinkpb.KeyTemplate {
	const modulusBits = 4096
	return createJWTPSKeyTemplate(jrpsspb.JwtRsaSsaPssAlgorithm_PS512, modulusBits, tinkpb.OutputPrefixType_RAW)
}