{"id":13338687,"url":"https://github.com/beatt83/jose-swift","last_synced_at":"2026-01-12T15:02:30.381Z","repository":{"id":217951127,"uuid":"743337973","full_name":"beatt83/jose-swift","owner":"beatt83","description":"A comprehensive Swift library for JOSE standards implementation, supporting JWA, JWK, JWE, JWS and JWT with robust encryption and signing functionalities.","archived":false,"fork":false,"pushed_at":"2026-01-10T11:51:34.000Z","size":2498,"stargazers_count":35,"open_issues_count":5,"forks_count":15,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-01-11T03:42:06.763Z","etag":null,"topics":["aes","aes-encryption","ecdh-1pu","ecdh-es","ecdsa","eddsa","encryption","hmac","ios","jose","jwa","jwe","jwk","jws","jwt","macos","rsa","swift","tvos","watchos"],"latest_commit_sha":null,"homepage":"https://beatt83.github.io/jose-swift/documentation/jose_swift/","language":"Swift","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/beatt83.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["beatt83"]}},"created_at":"2024-01-15T02:18:32.000Z","updated_at":"2026-01-10T11:51:00.000Z","dependencies_parsed_at":"2024-01-25T12:08:18.160Z","dependency_job_id":"70a663d1-d7c5-4c56-bf84-f664011f3da9","html_url":"https://github.com/beatt83/jose-swift","commit_stats":{"total_commits":58,"total_committers":2,"mean_commits":29.0,"dds":0.06896551724137934,"last_synced_commit":"1ab2c1f21c56683ee6d115f
44fb8add1f3e47d8c"},"previous_names":["beatt83/jose-swift"],"tags_count":31,"template":false,"template_full_name":null,"purl":"pkg:github/beatt83/jose-swift","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beatt83%2Fjose-swift","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beatt83%2Fjose-swift/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beatt83%2Fjose-swift/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beatt83%2Fjose-swift/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/beatt83","download_url":"https://codeload.github.com/beatt83/jose-swift/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/beatt83%2Fjose-swift/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28340416,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T12:22:26.515Z","status":"ssl_error","status_checked_at":"2026-01-12T12:22:10.856Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aes","aes-encryption","ecdh-1pu","ecdh-es","ecdsa","eddsa","encryption","hmac","ios","jose","jwa","jwe","jwk","jws","jwt","macos","rsa","swift","tvos","watchos"],"created_at":"2024-07-29T19:17:08.489Z","updated_at":"2026-01-12T15:02:30.355Z","avatar_url":"https://github.com/beatt83.png","language":"Swift","funding_links":["https://github.com/sponsors/beatt83"],"categories":["库和框架"],"sub_categories":["Swift"],"readme":"![Screenshot](jose-swift-logo.png)\n# Jose Swift Library\n\n[![Swift](https://img.shields.io/badge/swift-brightgreen.svg)]() [![Swift6](https://img.shields.io/badge/swift6-brightgreen.svg)]() [![iOS](https://img.shields.io/badge/ios-brightgreen.svg)]() [![MacOS](https://img.shields.io/badge/macos-brightgreen.svg)]() [![WatchOS](https://img.shields.io/badge/watchos-brightgreen.svg)]() [![TvOS](https://img.shields.io/badge/tvos-brightgreen.svg)]() [![Linux](https://img.shields.io/badge/linux-brightgreen.svg)]()\n\nThis library provides comprehensive support for the Jose suite of standards, including JWA (JSON Web Algorithms), JWK (JSON Web Key), JWE (JSON Web Encryption), JWS (JSON Web Signature), and JWT (JSON Web Token). These standards are integral to modern security protocols on the web, offering methods for secure key management, data encryption, signing, and representation of claims among different parties.\n\n## Table of Contents\n1. [Available Features and Algorithms](#available-features-and-algorithms)\n2. [Requirements](#requirements)\n3. 
[Swift Package Manager (SPM)](#swift-package-manager-spm)\n   - [Step 1: Add the Dependency](#step-1-add-the-dependency)\n   - [Step 2: Add the Target Dependency](#step-2-add-the-target-dependency)\n   - [Step 3: Import and Use in Your Project](#step-3-import-and-use-in-your-project)\n4. [Documentation](#documentation)\n5. [Modules](#modules)\n   - [JWK (JSON Web Key)](#jwk-json-web-key)\n   - [JWS (JSON Web Signature)](#jws-json-web-signature)\n   - [JWE (JSON Web Encryption)](#jwe-json-web-encryption)\n   - [JWT (JSON Web Token)](#jwt-json-web-token)\n   - [JWA (JSON Web Algorithms)](#jwa-json-web-algorithms)\n6. [Contributing](#contributing)\n7. [References](#references)\n8. [Acknowledgments](#acknowledgments)\n9. [License](#license)\n\n## Available Features and Algorithms\n\n### JWT\n\n\u003ctable\u003e\n\u003ctr\u003e\u003cth\u003eJWT supported algorithms\u003c/th\u003e\u003cth\u003eJWT supported types\u003c/th\u003e\u003cth\u003eJWT supported claims validations\u003c/th\u003e\u003c/tr\u003e\n\u003c/td\u003e\u003ctd valign=\"top\"\u003e\n\n| Algorithms         | Supported        |\n|--------------------|------------------|\n| All JWE algorithms |:white_check_mark:|\n| All JWS algorithms |:white_check_mark:|\n\n\u003c/td\u003e\u003ctd valign=\"top\"\u003e\n\n| Types            | Supported        |\n|------------------|------------------|\n| Signed           |:white_check_mark:|\n| Encrypted        |:white_check_mark:|\n| Nested Signed    |:white_check_mark:|\n| Nested Encrypted |:white_check_mark:|\n\n\u003c/td\u003e\u003ctd valign=\"top\"\u003e\n\n| Claims            | Supported        |\n|-------------------|------------------|\n| iss               |:white_check_mark:|\n| sub               |:white_check_mark:|\n| aud               |:white_check_mark:|\n| nbf               |:white_check_mark:|\n| exp               |:white_check_mark:|\n| iat               |:white_check_mark:|\n| typ               |:white_check_mark:|\n| cty               
|:white_check_mark:|\n| x5c               |:white_check_mark:|\n| DSL Claims Builder|:white_check_mark:|\n\n\u003c/td\u003e\u003c/tr\u003e \u003c/table\u003e\n\nNote: JWT supports X.509 validation in conformance with [RFC-7797](https://datatracker.ietf.org/doc/html/rfc7797)\n\n### JWE\n\n\u003ctable\u003e\n\u003ctr\u003e\u003cth\u003eJWE Supported Types\u003c/th\u003e\u003cth\u003eJWE Supported Algorithms\u003c/th\u003e\u003cth\u003eJWE Supported Encodings\u003c/th\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd valign=\"top\"\u003e\n\n| Type           | Supported        |\n|----------------|------------------|\n| Compact String |:white_check_mark:|\n| JSON           |:white_check_mark:|\n| JSON Flattened |:white_check_mark:|\n\n\u003c/td\u003e\u003ctd valign=\"top\"\u003e\n\n| Algorithm          | Supported        |\n|--------------------|------------------|\n| RSA1_5             |:white_check_mark:|\n| RSA-OAEP           |:white_check_mark:|\n| RSA-OAEP-256       |:white_check_mark:|\n| A128KW             |:white_check_mark:|\n| A192KW             |:white_check_mark:|\n| A256KW             |:white_check_mark:|\n| DIRECT             |:white_check_mark:|\n| ECDH-ES            |:white_check_mark:|\n| ECDH-ES+A128KW     |:white_check_mark:|\n| ECDH-ES+A192KW     |:white_check_mark:|\n| ECDH-ES+A256KW     |:white_check_mark:|\n| ECDH-1PU           |:white_check_mark:|\n| ECDH-1PU+A128KW    |:white_check_mark:|\n| ECDH-1PU+A192KW    |:white_check_mark:|\n| ECDH-1PU+A256KW    |:white_check_mark:|\n| A128GCMKW          |:white_check_mark:|\n| A192GCMKW          |:white_check_mark:|\n| A256GCMKW          |:white_check_mark:|\n| PBES2-HS256+A128KW |:white_check_mark:|\n| PBES2-HS384+A192KW |:white_check_mark:|\n| PBES2-HS512+A256KW |:white_check_mark:|\n\n\u003c/td\u003e\u003ctd valign=\"top\"\u003e\n\n| Encoding Algorithm | Supported     |\n|-----------------|------------------|\n| A128CBC-HS256   |:white_check_mark:|\n| A128CBC-HS384   |:white_check_mark:|\n| A128CBC-HS512  
 |:white_check_mark:|\n| A128GCMKW       |:white_check_mark:|\n| A192GCMKW       |:white_check_mark:|\n| A256GCMKW       |:white_check_mark:|\n| C20P            |:white_check_mark:|\n| XC20P           |:white_check_mark:|\n\n\u003c/td\u003e\u003c/tr\u003e \u003c/table\u003e\n\n### JWS\n\n\u003ctable\u003e\n\u003ctr\u003e\u003cth\u003eJWS Supported Types\u003c/th\u003e\u003cth\u003eJWS Supported Algorithms\u003c/th\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd valign=\"top\"\u003e\n\n| Type                | Supported        |\n|---------------------|------------------|\n| Compact String      |:white_check_mark:|\n| JSON                |:white_check_mark:|\n| JSON Flattened      |:white_check_mark:|\n| Unencoded Payload\\* |:white_check_mark:|\n\n\u003c/td\u003e\u003ctd valign=\"top\"\u003e\n\n| Algorithm       | Supported        |\n|-----------------|------------------|\n| HS256           |:white_check_mark:|\n| HS384           |:white_check_mark:|\n| HS512           |:white_check_mark:|\n| RS256           |:white_check_mark:|\n| RS384           |:white_check_mark:|\n| RS512           |:white_check_mark:|\n| ES256           |:white_check_mark:|\n| ES256K          |:white_check_mark:|\n| ES384           |:white_check_mark:|\n| ES512           |:white_check_mark:|\n| PS256           |:white_check_mark:|\n| PS384           |:white_check_mark:|\n| PS512           |:white_check_mark:|\n| EdDSA           |:white_check_mark:|\n\n\n\u003c/td\u003e\u003c/tr\u003e \u003c/table\u003e\n\nNote: JWS Unencoded payload as referenced in the [RFC-7797](https://datatracker.ietf.org/doc/html/rfc7797)\n\n### JWK\n\n\u003ctable\u003e\n\u003ctr\u003e\u003cth\u003eJWK Supported Key Types\u003c/th\u003e\u003cth\u003eJWK Supported Functionalities\u003c/th\u003e\u003c/tr\u003e\n\u003ctr\u003e\u003ctd valign=\"top\"\u003e\n\n| Key Type | Supported        |\n|----------|------------------|\n| EC       |:white_check_mark:|\n| RSA      |:white_check_mark:|\n| OKT      |:white_check_mark:|\n| OCK   
   |:white_check_mark:|\n\n\u003c/td\u003e\u003ctd valign=\"top\"\u003e\n\n| Feature                  | Supported        |\n|--------------------------|------------------|\n| PEM decoding             |:white_check_mark:|\n| JWKSet                   |:white_check_mark:|\n| Thumbprint               |:white_check_mark:|\n| Crypto keys encoding     |:white_check_mark:|\n\n\u003c/td\u003e\u003c/tr\u003e \u003c/table\u003e\n\n## Requirements\n\n- Swift 5.8.1 or later\n- Swift 6 or later\n- iOS 15.0 or later\n- macOS 12.0 or later\n- Mac Catalyst 15.0 or later\n- tvOS 15.0 or later\n- watchOS 8.0 or later\n- Linux\n- Dependencies:\n    - [swift-crypto](https://github.com/apple/swift-crypto)\n    - [CryptoSwift](https://github.com/krzyzanowskim/CryptoSwift)\n    - [secp256k1.swift](https://github.com/GigaBitcoin/secp256k1.swift)\n    - [zlib](https://github.com/DLTAStudio/zlib)\n\n## Swift Package Manager (SPM)\n\nTo use the `jose-swift` package in your project, you need to add it as a dependency in your `Package.swift` file.\n\n### Step 1: Add the Dependency\n\nOpen your `Package.swift` file and add the `jose-swift` package to your `dependencies` array. Make sure to specify the version you want to use:\n\n```swift\ndependencies: [\n    .package(url: \"https://github.com/beatt83/jose-swift.git\", .upToNextMinor(from: \"2.4.0\")),\n    // ... other dependencies ...\n]\n```\n\n### Step 2: Add the Target Dependency\n\nIn the same Package.swift file, add jose-swift to the dependencies of your target:\n\n```swift\ntargets: [\n    .target(\n        name: \"YourTargetName\",\n        dependencies: [\n            \"jose-swift\",\n            // ... other dependencies ...\n        ]\n    ),\n    // ... 
other targets ...\n]\n```\n\n### Step 3: Import and Use in Your Project\n\nOnce you've added the package as a dependency, you can import `JSONWebEncryption`, `JSONWebSignature`, `JSONWebAlgorithms`, `JSONWebKey`, or `JSONWebToken` in your Swift files, depending on what functionality you need:\n\n```swift\nimport JSONWebEncryption\n// or\nimport JSONWebSignature\n// or\nimport JSONWebAlgorithms\n// or\nimport JSONWebKey\n// or\nimport JSONWebToken\n```\n\n## Documentation\n\nThe documentation is available [here](https://beatt83.github.io/jose-swift/documentation/jose_swift/).\n\n### Getting Started\n\nFor a quick guide on how to use the library, please visit the [Getting Started](https://beatt83.github.io/jose-swift/documentation/jose-swift/gettingstarted) tutorial.\n\nFor more examples of how to use this library, check the unit tests; they are extensive and should provide more information.\n\n## Modules\n\n### JWK (JSON Web Key)\nJWK is a standard way to represent cryptographic keys in a JSON format, as defined in [RFC 7517](https://datatracker.ietf.org/doc/html/rfc7517). This module provides functionalities for generating, parsing, and managing JWKs, which are essential for encryption, decryption, and signing processes.\n\nPlease check our documentation for more on [JWS Signatures](https://beatt83.github.io/jose-swift/documentation/jose-swift/jwssignatures).\n\nJWK now also supports initialization from PEM-encoded key strings. 
This allows you to directly create a JWK from a PEM string containing either public or private keys in various formats including:\n- PKCS#8 formatted private keys,\n- SEC1 EC private keys (\"EC PRIVATE KEY\"),\n- PKCS#1 RSA private keys (\"RSA PRIVATE KEY\"),\n- SubjectPublicKeyInfo formatted public keys.\n\n```swift\nlet keyJWK = JWK(keyType: .rsa, algorithm: \"A256GCM\", keyID: rsaKeyId, e: rsaKeyExponent, n: rsaKeyModulus)\n// ---------------------\nlet key = secp256k1.Signing.PrivateKey()\nlet keyJWK = key.jwkRepresentation\n// ---------------------\nlet key = Curve25519.KeyAgreement.PrivateKey()\nlet publicKeyJWK = key.jwkRepresentation.publicKey\n```\n\n### JWS (JSON Web Signature)\nJWS is a standard for digitally signing arbitrary content, as detailed in [RFC 7515](https://datatracker.ietf.org/doc/html/rfc7515). This module supports creating and verifying digital signatures, ensuring the integrity and authenticity of signed data.\n\n#### Supported Algorithms:\n- RS256 (RSA Signature with SHA-256)\n- RS384 (RSA Signature with SHA-384)\n- RS512 (RSA Signature with SHA-512)\n- HS256 (HMAC with SHA-256)\n- HS384 (HMAC with SHA-384)\n- HS512 (HMAC with SHA-512)\n- ES256 (ECDSA using P-256 and SHA-256)\n- ES384 (ECDSA using P-384 and SHA-384)\n- ES512 (ECDSA using P-521 and SHA-512)\n- ES256K (ECDSA using secp256k1 and SHA-256)\n- PS256 (RSA PSS with SHA-256)\n- PS384 (RSA PSS with SHA-384)\n- PS512 (RSA PSS with SHA-512)\n- EdDSA (EdDSA using Ed25519) - [RFC 8037](https://datatracker.ietf.org/doc/html/rfc8037)\n\n### Bouncy castle secp256k1 failsafe\n\nThere is a difference between the signatures given by Bouncy castle a prominent cryptographic Java library and used with Nimbus JWT and bitcoin secp256k1. 
The signatures are in DER format and, for some reason, R and S are reversed.\n\nTo produce signatures that Bouncy Castle can verify, set the flag `ES256KSigner.outputFormat = .der`; it will output the signatures in DER format.\n\nWith this in mind, this library can also verify Nimbus/Bouncy Castle signatures; enable this by setting the flag `ES256KVerifier.bouncyCastleFailSafe = true`. This process requires manipulation of the internal signature and reverses the R and S bytes. Use it at your own risk, since it can introduce a security flaw.\n\nExample:\n\n```swift\nlet payload = \"Hello world\".data(using: .utf8)!\nlet key = secp256k1.Signing.PrivateKey()\n\nlet jws = try JWS(payload: payload, key: key)\n\nlet jwsString = jws.compactSerialization\n\ntry JWS(jwsString: jwsString).verify(key: key)\n```\n\nIf you want to add additional headers beyond the default to the JWS:\n\n```swift\nlet rsaKeyId = \"Hello-keyId\"\nvar header = DefaultJWSHeaderImpl()\nheader.keyID = rsaKeyId\nheader.algorithm = .rsa512\n\nlet keyJWK = JWK(keyType: .rsa, algorithm: \"RSA512\", keyID: rsaKeyId, e: rsaKeyExponent, n: rsaKeyModulus)\nlet jws = try JWS(payload: payload, protectedHeader: header, key: keyJWK)\n```\n\n### JWS with Unencoded payload (Compact string only)\n\nJWS also supports unencoded payloads, which is useful in scenarios where the payload is already in a compact, URL-safe form (such as in the case of small JSON objects or base64url-encoded strings). 
This can help reduce the overall size of the JWS and improve performance by avoiding redundant encoding steps.\n\nTo create a JWS with an unencoded payload, you need to set the `b64` header parameter to `false` and ensure the payload is in a compatible format.\n\nExample:\n\n```swift\nlet payload = \"Hello world\".data(using: .utf8)!\nlet key = secp256k1.Signing.PrivateKey()\n\nlet jws = try JWS(payload: payload, key: key, options: [.unencodedPayload])\n\nlet jwsString = jws.compactSerialization\n\ntry JWS.verify(jwsString: jwsString, payload: payload, key: key)\n```\n\n\n### JWE (JSON Web Encryption)\nJWE represents encrypted content using JSON-based data structures, following the guidelines of [RFC 7516](https://datatracker.ietf.org/doc/html/rfc7516). This module includes functionalities for encrypting and decrypting data, managing encryption keys, and handling various encryption algorithms and methods.\n\nPlease check our documentation for more on [JWE Encryption](https://beatt83.github.io/jose-swift/documentation/jose-swift/jweencryption).\n\n#### Supported Algorithms:\n\n1. 
**Key Management Algorithms**:\n    - RSA1_5 (RSAES-PKCS1-v1_5)\n    - RSA-OAEP (RSAES OAEP using default parameters)\n    - RSA-OAEP-256 (RSAES OAEP using SHA-256 and MGF1 with SHA-256)\n    - A128KW (AES Key Wrap with default 128-bit key)\n    - A192KW (AES Key Wrap with 192-bit key)\n    - A256KW (AES Key Wrap with 256-bit key)\n    - dir (Direct use of a shared symmetric key)\n    - ECDH-ES (Elliptic Curve Diffie-Hellman Ephemeral Static key agreement)\n    - ECDH-ES+A128KW (ECDH-ES using Concat KDF and A128KW wrapping)\n    - ECDH-ES+A192KW (ECDH-ES using Concat KDF and A192KW wrapping)\n    - ECDH-ES+A256KW (ECDH-ES using Concat KDF and A256KW wrapping)\n    - ECDH-1PU (Elliptic Curve Diffie-Hellman One-Pass Unified Model)\n    - ECDH-1PU+A128KW (ECDH-1PU using Concat KDF and A128KW wrapping)\n    - ECDH-1PU+A192KW (ECDH-1PU using Concat KDF and A192KW wrapping)\n    - ECDH-1PU+A256KW (ECDH-1PU using Concat KDF and A256KW wrapping)\n    - A128GCMKW (Key wrapping with AES GCM using 128-bit key)\n    - A192GCMKW (Key wrapping with AES GCM using 192-bit key)\n    - A256GCMKW (Key wrapping with AES GCM using 256-bit key)\n    - PBES2-HS256+A128KW (PBES2 with HMAC SHA-256 and \"A128KW\" wrapping)\n    - PBES2-HS384+A192KW (PBES2 with HMAC SHA-384 and \"A192KW\" wrapping)\n    - PBES2-HS512+A256KW (PBES2 with HMAC SHA-512 and \"A256KW\" wrapping)\n    - Note: ECDH-1PU is specified in [draft-ietf-jose-cfrg-curves-10](https://datatracker.ietf.org/doc/draft-ietf-jose-cfrg-curves/10/)\n\n2. 
**Content Encryption Algorithms**:\n    - A128CBC-HS256 (AES CBC using 128-bit key with HMAC SHA-256)\n    - A192CBC-HS384 (AES CBC using 192-bit key with HMAC SHA-384)\n    - A256CBC-HS512 (AES CBC using 256-bit key with HMAC SHA-512)\n    - A128GCM (AES GCM using 128-bit key)\n    - A192GCM (AES GCM using 192-bit key)\n    - A256GCM (AES GCM using 256-bit key)\n    - C20P (ChaCha20-Poly1305)\n    - XC20P (XChaCha20-Poly1305)\n    - Note: ChaCha20-Poly1305 and XChaCha20-Poly1305 are specified in [draft-amringer-jose-chacha-02](https://datatracker.ietf.org/doc/html/draft-amringer-jose-chacha-02)\n    \n3. **Compression Algorithms**:\n    - DEFLATE (zip)\n\nExample 1:\n\n```swift\nlet payload = \"Hello world\".data(using: .utf8)!\nlet keyJWK = JWK(keyType: .rsa, algorithm: \"A256GCM\", keyID: rsaKeyId, e: rsaKeyExponent, n: rsaKeyModulus)\n\n\nlet serialization = try JWE(\n    payload: payload,\n    keyManagementAlg: .a256KW,\n    encryptionAlgorithm: .a256GCM,\n    compressionAlgorithm: .deflate,\n    recipientKey: keyJWK\n)\n\nlet compact = serialization.compactSerialization\n\nlet jwe = try JWE(compactString: compact)\nlet decrypted = try jwe.decrypt(recipientKey: recipientKey)\n```\n\nExample 2:\n\n```swift\nlet payload = \"Hello world\".data(using: .utf8)!\nlet key = P256.Signing.PrivateKey()\n\n\nlet serialization = try JWE(\n    payload: payload,\n    keyManagementAlg: .a256KW,\n    encryptionAlgorithm: .a256GCM,\n    compressionAlgorithm: .deflate,\n    recipientKey: key\n)\n\nlet compact = serialization.compactSerialization()\n\nlet jwe = try JWE(compactString: compact)\nlet decrypted = try jwe.decrypt(recipientKey: recipientJWK)\n```\n\nIf you want to add additional headers beyond the default to the JWE:\n\n```swift\nlet rsaKeyId = \"Hello-keyId\"\nvar header = DefaultJWEHeaderImpl()\nheader.keyID = rsaKeyId\nheader.keyManagementAlgorithm = .rsaOAEP256\nheader.encodingAlgorithm = .a256GCM\nlet keyJWK = JWK(keyType: .rsa, algorithm: \"A256GCM\", keyID: 
rsaKeyId, e: rsaKeyExponent, n: rsaKeyModulus)\nlet jwe = try JWE(payload: wrappedPayload, protectedHeader: header, recipientKey: jwk)\n```\n\n\n### JWT (JSON Web Token)\nJWT is a compact, URL-safe means of representing claims to be transferred between two parties. This module offers tools for creating, parsing, validating, and manipulating JWTs, with support for various signing and encryption methods, as specified in [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519).\n\nPlease check our documentation for more on [JWT tokens](https://beatt83.github.io/jose-swift/documentation/jose-swift/jwtconcepts).\n\n#### Features:\n\n1. **Signed JWTs**:\n    - Supports digital signatures to verify the authenticity and integrity of the token.\n    - Utilizes JWS (JSON Web Signature) standards.\n    - Supports all JWS algorithms previously mentioned.\n\n2. **Encrypted JWTs**:\n    - Facilitates encryption of token content for confidentiality.\n    - Uses JWE (JSON Web Encryption) for robust encryption standards.\n    - Supports all JWE algorithms previously mentioned.\n\n3. **Nested JWT (JWS + JWE)**:\n    - Implements Nested JWTs where a JWT is signed and then encrypted, providing both the benefits of JWS and JWE.\n    - Ensures that a token is first authenticated (JWS) and then secured for privacy (JWE).\n    \n4. **Domain-specific language (DSL) for Claim Creation**:\n    - Allows for a more declarative approach to creating claims using a domain-specific language (DSL).\n    - Facilitates the creation of both standard and custom claims in a readable and structured manner.\n\n5. **Claim Validation**:\n    - Offers extensive capabilities to validate JWT claims.\n    - Includes standard claims like issuer (`iss`), subject (`sub`), audience (`aud`), expiration (`exp`), not before (`nbf`), and issued at (`iat`).\n    - Custom claim validation to meet specific security requirements.\n    \n6. 
**X5C Validation**:\n    - Adds support for validating the `x5c` (X.509 Certificate Chain) header as specified in [RFC 7515 Section 4.1.6](https://www.rfc-editor.org/rfc/rfc7515#section-4.1.6).\n    - Verifies that the JWT’s certificate chain is valid against a provided trusted certificate store using the validator `X5CValidator`.\n    - Supports P256, P384, P521, secp256k1, Ed25519 and RSA.\n    - Throws detailed errors when the certificate chain is missing or fails validation.\n\nExample:\n\n- Signed JWT\n\n```swift\nlet key = P256.Signing.PrivateKey()\nlet mockClaims = DefaultJWTClaims(\n    iss: \"testAlice\",\n    sub: \"Alice\",\n    exp: expiredAt\n)\n\nlet jwt = try JWT.signed(\n    payload: mockClaims,\n    protectedHeader: DefaultJWSHeaderImpl(algorithm: .ES256),\n    key: key\n)\n\nlet jwtString = jwt.jwtString\n\nlet verifiedJWT = try JWT\u003cDefaultJWTClaims\u003e.verify(jwtString: jwtString, senderKey: key)\nlet verifiedPayload = verifiedJWT.payload\n```\n\n- Encrypted JWT\n\n```swift\nlet key = Curve25519.KeyAgreement.PrivateKey()\nlet mockClaims = DefaultJWTClaims(\n    iss: \"testAlice\",\n    sub: \"Alice\",\n    exp: expiredAt\n)\n\nlet jwt = try JWT.encrypt(\n    payload: mockClaims,\n    protectedHeader: DefaultJWEHeaderImpl(keyManagementAlgorithm: .a128KW, encodingAlgorithm: .a128CBCHS256),\n    recipientKey: key\n)\n\nlet jwtString = jwt.jwtString\n\nlet verifiedJWT = try JWT\u003cDefaultJWTClaims\u003e.verify(jwtString: jwtString, recipientKey: key)\nlet verifiedPayload = verifiedJWT.payload\n```\n\n- DSL for Creating Claims\n    - Standard Claims on signing a JWT\n    \n    ```swift\n    let key = P256.Signing.PrivateKey()\n\n    let jwt = try JWT.signed(\n        payload: {\n            IssuerClaim(value: \"testIssuer\")\n            SubjectClaim(value: \"testSubject\")\n            ExpirationTimeClaim(value: Date())\n            IssuedAtClaim(value: Date())\n            NotBeforeClaim(value: Date())\n            JWTIdentifierClaim(value: 
\"ThisIdentifier\")\n            AudienceClaim(value: \"testAud\")\n        },\n        protectedHeader: DefaultJWSHeaderImpl(algorithm: .ES256),\n        key: key\n    ).jwtString\n    ```\n    \n    - Custom Claims\n    \n    ```swift\n    let jsonClaimsObject = JWTClaimsBuilder.build {\n        StringClaim(key: \"testStr1\", value: \"value1\")\n        NumberClaim(key: \"testN1\", value: 0)\n        NumberClaim(key: \"testN2\", value: 1.1)\n        NumberClaim(key: \"testN3\", value: Double(1.233232))\n        BoolClaim(key: \"testBool1\", value: true)\n        ArrayClaim(key: \"testArray\") {\n            ArrayElementClaim.string(\"valueArray1\")\n            ArrayElementClaim.string(\"valueArray2\")\n            ArrayElementClaim.bool(true)\n            ArrayElementClaim.array {\n                ArrayElementClaim.string(\"nestedNestedArray1\")\n            }\n            ArrayElementClaim.object {\n                StringClaim(key: \"nestedNestedObject\", value: \"nestedNestedValue\")\n            }\n        }\n        ObjectClaim(key: \"testObject\") {\n            StringClaim(key: \"testDicStr1\", value: \"valueDic1\")\n        }\n    }\n    \n    // Output\n    // {\n    //    \"testBool1\":true,\n    //    \"testArray\":[\n    //         \"valueArray1\",\n    //          \"valueArray2\",\n    //          true,\n    //          [\"nestedNestedArray1\"],\n    //          {\n    //              \"nestedNestedObject\":\"nestedNestedValue\"\n    //          }\n    //      ],\n    //      \"testObject\":{\n    //          \"testDicStr1\":\"valueDic1\"\n    //      },\n    //      \"testN1\":0,\n    //      \"testStr1\":\"value1\",\n    //      \"testN3\":1.233232,\n    //      \"testN2\":1.1\n    // }\n    ```\n\n### JWA (JSON Web Algorithms)\nJWA specifies cryptographic algorithms used in the context of Jose to perform digital signing and content encryption, as detailed in [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518). 
It includes standards for various types of algorithms like RSA, AES, HMAC, and more.\n\n\n## Contributing\nContributions to the library are welcome. Please ensure that your contributions adhere to the Jose standards and add value to the existing functionalities.\n\n## References\n- [JSON Web Signature (JWS) - RFC 7515](https://datatracker.ietf.org/doc/html/rfc7515)\n- [JSON Web Encryption (JWE) - RFC 7516](https://datatracker.ietf.org/doc/html/rfc7516)\n- [JSON Web Key (JWK) - RFC 7517](https://datatracker.ietf.org/doc/html/rfc7517)\n- [JSON Web Algorithms (JWA) - RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518)\n- [JSON Web Token (JWT) - RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519)\n\n## Acknowledgments\n\nSpecial thanks to the [`swift-jose`](https://github.com/proxyco/swift-jose) repository by [Zsombor Szabo](https://github.com/zssz) for serving as an inspiration for this project. I have adopted parts of the `JWK` implementation and several test vectors from their work, which have been instrumental in shaping aspects of this library. Their contributions to the open-source community are sincerely appreciated.\n\n## License\nThis project is licensed under the Apache License 2.0. See the LICENSE file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbeatt83%2Fjose-swift","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbeatt83%2Fjose-swift","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbeatt83%2Fjose-swift/lists"}