ywt/verify_key
Types
Values
pub fn decoder() -> decode.Decoder(VerifyKey)
Decodes a public JWK into a verification key.
Only decode keys from trusted sources. Unknown JWK fields are ignored;
key_ops, use, certificates, and key pinning are not enforced.
This decoder accepts EC and RSA public keys, not HMAC shared-secret JWKs.
RSA JWKs may omit alg. In that case, JWT decoding uses the signed alg
header to specialize the key. Raw signature verification with that key fails
closed because there is no JWT header.
For raw JSON strings, prefer parse_jwk so duplicate member handling is
consistent on all targets.
json.parse(jwk_json, verify_key.decoder())
pub fn derived(sign_key: sign_key.SignKey) -> VerifyKey
Derives a verification key from a signing key.
For RSA and ECDSA this extracts public key material. For HMAC this returns the same shared secret, so treat the result as sensitive.
let verify_key = verify_key.derived(signing_key)
pub fn id(key: VerifyKey) -> Result(String, Nil)
Returns the key id, if one is set.
verify_key.id(key)
pub fn parse_jwk(
jwk: String,
) -> Result(VerifyKey, json.DecodeError)
Parses a public JWK into a verification key.
Duplicate JSON object members are handled consistently on all targets: the
lexically last member value is used, matching JavaScript’s JSON.parse.
verify_key.parse_jwk(jwk_json)
pub fn parse_jwks(
jwks: String,
) -> Result(List(VerifyKey), json.DecodeError)
Parses a JWKS into a list of verification keys.
Duplicate JSON object members are handled consistently on all targets: the
lexically last member value is used, matching JavaScript’s JSON.parse.
verify_key.parse_jwks(jwks_json)
pub fn set_decoder() -> decode.Decoder(List(VerifyKey))
Decodes a JWKS into a list of verification keys.
This has the same trust and validation limits as decoder. It expects a JSON
object with a keys list.
For raw JSON strings, prefer parse_jwks so duplicate member handling is
consistent on all targets.
json.parse(jwks_json, verify_key.set_decoder())
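Because decoder and set_decoder do not enforce use or key_ops, a caller that needs those checks has to apply them itself. The wrapper below is an added example, not code from ywt: the helper names are hypothetical, it assumes the gleam/json and gleam/dynamic/decode modules, and it treats an absent use or key_ops member as permitted.

```gleam
import gleam/dynamic/decode
import gleam/int
import gleam/io
import gleam/json
import gleam/list
import ywt/verify_key.{type VerifyKey}

// Constructed sample: the EC public key from RFC 7517 Appendix A.1,
// which is marked "use":"enc" (encryption, not signatures).
const sample_jwks = "{\"keys\":[{\"kty\":\"EC\",\"crv\":\"P-256\",\"use\":\"enc\",\"kid\":\"1\",\"x\":\"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4\",\"y\":\"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM\"}]}"

/// Hypothetical helper: wraps verify_key.decoder() and rejects a JWK whose
/// `use` or `key_ops` member says it is not meant for signature verification.
pub fn signature_only_decoder() -> decode.Decoder(VerifyKey) {
  // Defaults stand in for absent members, so a bare JWK still passes.
  use key_use <- decode.optional_field("use", "sig", decode.string)
  use key_ops <- decode.optional_field(
    "key_ops",
    ["verify"],
    decode.list(decode.string),
  )
  use key <- decode.then(verify_key.decoder())
  case key_use == "sig" && list.contains(key_ops, "verify") {
    True -> decode.success(key)
    False -> decode.failure(key, "JWK intended for signature verification")
  }
}

/// Hypothetical helper: decodes a JWKS object with a `keys` list. One
/// non-conforming key fails the whole set, so the caller fails closed.
pub fn signature_only_set_decoder() -> decode.Decoder(List(VerifyKey)) {
  use keys <- decode.field("keys", decode.list(signature_only_decoder()))
  decode.success(keys)
}

pub fn main() {
  case json.parse(sample_jwks, signature_only_set_decoder()) {
    Ok(keys) ->
      io.println("accepted " <> int.to_string(list.length(keys)) <> " key(s)")
    Error(_) ->
      io.println("rejected: malformed JWKS or a key not meant for signatures")
  }
}
```

Because this goes through json.parse with a decoder, the duplicate-member caveat stated for decoder and set_decoder applies here as well.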