The crate, does not support all, and probably will never support all of the features described in the various RFCs, including some algorithms and verification.
A checkmark (✔) usually indicates that the particular feature is supported in the library, although there might be caveats. Refer to the remark for the feature.
A cross (✘) usually indicates that the feature is not supported by the library. If there is no intention to ever support it, it will be noted in the remark.
A field that can be serialized or deserialized by the library, but with no particular handling will be listed as unsupported.
JWT Registered Claims is defined in Section 4 of RFC 7519.
| Registered Claim | Support | Remarks |
|---|---|---|
iss |
✔ | Validation is left to user. |
sub |
✔ | Validation is left to user. |
aud |
✔ | Validation is left to user. |
exp |
✔ | Validation provided. |
nbf |
✔ | Validation provided. |
iat |
✔ | Validation provided. |
jti |
✔ | Validation is left to user. |
Optional private claims are supported as part of the biscuit::ClaimsSet
struct. (as of v0.0.2)
JWK is defined in RFC 7517.
Both JWK and JWKSetare supported (as of v0.0.2).
JWK Thumbprint is supported (as of v0.5.0).
JWK Common Parameters are defined in RFC 7517 Section 4.
Additional key type specific parameters are defined in RFC 7518 Section 6, and additionally in RFC 8037.
JWK is currently not used in signing JWS, pending features in ring. See this
issue in ring.
| Parameter | Support | Remarks |
|---|---|---|
kty |
✔ | Used during cryptographic operations to ensure the key is of the right type. |
use |
✘ | Can be (de)serialized; but usage is not validated. |
key_ops |
✘ | Can be (de)serialized; but key operation is not validated. |
| `alg | ✘ | Can be (de)serialized; but usage with algorithm is not validated. |
kid |
✘ | Can be (de)serialized; but not processed. |
x5u |
✘ | Can be (de)serialized; but no processing is handled at the moment. |
x5c |
✘ | Can be (de)serialized; but no processing is handled at the moment. |
x5t |
✘ | Can be (de)serialized; but no processing is handled at the moment. |
x5t#S256 |
✘ | Cannot be (de)serialized. |
The list of key types can be found here.
Support in the table below simply means that they can be (de)serialized from JSON input. Support for their use with the various algorithms is listed in the relevant section on this page.
| Key Type | Support | Remarks |
|---|---|---|
EC |
✔ | |
RSA |
✔ | |
oct |
✔ | |
OKP |
✔ |
| Parameter | Support | Remarks |
|---|---|---|
crv |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
x |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
y |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
The list of key types can be found here.
Support in the table below simply means that they can be (de)serialized from JSON input. Support for their use with the various algorithms is listed in the relevant section on this page.
| Key Type | Support | Remarks |
|---|---|---|
P-256 |
✔ | |
P-384 |
✔ | |
P-521 |
✘ | No plan to support. |
| Parameter | Support | Remarks |
|---|---|---|
n |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
e |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
d |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
p |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
q |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
dp |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
dq |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
qi |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
oth |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
oth → r |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
oth → d |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
oth → t |
✘ | Can be (de)serialized; but cannot be used in signing and verification yet pending support from ring. |
| Parameter | Support | Remarks |
|---|---|---|
k |
✔ |
| Parameter | Support | Remarks |
|---|---|---|
crv |
✘ | |
x |
✘ | |
d |
✘ |
The list of key types can be found here.
Support in the table below simply means that they can be (de)serialized from JSON input. Support for their use with the various algorithms is listed in the relevant section on this page.
| Key Type | Support | Remarks |
|---|---|---|
Ed25519 |
✘ | |
Ed448 |
✘ | |
X25519 |
✘ | |
X448 |
✘ |
JWS is defined in RFC 7515.
JWS Unencoded Payload Option is not supported.
The headers are defined in RFC 7515 Section 4, and
the b64 header is defined in RFC 7797 Section 3.
A list can be found here.
| Registered Header | Support | Remarks |
|---|---|---|
alg |
✔ | Not all algorithms supported — see below. |
jku |
✘ | Can be (de)serialized, but no processing is handled at the moment. |
jwk |
✘ | Can be (de)serialized, but no processing is handled at the moment. |
kid |
✘ | Can be (de)serialized, but no processing is handled at the moment. |
x5u |
✘ | Can be (de)serialized, but no processing is handled at the moment. |
x5c |
✘ | Can be (de)serialized, but no processing is handled at the moment. |
x5t |
✘ | Can be (de)serialized, but no processing is handled at the moment. |
x5t#S256 |
✘ | Cannot be (de)serialized. |
typ |
✘ | Can be (de)serialized, but no processing is handled at the moment. |
cty |
✘ | Can be (de)serialized, but no processing is handled at the moment. |
crit |
✘ | Can be (de)serialized, but no processing is handled at the moment. |
b64 |
✘ | Cannot be (de)serialized. |
Supported as part of
biscuit::jws::Header
(as of v0.0.2)
The algorithms are described here and additionally here.
A list can be found here.
| Algorithm | Support | Remarks |
|---|---|---|
none |
✔ | |
HS256 |
✔ | |
HS384 |
✔ | |
HS512 |
✔ | |
RS256 |
✔ | |
RS384 |
✔ | |
RS512 |
✔ | |
ES256 |
✘ | Only verification of signature |
ES384 |
✘ | No plan to support. |
ES512 |
✘ | Only verification of signature |
PS256 |
✔ | |
PS384 |
✔ | |
PS512 |
✔ | |
EdDSA |
✘ |
| Format | Support | Remarks |
|---|---|---|
| Compact | ✔ | |
| General JSON | ✘ | |
| Flattened JSON | ✔ | As of v0.6.0 |
JWE is defined in RFC 7516, and supported since v0.0.2.
The headers are defined in RFC 7516 Section 4.
A list can be found here.
| Registered Header | Support | Remarks |
|---|---|---|
alg |
✔ | Not all algorithms supported — see below. |
enc |
✔ | Not all algorithms supported — see below. |
zip |
✘ | Can be (de)serialized; but no compression us supported. |
jku |
✘ | Can be (de)serialized; but no processing is handled at the moment. |
jwk |
✘ | Can be (de)serialized; but no processing is handled at the moment. |
kid |
✘ | Can be (de)serialized; but no processing is handled at the moment. |
x5u |
✘ | Can be (de)serialized; but no processing is handled at the moment. |
x5c |
✘ | Can be (de)serialized; but no processing is handled at the moment. |
x5t |
✘ | Can be (de)serialized; but no processing is handled at the moment. |
x5t#S256 |
✘ | Cannot be (de)serialized. |
typ |
✘ | Can be (de)serialized; but no processing is handled at the moment. |
cty |
✘ | Can be (de)serialized; but no processing is handled at the moment. |
crit |
✘ | Can be (de)serialized; but no processing is handled at the moment. |
iss |
✘ | Cannot be (de)serialized. |
sub |
✘ | Cannot be (de)serialized. |
aud |
✘ | Cannot be (de)serialized. |
Supported as part of
biscuit::jwe::Header
(as of v0.0.2)
This is defined in RFC 7518 Section 4.6.1.
A list can be found here.
| Parameter | Support | Remarks |
|---|---|---|
epk |
✘ | |
apu |
✘ | |
apv |
✘ |
This is defined in RFC 7518 Section 4.7.1.
A list can be found here.
| Parameter | Support | Remarks |
|---|---|---|
iv |
✔ | |
tag |
✔ |
This is defined in RFC 7518 Section 4.8.1.
A list can be found here.
| Parameter | Support | Remarks |
|---|---|---|
p2s |
✘ | |
p2c |
✘ |
The algorithms are described here and additionally here.
A list can be found here.
| Algorithm | Support | Remarks |
|---|---|---|
RSA1_5 |
✘ | |
RSA-OAEP |
✘ | |
RSA-OAEP-256 |
✘ | |
A128KW |
✘ | |
A192KW |
✘ | |
A256KW |
✘ | |
dir |
✔ | |
ECDH-ES |
✘ | |
ECDH-ES+A128KW |
✘ | |
ECDH-ES+A192KW |
✘ | |
ECDH-ES+A256KW |
✘ | |
A128GCMKW |
✔ | |
A192GCMKW |
✘ | Probably will never be supported — see comment |
A256GCMKW |
✔ | |
PBES2-HS256+A128KW |
✘ | |
PBES2-HS384+A192KW |
✘ | |
PBES2-HS512+A256KW |
✘ |
The algorithms are described here and additionally here.
A list can be found here.
| Algorithm | Support | Remarks |
|---|---|---|
A128CBC-HS256 |
✘ | |
A192CBC-HS384 |
✘ | |
A256CBC-HS512 |
✘ | |
A128GCM |
✔ | |
A192GCM |
✘ | Probably will never be supported — see comment |
A256GCM |
✔ |
| Format | Support | Remarks |
|---|---|---|
| Compact | ✔ | |
| General JSON | ✘ | |
| Flattened JSON | ✘ |