This library provides an AWS KMS(Key Management Service) adapter to be used with the popular GoLang JWT library golang-jwt/jwt-go.
It will Sign a JWT token using an asymmetric key stored in AWS KMS.
Verification can be done both using KMS Verify method or locally with a cached public key (default).
The minimum supported GoLang version is 1.20, since github.com/aws/aws-sdk-go-v2 v1.28.0 fails to build with anything older.
| Signature Algorithm | JWT alg |
Note |
|---|---|---|
| ECC_NIST_P256 | ES256 | |
| ECC_NIST_P384 | ES384 | |
| ECC_NIST_P521 | ES512 | |
| ECC_SECG_P256K1 | - | secp256k1 is not supported by JWT |
| RSASSA_PKCS1_V1_5_SHA_256 | RS256 | |
| RSASSA_PKCS1_V1_5_SHA_384 | RS384 | |
| RSASSA_PKCS1_V1_5_SHA_512 | RS512 | |
| RSASSA_PSS_SHA_256 | PS256 | |
| RSASSA_PSS_SHA_384 | PS384 | |
| RSASSA_PSS_SHA_512 | PS512 |
See example.go
Shouting out to:
-
for the easy to extend GoLang JWT Library
-
for taking over the project from dgrijalva
-
AWS KMS ECC returns the signature in DER-encoded object as defined by ANS X9.62–2005 as mentioned here
-
for their DER to (R,S) and (R,S) to DER methods found here
-
for reviewing my code
-
for various contributions especially around the library's unit testability