cwt library

CBOR Web Tokens (CWT) on top of COSE Sign1.

https://datatracker.ietf.org/doc/html/rfc8392

Tokens carry a set of Claims encoded as a CBOR map. Standard CWT and EAT claims have typed accessors; custom claims use integer keys via operator[].

Example

import 'dart:typed_data'; // Uint8List

import 'package:darkbio_crypto/cwt.dart' as cwt;
import 'package:darkbio_crypto/xdsa.dart' as xdsa;

void main() {
  final issuerKey = xdsa.SecretKey.generate();
  final deviceKey = xdsa.SecretKey.generate();

  // Issue a token: the claims bind the subject to the device's public key
  final claims = cwt.Claims()
    ..subject = 'device-abc'
    ..notBefore = 1000000
    ..expiration = 2000000
    ..setConfirmXdsa(deviceKey.publicKey());

  // The same domain bytes must be passed to issue() and verify()
  final domain = Uint8List.fromList('device-cert'.codeUnits);
  final token = cwt.issue(
    claims: claims,
    signer: issuerKey,
    domain: domain,
  );

  // Verify a token; `now` lies inside the notBefore/expiration window
  final verified = cwt.verify(
    token: token,
    verifier: issuerKey.publicKey(),
    domain: domain,
    now: 1500000,
  );
  print(verified.subject); // 'device-abc'
}

Classes

Claims
A CWT claims set with typed accessors for standard CWT (RFC 8392) and EAT (RFC 9711) claims.

Enums

DebugState
Debug port state per RFC 9711 Section 4.2.9.
IntendedUse
Token intended purpose per RFC 9711 Section 4.3.3.

Functions

issue({required Claims claims, required SecretKey signer, required Uint8List domain}) Uint8List
Issues a CWT by signing the claims with COSE Sign1.
peek({required Uint8List token}) Claims
Extracts claims from a CWT without verifying the signature.
signer({required Uint8List token}) Fingerprint
Extracts the signer's fingerprint from a CWT without verifying.
verify({required Uint8List token, required PublicKey verifier, required Uint8List domain, int? now}) Claims
Verifies a CWT's COSE signature and temporal validity, then returns the decoded claims.
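
The difference between peek and verify, as an added example (not code from the library's own documentation): the same token is checked against the wrong key, the wrong domain, and timestamps outside its validity window, while peek decodes the claims with no key at all. Assumptions: verify reports every failure by throwing, and the domain is bound into the signature; `accepts`, `otherKey` and `otherDomain` are names made up for this example.

```dart
import 'dart:typed_data';

import 'package:darkbio_crypto/cwt.dart' as cwt;
import 'package:darkbio_crypto/xdsa.dart' as xdsa;

// Hypothetical helper (not part of the library): runs one verify() call and
// reports whether it succeeded. Assumption: verify() throws on any failure.
bool accepts(cwt.Claims Function() check) {
  try {
    check();
    return true;
  } catch (_) {
    return false;
  }
}

void main() {
  final issuerKey = xdsa.SecretKey.generate();
  final otherKey = xdsa.SecretKey.generate(); // constructed: not the issuer
  final domain = Uint8List.fromList('device-cert'.codeUnits);
  final otherDomain = Uint8List.fromList('session-token'.codeUnits); // constructed

  final claims = cwt.Claims()
    ..subject = 'device-abc'
    ..notBefore = 1000000
    ..expiration = 2000000;
  final token = cwt.issue(claims: claims, signer: issuerKey, domain: domain);
  final issuerPub = issuerKey.publicKey();

  // Each entry changes exactly one input relative to the valid case.
  final checks = <String, cwt.Claims Function()>{
    'valid': () => cwt.verify(token: token, verifier: issuerPub, domain: domain, now: 1500000),
    'wrong key': () => cwt.verify(token: token, verifier: otherKey.publicKey(), domain: domain, now: 1500000),
    'wrong domain': () => cwt.verify(token: token, verifier: issuerPub, domain: otherDomain, now: 1500000),
    'before notBefore': () => cwt.verify(token: token, verifier: issuerPub, domain: domain, now: 999999),
    'after expiration': () => cwt.verify(token: token, verifier: issuerPub, domain: domain, now: 2000001),
  };
  checks.forEach((name, check) => print('$name: accepted=${accepts(check)}'));

  // peek() needs no key, domain or clock: whatever it returns is
  // unauthenticated and must not drive an authorization decision.
  final unverified = cwt.peek(token: token);
  print('peek subject (unauthenticated): ${unverified.subject}');
}
```

Treat the output of peek and signer as routing hints only, for example to pick which verifier key to try, and read claims for any trust decision from the value verify returns.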