Minor vanities.

check.go

@@ -30,7 +30,7 @@ func ParseWithoutCheck(token []byte) (*Claims, error) {
 
 // ECDSACheck parses a JWT if, and only if, the signature checks out.
 // The return is an AlgError when the algorithm is not in ECDSAAlgs.
-// See Valid to complete the verification.
+// Use Valid to complete the verification.
 func ECDSACheck(token []byte, key *ecdsa.PublicKey) (*Claims, error) {
 	var c Claims
 	firstDot, lastDot, sig, alg, err := c.scan(token)
@@ -55,7 +55,7 @@ func ECDSACheck(token []byte, key *ecdsa.PublicKey) (*Claims, error) {
 }
 
 // EdDSACheck parses a JWT if, and only if, the signature checks out.
-// See Valid to complete the verification.
+// Use Valid to complete the verification.
 func EdDSACheck(token []byte, key ed25519.PublicKey) (*Claims, error) {
 	var c Claims
 	firstDot, lastDot, sig, alg, err := c.scan(token)
@@ -76,7 +76,7 @@ func EdDSACheck(token []byte, key ed25519.PublicKey) (*Claims, error) {
 
 // HMACCheck parses a JWT if, and only if, the signature checks out.
 // The return is an AlgError when the algorithm is not in HMACAlgs.
-// See Valid to complete the verification.
+// Use Valid to complete the verification.
 func HMACCheck(token, secret []byte) (*Claims, error) {
 	if len(secret) == 0 {
 		return nil, errNoSecret
@@ -104,7 +104,7 @@ func HMACCheck(token, secret []byte) (*Claims, error) {
 
 // RSACheck parses a JWT if, and only if, the signature checks out.
 // The return is an AlgError when the algorithm is not in RSAAlgs.
-// See Valid to complete the verification.
+// Use Valid to complete the verification.
 func RSACheck(token []byte, key *rsa.PublicKey) (*Claims, error) {
 	var c Claims
 	firstDot, lastDot, sig, alg, err := c.scan(token)

examples_test.go

@@ -47,7 +47,7 @@ func init() {
 }
 
 // Issue and validate a token with extra JOSE heading and non-standard claims.
-// Note how the token is flawed due to absense of a purpose classification. The
+// Note how the token is flawed due to absence of a purpose classification. The
 // bare minimum should include time constraints.
 func Example() {
 	// Approval is a custom (a.k.a. private) claim element.

fuzz.go

@@ -25,7 +25,7 @@ func FuzzCheck(data []byte) int {
 	}
 
 	var keys KeyRegister
-	keys.Secrets = [][]byte{[]byte{'s', 'e', 'c', 'r', 'e', 't'}}
+	keys.Secrets = [][]byte{{'s', 'e', 'c', 'r', 'e', 't'}}
 	_, err := keys.LoadPEM([]byte(`-----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEc5/E+krowgL6Q1Xv6g1Hrh74kccf
 QdmMuEk/xPJQZD22ITRYiaCRaKFWaoDBcIv21JfJo2F4whHnOCFX0Y/ALg==

register.go

@@ -31,7 +31,7 @@ type KeyRegister struct {
 }
 
 // Check parses a JWT if, and only if, the signature checks out.
-// See Claims.Valid to complete the verification.
+// Use Claims.Valid to complete the verification.
 func (keys *KeyRegister) Check(token []byte) (*Claims, error) {
 	var c Claims
 	firstDot, lastDot, sig, alg, err := c.scan(token)

sign.go

@@ -13,7 +13,7 @@ import (
 	"strconv"
 )
 
-// FormatWithoutSign updates the Raw field and returns a new JWT, with only the
+// FormatWithoutSign updates the Raw fields and returns a new JWT, with only the
 // first two parts.
 //
 //	tokenWithoutSignature :≡ header-base64 '.' payload-base64
@@ -25,7 +25,7 @@ func (c *Claims) FormatWithoutSign(alg string, extraHeaders ...json.RawMessage)
 	return c.newToken(alg, 0, extraHeaders)
 }
 
-// ECDSASign updates the Raw field and returns a new JWT.
+// ECDSASign updates the Raw fields and returns a new JWT.
 // The return is an AlgError when alg is not in ECDSAAlgs.
 // The caller must use the correct key for the respective algorithm (P-256 for
 // ES256, P-384 for ES384 and P-521 for ES512) or risk malformed token production.
@@ -78,7 +78,7 @@ func (c *Claims) ECDSASign(alg string, key *ecdsa.PrivateKey, extraHeaders ...js
 	return token[:cap(token)], nil
 }
 
-// EdDSASign updates the Raw field and returns a new JWT.
+// EdDSASign updates the Raw fields and returns a new JWT.
 //
 // The JOSE header (content) can be extended with extraHeaders, in the form of
 // JSON objects. Redundant and/or duplicate keys are applied as provided.
@@ -95,7 +95,7 @@ func (c *Claims) EdDSASign(key ed25519.PrivateKey, extraHeaders ...json.RawMessa
 	return token[:cap(token)], nil
 }
 
-// HMACSign updates the Raw field and returns a new JWT.
+// HMACSign updates the Raw fields and returns a new JWT.
 // The return is an AlgError when alg is not in HMACAlgs.
 //
 // The JOSE header (content) can be extended with extraHeaders, in the form of
@@ -124,7 +124,7 @@ func (c *Claims) HMACSign(alg string, secret []byte, extraHeaders ...json.RawMes
 	return token[:cap(token)], nil
 }
 
-// RSASign updates the Raw field and returns a new JWT.
+// RSASign updates the Raw fields and returns a new JWT.
 // The return is an AlgError when alg is not in RSAAlgs.
 //
 // The JOSE header (content) can be extended with extraHeaders, in the form of
@@ -160,10 +160,10 @@ func (c *Claims) RSASign(alg string, key *rsa.PrivateKey, extraHeaders ...json.R
 }
 
 var (
-	headerEdDSA = []byte(`{"alg":"EdDSA"}`)
 	headerES256 = []byte(`{"alg":"ES256"}`)
 	headerES384 = []byte(`{"alg":"ES384"}`)
 	headerES512 = []byte(`{"alg":"ES512"}`)
+	headerEdDSA = []byte(`{"alg":"EdDSA"}`)
 	headerHS256 = []byte(`{"alg":"HS256"}`)
 	headerHS384 = []byte(`{"alg":"HS384"}`)
 	headerHS512 = []byte(`{"alg":"HS512"}`)
@@ -221,9 +221,6 @@ func (c *Claims) newToken(alg string, encSigLen int, extraHeaders []json.RawMess
 	if len(extraHeaders) == 0 && c.KeyID == "" {
 		var fixed string
 		switch alg {
-		case EdDSA:
-			fixed = "eyJhbGciOiJFZERTQSJ9."
-			c.RawHeader = headerEdDSA
 		case ES256:
 			fixed = "eyJhbGciOiJFUzI1NiJ9."
 			c.RawHeader = headerES256
@@ -233,6 +230,9 @@ func (c *Claims) newToken(alg string, encSigLen int, extraHeaders []json.RawMess
 		case ES512:
 			fixed = "eyJhbGciOiJFUzUxMiJ9."
 			c.RawHeader = headerES512
+		case EdDSA:
+			fixed = "eyJhbGciOiJFZERTQSJ9."
+			c.RawHeader = headerEdDSA
 		case HS256:
 			fixed = "eyJhbGciOiJIUzI1NiJ9."
 			c.RawHeader = headerHS256