[jose] JWK Generator

Justin Richer <jricher@mitre.org> Mon, 25 March 2013 20:37 UTC

Message-ID: <5150B533.2080205@mitre.org>
Date: Mon, 25 Mar 2013 16:36:03 -0400
From: Justin Richer <jricher@mitre.org>
Subject: [jose] JWK Generator

A while ago, several folks complained that there was no toolchain for 
creating bare keys in the JWK/JPSK format. Indeed, my team's been using 
Java's keytool program and making self-signed dummy certs and pulling 
them out of there. That was a bit of a pain, to be honest.

So now I've just written a utility program to generate JWK formatted 
keys from whole cloth given a set of parameters. It's a Java app built 
using the NimbusDS JWT-JOSE library, and at the moment it supports both 
RSA and oct keytypes, with an option to extract the public-only portion 
of the RSA as well. This is all based on the current JPSK format, which 
we plan to track with the aforementioned Nimbus library.

You can get the code here:

   https://github.com/mitreid-connect/json-web-key-generator

It's open sourced under an Apache 2.0 license, so feel free to pull it 
down and use it to your heart's content. It's a Java Maven project, so 
you build it with:

   mvn package

This will create a couple of .jar files in the target/ directory, one of 
which is an executable fat jar, usable from the command line:

    usage: java -jar json-web-key-generator.jar -t <keyType> -s <keySize> [-u
                 <keyUsage> -a <algorithm> -i <keyId> -p]
      -a <arg>   Algorithm.
      -i <arg>   Key ID (optional)
      -p         Display public key separately
      -s <arg>   Key Size in bits, must be an integer, generally divisible by 8
      -t <arg>   Key Type, one of: RSA, oct
      -u <arg>   Usage, one of: enc, sig. Defaults to sig


For instance, to generate a 1024-bit RSA key with the algorithm of 
RS256, no key id, and display the public key separately, you would run 
(after doing a mvn package):

   java -jar target/json-web-key-generator-0.1-SNAPSHOT-jar-with-dependencies.jar -a RS256 -t RSA -s 1024 -p

This prints out (for example, your keys should vary):

    Full key:
    {
       "alg": "RS256",
       "d": "IXhRb4mXMOLlX1nEcv--CRX5WjGZdUTHzI2qIg-iX5QXY-noSZqit-BeWO0CTwBtryCU4DgNIjV4cvYHpWqkr8ES-FoH7DHDgt41lH5_YDv-MeeCU3hRSPbACLuWEbWQfjgLPgIL1cmh1q-eFOEpXWUtKy7DCFymMves7ojPxY0",
       "e": "AQAB",
       "n": "kWkuetDiodUI-0jZ2KpmwOMJ7jsnO8qG8ChMs7ax3xXKIr5g5K0axWtXm1HwA5OJRE-OyVHfJkda6xVgTFaV1AhWP8Zp7KL_Oq-moKRe5-BtahHpFJe7HZ1P6hxXAdhaygXen1lR0NAMNi4K4H5pn1KDCeRpuxAhJZsQnq5dxp0",
       "kty": "RSA",
       "use": "sig"
    }

    Public key:
    {
       "alg": "RS256",
       "e": "AQAB",
       "n": "kWkuetDiodUI-0jZ2KpmwOMJ7jsnO8qG8ChMs7ax3xXKIr5g5K0axWtXm1HwA5OJRE-OyVHfJkda6xVgTFaV1AhWP8Zp7KL_Oq-moKRe5-BtahHpFJe7HZ1P6hxXAdhaygXen1lR0NAMNi4K4H5pn1KDCeRpuxAhJZsQnq5dxp0",
       "kty": "RSA",
       "use": "sig"
    }


To create a 256-bit symmetric key with algorithm HS256 and key id of 
"myKey", you'd do:

   java -jar target/json-web-key-generator-0.1-SNAPSHOT-jar-with-dependencies.jar -t oct -s 256

Which outputs something like:

    Full key:
    {
       "kty": "oct",
       "use": "sig",
       "k": "CsoV5LeX6S3RRlLr-hk0_VyIuTOWyovMPbU2UmbphME"
    }


It doesn't do EC keys yet because I don't know the Java Magic needed to 
make such a thing happen, but I'd be happy to have someone help out with 
that with a pull request.

Hopefully people find this utility useful. I've got a few features I'm 
planning to add (write output to files, Java GUI with dropdowns for 
options), but this is a minimally-useful set of functionality.

  -- Justin
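The following is an added example, not part of Justin's message or of the json-web-key-generator project. It works through what the generator's output above actually encodes, in pure Python with no third-party library: decoding the base64url-without-padding values, deriving the public-only view that the -p option prints (dropping the RSA private members, as listed for RSA JWKs in RFC 7518), checking that the printed d really is the private exponent for (n, e) by a modular round-trip, and building a symmetric "oct" JWK with "k" encoded the same way. The RSA key material is the author's 1024-bit dummy key copied from the message; the probe value and the helper names are this example's own.

```python
import base64
import json
import secrets
from typing import Optional

# The full RSA JWK printed by the generator in the message above.
# It is the author's 1024-bit dummy key, reproduced here as test input.
FULL_RSA_JWK = {
    "alg": "RS256",
    "d": "IXhRb4mXMOLlX1nEcv--CRX5WjGZdUTHzI2qIg-iX5QXY-noSZqit-BeWO0CTwBtryCU4DgNIjV4cvYHpWqkr8ES-FoH7DHDgt41lH5_YDv-MeeCU3hRSPbACLuWEbWQfjgLPgIL1cmh1q-eFOEpXWUtKy7DCFymMves7ojPxY0",
    "e": "AQAB",
    "n": "kWkuetDiodUI-0jZ2KpmwOMJ7jsnO8qG8ChMs7ax3xXKIr5g5K0axWtXm1HwA5OJRE-OyVHfJkda6xVgTFaV1AhWP8Zp7KL_Oq-moKRe5-BtahHpFJe7HZ1P6hxXAdhaygXen1lR0NAMNi4K4H5pn1KDCeRpuxAhJZsQnq5dxp0",
    "kty": "RSA",
    "use": "sig",
}

# JWK members that carry RSA private key material (RFC 7518, section 6.3.2).
RSA_PRIVATE_MEMBERS = frozenset({"d", "p", "q", "dp", "dq", "qi", "oth"})


def b64url_decode(value: str) -> bytes:
    """JWK values are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def b64url_encode(raw: bytes) -> str:
    """Base64url-encode and strip the padding, as JWK requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_int(jwk: dict, member: str) -> int:
    """Decode a big-endian unsigned integer member such as "n", "e" or "d"."""
    return int.from_bytes(b64url_decode(jwk[member]), "big")


def public_only(jwk: dict) -> dict:
    """Equivalent of the generator's -p option: keep only the public members.
    Member order is preserved, so the result matches the printed 'Public key'."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA keys are handled here")
    return {name: val for name, val in jwk.items() if name not in RSA_PRIVATE_MEMBERS}


def rsa_key_is_consistent(jwk: dict) -> bool:
    """Check that d is really the private exponent for (n, e): raising a probe
    to e and then to d modulo n must give the probe back."""
    n, e, d = (jwk_int(jwk, m) for m in ("n", "e", "d"))
    probe = 0x0123456789ABCDEF  # constructed test value, far below n
    return pow(pow(probe, e, n), d, n) == probe


def make_oct_jwk(bits: int = 256, alg: str = "HS256",
                 kid: Optional[str] = None, use: str = "sig") -> dict:
    """Build a symmetric ('oct') JWK from fresh random bytes, encoding "k"
    the way the generator prints it (base64url, no padding)."""
    if bits % 8:
        raise ValueError("key size must be a multiple of 8 bits")
    jwk = {"kty": "oct", "use": use, "alg": alg,
           "k": b64url_encode(secrets.token_bytes(bits // 8))}
    if kid is not None:
        jwk["kid"] = kid
    return jwk


def oct_key_bits(jwk: dict) -> int:
    """Size in bits of the secret carried by an 'oct' JWK."""
    return len(b64url_decode(jwk["k"])) * 8


if __name__ == "__main__":
    print("Public key:")
    print(json.dumps(public_only(FULL_RSA_JWK), indent=3))
    print("modulus bits:", jwk_int(FULL_RSA_JWK, "n").bit_length())
    print("d matches (n, e):", rsa_key_is_consistent(FULL_RSA_JWK))
    print(json.dumps(make_oct_jwk(256, "HS256", "myKey"), indent=3))
```

The round-trip check is the cheap sanity test to run on any JWK before loading it into a signing service: a JWK whose d does not match its n and e will happily parse but will never produce verifiable signatures, and catching that at ingestion is far easier than debugging it in production.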