Re: [jose] JWK Generator

Justin Richer <jricher@mitre.org> Thu, 28 March 2013 15:46 UTC


I've updated the key generator so that it now handles EC keys as well. 
Note that you'll have to wait for the latest Nimbus-JOSE-JWT library to 
hit Maven Central (should be any time now) before it'll build. By the 
time most of you read this message, it should compile and run. The new 
keytype parameter is "-k EC" and it requires a curve specification like 
"-c P-256".

  -- Justin

On 03/25/2013 05:05 PM, Axel.Nennker@telekom.de wrote:
>
> EC key generation can be found in http://jsoncrypto.org/
>
> ES512
>
> https://code.google.com/p/jsoncrypto/source/browse/trunk/testsrc/org/jsoncrypto/JcBaseTest.java#2726
>
> ES384
>
> https://code.google.com/p/jsoncrypto/source/browse/trunk/testsrc/org/jsoncrypto/JcBaseTest.java#2685
>
> ES256
>
> https://code.google.com/p/jsoncrypto/source/browse/trunk/testsrc/org/jsoncrypto/JcBaseTest.java#2642
>
> I guess that the println lines can be converted into JWKs.
>
> -Axel
>
> *From:*jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] *On Behalf 
> Of *Justin Richer
> *Sent:* Monday, March 25, 2013 9:36 PM
> *To:* jose@ietf.org
> *Subject:* [jose] JWK Generator
>
> A while ago, several folks complained that there was no toolchain for 
> creating bare keys in the JWK/JPSK format. Indeed, my team's been 
> using Java's keytool program and making self-signed dummy certs and 
> pulling them out of there. That was a bit of a pain, to be honest.
>
> So now I've just written a utility program to generate JWK formatted 
> keys from whole cloth given a set of parameters. It's a Java app built 
> using the NimbusDS JWT-JOSE library, and at the moment it supports 
> both RSA and oct keytypes, with an option to extract the public-only 
> portion of the RSA as well. This is all based on the current JPSK 
> format, which we plan to track with the aforementioned Nimbus library.
>
> You can get the code here:
>
> https://github.com/mitreid-connect/json-web-key-generator
>
> It's open sourced under an Apache 2.0 license, so feel free to pull it 
> down and use it to your heart's content. It's a Java Maven project, so 
> you build it with:
>
>   mvn package
>
> This will create a couple of .jar files in the target/ directory, one 
> of which is an executable fat jar, usable from the commandline:
>
> usage: java -jar json-web-key-generator.jar -t <keyType> -s <keySize> [-u
>              <keyUsage> -a <algorithm> -i <keyId> -p]
>   -a <arg>   Algorithm.
>   -i <arg>   Key ID (optional)
>   -p         Display public key separately
>   -s <arg>   Key Size in bits, must be an integer, generally divisible by 8
>   -t <arg>   Key Type, one of: RSA, oct
>   -u <arg>   Usage, one of: enc, sig. Defaults to sig
>
>
> For instance, to generate a 1024-bit RSA key with the algorithm of 
> RS256, no key id, and display the public key separately, you would run 
> (after doing a mvn package):
>
>   java -jar target/json-web-key-generator-0.1-SNAPSHOT-jar-with-dependencies.jar -a RS256 -t RSA -s 1024 -p
>
> This prints out (for example, your keys should vary):
>
> Full key:
> {
>    "alg": "RS256",
>    "d": "IXhRb4mXMOLlX1nEcv--CRX5WjGZdUTHzI2qIg-iX5QXY-noSZqit-BeWO0CTwBtryCU4DgNIjV4cvYHpWqkr8ES-FoH7DHDgt41lH5_YDv-MeeCU3hRSPbACLuWEbWQfjgLPgIL1cmh1q-eFOEpXWUtKy7DCFymMves7ojPxY0",
>    "e": "AQAB",
>    "n": "kWkuetDiodUI-0jZ2KpmwOMJ7jsnO8qG8ChMs7ax3xXKIr5g5K0axWtXm1HwA5OJRE-OyVHfJkda6xVgTFaV1AhWP8Zp7KL_Oq-moKRe5-BtahHpFJe7HZ1P6hxXAdhaygXen1lR0NAMNi4K4H5pn1KDCeRpuxAhJZsQnq5dxp0",
>    "kty": "RSA",
>    "use": "sig"
> }
>   
> Public key:
> {
>    "alg": "RS256",
>    "e": "AQAB",
>    "n": "kWkuetDiodUI-0jZ2KpmwOMJ7jsnO8qG8ChMs7ax3xXKIr5g5K0axWtXm1HwA5OJRE-OyVHfJkda6xVgTFaV1AhWP8Zp7KL_Oq-moKRe5-BtahHpFJe7HZ1P6hxXAdhaygXen1lR0NAMNi4K4H5pn1KDCeRpuxAhJZsQnq5dxp0",
>    "kty": "RSA",
>    "use": "sig"
> }
>
>
> To create a 256-bit symmetric key with algorithm HS256 and key id of 
> "myKey", you'd do:
>
>   java -jar target/json-web-key-generator-0.1-SNAPSHOT-jar-with-dependencies.jar -t oct -s 256
>
> Which outputs something like:
>
> Full key:
> {
>    "kty": "oct",
>    "use": "sig",
>    "k": "CsoV5LeX6S3RRlLr-hk0_VyIuTOWyovMPbU2UmbphME"
> }
>
>
> It doesn't do EC keys yet because I don't know the Java Magic needed 
> to make such a thing happen, but I'd be happy to have someone help out 
> with that with a pull request.
>
> Hopefully people find this utility useful. I've got a few features I'm 
> planning to add (write output to files, Java GUI with dropdowns for 
> options), but this is a minimally-useful set of functionality.
>
>  -- Justin
>
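
As an added example (not part of the original messages and not code from the json-web-key-generator project), this Python script reads JWKs of the shape printed above, reports the key size, strips private members the way the "-p" output does for RSA, and flags keys below the sizes JWA (RFC 7518) requires. The function names and the RSA sample key are constructed for illustration; the oct "k" value is the one quoted in the message.

```python
import base64

# Private members per key type (RFC 7518); "oct" keys have no public half.
PRIVATE_MEMBERS = {"RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"}, "EC": {"d"}}
EC_BITS = {"P-256": 256, "P-384": 384, "P-521": 521}
HMAC_MIN_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}

def b64url_decode(value):
    """Decode unpadded base64url, the encoding used for JWK members."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def b64url_uint(number):
    """Encode a non-negative integer as unpadded base64url (big-endian)."""
    raw = number.to_bytes((number.bit_length() + 7) // 8 or 1, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def key_bits(jwk):
    """Effective key size in bits for RSA, EC and oct keys."""
    if jwk["kty"] == "RSA":
        return int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()
    if jwk["kty"] == "EC":
        return EC_BITS[jwk["crv"]]
    if jwk["kty"] == "oct":
        return len(b64url_decode(jwk["k"])) * 8
    raise ValueError("unsupported kty: %r" % jwk["kty"])

def public_part(jwk):
    """Copy of the key without private members (what -p displays for RSA)."""
    if jwk["kty"] not in PRIVATE_MEMBERS:
        raise ValueError("%s keys have no public part" % jwk["kty"])
    return {k: v for k, v in jwk.items() if k not in PRIVATE_MEMBERS[jwk["kty"]]}

def audit(jwk):
    """Return findings worth fixing before the key is used or published."""
    findings, bits, alg = [], key_bits(jwk), jwk.get("alg")
    if jwk["kty"] == "RSA" and bits < 2048:
        findings.append("RSA modulus is %d bits; RFC 7518 requires 2048 or more" % bits)
    if jwk["kty"] == "oct" and bits < HMAC_MIN_BITS.get(alg, 0):
        findings.append("%s needs a key of at least %d bits" % (alg, HMAC_MIN_BITS[alg]))
    if jwk.keys() & PRIVATE_MEMBERS.get(jwk["kty"], {"k"}):
        findings.append("contains secret key material; do not publish")
    return findings

# Constructed sample keys (not real key pairs): a 1024-bit modulus, the size
# used in the message's RSA example, and the "k" value from its oct example.
RSA_1024 = {"kty": "RSA", "use": "sig", "alg": "RS256", "e": "AQAB",
            "n": b64url_uint((1 << 1023) | 1), "d": b64url_uint(3)}
OCT_256 = {"kty": "oct", "use": "sig", "k": "CsoV5LeX6S3RRlLr-hk0_VyIuTOWyovMPbU2UmbphME"}
```

Running `audit()` on a key before it goes into a JWK Set catches both an undersized key and a private key about to be published by mistake.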