Re: [jose] JWK Generator Service

Antonio Sanso <> Tue, 04 November 2014 14:53 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A075D1A8956 for <>; Tue, 4 Nov 2014 06:53:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id k90dVCAsp7o9 for <>; Tue, 4 Nov 2014 06:53:14 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fc10::602]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 16C421A020B for <>; Tue, 4 Nov 2014 06:53:14 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 4 Nov 2014 14:52:50 +0000
Received: from ([]) by ([]) with mapi id 15.01.0006.000; Tue, 4 Nov 2014 14:52:50 +0000
From: Antonio Sanso <>
To: Justin Richer <jricher@MIT.EDU>
Thread-Topic: [jose] JWK Generator Service
Thread-Index: AQHP+D3c62ouHEyPJk6kjl6Jw8/M3JxQjk4A
Date: Tue, 04 Nov 2014 14:52:49 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:CO1PR02MB205;
x-exchange-antispam-report-test: UriScan:;
x-forefront-prvs: 03853D523D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(377454003)(189002)(24454002)(199003)(51704005)(21056001)(54356999)(15975445006)(2171001)(66066001)(2656002)(36756003)(20776003)(92566001)(50986999)(31966008)(99396003)(87936001)(92726001)(76176999)(105586002)(95666004)(83716003)(97736003)(4396001)(33656002)(19580395003)(101416001)(106116001)(19580405001)(120916001)(122556002)(46102003)(82746002)(64706001)(40100003)(86362001)(106356001)(107046002)(77096003)(99286002)(62966003)(77156002)(104396001); DIR:OUT; SFP:1101; SCL:1; SRVR:CO1PR02MB205;; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [jose] JWK Generator Service
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 04 Nov 2014 14:53:16 -0000

nice stuff Justin!! really :)



On Nov 4, 2014, at 3:44 PM, Justin Richer <jricher@MIT.EDU> wrote:

> A while ago, I was fed up with creating self-signed X.509 certificates just to manage the bare keys used in JOSE processing. There's a lot of extraneous effort that goes into making fake certificate chains that are then dutifully ignored by the application, especially when the JWK format can hold both public and private keys natively already. So we switched our apps over to reading the JWK format instead of X.509, but we still needed something to securely generate the keys themselves. So I created a commandline Java application to generate keys in JWK format (based on the NimbusDS JOSE library):
> It's slightly unwieldy to compile and run but it gets the job done. Last night, I wrapped that commandline application with a webapp and made it publicly available:
> This simple service will generate a JWK in RSA, EC, or Oct (shared secret) format for you, using Java's cryptographic engine. You can add in the use, kid, and alg parameters, and the results are formatted into easily-copyable JSON. It will even wrap the key in a keyset and pull out the public key separately for you, in case you need those.
> We don't log any of the keys being generated by the service, but to be extra safe I would still recommend using a local generation mechanism (like the commandline app above) for production systems.
> Finally, I put the code to the site online in the name of transparency:
> I hope that people can find this useful, and we can start moving off of X.509 for bare key storage in applications. Much thanks to MIT KIT for providing hosting and support.
> -- Justin
> _______________________________________________
> jose mailing list