[jose] JWK Generator Service

Justin Richer <jricher@mit.edu> Tue, 04 November 2014 14:44 UTC

Message-ID: <5458E645.9020904@mit.edu>
Date: Tue, 04 Nov 2014 09:44:21 -0500
From: Justin Richer <jricher@mit.edu>
To: "jose@ietf.org" <jose@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/uM8yrIY1Mx44FyTHgjHSgVEvyGc
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>

A while ago, I was fed up with creating self-signed X.509 certificates 
just to manage the bare keys used in JOSE processing. There's a lot of 
extraneous effort that goes into making fake certificate chains that are 
then dutifully ignored by the application, especially when the JWK 
format can hold both public and private keys natively already. So we 
switched our apps over to reading the JWK format instead of X.509, but 
we still needed something to securely generate the keys themselves. So I 
created a commandline Java application to generate keys in JWK format 
(based on the NimbusDS JOSE library):


It's slightly unwieldy to compile and run but it gets the job done. Last 
night, I wrapped that commandline application with a webapp and made it 
publicly available:


This simple service will generate a JWK in RSA, EC, or Oct (shared 
secret) format for you, using Java's cryptographic engine. You can add 
in the use, kid, and alg parameters, and the results are formatted into 
easily-copyable JSON. It will even wrap the key in a keyset and pull out 
the public key separately for you, in case you need those.

We don't log any of the keys being generated by the service, but to be 
extra safe I would still recommend using a local generation mechanism 
(like the commandline app above) for production systems.

Finally, I put the code to the site online in the name of transparency:


I hope that people can find this useful, and we can start moving off of 
X.509 for bare key storage in applications. Much thanks to MIT KIT for 
providing hosting and support.

  -- Justin
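As an added illustration of what the generator described above produces (this is example code written for this page, not Justin's Java command-line tool, the NimbusDS library, or the web service), the following Go program builds RSA, EC and oct keys in JWK format with the use, kid and alg members, wraps them in a JWK Set, and pulls the public halves out into a second set. It uses only the Go standard library; the function names and the key IDs (rsa-1, ec-1, hmac-1) are assumptions made for this example. Two details matter for interoperability and safety: EC coordinates and the EC private scalar are left-padded to the curve's fixed width (RFC 7518 requires this; stripping leading zero bytes yields an invalid JWK roughly one time in 256), and the public key is rebuilt from an allow-list of members rather than by deleting private ones, so a field added later cannot leak by omission. Generating locally, as the post recommends for production, is exactly what this does: the private set never leaves the process unless you write it out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// JWK: RFC 7517/7518 members. Public: n, e (RSA); crv, x, y (EC). Private: the rest.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use,omitempty"`
	Kid string `json:"kid,omitempty"`
	Alg string `json:"alg,omitempty"`
	N   string `json:"n,omitempty"`
	E   string `json:"e,omitempty"`
	D   string `json:"d,omitempty"` // RSA private exponent or EC private scalar
	P   string `json:"p,omitempty"`
	Q   string `json:"q,omitempty"`
	Dp  string `json:"dp,omitempty"`
	Dq  string `json:"dq,omitempty"`
	Qi  string `json:"qi,omitempty"`
	Crv string `json:"crv,omitempty"`
	X   string `json:"x,omitempty"`
	Y   string `json:"y,omitempty"`
	K   string `json:"k,omitempty"` // oct secret; has no public half
}

// JWKSet is the {"keys": [...]} wrapper of RFC 7517 section 5.
type JWKSet struct{ Keys []JWK `json:"keys"` }

// b64Int is RFC 7518 Base64urlUInt; size > 0 left-pads to the fixed width EC members need.
func b64Int(i *big.Int, size int) string {
	b := i.Bytes()
	if size > 0 && len(b) < size {
		b = append(make([]byte, size-len(b)), b...)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// RSAJWK emits the full private key; CRT members come from the Precompute that rsa.GenerateKey runs.
func RSAJWK(key *rsa.PrivateKey, kid, use, alg string) JWK {
	pc := key.Precomputed
	return JWK{Kty: "RSA", Kid: kid, Use: use, Alg: alg, N: b64Int(key.N, 0),
		E: b64Int(big.NewInt(int64(key.E)), 0), D: b64Int(key.D, 0),
		P: b64Int(key.Primes[0], 0), Q: b64Int(key.Primes[1], 0),
		Dp: b64Int(pc.Dp, 0), Dq: b64Int(pc.Dq, 0), Qi: b64Int(pc.Qinv, 0)}
}
// ECJWK emits the private key; Go's curve names (P-256, P-384, P-521) match JWA "crv".
func ECJWK(key *ecdsa.PrivateKey, kid, use, alg string) JWK {
	size := (key.Curve.Params().BitSize + 7) / 8
	return JWK{Kty: "EC", Kid: kid, Use: use, Alg: alg, Crv: key.Curve.Params().Name,
		X: b64Int(key.X, size), Y: b64Int(key.Y, size), D: b64Int(key.D, size)}
}
// OctJWK draws nbytes from the OS CSPRNG for a shared secret (32 bytes for HS256).
func OctJWK(nbytes int, kid, use, alg string) (JWK, error) {
	k := make([]byte, nbytes)
	if _, err := rand.Read(k); err != nil {
		return JWK{}, err
	}
	return JWK{Kty: "oct", Kid: kid, Use: use, Alg: alg, K: base64.RawURLEncoding.EncodeToString(k)}, nil
}

// PublicJWK rebuilds the public half from an allow-list of members; oct keys have none, so ok is false.
func PublicJWK(j JWK) (pub JWK, ok bool) {
	switch j.Kty {
	case "RSA":
		return JWK{Kty: "RSA", Use: j.Use, Kid: j.Kid, Alg: j.Alg, N: j.N, E: j.E}, true
	case "EC":
		return JWK{Kty: "EC", Use: j.Use, Kid: j.Kid, Alg: j.Alg, Crv: j.Crv, X: j.X, Y: j.Y}, true
	}
	return JWK{}, false
}

// PublicKeySet is what a jwks_uri endpoint may serve: public halves only, oct keys dropped.
func PublicKeySet(priv JWKSet) (out JWKSet) {
	for _, j := range priv.Keys {
		if p, ok := PublicJWK(j); ok {
			out.Keys = append(out.Keys, p)
		}
	}
	return out
}

func main() {
	rsaKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	oct, err3 := OctJWK(32, "hmac-1", "sig", "HS256")
	if err1 != nil || err2 != nil || err3 != nil {
		panic("key generation failed")
	}
	priv := JWKSet{Keys: []JWK{RSAJWK(rsaKey, "rsa-1", "sig", "RS256"), ECJWK(ecKey, "ec-1", "sig", "ES256"), oct}}
	out, _ := json.MarshalIndent(PublicKeySet(priv), "", "  ") // priv stays local; only this is publishable
	fmt.Println(string(out))
}
```

Running it prints the public JWK Set only; write `priv` to a file with restrictive permissions if you need to persist it. The same allow-list approach is worth keeping in any application that serves a jwks_uri: filter the set you publish through `PublicJWK` rather than trusting that the private set on disk never acquires extra members.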