Re: [jose] JWK Generator
Richard Barnes <rlb@ipv.sx> Tue, 26 March 2013 17:02 UTC
From: Richard Barnes <rlb@ipv.sx>
To: Justin Richer <jricher@mitre.org>
Cc: jose@ietf.org, Axel.Nennker@telekom.de
Subject: Re: [jose] JWK Generator

We've got some similar tools in PolyCrypt, our WebCrypto polyfill [1]. One of the demos is a self-signed certificate generator, which outputs private key as a pseudo-JWK [2].

I was going to put a code snippet here to demonstrate how to generate an RSA JWK with PolyCrypt. Instead I just threw up a new demo page that will do it for you [3]. Sample output:

    {"n":"a9_H5i8T7Zg65CUYPGRd4R-Lw7UFiH7guIJ5gQgjJUdnlo6edyVSCux_xV43T-Qe2-SGkRbUirZczdCegfAVjAegVMtnrsgOe_EqhN1CFlmPJ8wwC5Ooyc6u1_FBdu4FL3Kl7jWpII-ikOhZm05xUnj_M7CMMJo6w4PvAAzn-is=",
     "e":"AQAB",
     "d":"ETm1sPL5iqoRVVb7DMG2H_mqlsC0NnyUI8Jp5onHGu_RAcCaW0oxVJ85M-n8iRxTNSfDuS1dGR1PqmnStcsBlZnkwc99vl9gtUW2zAs0J-W3YP88Tk3hNM-6vS2So9-LRMashcWruHBPmLudN-UxGzanvS3G58jkK1BLQCW6xVE=",
     "p":"w8ZngvLVkE3reWvra6vDd3KLJqDHIK602h8yl40vLqX0u5UmXojIqL7k9WpmEn5gvVPsp-XDtkV-50ON9NZD8w==",
     "q":"jQ8KzZ3gHPz-yISa0EbRdI_cmeI03Kq1aAj7bSHDcyr4OjnkI4K6lTVNTGUazf10BrJZ5_2Yj5zOfujV803W6Q==",
     "dp":"m4-Mco3YStjPceTh5OVP5RrcHO6GK58Gz4cYoTmrMwrlYyRJn7Zak1NUBPntb2aCIg6MroCwuaWRB9wy8UhMJw==",
     "dq":"CgIpOBGdlzD0OvH9sg10SxryAhEkwwtxt6H7hPDCV2eTGT6GS2a5KmEPzP3Xewois17wNh-uNXJgzGxk0dCSEQ==",
     "qi":"kZ9MFAYRZKPloUprijuKsJxqfsAVJNINFqqrWr5ycqHLtpmhk6l58wkxFpcU94TJPgf1CaJOj2pGRTyijPa3-w=="}

If you want to use PolyCrypt and need EC, let me know, and I can probably get it implemented pretty quickly.

Hope this helps,
--Richard

[1] <http://polycrypt.net>
[2] <http://demo.polycrypt.net/x509/>
[3] <http://demo.polycrypt.net/jwk/>

On Tue, Mar 26, 2013 at 10:35 AM, Justin Richer <jricher@mitre.org> wrote:

> Thanks, that's exactly what I was looking for. I keep forgetting to check
> the unit tests of jsoncrypto for things like this.
>
> Once I have the actual java.security objects in hand, I can construct the
> JWKs fairly easily.
>
> I'll get this added and released soon!
>
> -- Justin
>
> On 03/25/2013 05:05 PM, Axel.Nennker@telekom.de wrote:
>
> EC key generation can be found in http://jsoncrypto.org/
>
> ES512
> https://code.google.com/p/jsoncrypto/source/browse/trunk/testsrc/org/jsoncrypto/JcBaseTest.java#2726
>
> ES384
> https://code.google.com/p/jsoncrypto/source/browse/trunk/testsrc/org/jsoncrypto/JcBaseTest.java#2685
>
> ES256
> https://code.google.com/p/jsoncrypto/source/browse/trunk/testsrc/org/jsoncrypto/JcBaseTest.java#2642
>
> I guess that the println lines can be converted into JWKs.
>
> -Axel
>
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Justin Richer
> Sent: Monday, March 25, 2013 9:36 PM
> To: jose@ietf.org
> Subject: [jose] JWK Generator
>
> A while ago, several folks complained that there was no toolchain for
> creating bare keys in the JWK/JPSK format. Indeed, my team's been using
> Java's keytool program and making self-signed dummy certs and pulling them
> out of there. That was a bit of a pain, to be honest.
>
> So now I've just written a utility program to generate JWK formatted keys
> from whole cloth given a set of parameters. It's a Java app built using the
> NimbusDS JWT-JOSE library, and at the moment it supports both RSA and oct
> keytypes, with an option to extract the public-only portion of the RSA as
> well. This is all based on the current JPSK format, which we plan to track
> with the aforementioned Nimbus library.
>
> You can get the code here:
>
> https://github.com/mitreid-connect/json-web-key-generator
>
> It's open sourced under an Apache 2.0 license, so feel free to pull it
> down and use it to your heart's content. It's a Java Maven project, so you
> build it with:
>
>     mvn package
>
> This will create a couple of .jar files in the target/ directory, one of
> which is an executable fat jar, usable from the commandline:
>
>     usage: java -jar json-web-key-generator.jar -t <keyType> -s <keySize> [-u
>            <keyUsage> -a <algorithm> -i <keyId> -p]
>      -a <arg>   Algorithm.
>      -i <arg>   Key ID (optional)
>      -p         Display public key separately
>      -s <arg>   Key Size in bits, must be an integer, generally divisible by 8
>      -t <arg>   Key Type, one of: RSA, oct
>      -u <arg>   Usage, one of: enc, sig. Defaults to sig
>
> For instance, to generate a 1024-bit RSA key with the algorithm of RS256,
> no key id, and display the public key separately, you would run (after
> doing a mvn package):
>
>     java -jar target/json-web-key-generator-0.1-SNAPSHOT-jar-with-dependencies.jar -a RS256 -t RSA -s 1024 -p
>
> This prints out (for example, your keys should vary):
>
>     Full key:
>     {
>       "alg": "RS256",
>       "d": "IXhRb4mXMOLlX1nEcv--CRX5WjGZdUTHzI2qIg-iX5QXY-noSZqit-BeWO0CTwBtryCU4DgNIjV4cvYHpWqkr8ES-FoH7DHDgt41lH5_YDv-MeeCU3hRSPbACLuWEbWQfjgLPgIL1cmh1q-eFOEpXWUtKy7DCFymMves7ojPxY0",
>       "e": "AQAB",
>       "n": "kWkuetDiodUI-0jZ2KpmwOMJ7jsnO8qG8ChMs7ax3xXKIr5g5K0axWtXm1HwA5OJRE-OyVHfJkda6xVgTFaV1AhWP8Zp7KL_Oq-moKRe5-BtahHpFJe7HZ1P6hxXAdhaygXen1lR0NAMNi4K4H5pn1KDCeRpuxAhJZsQnq5dxp0",
>       "kty": "RSA",
>       "use": "sig"
>     }
>
>     Public key:
>     {
>       "alg": "RS256",
>       "e": "AQAB",
>       "n": "kWkuetDiodUI-0jZ2KpmwOMJ7jsnO8qG8ChMs7ax3xXKIr5g5K0axWtXm1HwA5OJRE-OyVHfJkda6xVgTFaV1AhWP8Zp7KL_Oq-moKRe5-BtahHpFJe7HZ1P6hxXAdhaygXen1lR0NAMNi4K4H5pn1KDCeRpuxAhJZsQnq5dxp0",
>       "kty": "RSA",
>       "use": "sig"
>     }
>
> To create a 256-bit symmetric key with algorithm HS256 and key id of
> "myKey", you'd do:
>
>     java -jar target/json-web-key-generator-0.1-SNAPSHOT-jar-with-dependencies.jar -t oct -s 256
>
> Which outputs something like:
>
>     Full key:
>     {
>       "kty": "oct",
>       "use": "sig",
>       "k": "CsoV5LeX6S3RRlLr-hk0_VyIuTOWyovMPbU2UmbphME"
>     }
>
> It doesn't do EC keys yet because I don't know the Java Magic needed to
> make such a thing happen, but I'd be happy to have someone help out with
> that with a pull request.
>
> Hopefully people find this utility useful. I've got a few features I'm
> planning to add (write output to files, Java GUI with dropdowns for
> options), but this is a minimally-useful set of functionality.
>
> -- Justin
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
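
Added example, not part of the original messages and not PolyCrypt or json-web-key-generator code: a Node.js check that the members of an RSA private JWK, like the ones printed above, are unpadded base64url and agree with each other arithmetically. The names `checkRsaPrivateJwk` and `toyJwk` are hypothetical, the toy key (p=61, q=53) is constructed for the demonstration, and primality of p and q is not tested.

```javascript
// Added example; not code from PolyCrypt or json-web-key-generator.
// JWK integers are big-endian bytes in base64url. Decoding is tolerant of '='
// so that a padded value can still be checked after the padding is reported.
function b64uToBigInt(s) {
  const b64 = s.replace(/=+$/, "").replace(/-/g, "+").replace(/_/g, "/");
  const hex = Buffer.from(b64, "base64").toString("hex");
  return BigInt("0x" + (hex || "0"));
}

function bigIntToB64u(n) {
  let hex = n.toString(16);
  if (hex.length % 2) hex = "0" + hex;
  return Buffer.from(hex, "hex").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns a list of problems; an empty list means the key is self-consistent.
function checkRsaPrivateJwk(jwk) {
  const fields = ["n", "e", "d", "p", "q", "dp", "dq", "qi"];
  const problems = [];
  for (const f of fields) {
    if (typeof jwk[f] !== "string") problems.push(`${f}: missing`);
    else if (!/^[A-Za-z0-9_-]+$/.test(jwk[f])) problems.push(`${f}: not unpadded base64url`);
  }
  if (problems.some((m) => m.endsWith("missing"))) return problems;
  const v = Object.fromEntries(fields.map((f) => [f, b64uToBigInt(jwk[f])]));
  if (v.p < 2n || v.q < 2n) return problems.concat("p or q is not a usable factor");
  const inv = (a, b, m) => (a * b) % m === 1n; // is a*b = 1 (mod m)?
  if (v.p * v.q !== v.n) problems.push("n != p*q");
  if (!inv(v.e, v.d, v.p - 1n) || !inv(v.e, v.d, v.q - 1n)) problems.push("d is not the inverse of e");
  if (!inv(v.e, v.dp, v.p - 1n)) problems.push("dp inconsistent");
  if (!inv(v.e, v.dq, v.q - 1n)) problems.push("dq inconsistent");
  if (!inv(v.q, v.qi, v.p)) problems.push("qi inconsistent");
  return problems;
}

// Constructed toy key (p=61, q=53, e=17, d=2753): far too small for real use.
function toyJwk() {
  const [p, q, e, d] = [61n, 53n, 17n, 2753n];
  const enc = bigIntToB64u;
  return { kty: "RSA", n: enc(p * q), e: enc(e), d: enc(d), p: enc(p), q: enc(q),
           dp: enc(d % (p - 1n)), dq: enc(d % (q - 1n)), qi: enc(38n) };
}

console.log(checkRsaPrivateJwk(toyJwk()));
```

A public-only key is reported as missing its private members, so the same function separates the "Full key" and "Public key" outputs shown in the quoted message.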