Re: [jose] JWK Generator

Richard Barnes <rlb@ipv.sx> Tue, 26 March 2013 17:02 UTC

In-Reply-To: <5151B236.2080001@mitre.org>
References: <5150B533.2080205@mitre.org> <CE8995AB5D178F44A2154F5C9A97CAF4025536DC09D1@HE111541.emea1.cds.t-internal.com> <5151B236.2080001@mitre.org>
Date: Tue, 26 Mar 2013 13:02:16 -0400
Message-ID: <CAL02cgSuJTrQrxTPuvNSUfRrqUi5hON87VtYUbWiGJp4V-ZWUA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Justin Richer <jricher@mitre.org>
Cc: jose@ietf.org, Axel.Nennker@telekom.de
Subject: Re: [jose] JWK Generator

We've got some similar tools in PolyCrypt, our WebCrypto polyfill [1].  One
of the demos is a self-signed certificate generator, which outputs private
key as a pseudo-JWK [2].

I was going to put a code snippet here to demonstrate how to generate an
RSA JWK with PolyCrypt.  Instead I just threw up a new demo page that will
do it for you [3].  Sample output:
{"n":"a9_H5i8T7Zg65CUYPGRd4R-Lw7UFiH7guIJ5gQgjJUdnlo6edyVSCux_xV43T-Qe2-SGkRbUirZczdCegfAVjAegVMtnrsgOe_EqhN1CFlmPJ8wwC5Ooyc6u1_FBdu4FL3Kl7jWpII-ikOhZm05xUnj_M7CMMJo6w4PvAAzn-is=","e":"AQAB","d":"ETm1sPL5iqoRVVb7DMG2H_mqlsC0NnyUI8Jp5onHGu_RAcCaW0oxVJ85M-n8iRxTNSfDuS1dGR1PqmnStcsBlZnkwc99vl9gtUW2zAs0J-W3YP88Tk3hNM-6vS2So9-LRMashcWruHBPmLudN-UxGzanvS3G58jkK1BLQCW6xVE=","p":"w8ZngvLVkE3reWvra6vDd3KLJqDHIK602h8yl40vLqX0u5UmXojIqL7k9WpmEn5gvVPsp-XDtkV-50ON9NZD8w==","q":"jQ8KzZ3gHPz-yISa0EbRdI_cmeI03Kq1aAj7bSHDcyr4OjnkI4K6lTVNTGUazf10BrJZ5_2Yj5zOfujV803W6Q==","dp":"m4-Mco3YStjPceTh5OVP5RrcHO6GK58Gz4cYoTmrMwrlYyRJn7Zak1NUBPntb2aCIg6MroCwuaWRB9wy8UhMJw==","dq":"CgIpOBGdlzD0OvH9sg10SxryAhEkwwtxt6H7hPDCV2eTGT6GS2a5KmEPzP3Xewois17wNh-uNXJgzGxk0dCSEQ==","qi":"kZ9MFAYRZKPloUprijuKsJxqfsAVJNINFqqrWr5ycqHLtpmhk6l58wkxFpcU94TJPgf1CaJOj2pGRTyijPa3-w=="}

If you want to use PolyCrypt and need EC, let me know, and I can probably
get it implemented pretty quickly.

Hope this helps,
--Richard


[1] <http://polycrypt.net>
[2] <http://demo.polycrypt.net/x509/>
[3] <http://demo.polycrypt.net/jwk/>




On Tue, Mar 26, 2013 at 10:35 AM, Justin Richer <jricher@mitre.org> wrote:

> Thanks, that's exactly what I was looking for. I keep forgetting to check
> the unit tests of jsoncrypto for things like this.
>
> Once I have the actual java.security objects in hand, I can construct the
> JWKs fairly easily.
>
> I'll get this added and released soon!
>
> -- Justin
>
>
> On 03/25/2013 05:05 PM, Axel.Nennker@telekom.de wrote:
>
> EC key generation can be found in http://jsoncrypto.org/
>
> ES512
> https://code.google.com/p/jsoncrypto/source/browse/trunk/testsrc/org/jsoncrypto/JcBaseTest.java#2726
>
> ES384
> https://code.google.com/p/jsoncrypto/source/browse/trunk/testsrc/org/jsoncrypto/JcBaseTest.java#2685
>
> ES256
> https://code.google.com/p/jsoncrypto/source/browse/trunk/testsrc/org/jsoncrypto/JcBaseTest.java#2642
>
> I guess that the println lines can be converted into JWKs.
>
> -Axel
>
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Justin Richer
> Sent: Monday, March 25, 2013 9:36 PM
> To: jose@ietf.org
> Subject: [jose] JWK Generator
>
>
> A while ago, several folks complained that there was no toolchain for
> creating bare keys in the JWK/JPSK format. Indeed, my team's been using
> Java's keytool program and making self-signed dummy certs and pulling them
> out of there. That was a bit of a pain, to be honest.
>
> So now I've just written a utility program to generate JWK formatted keys
> from whole cloth given a set of parameters. It's a Java app built using the
> NimbusDS JWT-JOSE library, and at the moment it supports both RSA and oct
> keytypes, with an option to extract the public-only portion of the RSA as
> well. This is all based on the current JPSK format, which we plan to track
> with the aforementioned Nimbus library.
>
> You can get the code here:
>
>   https://github.com/mitreid-connect/json-web-key-generator
>
> It's open sourced under an Apache 2.0 license, so feel free to pull it
> down and use it to your heart's content. It's a Java Maven project, so you
> build it with:
>
>   mvn package
>
> This will create a couple of .jar files in the target/ directory, one of
> which is an executable fat jar, usable from the commandline:
>
> usage: java -jar json-web-key-generator.jar -t <keyType> -s <keySize> [-u
>             <keyUsage> -a <algorithm> -i <keyId> -p]
>
>  -a <arg>   Algorithm.
>  -i <arg>   Key ID (optional)
>  -p         Display public key separately
>  -s <arg>   Key Size in bits, must be an integer, generally divisible by 8
>  -t <arg>   Key Type, one of: RSA, oct
>  -u <arg>   Usage, one of: enc, sig. Defaults to sig
>
>
> For instance, to generate a 1024-bit RSA key with the algorithm of RS256,
> no key id, and display the public key separately, you would run (after
> doing a mvn package):
>
>   java -jar
> target/json-web-key-generator-0.1-SNAPSHOT-jar-with-dependencies.jar -a
> RS256 -t RSA -s 1024 -p
>
> This prints out (for example, your keys should vary):
>
> Full key:
>
> {
>   "alg": "RS256",
>   "d": "IXhRb4mXMOLlX1nEcv--CRX5WjGZdUTHzI2qIg-iX5QXY-noSZqit-BeWO0CTwBtryCU4DgNIjV4cvYHpWqkr8ES-FoH7DHDgt41lH5_YDv-MeeCU3hRSPbACLuWEbWQfjgLPgIL1cmh1q-eFOEpXWUtKy7DCFymMves7ojPxY0",
>   "e": "AQAB",
>   "n": "kWkuetDiodUI-0jZ2KpmwOMJ7jsnO8qG8ChMs7ax3xXKIr5g5K0axWtXm1HwA5OJRE-OyVHfJkda6xVgTFaV1AhWP8Zp7KL_Oq-moKRe5-BtahHpFJe7HZ1P6hxXAdhaygXen1lR0NAMNi4K4H5pn1KDCeRpuxAhJZsQnq5dxp0",
>   "kty": "RSA",
>   "use": "sig"
> }
>
> Public key:
>
> {
>   "alg": "RS256",
>   "e": "AQAB",
>   "n": "kWkuetDiodUI-0jZ2KpmwOMJ7jsnO8qG8ChMs7ax3xXKIr5g5K0axWtXm1HwA5OJRE-OyVHfJkda6xVgTFaV1AhWP8Zp7KL_Oq-moKRe5-BtahHpFJe7HZ1P6hxXAdhaygXen1lR0NAMNi4K4H5pn1KDCeRpuxAhJZsQnq5dxp0",
>   "kty": "RSA",
>   "use": "sig"
> }
>
>
> To create a 256-bit symmetric key with algorithm HS256 and key id of
> "myKey", you'd do:
>
>   java -jar
> target/json-web-key-generator-0.1-SNAPSHOT-jar-with-dependencies.jar -t oct
> -s 256
>
> Which outputs something like:
>
> Full key:
>
> {
>   "kty": "oct",
>   "use": "sig",
>   "k": "CsoV5LeX6S3RRlLr-hk0_VyIuTOWyovMPbU2UmbphME"
> }
>
>
> It doesn't do EC keys yet because I don't know the Java Magic needed to
> make such a thing happen, but I'd be happy to have someone help out with
> that with a pull request.
>
> Hopefully people find this utility useful. I've got a few features I'm
> planning to add (write output to files, Java GUI with dropdowns for
> options), but this is a minimally-useful set of functionality.
>
> -- Justin
>
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>