JWE JSON Serialization Representation Support

Issue #104 on hold
Andriy Kharchuk created an issue

Hi,

I went through examples and source code and it seems to me that the library doesn't support JWE JSON Serialization Representation (with multiple recipients).

The JsonWebEncryption class expects both 'alg' and 'enc' to be provided either in the JWE token header value or individually through setters, while 'alg' is not present in the 'protected' attribute value. The 'alg' cannot be added to the 'protected' value by the API user because it (or the JWE header in the case of the compact 5-part serialized representation) is used as Additional Authenticated Data (AAD) during token encryption.

If I have not missed anything and the JWE JSON Serialization representation is indeed not supported, are you planning to start supporting it?

Thank you

Here is a sample of JWE JSON representation:

    {
      "protected": "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0",
      "unprotected": {"jku": "https://server.example.com/keys.jwks"},
      "recipients": [
        {
          "header": {"alg": "RSA1_5", "kid": "2011-04-29"},
          "encrypted_key": "UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-kFm1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKxGHZ7PcHALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3YvkkysZIFNPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPhcCdZ6XDP0_F8rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPgwCp6X-nZZd9OHBv-B3oWh2TbqmScqXMR4gp_A"
        },
        {
          "header": {"alg": "A128KW", "kid": "7"},
          "encrypted_key": "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ"
        }
      ],
      "iv": "AxY8DCtDaGlsbGljb3RoZQ",
      "ciphertext": "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY",
      "tag": "Mz-VPPyU4RlcuYv1IwIvzw"
    }

Source: http://self-issued.info/docs/draft-ietf-jose-json-web-encryption.html#rfc.appendix.A.1.5

Comments (7)

  1. Brian Campbell repo owner

    I'm sorry to say that you haven't missed anything. The JWE or JWS JSON Serializations aren't supported at this time. I don't have plans to support it anytime in the foreseeable future. One could maybe use some of the lower level classes in org.jose4j.jwe, like the implementations of ContentEncryptionAlgorithm and KeyManagementAlgorithm, to do the jose operations and then compose the JSON serialization from the results. Maybe.

  2. Bastien Jansen

    @b_c would you be open to a PR? I also need to serialize JWS and JWE tokens in flattened syntax, and I figured it would be useful to add that feature to jose4j directly.

  3. Brian Campbell repo owner

    @bjansen, I have to be upfront in saying that I probably wouldn't take a PR for the JSON Serializations (general or flattened). The unprotected headers and multiple signatures/recipients that come with it change the data and processing model and will likely impact the API and add complexity and risk that I'm not prepared to take on in this project.

  4. Bastien Jansen

    I was thinking the PR would only cover protected headers, and only take into account the first signature/recipient (and possibly emit a warning if there's more than one signature/recipient).

  5. Brian Campbell repo owner

    Limited functionality like that makes some sense for specific needs but is very problematic in a general library as it effectively has to be maintained and supported forever. It shouldn't be too difficult to build that kind of flattened serialization support in your own application code using underlying functionality from jose4j. But I can't do that in the core library.
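
The application-side bridge discussed in comments 4 and 5, as an added example that is not jose4j code and not code from anyone in this thread: it converts between the compact form and a JSON serialization that uses only the protected header, and rejects input the compact form cannot carry instead of silently dropping it. The sample in the issue would be rejected (two recipients, an `unprotected` member, and `alg` in the per-recipient `header`). The class and method names are hypothetical; `JsonUtil` and `JoseException` are jose4j classes.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.jose4j.json.JsonUtil;
import org.jose4j.lang.JoseException;

// Added example (hypothetical class, not part of jose4j).
public final class JweJsonBridge {

    // Compact -> flattened JSON. The "protected" string is copied as-is, so the AAD is unchanged.
    public static String compactToFlattened(String compact) throws JoseException {
        String[] p = compact.split("\\.", -1);   // -1 keeps empty parts (e.g. "dir" has no encrypted key)
        if (p.length != 5) throw new JoseException("compact JWE must have 5 parts");
        Map<String, Object> json = new LinkedHashMap<>();
        json.put("protected", p[0]);
        if (!p[1].isEmpty()) json.put("encrypted_key", p[1]);
        json.put("iv", p[2]);
        json.put("ciphertext", p[3]);
        json.put("tag", p[4]);
        return JsonUtil.toJson(json);
    }

    // JSON (flattened, or general with one recipient) -> compact. Rejects what compact cannot express.
    @SuppressWarnings("unchecked")
    public static String jsonToCompact(String jweJson) throws JoseException {
        Map<String, Object> json = JsonUtil.parseJson(jweJson);
        Map<String, Object> recipient = json;    // flattened syntax keeps recipient members at top level
        if (json.get("recipients") instanceof List) {
            List<Object> all = (List<Object>) json.get("recipients");
            if (all.size() != 1 || !(all.get(0) instanceof Map))
                throw new JoseException("need exactly one recipient, found " + all.size());
            recipient = (Map<String, Object>) all.get(0);
        }
        // "unprotected"/"header" values sit outside the AAD; an "aad" member changes the AAD itself.
        for (String member : new String[] {"unprotected", "aad"})
            if (json.containsKey(member)) throw new JoseException("unsupported member: " + member);
        if (recipient.containsKey("header")) throw new JoseException("unsupported member: header");
        return String.join(".",
                text(json, "protected", true), text(recipient, "encrypted_key", false),
                text(json, "iv", false), text(json, "ciphertext", true), text(json, "tag", false));
    }

    private static String text(Map<String, Object> m, String name, boolean required) throws JoseException {
        Object v = m.get(name);
        if (v instanceof String) return (String) v;
        if (v == null && !required) return "";
        throw new JoseException("missing or non-string member: " + name);
    }
}
```

The string returned by `jsonToCompact` can be passed to `JsonWebEncryption.setCompactSerialization`, so 'alg' and 'enc' are read from the integrity-protected header only.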