JWE JSON Serialization Representation Support
Hi,
I went through examples and source code and it seems to me that the library doesn't support JWE JSON Serialization Representation (with multiple recipients).
The JsonWebEncryption class expects both 'alg' and 'enc' to be provided, either in the JWE token header value or individually through setters, while 'alg' is not present in the 'protected' attribute value. The 'alg' cannot be added to the 'protected' value by the API user because it (or the JWE header, in the case of the compact 5-part serialized representation) is used as Additional Authenticated Data (AAD) during token encryption.
If I have not missed anything and the JWE JSON Serialization representation is indeed not supported, are you planning to start supporting it?
Thank you
Here is a sample of JWE JSON representation:
{
  "protected": "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0",
  "unprotected": {"jku": "https://server.example.com/keys.jwks"},
  "recipients": [
    {"header": {"alg": "RSA1_5", "kid": "2011-04-29"},
     "encrypted_key": "UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-kFm1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKxGHZ7PcHALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3YvkkysZIFNPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPhcCdZ6XDP0_F8rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPgwCp6X-nZZd9OHBv-B3oWh2TbqmScqXMR4gp_A"},
    {"header": {"alg": "A128KW", "kid": "7"},
     "encrypted_key": "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ"}
  ],
  "iv": "AxY8DCtDaGlsbGljb3RoZQ",
  "ciphertext": "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY",
  "tag": "Mz-VPPyU4RlcuYv1IwIvzw"
}
Source: http://self-issued.info/docs/draft-ietf-jose-json-web-encryption.html#rfc.appendix.A.1.5
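Added example, not part of the original post and not jose4j code: a Python sketch of how the JSON serialization above resolves per recipient, following RFC 7516 section 7.2. It shows which header parameters fall outside the AAD and why this sample has no compact equivalent. The names SAMPLE and recipient_views are assumptions made for illustration, and nothing is decrypted.

```python
import base64
import json

# Constructed sample: the structure of the JSON above, with the first
# recipient's encrypted_key replaced by a short placeholder.
SAMPLE = {
    "protected": "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0",
    "unprotected": {"jku": "https://server.example.com/keys.jwks"},
    "recipients": [
        {"header": {"alg": "RSA1_5", "kid": "2011-04-29"}, "encrypted_key": "cGxhY2Vob2xkZXI"},
        {"header": {"alg": "A128KW", "kid": "7"},
         "encrypted_key": "6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ"}],
    "iv": "AxY8DCtDaGlsbGljb3RoZQ",
    "ciphertext": "KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY",
    "tag": "Mz-VPPyU4RlcuYv1IwIvzw",
}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def recipient_views(jwe):
    """Per-recipient view of a general or flattened JWE JSON object (RFC 7516, 7.2)."""
    p64 = jwe.get("protected", "")
    protected = json.loads(b64url_decode(p64)) if p64 else {}
    shared = jwe.get("unprotected", {})
    # Flattened syntax puts the single recipient's members at the top level.
    recipients = jwe.get("recipients") or [
        {k: jwe[k] for k in ("header", "encrypted_key") if k in jwe}]
    # AAD is the ASCII "protected" value, plus "." and "aad" when that member exists.
    aad = (p64 + ("." + jwe["aad"] if "aad" in jwe else "")).encode("ascii")
    views = []
    for r in recipients:
        own = r.get("header", {})
        names = [*protected, *shared, *own]
        if len(names) != len(set(names)):
            raise ValueError("header parameter names must be disjoint")
        joined = {**protected, **shared, **own}
        if "alg" not in joined or "enc" not in joined:
            raise ValueError("'alg' and 'enc' are required")
        # Anything outside "protected" is not covered by the authentication tag.
        unauthenticated = sorted(set(joined) - set(protected))
        compact = None  # a compact form exists only if every header is protected
        if not unauthenticated and "aad" not in jwe:
            compact = ".".join([p64, r.get("encrypted_key", ""),
                                jwe["iv"], jwe["ciphertext"], jwe["tag"]])
        views.append({"header": joined, "aad": aad,
                      "unauthenticated": unauthenticated, "compact": compact})
    return views
```

For the sample, both recipients share the same AAD while 'alg', 'kid' and 'jku' are reported as unauthenticated, so a caller should not base trust decisions on those values alone.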
Comments (7)
-
repo owner -
reporter Thank you for the quick response, Brian.
-
@b_c would you be open to a PR? I also need to serialize JWS and JWE tokens in flattened syntax, and I figured it would be useful to add that feature to jose4j directly.
-
repo owner @bjansen, I have to be upfront in saying that I probably wouldn't take a PR for the JSON Serializations (general or flattened). The unprotected headers and multiple signatures/recipients that come with it change the data and processing model and will likely impact the API and add complexity and risk that I'm not prepared to take on in this project.
-
repo owner - changed status to on hold
Never say never but not anytime soon.
-
I was thinking the PR would only cover protected headers, and only take into account the first signature/recipient (and possibly emit a warning if there's more than one signature/recipient).
-
repo owner Limited functionality like that makes some sense for specific needs but is very problematic in a general library as it effectively has to be maintained and supported forever. It shouldn't be too difficult to build that kind of flattened serialization support in your own application code using underlying functionality from jose4j. But I can't do that in the core library.
I'm sorry to say that you haven't missed anything. The JWE or JWS JSON Serializations aren't supported at this time. I don't have plans to support it anytime in the foreseeable future. One could maybe use some of the lower level classes in org.jose4j.jwe, like the implementations of ContentEncryptionAlgorithm and KeyManagementAlgorithm, to do the jose operations and then compose the JSON serialization from the results. Maybe.