Encrypt or sign the tokens with external service
I am using the library to create and read tokens.
The infrastructure that I am using has AWS KMS to store our keys and to sign and encrypt data.
However, JsonWebEncryption requires having the actual key, which is not possible when using KMS: KMS stores the keys, but they cannot be retrieved.
Would it be possible to add a parameter to JsonWebEncryption that takes a Java function to encrypt the token? The same mechanism would apply to signing a token.
i.e. jwe.setEncryptFunction():

    JsonWebEncryption jwe = new JsonWebEncryption();
    jwe.setPayload(jws.getCompactSerialization());
    jwe.setEncryptFunction((keyId, bytes) -> {
        return kms.encrypt(keyId, bytes);
    });
    ...
Comments (3)
reporter -
The abstractions, algorithms, formats, etc. don’t line up in a way that would make that workable.
I think a more viable approach would be to use the KMS to encrypt/decrypt the key(s) that’ll be used with JWE/JWS rather than trying to use the KMS directly at that layer.
I’m not really familiar with AWS KMS, but the data keys they describe here https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys sound like the same concept.
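The data-key approach from the comment above, written out as an added example (not code from jose4j, AWS, or the issue): KMS generates an AES data key, the plaintext copy becomes the JWE content encryption key under alg "dir", and the KMS-encrypted copy travels in a custom header so the reader can ask KMS to unwrap it. It assumes the AWS SDK for Java v2 kms module and jose4j on the classpath; the header name "kms_edk" and the class name are assumptions of this example.

```java
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.lang.JoseException;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DataKeySpec;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyResponse;
import java.util.Base64;
import javax.crypto.spec.SecretKeySpec;

// Example class (not part of jose4j): envelope-encrypt a JWE with a KMS data key.
public class KmsEnvelopeJwe {
    private static final String EDK_HEADER = "kms_edk"; // assumed custom header: KMS-encrypted data key
    private final KmsClient kms;
    private final String kmsKeyId; // caller supplies the KMS key id or ARN

    public KmsEnvelopeJwe(KmsClient kms, String kmsKeyId) { this.kms = kms; this.kmsKeyId = kmsKeyId; }

    public String encrypt(String payload) throws JoseException {
        // KMS hands back the data key twice: plaintext (used once, here, never stored)
        // and a ciphertext blob that only KMS can unwrap.
        GenerateDataKeyResponse dk = kms.generateDataKey(GenerateDataKeyRequest.builder()
                .keyId(kmsKeyId).keySpec(DataKeySpec.AES_256).build());
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setPayload(payload);
        jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.DIRECT); // "dir": data key is the CEK
        jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_256_GCM);
        jwe.setKey(new SecretKeySpec(dk.plaintext().asByteArray(), "AES"));
        jwe.getHeaders().setStringHeaderValue(EDK_HEADER, Base64.getUrlEncoder().withoutPadding()
                .encodeToString(dk.ciphertextBlob().asByteArray()));
        return jwe.getCompactSerialization();
    }

    public String decrypt(String compact) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        // Pin alg/enc before parsing so a token whose header names another algorithm is rejected.
        jwe.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, KeyManagementAlgorithmIdentifiers.DIRECT));
        jwe.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT, ContentEncryptionAlgorithmIdentifiers.AES_256_GCM));
        jwe.setCompactSerialization(compact);
        byte[] edk = Base64.getUrlDecoder().decode(jwe.getHeader(EDK_HEADER));
        // Passing keyId makes KMS refuse a blob that was wrapped under a different key.
        byte[] cek = kms.decrypt(DecryptRequest.builder().keyId(kmsKeyId)
                .ciphertextBlob(SdkBytes.fromByteArray(edk)).build()).plaintext().asByteArray();
        jwe.setKey(new SecretKeySpec(cek, "AES"));
        return jwe.getPayload();
    }
}
```

The JWE's authentication tag covers the protected header, so the encrypted data key and the pinned algorithms are integrity-checked when the payload is decrypted; the KMS key itself never leaves KMS, which is the property the issue asks for.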
I think it is possible to do with a JCE provider by setting a ProviderContext. I have found this implementation https://github.com/aws-samples/aws-kms-jce, which, if it works (I have not verified it), will let you use AWS KMS as a JCE provider.