Distributing Keys

Issue #34 new
Sriram Mandiramoorthy created an issue

This is not a bug or enhancement, but I can't stop myself from asking here. I am developing a backend application where I am in a position to provide SDKs to developers to use my service. JWT is really helpful and this library is really cool. But what I could not figure out is: if I create an RSA key per client, how can I distribute the private/public key to the developers? Of course I have an admin panel where they could come and get their private key, but I could see that the only way to convert an RSA key into a string is base64 encoding. Is there a better way I could convert RSA keys and share them with the developers?

One more way that just came to my mind: can I write the SDK in a way that it makes a handshake with the server and gets the private key over HTTPS? Please advise.

Comments (8)

  1. Brian Campbell repo owner

    I don't think I'm really in a position to design key distribution for your situation.

    I will say that JSON Web Key (JWK) provides a nice way to represent keys as strings using JSON. And the library has support for working with JWKs. Some quick examples:

            import java.security.PrivateKey;
            import java.security.PublicKey;
            import org.jose4j.jwk.EcJwkGenerator;
            import org.jose4j.jwk.JsonWebKey;
            import org.jose4j.jwk.PublicJsonWebKey;
            import org.jose4j.jwk.RsaJwkGenerator;
            import org.jose4j.keys.EllipticCurves;
            // generateJwk(...) and newPublicJwk(...) throw org.jose4j.lang.JoseException

            // Generate a new RSA key pair wrapped in a JWK
            PublicJsonWebKey rsaJwk = RsaJwkGenerator.generateJwk(2048);
    
            // or an EC key, if you prefer
            PublicJsonWebKey ecJwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
    
            // A JSON string with only the public key info
            String publicKeyJwkString = rsaJwk.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY);
            System.out.println(publicKeyJwkString);
    
            // A JSON string with both the public and private key info
            String keyPairJwkString = rsaJwk.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);
            System.out.println(keyPairJwkString);
    
            // parse and convert into PublicJsonWebKey/JsonWebKey objects
            PublicJsonWebKey parsedPublicKeyJwk = PublicJsonWebKey.Factory.newPublicJwk(publicKeyJwkString);
            PublicJsonWebKey parsedKeyPairJwk = PublicJsonWebKey.Factory.newPublicJwk(keyPairJwkString);
    
            // the private key can be used to sign (JWS) or decrypt (JWE)
            PrivateKey privateKey = parsedKeyPairJwk.getPrivateKey();
    
            // the public key can be used to verify (JWS) or encrypt (JWE)
            // (for the PUBLIC_ONLY JSON, getPrivateKey() would return null)
            PublicKey publicKey = parsedPublicKeyJwk.getPublicKey();
    
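As an added example (not part of the thread and not jose4j's own code), the per-client scheme the question describes, built on the JWK calls above: the server mints an RSA key pair per client, gives the developer the INCLUDE_PRIVATE JSON, keeps only the PUBLIC_ONLY half in a JWK Set, and later verifies the SDK's tokens by kid. The class name, the kid format, the client IDs and the audience string are illustrative assumptions.

```java
// Added example, not from the original thread. Class name, kid format,
// client IDs and audience are illustrative.
import java.security.PrivateKey;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.lang.JoseException;

public class PerClientKeyDistribution {

    /** Server side: mint a key pair for one client; only the public half is retained. */
    static RsaJsonWebKey mintClientKey(String clientId) throws JoseException {
        RsaJsonWebKey jwk = RsaJwkGenerator.generateJwk(2048);
        jwk.setKeyId("client-" + clientId + "-v1");   // rotate by issuing a new kid
        jwk.setUse("sig");
        jwk.setAlgorithm(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jwk;
    }

    /** SDK side: the developer configured the INCLUDE_PRIVATE JSON from the admin panel. */
    static String signClientToken(String privateJwkJson, String audience) throws JoseException {
        PublicJsonWebKey clientJwk = PublicJsonWebKey.Factory.newPublicJwk(privateJwkJson);
        PrivateKey privateKey = clientJwk.getPrivateKey();
        if (privateKey == null) {
            throw new IllegalStateException("JWK carries no private key; was it exported PUBLIC_ONLY?");
        }
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(clientJwk.getKeyId());
        claims.setAudience(audience);
        claims.setExpirationTimeMinutesInTheFuture(5);
        claims.setIssuedAtToNow();
        claims.setGeneratedJwtId();

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(privateKey);
        jws.setKeyIdHeaderValue(clientJwk.getKeyId());   // lets the server pick the right key
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }

    /** Server side: verify against the public JWK Set, pinning the algorithm to RS256. */
    static JwtClaims verifyClientToken(String jwt, JsonWebKeySet publicKeys, String audience)
            throws InvalidJwtException {
        JwtConsumer consumer = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setExpectedAudience(audience)
                .setVerificationKeyResolver(new JwksVerificationKeyResolver(publicKeys.getJsonWebKeys()))
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256))
                .build();
        return consumer.processToClaims(jwt);
    }

    public static void main(String[] args) throws Exception {
        RsaJsonWebKey jwk = mintClientKey("acme");

        // What the developer downloads: the full key pair.
        String forDeveloper = jwk.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);
        // What the server stores: a JWK Set containing public material only.
        String serverJwksJson = new JsonWebKeySet(jwk).toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY);
        System.out.println("server JWKS: " + serverJwksJson);

        // Check that PUBLIC_ONLY really drops the private parameters.
        PublicJsonWebKey reparsed = PublicJsonWebKey.Factory.newPublicJwk(
                jwk.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY));
        if (reparsed.getPrivateKey() != null) {
            throw new AssertionError("private parameters leaked into PUBLIC_ONLY output");
        }

        String token = signClientToken(forDeveloper, "my-service");
        JwtClaims claims = verifyClientToken(token, new JsonWebKeySet(serverJwksJson), "my-service");
        System.out.println("verified token from " + claims.getIssuer());

        // A token signed with a key pair the server never issued has no matching kid and is rejected.
        RsaJsonWebKey rogue = mintClientKey("rogue");
        String rogueToken = signClientToken(
                rogue.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE), "my-service");
        try {
            verifyClientToken(rogueToken, new JsonWebKeySet(serverJwksJson), "my-service");
            throw new AssertionError("token from an unissued key was accepted");
        } catch (InvalidJwtException e) {
            System.out.println("rejected unknown key: " + e.getMessage());
        }
    }
}
```

With this split the server never holds a client's private key, so the JWK Set it publishes or stores internally can be treated as non-secret. The kid in the JWS header is what the resolver uses to select the client's key; a resolution failure surfaces from JwtConsumer as an InvalidJwtException, and the PERMIT constraint keeps a token with a different alg from being accepted.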
  2. Sergiy Yevtushenko

    Thanks for the example, it's extremely helpful. The only thing which is not yet clear to me is the following: how can I generate the correct key for a particular algorithm ID? For example, if I'm going to use HS256 for signing and verification of a JWS with alg set to "HS256", I need a key which will be suitable for this purpose. How can I generate such a key? Some kind of factory class would be extremely convenient for such a purpose.

  3. Sergiy Yevtushenko

    Sorry, I've found no such method. And I did mean something like

    PublicJsonWebKey jwk = JwkGenerator.generateJwk(AlgorithmIdentifiers.HMAC_SHA256);

  4. Brian Campbell repo owner

    Sorry, I messed up that reply. generateJwk is on OctJwkGenerator, not OctetSequenceJsonWebKey, i.e.:

    OctetSequenceJsonWebKey jwk = OctJwkGenerator.generateJwk(256); // (both in org.jose4j.jwk package)

    OctetSequenceJsonWebKey is the subclass of JsonWebKey that's for symmetric keys. See https://tools.ietf.org/html/rfc7518#section-6.4

    BTW, HMAC is a symmetric algorithm (shared secret) so something that produces a PublicJsonWebKey like that wouldn't make sense.
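An added example for the symmetric case (not from the thread and not jose4j's own code): generating an oct JWK sized for HS256 with OctJwkGenerator as above, serializing it for both parties, and using the same secret on each side with JsonWebSignature. The class name and the kid are illustrative. jose4j by default rejects HMAC keys shorter than the hash output (256 bits for HS256) unless key validation is disabled, so 256 is the floor here.

```java
// Added example, not from the original thread. Class name and kid are illustrative.
import java.util.Arrays;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.OctJwkGenerator;
import org.jose4j.jwk.OctetSequenceJsonWebKey;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.lang.JoseException;

public class SharedSecretJwk {

    /** A 256-bit secret, the minimum jose4j accepts for HS256 with key validation on. */
    static OctetSequenceJsonWebKey newHs256Key(String kid) {
        OctetSequenceJsonWebKey jwk = OctJwkGenerator.generateJwk(256);
        jwk.setKeyId(kid);
        jwk.setUse("sig");
        jwk.setAlgorithm(AlgorithmIdentifiers.HMAC_SHA256);
        return jwk;
    }

    static String sign(String payload, OctetSequenceJsonWebKey jwk) throws JoseException {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(payload);
        jws.setKey(jwk.getKey());
        jws.setKeyIdHeaderValue(jwk.getKeyId());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256);
        return jws.getCompactSerialization();
    }

    /** The payload if the MAC verifies under HS256 with this key, otherwise null. */
    static String verify(String compact, OctetSequenceJsonWebKey jwk) throws JoseException {
        JsonWebSignature jws = new JsonWebSignature();
        // Pin the algorithm so a header claiming "none" or an asymmetric alg is refused outright.
        jws.setAlgorithmConstraints(new AlgorithmConstraints(
                AlgorithmConstraints.ConstraintType.PERMIT, AlgorithmIdentifiers.HMAC_SHA256));
        jws.setCompactSerialization(compact);
        jws.setKey(jwk.getKey());
        return jws.verifySignature() ? jws.getPayload() : null;
    }

    public static void main(String[] args) throws JoseException {
        OctetSequenceJsonWebKey jwk = newHs256Key("shared-v1");

        // The secret ("k") is emitted at INCLUDE_SYMMETRIC (or INCLUDE_PRIVATE); this JSON
        // must reach both sides over a confidential channel, since either side can forge with it.
        String forBothSides = jwk.toJson(JsonWebKey.OutputControlLevel.INCLUDE_SYMMETRIC);
        System.out.println("shared JWK: " + forBothSides);
        // PUBLIC_ONLY leaves only metadata: an HMAC key has no public half to publish.
        System.out.println("PUBLIC_ONLY view: " + jwk.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY));

        // The other party parses the JSON back into the identical secret.
        OctetSequenceJsonWebKey peer = (OctetSequenceJsonWebKey) JsonWebKey.Factory.newJwk(forBothSides);
        if (!Arrays.equals(jwk.getOctetSequence(), peer.getOctetSequence())) {
            throw new AssertionError("secret did not survive the JWK round trip");
        }

        String compact = sign("{\"sub\":\"sdk-user\"}", jwk);
        System.out.println("verified payload: " + verify(compact, peer));

        // A different secret, even of the right size and alg, must not verify.
        if (verify(compact, newHs256Key("other")) != null) {
            throw new AssertionError("MAC verified under the wrong key");
        }
    }
}
```

Because verification needs the same bytes that signing used, every party that can verify can also mint tokens; that is the property that makes a "public" oct JWK meaningless and is why a PublicJsonWebKey-returning generator for HS256 would not fit the type hierarchy.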