Implement JPSK

Issue #21 resolved
Justin Richer created an issue

The new JOSE draft of JSON Private and Symmetric Keys extends JWK with a set of parameters to allow for the storage of non-public keys.

http://tools.ietf.org/id/draft-jones-jose-json-private-and-symmetric-key-00.html

While it's not a WG document yet, I think there's definite value in it and I'd like to see a class parallel to JWK (or extending JWK) that can handle these kinds of keys. It would be particularly useful for local storage of key material, such as what's used in server startup.

Comments (7)

  1. Vladimir Dzhuvinov

    Good :)

    I remember there was a discussion about private JWKs on the JOSE list, but didn't look into it any further. What do you think of using Java's standard keystore for storing those type of keys? This has been our preferred approach for now.

  2. Justin Richer reporter

    That's what we've been doing so far, but it's cumbersome and overly awkward. For instance, you have to protect both the keystore and each individual key with a password, but then you have to store the password in the configuration files that load the keystore in order to actually use it, so the extra levels of protection aren't buying you anything. I'd prefer a simpler text-based format like JPSK on disk.

    Plus, if we had this, then we could write a Java utility app to generate public and private keys and output them in this format. That would let us get out from under the JKS toolchain entirely, which would be very nice indeed.

  3. Justin Richer reporter

    Would you prefer these as separate objects or extensions of existing JWK subclasses?
