Note that with WebCrypto, the crypto parts of this become one-liners.

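crypto.subtle.generateKey(
  // RSA algorithms also require modulusLength and publicExponent
  {name: "RSA-OAEP", modulusLength: 2048,
   publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-1"},
  true, ["encrypt", "decrypt"])
  .then( function(keyPair) {
    // keyPair.publicKey and keyPair.privateKey are CryptoKey objects
  })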

On Tue, Nov 4, 2014 at 9:44 AM, Justin Richer <[email protected]> wrote:

> A while ago, I was fed up with creating self-signed X.509 certificates
> just to manage the bare keys used in JOSE processing. There's a lot of
> extraneous effort that goes into making fake certificate chains that are
> then dutifully ignored by the application, especially when the JWK format
> can hold both public and private keys natively already. So we switched our
> apps over to reading the JWK format instead of X.509, but we still needed
> something to securely generate the keys themselves. So I created a
> commandline Java application to generate keys in JWK format (based on the
> NimbusDS JOSE library):
>
>   https://github.com/mitreid-connect/json-web-key-generator
>
> It's slightly unwieldy to compile and run but it gets the job done. Last
> night, I wrapped that commandline application with a webapp and made it
> publicly available:
>
>   https://mkjwk.org/
>
> This simple service will generate a JWK in RSA, EC, or Oct (shared secret)
> format for you, using Java's cryptographic engine. You can add in the use,
> kid, and alg parameters, and the results are formatted into easily-copyable
> JSON. It will even wrap the key in a keyset and pull out the public key
> separately for you, in case you need those.
>
> We don't log any of the keys being generated by the service, but to be
> extra safe I would still recommend using a local generation mechanism (like
> the commandline app above) for production systems.
>
> Finally, I put the code to the site online in the name of transparency:
>
>   https://github.com/mitreid-connect/mkjwk.org
>
> I hope that people can find this useful, and we can start moving off of
> X.509 for bare key storage in applications. Much thanks to MIT KIT for
> providing hosting and support.
>
>  -- Justin
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
>