That will be great to have a Javascript version widely available as
well, when it's ready. I also know someone working on a Python app to
handle the same task on the commandline, and I look forward to people
having their pick of tools to do this job. If key generation isn't easy,
people will get lazy and re-use keys, fail to rotate them when needed,
or other, worse things.
-- Justin
On 11/4/2014 9:54 AM, Richard Barnes wrote:
Note that with WebCrypto, the crypto parts of this become one-liners.
crypto.subtle.generateKey(
    // RSA key generation also needs modulusLength and publicExponent to run at all;
    // hash: "SHA-1" is kept as originally posted (SHA-256 is the usual choice now)
    {name: "RSA-OAEP", modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-1"},
    true, ["encrypt", "decrypt"])
  .then( function(keyPair) {
    return crypto.subtle.exportKey("jwk", keyPair.privateKey);  // keyPair.publicKey for the public JWK
  })
On Tue, Nov 4, 2014 at 9:44 AM, Justin Richer <[email protected]> wrote:
A while ago, I was fed up with creating self-signed X.509
certificates just to manage the bare keys used in JOSE processing.
There's a lot of extraneous effort that goes into making fake
certificate chains that are then dutifully ignored by the
application, especially when the JWK format can hold both public
and private keys natively already. So we switched our apps over to
reading the JWK format instead of X.509, but we still needed
something to securely generate the keys themselves. So I created a
commandline Java application to generate keys in JWK format (based
on the NimbusDS JOSE library):
https://github.com/mitreid-connect/json-web-key-generator
It's slightly unwieldy to compile and run but it gets the job
done. Last night, I wrapped that commandline application with a
webapp and made it publicly available:
https://mkjwk.org/
This simple service will generate a JWK in RSA, EC, or Oct (shared
secret) format for you, using Java's cryptographic engine. You can
add in the use, kid, and alg parameters, and the results are
formatted into easily-copyable JSON. It will even wrap the key in
a keyset and pull out the public key separately for you, in case
you need those.
We don't log any of the keys being generated by the service, but
to be extra safe I would still recommend using a local generation
mechanism (like the commandline app above) for production systems.
Finally, I put the code to the site online in the name of
transparency:
https://github.com/mitreid-connect/mkjwk.org
I hope that people can find this useful, and we can start moving
off of X.509 for bare key storage in applications. Much thanks to
MIT KIT for providing hosting and support.
-- Justin
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose