Thank you very much, Sergey.

Thanks,
Giriraj

On Mar 18, 2016 6:06 AM, "Sergey Beryozkin" <[email protected]> wrote:

> Hi,
>
> On 18/03/16 00:21, Giriraj Bhojak wrote:
>
>> Thank you Sergey.
>> I went through the spec. It mentions that the spec is not stable yet and is
>> subject to change. Would you know if it is widely used?
>>
> There are two specs involved here, JOSE and WebCrypto, the former is
> stable and is already quite widely used, though mostly in OAuth2 flows, but
> JOSE is independent of OAuth2.
>
> WebCrypto is a browser specific mechanism on how to get the keys/etc, the
> demo worked for me in Firefox/Chrome, not sure about the other browsers,
> though I might've tried IE too when trying on Windows, do not remember now.
> I think it is unlikely anything but some minor details will get changed
> there.
>
> If you'd like to start doing signing/encrypting within a script running
> inside a browser then I guess you have to be prepared at this stage to go
> some not-very standard-safe path.
>
>> I was hoping to use one of the JavaScript tools such as jsrsasign, but it
>> looks like it is out of the picture.
>>
>> Would you be able to share the source code/API details of the demo that
>> you gave at ApacheCon?
>>
> On the demo page, click at the WebCrypto++ icon and it will bring you to
> a page with a link to the source code. In my demo I only replaced the
> server code which validates JWS signatures, the code that signs the data
> from within a script was the same as in the original demo.
>
> I have not experimented with that script, I only wanted to demo the JOSE
> JWS interoperability between a non-CXF client (the script) and CXF server.
>
>> Could you please expand on the trusted server approach you mentioned in the
>> follow-up?
>>
> If you can not sign directly within the script then post the data to be
> signed to the trusted server that will do it for you and return the signed
> data.
>
> HTH, Sergey
>
>> Thank you for responding to my queries.
>>
>> Thanks,
>> Giriraj
>>
>> On Mar 17, 2016 6:10 PM, "Sergey Beryozkin" <[email protected]> wrote:
>>
>>> Or a browser may ask a trusted server to help with it, and get this server
>>> returning a String representing a JOSE payload, then the script forwards it
>>> somewhere else...
>>>
>>> Sergey
>>>
>>> On 17/03/16 21:35, Sergey Beryozkin wrote:
>>>
>>>> Hi
>>>>
>>>> You may be talking about WebCrypto.
>>>>
>>>> If you have a CXF client sending JSON, then JWE/JWS protecting it is
>>>> easy enough, but if you have a script running in a browser then this script
>>>> has no access to the key stores, unless it is a WebCrypto aware browser,
>>>> and most of them are by now AFAIK.
>>>>
>>>> See this demo:
>>>>
>>>> https://test.webpki.org/WCPPSignatureDemo/signcmd
>>>>
>>>> (it says a password is 1234). It shows an interaction between a
>>>> WebCrypto (https://www.w3.org/TR/WebCryptoAPI/) browser based client
>>>> and a regular Java HTTP server, the data are signed, using JOSE (JWS
>>>> Compact) as one option.
>>>>
>>>> I actually presented this demo at ApacheCon NA 2015, except I replaced
>>>> the demo server with a CXF JWS-enabled server.
>>>>
>>>> Sergey
>>>>
>>>> On 17/03/16 15:45, Giriraj Bhojak wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have been struggling with a basic question related to using signing and
>>>>> encryption for REST services.
>>>>>
>>>>> If the REST call (using JSON) happens over http or https via a browser, how
>>>>> can I ensure that the JSON payload is signed and encrypted, just like a SOAP
>>>>> request that is signed and encrypted?
>>>>>
>>>>> Is there a JavaScript component that I can use to implement JOSE for
>>>>> browser based REST requests?
>>>>>
>>>>> Or am I interpreting this in a wrong way?
>>>>>
>>>>> Thanks,
>>>>> Giriraj.
>>>>>
>>> --
>>> Sergey Beryozkin
>>>
>>> Talend Community Coders
>>> http://coders.talend.com/
>>>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
