search

anvilresearch / jose

JSON Object Signing and Encryption for Node.js and the browser
MIT License
24 stars 7 forks source link

Certificating JWK public keys (JWC) #29

Open christiansmith opened 7 years ago

christiansmith commented 7 years ago

We've been experimenting with certificating JWK public key values. Like X.509 certificates, this key sharing scheme minimizes the need for fetching public keys used for encryption and signature verification. We're calling this JSON Web Certificates (JWC).

A JSON Web Certificate is created by adding descriptive properties to a JSON Web Key, representing the issuer (iss), subject (sub), and other key metadata, such as time of issue (iat), expiration (exp), and certificate identifier (jti). This JWK is then used as the payload of a JSON Web Token or JSON Web Document.

The following JWC is represented as a JSON Web Document signed with KS256.

{
  "payload": {
    "jti": "a49a290a8f185b3c30ab",
    "kid": "0f88678c349d41e4fd3e", 
    "iss": "https://example.org”, 
    "sub": "me@anvil.io",
    "kty": "EC",
    "crv": "K-256",
    "x": "wAa1grkJ4BLUJdNgRUG4ovcz3zXK6BeA3sDP3VT66As",
    "y": "fbZJQJgvxcgLupPb7Qp_7gL43FfTUHwBGNHJoProq34",
    "key_ops": [ "verify" ],
    "ext": true,
    "Iat": 1498398688,
    "exp": 1529934688
  },
  "signatures": [
    {
      "protected": {
        "alg": "KS256",
        "kid": "LGm6w06md1w",
        "jku": "https://example.org/jwks"
      },
      "signature": "MEYCIQDEwsaHMKPlH0teADyn5gs9CPY8c3O7z70N-xjwmM_JJwIhAPzzkSOuJ2..."
    }
  ]
}

A certificate can also be serialized as a compact JWT (line breaks for readability):

eyJhbGciOiJLUzI1NiIsImtpZCI6Ims1VHd4Y2UwYlJjIiwiamt1IjoiaHR0cDovL2xvY2FsaG9
zdDo1MTUwL2p3a3MifQ.eyJqdGkiOiJkMzkyNDE0NThjMjNiN2JmYjk1ZiIsImtpZCI6ImU
5N2M2MDZjMjliYWRjNWRhNDBkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MTUwIiwic
3ViIjoic21pdGhAYW52aWwuaW8iLCJrdHkiOiJFQyIsImNydiI6IkstMjU2IiwieCI6IndBYTF
ncmtKNEJMVUpkTmdSVUc0b3ZjejN6WEs2QmVBM3NEUDNWVDY2QXMiLCJ5IjoiZmJ
aSlFKZ3Z4Y2dMdXBQYjdRcF83Z0w0M0ZmVFVId0JHTkhKb1Byb3EzNCIsImtleV9vcH
MiOlsidmVyaWZ5Il0sImV4dCI6dHJ1ZSwiaWF0IjoxNDk4NDI0NTQ2LCJleHAiOjE1Mjk5
NjA1NDZ9.MEUCIQD2WRGkcZd-50q-jZtIl9tHqVmyOQ1zRLVTym2hAFyfLAIgVgZmI_5
7ouVwg5cZFHvPViIMo0u4kuDHY_YDGXGn6r0

A JWC can be included in a JOSE Protected Header object like so:

{
  "payload": {
    "hello": "world"
  },
  "signatures": [
    {
      "protected": {
        "alg": "KS256",
        "jwc": "eyJhbGciOiJLUzI1NiIsImtpZCI6Ims1VHd4Y2UwYlJjIiwiamt1IjoiaHR0cDovL2xvY2FsaG9zdDo1MTUwL2p3a3MifQ.eyJqdGkiOiJkMzkyNDE0NThjMjNiN2JmYjk1ZiIsImtpZCI6ImU5N2M2MDZjMjliYWRjNWRhNDBkIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MTUwIiwic3ViIjoic21pdGhAYW52aWwuaW8iLCJrdHkiOiJFQyIsImNydiI6IkstMjU2IiwieCI6IndBYTFncmtKNEJMVUpkTmdSVUc0b3ZjejN6WEs2QmVBM3NEUDNWVDY2QXMiLCJ5IjoiZmJaSlFKZ3Z4Y2dMdXBQYjdRcF83Z0w0M0ZmVFVId0JHTkhKb1Byb3EzNCIsImtleV9vcHMiOlsidmVyaWZ5Il0sImV4dCI6dHJ1ZSwiaWF0IjoxNDk4NDI0NTQ2LCJleHAiOjE1Mjk5NjA1NDZ9.MEUCIQD2WRGkcZd-50q-jZtIl9tHqVmyOQ1zRLVTym2hAFyfLAIgVgZmI_57ouVwg5cZFHvPViIMo0u4kuDHY_YDGXGn6r0"
      },
      "signature": "MEUCIAThnzOzVUFzv7CyZnNOou9xjrkk_4CYfpwRUF0j4OWyAiEAyOZFETZojdRjvaB-sLjIX7xOPn8_1w6CMuDy8AU1Plk"
    }
  ]
}

We now need to consider drafting a specification targeting IETF and incorporating necessary functions into this package.

EternalDeiwos commented 7 years ago

We'll probably be doing a separate repo for this soon (tm). Leaving this issue open until we get around to it.