frasertweedale / hs-jose

Haskell JOSE and JWT library
http://hackage.haskell.org/package/jose
Apache License 2.0

JWK.Alg not exported #19

Closed jkarni closed 7 years ago

jkarni commented 8 years ago

The Crypto.JWK module does not export the Alg type and its constructors. I'm not sure why, or how to get the JWS algorithm of a JWK without that.

frasertweedale commented 7 years ago

Note: the "alg" JWK header parameter is optional and the RFCs say very little about how it should be used. I'd recommend examining key data to decide what algorithm should be used.

See https://github.com/frasertweedale/hs-jose/blob/7715cd23fceb11bc9488bc9f386afb13bf5a5263/example/Main.hs#L54-L57 as an (incomplete) example. For EC key types, it is necessary to further inspect the key material to ensure the appropriate algorithm is selected.

I implemented a "choose the cryptographically strongest alg supported by the key" heuristic in the bestJWSAlg function. (https://github.com/frasertweedale/hs-jose/blob/e996553f7adc6e2b5a2c5fe0fecec6de9a0b2be9/src/Crypto/JOSE/JWK.hs#L185-L208)

For usage, see the updated example program: https://github.com/frasertweedale/hs-jose/blob/a47427c1fc92b21df82518289b87af3ad313452c/example/Main.hs#L52. Makes things pretty straightforward.

If choosing "most compatible" alg is desired, feel free to submit a PR or open a new ticket.

Thanks for your input to the library.
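
The approach discussed in this thread (derive the JWS algorithm from the key material and treat the optional "alg" member as a hint only), as an added Python example over JWK JSON objects; it is not hs-jose code and not the library's bestJWSAlg. The strongest-first ordering, the preference for PS512 on RSA keys and the choice to honour a compatible "alg" hint are assumptions of this sketch; the size limits follow RFC 7518.

```python
import base64

EC_ALGS = {"P-256": "ES256", "P-384": "ES384", "P-521": "ES512"}
RSA_ALGS = ("RS256", "RS384", "RS512", "PS256", "PS384", "PS512")


def b64url_decode(value):
    """Decode unpadded base64url, the encoding used for JWK members."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def usable_algs(jwk):
    """Return the JWS algorithms the key material supports, strongest first (assumed order)."""
    kty = jwk.get("kty")
    if kty == "EC":
        # RFC 7518 section 3.4 ties each ECDSA algorithm to exactly one curve.
        alg = EC_ALGS.get(jwk.get("crv"))
        return [alg] if alg else []
    if kty == "RSA":
        bits = int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()
        # RFC 7518 sections 3.3 and 3.5 require a modulus of 2048 bits or more.
        return list(reversed(RSA_ALGS)) if bits >= 2048 else []
    if kty == "oct":
        n = len(b64url_decode(jwk["k"]))
        # RFC 7518 section 3.2: the key must be at least as long as the hash output.
        return [a for a, size in (("HS512", 64), ("HS384", 48), ("HS256", 32)) if n >= size]
    return []


def select_alg(jwk):
    """Pick an algorithm from key material; reject an "alg" hint the key cannot support."""
    algs = usable_algs(jwk)
    if not algs:
        raise ValueError("no JWS algorithm is acceptable for this key")
    hint = jwk.get("alg")
    if hint is not None and hint not in algs:
        raise ValueError(f"declared alg {hint!r} does not match key material")
    return hint or algs[0]


if __name__ == "__main__":
    # Constructed sample keys (not real key material; EC coordinates omitted).
    print(select_alg({"kty": "oct", "k": "A" * 43}))
    print(select_alg({"kty": "EC", "crv": "P-384"}))
```
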