jpf / lokey

A tool that makes it easy to work with and convert between cryptographic key formats
GNU General Public License v3.0

Use in real world #3

Open tc09 opened 7 years ago

tc09 commented 7 years ago

when I did

$ lokey fetch jwk login.yahoo.com
Multiple keys found:

What I would like to have is some way to get the PEM files for the two keys.

I know about the lokey to pem. But I am struggling with the correct inputs from what I can retrieve from yahoo.

jpf commented 7 years ago

I struggled with how to handle this sort of scenario. Can you explain more about what you're trying to accomplish? That would help me figure out what the right sort of syntax would be. Suggestions welcome too!

tc09 commented 7 years ago

There are two things I could share with you based on my further experience with it.

One, you could simply print out the PEM format of the multiple keys. Two, at the moment lokey does not seem to handle the EC public key. The lokey to pem does work with RSA public key. To try this out, the output we had earlier, {"use": "sig", ... ad"}, could be saved into, say, key2. Then cat key2 | lokey to pem would complain:

Error: Input is not recognized. Got this on input:

{"kty":"EC","alg":"ES256","use":"sig","crv":"P-256","kid":"3466d51f7dd0c780565688c183921816c45889ad","x":"cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I","y":"AK8V_Tgg_ayGoXiseiwLOClkekc9fi49aYUQpnY1Ay_y"}

tc09 commented 7 years ago

One possible design for your interface could be

lokey fetch jwk login.yahoo.com

to print out all the keys from login.yahoo.com similar to what yahoo does in the https://login.yahoo.com/openid/v1/certs:

{"keys":[{"kty":"RSA","alg":"RS256","use":"sig","kid":"6ff94cdad11e7c3ac08dc9ec3c44844b87e364f7","n":"AL1LkSgnGk-sKqFDBrojoqvpqOwmN7tgvz0p6J9g8O_nOzXMAwzMUUs4H_FMgeNWcuE6XzJX3spVwAYBp-rBLwyXXCGbO_chhwcpBDNndlZyqS2zOvwmZYdh4MhrUnIOcA8cdDB1hqoDdKOx9M-EjuoafcgqEPA7rWsZTH6TITMP","e":"AQAB"},{"kty":"EC","alg":"ES256","use":"sig","crv":"P-256","kid":"3466d51f7dd0c780565688c183921816c45889ad","x":"cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I","y":"AK8V_Tgg_ayGoXiseiwLOClkekc9fi49aYUQpnY1Ay_y"}]}

Then lokey fetch jwk login.yahoo.com | lokey to pem could simply print out the two keys in PEM formats.
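The conversion the two comments above ask for (both keys of the JWK Set written out as PEM, with the EC key handled as well as the RSA one), as an added example that is not lokey's code and not something either participant posted. It is a pure standard-library Python script; the file name jwks2pem.py in the comment is hypothetical. The embedded JWK Set is the login.yahoo.com document pasted earlier in the thread. Two details worth noticing in that data: the "n" value decodes to 129 bytes and the "y" value to 33 bytes, each with a leading 0x00 sign byte, which RFC 7518 does not allow (coordinates must be exactly the field size, and "n" must use the minimum number of octets), so a strict parser can reject the set as written. The converter below goes through integers so it accepts it anyway, and it checks that the EC point actually lies on P-256 before emitting it, which is the check a practitioner wants before feeding a fetched key to a verifier.

```python
import base64
import json
import sys

# JWK Set exactly as posted in the thread (login.yahoo.com/openid/v1/certs).
YAHOO_JWKS = '{"keys":[{"kty":"RSA","alg":"RS256","use":"sig","kid":"6ff94cdad11e7c3ac08dc9ec3c44844b87e364f7","n":"AL1LkSgnGk-sKqFDBrojoqvpqOwmN7tgvz0p6J9g8O_nOzXMAwzMUUs4H_FMgeNWcuE6XzJX3spVwAYBp-rBLwyXXCGbO_chhwcpBDNndlZyqS2zOvwmZYdh4MhrUnIOcA8cdDB1hqoDdKOx9M-EjuoafcgqEPA7rWsZTH6TITMP","e":"AQAB"},{"kty":"EC","alg":"ES256","use":"sig","crv":"P-256","kid":"3466d51f7dd0c780565688c183921816c45889ad","x":"cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I","y":"AK8V_Tgg_ayGoXiseiwLOClkekc9fi49aYUQpnY1Ay_y"}]}'

# NIST P-256 (secp256r1): field prime p and coefficient b of y^2 = x^3 - 3x + b.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

def b64url_to_int(s):
    """RFC 7515 base64url (no padding) -> unsigned int. Going through int tolerates
    encoders that emit a leading 0x00 sign byte, as 'n' and 'y' above do."""
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    return int.from_bytes(raw, "big")

def der(tag, body):
    """Tag-Length-Value with DER definite-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_uint(v):
    """Non-negative INTEGER: minimal big-endian, 0x00 prefix if the top bit is set."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_bitstring(b):
    return der(0x03, b"\x00" + b)  # first content byte = number of unused bits

def rsa_jwk_to_spki(jwk):
    """RSA JWK -> SubjectPublicKeyInfo wrapping an RFC 3279 RSAPublicKey."""
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    alg = der_seq(der_oid("1.2.840.113549.1.1.1"), der(0x05, b""))  # rsaEncryption, NULL
    return der_seq(alg, der_bitstring(der_seq(der_uint(n), der_uint(e))))

def ec_point_on_curve(x, y):
    """Reject off-curve points: check y^2 == x^3 - 3x + b (mod p)."""
    in_field = 0 <= x < P256_P and 0 <= y < P256_P
    return in_field and (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0

def ec_jwk_to_spki(jwk):
    """EC P-256 JWK -> SubjectPublicKeyInfo (RFC 5480) with an uncompressed point."""
    if jwk.get("crv") != "P-256":
        raise ValueError("only P-256 handled here, got %r" % jwk.get("crv"))
    x, y = b64url_to_int(jwk["x"]), b64url_to_int(jwk["y"])
    if not ec_point_on_curve(x, y):
        raise ValueError("EC point is not on P-256")
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    alg = der_seq(der_oid("1.2.840.10045.2.1"), der_oid("1.2.840.10045.3.1.7"))  # ecPublicKey, prime256v1
    return der_seq(alg, der_bitstring(point))

def to_pem(spki):
    b64 = base64.b64encode(spki).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % body

def convert_jwks(jwks_json):
    """Every key in a JWK Set -> list of {kid, kty, der, pem}, in set order."""
    out = []
    for jwk in json.loads(jwks_json)["keys"]:
        if jwk["kty"] == "RSA":
            spki = rsa_jwk_to_spki(jwk)
        elif jwk["kty"] == "EC":
            spki = ec_jwk_to_spki(jwk)
        else:
            raise ValueError("unsupported kty %r" % jwk["kty"])
        out.append({"kid": jwk.get("kid"), "kty": jwk["kty"], "der": spki, "pem": to_pem(spki)})
    return out

if __name__ == "__main__":
    # `python jwks2pem.py -` converts a JWK Set read from stdin (e.g. piped from
    # curl); with no argument it converts the embedded sample.
    src = sys.stdin.read() if sys.argv[1:] == ["-"] else YAHOO_JWKS
    for key in convert_jwks(src):
        sys.stdout.write("# kid=%s kty=%s\n%s" % (key["kid"], key["kty"], key["pem"]))
```

The output is the SubjectPublicKeyInfo form ("BEGIN PUBLIC KEY"), which is what most verification libraries load directly; the RSA key comes out as a 162-byte DER blob because the modulus is 1024 bits, and the EC key as the usual 91-byte P-256 blob. Emitting one kid comment per PEM keeps the mapping between the JWK Set and the PEM files that the thread asks for.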

jpf commented 7 years ago

Oh, interesting. I didn't consider using the JWK format for multiple keys. That's a good idea.

As far as EC keys go, I don't know enough about elliptic curves to know how easy it is to switch formats around like you can with RSA keys (my guess would be yes, but my "minimum viable product" was RSA).

Lastly, I built lokey because I found myself converting keys a lot in validation code I was writing. But I have no idea how other people would use lokey - what are you using it for?