liquidz / clj-jwt

Clojure library for JSON Web Token(JWT)

Process for generating ES512 keys? #23

Open venantius opened 8 years ago

venantius commented 8 years ago

Hi! How do you recommend we generate ES512 keys for usage with clj-jwt? Thanks.

venantius commented 8 years ago

Perhaps somewhat explicitly, trying to use a key generated either by:

```
openssl ecparam -name secp521r1 -genkey -noout
```

or:

```
ssh-keygen -t ecdsa -b 521
```

gets me the following exception:

```
user=> (clj-jwt.key/private-key "common/resources/security/ec512-key")

java.security.NoSuchAlgorithmException: ECDSA KeyFactory not available
 org.bouncycastle.openssl.PEMException: unable to convert key pair: ECDSA KeyFactory not available
user=> (pst)
                                                clojure.core/eval         core.clj: 3105
                                                              ...
                                                    user/eval8551        REPL Input
                                                              ...
                                          clj-jwt.key/private-key          key.clj:   84
                                          clj-jwt.key/private-key          key.clj:   87
                                     clj-jwt.key/pem->private-key          key.clj:   82
                                        clj-jwt.key/eval8129/fn/G          key.clj:   12
                                          clj-jwt.key/eval8189/fn          key.clj:   44
    org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.getKeyPair
 org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.getKeyFactory
org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createKeyFactory
                             java.security.KeyFactory.getInstance  KeyFactory.java:  172
                                  java.security.KeyFactory.<init>  KeyFactory.java:  138
java.security.NoSuchAlgorithmException: ECDSA KeyFactory not available
 org.bouncycastle.openssl.PEMException: unable to convert key pair: ECDSA KeyFactory not available
nil
```

venantius commented 8 years ago

So, the problem here turns out not to have been an issue with my generation of ECDSA keys, but rather the fact that the BouncyCastle Provider hadn't been configured (refer to JIRA issue on BouncyCastle here: http://www.bouncycastle.org/jira/browse/BJA-625)

To get this working, you just need to add the BouncyCastle Provider to the java.security.Security class as follows:

```clojure
(. java.security.Security addProvider (org.bouncycastle.jce.provider.BouncyCastleProvider.))
```

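The fix described in the comment above, as an added example that is not part of the thread or of clj-jwt itself: register the BouncyCastle provider idempotently before loading the PEM, then check that the loaded key really is an EC key on P-521, which is what ES512 (ECDSA over P-521 with SHA-512) requires. The key path is the one from the thread and is assumed to exist; it is assumed that `clj-jwt.key/private-key` returns a `java.security.PrivateKey` for an EC PEM, as the stack trace suggests.

```clojure
(ns es512-key-check
  (:require [clj-jwt.key :as key])
  (:import [java.security Security]
           [java.security.interfaces ECPrivateKey]
           [org.bouncycastle.jce.provider BouncyCastleProvider]))

(defn ensure-bouncy-castle!
  "Register the BouncyCastle JCE provider unless it is already installed.
   Security/getProvider returns nil when \"BC\" is absent, so this is safe
   to call from more than one namespace without installing it twice."
  []
  (when-not (Security/getProvider BouncyCastleProvider/PROVIDER_NAME)
    (Security/addProvider (BouncyCastleProvider.))))

(defn ec-field-size
  "Field size in bits of the curve an EC private key lives on
   (521 for secp521r1, 256 for prime256v1)."
  [^ECPrivateKey k]
  (.. k getParams getCurve getField getFieldSize))

(defn load-es512-private-key
  "Load a PEM-encoded EC private key for use with ES512. Registers the
   provider first (the missing step that produced the NoSuchAlgorithmException
   in this thread) and rejects keys that are not EC or not on P-521, so a
   P-256 key cannot silently end up signing tokens that claim ES512."
  [pem-path]
  (ensure-bouncy-castle!)
  (let [k (key/private-key pem-path)]            ; assumed to return a PrivateKey
    (when-not (instance? ECPrivateKey k)
      (throw (ex-info "Not an EC private key"
                      {:algorithm (.getAlgorithm k)})))
    (let [bits (ec-field-size k)]
      (when-not (= 521 bits)
        (throw (ex-info "ES512 requires a secp521r1 (P-521) key"
                        {:field-size bits}))))
    k))

;; Key generated as in the thread (assumed path, written to a file this time):
;;   openssl ecparam -name secp521r1 -genkey -noout -out ec512-key
;; (load-es512-private-key "common/resources/security/ec512-key")
```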
venantius commented 8 years ago

Ah, I just saw e13b665c1b19b8c83cc2effe64183128a323f46f. So really all you need to do is to update the README to make clear that the process for ingesting an ECDSA key is different from how it used to be.