Closed groovecoder closed 8 years ago
Merging #219 into master will decrease coverage by -0.08%
- 2 files in push were modified.
@@ master #219 diff @@
==========================================
Files 46 46
Lines 1077 1085 +8
Methods 0 0
Messages 0 0
Branches 37 36 -1
==========================================
+ Hits 995 1001 +6
- Misses 72 75 +3
+ Partials 10 9 -1
Powered by Codecov. Last updated by 5558e11...930fcbf
Looks good, other than removing a bit more hand waving about where the private key comes from in python. Might want to do the same for the js. (if we have to use shovels to find the bar, I'm totally OK with that.)
Updated with more explicit code samples:
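import ecdsa
from jose import jws

# from_pem() expects the PEM text itself, not a file name, so read the file first.
with open("you_vapid_key.pem") as key_file:
    private_key = ecdsa.SigningKey.from_pem(key_file.read())

# Sign the claims as a compact JWS using ES256 (ECDSA over P-256 with SHA-256).
sig = jws.sign(
    '{"aud": "https://developer.services.mozilla.com/42ffaf0f-3f46-4bd6-9671-e83aedfb28d4"}',
    private_key,
    algorithm='ES256'
)
print(sig)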
and
const crypto = require('crypto');
const jws = require('jws');

const curve = crypto.createECDH("prime256v1");
curve.generateKeys();
// Raw private key bytes (a Buffer), not a PEM string.
const privateKey = curve.getPrivateKey();
var jwt = jws.sign(
    {
        header: {typ: 'JWT', alg: 'ES256'},
        payload: {"aud": "https://developer.services.mozilla.com/42ffaf0f-3f46-4bd6-9671-e83aedfb28d4"},
        privateKey: privateKey
    }
);
console.log(jwt);
@marco-c - this node-jws example code doesn't work because jws.sign wants the privateKey in PEM format. I notice your web-push library does a lot of work for that. Should we have your web-push library export its toPem function and change this example to use your higher-level web-push library instead of the lower-level node-jws?
Yeah, this is where things get crappy between languages. PEM is the older format that a lot of older languages want to use (or at least make it really, really damn easy). Javascript (and I'm pretty sure node) want to use the newer "jwk" format, which skips the weird "Base64 of a RIF tagged binary stream" approach for JSON that doesn't make baby Crockford cry.
I'm ok with having a certain level of "hand waving" around this, because moving between PEM and JWK is how you decide to go raise sheep in Vermont instead. Figure for those who have WebCrypto available, they're going to use JWK for key exchange.
Okay, I put back some hand-waving privateKeyInPEMFormat in the node-jws sample code. So this is good to merge ... and we'll have to just see how confused users get with the UX. :/
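The PEM/JWK gap discussed in this thread, as an added example that is not code from the PR, node-jws or web-push: it turns the raw bytes from crypto.createECDH() into a PEM key by way of a JWK, then signs and verifies an ES256 token using only Node's built-in crypto. It assumes Node 15.12 or later for JWK import; the function names (ecdhToPem, signEs256, verifyEs256, demo) and the aud value are made up for illustration.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Convert the raw key bytes from crypto.createECDH() to PEM by way of a JWK.
function ecdhToPem(ecdh) {
  const pub = ecdh.getPublicKey(); // 0x04 || X (32 bytes) || Y (32 bytes)
  const raw = ecdh.getPrivateKey(); // can be shorter than 32 bytes, so left-pad
  const d = Buffer.concat([Buffer.alloc(32 - raw.length), raw]);
  const jwk = {
    kty: 'EC', crv: 'P-256',
    d: b64url(d), x: b64url(pub.subarray(1, 33)), y: b64url(pub.subarray(33, 65)),
  };
  return crypto.createPrivateKey({ key: jwk, format: 'jwk' })
    .export({ type: 'sec1', format: 'pem' });
}

// Compact JWS with ES256. JWS needs the raw 64-byte r||s signature, not the
// DER encoding that OpenSSL emits by default, hence dsaEncoding.
function signEs256(payload, pem) {
  const header = { typ: 'JWT', alg: 'ES256' };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: pem, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64url(sig)}`;
}

// Accept only three-part tokens whose header pins alg to ES256.
function verifyEs256(token, publicKey) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const [h, p, s] = parts;
  try {
    if (JSON.parse(Buffer.from(h, 'base64url').toString()).alg !== 'ES256') return false;
  } catch { return false; }
  return crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
}

function demo() {
  const ecdh = crypto.createECDH('prime256v1');
  ecdh.generateKeys();
  const pem = ecdhToPem(ecdh);
  // Constructed audience value, for illustration only.
  const token = signEs256({ aud: 'https://push.example.invalid/' }, pem);
  return { pem, token, ok: verifyEs256(token, crypto.createPublicKey(pem)) };
}

console.log(demo().ok);
```

The PEM string returned by ecdhToPem is the form a PEM-only signer expects in place of the raw Buffer.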
change validation logic to jws.verify