mozilla / browserid-crypto

INACTIVE - JavaScript implementation of JSON Web Signatures, JSON Web Tokens, and JSON Web Certificates
http://identity.mozilla.com
Mozilla Public License 2.0

new-format keys use "+" and "/" (non-URL base64).. is that right? #42

Closed warner closed 4 months ago

warner commented 12 years ago

Most of browserid uses "base64url" encoding, the Base64 encoding that uses "_" and "-" instead of "+" and "/". As an experiment, I ran jwcrypto's bin/generate-keypair with lib/version.js modified to use DEFAULT_DATA_FORMAT_VERSION = '2012.08.15', and the key it generated is using the "+/" alphabet instead of "-_":

{"algorithm":"DS","version":"2012.08.15","y":"HPh1+Oq/FL2ZZYV2ppm6NchlG4gFhJxeMnT/+ZCHj2zj/8kTapXQIKRLPcG8XCjchWNRFw/LSq2N0623NznCdeQUkETGeS3FvznEnO25flMt+jOwlznR/zBt7QzgumLRKkaG/FiyyCB7OgtnBk1xUvlRbs2CShG7HGUVKteUCSvv9bUSQ2a1NmrSMNwVuKoVYRImjTtolPQIXhmyxiO1QWU8FSnoN9qv84g0i0BXxFd0y5XVLicGhNd69OhTv2RJHyi5pZzYWQd38rhhgrLugUafSbfAH+2OX/jntctSxjtxH8g7KHWGgjE/hh1LwwgHUC8gXjgLXeNHam/V3D/bng==","p":"1sTlBFaXdWx6MS0CwiicJdQPmVQmH3tYdiFLbfEJxzi3Yiaxmbt+M/j8esHcwxbh58eJc5Ub/G/y4AzJh812/PsLjACWsLRg//rJYMpBNsKPS/tYDeR89+eTTDmF47PZQ7d/Bu8q86w0lPw8b8SYEKY4U4YqArscgkoBt/xojkAoUnpYrVjJ1RKSJmDbXVBbwmOvKTvJO81tiFoVdXnX9SlSI23Z0GpPw7wiR9IfGnD1hI6wF2UTU3yYP1o2c38B+CtEVG6Ofw+rxFfj3h2cXbqWllsQoqBYCwrQ+IF54QBmEH+3QxSgfmdFhjvHl7cALr7AsACpjraXQUcJrBe0AQ==","q":"seNw9kcsh1TM116ZZm7I7x/XSLdIu7wIUD2CzoBVqzs=","g":"moJpqy47czpSQhedj43bF/+TKX2eqwA3bbIRoisZyFTfqAFm3yEyy8UfsiSwkEq7Itose3hQ94ISTLV1sRb0HqfE/HWx13UlIEzXwjoVmZAEwjzetyNZ7nTohqHd54Va4F/oR0R9CmgFkALDgZp13H3Lsw4576w24H4sQEt8qYsmOyX6MUupPAYlcYvUic6m0EuksLfxVu60xWxEtQ5Ptbzp164NVbN5Il/rAhSgS+1y8z4GZNKQ58hA3z4qu15IGJ+k6QZG8YZ9sonGVgR2eZ976EIKbcAdB43kN/KA//LX3fEkjVbhpUuTOkFinWwlKYPFh5UQWALTDXvNgZz27w=="}

Is this intentional? Do you want to change this to use the "-" alphabet before switching to the new format? (if so, you should probably do it soon, since 0.4.0 won't actually be able to accept version=2012.08.15 keys if the spec is changed to make those keys use the "-" alphabet)

jedp commented 12 years ago

@warner @benadida this also differs from the native implementation, which uses the "-_" alphabet:

http://hg.mozilla.org/projects/pine/file/c84885ff69b1/toolkit/identity/IdentityCryptoService.cpp#l50

benadida commented 12 years ago

@jedp I think we're just talking about the format for JWK single values, which right now is just decimal in the native implementation.

That said, @warner is right: JWK specifies base64url encoding here (http://tools.ietf.org/html/draft-ietf-jose-json-web-key-05). Time to fix this! @warner if you have time, I would welcome a jwcrypto PR.

jedp commented 12 years ago

@benadida quite right - sorry about the confusion. My eyes were simply dazzled by dashes and underscores :)
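The alphabet mismatch discussed in this thread, as an added Node.js example that is not part of the original issue or of jwcrypto: it classifies which Base64 alphabet a key field uses, re-encodes "+/" values as base64url, and decodes strictly so a non-URL value is rejected instead of silently accepted. The function names are hypothetical, the sample key is constructed, and dropping the "=" padding is an assumption that follows the JOSE base64url convention.

```javascript
// Added example, not jwcrypto code. Field names y/p/q/g are taken from the
// key posted in this issue; all function names are hypothetical.
const STD_B64 = /^[A-Za-z0-9+/]*={0,2}$/; // standard alphabet, optional padding
const B64URL = /^[A-Za-z0-9_-]*$/;        // URL-safe alphabet, no padding

// Report which alphabet a value uses. A value with only letters and digits is
// valid in both alphabets, so it is reported as 'either'.
function classify(value) {
  if (B64URL.test(value)) return /[-_]/.test(value) ? 'base64url' : 'either';
  if (STD_B64.test(value)) return 'base64';
  return 'invalid'; // mixed alphabets or foreign characters
}

// Re-encode a standard-Base64 value as unpadded base64url (idempotent).
function toBase64Url(value) {
  if (classify(value) === 'invalid') {
    throw new Error('not Base64: mixed or unknown alphabet');
  }
  return value.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Strict decoder: accepts only the URL-safe alphabet with no padding.
// Node's Buffer is lenient by default, so the check has to be explicit.
function decodeBase64UrlStrict(value) {
  if (!B64URL.test(value) || value.length % 4 === 1) {
    throw new Error('not base64url');
  }
  return Buffer.from(value.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Convert the encoded fields of a key object; metadata fields are untouched.
function normalizeKey(key, fields = ['y', 'p', 'q', 'g']) {
  const out = { ...key };
  for (const f of fields) {
    if (typeof out[f] === 'string') out[f] = toBase64Url(out[f]);
  }
  return out;
}

// Constructed sample shaped like the key above, with short values.
const sample = { algorithm: 'DS', version: '2012.08.15', y: 'HPh1+Oq/FL0=', q: '+/8=' };
```

A parser that only implements `decodeBase64UrlStrict` fails on the "+/" form of the same key, which is the compatibility break warner describes for 0.4.0 if the alphabet changes after release.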