search

paragonie / paseto

Platform-Agnostic Security Tokens
https://paseto.io
Other
3.23k stars 108 forks source link

Questions on Assymetric Keys #156

Closed cnizzardini closed 2 years ago

cnizzardini commented 2 years ago

I'm learning my way through this spec and lib and have a couple of questions.

  1. Is there a way to generate AssymetricKeys without the following code:
$privateKey = new AsymmetricSecretKey(sodium_crypto_sign_keypair());
$publicKey = $privateKey->getPublicKey();
var_dump($privateKey->encode());
var_dump($publicKey->encode());

Meaning is it possible to supply my own custom key in place of sodium_crypto_sign_keypair() as the argument? Thus far I have been unsuccessful and have had to copy the output of the encoded private key and use it like so to decode:

$privateKey = AsymmetricSecretKey::fromEncodedString('62Z63Tlo27ijk355y-4BkPdTquSGgvftHncfTTqBsj1jhs6kGN63VYUh3ZpqLHOAur3n7bfHGepU3_d5_yz1yg');
echo Version4::verify($token, $privateKey->getPublicKey());

When trying building keys like this I am unable to decode them:

new AsymmetricSecretKey('mabdivRiQuavvunOtIkwalOwbocImsAls8SlafdovShatvegbisOfvaHedIcVenn');
  1. When I decode public PASETOs I am not seeing footer data like I do with local ones:
{"claim_data":"is encrypted","sub":"5e28e9ed-f3e1-4eb2-aa88-8d618f4021ee","iat":"2022-05-26T03:47:35+00:00","nbf":"2022-05-26T03:47:35+00:00","exp":"2022-05-27T03:47:35+00:00"}
  1. I take it that AsymmetricKeys are not a replacement for JWKS. But I am unsure whether KeyRings are the replacement or if PASERK is?
paragonie-security commented 2 years ago
  1. Yes: https://github.com/paragonie/paseto/blob/2c8c4beeda951d652ca0612790072d03fe40e9fd/src/Keys/AsymmetricSecretKey.php#L156-L166
$key = AsymmetricSecretKey::generate($version);

Don't generate keys elsewhere then import them. Instead, generate with the library then export. PASERK helps here.

More information: https://github.com/paseto-standard/paserk

  1. There are other methods. We intentionally don't clobber claim values with the footer, or vice-versa, and keep them separate. JsonToken has getFooterArray().

  2. The KeyRing class does what a JWK does at runtime, but for advanced use-cases, PASERK provides those features instead of polluting PASETO with features.

cnizzardini commented 2 years ago

Thanks for the answers.

Any thoughts about providing a shell command within this library to generate AssymetricKeys or is that found within PASERK?

paragonie-security commented 2 years ago

We hadn't considered that, but it might be a useful thing to make.

cnizzardini commented 2 years ago

Yes, would be nice if I could run something like vendor/bin/paseto keygen or vendor/bin/paseto keygen -encode or whatever...

cnizzardini commented 2 years ago

Ps. @paragonie-security I could try my hand at building one. Just not sure if this library would prefer to roll its own command ala phpcs or would be okay pulling in a depedency like symfony/console to ease creation.