JWE header
Hello,
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <cjose/cjose.h>

static const char *plainText = "test";
// ....
static const char *JWK_RSA
= "{ \"kty\": \"RSA\", "
"\"e\": \"AQAB\", "
"\"n\": "
"\"wsqJbopx18NQFYLYOq4ZeMSE89yGiEankUpf25yV8QqroKUGrASj_OeqTWUjwPGKTN1vGFFuHYxiJeAUQH2qQPmg9Oqk6-"
"ATBEKn9COKYniQ5459UxCwmZA2RL6ufhrNyq0JF3GfXkjLDBfhU9zJJEOhknsA0L_c-X4AI3d_NbFdMqxNe1V_"
"UWAlLcbKdwO6iC9fAvwUmDQxgy6R0DC1CMouQpenMRcALaSHar1cm4K-syoNobv3HEuqgZ3s6-hOOSqauqAO0GUozPpaIA7OeruyRl5sTWT0r-"
"iz39bchID2bIKtcqLiFcSYPLBcxmsaQCqRlGhmv6stjTCLV1yT9w\", "
"\"kid\": \"ff3c5c96-392e-46ef-a839-6ff16027af78\", "
"\"d\": "
"\"b9hXfQ8lOtw8mX1dpqPcoElGhbczz_-xq2znCXQpbBPSZBUddZvchRSH5pSSKPEHlgb3CSGIdpLqsBCv0C_XmCM9ViN8uqsYgDO9uCLIDK5plWttbkqA_"
"EufvW03R9UgIKWmOL3W4g4t-"
"C2mBb8aByaGGVNjLnlb6i186uBsPGkvaeLHbQcRQKAvhOUTeNiyiiCbUGJwCm4avMiZrsz1r81Y1Z5izo0ERxdZymxM3FRZ9vjTB-"
"6DtitvTXXnaAm1JTu6TIpj38u2mnNLkGMbflOpgelMNKBZVxSmfobIbFN8CHVc1UqLK2ElsZ9RCQANgkMHlMkOMj-XT0wHa3VBUQ\", "
"\"p\": "
"\"8mgriveKJAp1S7SHqirQAfZafxVuAK_A2QBYPsAUhikfBOvN0HtZjgurPXSJSdgR8KbWV7ZjdJM_eOivIb_XiuAaUdIOXbLRet7t9a_"
"NJtmX9iybhoa9VOJFMBq_rbnbbte2kq0-FnXmv3cukbC2LaEw3aEcDgyURLCgWFqt7M0\", "
"\"q\": "
"\"zbbTv5421GowOfKVEuVoA35CEWgl8mdasnEZac2LWxMwKExikKU5LLacLQlcOt7A6n1ZGUC2wyH8mstO5tV34Eug3fnNrbnxFUEE_ZB_njs_"
"rtZnwz57AoUXOXVnd194seIZF9PjdzZcuwXwXbrZ2RSVW8if_ZH5OVYEM1EsA9M\", "
"\"dp\": "
"\"1BaIYmIKn1X3InGlcSFcNRtSOnaJdFhRpotCqkRssKUx2qBlxs7ln_5dqLtZkx5VM_UE_GE7yzc6BZOwBxtOftdsr8HVh-14ksSR9rAGEsO2zVBiEuW4qZf_"
"aQM-ScWfU--wcczZ0dT-Ou8P87Bk9K9fjcn0PeaLoz3WTPepzNE\", "
"\"dq\": "
"\"kYw2u4_UmWvcXVOeV_VKJ5aQZkJ6_sxTpodRBMPyQmkMHKcW4eKU1mcJju_"
"deqWadw5jGPPpm5yTXm5UkAwfOeookoWpGa7CvVf4kPNI6Aphn3GBjunJHNpPuU6w-wvomGsxd-NqQDGNYKHuFFMcyXO_zWXglQdP_1o1tJ1M-BM\", "
"\"qi\": "
"\"j94Ens784M8zsfwWoJhYq9prcSZOGgNbtFWQZO8HP8pcNM9ls7YA4snTtAS_"
"B4peWWFAFZ0LSKPCxAvJnrq69ocmEKEk7ss1Jo062f9pLTQ6cnhMjev3IqLocIFt5Vbsg_PWYpFSR7re6FRbF9EYOM7F2-HRv1idxKCWoyQfBqk\" }";
int main(void)
{
    cjose_err err;
    cjose_jwk_t *jwk = cjose_jwk_import(JWK_RSA, strlen(JWK_RSA), &err);
    if (!jwk) { fprintf(stderr, "jwk import failed: %s\n", err.message); return 1; }
    // set header for JWE (only alg and enc are set here; nothing sets kid)
    cjose_header_t *hdr = cjose_header_new(&err);
    cjose_header_set(hdr, CJOSE_HDR_ALG, CJOSE_HDR_ALG_RSA_OAEP, &err);
    cjose_header_set(hdr, CJOSE_HDR_ENC, CJOSE_HDR_ENC_A256GCM, &err);
    // create the JWE
    size_t plain1_len = strlen(plainText);
    cjose_jwe_t *jwe1 = cjose_jwe_encrypt(jwk, hdr, (const uint8_t *)plainText, plain1_len, &err);
    if (!jwe1) { fprintf(stderr, "encrypt failed: %s\n", err.message); return 1; }
    // get the compact serialization of JWE
    char *compact = cjose_jwe_export(jwe1, &err);
    printf("compact %s\n", compact);
    // release everything, including the exported string
    cjose_get_dealloc()(compact);
    cjose_header_release(hdr);
    cjose_jwe_release(jwe1);
    cjose_jwk_release(jwk);
    return 0;
}
This code prints the result:
eyJhbGciOiAiUlNBLU9BRVAiLCAiZW5jIjogIkEyNTZHQ00ifQ.vKVHv3OdkAoCImJIo9lHHrAiEaUhJurtqeqRv-53OFrUwovqvvpgIWuq-1mhIsxadGgyOqgFHZK9SBNwes8ilCL4QeW3T2UqGdv02SWjBWxopr3qgeR56RvLQNQvncW74hM142WKUmqKxamNREAxG6i19X6oEAVqoYzqdPP3L91jRFPIY-qrm2am3n_yg2RPQxSimj6zNMf-Gr9SLI0WlfR00IwLx1gyVujUDs8KMp8FpqFppsLLBx-j52-q6Wi9uKzEsJW_0hBRWtZSKKmDBvOuB8138AkTfy7Q9AOOQOoXmHwQfzHbNzdNcmxyExy8TCZF2PbNxnJWKyf0BzK8qg.5h6eNxL4t1sH73R9.t8g0zw.JQ8ucCXXJRKeLywlqesDIQ
When I base64url-decode the header part:
eyJhbGciOiAiUlNBLU9BRVAiLCAiZW5jIjogIkEyNTZHQ00ifQ, I get this result:
{"alg": "RSA-OAEP", "enc": "A256GCM"}
Why am I not getting the right header, with the kid part:
{"kid":"ff3c5c96-392e-46ef-a839-6ff16027af78","alg":"RSA-OAEP","enc":"A256GCM"}
The kid attribute is optional, so I believe the implementation just does not assume you want it to be set. You should be able to set it explicitly, though I would agree it would be convenient to have an option to have it automatically pulled from the encryption key.
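As an added example (not cjose code and not from either poster), a small C check for the step above: base64url-decode the first segment of a compact JWE, as the reporter did by hand, and report whether the protected header carries a "kid" member, so a sender can verify the header before relying on a recipient's kid-based key lookup. The sample token is constructed from the report's own output, truncated after the header segment.

```c
#include <string.h>

/* Constructed sample: the compact JWE from the report above, cut after the
 * protected-header segment (only the first segment is inspected here). */
#define SAMPLE_JWE "eyJhbGciOiAiUlNBLU9BRVAiLCAiZW5jIjogIkEyNTZHQ00ifQ.vKVH.5h6e.t8g0.JQ8u"

/* Decode unpadded base64url (RFC 7515 section 2). Returns length or -1. */
static int b64url_decode(const char *in, size_t in_len, unsigned char *out, size_t cap)
{
    const char *tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    unsigned acc = 0, bits = 0; size_t n = 0;
    for (size_t i = 0; i < in_len; i++) {
        const char *p = in[i] ? strchr(tbl, in[i]) : NULL;
        if (!p) return -1;                       /* '=' padding or junk rejected */
        acc = (acc << 6) | (unsigned)(p - tbl);
        bits += 6;
        if (bits >= 8) {                         /* emit one byte, keep leftover bits */
            bits -= 8;
            if (n >= cap) return -1;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return (int)n;
}

/* Decode the protected header (first '.'-separated segment) of a compact
 * JWE into a static NUL-terminated buffer; NULL if malformed. */
const char *jwe_protected_header(const char *compact)
{
    static char hdr[1024];
    const char *dot = strchr(compact, '.');
    size_t seg_len = dot ? (size_t)(dot - compact) : strlen(compact);
    int n = b64url_decode(compact, seg_len, (unsigned char *)hdr, sizeof hdr - 1);
    if (n < 0) return NULL;
    hdr[n] = '\0';
    return hdr;
}

/* 1 if the header has a "kid" member, 0 if not, -1 if malformed. Looks for
 * "kid" followed by ':' so a value that merely contains "kid" does not match. */
int jwe_header_has_kid(const char *compact)
{
    const char *hdr = jwe_protected_header(compact);
    if (!hdr) return -1;
    for (const char *p = strstr(hdr, "\"kid\""); p; p = strstr(p + 5, "\"kid\"")) {
        const char *q = p + 5;
        while (*q == ' ' || *q == '\t') q++;
        if (*q == ':') return 1;
    }
    return 0;
}
```

Running it on the reporter's token decodes to {"alg": "RSA-OAEP", "enc": "A256GCM"} and reports no kid, matching what the thread observed.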
Thanks @balthorium. It's not easy to understand what's happened when you just want to use a JOSE library without knowing all the RFCs. Do you know if there are other header attributes which can be in the key part and should be set in the header part, like the kid attribute? (I think that I should read all the JOSE RFCs :) )
I would think that any of the x5* headers of the JWK would be fair game. But again, these are all optional fields in the JWE, so in the interest of not making too many bold assumptions I would be inclined to keep the default as it is. An opt-in flag to "carry fields from JWK to JWE" might be an interesting feature, though.