
WIP: X509 headers support in JWK/JWS

Open shaxbee opened this issue 8 years ago • 11 comments

shaxbee avatar Dec 02 '16 17:12 shaxbee

Pending additional tests to check if x5t, x5t#256 are generated correctly.

shaxbee avatar Dec 04 '16 15:12 shaxbee

@ekristen Could you test it out?

shaxbee avatar Dec 07 '16 09:12 shaxbee

@shaxbee apologies for the delay, I do appreciate the work, let me try and get this tested now.

ekristen avatar Dec 07 '16 14:12 ekristen

@shaxbee Seems to work just fine; it would be nice to be able to control what fields make it into the JWK and the signing key headers. For example, if someone includes the certificates they might just want the x5t or the x5t#256 but not the x5c, and vice versa.

Thoughts on how it could be implemented to allow the person implementing the go-jose library to choose which fields are present and used?

ekristen avatar Dec 07 '16 15:12 ekristen

@ekristen You can set the signature fields in JSONWebKey manually using the X509Thumbprint and X509ThumbprintSHA256 functions without setting certs. When someone already includes certificates, the thumbprint string size is minimal compared to the embedded certificates.

shaxbee avatar Dec 07 '16 16:12 shaxbee

Maybe it is out of scope, but it would be nice to be able to provide the private key, certs, etc and still be able to indicate which fields you want in the JWK and the JWS headers.

ekristen avatar Dec 07 '16 21:12 ekristen

I don't want to make jwk struct too complicated, @csstaub what's your take?

shaxbee avatar Dec 08 '16 02:12 shaxbee

Sorry for being a bit absent, was on vacation for a while -- going to take a look at this soon.

csstaub avatar Dec 20 '16 02:12 csstaub

@csstaub are we expecting to move forward with this PR?

dray92 avatar Jun 08 '18 22:06 dray92

@dray92 I don't think this can be merged as-is, but feel free to pick up this branch and work on it if you want to get this change merged. Probably needs to expose a function to fetch & verify certificates on the JWK given a CA bundle/trust store similar to the API we have for JWS in the base package.

csstaub avatar Jun 08 '18 22:06 csstaub
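The two points raised in this thread, emitting x5t / x5t#S256 thumbprints without necessarily embedding the x5c chain, and a consumer-side routine that checks those headers against a CA bundle, as an added standard-library example that is not go-jose code and not part of this PR. The `X5Headers` type, `HeadersFromChain`, `VerifyHeaders` and the self-signed test certificate are this example's own constructions; the header names and the base64url-encoded SHA-1 / SHA-256 thumbprint definitions follow RFC 7515 sections 4.1.6 to 4.1.8.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// X5Headers carries the certificate-related JOSE header parameters as a JWK
// or JWS protected header would serialize them. The Go type and field names
// are this example's own, not go-jose's.
type X5Headers struct {
	X5c     []string `json:"x5c,omitempty"`      // standard base64 DER certs, leaf first
	X5t     string   `json:"x5t,omitempty"`      // base64url SHA-1 thumbprint of the leaf
	X5tS256 string   `json:"x5t#S256,omitempty"` // base64url SHA-256 thumbprint of the leaf
}

// ThumbprintSHA1 returns the x5t value for a DER-encoded certificate
// (RFC 7515 mandates SHA-1 here; prefer x5t#S256 where you control both sides).
func ThumbprintSHA1(der []byte) string {
	sum := sha1.Sum(der)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// ThumbprintSHA256 returns the x5t#S256 value for a DER-encoded certificate.
func ThumbprintSHA256(der []byte) string {
	sum := sha256.Sum256(der)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// HeadersFromChain computes both thumbprints from the leaf (chain[0]) and
// embeds the whole chain only when includeX5c is set, which is the
// "thumbprints without x5c" choice discussed above.
func HeadersFromChain(chain [][]byte, includeX5c bool) (X5Headers, error) {
	if len(chain) == 0 {
		return X5Headers{}, errors.New("empty certificate chain")
	}
	h := X5Headers{X5t: ThumbprintSHA1(chain[0]), X5tS256: ThumbprintSHA256(chain[0])}
	if includeX5c {
		for _, der := range chain {
			h.X5c = append(h.X5c, base64.StdEncoding.EncodeToString(der))
		}
	}
	return h, nil
}

// VerifyHeaders is the consumer-side check: decode x5c, confirm that any
// thumbprint present matches the leaf, and validate the chain against roots.
// It returns the verified leaf so the caller can take the public key from it.
// Thumbprints without x5c are not verifiable here; resolve them against a
// locally provisioned certificate store instead.
func VerifyHeaders(h X5Headers, roots *x509.CertPool, now time.Time) (*x509.Certificate, error) {
	if len(h.X5c) == 0 {
		return nil, errors.New("no x5c: thumbprints alone identify, they do not prove, a certificate")
	}
	var ders [][]byte
	for i, b64 := range h.X5c {
		der, err := base64.StdEncoding.DecodeString(b64)
		if err != nil {
			return nil, fmt.Errorf("x5c[%d]: %w", i, err)
		}
		ders = append(ders, der)
	}
	if h.X5t != "" && h.X5t != ThumbprintSHA1(ders[0]) {
		return nil, errors.New("x5t does not match x5c leaf")
	}
	if h.X5tS256 != "" && h.X5tS256 != ThumbprintSHA256(ders[0]) {
		return nil, errors.New("x5t#S256 does not match x5c leaf")
	}
	leaf, err := x509.ParseCertificate(ders[0])
	if err != nil {
		return nil, fmt.Errorf("leaf: %w", err)
	}
	inter := x509.NewCertPool()
	for _, der := range ders[1:] {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, fmt.Errorf("intermediate: %w", err)
		}
		inter.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return nil, fmt.Errorf("chain: %w", err)
	}
	return leaf, nil
}

// SelfSignedTestCert builds a constructed self-signed ECDSA certificate used
// only as sample input for this example.
func SelfSignedTestCert() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-signer"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, err := SelfSignedTestCert()
	if err != nil {
		panic(err)
	}
	h, _ := HeadersFromChain([][]byte{der}, true)
	roots := x509.NewCertPool()
	leaf, _ := x509.ParseCertificate(der)
	roots.AddCert(leaf)
	if _, err := VerifyHeaders(h, roots, time.Now()); err != nil {
		fmt.Println("verify failed:", err)
		return
	}
	fmt.Println("x5t:", h.X5t, "x5t#S256:", h.X5tS256)
}
```

The verifier deliberately treats a mismatch between a thumbprint and the x5c leaf as a hard failure rather than ignoring the thumbprint: a header whose x5t points at one certificate while x5c carries another is either a bug in the producer or an attempt to confuse key lookup, and neither should be accepted silently.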

FYI, I'm trying to get this into v3, and x5u/x5t support at least for JWK (though not for JWS) was merged into master in #242.

csstaub avatar May 29 '19 19:05 csstaub