Comments (12)
@shaxbee this might be a more relevant issue instead of being a JWT #126 specific issue. I appreciate your quick attention to all this.
Please note headers like x5t, x5c, should probably be a bool like JWK and added automatically if set since they are the fingerprint and contents of the public key associated with the private key being used to sign.
If you have any questions please let me know. Thanks again for the quick work!
from go-jose.
@eriksten x5t contains certificate chain so I'll have to figure out the way to optionally pass it to signer.
from go-jose.
Do you use crypto/x509 to load/manage certificate pool?
from go-jose.
@shaxbee I think that's reasonable to expect (using the crypto/x509). For example in my uses and in a few other uses I've seen, there is no certificate authority being used, its just the base64 encoding of the public key that corresponds to the private key being used in the signing algorithm, RSA or EC. I'm not using signed certs, just a generated private key and deriving the public key from it.
from go-jose.
from go-jose.
from go-jose.
It seems to be based on DER certificate which is public key part.
The "x5t" (x.509 certificate thumbprint) header parameter provides a base64url encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate that can be used to match a certificate.
https://morgansimonsen.com/2013/04/16/understanding-x-509-digital-certificate-thumbprints/
I've provided helper functions to generate thumbprints from *x509.Certificate
See #131 for prototype.
from go-jose.
From the standard, about x5c ordering:
The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The recipient MUST validate the certificate chain according to RFC 5280 [RFC5280] and consider the certificate or certificate chain to be invalid if any validation failure occurs.
from go-jose.
Oh, also:
Each string in the array is a base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER [ITU.X690.2008] PKIX certificate value.
The use of base64 vs. base64url here is rather annoying.
from go-jose.
@csstaub Thanks, I'm generating thumbprints and populating x5* headers in JWS, thumbprints can be provided as JSONWebKey field as well. I'll work on test and JWE headers next.
@ekristen could you try out my PR and see if API is convenient enough?
from go-jose.
@shaxbee is there currently a way to set "kid"
on a JWS header as described here?
https://tools.ietf.org/html/rfc7515#section-4.1.4
Edit: nvm, I see you can pass a JsonWebKey
to NewSigner
. But what about being able to set Private Header Parameter Names as specified in the RFC here?
https://tools.ietf.org/html/rfc7515#section-4.3
from go-jose.
So #242 added a bit of support for x5t
header, but https://github.com/square/go-jose/pull/131
has also code to generate the field, which I would find very useful as well, to be able to get from JWK directly to x5t
in go.
from go-jose.
Related Issues (20)
- OpaqueSigner makes unnecessary operations HOT 1
- How to verify signature using set of JWKS via https url? HOT 3
- Can we manually validate token using CA certificate Public key? HOT 3
- json.Unmarshal converts json literal integer to float64 instead of int64 when taget type is of type interface{} HOT 7
- It is not possible to configure json decoder when unmarshalling JSONWebToken's claims
- Issues for v3 fork HOT 1
- Pad x/y for ES512 - P-521 HOT 2
- ES256/etc algs produce non-deterministic ECDSA signatures inconsistent with the IETF JWT BCP HOT 2
- Wrong error returned when verifying HOT 2
- NewEncrypter does not handles neither non-pointer JWKs as Recipient Keys, nor non-JWK HOT 1
- Setting about "Unprotected", "Header", "iv" HOT 2
- test environment breaking - TravisCI
- Validate claims with jwks file HOT 1
- Trivy scan reports vulnerabilities for v2.6.0 HOT 1
- square/go-jose: error in cryptographic primitive HOT 1
- Hope to keep the float type when the fractional part ends with '. 0' by using UnmarshalIntOrFloat HOT 1
- AutoRefreshing JWK ? HOT 1
- Unencoded Payload Option WithBase64 still encodes payload to base64 through MarshalJSON?
- x5t and x5t#S256 headers with padding breaking key unmarshalling
- Protected header in NewMultiEncrypter
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from go-jose.