Sign and Encrypt from KeyPair #92
Comments
Hi @AccRPA, well, there are a lot of examples here: https://github.com/dvsekhvalnov/jose-jwt And it's definitely possible to sign or encrypt tokens or other arbitrary payloads with the library. What exactly are you looking to do?
Hi @dvsekhvalnov, I'm a little stuck, because I generate key pairs (public and private) with this page https://mkjwk.org/, and I would like to get a token signed (RS256) and encrypted (RSA_OAEP and A128CBC_HS256). But the examples that I found are with p12 certificates:
I think that I already have a private key, so I don't need to do the code above. If I convert the private key to byte[] and pass it to the Encode method I get this error:
And also I've tried to pass an RSACryptoServiceProvider object, but I think it's not correct. This is example code to illustrate the case:

```csharp
// KEY PAIR GENERATED FROM THE WEB TO SIGN
string myPrivateKey = "PRIVATE KEY";
// PUBLIC KEY GENERATED FROM THE WEB to ENCRYPT
var payload = new Dictionary<string, object>();
var headers = new Dictionary<string, object>();
RSACryptoServiceProvider RSA = new RSACryptoServiceProvider();
// Am I getting a signed and encrypted token here, or do I need to do it separately?
```

Thanks.
Ok, how do your public and private key files look?
You can also take a look here: https://github.com/dvsekhvalnov/jose-jwt#if-you-have-only-rsa-private-key
I'm not super sure what the purpose of signing encrypted messages is, but if you really need to:

```csharp
// JWE: encrypt the payload
string encrypted = JWT.Encode(payload, key, JweAlgorithm.RSA_OAEP, JweEncryption.A256GCM);
// JWS: sign the compact JWE string
string encryptedAndThenSigned = JWT.Encode(encrypted, key, JwsAlgorithm.RS256);
```
Hi dvsekhvalnov! Thanks for your answer. What I would like to do is generate a JWT from a JWK. The private and public key are part of a JSON; I don't have a .p12 or physical certificate like the one used in the link you mentioned. I've just found this question, which is very similar to my problem, but the solution isn't very clear to me. Thanks a lot.
Hey @AccRPA, you have a JWK? Can you post a sample here? Please strip all sensitive values, or better, generate a sample key.
Hi dvsekhvalnov! Of course I can, these are sample keys: Configuration: This is my private and public key: And this is the customer public key: What I want to do is get a token signed with my private key and encrypted with the customer's public key. I've been trying some code, but in the end I haven't achieved anything. Maybe I'm wrong; some help is welcome! Thanks.
Well, you'd probably have to write it yourself: convert the JWK into an RSA object. Hints:
Here is sample code created in another thread that you can use as a reference: https://github.com/psteniusubi/jose-jwt/blob/master/jose-jwt/jwk/JwkRsa.cs#L54 Make sense?
Hi dvsekhvalnov! Thank you so much for your help. Definitely I'll do what you say. I'll post my results.
Hi dvsekhvalnov! Sorry for the delay. I'm trying to follow your steps, and I've needed to convert the e, n and p parameters with Convert.FromBase64String. After that, when I call the JWT.Encode method, I receive the error below: This is a part of the code:
I'm looking for some information and solutions about this. Thank you.
Mm, if you remove
Yes. I thought I needed to indicate this parameter.
Ok, not many ideas without trying it. Maybe .NET doesn't like that you don't provide the DP/DQ/InverseQ params along with D. Is there a way to have a JWK with all the additional params?
Well, I'm going to try to generate a JWK with the jose-jwt Java library, and then use that JWK to compose the RSAParameters in C# and see if the Encode method doesn't throw any exceptions. Thank you so much for your help.
Well, I've not achieved what I said in the above post. I can generate a JWK like this:

```json
{
  "p": "2XsxRAadoo1hQgqO3JOKqrsgXZbJFSxlw5phcr2-By3rtNgPttti12YZChYzFOHuJmsWKZDjV0mvtmVt63-kVa2MzAvLXHM4mRUC2N7L6NsQUW3MZSZ7RiEZWSZ2qy7Vy66fcMXeN-GpRUlYXubN3muEFwkk3MMOtB1ibdj2Vhs",
  "kty": "RSA",
  "q": "tClNf-W2TAuZKOf7Td0fKbmSWnwQ7B8-00g-XsRiA_22m1uUTYn68bOBz90DcF98JoFZB_5oyCT9A99r5ak7jRAdkkQwnC9VRgpgackxj9SvxFqJJhCgKiEZPAiKiKOx9vnl3OJVEO1dfd0NpSITY6ED8mARLryLnYzuUfyFW28",
  "d": "ORVmv32a4OUxYjxX_gDk4tHWg_hABO9mFfOSTheOI9BCwpAirnI-uj7qX5oF2D3IfwgNaIGJ2J2E19_tR8vaWZqgYc7Fd-iC830nqHvEZHXYEjK-SWfHCBmwlgqvLNYVp-a1N99Q-E8S5jsj7XDLWe9oudnDxpC_qCyjgfjeVrne72XslqDeyLNqVNdrwNVqORUbW_QmcOW_olMfwqBGpfEQce59v4ctlqginUr2ktLVau3u6i4MSe0wg5Ja_JQRiFNFydBE4zTl6nhuKuPWRyUs_wpJ3Cq5OhZzOYSYSYf4A_KgXx28YFgAtC_hBv23yzLrsNJsCPl0K2liDd24JQ",
  "e": "AQAB",
  "kid": "e5c1c652-12c6-4012-9c72-e37fee52122f",
  "qi": "R8PL8elT-3c3iw4JaafZO4A4NiPbsGjlNN8NfKAte4zVifoQ7vmZMSJ2yU4mGIguVhni2c_a8oVMqHOiJPxojmS-QrW6Tyis-O9pyeR3cBs6GwXeOq3Rwri-ppZzL157b6w5ptUqNxEOU0B2ocsM-dfIFc9jx57KbLspZhVB7WI",
  "dp": "a-wwVHub-jCClQ08O8WTyIm30_mhq7oufdS8iv4RsOpez41wruNLt2xY_KJrku9TCQmXI-Vci9JrOe43j-f1mvbWqeModaZP7dd5ZDmbouAixuXfykpAXlrKg20M8oH5YmwzfvkR_1UidNmi2uVaQAfGss-81TiOsV7rm2tRQwU",
  "dq": "d2fYgagSBpy5Si9Wk-i2OsVPhsErxhN_ZDFBhTXLcLG7UYSE6k9FDuTWaJonKVdfxXV9OJsZf21kdCikLnbXjUrdDpA7V4jXj7BY7kP2oUlppU4MEDp8rO969hsDFkTIMtS10IwBrVJk4IKeBJBtIV8aao3ZVYyJTEaXvacMC-k",
  "n": "mQ21NW2g3Yhwb5SGYG1JyB8uwvAcoCb-E5o-YC-NKeMZfYLwubkblNqbLbMJOtMr3EVL1-WhvdKfsPSLNXUVRAN_ecPFSyVjbGkkueq01c4sYvCT7VZQv4tKzuy7N217qJ080yX0KUP0CDuC3twC61K3BkH6aSMOforEvNv8RGuPmpitHjTsvUKMTBg-MguGn4bvQiIztEYNVD9BSac8iJpY3PZtt1R52LLb7xpd5PtT0rHNbN7-1BqGOXGqWvAOxmNEG-lQqHAeOncHvzsDuwDimgDIL3UQJIif4xTejLpnnNQmaSQ1PB7qEijdOBdRtKrhY77F4DQfIUcI83HutQ"
}
```

But when I call the rsa.ImportParameters(RSAParams) method, it raises an exception: "An unhandled exception of type 'System.Security.Cryptography.CryptographicException' occurred in mscorlib.dll". I don't have any ideas.
Ok, let me try to play with it myself. I'll try to give it a shot this week. |
Hey @AccRPA, here is a working snippet for me with your latest key:

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Script.Serialization;
using Jose;

string json = @"
{
  ""p"": ""2XsxRAadoo1hQgqO3JOKqrsgXZbJFSxlw5phcr2-By3rtNgPttti12YZChYzFOHuJmsWKZDjV0mvtmVt63-kVa2MzAvLXHM4mRUC2N7L6NsQUW3MZSZ7RiEZWSZ2qy7Vy66fcMXeN-GpRUlYXubN3muEFwkk3MMOtB1ibdj2Vhs"",
  ""kty"": ""RSA"",
  ""q"": ""tClNf-W2TAuZKOf7Td0fKbmSWnwQ7B8-00g-XsRiA_22m1uUTYn68bOBz90DcF98JoFZB_5oyCT9A99r5ak7jRAdkkQwnC9VRgpgackxj9SvxFqJJhCgKiEZPAiKiKOx9vnl3OJVEO1dfd0NpSITY6ED8mARLryLnYzuUfyFW28"",
  ""d"": ""ORVmv32a4OUxYjxX_gDk4tHWg_hABO9mFfOSTheOI9BCwpAirnI-uj7qX5oF2D3IfwgNaIGJ2J2E19_tR8vaWZqgYc7Fd-iC830nqHvEZHXYEjK-SWfHCBmwlgqvLNYVp-a1N99Q-E8S5jsj7XDLWe9oudnDxpC_qCyjgfjeVrne72XslqDeyLNqVNdrwNVqORUbW_QmcOW_olMfwqBGpfEQce59v4ctlqginUr2ktLVau3u6i4MSe0wg5Ja_JQRiFNFydBE4zTl6nhuKuPWRyUs_wpJ3Cq5OhZzOYSYSYf4A_KgXx28YFgAtC_hBv23yzLrsNJsCPl0K2liDd24JQ"",
  ""e"": ""AQAB"",
  ""kid"": ""e5c1c652-12c6-4012-9c72-e37fee52122f"",
  ""qi"": ""R8PL8elT-3c3iw4JaafZO4A4NiPbsGjlNN8NfKAte4zVifoQ7vmZMSJ2yU4mGIguVhni2c_a8oVMqHOiJPxojmS-QrW6Tyis-O9pyeR3cBs6GwXeOq3Rwri-ppZzL157b6w5ptUqNxEOU0B2ocsM-dfIFc9jx57KbLspZhVB7WI"",
  ""dp"": ""a-wwVHub-jCClQ08O8WTyIm30_mhq7oufdS8iv4RsOpez41wruNLt2xY_KJrku9TCQmXI-Vci9JrOe43j-f1mvbWqeModaZP7dd5ZDmbouAixuXfykpAXlrKg20M8oH5YmwzfvkR_1UidNmi2uVaQAfGss-81TiOsV7rm2tRQwU"",
  ""dq"": ""d2fYgagSBpy5Si9Wk-i2OsVPhsErxhN_ZDFBhTXLcLG7UYSE6k9FDuTWaJonKVdfxXV9OJsZf21kdCikLnbXjUrdDpA7V4jXj7BY7kP2oUlppU4MEDp8rO969hsDFkTIMtS10IwBrVJk4IKeBJBtIV8aao3ZVYyJTEaXvacMC-k"",
  ""n"": ""mQ21NW2g3Yhwb5SGYG1JyB8uwvAcoCb-E5o-YC-NKeMZfYLwubkblNqbLbMJOtMr3EVL1-WhvdKfsPSLNXUVRAN_ecPFSyVjbGkkueq01c4sYvCT7VZQv4tKzuy7N217qJ080yX0KUP0CDuC3twC61K3BkH6aSMOforEvNv8RGuPmpitHjTsvUKMTBg-MguGn4bvQiIztEYNVD9BSac8iJpY3PZtt1R52LLb7xpd5PtT0rHNbN7-1BqGOXGqWvAOxmNEG-lQqHAeOncHvzsDuwDimgDIL3UQJIif4xTejLpnnNQmaSQ1PB7qEijdOBdRtKrhY77F4DQfIUcI83HutQ""
}";

// JWK fields are base64url (not plain base64), so use jose-jwt's Base64Url decoder
var js = new JavaScriptSerializer();
var jwk = js.Deserialize<IDictionary<string, string>>(json);
byte[] p = Base64Url.Decode(jwk["p"]);
byte[] q = Base64Url.Decode(jwk["q"]);
byte[] d = Base64Url.Decode(jwk["d"]);
byte[] e = Base64Url.Decode(jwk["e"]);
byte[] qi = Base64Url.Decode(jwk["qi"]);
byte[] dq = Base64Url.Decode(jwk["dq"]);
byte[] dp = Base64Url.Decode(jwk["dp"]);
byte[] n = Base64Url.Decode(jwk["n"]);

// .NET needs the full CRT parameter set, not just (n, e, d)
RSA key = RSA.Create();
RSAParameters keyParams = new RSAParameters();
keyParams.P = p;
keyParams.Q = q;
keyParams.D = d;
keyParams.Exponent = e;
keyParams.InverseQ = qi;   // JWK "qi" maps to .NET InverseQ
keyParams.DP = dp;
keyParams.DQ = dq;
keyParams.Modulus = n;
key.ImportParameters(keyParams);

string token = JWT.Encode("Hello JWK", key, JwsAlgorithm.RS256);
```

Unfortunately I have to say you can't construct a private key with .NET without the primes (P and Q). So the minimal set of JWK fields to do it would be:
In theory P and Q can be recovered from D, see the latest answer in the SO thread: https://stackoverflow.com/questions/2921406/calculate-primes-p-and-q-from-private-exponent-d-public-exponent-e-and-the but I would not recommend it.
Okay, correction: if you're only getting the JWK once (like at registration) and not dealing with (N, E, D) keys at runtime, you can recover P and Q with the procedure above and then just keep the full JWK version of the RSA key. Or better, convert it to .p12.
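The recovery the maintainer points to (the Stack Overflow procedure, applied once at registration and never at runtime), carried through as an added example. This is not jose-jwt code; it takes a JWK holding only n, e and d, factors n from the (e, d) pair, derives dp, dq and qi, and writes back a JWK with every field that .NET's ImportParameters requires. Assumptions: .NET 6+ with C# 8, Jose.Base64Url from the jose-jwt package, a JWK whose members are all strings, and a throwaway key generated in Main in place of a real one.

```csharp
// Added example (not jose-jwt project code): complete a JWK that carries only (n, e, d)
// by recovering p and q, so the full key can be imported by RSA.ImportParameters.
using System;
using System.Collections.Generic;
using System.Numerics;
using System.Security.Cryptography;
using System.Text.Json;
using Jose;

static class JwkCompletion
{
    static BigInteger FromField(string b64url) =>
        new BigInteger(Base64Url.Decode(b64url), isUnsigned: true, isBigEndian: true);

    // Base64urlUInt wants minimal big-endian octets, which ToByteArray(true, true) yields.
    static string ToField(BigInteger v) =>
        Base64Url.Encode(v.ToByteArray(isUnsigned: true, isBigEndian: true));

    static BigInteger RandomBelow(BigInteger n, RandomNumberGenerator rng)
    {
        byte[] buf = new byte[n.GetByteCount(isUnsigned: true) + 1];
        rng.GetBytes(buf);
        buf[^1] = 0;                 // little-endian input: zero top byte keeps it non-negative
        return new BigInteger(buf) % n;
    }

    // Factor n from a consistent (e, d): e*d - 1 is a multiple of lambda(n), so the square
    // chain g^r, g^(2r), ..., g^(2^t r) = 1 passes through a non-trivial square root of 1
    // for at least half of all bases g, and gcd(root - 1, n) is then a prime factor.
    public static (BigInteger p, BigInteger q) RecoverPrimes(BigInteger n, BigInteger e, BigInteger d)
    {
        BigInteger k = e * d - 1;
        if (k.Sign <= 0) throw new ArgumentException("e*d - 1 must be positive");
        int t = 0;
        BigInteger r = k;
        while (r.IsEven) { r >>= 1; t++; }          // k = 2^t * r with r odd

        using var rng = RandomNumberGenerator.Create();
        for (int attempt = 0; attempt < 128; attempt++)
        {
            BigInteger g = RandomBelow(n, rng);
            if (g < 2) continue;
            BigInteger y = BigInteger.ModPow(g, r, n);
            if (y == 1 || y == n - 1) continue;      // only trivial roots on this chain
            for (int j = 0; j < t; j++)
            {
                BigInteger x = BigInteger.ModPow(y, 2, n);
                if (x == 1)
                {
                    BigInteger p = BigInteger.GreatestCommonDivisor(y - 1, n);
                    return (p, n / p);
                }
                if (x == n - 1) break;               // chain ends in -1: pick another base
                y = x;
            }
        }
        throw new CryptographicException("could not recover primes; is (n, e, d) a valid RSA key?");
    }

    // Returns the JWK with p, q, dp, dq and qi added.
    public static string Complete(string json)
    {
        var jwk = JsonSerializer.Deserialize<Dictionary<string, string>>(json)
                  ?? throw new ArgumentException("JWK is not a JSON object");
        BigInteger n = FromField(jwk["n"]), e = FromField(jwk["e"]), d = FromField(jwk["d"]);
        var (p, q) = RecoverPrimes(n, e, d);
        jwk["p"] = ToField(p);
        jwk["q"] = ToField(q);
        jwk["dp"] = ToField(d % (p - 1));
        jwk["dq"] = ToField(d % (q - 1));
        jwk["qi"] = ToField(BigInteger.ModPow(q, p - 2, p)); // q^-1 mod p (p prime) = .NET InverseQ
        return JsonSerializer.Serialize(jwk);
    }

    static void Main()
    {
        using var rsa = RSA.Create(2048);        // constructed throwaway key for the demo
        var full = rsa.ExportParameters(true);
        var stripped = new Dictionary<string, string>
        {
            ["kty"] = "RSA",
            ["n"] = Base64Url.Encode(full.Modulus),
            ["e"] = Base64Url.Encode(full.Exponent),
            ["d"] = Base64Url.Encode(full.D),
        };
        string completed = Complete(JsonSerializer.Serialize(stripped));
        var back = JsonSerializer.Deserialize<Dictionary<string, string>>(completed);
        BigInteger p = FromField(back["p"]), q = FromField(back["q"]);
        BigInteger p0 = new BigInteger(full.P, isUnsigned: true, isBigEndian: true);
        Console.WriteLine(p * q == FromField(back["n"]) && (p == p0 || q == p0)
            ? "recovered the original primes" : "recovery FAILED");
    }
}
```

Run this once, offline, on the key you were given, store the completed JWK (or, as suggested above, convert it to a .p12), and never ship the recovery into the request path: it is randomized, it loops until it succeeds, and it gives a hostile caller a reason to hand you malformed (n, e, d) triples.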
Hi dvsekhvalnov! Your solution works fine. In my case, I only need to get the JWK once, so I work with the same JWK all the time. Thank you so much for your help!
Feel free to close if your issue is resolved :)
Hi dvsekhvalnov, if I'm right, the token generated in this line:
is a signed token. Is it correct to use the code below to encrypt this signed token with the customer's public key?
And also, is there any way to change the length of the token? And do you know why, if I put the signedToken or encryptedToken generated in this page, I always get "Invalid Signature"? Thanks.

Hi dvsekhvalnov, yes, the code worked fine. My question is that in the Java library the length of the token is always the same (1212), but in this case I get a longer token. I've realized that if I change the expiration date in the payload (among other parameters), I get a token with a different length. Thanks so much for your help.
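The two questions in this thread (building an RSA key from a JWK, and then encrypting the RS256-signed token to the customer's public key) worked through as one added example. This is not the jose-jwt project's code. It assumes a modern .NET target on which jose-jwt accepts a System.Security.Cryptography.RSA instance (as in the maintainer's snippet above), System.Text.Json for parsing, JWKs whose members are all strings, and throwaway keys generated in Main as stand-ins for the mkjwk.org pair and the customer's published key; the ToJwk helper exists only to feed those into FromJwk.

```csharp
// Added example (not jose-jwt project code): RSA JWK -> .NET RSA, then a nested JWT
// (RS256 JWS inside an RSA-OAEP / A128CBC-HS256 JWE) and the matching receive path.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.Json;
using Jose;

static class JwkNestedJwt
{
    // JWK integers are Base64urlUInt with leading zero octets stripped (RFC 7518 §2).
    // The CSP-backed RSA on .NET Framework rejects CRT components shorter than their
    // nominal size, so left-pad each field before ImportParameters.
    static byte[] Field(IDictionary<string, string> jwk, string name, int size)
    {
        if (!jwk.TryGetValue(name, out var value))
            throw new ArgumentException($"JWK lacks required field '{name}'");
        byte[] raw = Base64Url.Decode(value);
        if (raw.Length > size)
            throw new ArgumentException($"JWK field '{name}' does not fit the modulus");
        var padded = new byte[size];
        Buffer.BlockCopy(raw, 0, padded, size - raw.Length, raw.Length);
        return padded;
    }

    // With requirePrivate, .NET needs d, p, q, dp, dq and qi: (n, e, d) alone won't import.
    public static RSA FromJwk(string json, bool requirePrivate)
    {
        var jwk = JsonSerializer.Deserialize<Dictionary<string, string>>(json)
                  ?? throw new ArgumentException("JWK is not a JSON object");
        if (!jwk.TryGetValue("kty", out var kty) || kty != "RSA")
            throw new ArgumentException("expected kty=RSA");

        byte[] n = Base64Url.Decode(jwk["n"]);   // modulus has its top bit set: never padded
        int half = (n.Length + 1) / 2;
        var prm = new RSAParameters { Modulus = n, Exponent = Base64Url.Decode(jwk["e"]) };
        if (requirePrivate)
        {
            prm.D = Field(jwk, "d", n.Length);
            prm.P = Field(jwk, "p", half);
            prm.Q = Field(jwk, "q", half);
            prm.DP = Field(jwk, "dp", half);
            prm.DQ = Field(jwk, "dq", half);
            prm.InverseQ = Field(jwk, "qi", half);  // JWK qi is q^-1 mod p, .NET's InverseQ
        }
        var rsa = RSA.Create();
        rsa.ImportParameters(prm);
        if (rsa.KeySize < 2048) throw new CryptographicException("RSA key shorter than 2048 bits");
        return rsa;
    }

    // Sign with our private key (authenticity), then encrypt the compact JWS to the
    // customer's public key (confidentiality). cty=JWT marks the nesting (RFC 7519 §5.2).
    public static string SignThenEncrypt(IDictionary<string, object> claims, RSA ourPrivate, RSA customerPublic)
    {
        string jws = JWT.Encode(claims, ourPrivate, JwsAlgorithm.RS256);
        var headers = new Dictionary<string, object> { ["cty"] = "JWT" };
        return JWT.Encode(jws, customerPublic, JweAlgorithm.RSA_OAEP, JweEncryption.A128CBC_HS256,
                          extraHeaders: headers);
    }

    // Receiver: pin both algorithms explicitly; never let the token header pick them.
    public static string DecryptThenVerify(string token, RSA customerPrivate, RSA senderPublic)
    {
        string jws = JWT.Decode(token, customerPrivate, JweAlgorithm.RSA_OAEP, JweEncryption.A128CBC_HS256);
        return JWT.Decode(jws, senderPublic, JwsAlgorithm.RS256);  // claims JSON; still check exp/aud
    }

    // Demo helper: export a .NET key as a JWK, standing in for keys from mkjwk.org.
    public static string ToJwk(RSA rsa, bool includePrivate)
    {
        var p = rsa.ExportParameters(includePrivate);
        var jwk = new Dictionary<string, string>
        {
            ["kty"] = "RSA", ["n"] = Base64Url.Encode(p.Modulus), ["e"] = Base64Url.Encode(p.Exponent)
        };
        if (includePrivate)
        {
            jwk["d"] = Base64Url.Encode(p.D);   jwk["p"] = Base64Url.Encode(p.P);
            jwk["q"] = Base64Url.Encode(p.Q);   jwk["dp"] = Base64Url.Encode(p.DP);
            jwk["dq"] = Base64Url.Encode(p.DQ); jwk["qi"] = Base64Url.Encode(p.InverseQ);
        }
        return JsonSerializer.Serialize(jwk);
    }

    static void Main()
    {
        // Constructed throwaway keys: ours stands in for the mkjwk.org pair, theirs for the customer's.
        using var ours = RSA.Create(2048);
        using var theirs = RSA.Create(2048);
        var claims = new Dictionary<string, object>
        {
            ["sub"] = "AccRPA", ["aud"] = "customer",
            ["exp"] = DateTimeOffset.UtcNow.AddMinutes(5).ToUnixTimeSeconds()
        };
        string token = SignThenEncrypt(claims, FromJwk(ToJwk(ours, true), true), FromJwk(ToJwk(theirs, false), false));
        Console.WriteLine(token);   // five dot-separated JWE segments; length varies with the payload

        string payload = DecryptThenVerify(token, FromJwk(ToJwk(theirs, true), true), FromJwk(ToJwk(ours, false), false));
        Console.WriteLine(payload);

        // A public-only JWK cannot become a private key, as the maintainer explains above.
        try { FromJwk(ToJwk(ours, false), true); }
        catch (ArgumentException ex) { Console.WriteLine("expected: " + ex.Message); }
    }
}
```

Two practical notes. The outer token is a JWE, which has five segments and no signature of its own, so a JWS debugger cannot verify it: decrypt with the customer's private key first, then verify the inner RS256 token against the sender's public key. And neither jose-jwt call checks exp or aud for you; parse the returned claims JSON and enforce them on the receiving side.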
Hi! I'm a newbie in JWT and I would like to generate a signed and encrypted token with a private and public key generated from this website https://mkjwk.org/, but I haven't found any examples in this repository about this. Does this mean that it's not possible to do it with this library?
I had hoped to find examples in the wiki, but it's empty. Also, I've been looking for this on the internet without any good results. Any help please?
Thanks.
Regards