A technical overview of JSON Web Token (JWT) and JavaScript Object Signing and Encryption (JOSE)
Brian Campbell (@__b_c), Cloud Identity Summit 2014
http://www.slideshare.net/briandavidcampbell
Jan 15, 2015
Introductions
http://blog.talkingidentity.com/2013/08/thanking-the-iam-venn-erables-in-my-own-way.html
Me
More Introductions…
https://twitter.com/itickr/status/354999490928857088
https://flic.kr/p/f6PKjB
Copyright © 2014 Ping Identity Corp. All rights reserved.
JWT + JOSE Overview
• JavaScript Object Signing and Encryption (JOSE)
  – JSON Web Signature (JWS)
    • A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding
  – JSON Web Encryption (JWE)
    • Like JWS but for encrypting content
  – JSON Web Key (JWK)
    • JSON data structures representing cryptographic keys
  – JSON Web Algorithms (JWA)
    • Defines the use of cryptographic algorithms and the identifiers for them in JWS, JWE and JWK
• JSON Web Token (JWT)
  – A compact, URL-safe means of representing claims/attributes to be transferred between two parties
  – A JWT is a JWS and/or a JWE with JSON claims as the payload
(Diagram: JWS, JWE, JWT and JWK layered over JSON)
JWT + JOSE in the Wild
• Not even official RFCs at the time of this talk (JWS, JWE, JWK, JWA and JWT were published as RFC 7515 through RFC 7519 in May 2015), but
  – Well regarded
  – And widely used:
    • OAuth
    • OpenID Connect
    • Mozilla Persona (ahem)
    • W3C Web Cryptography API
    • + more…
(Photo: three nerds holding a blurry piece of paper they tell me is some kind of award for the JOSE & JWT work. http://www.kuppingercole.com/article/award2014)
What's in a Name?
https://twitter.com/metadaddy/status/454422069199900672
JW*
But you wouldn't name your child 'Attila the Hun', would you?
"Attila, Scourge of God" http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg
I didn't…
What would JOSE do? ‡
Call it JW-STEAK: JW-S, JW-T, JW-E, JW-A, JW-K (JWS, JWT, JWE, JWA, JWK)
‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended by it, in which case I'm not at all reluctant about blaming him.
Because who doesn't like a good steak?
(Photo: Don Julio is a famous (to gringo tourists anyway) steakhouse in Buenos Aires, Argentina - https://flic.kr/p/ezE99U)
Okay, fine…
• Technically speaking, my vegan coworker does not like steak
• Even if it is 'good'
• But let's not split hairs on this one…
Awkward Transition… into some of the more technical details
(Photo: few things are more awkward than Paul Madsen eating a Slim Jim while wearing a sailor's outfit and bowtie)
All The Cool Kids Are Doing It
{"JSON" : "a lightweight & human-readable data-interchange format"}
The 64 Character Question
• base64
  – A means of encoding binary data in a printable ASCII string format
  – Each 6 bits -> 1 character
    • From a 64 character alphabet comprised of 62 alphanumeric characters and "+" and "/"
    • Also padding "="
  – 3 bytes -> 4 characters
• base64url
  – Uses a URL-safe alphabet rather than the nearly URL-safe alphabet of regular base64
  – "-" rather than "+" and "_" rather than "/"
  – Padding "=" is omitted (JOSE requires it to be omitted in every segment, so decoders must accept unpadded input)
• A remaining unreserved URI character: "."
  – This will prove important shortly
Example: 32 random bytes encoded
base64:      qOo+pY+LPDB7sA2nuMp4TzmCThieol/J+bAXqcB8pAU=
base64url:   qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU
URL encoded: the base64 form becomes qOo%2BpY%2BLPDB7sA2nuMp4TzmCThieol%2FJ%2BbAXqcB8pAU%3D while the base64url form is unchanged: qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU
A closer look at JOSE's bits and pieces: JWS
• JSON Web Signature (JWS)
• A way of representing content secured with a digital signature or MAC
  – Using a JSON data structure and base64url encoding
  – Encoded segments are concatenated with a "."
  – Intended for space-constrained environments such as HTTP Authorization headers and URI query parameters
• Conceptually simple:
  – <Header>.<Payload>.<Signature>
JOSE's bits and pieces: The JWS Header
• The JWS Header is a bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value
• Reserved Header Parameters
  – "alg": Algorithm
    – HMAC, RSA, RSA-PSS and ECDSA
    – Unsigned/none (controversy!)
    – Extensible
    – A verifier must decide in advance which algorithm(s) and key it accepts and compare the header's "alg" against that. "alg" records what the producer did; it must never be allowed to choose how the recipient verifies, or a token claiming "none" (or a MAC algorithm against a key meant for signatures) gets through
  – "kid": Key ID
  – "jku": JWK Set URL
  – "jwk": JSON Web Key
  – "x5u": X.509 URL
  – "x5t": X.509 Thumbprint
  – "x5c": X.509 Certificate Chain
  – "typ": Type
  – "cty": Content Type
Header Example:
"I signed this thing with RSA-SHA256 using the key we know as '9er', whose corresponding public key you can find at https://www.example.com/jwks"
{"alg":"RS256", "kid":"9er", "jku":"https://www.example.com/jwks"}
JOSE's bits and pieces: JWS Algorithms

Digital Signature or MAC Algorithm                      JWS "alg" Parameter Values
HMAC using SHA-2                                        HS256, HS384 and HS512
RSASSA-PKCS1-v1_5 Digital Signatures with SHA-2         RS256, RS384 and RS512
Elliptic Curve Digital Signatures (ECDSA) with SHA-2    ES256, ES384 and ES512
RSASSA-PSS Digital Signatures with SHA-2                PS256, PS384 and PS512
Unsigned Plaintext                                      none
a little context… (image: USA vs. Canada)
Jingoistic JWS Example
Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Header (going to sign with ECDSA P-256 SHA-256 via "my-first-key") -> {"alg":"ES256","kid":"my-first-key"}
base64url encoded header -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9
Secured Input -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ
base64url encoded signature over the Secured Input -> QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
JWS Compact Serialization (line breaks after dots added for readability) ->
eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.
VVNBICMxIQ.
QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
Which you can think of sort of like:
{"alg":"ES256","kid":"my-first-key"}."USA #1!".<SIGNATURE>
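The signing and verifying steps above, as an added example in Go (not code from the deck or from jose4j). It generates its own P-256 key, so the signature value will differ from the slide's, but the header and payload segments come out byte-for-byte identical. Two details matter for interoperability and security: every segment is base64url with the padding removed (Go's RawURLEncoding), and the ES256 signature is the fixed-width R||S concatenation rather than DER. The verifier is handed the key and the algorithm it expects by the caller and rejects any token whose header says otherwise; letting the header's "alg" pick the verification routine is the mistake behind the "none" controversy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWS segments are base64url without '=' padding, which is exactly Go's RawURLEncoding.
var b64 = base64.RawURLEncoding

type jwsHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}

// NewP256Key generates a signing key; the slide used a freshly generated key as well.
func NewP256Key() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignES256 produces <Header>.<Payload>.<Signature>. The ES256 signature is the
// raw big-endian R||S pair (2 x 32 bytes), not a DER-encoded SEQUENCE.
func SignES256(priv *ecdsa.PrivateKey, kid string, payload []byte) (string, error) {
	hdr, err := json.Marshal(jwsHeader{Alg: "ES256", Kid: kid})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]) // FillBytes left-pads, so a short integer keeps the fixed width
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyES256 checks a compact JWS against a public key the caller has already chosen
// (for example by "kid"). The header's "alg" is compared with the expected value and
// never used to select the algorithm, so "none" or a MAC algorithm cannot be substituted.
func VerifyES256(pub *ecdsa.PublicKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected three dot-separated segments")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr jwsHeader
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("jws: alg %q rejected, verifier expects ES256", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("jws: malformed ES256 signature")
	}
	// Hash the encoded segments exactly as received; never re-encode the decoded header.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("jws: signature verification failed")
	}
	return b64.DecodeString(parts[1])
}

func main() {
	priv, err := NewP256Key()
	if err != nil {
		panic(err)
	}
	token, err := SignES256(priv, "my-first-key", []byte("USA #1!"))
	if err != nil {
		panic(err)
	}
	fmt.Println(token)
	payload, err := VerifyES256(&priv.PublicKey, token)
	fmt.Printf("verified payload %q, err %v\n", payload, err)
}
```

Running it prints a token whose first two segments match the slide exactly; only the signature segment changes from run to run, because ECDSA is randomized and the key is fresh.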
JOSE's bits and pieces: JWE
• JSON Web Encryption
• Similar in motivation and design to JWS but for encrypting content
• A little more complicated
  – Headers
    • "alg": Algorithm (key wrap, key encryption or key agreement: how the content encryption key gets to the recipient)
    • "enc": Encryption Method (authenticated encryption only, so the ciphertext is integrity protected)
    • "zip": Compression Algorithm
      – "DEF" for the DEFLATE Compressed Data Format from RFC 1951 is currently the only one
      – Compression happens before encryption, so compressing plaintext an attacker can partly influence leaks information through the ciphertext length
    • "kid", "jku", "jwk", "x5u", "x5t", "x5c", etc.
• Five Parts
  <Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>
JOSE's bits and pieces: JWE Content Encryption Algorithms ("enc")

Content Encryption Algorithm                                                   JWE "enc" Parameter Values
Authenticated encryption with AES in Galois/Counter Mode (GCM)                 A128GCM, A192GCM and A256GCM
Authenticated encryption with an AES-CBC and HMAC-SHA-2 composite              A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512
JOSE's bits and pieces: JWE Key Management Algorithms ("alg")

Key Management Algorithm                                                                      JWE "alg" Parameter Values
Direct encryption with a shared symmetric key                                                 dir
RSAES-PKCS1-v1_5 key encryption                                                               RSA1_5
RSAES using OAEP key encryption (SHA-1/MGF1-SHA-1, or SHA-256/MGF1-SHA-256 for -256)          RSA-OAEP and RSA-OAEP-256
AES key wrap                                                                                  A128KW, A192KW and A256KW
AES GCM key encryption                                                                        A128GCMKW, A192GCMKW and A256GCMKW
Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF                 ECDH-ES
Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF with AES key wrap   ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW
PBES2 with HMAC SHA-2 and AES key wrapping                                                    PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW

Note: RSA1_5 relies on PKCS#1 v1.5 padding, whose padding-oracle (Bleichenbacher-style) weaknesses are well known; prefer RSA-OAEP or RSA-OAEP-256 for anything new.
Confessional JWE Example
Payload/plaintext -> I actually really like Canada
Header -> {"kid":"use this one eh","alg":"RSA-OAEP","enc":"A128CBC-HS256"}
base64url encoded header -> eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ
IV: base64url encoded 128 bit initialization vector -> OMRMiwPvh13089vcWAw_mg
Encrypted Key: RSA-OAEP used to wrap a random 256 bit content encryption key (128 bits for the HMAC, 128 bits for AES), base64url encoded -> knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ
Ciphertext: base64url encoded AES-128-CBC encrypted payload -> G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw
Authentication Tag: the first 128 bits (left truncation) of an HMAC-SHA-256 computed over the encoded header (as additional authenticated data), the IV, the ciphertext and the 64-bit bit-length of that additional authenticated data -> rCjFpLbuWKQMJLzQEP4aSw
JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>) ->
eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ.
knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ.
OMRMiwPvh13089vcWAw_mg.
G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw.
rCjFpLbuWKQMJLzQEP4aSw
An aside, eh. Looking for material, I started to Google "never trust a Canadian"…
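The A128CBC-HS256 content encryption used by the example above, as an added Go example (not code from the deck or from jose4j). It covers only the "enc" step: the content encryption key is a constructed random 32-byte value rather than the RSA-OAEP-wrapped key from the slide, and the slide's encoded header is reused as the additional authenticated data. It shows how the composite splits the key into MAC and AES halves, how the tag is computed over header, IV, ciphertext and the 64-bit AAD length and then truncated, and why the tag is checked before any decryption or padding check so that no padding oracle is exposed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// computeTag is the JWA A128CBC-HS256 authentication tag: HMAC-SHA-256 over
// AAD || IV || ciphertext || AL, where AAD is the ASCII of the encoded protected
// header and AL is the bit length of AAD as a 64-bit big-endian integer. The
// HMAC output is then left-truncated to its first 16 bytes.
func computeTag(macKey, aad, iv, ciphertext []byte) []byte {
	al := make([]byte, 8)
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(aad)
	mac.Write(iv)
	mac.Write(ciphertext)
	mac.Write(al)
	return mac.Sum(nil)[:16]
}

// EncryptA128CBCHS256 encrypts with a 32-byte CEK: the first half is the HMAC key,
// the second half the AES-128 key. encodedHeader is the base64url protected header.
func EncryptA128CBCHS256(cek []byte, encodedHeader string, plaintext []byte) (iv, ciphertext, tag []byte, err error) {
	if len(cek) != 32 {
		return nil, nil, nil, errors.New("A128CBC-HS256 requires a 256-bit CEK")
	}
	macKey, encKey := cek[:16], cek[16:]
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, nil, nil, err
	}
	iv = make([]byte, aes.BlockSize) // fresh random IV per message; never reuse one under the same key
	if _, err := rand.Read(iv); err != nil {
		return nil, nil, nil, err
	}
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7: always at least one byte of padding
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	ciphertext = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ciphertext, padded)
	tag = computeTag(macKey, []byte(encodedHeader), iv, ciphertext)
	return iv, ciphertext, tag, nil
}

// DecryptA128CBCHS256 recomputes and compares the tag in constant time before any
// decryption, so a modified header, IV or ciphertext is rejected outright and the
// padding check below never runs on attacker-controlled data.
func DecryptA128CBCHS256(cek []byte, encodedHeader string, iv, ciphertext, tag []byte) ([]byte, error) {
	if len(cek) != 32 {
		return nil, errors.New("A128CBC-HS256 requires a 256-bit CEK")
	}
	macKey, encKey := cek[:16], cek[16:]
	if !hmac.Equal(computeTag(macKey, []byte(encodedHeader), iv, ciphertext), tag) {
		return nil, errors.New("authentication tag mismatch")
	}
	if len(iv) != aes.BlockSize || len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed IV or ciphertext")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ciphertext)
	padLen := int(padded[len(padded)-1])
	if padLen == 0 || padLen > aes.BlockSize ||
		!bytes.Equal(padded[len(padded)-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen)) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	return padded[:len(padded)-padLen], nil
}

func main() {
	// Constructed CEK for the demo; in a real JWE it arrives wrapped under "alg" (RSA-OAEP on the slide).
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		panic(err)
	}
	// The slide's protected header, already base64url encoded; it doubles as the AAD.
	const encodedHeader = "eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ"
	iv, ct, tag, err := EncryptA128CBCHS256(cek, encodedHeader, []byte("I actually really like Canada"))
	if err != nil {
		panic(err)
	}
	enc := base64.RawURLEncoding
	fmt.Printf("%s.<encrypted key>.%s.%s.%s\n", encodedHeader, enc.EncodeToString(iv), enc.EncodeToString(ct), enc.EncodeToString(tag))
	pt, err := DecryptA128CBCHS256(cek, encodedHeader, iv, ct, tag)
	fmt.Printf("%q %v\n", pt, err)
}
```

The 29-byte plaintext pads to 32 bytes, which is why the slide's ciphertext segment decodes to exactly two AES blocks; the IV and tag segments decode to 16 bytes each.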
JWT
• JSON Web Token
• Suggested pronunciation: "jot"
• Compact, URL-safe means of representing claims to be transferred between two parties
• JWS and/or JWE with JSON claims as the payload
• JWT Claim
  – A piece of information asserted about a subject (or the JWT itself)
  – Represented as name/value pairs, consisting of a Claim Name and a Claim Value (which can be any JSON value)
(some) Reserved JWT Claim Names
• "iss": Issuer – Who issued it
• "sub": Subject – Who it's about
• "aud": Audience – Who it's for (a single string or an array of strings; a recipient must reject a token it is not an audience of)
• "exp": Expiration Time – When it expires
• "nbf": Not Before – When it starts being valid
• "iat": Issued At – When it was issued
• "jti": JWT ID – A unique identifier for it
(exp, nbf and iat are NumericDate values: seconds since the Unix epoch)
jot or not?
The JWT
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
The Header
{"kid":"5","alg":"ES256"}
The Payload
{"iss":"https:\/\/idp.example.com", "exp":1357255788, "aud":"https:\/\/sp.example.org", "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A", "acr":"2", "sub":"Brian"}

it's not the size of your token…
The same statement (issuer, subject, audience, validity window, authentication context) as a SAML 2.0 assertion with an enveloped XML Signature:
<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Issuer>https://idp.example.com</Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
      <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
  </ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
    <AudienceRestriction><Audience>https://sp.example.org</Audience></AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
    <AuthnContext><AuthnContextClassRef>2</AuthnContextClassRef></AuthnContext>
  </AuthnStatement>
</Assertion>
…it's how you use it
• Simpler = Better
• Web-safe encoding with no canonicalization (because canonicalization is a four letter word*)
• Improved interoperability & (hopefully) more secure
• Eliminates entire classes of attacks
  – XSLT Transform DoS, Remote Code Execution, and Bypass
  – C14N Hash Collision with & without comments
  – Entity Expansion Attacks
  – XPath Transform DoS and Bypass
  – External Reference DoS
  – Signature Wrapping Attacks
* especially when you spell it c14n
(Photo: Brad Hill, pictured here speaking at CIS in 2011, is wicked smaht and published some of these attacks)
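Checking the reserved claims in the JWT payload shown above, as an added Go example (not code from the deck or from jose4j). The verifier supplies the issuer and audience it expects and the current time; the "now" used here is a constructed timestamp a few minutes before the slide's exp value, so the slide's payload validates. Claims are attacker-controlled input until the JWS signature has been verified, so this step assumes that already happened (the JWS example earlier shows the signature side).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// DeckPayload is the decoded JWT payload from the slide above, verbatim (note the escaped slashes).
const DeckPayload = `{"iss":"https:\/\/idp.example.com", "exp":1357255788, "aud":"https:\/\/sp.example.org", "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A", "acr":"2", "sub":"Brian"}`

// Claims holds the reserved claim names listed above. "aud" is kept raw because
// it may be either a single string or an array of strings.
type Claims struct {
	Issuer    string          `json:"iss"`
	Subject   string          `json:"sub"`
	Audience  json.RawMessage `json:"aud"`
	Expires   int64           `json:"exp"`
	NotBefore int64           `json:"nbf"`
	IssuedAt  int64           `json:"iat"`
	ID        string          `json:"jti"`
}

func (c *Claims) audiences() ([]string, error) {
	if len(c.Audience) == 0 {
		return nil, nil
	}
	var one string
	if err := json.Unmarshal(c.Audience, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(c.Audience, &many); err != nil {
		return nil, errors.New("aud must be a string or an array of strings")
	}
	return many, nil
}

// Expectations are fixed by the receiving party ahead of time. Now is injected rather
// than read from the clock so behaviour is deterministic and testable.
type Expectations struct {
	Issuer   string
	Audience string
	Now      int64 // seconds since the Unix epoch, the same scale as exp/nbf/iat
	Skew     int64 // tolerated clock skew in seconds
}

// ValidateClaims assumes the JWS signature (or JWE tag) protecting payload has ALREADY
// been verified; the claims of an unverified token are whatever the sender wants them to be.
func ValidateClaims(payload []byte, want Expectations) (*Claims, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Issuer != want.Issuer {
		return nil, fmt.Errorf("iss %q, expected %q", c.Issuer, want.Issuer)
	}
	auds, err := c.audiences()
	if err != nil {
		return nil, err
	}
	accepted := false
	for _, a := range auds {
		if a == want.Audience {
			accepted = true
		}
	}
	if !accepted {
		return nil, fmt.Errorf("aud %v does not include %q", auds, want.Audience)
	}
	if c.Expires == 0 {
		return nil, errors.New("exp is required")
	}
	if want.Now-want.Skew >= c.Expires { // valid only while now < exp
		return nil, errors.New("token has expired")
	}
	if c.NotBefore != 0 && want.Now+want.Skew < c.NotBefore { // valid only once now >= nbf
		return nil, errors.New("token is not yet valid (nbf)")
	}
	if c.IssuedAt != 0 && c.IssuedAt > want.Now+want.Skew {
		return nil, errors.New("iat is in the future")
	}
	return &c, nil
}

func main() {
	c, err := ValidateClaims([]byte(DeckPayload), Expectations{
		Issuer: "https://idp.example.com", Audience: "https://sp.example.org",
		Now: 1357255000, Skew: 30, // constructed "now", shortly before the slide's exp
	})
	fmt.Printf("%+v %v\n", c, err)
}
```

The "acr" claim in the slide's payload is not a reserved name; it is simply ignored here, which is the right default for claims a recipient does not understand.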
JSON Web Key (JWK)
• JSON data structure representing cryptographic key(s)
  – Public/private keys: RSA & Elliptic Curve
  – Symmetric keys (octet sequence)
• Can be
  – included in a JWS/JWE/JWT header
  – published at an HTTPS endpoint and referenced
  – used in place of self-signed certificates
  – saved in a file
  – sent in an email
  – and more
• A verifier must not take its verification key from the token's own "jwk" or "jku" header unless that key or URL is already trusted; otherwise anyone can sign with a key of their choosing
JWK & JWT Working Together
JWT/JWS Header
{ "kid":"5", "alg":"ES256" }
JWK Set
{"keys":[
  {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"},
  {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"},
  {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"}
]}
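Resolving the header's "kid" against that JWK Set, as an added Go example (not code from the deck or from jose4j). The set is the one on the slide, embedded verbatim. The lookup is strict: an unknown kid is an error rather than an invitation to try every key, and before a key is handed to ecdsa.Verify its type and curve are checked against what ES256 requires and the point is confirmed to lie on P-256, so a key of another type or a malformed point cannot be paired with the algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// DeckJWKSet is the JWK Set from the slide above, verbatim.
const DeckJWKSet = `{"keys":[
  {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"},
  {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"},
  {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"}
]}`

// JWK carries the members an EC public key needs; other key types would add their own.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

type JWKSet struct {
	Keys []JWK `json:"keys"`
}

func ParseJWKSet(data []byte) (*JWKSet, error) {
	var set JWKSet
	if err := json.Unmarshal(data, &set); err != nil {
		return nil, err
	}
	return &set, nil
}

// FindKey selects the entry whose "kid" matches the JWS header. A missing kid is an
// error rather than "try every key", which would let a sender pick the weakest one.
func (s *JWKSet) FindKey(kid string) (*JWK, error) {
	for i := range s.Keys {
		if s.Keys[i].Kid == kid {
			return &s.Keys[i], nil
		}
	}
	return nil, fmt.Errorf("no key with kid %q", kid)
}

// ES256PublicKey converts the JWK into a key usable with ecdsa.Verify. Key type and
// curve are checked against what ES256 requires, coordinates must be full width, and
// the point must lie on P-256 (IsOnCurve rejects the all-zero point, for instance).
func (k *JWK) ES256PublicKey() (*ecdsa.PublicKey, error) {
	if k.Kty != "EC" || k.Crv != "P-256" {
		return nil, fmt.Errorf("kid %q is kty=%s crv=%s, ES256 requires EC on P-256", k.Kid, k.Kty, k.Crv)
	}
	x, err := base64.RawURLEncoding.DecodeString(k.X)
	if err != nil {
		return nil, err
	}
	y, err := base64.RawURLEncoding.DecodeString(k.Y)
	if err != nil {
		return nil, err
	}
	if len(x) != 32 || len(y) != 32 {
		return nil, errors.New("P-256 coordinates must be exactly 32 bytes each")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("public point is not on P-256")
	}
	return pub, nil
}

func main() {
	set, err := ParseJWKSet([]byte(DeckJWKSet))
	if err != nil {
		panic(err)
	}
	// The JWS header on the slide says {"kid":"5","alg":"ES256"}.
	key, err := set.FindKey("5")
	if err != nil {
		panic(err)
	}
	pub, err := key.ES256PublicKey()
	fmt.Printf("kid %s -> %T, err=%v\n", key.Kid, pub, err)
}
```

The public key this returns is what the ES256 verifier from the JWS example earlier would be handed; the kid lookup and the signature check stay two separate steps.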
Simple Is As Simple Does
• The relative simplicity of JW[STEAK] implies a simple programming interface
• Numerous implementations already exist for a wide variety of languages/platforms
• Going to make you take a quick look at one of them…
Introducing jose4j
• Open source Java implementation of the JOSE specification suite
  – https://bitbucket.org/b_c/jose4j
• Relies solely on the JCA APIs for cryptography
• 100% algorithm support
• Production ready
  – Used throughout Ping Identity's products
• Reference[able] implementation
  – Fact checked the JOSE cookbook: http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A
• Completely free of NSA backdoors
  – (but I'm open to "sponsorship" opportunities)
Producing the aforementioned JWS

import org.jose4j.jwk.EcJwkGenerator;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.keys.EllipticCurves;
import org.jose4j.lang.JoseException;

public class ProduceJws {
    public static void main(String[] args) throws JoseException {
        // Generate a fresh P-256 key pair; the kid lets a verifier pick the matching public key
        PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
        jwk.setKeyId("my-first-key");

        JsonWebSignature jws = new JsonWebSignature();
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256); // "alg":"ES256"
        jws.setPayload("USA #1!");
        jws.setKey(jwk.getPrivateKey());         // the private key signs
        jws.setKeyIdHeaderValue(jwk.getKeyId()); // "kid":"my-first-key"
        String compactSerialization = jws.getCompactSerialization();

        System.out.println(compactSerialization);
    }
}
Consuming that JWS

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.lang.JoseException;

public class ConsumeJws {
    public static void main(String[] args) throws JoseException {
        // The public half of "my-first-key" as a JWK; only the public key is needed to verify
        JsonWebKey jwk = JsonWebKey.Factory.newJwk("{\"kty\":\"EC\"," +
            "\"kid\":\"my-first-key\"," +
            "\"x\":\"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ\"," +
            "\"y\":\"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk\"," +
            "\"crv\":\"P-256\"}");

        String compactSerialization =
            "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." +
            "VVNBICMxIQ." +
            "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAU" +
            "REzF1FF25BbrgyohbKdGE1cB-hrA";

        JsonWebSignature jws = new JsonWebSignature();
        jws.setCompactSerialization(compactSerialization);
        // Pin the algorithm to ES256 so a token claiming "none" or an HMAC alg is refused;
        // setAlgorithmConstraints is a later jose4j addition and was not on the original slide
        jws.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
            AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256));
        jws.setKey(jwk.getKey());
        // getPayload() verifies the signature first and throws a JoseException if it does not check out
        String payload = jws.getPayload();

        System.out.println(payload);
    }
}
Producing the aforementioned JWE

import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.lang.JoseException;

public class ProduceJwe {
    public static void main(String[] args) throws JoseException {
        // The recipient's RSA public key as a JWK: only "n" and "e" are needed to encrypt
        String jwkJson =
            "{\"kty\":\"RSA\"," +
            "\"kid\":\"use this one eh\"," +
            "\"n\":\"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5X" +
            "vT8bQO39k34s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtr" +
            "GJdXxQEgDE7Wg1YYi0yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZV" +
            "C5b61R37akzTB3abdAIBf4-UBLrvNgl0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw\"," +
            "\"e\":\"AQAB\"}";

        JsonWebKey jwk = JsonWebKey.Factory.newJwk(jwkJson);

        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setPayload("I actually really like Canada");
        jwe.setKey(jwk.getKey());                 // the public key wraps the random content encryption key
        jwe.setKeyIdHeaderValue(jwk.getKeyId());
        jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP);                              // "alg"
        jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256); // "enc"
        String compactSerialization = jwe.getCompactSerialization();

        System.out.println(compactSerialization);
    }
}
Consuming that JWE

import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.lang.JoseException;

public class ConsumeJwe {
    public static void main(String[] args) throws JoseException {
        // The same RSA key as a full private JWK ("d" plus the CRT parameters p, q, dp, dq, qi)
        String jwkJson =
            "{\"kty\":\"RSA\"," +
            "\"kid\":\"use this one eh\"," +
            "\"n\":\"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5XvT8bQO39k3" +
            "4s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtrGJdXxQEgDE7Wg1YYi0" +
            "yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZVC5b61R37akzTB3abdAIBf4-UBLrvNgl" +
            "0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw\"," +
            "\"e\":\"AQAB\"," +
            "\"d\":\"p1umPOWUnf-rTylRVnhG75sF7N3tyG_r86ZM2hV8qAShMgnzbZYefNg2Vxh2cobXUMLF0TncuUxAusCrNSgUyrjHjHDIws03" +
            "VdzphFPd3oI9o6_2hSBWJ6OWB5VEDAd1Cc_HKy4iPWUZWlk__G3RQg524_0Wfgp_1bTIyeGLEt6GGAasCRoi4crZ_cKLkzB3ZmwoIF" +
            "X4Z-jU6AKp_rCarj45tqdgpzIHKYuA2HjgGJwevknhTVEjY6stAiTXWJ4M8YxIwqQ-tCj1GM5pfvJNIzaW2KoZ234ll_DFnUDnAE1R" +
            "O22oBfW-iYsHcrNtslHxYDkGnOGFkJAOnbF8ihaQcQ\",\"p\":\"6JVJlrObtg02Sr0ZqERiOZMxf3lE8TK8j5cU5VBYYvfebtjI2" +
            "_wW_uT_N_wIETodgWJgkPlejrQM4B-inB8VfUPBe8RCRGmXf5jqyKf7r5XwGabda3UjaTwoAUxYSgb2HH4IU4KNMJ-rFuG2Nzz0t2W" +
            "7PtqHJjrcF3i952oKAGU\",\"q\":\"3-dPMaO1JerkElaP4FMV1Fio-ZFJwf5xCLMFdJZstLkKY7H63bxOb77iQ5xEOSWY4yScfXZ" +
            "hp2S1v0Plub-qTeuGHXt-T2rugGAmIKlPzkQU6aiGFXqwCK2TrETQkV5Pf__PRHhaJ1rTbGVyAvqL2vAoI46XwSMmLINncDy2xGM\"," +
            "\"dp\":\"T9bXYQ0cuZzFc1iAkzuOQFdf2XNmkCmrgtsJCELRZH_T8lcmdCWQO0WeurggiNFbSYvcvEduByyVcuZJKrCc7tgwde0EFn" +
            "ns0JdMmT7Y7ghZWGTogze9xSUqUm_Dqv3CxDsbXpdlIjjdQUiQBVw-YSph4YygciYoYUJIZkUHU-U\"," +
            "\"dq\":\"wklQ6t4HPlPIfDEov5rZAl28onJz8iX7p3TQcw5kXZ2DambyLJ5N4aFdbRWYDY6WT-Ng921V5474NnOQT9IE0YBh7AtQ21E" +
            "Ki9LiwsyoN2_URby6PMEtJxqXXZCI-ts_WO58yAk3EZc6hoCwoe0Olnh2HASLokgBw_ZyN243mck\"," +
            "\"qi\":\"4n-fctilEl81ig_NIa0GFHjV1wiMR5E9RuwJIrSnG6kDBZp2wxjRd8HY96xAC_mwKZzRLxHZnukLaSi4f43-wRuURQaIj8z" +
            "P8UFgH73C4sOp9rgRhsUlceniIasGE-3FKW0_2ofNMCNimYuSSIXfIyNvMdtptlg3BJv4gizH_l4\"}";

        String jwecs =
            "eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ." +
            "knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0M" +
            "lmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4" +
            "wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhY" +
            "V-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ." +
            "OMRMiwPvh13089vcWAw_mg." +
            "G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw." +
            "rCjFpLbuWKQMJLzQEP4aSw";

        PublicJsonWebKey jwk = PublicJsonWebKey.Factory.newPublicJwk(jwkJson);

        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setCompactSerialization(jwecs);
        jwe.setKey(jwk.getPrivateKey()); // the private key unwraps the content encryption key
        // getPayload() checks the authentication tag before returning the decrypted plaintext
        String payload = jwe.getPayload();

        System.out.println(payload);
    }
}
Are we finished yet?
Yes, finished. See you at Boot Camp (maybe).
Thank you!
Brian Campbell @__b_c
CIS 2014
https://flic.kr/p/f7zK1V