I left my JWT in San JOSE
Brian Campbell, @__b_c
Cloud Identity Summit 2014
Aug 23, 2014
http://www.slideshare.net/briandavidcampbell
A technical overview of JSON Web Token (JWT) and JavaScript Object Signing and Encryption (JOSE)
Introductions
http://blog.talkingidentity.com/2013/08/thanking-the-iam-venn-erables-in-my-own-way.html
Me
More Introductions…
Copyright © 2014 Ping Identity Corp. All rights reserved.
https://twitter.com/itickr/status/354999490928857088
https://flic.kr/p/f6PKjB
• JavaScript Object Signing and Encryption (JOSE)
  – JSON Web Signature (JWS)
    • A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding
  – JSON Web Encryption (JWE)
    • Like JWS but for encrypting content
  – JSON Web Key (JWK)
    • JSON data structures representing cryptographic keys
  – JSON Web Algorithms (JWA)
    • Defines the use of cryptographic algorithms and identifiers for JWS, JWE and JWK
• JSON Web Token (JWT)
  – A compact URL-safe means of representing claims/attributes to be transferred between two parties
  – A JWT is a JWS and/or a JWE with JSON claims as the payload
JWT + JOSE Overview
(diagram: JWT, JWS, JWE and JWK stacked on top of JSON)
JWT + JOSE in the Wild
• Not even official RFCs yet but
  – Well regarded
  – And widely used:
    • OAuth
    • OpenID Connect
    • Mozilla Persona (ahem)
    • W3C Web Cryptography API
    • + more…
Three nerds holding a blurry piece of paper they tell me is some kind of award for the JOSE & JWT work.
http://www.kuppingercole.com/article/award2014
What’s in a Name?
https://twitter.com/metadaddy/status/454422069199900672
JW*
But you wouldn't name your child ‘Attila the Hun’ would you?
"Attila, Scourge of God" http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg
I didn’t…
What would JOSE do? ‡
Call it JW-STEAK
(diagram: JW- followed by the S, T, E, A, K of JWS, JWT, JWE, JWA, JWK)
‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended by it, in which case I’m not at all reluctant about blaming him.
Because who doesn’t like a good steak?
Don Julio is a famous (to gringo tourists anyway) steakhouse in Buenos Aires, Argentina - https://flic.kr/p/ezE99U
Okay, fine…
• Technically speaking, my vegan coworker does not like steak
  • Even if it is ‘good’
• But let’s not split hairs on this one…
Awkward Transition… into some of the more technical details
Few things are more awkward than Paul Madsen eating a Slim Jim while wearing a sailor's outfit and bowtie
All The Cool Kids Are Doing It
{"JSON" : "a lightweight & human-readable data-interchange format"}
The 64 Character Question
• base64
  – A means of encoding binary data in a printable ASCII string format
  – Each 6 bits -> 1 character
    • From a 64 character alphabet comprised of 62 alphanumeric characters and "+" and "/"
    • Also padding "="
  – 3 bytes -> 4 characters
• base64url
  – Uses a URL safe alphabet rather than the nearly URL safe alphabet of regular base64
    – "-" rather than "+"
    – "_" rather than "/"
  – Padding "=" is typically omitted
• A remaining unreserved URI character: "."
  – This will prove important shortly
Example: 32 random bytes encoded
base64:    qOo+pY+LPDB7sA2nuMp4TzmCThieol/J+bAXqcB8pAU=
base64url: qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU
URL encoded base64:    qOo%2BpY%2BLPDB7sA2nuMp4TzmCThieol%2FJ%2BbAXqcB8pAU%3D
URL encoded base64url: qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU
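The following Python is an added example (not code from the slides or from jose4j) that does the base64url round trip the bullets describe and reproduces the slide's three strings from the same 32 bytes. The deck shows only the encoded forms, so the raw bytes are recovered by decoding the slide's base64url string first. The decoder is deliberately strict: it rejects characters outside the base64url alphabet and the one unpadded length that can never be valid. The names `b64url_encode`, `b64url_decode`, `is_valid_b64url` and `compare_encodings` are chosen here.

```python
import base64
import re
import urllib.parse

# The slide shows its 32 random bytes only in encoded form; both strings are
# copied from the slide and serve as the sample input here.
SLIDE_BASE64 = "qOo+pY+LPDB7sA2nuMp4TzmCThieol/J+bAXqcB8pAU="
SLIDE_BASE64URL = "qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU"


def b64url_encode(data: bytes) -> str:
    """base64url (RFC 4648 section 5) with the '=' padding dropped, as JOSE does it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Strict inverse of b64url_encode.

    Anything outside the base64url alphabet is an error (so a '+' or '/'
    left over from plain base64 is reported, not quietly accepted), and so
    is the one unpadded length that can never occur: len % 4 == 1 would
    mean a dangling 6 bits.  Padding is put back before the standard
    library decoder sees the string.
    """
    if re.fullmatch(r"[A-Za-z0-9_-]*", text) is None:
        raise ValueError("character outside the base64url alphabet")
    if len(text) % 4 == 1:
        raise ValueError("impossible base64url length")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_valid_b64url(text: str) -> bool:
    """True when b64url_decode accepts the string."""
    try:
        b64url_decode(text)
        return True
    except ValueError:
        return False


def compare_encodings(raw: bytes) -> dict:
    """Encode the same bytes both ways, then percent-encode each as a URL component.

    Plain base64 picks up %2B, %2F and %3D escapes; base64url passes
    through urllib's quoting unchanged, which is why a JOSE segment can go
    straight into a query parameter or an Authorization header.
    """
    std = base64.b64encode(raw).decode("ascii")
    url = b64url_encode(raw)
    return {
        "base64": std,
        "base64url": url,
        "base64 percent-encoded": urllib.parse.quote(std, safe=""),
        "base64url percent-encoded": urllib.parse.quote(url, safe=""),
    }


if __name__ == "__main__":
    raw = b64url_decode(SLIDE_BASE64URL)
    for label, value in compare_encodings(raw).items():
        print(f"{label:>25}: {value}")
```

Running it prints the four encodings of the slide's bytes; the last two lines show the practical difference, since only the plain base64 form changes when it is percent-encoded.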
A closer look at JOSE’s bits and pieces: JWS
• JSON Web Signature (JWS)
  • A way of representing content secured with a digital signature or MAC
    – Using a JSON data structure and base64url encoding
    – Encoded segments are concatenated with a "."
    – Intended for space constrained environments such as HTTP Authorization headers and URI query parameters
• Conceptually Simple:
  – <Header>.<Payload>.<Signature>
JOSE’s bits and pieces: The JWS Header
• JWS Header is a bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value
• Reserved Header Parameters
  – "alg": Algorithm
    – HMAC, RSA, RSA-PSS and ECDSA
    – Unsigned/none (controversy!)
    – Extensible
  • "kid": Key ID
  • "jku": JWK Set URL
  • "jwk": JSON Web Key
  • "x5u": X.509 URL
  • "x5t": X.509 Thumbprint
  • "x5c": X.509 Certificate Chain
  • "typ": Type
  • "cty": Content Type
Header Example:
"I signed this thing with RSA-SHA256 using the key we know as ‘9er’, which you can find the corresponding public key for at https://www.example.com/jwks"
{"alg":"RS256", "kid":"9er", "jku":"https://www.example.com/jwks"}
JOSE’s bits and pieces: JWS Algorithms
Digital Signature or Message Authentication Code Algorithm: JWS "alg" Parameter Values
HMAC using SHA2: HS256, HS384 and HS512
RSASSA-PKCS1-v1_5 Digital Signatures with SHA2: RS256, RS384 and RS512
Elliptic Curve Digital Signatures (ECDSA) with SHA2: ES256, ES384 and ES512
RSASSA-PSS Digital Signatures with SHA2: PS256, PS384 and PS512
Unsigned Plaintext: none
USA & Canada vs. … a little context…
Jingoistic JWS Example
Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Header (going to sign with ECDSA P-256 SHA-256 via "my-first-key") -> {"alg":"ES256","kid":"my-first-key"}
base64url encoded header -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9
Secured Input -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ
base64url encoded signature over the Secured Input -> QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
JWS Compact Serialization -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ.QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
Which you can think of sort of like: {"alg":"ES256","kid":"my-first-key"}."USA #1!".<SIGNATURE>
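As an added example, not code from the slides or from jose4j, here is the JWS construction in plain Python with only the standard library. The Secured Input is built exactly as above and checked against the slide's ES256 header and payload; signing and verifying then use HS256 from the algorithm table, because the standard library has HMAC-SHA256 but no ECDSA. `DEMO_KEY` is a constructed placeholder, and `sign_hs256`, `verify_hs256` and `verifies` are names chosen here. The verifier decides which algorithm it accepts before it reads the header, which is what makes the "none" value harmless on the receiving end.

```python
import base64
import hashlib
import hmac
import json
import re

# Copied from the slide: the ES256 header and payload and the resulting
# Secured Input.  Used here only to check the construction matches.
SLIDE_HEADER_JSON = '{"alg":"ES256","kid":"my-first-key"}'
SLIDE_PAYLOAD = "USA #1!"
SLIDE_SIGNING_INPUT = "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ"

# Constructed demo secret for HS256 (not from the slides).  A real HMAC key is
# at least 32 bytes from a CSPRNG, never a string like this one.
DEMO_KEY = b"constructed-demo-secret-0123456789abcdef"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    if re.fullmatch(r"[A-Za-z0-9_-]*", text) is None or len(text) % 4 == 1:
        raise ValueError("not base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_input(header_json: str, payload: str) -> str:
    """JWS Secured Input: base64url(header) '.' base64url(payload)."""
    return b64url_encode(header_json.encode("utf-8")) + "." + b64url_encode(payload.encode("utf-8"))


def sign_hs256(payload: str, key: bytes, kid: str) -> str:
    """Produce a JWS compact serialization with alg HS256 (HMAC-SHA256)."""
    header_json = json.dumps({"alg": "HS256", "kid": kid}, separators=(",", ":"))
    secured = signing_input(header_json, payload)
    mac = hmac.new(key, secured.encode("ascii"), hashlib.sha256).digest()
    return secured + "." + b64url_encode(mac)


def verify_hs256(compact: str, key: bytes) -> str:
    """Verify an HS256 JWS and return its payload; raise ValueError otherwise.

    The accepted algorithm is fixed by this function, not by the token: a
    header saying "none" (or anything but HS256) is rejected before any
    key is touched.  The MAC is recomputed over the segments exactly as
    received, never re-encoded, and compared in constant time.
    """
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization has exactly three segments")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected or missing alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("signature verification failed")
    return b64url_decode(p64).decode("utf-8")


def verifies(compact: str, key: bytes) -> bool:
    """True when verify_hs256 accepts the token, False when it raises."""
    try:
        verify_hs256(compact, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    assert signing_input(SLIDE_HEADER_JSON, SLIDE_PAYLOAD) == SLIDE_SIGNING_INPUT
    token = sign_hs256(SLIDE_PAYLOAD, DEMO_KEY, "demo-key")
    print(token)
    print(verify_hs256(token, DEMO_KEY))
```

Swapping the payload segment, dropping the signature, or presenting the same token with a "none" header all fail `verify_hs256` for the same reason: the verifier compares what it computes itself against what arrived, and never lets the header choose the check.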
JOSE’s bits and pieces: JWE
• JSON Web Encryption
• Similar in motivation and design to JWS but for encrypting content
• A little more complicated
  – Headers
    • "alg": Algorithm (key wrap or agreement)
    • "enc": Encryption Method (Authenticated Encryption only)
    • "zip": Compression Algorithm
      – "DEF" for the DEFLATE Compressed Data Format from RFC 1951 is currently the only one
    • "kid", "jku", "jwk", "x5u", "x5t", "x5c", etc.
• Five Parts
  <Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>
JOSE’s bits and pieces: JWE Content Encryption Algorithms ("enc")
Content Encryption Algorithm: JWE "enc" Parameter Values
Authenticated encryption with Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM): A128GCM, A192GCM and A256GCM
Authenticated encryption with an AES-CBC and HMAC-SHA2 composite: A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512
JOSE’s bits and pieces: JWE Key Management Algorithms ("alg")
Key Management Algorithm: JWE "alg" Parameter Values
Direct encryption with a shared symmetric key: dir
RSAES-PKCS1-v1_5 key encryption: RSA1_5
RSAES using OAEP key encryption: RSA-OAEP and RSA-OAEP-256
AES key wrap: A128KW, A192KW and A256KW
AES GCM key encryption: A128GCMKW, A192GCMKW and A256GCMKW
Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF: ECDH-ES
Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF with AES key wrap: ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW
PBES2 with HMAC SHA-2 and AES key wrapping: PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW
Confessional JWE Example
Payload/plaintext -> I actually really like Canada
Header -> {"kid":"use this one eh","alg":"RSA-OAEP","enc":"A128CBC-HS256"}
base64url encoded header -> eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ
IV: base64url encoded 128 bit initialization vector -> OMRMiwPvh13089vcWAw_mg
Encrypted Key: a random 256 bit content encryption key wrapped with RSA-OAEP, then base64url encoded -> knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ
Ciphertext: base64url encoded AES 128 CBC encrypted payload -> G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw
Authentication Tag: base64url encoded left-truncated SHA-256 HMAC over the encoded header, IV and ciphertext -> rCjFpLbuWKQMJLzQEP4aSw
JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>) ->
eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ.knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ.OMRMiwPvh13089vcWAw_mg.G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw.rCjFpLbuWKQMJLzQEP4aSw
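Neither AES-CBC-HMAC nor RSA-OAEP is in the Python standard library, so this added example (not the slides' code and not jose4j) stops short of decrypting and instead does what a recipient should do before handing the five segments to a crypto library: parse the compact serialization, apply its own allow-list for "alg" and "enc", and check that the IV, tag, ciphertext and encrypted key have the lengths the declared algorithms imply. The JWE and the recipient's RSA modulus are copied from the slides; `ENC_PARAMS` records the fixed sizes each "enc" value uses, `ALLOWED_ALG` is a recipient policy chosen for this example, and `inspect_jwe` and `shape_ok` are names chosen here.

```python
import base64
import json
import re

# JWE compact serialization from the slide, written out segment by segment.
SLIDE_JWE = (
    "eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ."
    "knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0M"
    "lmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4"
    "wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhY"
    "V-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ."
    "OMRMiwPvh13089vcWAw_mg."
    "G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw."
    "rCjFpLbuWKQMJLzQEP4aSw"
)

# Modulus "n" of the recipient's RSA JWK from the jose4j slide; for an RSA
# key management alg the Encrypted Key segment must be exactly this long.
SLIDE_RSA_N = (
    "y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5X"
    "vT8bQO39k34s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtr"
    "GJdXxQEgDE7Wg1YYi0yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZV"
    "C5b61R37akzTB3abdAIBf4-UBLrvNgl0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw"
)

# Per "enc" value: content encryption key bits, IV bytes, authentication tag bytes.
ENC_PARAMS = {
    "A128CBC-HS256": (256, 16, 16),
    "A192CBC-HS384": (384, 16, 24),
    "A256CBC-HS512": (512, 16, 32),
    "A128GCM": (128, 12, 16),
    "A192GCM": (192, 12, 16),
    "A256GCM": (256, 12, 16),
}

# Recipient policy (an assumption made for this example): the key management
# algorithms this recipient is willing to run.  The header does not get a vote.
ALLOWED_ALG = {"RSA-OAEP", "RSA-OAEP-256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    if re.fullmatch(r"[A-Za-z0-9_-]*", text) is None or len(text) % 4 == 1:
        raise ValueError("not base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def inspect_jwe(compact: str, allowed_alg=ALLOWED_ALG, rsa_modulus_b64url=None) -> dict:
    """Check the shape of a JWE compact serialization before any crypto runs."""
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization has exactly five segments")
    h64, ek64, iv64, ct64, tag64 = parts
    header = json.loads(b64url_decode(h64))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    alg, enc = header.get("alg"), header.get("enc")
    if alg not in allowed_alg:
        raise ValueError(f"key management alg {alg!r} not accepted")
    if enc not in ENC_PARAMS:
        raise ValueError(f"unknown enc {enc!r}")
    if "zip" in header and header["zip"] != "DEF":
        raise ValueError(f"unknown zip {header['zip']!r}")
    cek_bits, iv_len, tag_len = ENC_PARAMS[enc]
    encrypted_key, iv, ciphertext, tag = (b64url_decode(s) for s in (ek64, iv64, ct64, tag64))
    if len(iv) != iv_len:
        raise ValueError(f"{enc} needs a {iv_len}-byte IV, got {len(iv)}")
    if len(tag) != tag_len:
        raise ValueError(f"{enc} needs a {tag_len}-byte tag, got {len(tag)}")
    if "CBC" in enc and len(ciphertext) % 16 != 0:
        raise ValueError("CBC ciphertext must be whole AES blocks")
    if rsa_modulus_b64url is not None:
        modulus_len = len(b64url_decode(rsa_modulus_b64url))
        if len(encrypted_key) != modulus_len:
            raise ValueError(f"RSA encrypted key must be {modulus_len} bytes, got {len(encrypted_key)}")
    return {
        "kid": header.get("kid"), "alg": alg, "enc": enc, "cek_bits": cek_bits,
        "encrypted_key_bytes": len(encrypted_key), "iv_bytes": len(iv),
        "ciphertext_bytes": len(ciphertext), "tag_bytes": len(tag),
    }


def shape_ok(compact: str, **kwargs) -> bool:
    """True when inspect_jwe accepts the token, False when it raises."""
    try:
        inspect_jwe(compact, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(inspect_jwe(SLIDE_JWE, rsa_modulus_b64url=SLIDE_RSA_N))
```

On the slide's JWE this reports a 256-byte encrypted key (an RSA-2048 modulus), a 16-byte IV, 32 bytes of ciphertext (the 29-byte plaintext padded to two AES blocks) and a 16-byte tag, all consistent with A128CBC-HS256; the same token with its header changed to RSA1_5 is refused by policy before any decoding of the other segments.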
An aside, eh.
Looking for material, I started to Google "never trust a Canadian"…
JWT
• JSON Web Token
• Suggested pronunciation: "jot"
• Compact URL-safe means of representing claims to be transferred between two parties
• JWS and/or JWE with JSON claims as the payload
• JWT Claim
  – A piece of information asserted about a subject (or the JWT itself)
  – Represented as name/value pairs, consisting of a Claim Name and a Claim Value (which can be any JSON object)
(some) Reserved JWT Claim Names
• "iss": Issuer – Who issued it
• "sub": Subject – Who’s it about
• "aud": Audience – Who’s it for
• "exp": Expiration Time – When it expires
• "nbf": Not Before – When it starts being valid
• "iat": Issued At – When it was issued
• "jti": JWT ID – A unique identifier for it
jot or not?
The JWT
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
The Header
{"kid":"5","alg":"ES256"}
The Payload
{"iss":"https:\/\/idp.example.com","exp":1357255788,"aud":"https:\/\/sp.example.org","jti":"tmYvYVU2x8LvN72B5Q_EacH._5A","acr":"2","sub":"Brian"}
The Signature
[computery junk]
it’s not the size of your token…
JWT
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
SAML ASSERTION
<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Issuer>https://idp.example.com</Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
      <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>8JT03jjlsqBgX
hStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
  </ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
    <AudienceRestriction><Audience>https://sp.example.org</Audience></AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
    <AuthnContext><AuthnContextClassRef>2</AuthnContextClassRef></AuthnContext>
  </AuthnStatement>
</Assertion>
…it’s how you use it
• Simpler = Better
• Web safe encoding w/ no canonicalization (Because canonicalization is a four letter word*)
• Improved Interoperability & (hopefully) More Secure
• Eliminates entire classes of attacks
  – XSLT Transform DOS, Remote Code Execution, and Bypass
  – C14N Hash Collision w/ & w/out comments
  – Entity Expansion Attacks
  – XPath Transform DOS and Bypass
  – External Reference DOS
  – Signature Wrapping Attacks
Brad Hill, pictured here speaking at CIS in 2011, is wicked smaht and published some of these attacks
* especially when you spell it c14n
JSON Web Key (JWK)
• JSON data structure representing cryptographic key(s)
  – Public/private keys: RSA & Elliptic Curve
  – Symmetric keys (octet sequence)
• Can be
  – included in a JWS/JWE/JWT header
  – published at an HTTPS endpoint and referenced
  – used in place of self signed certificates
  – saved in a file
  – sent in an email
  – and more
JWK & JWT Working Together
JWT/JWS Header
{ "kid":"5", "alg":"ES256"}
JWK Set
{"keys":[
  {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"},
  {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"},
  {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"}
]}
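Putting the reserved claims and the JWK Set to work, as an added example that is neither the slides' code nor jose4j: given the slide's JWT and JWK Set, `select_key` picks the key the "kid" names and checks that its type and curve fit the header's "alg", and `validate_claims` checks "iss", "aud", "exp" and "nbf" against the recipient's expectations and a clock value passed in explicitly (so the 2013 expiry on the slide can be exercised either way). Signature verification with the selected P-256 key belongs between those two steps and is not shown, because ECDSA is not in the standard library. `ALG_KEY_TYPES`, the requirement that "exp" be present, and the helper names are choices made for this example.

```python
import base64
import json
import re

# JWT (ES256, kid "5") and the JWK Set it is meant to be checked against,
# both copied from the slides.
SLIDE_JWT = (
    "eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ."
    "eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9."
    "SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg"
)
SLIDE_JWK_SET = json.loads('''{"keys":[
  {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"},
  {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"},
  {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"}]}''')

# Which kind of JWK (kty, crv) each signature alg may be verified with.  An
# alg missing from this table, "none" included, is never accepted.
ALG_KEY_TYPES = {
    "ES256": ("EC", "P-256"), "ES384": ("EC", "P-384"), "ES512": ("EC", "P-521"),
    "RS256": ("RSA", None), "RS384": ("RSA", None), "RS512": ("RSA", None),
    "PS256": ("RSA", None), "PS384": ("RSA", None), "PS512": ("RSA", None),
}


def b64url_decode(text: str) -> bytes:
    if re.fullmatch(r"[A-Za-z0-9_-]*", text) is None or len(text) % 4 == 1:
        raise ValueError("not base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def split_jwt(compact: str):
    """Return (header, claims, signature_segment) from a JWS-form JWT."""
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("expected three segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and claim set must be JSON objects")
    return header, claims, parts[2]


def select_key(jwk_set: dict, header: dict) -> dict:
    """Pick the one JWK the header's kid names and check it suits the alg."""
    alg = header.get("alg")
    if alg not in ALG_KEY_TYPES:
        raise ValueError(f"alg {alg!r} not accepted")
    kty, crv = ALG_KEY_TYPES[alg]
    matches = [k for k in jwk_set.get("keys", []) if k.get("kid") == header.get("kid")]
    if len(matches) != 1:
        raise ValueError("kid must select exactly one key")
    key = matches[0]
    if key.get("kty") != kty or (crv is not None and key.get("crv") != crv):
        raise ValueError(f"key {key.get('kid')!r} does not match alg {alg}")
    if "d" in key:
        raise ValueError("private key material in a published JWK Set")
    return key


def validate_claims(claims: dict, expected_iss: str, expected_aud: str, now: int, leeway: int = 0) -> dict:
    """Check the reserved claims a relying party cares about; exp is required here."""
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("exp is required")
    if now >= exp + leeway:
        raise ValueError("token expired")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway:
        raise ValueError("token not yet valid")
    return claims


def key_accepted(jwk_set: dict, header: dict) -> bool:
    try:
        select_key(jwk_set, header)
        return True
    except ValueError:
        return False


def claims_accepted(claims: dict, expected_iss: str, expected_aud: str, now: int) -> bool:
    try:
        validate_claims(claims, expected_iss, expected_aud, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    header, claims, signature = split_jwt(SLIDE_JWT)
    key = select_key(SLIDE_JWK_SET, header)
    # (verify `signature` over the first two segments with `key` here)
    print(validate_claims(claims, "https://idp.example.com", "https://sp.example.org", now=1357255787))
```

The order matters: the key is chosen from the recipient's own JWK Set by "kid" and constrained by the expected "alg", the signature is verified with that key, and only then is the claim set trusted enough to be compared against issuer, audience and time.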
Simple Is As Simple Does
• The relative simplicity of JW[STEAK] implies a simple programming interface
• Numerous implementations already exist for a wide variety of languages/platforms
• Going to make you take a quick look at one of them…
Introducing jose4j
• Open source Java implementation of the JOSE specification suite
  – https://bitbucket.org/b_c/jose4j
• Relies solely on the JCA APIs for cryptography
• 100% Algorithm Support
• Production ready
  – Used throughout Ping Identity’s products
• Reference[able] implementation
  – Fact checked the JOSE cookbook: http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A
• Completely free of NSA backdoors
  – (but I’m open to "sponsorship" opportunities)
Producing the aforementioned JWS
import org.jose4j.jwk.EcJwkGenerator;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.keys.EllipticCurves;

// Generate a fresh P-256 key pair as a JWK and label it with the key id the header will carry
PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
jwk.setKeyId("my-first-key");

// Header ("alg" and "kid"), payload, and the private key to sign with
JsonWebSignature jws = new JsonWebSignature();
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
jws.setPayload("USA #1!");
jws.setKey(jwk.getPrivateKey());
jws.setKeyIdHeaderValue(jwk.getKeyId());

// <Header>.<Payload>.<Signature>, each segment base64url encoded
String compactSerialization = jws.getCompactSerialization();
System.out.println(compactSerialization);
Consuming that JWS
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jws.JsonWebSignature;

// The public part of the signing key, as a JWK
JsonWebKey jwk = JsonWebKey.Factory.newJwk("{\"kty\":\"EC\"," +
    "\"kid\":\"my-first-key\"," +
    "\"x\":\"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ\"," +
    "\"y\":\"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk\"," +
    "\"crv\":\"P-256\"}");

String compactSerialization = "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." +
    "VVNBICMxIQ." +
    "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAU" +
    "REzF1FF25BbrgyohbKdGE1cB-hrA";

JsonWebSignature jws = new JsonWebSignature();
jws.setCompactSerialization(compactSerialization);
jws.setKey(jwk.getKey());
// getPayload() verifies the signature with that key first and throws a JoseException if it does not verify
String payload = jws.getPayload();
System.out.println(payload);
Producing the aforementioned JWE
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwk.JsonWebKey;

// The recipient's RSA public key, as a JWK
String jwkJson = "{\"kty\":\"RSA\"," +
    "\"kid\":\"use this one eh\"," +
    "\"n\":\"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5X" +
    "vT8bQO39k34s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtr" +
    "GJdXxQEgDE7Wg1YYi0yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZV" +
    "C5b61R37akzTB3abdAIBf4-UBLrvNgl0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw\"," +
    "\"e\":\"AQAB\"}";
JsonWebKey jwk = JsonWebKey.Factory.newJwk(jwkJson);

JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setPayload("I actually really like Canada");
jwe.setKey(jwk.getKey());                   // the public key wraps the content encryption key
jwe.setKeyIdHeaderValue(jwk.getKeyId());
jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP);
jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);

// <Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>
String compactSerialization = jwe.getCompactSerialization();
System.out.println(compactSerialization);
Consuming that JWE (1 of 2)
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwk.PublicJsonWebKey;

// The recipient's RSA key pair as a JWK: the public "n" and "e" from the previous slide plus the private "d", "p", "q", "dp", "dq" and "qi"
String jwkJson = "{\"kty\":\"RSA\"," +
    "\"kid\":\"use this one eh\"," +
    "\"n\":\"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5XvT8bQO39k3" +
    "4s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtrGJdXxQEgDE7Wg1YYi0" +
    "yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZVC5b61R37akzTB3abdAIBf4-UBLrvNgl" +
    "0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw\"," +
    "\"e\":\"AQAB\"," +
    "\"d\":\"p1umPOWUnf-rTylRVnhG75sF7N3tyG_r86ZM2hV8qAShMgnzbZYefNg2Vxh2cobXUMLF0TncuUxAusCrNSgUyrjHjHDIws03" +
    "VdzphFPd3oI9o6_2hSBWJ6OWB5VEDAd1Cc_HKy4iPWUZWlk__G3RQg524_0Wfgp_1bTIyeGLEt6GGAasCRoi4crZ_cKLkzB3ZmwoIF" +
    "X4Z-jU6AKp_rCarj45tqdgpzIHKYuA2HjgGJwevknhTVEjY6stAiTXWJ4M8YxIwqQ-tCj1GM5pfvJNIzaW2KoZ234ll_DFnUDnAE1R" +
    "O22oBfW-iYsHcrNtslHxYDkGnOGFkJAOnbF8ihaQcQ\",\"p\":\"6JVJlrObtg02Sr0ZqERiOZMxf3lE8TK8j5cU5VBYYvfebtjI2" +
    "_wW_uT_N_wIETodgWJgkPlejrQM4B-inB8VfUPBe8RCRGmXf5jqyKf7r5XwGabda3UjaTwoAUxYSgb2HH4IU4KNMJ-rFuG2Nzz0t2W" +
    "7PtqHJjrcF3i952oKAGU\",\"q\":\"3-dPMaO1JerkElaP4FMV1Fio-ZFJwf5xCLMFdJZstLkKY7H63bxOb77iQ5xEOSWY4yScfXZ" +
    "hp2S1v0Plub-qTeuGHXt-T2rugGAmIKlPzkQU6aiGFXqwCK2TrETQkV5Pf__PRHhaJ1rTbGVyAvqL2vAoI46XwSMmLINncDy2xGM\"," +
    "\"dp\":\"T9bXYQ0cuZzFc1iAkzuOQFdf2XNmkCmrgtsJCELRZH_T8lcmdCWQO0WeurggiNFbSYvcvEduByyVcuZJKrCc7tgwde0EFn" +
    "ns0JdMmT7Y7ghZWGTogze9xSUqUm_Dqv3CxDsbXpdlIjjdQUiQBVw-YSph4YygciYoYUJIZkUHU-U\"," +
    "\"dq\":\"wklQ6t4HPlPIfDEov5rZAl28onJz8iX7p3TQcw5kXZ2DambyLJ5N4aFdbRWYDY6WT-Ng921V5474NnOQT9IE0YBh7AtQ21E" +
    "Ki9LiwsyoN2_URby6PMEtJxqXXZCI-ts_WO58yAk3EZc6hoCwoe0Olnh2HASLokgBw_ZyN243mck\"," +
    "\"qi\":\"4n-fctilEl81ig_NIa0GFHjV1wiMR5E9RuwJIrSnG6kDBZp2wxjRd8HY96xAC_mwKZzRLxHZnukLaSi4f43-wRuURQaIj8z" +
    "P8UFgH73C4sOp9rgRhsUlceniIasGE-3FKW0_2ofNMCNimYuSSIXfIyNvMdtptlg3BJv4gizH_l4\"}";
Consuming that JWE (2 of 2)
String jwecs = "eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ." +
    "knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0M" +
    "lmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4" +
    "wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhY" +
    "V-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ." +
    "OMRMiwPvh13089vcWAw_mg." +
    "G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw." +
    "rCjFpLbuWKQMJLzQEP4aSw";

PublicJsonWebKey jwk = PublicJsonWebKey.Factory.newPublicJwk(jwkJson);

JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setCompactSerialization(jwecs);
jwe.setKey(jwk.getPrivateKey());           // the private key unwraps the content encryption key
// getPayload() checks the authentication tag and decrypts; a JoseException means the JWE was rejected
String payload = jwe.getPayload();
System.out.println(payload);
Are we finished yet?
Yes, finished. See you at Boot Camp (maybe).
Thank you!
Brian Campbell @__b_c
CIS 2014
https://flic.kr/p/f7zK1V