jpf/lokey

Use in real world

Opened this issue · 4 comments

tc09 commented

When I did

$ lokey fetch jwk login.yahoo.com
Multiple keys found:

  • 3466d51f7dd0c780565688c183921816c45889ad
  • 6ff94cdad11e7c3ac08dc9ec3c44844b87e364f7
    Printing the first key ('3466d51f7dd0c780565688c183921816c45889ad')
    {"use": "sig", "crv": "P-256", "kty": "EC", "alg": "ES256", "y": "AK8V_Tgg_ayGoXiseiwLOClkekc9fi49aYUQpnY1Ay_y", "x": "cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I", "kid": "3466d51f7dd0c780565688c183921816c45889ad"}

What I would like to have is some way to get the PEM files for the two keys.

I know about the lokey to pem. But I am struggling with the correct inputs from what I can retrieve from yahoo.

jpf commented

I struggled with how to handle this sort of scenario. Can you explain more about what you're trying to accomplish? That would help me figure out what the right sort of syntax would be. Suggestions welcome too!

tc09 commented

There are two things I could share with you based on my further experience with it.

One, you could simply print out the PEM format of the multiple keys.
Two, at the moment lokey does not seem to handle the EC public key. The lokey to pem does work with an RSA public key. To try this out, the output we have earlier, {"use": "sig", ... ad"}, could be saved into, say, key2. Then cat key2 | lokey to pem would complain:

Error: Input is not recognized. Got this on input:

{"kty":"EC","alg":"ES256","use":"sig","crv":"P-256","kid":"3466d51f7dd0c780565688c183921816c45889ad","x":"cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I","y":"AK8V_Tgg_ayGoXiseiwLOClkekc9fi49aYUQpnY1Ay_y"}

tc09 commented

One possible design for your interface could be

lokey fetch jwk login.yahoo.com

to print out all the keys from login.yahoo.com similar to what yahoo does in the https://login.yahoo.com/openid/v1/certs:

{"keys":[{"kty":"RSA","alg":"RS256","use":"sig","kid":"6ff94cdad11e7c3ac08dc9ec3c44844b87e364f7","n":"AL1LkSgnGk-sKqFDBrojoqvpqOwmN7tgvz0p6J9g8O_nOzXMAwzMUUs4H_FMgeNWcuE6XzJX3spVwAYBp-rBLwyXXCGbO_chhwcpBDNndlZyqS2zOvwmZYdh4MhrUnIOcA8cdDB1hqoDdKOx9M-EjuoafcgqEPA7rWsZTH6TITMP","e":"AQAB"},{"kty":"EC","alg":"ES256","use":"sig","crv":"P-256","kid":"3466d51f7dd0c780565688c183921816c45889ad","x":"cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I","y":"AK8V_Tgg_ayGoXiseiwLOClkekc9fi49aYUQpnY1Ay_y"}]}

Then lokey fetch jwk login.yahoo.com | lokey to pem could simply print out the two keys in PEM formats.
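The conversion described in this comment, written out as an added example (this is not lokey's own code): it walks a JWK Set, turns each RSA or P-256 key into a SubjectPublicKeyInfo PEM using only the standard library, and keeps each key's kid next to its PEM. The sample JWKS is the one quoted from login.yahoo.com above; all function names and the DER helpers are this example's own. It also covers the earlier comment about the EC key being rejected: the key quoted above encodes y as 33 bytes with a leading 0x00, which RFC 7518 does not allow, so a strict decoder refuses it. The example normalises the coordinates through integers and then verifies the point lies on P-256 before emitting anything.

```python
"""Convert every public key in a JWK Set (RFC 7517) to SubjectPublicKeyInfo PEM.
Standard library only; the DER for RSA and P-256 keys is small enough to build by hand."""
import base64
import json

# Constructed sample input: the JWK Set from login.yahoo.com/openid/v1/certs as quoted
# in the issue (one RS256 key, one ES256 key). Any other JWK Set works the same way.
JWKS_JSON = (
    '{"keys":[{"kty":"RSA","alg":"RS256","use":"sig","kid":"6ff94cdad11e7c3ac08dc9ec3c44844b87e364f7",'
    '"n":"AL1LkSgnGk-sKqFDBrojoqvpqOwmN7tgvz0p6J9g8O_nOzXMAwzMUUs4H_FMgeNWcuE6XzJX3spVwAYBp-rBLwyXXCGbO_chhwcpBDNndlZyqS2zOvwmZYdh4MhrUnIOcA8cdDB1hqoDdKOx9M-EjuoafcgqEPA7rWsZTH6TITMP",'
    '"e":"AQAB"},{"kty":"EC","alg":"ES256","use":"sig","crv":"P-256","kid":"3466d51f7dd0c780565688c183921816c45889ad",'
    '"x":"cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I","y":"AK8V_Tgg_ayGoXiseiwLOClkekc9fi49aYUQpnY1Ay_y"}]}'
)

# P-256 (secp256r1) parameters: y^2 = x^3 - 3x + b over GF(p).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def b64url_decode(s):
    """JWK fields are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# --- minimal DER encoder (X.690) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_seq(*items):
    return _tlv(0x30, b"".join(items))


def der_int(v):
    """Unsigned INTEGER: DER needs a leading 0x00 when the top bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def der_bitstring(b):
    return _tlv(0x03, b"\x00" + b)  # first byte = count of unused bits (0)


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def jwk_to_spki_der(jwk):
    """Return (SubjectPublicKeyInfo DER, key size in bits) for an RSA or P-256 JWK."""
    if jwk.get("kty") == "RSA":
        n = int.from_bytes(b64url_decode(jwk["n"]), "big")
        e = int.from_bytes(b64url_decode(jwk["e"]), "big")
        if e < 3 or e % 2 == 0:
            raise ValueError("implausible RSA public exponent")
        alg_id = der_seq(der_oid("1.2.840.113549.1.1.1"), b"\x05\x00")  # rsaEncryption, NULL
        return der_seq(alg_id, der_bitstring(der_seq(der_int(n), der_int(e)))), n.bit_length()
    if jwk.get("kty") == "EC" and jwk.get("crv") == "P-256":
        # RFC 7518 wants exactly 32-byte coordinates; the key quoted in the issue carries a
        # 33-byte "y" with a sign-padding 0x00, so normalise through integers rather than
        # trusting the byte length, then refuse anything that is not a point on the curve.
        x = int.from_bytes(b64url_decode(jwk["x"]), "big")
        y = int.from_bytes(b64url_decode(jwk["y"]), "big")
        if not (x < P256_P and y < P256_P) or (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P:
            raise ValueError("EC point is not on P-256")
        point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")  # uncompressed form
        alg_id = der_seq(der_oid("1.2.840.10045.2.1"), der_oid("1.2.840.10045.3.1.7"))
        return der_seq(alg_id, der_bitstring(point)), 256
    raise ValueError(f"unsupported key type {jwk.get('kty')}/{jwk.get('crv')}")


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def jwks_to_pems(jwks_json):
    """One record per key, in JWKS order, so each kid can be matched to its PEM."""
    out = []
    for jwk in json.loads(jwks_json)["keys"]:
        der, bits = jwk_to_spki_der(jwk)
        out.append({"kid": jwk.get("kid"), "kty": jwk["kty"], "alg": jwk.get("alg"),
                    "bits": bits, "der": der, "pem": der_to_pem(der)})
    return out


if __name__ == "__main__":
    for rec in jwks_to_pems(JWKS_JSON):
        print(f"# kid={rec['kid']} {rec['kty']} {rec['alg']} {rec['bits']}-bit")
        print(rec["pem"], end="")
```

Run as a script it prints both PEMs, each preceded by a "# kid=..." line, which is the multi-key output this comment proposes. The curve-membership check is the part a validator should not skip when it consumes keys fetched from a remote JWKS endpoint, and the size the script reports is worth reading: the RSA key quoted above decodes to a 1024-bit modulus.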

jpf commented

Oh, interesting. I didn't consider using the JWK format for multiple keys. That's a good idea.

As far as EC keys go, I don't know enough about elliptic curves to know how easy it is to switch formats around like you can with RSA keys (my guess would be yes, but my "minimum viable product" was RSA).

Lastly, I built lokey because I found myself converting keys a lot in validation code I was writing. But I have no idea how other people would use lokey - what are you using it for?