Questions on Assymetric Keys
Closed this issue · 5 comments
I'm learning my way through this spec and lib and have a couple of questions.
- Is there a way to generate AssymetricKeys without the following code:
$privateKey = new AsymmetricSecretKey(sodium_crypto_sign_keypair());
$publicKey = $privateKey->getPublicKey();
var_dump($privateKey->encode());
var_dump($publicKey->encode());
Meaning is it possible to supply my own custom key in place of sodium_crypto_sign_keypair()
as the argument? Thus far I have been unsuccessful and have had to copy the output of the encoded private key and use it like so to decode:
$privateKey = AsymmetricSecretKey::fromEncodedString('62Z63Tlo27ijk355y-4BkPdTquSGgvftHncfTTqBsj1jhs6kGN63VYUh3ZpqLHOAur3n7bfHGepU3_d5_yz1yg');
echo Version4::verify($token, $privateKey->getPublicKey());
When trying building keys like this I am unable to decode them:
new AsymmetricSecretKey('mabdivRiQuavvunOtIkwalOwbocImsAls8SlafdovShatvegbisOfvaHedIcVenn');
- When I decode public PASETOs I am not seeing footer data like I do with local ones:
{"claim_data":"is encrypted","sub":"5e28e9ed-f3e1-4eb2-aa88-8d618f4021ee","iat":"2022-05-26T03:47:35+00:00","nbf":"2022-05-26T03:47:35+00:00","exp":"2022-05-27T03:47:35+00:00"}
- I take it that AsymmetricKeys are not a replacement for JWKS. But I am unsure whether KeyRings are the replacement or if PASERK is?
- Yes:
paseto/src/Keys/AsymmetricSecretKey.php
Lines 156 to 166 in 2c8c4be
$key = AsymmetricSecretKey::generate($version);
Don't generate keys elsewhere then import them. Instead, generate with the library then export. PASERK helps here.
More information: https://github.com/paseto-standard/paserk
-
There are other methods. We intentionally don't clobber claim values with the footer, or vice-versa, and keep them separate.
JsonToken
hasgetFooterArray()
. -
The
KeyRing
class does what a JWK does at runtime, but for advanced use-cases, PASERK provides those features instead of polluting PASETO with features.
Thanks for the answers.
Any thoughts about providing a shell command within this library to generate AssymetricKeys or is that found within PASERK?
We hadn't considered that, but it might be a useful thing to make.
Yes, would be nice if I could run something like vendor/bin/paseto keygen
or vendor/bin/paseto keygen -encode
or whatever...
Ps. @paragonie-security I could try my hand at building one. Just not sure if this library would prefer to roll its own command ala phpcs or would be okay pulling in a depedency like symfony/console to ease creation.