node-jose | JavaScript implementation of the JSON Object Signing | Encryption library
kandi X-RAY | node-jose Summary
A JavaScript implementation of the JSON Object Signing and Encryption (JOSE) for current web browsers and node.js-based servers. This library implements (wherever possible) all algorithms, formats, and options in JWS, JWE, JWK, and JWA and uses native cryptographic support (WebCrypto API or node.js' "crypto" module) where feasible.
Top functions reviewed by kandi - BETA
- Provides a JWT.
- Decrypts the given JWS object.
- Generates a PSM cipher.
- Create encrypt.
- Decrypt in GCM.
- Derive a private key.
- Create a sign function.
- k-encrypt.
- Generate a key from a hash.
- Verify an HMAC.
node-jose Examples and Code Snippets
var jose = require('node-jose')
async function tokenVerifyer()
{
let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzZXJpYWxfbnVtYmVyIjoiNWYxMGExNjMtMjk2OC00ZDZkLWIyZDgtOGQxNjQwMDNlMmQ0Iiwic2VxIjo1MTI4MTYsIm5hbWUiOiJOYW1lMSIsImlkIj
var f5 = require('f5-nodejs');
const { JWE, JWK } = require('node-jose')
var ilx = new f5.ILXServer();
var contentAlg = "A128CBC-HS256";
var key = "nok";
var token = "nok";
const skey =
{
"kty": "RSA",
"e": "AQAB",
"use": "enc"
Community Discussions
Trending Discussions on node-jose
QUESTION
I am trying to use node-jose to verify signatures of my JWTs. I know the secret, but am having trouble converting this secret into a JWK used for the verification.
Here is an example of how I am trying to create my key with my secret and verify my token. This results in Error: no key found.
ANSWER
Answered 2021-Dec-28 at 20:08
You have three problems with your code.
1. Due to the asynchronous nature of the promises, key gets a value when the promise is fulfilled (in the .then part), but that happens after the next line gets called. Place a console.log(key) directly after the line jose.JWK.asKey(... and you see you get "undefined" as a result. So there is actually no key.
2. The k value in a JWK is treated as a Base64Url encoded octet. When you sign the token, you have to use the base64url decoded value of k, but not k directly.
3. The secret "SuperSecretKey" is too short for node-jose. For the HS256 algorithm, the secret has to be 256 bits long. node-jose seems to be quite strict, compared to other libs.
To solve the first problem, you can either nest the calls (which quickly becomes hard to read), or use the async/await syntax like shown below:
QUESTION
I am trying to create a JWE Token using the node-jose library's createEncrypt method. The problem is, I want to set the kid to a certain value. But when importing the key using the jose.JWK.asKey method, it's automatically calculating the kid and won't let me change/set it. Here is the sample code:
ANSWER
Answered 2021-Dec-23 at 09:44
The kid is calculated automatically, when it's not known during the import:
When importing or generating a key that does not have a "kid" defined, a "SHA-256" thumbprint is calculated and used as the "kid".
(see https://github.com/cisco/node-jose#obtaining-a-keys-thumbprint)
But in the call to JWK.asKey, you can pass an additional parameter extras, that sets values for existing fields or contains additional fields for the JWK.
For your use case, you can set a kid as a JSON object
QUESTION
How can I validate an in-app purchase JWS Representation from StoreKit2 on my backend in Node?
It's easy enough to decode the payload, but I can't find public keys that Apple uses to sign these JWS/JWTs anywhere. Any other time I've worked with JWTs, you simply used the node jsonwebtoken library and passed in the signer's public key or shared secret key, either configured or fetched from a JWK.
I can easily decode the JWS using node-jose
j.JWS.createVerify().verify(jwsString, {allowEmbeddedKey: true}).then(r => obj = r)
which gives me an object like:
ANSWER
Answered 2021-Oct-09 at 20:32
The JWS x5c header parameter contains the entire certificate chain used to sign and validate the JWS. There is no need to fetch any other certificates or keys.
The RFC specifies that the certificate corresponding to the public key that was used to sign the JWS must be the first certificate.
You can extract the public key from this certificate and use it to verify the JWS signature. There is some guidance on this in this answer
One of the great improvements in StoreKit2 is that you are no longer required to use a server to validate in app purchase transactions securely.
Apple's WWDC 2021 session on StoreKit2 describes the content of the JWS and also shows how to validate on device that the JWS was actually generated for that device.
But, what if you do want to validate the transaction on a server? Since the x5c claim contains the certificate chain, an attacker could sign a forged JWS with their own certificate and include that certificate in the x5c claim.
The answer is that you have your app send the original transaction id to your server along with any other information you need, such as the user's account identifier. Your server can then request the corresponding JWS from Apple and validate the signature of the returned JWS.
As the JWS was fetched from Apple by your server code it can be sure that it is not a spoofed JWS.
If possible, include an appAccountToken in your purchase request and either determine the expected token value based on the user's authentication to your server or (less effective) have your app supply the token when it supplies the original transaction id. You can then verify the token value in the JWS matches the expected value. This makes it harder for an attacker to replay some other purchase event.
QUESTION
I've recently been working on implementing a web service that signs and issues JWT and also exposes the JWKs endpoint for the JWT validation purposes.
It's all fairly straightforward with the JWT / JWK according to the IETF spec, but I noticed something curious which I cannot explain just yet:
TL;DR: why EC P-256 source key works for the signing JWT with RSA algo?
Long story:
I am using a pre-existing private key file to sign the JWT and also to import the JWK to the node-jose keystore.
Keystore:
...
ANSWER
Answered 2021-Aug-24 at 13:21
Apparently, the problem was not in the JWT / JWK dependencies, but in the chain of openssl commands which were involved in the key and X509 generation process.
One of the commands - openssl req - mistakenly contained param -keyout (instead of -key) which was implicitly generating an RSA key without any mention of the key type in its source, as well as overriding the original EC key.
Unfortunately, I couldn't find a simple openssl command to verify the key type - something that I tried to do before posting this question - but my general recommendation is to look for the key type in the key source file. Looks like it is either explicitly stated, or implicitly assumed as RSA.
QUESTION
I am writing below code to get jwt token, which I want to validate with the SMART Health Cards Validation SDK
...
ANSWER
Answered 2021-Jul-15 at 12:28
You got basically two main errors:
The first one (I count these two messages as part of one error)
· JWS header missing 'zip' property.
· Error inflating JWS payload. Did you use raw DEFLATE compression?
means, that your token is not in the correct format.
Smart Health Cards require a compressed payload, using the DEFLATE (see RFC1951) algorithm, and a "zip" header with the value "DEF" to show that the payload is compressed, something I have only seen defined in the JWE RFC, but not for JWS. Most JWT libraries probably don't offer deflating payload for signed tokens, and node-jose also only supports this for JWE, therefore it has to be done manually.
To achieve that, you can use zlib to compress the payload and manually add a "zip":"DEF" to the header:
QUESTION
I have to encrypt the payload using ES256 algorithm. Also have to use kid in JWK as described in below code. I am using the jose libraries for creating signature. Below is the code:
...
ANSWER
Answered 2021-Jul-12 at 13:11
The alg parameter ({alg: 'ES256'}) is correct but the provided JWK is not complete, it's missing some parameters.
You have to provide the curve (crv), x and y coordinates (x, y) and ECC Private Key (d).
QUESTION
In jsonwebtoken, the option ignoreExpiration can be used as below for HS256:
ANSWER
Answered 2021-Mar-29 at 10:39
node-jose is for general JOSE constructs, it does not support the JWT Claim Set validations like exp, iat, iss, aud, etc.
Therefore ignoreExpiration is not a valid option for any of the node-jose APIs.
You can of course refer to node-jose documentation to see there's no mention of any such option.
QUESTION
The app follows the instruction on node-jose 2.0.0 for import .pem key. Here is the documentation:
ANSWER
Answered 2021-Mar-29 at 10:36
(as of March 2021) node-jose does not support the following keys: Ed25519, Ed448, X25519, or X448. It also does not support the secp256k1 EC curve. For any of those it will return the error you're encountering. As a result it does not support the JWS Algorithms EdDSA or ES256K.
On the other hand https://github.com/panva/jose supports all of the above in Node.js runtime.
QUESTION
I have this problem, I created a JWE in node.js using node-jose by this way:
...
ANSWER
Answered 2020-Jun-04 at 11:24
k is a base64url encoded representation of the octet key, unless the go interface specifically mentions passing keys in JWK format, which it doesn't, you need to provide the raw key. base64url.decode() the k to get the raw key bytes.
Also, as a sidenote, PBES2-HS256+A128KW is intended to be used with passwords, not keys, given it's computationally heavy I'd recommend a different key wrapping algorithm (not a symmetric passphrase based one). You can use asymmetric crypto to encrypt for a recipient. And if you also want to achieve authentication of the message, don't use key wrapping at all, use the Direct Key Agreement from JWE instead.
QUESTION
For a job where I need to put in place an oauth client authentication with private_key_jwt on an F5 big-ip.
Since the built-in module for oauth doesn't take in charge this kind of authentication, this has to be achieved via their iRuleLX module which is nodejs based.
I have the following code to encrypt the JWT, but on some system, the result of the first promise is not available before the second promise is executed, which leads to an error ofc.
I made some google effort to find a way to process the two promises sequentially, but I was not able to find the correct way to achieve it (process asKey before executing the createEncrypt promise).
To be honest I'm not familiar with Node.js.
ANSWER
Answered 2020-Mar-04 at 08:35
You can use async await:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network