dart jwt


Anders Holmgren

Feb 23, 2014, 6:37:35 PM
to mi...@dartlang.org
Anyone aware of any JWT implementations for Dart? My searching has failed to find any.

cheers
Anders

Warren

Feb 24, 2014, 8:41:14 AM
to mi...@dartlang.org


I started looking at this but didn't get very far. The challenge is that you need a lot of crypto libs to handle signing and verification of JWT tokens. When I looked, these libraries didn't exist.

Ivan Zaera Avellon

Feb 24, 2014, 9:01:14 AM
to mi...@dartlang.org
> The challenge is that you need a lot of crypto libs to handle signing and verification


You have a beautiful ;-P package called cipher (http://izaera.github.io/cipher/) for that.

That said, I don't know if the algorithms I'm covering right now in cipher are enough to implement JWT...


Cheers,
Ivan



Martin Kustermann

Feb 24, 2014, 10:14:10 AM
to mi...@dartlang.org
Hi Anders,

As was already mentioned by Warren, JWT requires cryptography. Which algorithms in detail depends on what the token-issuing end supports. E.g., for accessing Google APIs, you can create a service account in a Google Cloud project and follow [0]. In this case you need the SHA+RSA algorithms for signing.

I've recently played a bit with this: When creating the service account, you'll get a *.p12 file. You can extract the private key from it into a *.pem file. Afterwards you can write a dart program to get an access token by using the 'openssl' command-line utility for the signing part.
You can find a simple proof-of-concept written in dart attached to this mail (tested on linux).

Since I'm not familiar with the cipher package, I can't tell you whether it contains the algorithms you need.
@Ivan: Does your package include an implementation of RSA?

jwt_token_generator.dart

Ivan Zaera Avellon

Feb 24, 2014, 10:27:45 AM
to mi...@dartlang.org

> @Ivan: Does your package include an implementation of RSA?

Yes. It has RSA encryption and signature ported from Bouncy Castle implementations. Regarding SHA-*, they are also implemented. More detailed info here: https://github.com/izaera/cipher/wiki/Table-of-provided-algorithms

I'll be releasing a new version during this week. In the meantime you can have a look at github's branch here: https://github.com/izaera/cipher/tree/development (It should not change too much until I release the new version).

Feel free to ask for any help you might need.

Cheers,
Ivan



Warren

Feb 24, 2014, 12:42:42 PM
to mi...@dartlang.org


Here is the latest excerpt from the JWT spec (http://tools.ietf.org/html/draft-ietf-jose-json-web-key-21)

   Of the signature and MAC algorithms specified in JSON Web Algorithms
   (JWA) [JWA], only HMAC SHA-256 ("HS256") and "none" MUST be
   implemented by conforming JWT implementations.  It is RECOMMENDED
   that implementations also support RSASSA-PKCS1-V1_5 with the SHA-256
   hash algorithm ("RS256") and ECDSA using the P-256 curve and the SHA-
   256 hash algorithm ("ES256").  Support for other algorithms and key
   sizes is OPTIONAL.

   If an implementation provides encryption capabilities, of the
   encryption algorithms specified in [JWA], only RSAES-PKCS1-V1_5 with
   2048 bit keys ("RSA1_5"), AES Key Wrap with 128 and 256 bit keys
   ("A128KW" and "A256KW"), and the composite authenticated encryption
   algorithm using AES CBC and HMAC SHA-2 ("A128CBC-HS256" and
   "A256CBC-HS512") MUST be implemented by conforming implementations.
   It is RECOMMENDED that implementations also support using ECDH-ES to
   agree upon a key used to wrap the Content Encryption Key
   ("ECDH-ES+A128KW" and "ECDH-ES+A256KW") and AES in Galois/Counter
   Mode (GCM) with 128 bit and 256 bit keys ("A128GCM" and "A256GCM").
   Support for other algorithms and key sizes is OPTIONAL.


So it looks like your package handles the MAC and signature piece - and possibly the encryption?


Ivan Zaera Avellon

Feb 24, 2014, 3:14:13 PM
to mi...@dartlang.org

It seems that mostly everything listed there is implemented directly, and for things which are not (for example: AES key wrap) you would have at least the building pieces (namely AES in that case). Also, missing things may be contributed and I plan to keep adding functionality to cipher.


> On 24/02/14 16:14, Martin Kustermann wrote:
> > [0] https://developers.google.com/accounts/docs/OAuth2ServiceAccount

Anders Holmgren

Feb 24, 2014, 4:28:23 PM
to mi...@dartlang.org
I'm hoping to get to do a 20% project to create a Dart version of our addon framework. Our hosts issue and consume JWT. I'm pretty certain I'll get away with just one algorithm.

If I get this off the ground then I may need to implement enough of jwt (on top of the crypto lib) for my needs.

Happy to collaborate w anyone that's interested.

There's an outside chance I'll get time this week.

Cheers
Anders

Anders Holmgren

Feb 24, 2014, 5:04:44 PM
to mi...@dartlang.org
Just checked and we're using HS256 so looks like crypto lib has what we need
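
As an added example (not code from this thread or from the cipher package): HS256 signing and verification in Dart, with the verifier pinning `alg` to HS256 so that a token declaring `"none"`, which the quoted spec text also lists, or any other algorithm is rejected. It assumes the `crypto` package from pub as a dependency; the function names, claims and key are constructed for illustration.

```dart
import 'dart:convert';
import 'package:crypto/crypto.dart'; // assumption: pub package "crypto"

// base64url without '=' padding, as the JWS compact form requires.
String _b64(List<int> bytes) => base64Url.encode(bytes).replaceAll('=', '');
List<int> _unb64(String s) => base64Url.decode(base64Url.normalize(s));
List<int> _mac(List<int> key, String signingInput) =>
    Hmac(sha256, key).convert(utf8.encode(signingInput)).bytes;

/// Builds a compact token: base64url(header).base64url(claims).base64url(mac)
String signHs256(Map<String, dynamic> claims, List<int> key) {
  final header = _b64(utf8.encode(jsonEncode({'alg': 'HS256', 'typ': 'JWT'})));
  final payload = _b64(utf8.encode(jsonEncode(claims)));
  final input = '$header.$payload';
  return '$input.${_b64(_mac(key, input))}';
}

/// Returns the claims if [token] is a valid, unexpired HS256 token, else null.
Map<String, dynamic>? verifyHs256(String token, List<int> key, {DateTime? now}) {
  final parts = token.split('.');
  if (parts.length != 3) return null;
  try {
    final header = jsonDecode(utf8.decode(_unb64(parts[0])));
    // Pin the algorithm: the token must not get to choose it.
    if (header is! Map || header['alg'] != 'HS256') return null;
    final given = _unb64(parts[2]);
    final expected = _mac(key, '${parts[0]}.${parts[1]}');
    // Compare the MACs without an early exit on the first differing byte.
    var diff = given.length ^ expected.length;
    for (var i = 0; i < expected.length; i++) {
      diff |= expected[i] ^ (i < given.length ? given[i] : 0);
    }
    if (diff != 0) return null;
    final claims = jsonDecode(utf8.decode(_unb64(parts[1])));
    if (claims is! Map<String, dynamic>) return null;
    final exp = claims['exp'];
    final t = (now ?? DateTime.now()).millisecondsSinceEpoch ~/ 1000;
    if (exp is num && t >= exp) return null; // expired
    return claims;
  } on FormatException {
    return null; // malformed base64url, UTF-8 or JSON
  }
}

void main() {
  final key = utf8.encode('constructed-demo-secret'); // constructed sample key
  final token = signHs256({'iss': 'demo-host', 'exp': 4102444800}, key);
  final none = '${_b64(utf8.encode('{"alg":"none"}'))}.${token.split('.')[1]}.';
  print([verifyHs256(token, key), verifyHs256(none, key)]);
}
```

The claims are parsed only after the MAC check succeeds, so nothing from an unauthenticated payload is acted on.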