C# JWKs - JSON Web Keys (RFC7517)

This repository provides an implementation in C# of RFC7517 (JSON Web Keys).

Notice: The current implementation has been used in a production environment.
However, no support will be offered for this project. Here be dragons. Please file any bugs you may find.

Getting Started

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key.

All details of the implementation are based on the following literature:

Supported Key Types for creating new JWKs (with the corresponding intended algorithm):

Algorithm Support
RSA RS256, RS384, RS512
Elliptic Curves ES256, ES384, ES512
HMAC HS256, HS384, HS512
AES A128GCMKW, A192GCMKW, A256GCMKW
None none
Meaning
Fully implemented and tested
Currently being implemented / Untested
Not implemented yet

Building JSON Web Key Sets is also supported.

Build

The following configuration has been successfully tested for building and running the project:

  • Visual Studio for Mac - Version 17.4.2 (build 17)
  • .NET Core - Version 6.0.402

Build status

Limitations

Project TODOs

  • [] Complete support for all JWK key types
  • [] Support for EdDSA keys (See RFC8037)
  • [] Support for x5u, x5c, x5t, x5t#S256 parameters in a JWK
  • [] Check for required key parameters on deserialization
  • [] Follow RFC7517 security considerations guidelines

INSTALL

NuGet

https://www.nuget.org/packages/CreativeCode.JWK/

dotnet add package CreativeCode.JWK

Building from source

  1. git clone https://github.com/alexzautke/JWK.git
  2. dotnet pack -c Release
  3. Install NuGet package from local source

Usage

See JWK Example

Test

Simply run dotnet test in the root folder of the project. All tests should be passing.

Security Considerations

More details about security risks associated with JWKs are documented in section 9 of RFC7517.

Key Provenance and Trust

One should place no more trust in the data cryptographically secured by a key than in the method by which it was obtained and in the trustworthiness of the entity asserting an association with the key.

Please follow the recommendations on how to obtain a JWK.

Current issues:

  • This library does not currently support the "x5c" element within a JWK. It would enable the user to provide additional information about the authorship of the key.

Preventing Disclosure of Non-public Key Information

Private and symmetric keys MUST be protected from disclosure to unintended parties.

Current issues:

  • This library does not currently use any kind of protected memory to store the generated key associated with a JWK.
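
One way to check required key parameters on deserialization and to catch private or symmetric material before a JWK is handed to other parties, shown as an added example (not code from this library, and it does not use the library's API). It relies only on System.Text.Json; the member names per key type follow RFC 7518 section 6, and the class name, method name and sample keys are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

static class JwkInspector // hypothetical name, not part of CreativeCode.JWK
{
    // Required public members per key type (RFC 7518 section 6).
    static readonly Dictionary<string, string[]> Required = new()
    {
        ["EC"] = new[] { "crv", "x", "y" },
        ["RSA"] = new[] { "n", "e" },
        ["oct"] = new[] { "k" },
    };
    // Members carrying private or symmetric key material.
    static readonly Dictionary<string, string[]> Secret = new()
    {
        ["EC"] = new[] { "d" },
        ["RSA"] = new[] { "d", "p", "q", "dp", "dq", "qi", "oth" },
        ["oct"] = new[] { "k" },
    };

    // Returns the required members that are absent and the secret members that are present.
    public static (string[] Missing, string[] Exposed) Inspect(string json)
    {
        using var doc = JsonDocument.Parse(json);
        var root = doc.RootElement;
        if (root.ValueKind != JsonValueKind.Object ||
            !root.TryGetProperty("kty", out var kty) || kty.ValueKind != JsonValueKind.String)
            throw new FormatException("JWK must be a JSON object with a string \"kty\"");
        var type = kty.GetString() ?? "";
        if (!Required.ContainsKey(type))
            throw new NotSupportedException("Unhandled kty: " + type);
        bool Has(string name) => root.TryGetProperty(name, out _);
        return (Required[type].Where(m => !Has(m)).ToArray(), Secret[type].Where(Has).ToArray());
    }

    static void Main()
    {
        // Constructed samples; values are placeholders, not real key material.
        foreach (var jwk in new[] {
            @"{""kty"":""EC"",""crv"":""P-256"",""x"":""x-placeholder"",""y"":""y-placeholder""}",
            @"{""kty"":""EC"",""crv"":""P-256"",""x"":""x-placeholder""}",
            @"{""kty"":""RSA"",""n"":""n-placeholder"",""e"":""AQAB"",""d"":""d-placeholder""}" })
        {
            var (missing, exposed) = Inspect(jwk);
            Console.WriteLine("missing=[" + string.Join(",", missing) + "] secret=[" + string.Join(",", exposed) + "]");
        }
    }
}
```

A JWK with a non-empty `Exposed` list belongs in a key store, not in a published JWK Set; a non-empty `Missing` list means the key should be rejected at deserialization.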

Key Entropy and Random Values

Keys are only as strong as the amount of entropy used to generate them.

Current issues:

  • This library does not currently check if "enough" entropy is available on a system to generate a secure key.

License

This project is licensed under the MIT License - see the LICENSE file for details