Hi,
On 18/03/16 00:21, Giriraj Bhojak wrote:
Thank you Sergey.
I went through the spec. It mentions that the spec is not stable yet and is
subject to change. Would you know if it is widely used?
There are two specs involved here, JOSE and WebCrypto. The former is stable and is already quite widely used, though mostly in OAuth2 flows; but JOSE is independent of OAuth2.

WebCrypto is a browser-specific mechanism for how to get the keys, etc. The demo worked for me in Firefox/Chrome; not sure about the other browsers, though I might've tried IE too when trying on Windows, I do not remember now.

If you'd like to start doing signing/encrypting within a script running inside a browser then I guess you have to be prepared at this stage to go some not-very standard-safe path.


I was hoping to use one of the JavaScript tools such as jsrsasign, but
it looks like it is out of the picture.

Would you be able to share the source code/API details of the demo that you
gave in Apache Con?

On the demo page, click on the WebCrypto++ icon and it will bring you to a page with a link to the source code. In my demo I only replaced the server code which validates JWS signatures; the code that signs the data from within a script was the same as in the original demo.

I have not experimented with that script, I only wanted to demo the JOSE JWS interoperability between a non-CXF client (the script) and a CXF server.

Could you please expand on the trusted server approach you mentioned in the
follow-up?
If you cannot sign directly within the script then post the data to be signed to the trusted server, which will do it for you and return the signed data.

HTH, Sergey

Thank you for responding to my queries.

Thanks,
Giriraj
On Mar 17, 2016 6:10 PM, "Sergey Beryozkin" <sberyoz...@gmail.com> wrote:

Or a browser may ask a trusted server to help with it, and get this server
to return a String representing a JOSE payload; the script then forwards it
somewhere else...

Sergey
On 17/03/16 21:35, Sergey Beryozkin wrote:

Hi

You may be talking about WebCrypto.

If you have a CXF client sending JSON, then JWE/JWS protecting it is
easy enough, but if you have a script running in a browser then this script
has no access to the key stores, unless it is a WebCrypto-aware browser,
and most of them are by now AFAIK.

See this demo:

https://test.webpki.org/WCPPSignatureDemo/signcmd

(it says a password is 1234). It shows an interaction between a
WebCrypto (https://www.w3.org/TR/WebCryptoAPI/) browser based client
and a regular Java HTTP server, the data are signed, using JOSE (JWS
Compact) as one option.

I actually presented this demo at Apache Con NA 2015, except I replaced
the demo server with a CXF JWS-enabled server.

Sergey
On 17/03/16 15:45, Giriraj Bhojak wrote:

Hi,

I have been struggling with a basic question related to using signing and
encryption for REST services.

If the REST call (using JSON) happens over http or https via a browser,
how can I ensure that the JSON payload is signed and encrypted, just like a
SOAP request that is signed and encrypted?

Is there a JavaScript component that I can use to implement JOSE for
browser based REST requests?

Or am I interpreting this in a wrong way?

Thanks,
Giriraj.
--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/