1. I Left My JWT in San JOSE
Brian Campbell
@__b_c
Cloud Identity Summit 2014
http://www.slideshare.net/briandavidcampbell
A technical overview of JSON Web
Token (JWT) and JavaScript Object
Signing and Encryption (JOSE)
3. More Introductions…
Copyright © 2014 Ping Identity Corp. All rights reserved.
https://twitter.com/itickr/status/354999490928857088
https://flic.kr/p/f6PKjB
4. • JavaScript Object Signing and Encryption (JOSE)
– JSON Web Signature (JWS)
• A way of representing content secured with a digital
signature or MAC using JSON data structures and base64url
encoding
– JSON Web Encryption (JWE)
• Like JWS but for encrypting content
– JSON Web Key (JWK)
• JSON data structures representing cryptographic keys
– JSON Web Algorithms (JWA)
• Defines the use of cryptographic algorithms and identifiers for
JWS, JWE and JWK
• JSON Web Token (JWT)
– A compact URL-safe means of representing claims/attributes
to be transferred between two parties
– A JWT is a JWS and/or a JWE with JSON claims as the
payload
JWT + JOSE Overview [diagram: JWT sits on top of JWS and JWE, which use JWK; all of it is JSON]
5. • Not even official RFCs yet but
– Well regarded
– And widely used:
• OAuth
• OpenID Connect
• Mozilla Persona (ahem)
• W3C Web Cryptography API
• + more…
Three nerds holding a blurry piece of paper they tell me is
some kind of award for the JOSE & JWT work.
http://www.kuppingercole.com/article/award2014
JWT + JOSE in the Wild
6. What’s in a Name?
https://twitter.com/metadaddy/status/454422069199900672
JW*
7. But you wouldn't name your child ‘Attila the Hun’
would you?
"Attila, Scourge of God"
http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg
I didn’t…
8. What would JOSE do? ‡
Call it
JW-STEAK
‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended
by it, in which case I’m not at all reluctant about blaming him.
JW-
JWS
JWT
JWE
JWA
JWK
9. Because who doesn’t like a
good steak?
Don Julio is a famous (to gringo tourists anyway) steakhouse
in Buenos Aires, Argentina - https://flic.kr/p/ezE99U
10. Okay, fine…
• Technically speaking, my
vegan coworker does not like
steak
• Even if it is ‘good’
• But let’s not split hairs on this
one…
11. Awkward Transition… into some of the more technical details
Few things are more
awkward than Paul Madsen
eating a Slim Jim while
wearing a sailor's outfit and
bowtie
12. All The Cool Kids Are Doing It
{"JSON" : "a lightweight & human-readable data-interchange
format"}
13. The 64 Character Question
• base64
– A means of encoding binary data in a printable ASCII string format
– Each 6 bits -> 1 character
• From a 64 character alphabet comprised of 62 alphanumeric characters and "+" and "/"
• Also padding "="
– 3 bytes -> 4 characters
• base64url
– uses a URL safe alphabet rather than that of regular base64, whose "+", "/" and "=" all get percent-encoded in a URL
– "-" rather than "+"
– "_" rather than "/"
– Padding "=" is typically omitted
• A remaining unreserved URI character: "."
– This will prove important shortly
Example: 32 random bytes encoded
base64: qOo+pY+LPDB7sA2nuMp4TzmCThieol/J+bAXqcB8pAU=
base64url: qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU
URL encoded base64 (the "+", "/" and "=" all get escaped):
qOo%2BpY%2BLPDB7sA2nuMp4TzmCThieol%2FJ%2BbAXqcB8pAU%3D
URL encoded base64url (unchanged):
qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU
14. A closer look at JOSE’s bits and pieces: JWS
• JSON Web Signature (JWS)
• A way of representing content secured with a digital signature
or MAC
– Using a JSON data structure and base64url encoding
– Encoded segments are concatenated with a "."
– Intended for space constrained environments such as HTTP
Authorization headers and URI query parameters
• Conceptually Simple:
– <Header>.<Payload>.<Signature>
15. JOSE’s bits and pieces: The JWS Header
• JWS Header is a bit of JSON that describes the digital signature or MAC operation applied
to create the JWS Signature value
• Reserved Header Parameters
– "alg": Algorithm
– HMAC, RSA, RSA-PSS and ECDSA
– Unsigned/none (controversy!)
– Extensible
• "kid": Key ID
• "jku": JWK Set URL
• "jwk": JSON Web Key
• "x5u": X.509 URL
• "x5t": X.509 Thumbprint
• "x5c": X.509 Certificate Chain
• "typ": Type
• "cty": Content Type
Header Example:
"I signed this thing with RSA-SHA256
using the key we know as ‘9er’; you
can find the corresponding public key
at https://www.example.com/jwks"
{"alg":"RS256", "kid":"9er",
"jku":"https://www.example.com/jwks"}
16. JOSE’s bits and pieces: JWS Algorithms

Digital Signature or Message Authentication Code Algorithm     JWS "alg" Parameter Values
HMAC using SHA-2                                               HS256, HS384 and HS512
RSASSA-PKCS1-v1_5 Digital Signatures with SHA-2                RS256, RS384 and RS512
Elliptic Curve Digital Signatures (ECDSA) with SHA-2           ES256, ES384 and ES512
RSASSA-PSS Digital Signatures with SHA-2                       PS256, PS384 and PS512
Unsigned Plaintext                                             none
18. Jingoistic JWS Example
Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Header (going to sign with ECDSA P-256 SHA-256 via "my-first-key") ->
{"alg":"ES256","kid":"my-first-key"}
base64url encoded header ->
eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9
Secured Input ->
eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ
base64url encoded signature over the Secured Input ->
QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
JWS Compact Serialization (line breaks after dots added for readability) ->
eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.
VVNBICMxIQ.
QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
Which you can think of sort of like:
{"alg":"ES256","kid":"my-first-key"}."USA #1!".<SIGNATURE>
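The compact serialization above, split apart and checked in code, as an added example that is not from the slides or from jose4j. It uses only the Python standard library, so the sign-and-verify round trip is shown with HS256 (HMAC-SHA-256) and a constructed key; the slide's ES256 token is parsed and decoded, but its ECDSA signature is not verified here (that needs a crypto library). The key names, the demo key and the algorithm allow-list are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import re

# The ES256 example from the slide. Its ECDSA signature is decoded but not
# verified here; that needs a crypto library outside the standard library.
SLIDE_JWS = (
    "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9."
    "VVNBICMxIQ."
    "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA"
)

_B64URL_ALPHABET = re.compile(r"[A-Za-z0-9_-]*")


def b64url_encode(data: bytes) -> str:
    """base64url with the '=' padding omitted, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reject anything outside the base64url alphabet, then restore the padding."""
    if not _B64URL_ALPHABET.fullmatch(text):
        raise ValueError("not base64url")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_jws(compact: str) -> dict:
    """Split <Header>.<Payload>.<Signature> and decode the three parts.
    Nothing is trusted at this point: the header is attacker-controlled input."""
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("JWS Compact Serialization needs exactly three parts")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if not isinstance(header, dict):
        raise ValueError("JWS header must be a JSON object")
    return {
        "header": header,
        "payload": b64url_decode(p),
        "signature": b64url_decode(s),
        # The Secured Input the signature covers: ASCII of "<Header>.<Payload>"
        "signing_input": f"{h}.{p}".encode("ascii"),
    }


def sign_hs256(payload: bytes, key: bytes, kid: str) -> str:
    """Produce a compact JWS with "alg":"HS256"; kid names the (assumed) MAC key."""
    header = {"alg": "HS256", "kid": kid}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p = b64url_encode(payload)
    mac = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(mac)}"


def verify_hs256(compact: str, keys: dict, allowed_algs=("HS256",)) -> bytes:
    """Return the payload only if the MAC verifies under the key named by kid.
    The verifier, not the token, decides which algorithms are acceptable, so
    "none" (or anything else outside allowed_algs) is refused before any key
    is even looked up."""
    jws = parse_jws(compact)
    alg = jws["header"].get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not permitted")
    key = keys.get(jws["header"].get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, jws["signing_input"], hashlib.sha256).digest()
    # Constant-time comparison: a forger learns nothing from how long it took
    if not hmac.compare_digest(expected, jws["signature"]):
        raise ValueError("signature does not verify")
    return jws["payload"]


if __name__ == "__main__":
    parsed = parse_jws(SLIDE_JWS)
    print(parsed["header"], parsed["payload"], f"{len(parsed['signature'])}-byte signature")
    demo_key = b"\x01" * 32  # constructed demo key; use os.urandom(32) for a real one
    token = sign_hs256(b"USA #1!", demo_key, "hs-key")
    print(token)
    print(verify_hs256(token, {"hs-key": demo_key}))
```

Two points worth carrying into any verifier: the "alg" in a header is attacker-controlled, so the verifier keeps its own allow-list and rejects "none" (and anything it did not expect, such as an HS256 token arriving where ES256 is required) before touching a key; and the same goes for "jku", "jwk", "x5u" and "x5c" from the header slide: a verifier resolves keys only from sources it already trusts, never from a URL or an embedded key that the token itself supplies.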
19. JOSE’s bits and pieces: JWE
• JSON Web Encryption
• Similar in motivation and design to JWS but for encrypting content
• A little more complicated
– Headers
• "alg": Algorithm (key management: how the content encryption key is established, by direct use, encryption, wrapping or agreement)
• "enc": Encryption Method (Authenticated Encryption only)
• "zip": Compression Algorithm
– "DEF" for the DEFLATE Compressed Data Format from RFC 1951 is currently the only one
• "kid", "jku", "jwk", "x5u", "x5t", "x5c", etc.
• Five Parts
<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>
20. JOSE’s bits and pieces: JWE Content Encryption Algorithms ("enc")

Content Encryption Algorithm                                            JWE "enc" Parameter Values
Authenticated encryption with AES in Galois/Counter Mode (GCM)          A128GCM, A192GCM and A256GCM
Authenticated encryption with an AES-CBC and HMAC-SHA-2 composite       A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512
21. JOSE’s bits and pieces: JWE Key Management Algorithms ("alg")

Key Management Algorithm                                                                             JWE "alg" Parameter Values
Direct encryption with a shared symmetric key                                                        dir
RSAES-PKCS1-v1_5 key encryption                                                                      RSA1_5
RSAES using OAEP key encryption                                                                      RSA-OAEP and RSA-OAEP-256
AES key wrap                                                                                         A128KW, A192KW and A256KW
AES GCM key encryption                                                                               A128GCMKW, A192GCMKW and A256GCMKW
Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF                        ECDH-ES
Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF with AES key wrap      ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW
PBES2 with HMAC SHA-2 and AES key wrapping                                                           PBES2-HS256+A128KW, PBES2-
22. Payload/plaintext
-> I actually really like Canada
Header
-> {"kid":"use this one eh","alg":"RSA-OAEP","enc":"A128CBC-HS256"}
base64url encoded header
-> eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ
IV: base64url encoded 128 bit initialization vector -> OMRMiwPvh13089vcWAw_mg
Encrypted Key: RSA-OAEP used to wrap a random 256 bit content encryption key (A128CBC-HS256 uses the first 128 bits as the HMAC key and the last 128 bits as the AES key), base64url encoded ->
knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ
Ciphertext: base64url encoded AES-128-CBC encrypted payload -> G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw
Authentication Tag: base64url encoded left-most 128 bits of the HMAC-SHA-256 over the encoded header (the additional authenticated data), the IV, the ciphertext and the bit length of that header -> rCjFpLbuWKQMJLzQEP4aSw
JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>; line breaks after dots added for readability) ->
eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ.
knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ.
OMRMiwPvh13089vcWAw_mg.
G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw.
rCjFpLbuWKQMJLzQEP4aSw
Confessional JWE Example
23. An aside, eh.
Looking for material, I started to Google "never trust a Canadian"…
24. JWT
• JSON Web Token
• Suggested pronunciation: "jot"
• Compact URL-safe means of representing claims to be
transferred between two parties
• JWS and/or JWE with JSON claims as the payload
• JWT Claim
– A piece of information asserted about a subject (or the JWT
itself)
– Represented as name/value pairs, consisting of a Claim Name and
a Claim Value (which can be any JSON value)
25. • "iss": Issuer
– Who issued it
• "sub": Subject
– Who’s it about
• "aud": Audience
– Who’s it for
• "exp": Expiration Time
– When it expires
• "nbf": Not Before
– When it starts being valid
• "iat": Issued At
– When it was issued
• "jti": JWT ID
– A unique identifier for it
(some) Reserved JWT Claim Names
26. jot or not?
The JWT (header and payload; the signature is shown on the next slide)
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.
The Header
{"kid":"5","alg":"ES256"}
The Payload
{"iss":"https://idp.example.com",
"exp":1357255788,
"aud":"https://sp.example.org",
"jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",
"acr":"2",
"sub":"Brian"}
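Decoding the JWT above and checking its registered claims, as an added Python example that is not from the slides or from jose4j and uses only the standard library. It reads the header and payload of the slide's token (the full token including its signature is on the next slide) and validates iss, aud, exp, nbf, iat and jti against a caller-supplied clock. The expected issuer and audience, the fixed "now" values and the helper names are assumptions for the demo; signature verification is the JWS layer's job and must happen before any of this is believed.

```python
import base64
import json

# The JWT from the slide: header.payload.signature
SLIDE_JWT = (
    "eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ."
    "eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcG"
    "xlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9."
    "SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg"
)

# Values the verifying party configures for itself (assumed for this demo)
EXPECTED_ISSUER = "https://idp.example.com"
EXPECTED_AUDIENCE = "https://sp.example.org"


def b64url_decode(text: str) -> bytes:
    """Restore the '=' padding JOSE strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_jwt(compact: str):
    """Return (header, claims) without verifying anything. Use it only after the
    JWS signature has been checked, or just to read kid/alg to pick the key."""
    h, p, _signature = compact.split(".")
    header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and claims must be JSON objects")
    return header, claims


def validate_claims(claims, now, issuer, audience, leeway=0, seen_jtis=None):
    """Return the reasons these claims are unacceptable (an empty list means OK).
    now, exp, nbf and iat are seconds since the epoch; leeway absorbs clock skew."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")  # a single string or a list of audiences
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch")
    if "exp" not in claims:
        problems.append("exp missing")
    elif now >= claims["exp"] + leeway:  # exp is exclusive: valid strictly before it
        problems.append("expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        problems.append("not yet valid")
    if "iat" in claims and claims["iat"] > now + leeway:
        problems.append("issued in the future")
    if seen_jtis is not None and claims.get("jti") in seen_jtis:
        problems.append("jti already seen")  # replay of a one-time token
    return problems


if __name__ == "__main__":
    header, claims = decode_jwt(SLIDE_JWT)
    print(header)
    print(claims)
    for when in (1357255700, 1357255788):
        print(when, validate_claims(claims, when, EXPECTED_ISSUER, EXPECTED_AUDIENCE) or "OK")
```

The "now" values are chosen around the token's own exp of 1357255788 so the expiry boundary is visible; with a real clock this 2013 token is simply expired. A jti cache is only useful when the verifier actually stores seen identifiers for at least the token lifetime, which is why it is an optional argument here.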
27. it’s not the size of your token…
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<Issuer>https://idp.example.com</Issuer>
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
<ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
</SubjectConfirmation>
</Subject>
<Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
<AudienceRestriction><Audience>https://sp.example.org</Audience></AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
<AuthnContext><AuthnContextClassRef>2</AuthnContextClassRef></AuthnContext>
</AuthnStatement>
</Assertion>
28. …it’s how you use it
• Simpler = Better
• Web safe encoding w/ no canonicalization
(Because canonicalization is a four letter word*)
• Improved Interoperability & (hopefully) More
Secure
• Eliminates entire classes of attacks
– XSLT Transform DOS, Remote Code Execution, and Bypass
– C14N Hash Collision w/ & w/out comments
– Entity Expansion Attacks
– XPath Transform DOS and Bypass
– External Reference DOS
– Signature Wrapping Attacks
Brad Hill, pictured here speaking at CIS in 2011, is wicked smaht and
published some of these attacks
* especially when you spell it c14n
29. JSON Web Key (JWK)
• JSON data structure representing cryptographic key(s)
– Public/private keys: RSA & Elliptic Curve
– Symmetric keys (octet sequence)
• Can be
– included in a JWS/JWE/JWT header
– published at an HTTPS endpoint and referenced
– used in place of self signed certificates
– saved in a file
– sent in an email
– and more
30. JWK & JWT Working Together
JWT/JWS Header
{
"kid":"5",
"alg":"ES256"
}
JWK Set
{"keys":[
{"kty":"EC",
"kid":"4",
"x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo",
"y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A",
"crv":"P-256"},
{"kty":"EC",
"kid":"5",
"x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
"crv":"P-256"},
{"kty":"EC",
"kid":"6",
"x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",
"y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU",
"crv":"P-256"}
]}
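Looking up the key that the JWS header above names and checking it before use, as an added Python example (not the slides' or jose4j's code, standard library only). It loads the slide's JWK Set, requires exactly one key with the header's kid, and for an ES256 header checks that the key is an EC key on P-256 whose coordinates are 32 bytes each and actually lie on the curve. The P-256 constants are the standard ones; the curve's generator point is used as a known-good key in the test, and the helper names are assumptions.

```python
import base64
import json

# The JWS header and JWK Set from the slide
SLIDE_HEADER = {"kid": "5", "alg": "ES256"}
SLIDE_JWKS = json.loads("""{"keys":[
 {"kty":"EC","kid":"4","x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo",
  "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A","crv":"P-256"},
 {"kty":"EC","kid":"5","x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
  "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0","crv":"P-256"},
 {"kty":"EC","kid":"6","x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",
  "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU","crv":"P-256"}
]}""")

# NIST P-256 (secp256r1): y^2 = x^3 - 3x + b (mod p); G is the standard base point
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def find_key(jwks: dict, kid) -> dict:
    """Return the single key with this kid; ambiguity is an error, not a guess."""
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise KeyError(f"expected exactly one key with kid {kid!r}, found {len(matches)}")
    return matches[0]


def is_on_p256(x: int, y: int) -> bool:
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


def check_p256_key(jwk: dict):
    """Checks an ES256 verifier should make before using a JWK: the right key
    type and curve, exactly 32-byte coordinates, and a point that is actually
    on the curve (a point off the curve must never reach the signature check)."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        raise ValueError("ES256 needs an EC key on P-256")
    xb, yb = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    if len(xb) != 32 or len(yb) != 32:
        raise ValueError("P-256 coordinates must be exactly 32 bytes")
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if not (x < P256_P and y < P256_P and is_on_p256(x, y)):
        raise ValueError("point is not on P-256")
    return x, y


def select_key(jwks: dict, header: dict) -> dict:
    """Resolve the key a JWS header names, from a JWK Set the verifier already
    trusts (never from a URL or embedded key that the token itself supplies)."""
    if header.get("alg") != "ES256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    jwk = find_key(jwks, header.get("kid"))
    check_p256_key(jwk)
    return jwk


def jwk_from_point(kid: str, x: int, y: int) -> dict:
    """Build a P-256 public JWK from integer coordinates (used with G below)."""
    return {"kty": "EC", "crv": "P-256", "kid": kid,
            "x": b64url_encode(x.to_bytes(32, "big")),
            "y": b64url_encode(y.to_bytes(32, "big"))}


if __name__ == "__main__":
    chosen = select_key(SLIDE_JWKS, SLIDE_HEADER)
    print("header kid", SLIDE_HEADER["kid"], "->", chosen)
    g = jwk_from_point("g", P256_GX, P256_GY)
    print("generator point accepted:", check_p256_key(g) == (P256_GX, P256_GY))
```

The kid is only a hint, so the selected key still has to satisfy the algorithm the verifier expects; a set that contains two keys with the same kid, or a kid that points at an RSA key while the header says ES256, is rejected rather than resolved by guesswork.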
31. Simple Is As Simple Does
• The relative simplicity of JW[STEAK]
implies a simple programming interface
• Numerous implementations already exist
for a wide variety of languages/platforms
• Going to make you take quick look at one
of them…
32. Introducing jose4j
• Open source Java implementation of the JOSE specification suite
– https://bitbucket.org/b_c/jose4j
• Relies solely on the JCA APIs for cryptography
• 100% Algorithm Support
• Production ready
– Used throughout Ping Identity’s products
• Reference[able] implementation
– Fact checked the JOSE cookbook: http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A
• Completely free of NSA backdoors
– (but I’m open to "sponsorship" opportunities)
33. Producing the aforementioned JWS

import org.jose4j.jwk.EcJwkGenerator;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.keys.EllipticCurves;

// Generate a fresh P-256 key pair as a JWK and give it the "kid" used in the example
PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
jwk.setKeyId("my-first-key");
JsonWebSignature jws = new JsonWebSignature();
// "alg":"ES256"
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
jws.setPayload("USA #1!");
// Signing needs the private half of the key pair
jws.setKey(jwk.getPrivateKey());
jws.setKeyIdHeaderValue(jwk.getKeyId());
// Computes the signature; throws JoseException if it cannot
String compactSerialization = jws.getCompactSerialization();
System.out.println(compactSerialization);
34. Consuming that JWS

import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jws.JsonWebSignature;

// The public half of "my-first-key" as a JWK (x, y and crv only; no private "d")
JsonWebKey jwk = JsonWebKey.Factory.newJwk("{\"kty\":\"EC\"," +
 "\"kid\":\"my-first-key\"," +
 "\"x\":\"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ\"," +
 "\"y\":\"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk\"," +
 "\"crv\":\"P-256\"}");
String compactSerialization =
 "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." +
 "VVNBICMxIQ." +
 "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAU" +
 "REzF1FF25BbrgyohbKdGE1cB-hrA";
JsonWebSignature jws = new JsonWebSignature();
jws.setCompactSerialization(compactSerialization);
jws.setKey(jwk.getKey());
// getPayload() verifies the signature against the key before returning anything
// and throws JoseException if it does not check out. Nothing here pins "alg" to
// ES256; later jose4j releases add setAlgorithmConstraints(...) for exactly that.
String payload = jws.getPayload();
System.out.println(payload);
35. Producing the aforementioned JWE

import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwk.JsonWebKey;

// The recipient's public RSA key as a JWK (modulus n and exponent e only)
String jwkJson =
 "{\"kty\":\"RSA\"," +
 "\"kid\":\"use this one eh\"," +
 "\"n\":\"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5X" +
 "vT8bQO39k34s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtr" +
 "GJdXxQEgDE7Wg1YYi0yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZV" +
 "C5b61R37akzTB3abdAIBf4-UBLrvNgl0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw\"," +
 "\"e\":\"AQAB\"}";
JsonWebKey jwk = JsonWebKey.Factory.newJwk(jwkJson);
JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setPayload("I actually really like Canada");
// Encryption uses the recipient's public key; only the private key can unwrap the CEK
jwe.setKey(jwk.getKey());
jwe.setKeyIdHeaderValue(jwk.getKeyId());
// "alg":"RSA-OAEP" wraps the content encryption key; "enc":"A128CBC-HS256" encrypts the payload
jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP);
jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
String compactSerialization = jwe.getCompactSerialization();
System.out.println(compactSerialization);
36. Consuming that JWE (1 of 2)

// The recipient's RSA key pair as a private JWK: the public n and e plus the private
// exponent d and the CRT values p, q, dp, dq and qi (a demo key from the talk)
String jwkJson =
 "{\"kty\":\"RSA\"," +
 "\"kid\":\"use this one eh\"," +
 "\"n\":\"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5XvT8bQO39k3" +
 "4s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtrGJdXxQEgDE7Wg1YYi0" +
 "yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZVC5b61R37akzTB3abdAIBf4-UBLrvNgl" +
 "0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw\"," +
 "\"e\":\"AQAB\"," +
 "\"d\":\"p1umPOWUnf-rTylRVnhG75sF7N3tyG_r86ZM2hV8qAShMgnzbZYefNg2Vxh2cobXUMLF0TncuUxAusCrNSgUyrjHjHDIws03" +
 "VdzphFPd3oI9o6_2hSBWJ6OWB5VEDAd1Cc_HKy4iPWUZWlk__G3RQg524_0Wfgp_1bTIyeGLEt6GGAasCRoi4crZ_cKLkzB3ZmwoIF" +
 "X4Z-jU6AKp_rCarj45tqdgpzIHKYuA2HjgGJwevknhTVEjY6stAiTXWJ4M8YxIwqQ-tCj1GM5pfvJNIzaW2KoZ234ll_DFnUDnAE1R" +
 "O22oBfW-iYsHcrNtslHxYDkGnOGFkJAOnbF8ihaQcQ\",\"p\":\"6JVJlrObtg02Sr0ZqERiOZMxf3lE8TK8j5cU5VBYYvfebtjI2" +
 "_wW_uT_N_wIETodgWJgkPlejrQM4B-inB8VfUPBe8RCRGmXf5jqyKf7r5XwGabda3UjaTwoAUxYSgb2HH4IU4KNMJ-rFuG2Nzz0t2W" +
 "7PtqHJjrcF3i952oKAGU\",\"q\":\"3-dPMaO1JerkElaP4FMV1Fio-ZFJwf5xCLMFdJZstLkKY7H63bxOb77iQ5xEOSWY4yScfXZ" +
 "hp2S1v0Plub-qTeuGHXt-T2rugGAmIKlPzkQU6aiGFXqwCK2TrETQkV5Pf__PRHhaJ1rTbGVyAvqL2vAoI46XwSMmLINncDy2xGM\"," +
 "\"dp\":\"T9bXYQ0cuZzFc1iAkzuOQFdf2XNmkCmrgtsJCELRZH_T8lcmdCWQO0WeurggiNFbSYvcvEduByyVcuZJKrCc7tgwde0EFn" +
 "ns0JdMmT7Y7ghZWGTogze9xSUqUm_Dqv3CxDsbXpdlIjjdQUiQBVw-YSph4YygciYoYUJIZkUHU-U\"," +
 "\"dq\":\"wklQ6t4HPlPIfDEov5rZAl28onJz8iX7p3TQcw5kXZ2DambyLJ5N4aFdbRWYDY6WT-Ng921V5474NnOQT9IE0YBh7AtQ21E" +
 "Ki9LiwsyoN2_URby6PMEtJxqXXZCI-ts_WO58yAk3EZc6hoCwoe0Olnh2HASLokgBw_ZyN243mck\"," +
 "\"qi\":\"4n-fctilEl81ig_NIa0GFHjV1wiMR5E9RuwJIrSnG6kDBZp2wxjRd8HY96xAC_mwKZzRLxHZnukLaSi4f43-wRuURQaIj8z" +
 "P8UFgH73C4sOp9rgRhsUlceniIasGE-3FKW0_2ofNMCNimYuSSIXfIyNvMdtptlg3BJv4gizH_l4\"}";
37. Consuming that JWE (2 of 2)

import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwk.PublicJsonWebKey;

String jwecs =
 "eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ." +
 "knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0M" +
 "lmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4" +
 "wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhY" +
 "V-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ." +
 "OMRMiwPvh13089vcWAw_mg." +
 "G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw." +
 "rCjFpLbuWKQMJLzQEP4aSw";
// jwkJson is the private RSA JWK string from the previous slide
PublicJsonWebKey jwk = PublicJsonWebKey.Factory.newPublicJwk(jwkJson);
JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setCompactSerialization(jwecs);
// Decryption needs the private key to unwrap the content encryption key
jwe.setKey(jwk.getPrivateKey());
// getPayload() checks the authentication tag before returning the plaintext and
// throws JoseException on any tampering; unauthenticated data is never returned
String payload = jwe.getPayload();
System.out.println(payload);
39. Yes, finished. See you at Boot Camp (maybe).
Thank you!
Brian Campbell
@__b_c
CIS 2014
https://flic.kr/p/f7zK1V