This repository provides an implementation in C# of RFC7517 (JSON Web Keys).
Notice: The current implementation has not been used in a production environment.
Here be dragons. Please fill any bugs you may find.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key.
All details of the implementation are based on the following literature:
Supported Key Types for creating new JWKs (with the corresponding intended algorithm):
| Algorithm | Support | |
|---|---|---|
| RSA | RS256, RS384, RS512 | ✅ |
| Eliptic Curves | ES256, ES384, ES512 | ✅ |
| HMAC | HS256, HS384, HS512 | ❎ |
| AES | A128GCMKW, A192GCMKW, A256GCMKW | ❎ |
| None | none | ❎ |
| Meaning | |
|---|---|
| ✅ | Fully implemented and tested |
| ❎ | Currently being implemented / Untested |
| ❌ | Not implemented yet |
The following configuration has been succesfully tested for building and running the project:
- Visual Studio for Mac - Version 8.7.8 (build 4)
- .Net Core - Version 3.1.402
- [] Complete support for all JWK key types
- [] Support for EdDSA keys
- [] Support for exporting private / public keys in a JWKS (JSON Web Key Set)
- [] Support for x5u, x5c, x5t, x5t#S256 parameters in a JWK
- [] Check for required key parameters on deserialization
- [] Follow RFC7517 security conciderations guidelines
- [] Describe how to run tests (Test section)
https://www.nuget.org/packages/CreativeCode.JWK/
dotnet add package CreativeCode.JWK
git clone https://github.com/alexzautke/JWK.gitdotnet pack -c Release- Install NuGet package from local source
See JWK Example
More details about security risks associated with JWKs are documented in RFC section 9.
One should place no more trust in the data cryptographically secured by a key than in the method by which it was obtained and in the trustworthiness of the entity asserting an association with the key.
Please follow the recommendations on how to obtain a JWK.
Current issues:
- This library does currently not support the "x5c" element within a JWK. It would enable the user to provide additional information about the authorship of the key.
Private and symmetric keys MUST be protected from disclosure to unintended parties.
Current issues:
- This library does currently not use any kind of protected memory to store the generated key associated with a JWK.
Keys are only as strong as the amount of entropy used to generate them.
Current issues:
- This library does currenty not check if "enough" entropy is available on a system to generate a secure key.
This project is licensed under the MIT License - see the LICENSE file for details