
extend jwk cert store #92

Closed
aeneasr opened this issue Jun 3, 2016 · 3 comments
Assignees
Labels
feat New feature or request.

Comments


aeneasr commented Jun 3, 2016

No description provided.

@aeneasr aeneasr added the feat New feature or request. label Jun 3, 2016
@aeneasr aeneasr added this to the 0.1-beta2 milestone Jun 3, 2016
@aeneasr aeneasr self-assigned this Jun 3, 2016

aeneasr commented Jun 4, 2016

upstream square/go-jose#95


aeneasr commented Jun 4, 2016

Without support from go-jose, the library needs to be forked and the functionality added. The specification for x509 certificates is available at https://tools.ietf.org/html/rfc7517

Until that is implemented, the HTTPS TLS certificate is gob encoded and stored as a PSK in the JWK store. It should be documented that the JWK store does not support the x509 claims as of now.

This approach is okay because:

  • There is no security impact. PSKs are encrypted using AES-GCM as well.
  • It is not trivial to add a new TLS certificate using the HTTP REST API. This could be documented somewhere. Importing TLS certificates still works!
  • Precomputed values are removed to reduce the likelihood of a possible attack vector.
  • One drawback is that clients need to be able to decode gob streams. As the certificate will be used only internally in hydra, this is not an issue.
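
The interim approach described in this comment (gob-encode the TLS certificate and key with the RSA precomputed values stripped, encrypt the blob with AES-GCM, decode and re-validate on load), as an added example that is not hydra's own code and not part of this issue. The `StoredCert` record, the `Seal`/`Open` helpers, the `RoundTrip` driver and the `hydra-example.invalid` name are assumptions made for the example; the real JWK store's layout and key handling are not shown on this page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/gob"
	"errors"
	"io"
	"math/big"
	"time"
)

// StoredCert is a hypothetical record for the PSK slot of the JWK store:
// the DER certificate chain plus the RSA private key, gob-encoded.
type StoredCert struct {
	CertDER [][]byte
	Key     *rsa.PrivateKey
}

// NewSelfSigned builds a throwaway self-signed certificate as constructed test input.
func NewSelfSigned(cn string) (*StoredCert, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &StoredCert{CertDER: [][]byte{der}, Key: key}, nil
}

// Encode drops the CRT precomputation (as the comment describes) and gob-encodes the record.
func Encode(sc *StoredCert) ([]byte, error) {
	sc.Key.Precomputed = rsa.PrecomputedValues{}
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(sc); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Decode reverses Encode, validates the key and recomputes the CRT values locally.
func Decode(b []byte) (*StoredCert, error) {
	var sc StoredCert
	if err := gob.NewDecoder(bytes.NewReader(b)).Decode(&sc); err != nil {
		return nil, err
	}
	if sc.Key == nil || len(sc.CertDER) == 0 {
		return nil, errors.New("incomplete record")
	}
	if err := sc.Key.Validate(); err != nil {
		return nil, err
	}
	sc.Key.Precompute()
	return &sc, nil
}

// gcmFor returns an AES-GCM AEAD for a 16/24/32-byte key.
func gcmFor(aesKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-GCM; the random 12-byte nonce is prepended to the ciphertext.
func Seal(aesKey, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts Seal's output; any modified byte fails the GCM authentication tag.
func Open(aesKey, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(aesKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// RoundTrip runs the whole store-and-load path and returns the leaf CN,
// checking that the recovered key still matches the stored certificate.
func RoundTrip(aesKey []byte, cn string) (string, error) {
	sc, err := NewSelfSigned(cn)
	if err != nil {
		return "", err
	}
	plain, err := Encode(sc)
	if err != nil {
		return "", err
	}
	sealed, err := Seal(aesKey, plain)
	if err != nil {
		return "", err
	}
	opened, err := Open(aesKey, sealed)
	if err != nil {
		return "", err
	}
	got, err := Decode(opened)
	if err != nil {
		return "", err
	}
	leaf, err := x509.ParseCertificate(got.CertDER[0])
	if err != nil {
		return "", err
	}
	if !leaf.PublicKey.(*rsa.PublicKey).Equal(got.Key.Public()) {
		return "", errors.New("certificate and key do not match after round trip")
	}
	return leaf.Subject.CommonName, nil
}
```

`Decode` calls `Validate` before `Precompute` so a corrupted or swapped record is rejected before any CRT values are derived from it, and the consumer of the gob stream recomputes those values itself rather than trusting stored ones, which is the point of stripping them before storage.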

@aeneasr aeneasr removed this from the 0.1-beta2 milestone Jun 4, 2016

aeneasr commented Jun 5, 2016

There's no field for it in the struct right now, but it should be fairly simple to add. I can take a look at adding this next week maybe. Or if you want to take a shot at it, pull requests are welcome!

square/go-jose#95 (comment)
