JavaScript implementation of JSON Web Signatures and JSON Web Tokens as needed by BrowserID.

libs contains third-party libraries that need to be included. See libs/dependencies.txt and libs/package.txt

This is written as CommonJS modules for node and such. Browserify is used to bundle it all up.

NOTE: this is written as future documentation of v0.2 APIs, which will not be backwards compatible with v0.1.

Overview

JSON Web Tokens (JWTs) look like:

eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt cGxlLmNvbS9pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVP-mB92K27uhbUJU1p1r _wW1gFWFOEjXk

(line breaks are for readability)

JWTs are made up of three components, each base64url-encoded, joined by a period character. A JWT can be either a JWS (JSON Web Signature) or a JWE (JSON Web Encryption). In this library, we only consider JWS. Because JWT is effectively the abstract superclass of both JWS and JWE, we don't expose JWT APIs directly (as of v0.2.0). We simply expose a JWS API.

We use JWK (JSON Web Keys) to specify keys: http://tools.ietf.org/html/draft-ietf-jose-json-web-key-00

We use JWA (JSON Web Algorithms) to specify algorithms: http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-00 (we add algorithm "DSA" to indicate DSA, with DS160 the standard DSA 1024/160.)

Usage

for Node 4+ ensure that you are using g++ 4.8 (use CXX=g++-4.8 to force that version) npm install browserid-crypto in javascript: require('browserid-crypto')

Basic API

var jwcrypto = require ( "browserid-crypto" ); require ( "browserid-crypto/lib/algs/ds" ); jwcrypto.addEntropy( 'entropy' ); jwcrypto.generateKeypair({ algorithm : 'DSA' , keysize : 160 }, function ( err, keypair ) { console .log(keypair.publicKey.serialize()); console .log( JSON .stringify({ stuff : keypair.publicKey.toSimpleObject()})); var publicKeyToCertify = keypair.publicKey.serialize(); var payload = { principal : { email : 'some@dude.domain' }, pubkey : jwcrypto.loadPublicKey(publicKeyToCertify)}; jwcrypto.sign(payload, keypair.secretKey, function ( err, jws ) { console .log(jws.toString()); var signedObject = jws; var publicKey = keypair.publicKey; jwcrypto.verify(signedObject, publicKey, function ( err, payload ) { }); }); var storedSecretKey = keypair.secretKey.serialize(); var otherSecretKey = jwcrypto.loadSecretKey(storedSecretKey); });

Assertions

Sometimes the JSON object to sign should be a standard assertion with pre-defined fields.

var assertion = require ( "browserid-crypto" ).assertion; var payload = { principal : { email : 'some@dude.domain' }}; assertion.sign(payload, { issuer : "foo.com" , expiresAt : new Date ( new Date ().valueOf() + 5000 ), issuedAt : new Date ().valueOf(), audience : "https://example.com" }, keypair.secretKey, function ( err, signedAssertion ) { var now = new Date (); assertion.verify(signedObject, keypair.publicKey, now, function ( err, payload, assertionParams ) { }); });

Note that timestamps (for issuedAt and expiresAt ) are integers containing the standard JS milliseconds-since-epoch, or objects with methods named .valueOf() which will return such an integer. The assertion format currently serializes these integers verbatim; a future version may serialize them as seconds (instead of milliseconds) to conform with the JWT specifications.

Certs

Sometimes the JSON objects to sign are certificates