dove-jwt

0.0.4 • Public • Published

dove-jwt

Build Status

(That stands for Domain Verified JSON Web Tokens.)

What is?

JWTs are good. One of the ways JWTs may be signed and verified are with an RSA public/private keypair.

With dove-jwt, we take this to its logical conclusion and use your TLS key as the private key, and your CA-verified TLS certificate chain as the public key. The following things are true of a valid dove-jwt:

  • The JWT is signed using the RS265 algorithm.
  • The x5c header contains a CA-verified certificate chain.
  • The first certificate in this chain validates as the correct public key for the JWT.
  • The iss (issuer) claim matches the Common Name [CN] on the signing certificate.

Thus, through the magic of the global X.509 key infrastructure, you can be reasonably confident that posession of a valid dove-jwt indicates that it really was signed by the issuer specified in the iss header.

How use?

Signing:

import dove from "dove-jwt";
import fs from "fs";
 
const cert = fs.readFileSync("example-com-cert.pem", "utf8");
const key = fs.readFileSync
 
# Unless you're doing something with self-signed CAs, you'll want to use the system certs.
dove.useSystemCertAuthorities();
 
// The "options" field is passed through to jsonwebtoken.
const token = dove.sign({foo: "bar", key, cert, {/* options */});
 
export default token;

Verifying:

import dove from "dove-jwt";
import token from "./signing.js";
 
dove.useSystemCertAuthorities();
 
const parsed = dove.verify(token); // will throw an error unless valid
console.log(parsed.foo) // bar

Current Limitations

  • Only works with RSA, not ECC keys. This is a limitation of node-forge.
  • Currently only can use system certificates on Linux, not Mac or Windows. (#2)
  • Only works with the common name (CN) record on the cert, not any Subject Alternative Names (#3)
  • Only supports RS256 encryption algorithm. We could probably support the other RS algorithms without much trouble, just have to test it.

Tests

npm run test

Currently we're using jasmine-es6 rather than jest because of a bug in node-forge.

Readme

Keywords

Package Sidebar

Install

npm i dove-jwt

Weekly Downloads

5

Version

0.0.4

License

MIT

Last publish

Collaborators

  • iameli