José is a C-language implementation of the Javascript Object Signing and Encryption standards. Specifically, José aims towards implementing the following standards:
José is extensively tested against the RFC test vectors.
Algorithm | Supported | Algorithm Type | JWK Type |
---|---|---|---|
HS256 | YES | Signature | oct |
HS384 | YES | Signature | oct |
HS512 | YES | Signature | oct |
RS256 | YES | Signature | RSA |
RS384 | YES | Signature | RSA |
RS512 | YES | Signature | RSA |
ES256 | YES | Signature | EC |
ES384 | YES | Signature | EC |
ES512 | YES | Signature | EC |
PS256 | YES | Signature | RSA |
PS384 | YES | Signature | RSA |
PS512 | YES | Signature | RSA |
none | NO | Signature | N/A |
RSA1_5 | YES | Key Wrap | RSA |
RSA-OAEP | YES | Key Wrap | RSA |
RSA-OAEP-256 | YES | Key Wrap | RSA |
A128KW | YES | Key Wrap | oct |
A192KW | YES | Key Wrap | oct |
A256KW | YES | Key Wrap | oct |
dir | YES | Key Wrap | oct |
ECDH-ES | YES | Key Wrap | EC |
ECDH-ES+A128KW | YES | Key Wrap | EC |
ECDH-ES+A192KW | YES | Key Wrap | EC |
ECDH-ES+A256KW | YES | Key Wrap | EC |
A128GCMKW | YES | Key Wrap | oct |
A192GCMKW | YES | Key Wrap | oct |
A256GCMKW | YES | Key Wrap | oct |
PBES2-HS256+A128KW | YES | Key Wrap | N/A |
PBES2-HS384+A192KW | YES | Key Wrap | N/A |
PBES2-HS512+A256KW | YES | Key Wrap | N/A |
A128CBC-HS256 | YES | Encryption | oct |
A192CBC-HS384 | YES | Encryption | oct |
A256CBC-HS512 | YES | Encryption | oct |
A128GCM | YES | Encryption | oct |
A192GCM | YES | Encryption | oct |
A256GCM | YES | Encryption | oct |
José provides a command-line utility which encompasses most of the JOSE features. This allows for easy integration into your project and one-off scripts. Below you will find examples of the common commands.
José can generate keys, remove private keys and show thumbprints. For example:
# Generate three different kinds of keys
$ jose jwk gen -i '{"alg": "A128GCM"}' -o oct.jwk
$ jose jwk gen -i '{"alg": "RSA1_5"}' -o rsa.jwk
$ jose jwk gen -i '{"alg": "ES256"}' -o ec.jwk
# Remove the private keys
$ jose jwk pub -i oct.jwk -o oct.pub.jwk
$ jose jwk pub -i rsa.jwk -o rsa.pub.jwk
$ jose jwk pub -i ec.jwk -o ec.pub.jwk
# Calculate thumbprints
$ jose jwk thp -i oct.jwk
9ipMcxQLsI56Mqr3yYS8hJguJ6Mc8Zh6fkufoiKokrM
$ jose jwk thp -i rsa.jwk
rS6Yno3oQYRIztC6np62nthbmdydhrWmK2Zn_Izmerw
$ jose jwk thp -i ec.jwk
To8yMD92X82zvGoERAcDzlPP6awMYGM2HYDc1G5xOtc
José can sign and verify data. For example:
$ echo hi | jose jws sig -i- -k ec.jwk -o msg.jws
$ jose jws ver -i msg.jws -k ec.pub.jwk
hi
$ jose jws ver -i msg.jws -k oct.jwk
No signatures validated!
José can encrypt and decrypt data. For example:
$ echo hi | jose jwe enc -i- -k rsa.pub.jwk -o msg.jwe
$ jose jwe dec -i msg.jwe -k rsa.jwk
hi
$ jose jwe dec -i msg.jwe -k oct.jwk
Decryption failed!
Building Jose is fairly straightforward:
$ mkdir build && cd build
$ meson .. --prefix=/usr
$ ninja
$ sudo ninja install
You can even run the tests if you'd like:
$ meson test
To build a FreeBSD, HardenedBSD or OPNsense package use:
(as root) # pkg install meson pkgconf jansson openssl
$ mkdir build && cd build
$ meson .. --prefix=/usr/local
$ ninja
$ meson test
(as root) # ninja install
Once built it does not require meson and pkgconf, but still requires jansson and openssl.