Convert from pem cert

[hound672]

Hello!

1. Generate cert with command: openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.crt
2. Try to convert cert.crt to JKW:

        // certData is data from cert.crt file
	key, err := jwk.ParseKey(certData, jwk.WithPEM(true))
	if err != nil {
		fmt.Printf("err parrse jwk: %v\n", err)
		return
	}

There is no error, but key does not have KID, Algorithm and so on. What do I do wrong?

[lestrrat]

I took the liberty of converting your question to a discussion post, and not an issue.

---

tl;dr: Bare PEM-encoded keys do not contain any extra metadata -- at least yours doesn't. There may exist a convention to encode such data, but I'm not aware of a universally accepted standard to encode key ID / algorithm in this format. If there is one, PRs are welcome.

the long answer:

There are two parts to my answer. The first part is the reason why your particular case would not have worked even if the library was smarter.

Please take look at the command you presented: openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.crt.
There are no explicit mentions of key ID nor an algorithm. Simply, we can't extract data that's not being presented when you created the key.

This is especially true for the algorithm part. The "algorithm" that a JWK contains is not something you can easily and automatically compute. For example, for a given RSA key, you could use any of the RS256, RS384, RS512 algorithms. But there's more to it: the key could be used for encryption as well. In such cases the value could now be RSA-OAEP-SHA1, RSA-PKCS1v1.5, etc. So there is just no way to automatically come up with an algorithm unless the user specifically sets one somewhere.

The second part of my answer is about our current implementation of DER format parsing.

I'm going to admit that I'm not an expert of formats for ASN.1 DER encoded keys. There may very well be an established standard to encode the above information in a DER format that I'm not aware of. But as far as I could gather at the time of writing the support to parse ASN.1 DER keys, I could not find it, and therefore no metadata is currently extracted out of these keys.

If there is an established standard, I would greatly appreciate PRs.

Now as far as the key ID goes, it could be argued that jwk.ParseKey() should extract the fingerprint of said key.
However, AFAIK, there is no official standard that states this. On top of that there are people who think that the fingerprint of the public key should be used even when the presented key itself is the private key. I believe there isn't single standard to automatically assign a key ID, and therefore this feature is not implemented. Again, I could be wrong and there may be an established convention, but if that's the case, PRs are much appreciated.

You can mimic such behavior though:

key, _ := jwk.ParseKey(...)
// note, this is not the same as what openssl rsa ... --fingerprint creates
tb, _ := key.Thumbprint(crypto.SHA256)
key.Set(jwk.KeyIDKey, hex.EncodeToString(tb))

[hound672]

Many thanks for you answer!
For example, if I put contains of cert.crt file to https://8gwifi.org/jwkconvertfunctions.jsp and convert "PEM-toJWK"
I got struct with fields: kty, n, e.
Also I tried to use python lib jwcrypto:

    with open('./cert.crt', "rb") as fp:
        cert = fp.read()

    res = jwk.JWK.from_pem(cert)
    jwk_str = res.export()

The same result.
How can I done it with your lib?

[lestrrat]

Okay, so that was your real question: You wanted to get to N and E, but you didn't know how.
That makes sense.

N, and E are specific to RSA keys, and is easier done with raw keys.
Example (untested):

key, _ := jwk.Parse(...)

var privkey rsa.PrivateKey
if err := key.Raw(&privkey); err != nil {
   ...
}

log.Printf(`N is %s and E is %d`, privkey.PublicKey.N, privkey.PublicKey.E)

Unless you want the JSON representation, in which case you should access via .Get()

key, _ := jwk.Parse(...)

key.Get(`n`)
key.Get(`e`)

[hound672]

Yes, I wanted to obtain these fields. As I sent link early:
https://8gwifi.org/jwkconvertfunctions.jsp

[lestrrat]

Sending me a link for a site I have never seen or used doesnt show me what you are looking for.

[hound672]

https://8gwifi.org/jwkconvertfunctions.jsp
Here you can convert from PEM to JWK

[hound672]

Sorry again worrying you.
I've tried to use:

	key, err := jwk.ParseKey(certByte, jwk.WithPEM(true))
	if err != nil {
		fmt.Printf("err parrse jwk: %v\n", err)
		return
	}

	n, ok := key.Get("n")
	if !ok {
		fmt.Printf("Error obtain N")
		return
	}
	fmt.Printf("N: %v\n", hex.EncodeToString(n.([]byte)))
	fmt.Printf("N: %v\n", n)

How could I convert this to ascii format (that I obtain from python-jwk or from site above)?