{"id":54869,"date":"2022-04-23T16:01:59","date_gmt":"2022-04-23T10:31:59","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=54869"},"modified":"2024-06-10T15:40:23","modified_gmt":"2024-06-10T10:10:23","slug":"jose-encryption-and-aem-keystore-integration","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/jose-encryption-and-aem-keystore-integration\/","title":{"rendered":"JOSE Encryption and AEM Keystore Integration"},"content":{"rendered":"<h2><span style=\"font-weight: 400;\">What is JOSE?<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">JOSE, or JSON Object Signing and Encryption, in brief, <\/span><span style=\"font-weight: 400;\">is a framework intended to provide a method to securely transfer claims (such as authorization information) between parties. The JOSE framework provides a collection of specifications to serve this purpose.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">One big plus for this framework is that it has excellent support in most programming languages.\u00a0<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Usages\u00a0<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">JOSE can be used to encrypt and sign tokens sent over the network, so that the receiver can check their authenticity.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">We used it for securing payments on our website. 
According to <\/span><a href=\"https:\/\/rbidocs.rbi.org.in\/rdocs\/notification\/PDFs\/MD7493544C24B5FC47D0AB12798C61CDB56F.PDF\"><span style=\"font-weight: 400;\">RBI circular <\/span><\/a><span style=\"font-weight: 400;\">\u201c An appropriate level of encryption and security shall be implemented in the digital payment ecosystem.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Other use cases are Security Tokens, OAuth, Web Cryptography, XMPP.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Understanding the structure<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Now these are the things that comprise the JOSE standard.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><b>JWK<\/b><span style=\"font-weight: 400;\"> : JSON Web Key (Public Key shared over the network in JSON format)<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>JWS <\/b><span style=\"font-weight: 400;\">: JSON Web Signature. So this is a serialized message with 3 (.) separated strings of below format.<\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-54934 size-full\" src=\"\/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-01.png\" alt=\"JOSE Encryption and AEM Keystore Integration\" width=\"2501\" height=\"318\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-01.png 2501w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-01-300x38.png 300w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-01-1024x130.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-01-768x98.png 768w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-01-1536x195.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-01-2048x260.png 2048w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-01-624x79.png 624w\" sizes=\"(max-width: 2501px) 100vw, 2501px\" \/><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><b>JWE <\/b><span style=\"font-weight: 400;\">: JSON Web Encryption. This is a serialized message with 5 (.) 
separated strings of below format.<\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-54935 aligncenter\" src=\"\/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-02.png\" alt=\"\" width=\"546\" height=\"70\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-02.png 2501w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-02-300x38.png 300w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-02-1024x130.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-02-768x98.png 768w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-02-1536x195.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-02-2048x260.png 2048w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Diagram-02-624x79.png 624w\" sizes=\"(max-width: 546px) 100vw, 546px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">This is how the decryption works at the receiver end.<\/span><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-54933 size-full\" src=\"\/blog\/wp-ttn-blog\/uploads\/2022\/04\/Screenshot-2022-04-20-142610.png\" alt=\"\" width=\"1762\" height=\"237\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2022\/04\/Screenshot-2022-04-20-142610.png 1762w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Screenshot-2022-04-20-142610-300x40.png 300w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Screenshot-2022-04-20-142610-1024x138.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Screenshot-2022-04-20-142610-768x103.png 768w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Screenshot-2022-04-20-142610-1536x207.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Screenshot-2022-04-20-142610-624x84.png 624w\" sizes=\"(max-width: 1762px) 100vw, 1762px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">This blog talks about integration of JOSE with an application hosted on AEM utilizing AEM keystore for safekeeping of key pairs i.e. Public and Private Keys.<\/span><\/p>\n<p>Here are the four steps required to follow:<\/p>\n<p><b>1. 
Storing Encryption Keys in AEM<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Firstly, let&#8217;s go through the process of storing keys in AEM.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here are the Adobe documentation links for <a href=\"https:\/\/developer.adobe.com\/events\/docs\/guides\/using\/aem\/aem_keystore_setup\/\">keystore<\/a> and <a href=\"https:\/\/experienceleague.adobe.com\/docs\/experience-manager-65\/forms\/administrator-help\/manage-certificates-credentials\/certificates.html?lang=en\">truststore<\/a> setup. <\/span><span style=\"font-weight: 400;\">Using these steps you can store the receiver&#8217;s public certificate in the truststore and the sender&#8217;s private\/public key pair in the keystore for safekeeping.<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">This completes the cert setup.<\/span><\/i><\/p>\n<p><b>2. Fetching Keys<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Next is fetching these certificates.\u00a0I am using<b> RSA keys<\/b> in the project, which are the most commonly used type of encryption keys in asymmetric encryption techniques.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Check the code from the repo below to understand how to fetch keys from the keystore and truststore.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><a href=\"https:\/\/github.com\/PulkitVashistha\/Jose\/blob\/master\/core\/src\/main\/java\/com\/jose\/encryption\/core\/util\/KeysUtil.java\"><span style=\"font-weight: 400;\">KeysUtil.java<\/span><\/a><\/p>\n<p><b>3. 
Using the Library\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">We are using the <\/span><b>nimbus-jose-jwt<\/b><span style=\"font-weight: 400;\"> Maven dependency in our project.<\/span><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-54930 \" src=\"\/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-01.png\" alt=\"\" width=\"523\" height=\"215\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-01.png 7122w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-01-300x123.png 300w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-01-1024x421.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-01-768x316.png 768w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-01-1536x631.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-01-2048x842.png 2048w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-01-624x257.png 624w\" sizes=\"(max-width: 523px) 100vw, 523px\" \/><\/p>\n<p><span style=\"font-weight: 400;\"><span style=\"font-size: 1rem;\"><br \/>\nNimbus also does not support PS256 out of the box, but by registering the BouncyCastle provider we can enable it. <\/span>We also tried the <\/span><b>JOSE4j <\/b><span style=\"font-weight: 400;\">library, but we couldn\u2019t use that one because it did not have support for <\/span><b>PS256 <\/b><span style=\"font-weight: 400;\">encryption, which is a rather scarcely used encryption algorithm. 
<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As you\u2019ll be seeing below, we are using this algorithm for signing our JWT web token.<\/span><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-54931 \" src=\"\/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-02.png\" alt=\"JOSE Encryption and AEM Keystore Integration\" width=\"530\" height=\"229\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-02.png 2560w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-02-300x130.png 300w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-02-1024x442.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-02-768x332.png 768w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-02-1536x664.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-02-2048x885.png 2048w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-02-624x270.png 624w\" sizes=\"(max-width: 530px) 100vw, 530px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Now what we need to do is make sure this line gets executed at the start to allow the PS256 algorithm to work for Nimbus JOSE.<\/span><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-54932 \" src=\"\/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-03.png\" alt=\"JOSE Encryption and AEM Keystore Integration\" width=\"532\" height=\"143\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-03.png 2560w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-03-300x81.png 300w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-03-1024x276.png 1024w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-03-768x207.png 768w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-03-1536x414.png 1536w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-03-2048x552.png 2048w, \/blog\/wp-ttn-blog\/uploads\/2022\/04\/Code-03-624x168.png 624w\" sizes=\"(max-width: 532px) 100vw, 532px\" \/><\/p>\n<p><b>4. 
Performing JOSE Encryption<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Check the functions for encryption and decryption in the repo below.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><a href=\"https:\/\/github.com\/PulkitVashistha\/Jose\/blob\/master\/core\/src\/main\/java\/com\/jose\/encryption\/core\/util\/JoseUtil.java\"><span style=\"font-weight: 400;\">JoseUtil.java<\/span><\/a><\/p>\n<h2>References<\/h2>\n<ol>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/jose.sambego.tech\/\"><span style=\"font-weight: 400;\">No way, JOSE!<\/span><\/a><span style=\"font-weight: 400;\"> This is a ppt that covers the basics of hashing and encryption along with some insights to prevalent encryption algorithms. Then it gives a detailed insight into the workings of JOSE.<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/jwt.io\/\"><span style=\"font-weight: 400;\">JWT.io<\/span><\/a><span style=\"font-weight: 400;\"> This is the documentation for JSON Web Token that can cover your interests in JWT.<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/www.youtube.com\/watch?v=dpm00tLhSc4\"><span style=\"font-weight: 400;\" data-rich-links=\"{&quot;fple-t&quot;:&quot;No Way Jose! Cryptography &amp; Encryption - JS Monthly London - January 2021&quot;,&quot;fple-u&quot;:&quot;https:\/\/www.youtube.com\/watch?v=dpm00tLhSc4&quot;,&quot;fple-mt&quot;:null,&quot;type&quot;:&quot;first-party-link&quot;}\">No Way JOSE! Cryptography &amp; Encryption &#8211; JS Monthly London &#8211; January 2021<\/span><\/a><span style=\"font-weight: 400;\">: This is the presentation on the above mentioned PPT. 
Great watch!<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/www.youtube.com\/watch?v=4zahvcJ9glg\"><span style=\"font-weight: 400;\" data-rich-links=\"{&quot;fple-t&quot;:&quot;The RSA Encryption Algorithm (1 of 2: Computing an Example)&quot;,&quot;fple-u&quot;:&quot;https:\/\/www.youtube.com\/watch?v=4zahvcJ9glg&quot;,&quot;fple-mt&quot;:null,&quot;type&quot;:&quot;first-party-link&quot;}\">The RSA Encryption Algorithm (1 of 2: Computing an Example)<\/span><\/a><span style=\"font-weight: 400;\">: Now this is something of interest if you are geeky about the math of the RSA encryption Algorithm and its basic working. It has 2 very short parts, part1 and part2. Definitely recommended. Very well explained.<\/span><\/li>\n<\/ol>\n<div class=\"ap-custom-wrapper\"><\/div><!--ap-custom-wrapper-->","protected":false},"excerpt":{"rendered":"<p>What is JOSE? JOSE or JSON Object Signing and Encryption , in brief, is a framework intended to provide a method to securely transfer claims (such as authorization information) between parties. The JOSE framework provides a collection of specifications to serve this purpose. 
One big plus for this framework is that it has excellent support [&hellip;]<\/p>\n","protected":false},"author":1453,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":73},"categories":[5868,446,1994],"tags":[4961],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/54869"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1453"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=54869"}],"version-history":[{"count":13,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/54869\/revisions"}],"predecessor-version":[{"id":54948,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/54869\/revisions\/54948"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=54869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=54869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=54869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}