chapter eleven

11 JSON Object Signing and Encryption


This chapter covers

  • Seeing what makes up the JavaScript Object Signing and Encryption (JOSE) standard
  • Creating and verifying JSON Web Signature (JWS) objects
  • Encrypting and decrypting JSON Web Encryption (JWE) objects
  • Avoiding common JWS and JWE security pitfalls

We live in a world where data is exchanged between systems implemented in multiple programming languages by multiple teams working for multiple organizations. Systems interoperate using standard networking protocols such as HTTP in a well-defined manner and use standard data formats. REST, for example, uses JSON, SOAP uses XML, and gRPC uses protocol buffers (protobuffers). Standardized data formats for exchanging encrypted and signed data make interoperability significantly easier.

Security protocols such as X.509 digital certificates (chapters 8 and 9), OpenID Connect (OIDC) and OAuth2 (chapters 12 and 13), SAML, and TLS (chapter 10) have to exchange encrypted and signed messages. These protocols rely on standard formats to represent encrypted and signed content. OIDC uses JSON, SAML uses XML, and X.509 certificates are represented in a standardized binary data format.

11.1 The standards layer cake

11.2 The problem solved by JWA

11.2.1 Exercises

11.3 JWK

11.3.1 Exercises

11.4 JWS

11.4.1 JWS structure

11.4.2 Creating and verifying a JWS object

11.4.3 The credit-card refund scenario with JWS

11.4.4 Exercises

11.5 JWE

11.5.1 JWE structure

11.5.2 Creating and verifying JWE objects

11.5.3 Exercises

11.6 JWT

11.6.1 Exercises

11.7 Exercise answers