
Can anyone help regarding this? I generated a key in Python using jwk with the command below and stored it in a variable `key`

key = jwk.JWK.generate(kty='RSA', size=512)

and when I used key.export() it returned the dict below

{'d': 'Z1apo6KRMoS0xyqqTu7lEwZ7f_AON_tve42nSUkwXypMF1rDNj_xgIn9J5I4TvAisUaRYq82uZfYf76eMgj8uQ',
 'dp': '4k-hSfYmT8H2zdHVFVQpBD-_w5G9ASSADgKn3F08AAs',
 'dq': 'E4fXlCY6oT3yPTnOb3LvLxMtKDPmwoI-FLYbNP2L0-k',
 'e': 'AQAB',
 'kty': 'RSA',
 'n': 'wuALgiButVPQy8bCnSkvU-QlBqYB5pk6rfwlcTr-csc8DOvPzekHJYWPjbP_ptAxSW3r5Bnpac1MDgMQKFjOtw',
 'p': '8ZI61ugJ3WblKvY-JfkyWXUcdoGAWQB8B9VcfWRvLuM',
 'q': 'zoPN8ItkA_0rf_XobRkjhYIdtoXyOLXCqYSU0i8etR0',
 'qi': 'JhXuF6EDTrrPysGzsVhco4hpVsSHCXgS7UGZUISc2Ug'}

Can anyone explain what the keys in this dict are, like d, dp, dq, e, n, p, q, qi?

  • If my or any answer has solved your question please consider [accepting it](https://stackoverflow.com/help/someone-answers) by clicking the check-mark. This indicates to the wider community that you've found a solution and gives some reputation to both the answerer and yourself. If there's still anything unclear in the given answers, don't hesitate to ask by using the comment function under the answer. – jps Jun 07 '21 at 07:30

1 Answer

You generated a JWK (JSON Web Key), a special representation of a key. In your case it's an RSA Key which contains the parameters for the private and the public key.

Please refer to RFC7517, JSON Web Key (JWK), for the general keys, e.g.

  • "kty" (Key Type) Parameter
  • "kid" (Key ID) Parameter
  • "use" (Public Key Use) Parameter

The above mentioned "use" parameter will usually have the value "sig" (signature), when the key is used for JWT signatures (signing/verifying). The "kid" helps to find the matching key for signature verification.

RFC7518, JSON Web Algorithms (JWA) contains the definitions for the algorithm-specific part.

n and e are the modulus and exponent of the public key; all others are used for the private key. Section 6.3 of RFC7518 lists all the specific entries of the RSA key:

  • "n" (Modulus) Parameter
  • "e" (Exponent) Parameter
  • "d" (Private Exponent) Parameter
  • "p" (First Prime Factor) Parameter
  • "q" (Second Prime Factor) Parameter
  • "dp" (First Factor CRT Exponent) Parameter
  • "dq" (Second Factor CRT Exponent) Parameter
  • "qi" (First CRT Coefficient) Parameter
    Thank You Boss for the help – Chip Jun 03 '21 at 12:49
  • Aren't a few of these, like `e`, `n` etc., already part of the public key? Then why are they part of the JWKS again? Any special purpose. – samshers Nov 20 '21 at 22:26
  • I'm not sure what you mean with this question. Yes, `n` and `e` are parts of the public key, as I wrote in the answer. *A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key* (from [rfc7517](https://datatracker.ietf.org/doc/html/rfc7517)); it can represent both public and private keys. Often JWKS are used to publish public keys (and of course only public keys) for the purpose of token verification, as, e.g., described here for [Amazon Cognito](https://aws.amazon.com/de/premiumsupport/knowledge-center/decode-verify-cognito-json-token/) – jps Nov 21 '21 at 10:04
  • `Yes, n and e are parts of the public key` - this answers. ++1. But my question is, when these are already part of the public key, why does the spec want these values to be part of the JWKS? They (n and e) can anyway be calculated from the public key, so why the redundancy of explicitly having n and e in the JWKS. – samshers Nov 21 '21 at 16:26
  • The JWK (JWKS is a set, an array of JWK), containing n and e **is** the public key that you will get. In the case of the Amazon example above, Amazon will offer nothing else than just a link from which you can obtain the JWKS. You will not have any other representation of the public key at hand from which you could derive anything. You read the JWKS, find the matching JWK (usually identified by a keyId (kid)) and use n and e like in this [example](https://stackoverflow.com/questions/61395261/how-to-validate-signature-of-jwt-from-jwks-without-x5c) to create an RSAKey object in your program. – jps Nov 21 '21 at 17:57