I'm generating and exporting a JSON web key (jwk) (see RFC 7517) using the browser crypto API with the following code (with thanks to this excellent webCrypto examples page on GitHub):

async function makeKey(){ const key = await window.crypto.subtle.generateKey( { name: "AES-CTR", length: 128 }, false, ["encrypt", "decrypt"] ) return window.crypto.subtle.exportKey("jwk", key) } 

What I get back is a JSON object with a number of properties, very similar to the one in the MDN documentation, looking something like this:

{ alg: "A256CTR", ext: true, k: "...", //the actual key, a random string of characters key_ops: undefined, kty: "oct" } 

All of the above properties are defined in the RFC linked above, except for ext. I've looked through a number of sources (including but not only MDN and the RFC) and I cannot seem to find a definition. While all works fine just leaving it as defined above, I'd much rather (particularly for something like crypto) know what everything is there for. So, what is the purpose of the ext property of a jwk?

1 Answer

I finally found a reference to this in the w3 webCrypto API documentation.

It is an extension to the jwk specification. Section 15 on the JsonWebKey dictionary has the following definition:

dictionary JsonWebKey { // The following fields are defined in Section 3.1 of JSON Web Key DOMString kty; DOMString use; sequence<DOMString> key_ops; DOMString alg; // The following fields are defined in JSON Web Key Parameters Registration boolean ext; // The following fields are defined in Section 6 of JSON Web Algorithms DOMString crv; DOMString x; DOMString y; DOMString d; DOMString n; DOMString e; DOMString p; DOMString q; DOMString dp; DOMString dq; DOMString qi; sequence<RsaOtherPrimesInfo> oth; DOMString k; }; 

Which leads to the section on JSON Web Key Parameters Registration which defines it as being short for extractable which, from the context of the rest of the document, indicates if the key can be exported.

Given that the jwt was generated by exporting it this will always be true for any key thus generated, however setting it to false before importing a key would prevent it from being re-exported.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge that you have read and understand our privacy policy and code of conduct.