Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the mime type to use for JSON Web Encryption

Looking at RFC 7515 and RFC 7516, I was trying to understand what the proper mime type for the JWE should be. It looks like JWE and JWS share the JOSE header information, and JWS defines its mime type as application/jose. JWE has no explicit media type information. But since the name is "jose" and both use JOSE header, I assume both should use the same mime type (also because JOSE stands for ... Signing and Encryption).

In this case, how do I differentiate between signed and/or encrypted messages? By value of the alg property? Or by presence/value of enc property?

To summarize:

  1. Is "application/jose" a mime type to use for JWE? If not, then what should it be?
  2. If yes, how to reliably tell between JWE and JWS messages?
like image 748
Pawel Veselov Avatar asked Oct 30 '22 10:10

Pawel Veselov


1 Answers

If I only paid more attention to the original RFC, I would have noticed that there is a section for this particular purpose (section 9).

In short, the code should examine presence of payload, ciphertext or enc properties, or by checking the value of alg. Alternatively, count period separators if compact serialization is used.

This also implies that the mime type for both is the same.

like image 165
Pawel Veselov Avatar answered Nov 09 '22 23:11

Pawel Veselov