None imposed by the library. That being said, the key lookup process is not efficient, and if you have hundreds or thousands of keys, maybe you should come up with your own lookup and storage/cache mechanism where you'll store the keys. The following is already part of the documentation and all comes from the JWE serialization formats specification.
The
This is the JWE Per-Recipient Unprotected Header. When multiple recipients' "alg" (Algorithm) Header Parameters aren't the same, due to their keys being of different types, it's used for indicating the recipient's specific alg. If you don't specify one as part of that recipient's unprotected header, one will be inferred from the passed-in key and put in there automatically. Keep in mind this header is unprotected.

```js
const { inspect } = require('util')
const jose = require('@panva/jose')

// One key per recipient, each of a different key type
const recipient1 = jose.JWK.generateSync('oct')
const recipient2 = jose.JWK.generateSync('RSA')
const recipient3 = jose.JWK.generateSync('EC')

// No per-recipient header passed: each recipient's alg is inferred from its key
let enc = new jose.JWE.Encrypt('foobar', { sharedProtected: 1 }, { sharedUnprotected: 2 }, 'aad')
enc.recipient(recipient1)
enc.recipient(recipient2)
enc.recipient(recipient3)
let jwe = enc.encrypt('general')
console.log(inspect(jwe, { colors: true, compact: false, depth: Infinity }))

// alg set explicitly in each recipient's unprotected header
enc = new jose.JWE.Encrypt('foobar', { sharedProtected: 1 }, { sharedUnprotected: 2 }, 'aad')
enc.recipient(recipient1, { alg: 'A256GCMKW' })
enc.recipient(recipient2, { alg: 'RSA1_5' })
enc.recipient(recipient3, { alg: 'ECDH-ES+A256KW' })
jwe = enc.encrypt('general')
console.log(inspect(jwe, { colors: true, compact: false, depth: Infinity }))
```
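An added example (not part of the original answer and not the library's own code) covering the two points in the answer above: a kid-indexed lookup instead of trying every stored key, and treating the unprotected per-recipient `alg` as untrusted by pinning the algorithm per key. The `keyCache` Map, the `selectRecipient` helper, the kid values and the sample JWE are constructed for illustration; the actual decryption is left to the library.

```javascript
// Added example: choose one recipient of a General JSON Serialization JWE by kid,
// with a Map as the key cache and the expected alg pinned per key.
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url')

// Hypothetical key cache: kid -> metadata stored with the key (a Map here; Redis would fill the same role).
const keyCache = new Map([
  ['user-1', { kty: 'oct', alg: 'A256GCMKW' }],
  ['user-2', { kty: 'RSA', alg: 'RSA-OAEP' }],
  ['user-3', { kty: 'EC', alg: 'ECDH-ES+A256KW' }]
])

// Constructed sample: only the header layout is real, the other members are placeholders.
const sampleJwe = {
  protected: b64u({ enc: 'A128CBC-HS256' }),
  unprotected: { sharedUnprotected: 2 },
  recipients: [
    { header: { alg: 'A256GCMKW', kid: 'user-1' }, encrypted_key: 'placeholder' },
    { header: { alg: 'RSA-OAEP', kid: 'user-2' }, encrypted_key: 'placeholder' },
    { header: { alg: 'ECDH-ES+A256KW', kid: 'user-3' }, encrypted_key: 'placeholder' }
  ],
  iv: 'placeholder',
  ciphertext: 'placeholder',
  tag: 'placeholder'
}

function selectRecipient (jwe, kid, cache) {
  const pinned = cache.get(kid) // O(1) lookup, no iteration over every stored key
  if (!pinned) throw new Error(`no key cached for kid ${kid}`)
  const prot = JSON.parse(Buffer.from(jwe.protected, 'base64url').toString())
  const shared = jwe.unprotected || {}
  const index = jwe.recipients.findIndex((r) => r.header && r.header.kid === kid)
  if (index === -1) throw new Error(`JWE has no recipient with kid ${kid}`)
  const perRecipient = jwe.recipients[index].header
  // RFC 7516: a Header Parameter name must not occur in more than one of the three headers.
  const names = [prot, shared, perRecipient].flatMap((h) => Object.keys(h))
  if (new Set(names).size !== names.length) throw new Error('duplicate header parameter')
  const alg = prot.alg || shared.alg || perRecipient.alg
  // The per-recipient header is not integrity protected, so its alg is accepted
  // only when it equals the algorithm pinned for this key.
  if (alg !== pinned.alg) throw new Error(`alg ${alg} not allowed for kid ${kid}`)
  return { index, alg, algIsProtected: 'alg' in prot }
}

console.log(selectRecipient(sampleJwe, 'user-3', keyCache))
```

The returned `index` identifies which `recipients` entry to hand to the library together with the cached key, and `algIsProtected` tells you whether the algorithm was covered by the integrity-protected header at all.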
-
Hello @panva, thank you for this detailed answer and the examples. I really appreciate it; it's clear now.
-
Hello,
Is there a limitation on the number of keys to put in the keyStore? If there is a limitation, could storing the keys in a cache like Redis be an alternative? I'm just wondering how to deal with them if there are a lot of users (one user = one key).
Also, I feel bad asking, as your documentation is great/extensive, but what exactly is the purpose of `encrypt.recipient(key[, header])`?
Is it for the case where I want to encrypt data with multiple user keys, so that each of them can read the content of the encrypted payload?
What exactly is the purpose of the header? I'm not sure I understand. Is it just to define whether it's sig/enc?
Thanks in advance.