
verify signature

Open stokito opened this issue 5 years ago • 2 comments

Here is a script that can also verify the signature: https://gist.github.com/stokito/f2d7ea0b300f14638a9063559384ec89

I guess you may want to reuse this logic. Also, my version fixes a problem where base64 fails with the message:

base64: invalid input
parse error: Invalid numeric literal at EOF at line 1, column 1

This happens because JWT uses Base64 URL encoding, so we need an additional step that replaces - with + and _ with / using the command tr -- '-_ ' '+/='

stokito avatar Jan 21 '20 00:01 stokito

Thanks for your contribution @stokito. I'll have a look at it ASAP.

emcrisostomo avatar Feb 02 '20 15:02 emcrisostomo

No worries, in fact to verify the signature there is just one simple line:

echo -n "$JWT_BODY" | openssl dgst -sha256 -verify "${PUB_KEY_FILE}" -signature "${SIG_FILE}"

It supports only RS256 tokens, but I checked that all public OAuth providers use only it. The base64 urlencode is a bug, so it would be nice to fix it. TBH my script was just a playground, and I developed and tested another script for OpenWrt (a small Linux for routers) https://gist.github.com/stokito/43afca84fc34d1d362bf210cd941a366 which is fresher.

One key change is that my script is adapted for ash/dash, which is simpler but is available by default on almost all platforms, while yours uses zsh, which is too big for small routers.

stokito avatar Feb 02 '20 15:02 stokito
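
The verification step discussed in this thread, as a POSIX sh sketch (an added example, not code from the thread, from jwt-cli, or from either gist): it restores the base64url padding before decoding, pins the header's alg to RS256, and checks the signature over header.payload with openssl dgst. The function names, the throwaway key pair and the sample tokens are constructed for illustration.

```shell
#!/bin/sh
# Added example, not taken from either gist. Function names are hypothetical.

# base64url -> base64: swap the two URL-safe characters, then restore the
# '=' padding that JWT strips (a missing pad also makes base64 -d fail).
b64url_to_b64() {
    _s=$(printf '%s' "$1" | tr -- '-_' '+/')
    case $(( ${#_s} % 4 )) in
        2) _s="$_s==" ;;
        3) _s="$_s=" ;;
        1) return 1 ;;            # no valid base64 string has this length
    esac
    printf '%s' "$_s"
}
b64url_decode() { b64url_to_b64 "$1" | openssl base64 -d -A; }
# Encoder, needed only to build the constructed sample tokens in demo().
b64url_encode() { openssl base64 -A | tr -- '+/' '-_' | tr -d '='; }

# verify_rs256 TOKEN PUBKEY.pem: succeeds only for a valid RS256 signature.
verify_rs256() {
    case $1 in *.*.*.*) return 2 ;; *.*.*) ;; *) return 2 ;; esac
    _hdr=${1%%.*} _sig=${1##*.} _signed=${1%.*}   # _signed is header.payload
    # Pin the algorithm ourselves; a crude grep stands in for a JSON parser.
    b64url_decode "$_hdr" | grep -q '"alg" *: *"RS256"' || return 3
    _f=$(mktemp) || return 4
    b64url_decode "$_sig" > "$_f" || { rm -f "$_f"; return 4; }
    if printf '%s' "$_signed" |
        openssl dgst -sha256 -verify "$2" -signature "$_f" >/dev/null 2>&1
    then _rc=0; else _rc=1; fi
    rm -f "$_f"
    return "$_rc"
}

# Constructed sample: throwaway key pair, one good token, one tampered token.
demo() {
    _d=$(mktemp -d) || return 4
    openssl genrsa -out "$_d/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$_d/priv.pem" -pubout -out "$_d/pub.pem" 2>/dev/null
    _h=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
    _p=$(printf '%s' '{"sub":"constructed-user"}' | b64url_encode)
    _g=$(printf '%s' "$_h.$_p" | openssl dgst -sha256 -sign "$_d/priv.pem" | b64url_encode)
    _bad=$(printf '%s' '{"sub":"someone-else"}' | b64url_encode)
    _ok=0;  verify_rs256 "$_h.$_p.$_g" "$_d/pub.pem"   || _ok=$?
    _tam=0; verify_rs256 "$_h.$_bad.$_g" "$_d/pub.pem" || _tam=$?
    rm -rf "$_d"
    echo "valid=$_ok tampered=$_tam"
}
demo
```

A signature check alone does not validate the claims: exp, aud and iss still have to be checked after the token verifies.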