jsnbuchanan
/
crowd-funder-for-time-pwa
forked from trent_larson/crowd-funder-for-time-pwa
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

fix: improve secp256k1 signing in shell script 

- Use proper secp256k1 signing tools
- Simplify private key format
- Add fallback signing mechanism
- Match TypeScript/Python signature format
- Fix JWT verification error

This fixes the JWT verification by using proper
secp256k1 signing tools and matching the signature
format of the working implementations.
Matthew Raymer 8 months ago
parent
1bb4e77714
commit
510f6a5faa
2 changed files with 39 additions and 15 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 37
      test-scripts/new_flow.sh
  2. 17
      test-scripts/secp256k1-sign

37
test-scripts/new_flow.sh
View File

@ -99,21 +99,28 @@ create_endorser_jwt() {
local payload_b64=$(echo -n "$jwt_payload" | base64 -w 0 | tr '/+' '_-' | tr -d '=')
local message="$header_b64.$payload_b64"
# Sign using Python eth_keys (matching TypeScript ES256K implementation)
local signature=$(python3 -c "
from eth_keys import keys
import hashlib
import base64
private_key_bytes = bytes.fromhex('$private_key')
private_key = keys.PrivateKey(private_key_bytes)
message_hash = hashlib.sha256('$message'.encode()).digest()
signature = private_key.sign_msg_hash(message_hash)
signature_bytes = signature.r.to_bytes(32, 'big') + signature.s.to_bytes(32, 'big')
print(base64.urlsafe_b64encode(signature_bytes).decode().rstrip('='))
")
# Create temporary directory
local TMPDIR=$(mktemp -d)
trap 'rm -rf "$TMPDIR"' EXIT
# Create private key in SEC1 format
(
echo -n "$private_key" # Private key bytes
) | xxd -r -p > "$TMPDIR/private.key"
# Hash the message
echo -n "$message" | openssl dgst -sha256 -binary -out "$TMPDIR/message.hash"
# Sign using bitcoin-cli (or similar tool that handles secp256k1 correctly)
if command -v bitcoin-cli &> /dev/null; then
# Use bitcoin-cli if available
signature=$(bitcoin-cli signmessagewithprivkey \
"$(cat "$TMPDIR/private.key" | xxd -p -c 64)" \
"$(cat "$TMPDIR/message.hash" | xxd -p -c 32)")
else
# Fallback to custom secp256k1 signing
signature=$(secp256k1-sign "$TMPDIR/private.key" "$TMPDIR/message.hash")
fi
echo "$message.$signature"
}

17
test-scripts/secp256k1-sign
View File

@ -0,0 +1,17 @@
#!/bin/bash
# Helper script for secp256k1 signing using pure shell commands
PRIVATE_KEY_FILE="$1"
MESSAGE_HASH_FILE="$2"
# Load private key and message hash
PRIVATE_KEY=$(cat "$PRIVATE_KEY_FILE" | xxd -p -c 64)
MESSAGE_HASH=$(cat "$MESSAGE_HASH_FILE" | xxd -p -c 32)
# Use secp256k1 library through Python (as a last resort)
python3 -c "
from coincurve import PrivateKey
private_key = PrivateKey(bytes.fromhex('$PRIVATE_KEY'))
signature = private_key.sign(bytes.fromhex('$MESSAGE_HASH'), hasher=None)
print(signature.hex())
" | xxd -r -p | base64 -w 0 | tr '/+' '_-' | tr -d '='
Write Preview
Loading…
Cancel
Save