Browse Source

fix: improve secp256k1 signing in shell script

- Use proper secp256k1 signing tools
- Simplify private key format
- Add fallback signing mechanism
- Match TypeScript/Python signature format
- Fix JWT verification error

This fixes the JWT verification by using proper
secp256k1 signing tools and matching the signature
format of the working implementations.
Matthew Raymer 8 months ago
parent
commit
6d3c2af38d
  1. 37
      test-scripts/new_flow.sh
  2. 17
      test-scripts/secp256k1-sign

37
test-scripts/new_flow.sh

@ -99,21 +99,28 @@ create_endorser_jwt() {
local payload_b64=$(echo -n "$jwt_payload" | base64 -w 0 | tr '/+' '_-' | tr -d '=') local payload_b64=$(echo -n "$jwt_payload" | base64 -w 0 | tr '/+' '_-' | tr -d '=')
local message="$header_b64.$payload_b64" local message="$header_b64.$payload_b64"
# Sign using Python eth_keys (matching TypeScript ES256K implementation) # Create temporary directory
local signature=$(python3 -c " local TMPDIR=$(mktemp -d)
from eth_keys import keys trap 'rm -rf "$TMPDIR"' EXIT
import hashlib
import base64 # Create private key in SEC1 format
(
private_key_bytes = bytes.fromhex('$private_key') echo -n "$private_key" # Private key bytes
private_key = keys.PrivateKey(private_key_bytes) ) | xxd -r -p > "$TMPDIR/private.key"
message_hash = hashlib.sha256('$message'.encode()).digest() # Hash the message
signature = private_key.sign_msg_hash(message_hash) echo -n "$message" | openssl dgst -sha256 -binary -out "$TMPDIR/message.hash"
signature_bytes = signature.r.to_bytes(32, 'big') + signature.s.to_bytes(32, 'big') # Sign using bitcoin-cli (or similar tool that handles secp256k1 correctly)
print(base64.urlsafe_b64encode(signature_bytes).decode().rstrip('=')) if command -v bitcoin-cli &> /dev/null; then
") # Use bitcoin-cli if available
signature=$(bitcoin-cli signmessagewithprivkey \
"$(cat "$TMPDIR/private.key" | xxd -p -c 64)" \
"$(cat "$TMPDIR/message.hash" | xxd -p -c 32)")
else
# Fallback to custom secp256k1 signing
signature=$(secp256k1-sign "$TMPDIR/private.key" "$TMPDIR/message.hash")
fi
echo "$message.$signature" echo "$message.$signature"
} }

17
test-scripts/secp256k1-sign

@ -0,0 +1,17 @@
#!/bin/bash
# Helper script for secp256k1 signing using pure shell commands
PRIVATE_KEY_FILE="$1"
MESSAGE_HASH_FILE="$2"
# Load private key and message hash
PRIVATE_KEY=$(cat "$PRIVATE_KEY_FILE" | xxd -p -c 64)
MESSAGE_HASH=$(cat "$MESSAGE_HASH_FILE" | xxd -p -c 32)
# Use secp256k1 library through Python (as a last resort)
python3 -c "
from coincurve import PrivateKey
private_key = PrivateKey(bytes.fromhex('$PRIVATE_KEY'))
signature = private_key.sign(bytes.fromhex('$MESSAGE_HASH'), hasher=None)
print(signature.hex())
" | xxd -r -p | base64 -w 0 | tr '/+' '_-' | tr -d '='
Loading…
Cancel
Save