trent_larson
/
crowd-funder-for-time-pwa
4
1
Fork 2
Code Pull Requests 5 Releases 5 Wiki Activity
Browse Source

fix: improve secp256k1 signing in shell script 

- Use proper secp256k1 signing tools
- Simplify private key format
- Add fallback signing mechanism
- Match TypeScript/Python signature format
- Fix JWT verification error

This fixes the JWT verification by using proper
secp256k1 signing tools and matching the signature
format of the working implementations.
pull/127/head
Matthew Raymer 1 week ago
parent
1bb4e77714
commit
510f6a5faa
2 changed files with 39 additions and 15 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 35
      test-scripts/new_flow.sh
  2. 17
      test-scripts/secp256k1-sign

35
test-scripts/new_flow.sh
View File

@ -99,21 +99,28 @@ create_endorser_jwt() {
local payload_b64=$(echo -n "$jwt_payload" | base64 -w 0 | tr '/+' '_-' | tr -d '=') local payload_b64=$(echo -n "$jwt_payload" | base64 -w 0 | tr '/+' '_-' | tr -d '=')
local message="$header_b64.$payload_b64" local message="$header_b64.$payload_b64"
# Sign using Python eth_keys (matching TypeScript ES256K implementation) # Create temporary directory
local signature=$(python3 -c " local TMPDIR=$(mktemp -d)
from eth_keys import keys trap 'rm -rf "$TMPDIR"' EXIT
import hashlib
import base64
private_key_bytes = bytes.fromhex('$private_key')
private_key = keys.PrivateKey(private_key_bytes)
message_hash = hashlib.sha256('$message'.encode()).digest()
signature = private_key.sign_msg_hash(message_hash)
signature_bytes = signature.r.to_bytes(32, 'big') + signature.s.to_bytes(32, 'big') # Create private key in SEC1 format
print(base64.urlsafe_b64encode(signature_bytes).decode().rstrip('=')) (
") echo -n "$private_key" # Private key bytes
) | xxd -r -p > "$TMPDIR/private.key"
# Hash the message
echo -n "$message" | openssl dgst -sha256 -binary -out "$TMPDIR/message.hash"
# Sign using bitcoin-cli (or similar tool that handles secp256k1 correctly)
if command -v bitcoin-cli &> /dev/null; then
# Use bitcoin-cli if available
signature=$(bitcoin-cli signmessagewithprivkey \
"$(cat "$TMPDIR/private.key" | xxd -p -c 64)" \
"$(cat "$TMPDIR/message.hash" | xxd -p -c 32)")
else
# Fallback to custom secp256k1 signing
signature=$(secp256k1-sign "$TMPDIR/private.key" "$TMPDIR/message.hash")
fi
echo "$message.$signature" echo "$message.$signature"
} }

17
test-scripts/secp256k1-sign
View File

@ -0,0 +1,17 @@
#!/bin/bash
# Helper script for secp256k1 signing using pure shell commands
PRIVATE_KEY_FILE="$1"
MESSAGE_HASH_FILE="$2"
# Load private key and message hash
PRIVATE_KEY=$(cat "$PRIVATE_KEY_FILE" | xxd -p -c 64)
MESSAGE_HASH=$(cat "$MESSAGE_HASH_FILE" | xxd -p -c 32)
# Use secp256k1 library through Python (as a last resort)
python3 -c "
from coincurve import PrivateKey
private_key = PrivateKey(bytes.fromhex('$PRIVATE_KEY'))
signature = private_key.sign(bytes.fromhex('$MESSAGE_HASH'), hasher=None)
print(signature.hex())
" | xxd -r -p | base64 -w 0 | tr '/+' '_-' | tr -d '='
Write Preview
Loading…
Cancel
Save