update the script commands for JWT signature generation & validation

1 year ago · 92fcffdfc5
4 changed files with 44 additions and 23 deletions
--- a/README.md
+++ b/README.md
@ -28,7 +28,7 @@ npm run lint

 ## Tests

-###
+### Web-push

 For your own web-push tests, change the 'vapid' URL in App.vue, and install apps on the same domain.

@ -54,8 +54,8 @@ by an existing user:
 On the test server, User #0 has rights to register others, so you can start
 playing one of two ways:

- Import the keys for the test User `did:ethr:0x000Ee5654b9742f6Fe18ea970e32b97ee2247B51` by importing this seed phrase:
-  `seminar accuse mystery assist delay law thing deal image undo guard initial shallow wrestle list fragile borrow velvet tomorrow awake explain test offer control`
+- Import the keys for the test User `did:ethr:0x0000694B58C2cC69658993A90D3840C560f2F51F` by importing this seed phrase:
+  `rigid shrug mobile smart veteran half all pond toilet brave review universe ship congress found yard skate elite apology jar uniform subway slender luggage`
  (Other test users are found [here](https://github.com/trentlarson/endorser-ch/blob/master/test/util.js).)

 - Alternatively, register someone else under User #0 automatically:
--- a/openssl_signing_console.rst
+++ b/openssl_signing_console.rst
@ -1,8 +1,11 @@
-Prerequisites:
+JWT Creation & Verification

-jq 
+To run this in a script, see ./openssl_signing_console.sh

-You can create a JWT using a library or by encoding the header and payload base64Url and signing it with a secret using a ES256K algorithm. Here is an example of how you can create a JWT using the jq and openssl command line utilities:
+Prerequisites: openssl, jq
+
+You can create a JWT using a library or by encoding the header and payload base64Url and signing it with a secret using
+a ES256K algorithm. Here is an example of how you can create a JWT using the jq and openssl command line utilities:

 Here is an example of how you can use openssl to sign a JWT with the ES256K algorithm:

@ -15,20 +18,22 @@ openssl ec -in private.pem -pubout -out public.pem

 header='{"alg":"ES256K", "issuer": "", "typ":"JWT"}'

-    Next, create a payload object as a JSON object containing the claims you want to include in the JWT. For example schema.org :
+    Next, create a payload object as a JSON object containing the claims you want to include in the JWT.
+    For example schema.org :

 payload='{"@context": "http://schema.org", "@type": "PlanAction", "identifier": "did:ethr:0xb86913f83A867b5Ef04902419614A6FF67466c12", "name": "Test", "description": "Me"}'

    Encode the header and payload objects as base64Url strings. You can use the jq command line utility to do this:

-header_b64=$(echo -n "$header" | jq -c -M . | tr -d '\n')
-payload_b64=$(echo -n "$payload" | jq -c -M . | tr -d '\n')
+header_b64=$(echo -n "$header" | jq -c -M . | tr -d '\n' | base64 | tr -d '=' | tr '+' '-' | tr '/' '_')
+payload_b64=$(echo -n "$payload" | jq -c -M . | tr -d '\n' | base64 | tr -d '=' | tr '+' '-' | tr '/' '_')

    Concatenate the encoded header, payload, and a secret to create the signing input:

 signing_input="$header_b64.$payload_b64"

-    Create the signature by signing the signing input with a ES256K algorithm and your secret. You can use the openssl command line utility to do this:
+    Create the signature by signing the signing input with a ES256K algorithm and your secret.
+    You can use the openssl command line utility to do this:

 signature=$(echo -n "$signing_input" | openssl dgst -sha256 -sign private.pem)

@ -43,7 +48,7 @@ Authorization: Bearer $jwt

    To verify the JWT, you can use the openssl utility with the public key:

-openssl dgst -sha256 -verify public.pem -signature <(echo -n "$signature") "$signing_input"
-
-    This will verify the signature and output Verified OK if the signature is valid. If the signature is not valid, it will output an error.
+echo -n "$signing_input" | openssl dgst -sha256 -verify public.pem -signature <(echo -n "$signature")

+    This will verify the signature and output "Verified OK" if the signature is valid.
+    If the signature is not valid, it will give an error response and output "Verification failure".
--- a/openssl_signing_console.sh
+++ b/openssl_signing_console.sh
@ -1,5 +1,17 @@
 #!/bin/bash

+# Generate a JWT, with signature verified using OpenSSL
+#
+# Prerequisites: openssl, jq
+#
+# Usage: source ./openssl_signing_console.sh
+#
+# For a more complete explanation, see ./openssl_signing_console.rst
+#
+# It's crazy that raw execution only works about 20% of the time!
+# See https://stackoverflow.com/questions/77505582/why-would-openssl-verify-succeed-every-time-with-source-but-fail-80-of-the
+
+
 openssl ecparam -name secp256k1 -genkey -noout -out private.pem
 openssl ec -in private.pem -pubout -out public.pem

@ -7,19 +19,25 @@ header='{"alg":"ES256K", "issuer": "", "typ":"JWT"}'

 payload='{"@context": "http://schema.org", "@type": "PlanAction", "identifier": "did:ethr:0xb86913f83A867b5Ef04902419614A6FF67466c12", "name": "Test", "description": "Me"}'

-header_b64=$(echo -n "$header" | jq -c -M . | tr -d '\n')
-payload_b64=$(echo -n "$payload" | jq -c -M . | tr -d '\n')
+header_b64=$(echo -n "$header" | jq -c -M . | tr -d '\n' | base64 | tr -d '=' | tr '+' '-' | tr '/' '_')
+payload_b64=$(echo -n "$payload" | jq -c -M . | tr -d '\n' | base64 | tr -d '=' | tr '+' '-' | tr '/' '_')

 signing_input="$header_b64.$payload_b64"

-echo -n "$signing_input" | openssl dgst -sha256 -sign private.pem -out signature.bin
+signature=$(echo -n "$signing_input" | openssl dgst -sha256 -sign private.pem)

-# Read binary signature from file and encode it to Base64 URL-Safe format
-signature_b64=$(base64 -w 0 < signature.bin | tr -d '=' | tr '+' '-' | tr '/' '_')
+echo -n "$signing_input" | openssl dgst -sha256 -verify public.pem -signature <(echo -n "$signature")

-# Construct the JWT
-jwt="$signing_input.$signature_b64"
+# Also tested this, to no avail.
+#echo -n "$signature" > sig.out
+#echo -n "$signing_input" | openssl dgst -sha256 -verify public.pem -signature sig.out

-openssl dgst -sha256 -verify public.pem -signature signature.bin -out verified.txt <(echo -n "$signing_input")


+# Read binary signature and encode it to Base64 URL-Safe format
+signature_b64=$(echo -n "$signature" | base64 | tr -d '=' | tr '+' '-' | tr '/' '_')
+
+# Construct the JWT
+jwt="$signing_input.$signature_b64"
+
+echo Resulting JWT: $jwt
--- a/project.task.yaml
+++ b/project.task.yaml
@ -5,8 +5,6 @@ tasks:
 - 40 notifications :
  - push, where we trigger a ServiceWorker(?) in the app to reach out and check for new data assignee:matthew

- 01 Show pop-up or some message confirming that settings & contacts download has been initiated/finished
-
 - 01 Ensure each action sent to the server has a confirmation - eg registration (ie a toast something that dismisses after 5-10s)

 - Home Feed & Quick Give screen :