@ -22,7 +22,7 @@
# ENDORSER_API_URL - API endpoint (defaults to test)
# DEBUG - Enable debug logging when set to 1
# Add debug logging function
# Enhanced debug logging
debug_log( ) {
if [ " ${ DEBUG :- 0 } " = "1" ] ; then
echo " DEBUG: $* " >& 2
@ -82,6 +82,15 @@ payload_b64=$(echo -n "$payload" | base64 -w 0 | tr '/+' '_-' | tr -d '=')
# Create message to sign (header.payload)
message = " $header_b64 . $payload_b64 "
# Add debug points
debug_log "Creating JWT with:"
debug_log " ADMIN_DID: $ADMIN_DID "
debug_log " API_URL: $API_URL "
debug_log " Payload: $payload "
debug_log " Header base64: $header_b64 "
debug_log " Payload base64: $payload_b64 "
debug_log " Message to sign: $message "
# Create temporary directory for key operations
# Uses trap to ensure cleanup on exit
TMPDIR = $( mktemp -d)
@ -114,6 +123,10 @@ if [[ $der_sig =~ ^30([0-9a-f]{2})02([0-9a-f]{2})([0-9a-f]*)02([0-9a-f]{2})([0-9
s_len = " ${ BASH_REMATCH [4] } "
s_val = " ${ BASH_REMATCH [5] } "
debug_log "Raw signature values:"
debug_log " R ( ${# r_val } chars): $r_val "
debug_log " S ( ${# s_val } chars): $s_val "
# Convert lengths to decimal
r_len_dec = $(( 16# $r_len ))
s_len_dec = $(( 16# $s_len ))
@ -132,30 +145,98 @@ if [[ $der_sig =~ ^30([0-9a-f]{2})02([0-9a-f]{2})([0-9a-f]*)02([0-9a-f]{2})([0-9
s_val = $( printf "%064s" " $s_val " | tr ' ' '0' ) # Left pad
fi
# Ensure both values are exactly 64 characters
r_val = $( printf "%064s" " $r_val " | tr ' ' '0' )
s_val = $( printf "%064s" " $s_val " | tr ' ' '0' )
debug_log "Normalized values:"
debug_log " R ( ${# r_val } chars): $r_val "
debug_log " S ( ${# s_val } chars): $s_val "
# Create final signature
concat_sig = " ${ r_val } ${ s_val } "
# Debug the DER parsing
debug_log "DER Signature Analysis:"
debug_log " Full DER: $der_sig "
debug_log " Sequence length: ${ BASH_REMATCH [1] } "
debug_log " R length: $r_len ( $r_len_dec bytes) "
debug_log " S length: $s_len ( $s_len_dec bytes) "
# Debug signature components
debug_log "Signature components:"
debug_log " R value: $r_val (length: ${# r_val } ) "
debug_log " S value: $s_val (length: ${# s_val } ) "
debug_log " Concatenated: $concat_sig (length: ${# concat_sig } ) "
# Try both normal and high-S value signatures
s_val_alt = ""
if [ $s_len_dec -gt 32 ] ; then
# Store alternative S value
s_val_alt = " $s_val "
# Calculate N - s for high-S values
n = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141"
# Use Python for hex math to avoid bc issues
normalized_s = $( python3 -c "
n = int( '$n' , 16)
s = int( '${s_val}' , 16)
result = hex( n - s) [ 2:] .zfill( 64)
print( result.lower( ) )
" 2>/dev/null || echo " ERROR" )
if [ " $normalized_s " = "ERROR" ] ; then
debug_log " Failed to normalize S value"
# Keep original s_val if normalization fails
s_val_alt = ""
else
s_val = $( printf "%064s" " $normalized_s " | tr ' ' '0' | tr '[:upper:]' '[:lower:]' )
debug_log " Normalized S value: $s_val "
fi
fi
# Calculate recovery bit (v)
# Try each possible recovery value (0-3) until we find one that works
for v in { 0..3} ; do
# Try both S values if we have an alternative
s_values = ( " $s_val " )
if [ -n " $s_val_alt " ] ; then
s_values += ( " $s_val_alt " )
fi
for current_s in " ${ s_values [@] } " ; do
concat_sig = " ${ r_val } ${ current_s } "
debug_log " Trying with S value: $current_s "
recovery_sig = $( printf "%s%02x" " $concat_sig " " $v " )
debug_log " Trying recovery bit $v : $recovery_sig "
debug_log " Recovery attempt $v : "
debug_log " Concatenated signature: $concat_sig "
debug_log " Recovery signature: $recovery_sig "
debug_log " Recovery signature length: ${# recovery_sig } "
# Ensure signature is exactly 65 bytes (130 hex chars)
if [ ${# recovery_sig } -ne 130 ] ; then
debug_log " Invalid signature length: ${# recovery_sig } , expected 130 "
continue
fi
# Convert to base64url
signature = $( echo -n " $recovery_sig " | xxd -r -p | base64 -w 0 | tr '/+' '_-' | tr -d '=' )
# Convert hex to binary, then to base64url
signature = $( echo -n " $recovery_sig " | xxd -r -p 2>/dev/null | base64 -w 0 | tr '/+' '_-' | tr -d '=' )
debug_log " Base64URL signature: $signature "
# Create JWT with this signature
JWT = " $message . $signature "
debug_log " Testing JWT: $JWT "
# Test the JWT against the API
response = $( curl -s -X GET " $API_URL " \
-H "Content-Type: application/json" \
-H " Authorization: Bearer $JWT " )
debug_log " API Response: $response "
# Check if the JWT worked
if ! echo " $response " | grep -q "JWT_VERIFY_FAILED" ; then
if ! echo " $response " | grep -q "JWT.*failed " ; then
echo "JWT Token:"
echo " $JWT "
debug_log " Success with v= $v and S= ${ current_s : 0 : 8 } ... "
echo
echo "Export command:"
echo " export TOKEN=' $JWT ' "
@ -167,7 +248,23 @@ if [[ $der_sig =~ ^30([0-9a-f]{2})02([0-9a-f]{2})([0-9a-f]*)02([0-9a-f]{2})([0-9
exit 0
else
echo " ❌ DID $CHECK_DID is not in the list "
echo "Attempting to add visibility..."
# Request visibility
visibility_response = $( curl -s -X POST \
'http://test-api.endorser.ch/api/report/canSeeMe' \
-H " Authorization: Bearer $JWT " \
-H "Content-Type: application/json" \
-d " {\"did\": \" $CHECK_DID \"} " )
if echo " $visibility_response " | grep -q "error" ; then
echo "❌ Failed to add visibility:"
echo " $visibility_response " | jq '.' --indent 2
exit 1
else
echo "✅ Successfully requested visibility. Please try checking again."
exit 0
fi
fi
else
# Show full list of visible DIDs
@ -176,6 +273,7 @@ if [[ $der_sig =~ ^30([0-9a-f]{2})02([0-9a-f]{2})([0-9a-f]*)02([0-9a-f]{2})([0-9
exit 0
fi
done
done
echo "Error: Could not find valid recovery bit"
exit 1
Matthew Raymer
1 week ago