JWT and RSA/ECDSA Signatures with JavaScript
Coding
For a JSON Web Token, the methods that can provide a signature include HS256 (HMAC with SHA-256), ES256 (ECDSA using the P-256 curve and SHA-256), RS256 (RSASSA-PKCS1-v1_5 with SHA-256) and PS256 (RSASSA-PSS with SHA-256). HS256 is a MAC rather than an encryption scheme: one shared secret both creates and checks the tag, so any party able to verify an HS256 token is also able to forge one. ES256, RS256 and PS256 are digital signatures: the private key signs the token and only the public key is needed to verify it, so verifiers never hold signing capability. In this case we use a public-key signature, where the private key signs the token and the public key verifies it. Whichever method is used, the verifier must decide for itself which `alg` values it accepts instead of trusting the `alg` field carried in the token header (otherwise a token declaring `alg: none`, or HS256 keyed with the public key, may be accepted); the `verifyJWT` calls below pass `alg: [method]` for exactly this reason. Some JavaScript code, using the jsrsasign library's `KEYUTIL` and `KJUR` objects, for signing a JSON Web Token with RSA is:
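<script type="text/javascript">
document.getElementById("m").value = "Hello";

/**
 * Demo: generate a fresh RSA key pair, sign a JWT with the private key, then
 * verify the token with the matching public key, rendering each step into
 * the "keys" and "JWT" elements of the page.
 *
 * @param {number} size   RSA modulus size in bits, passed to KEYUTIL.generateKeypair.
 * @param {string} method JWS "alg" usable with an RSA key: "RS256" (PKCS#1 v1.5)
 *                        or "PS256" (RSA-PSS). Also used as the verifier's whitelist.
 * @param {string} iss    Issuer claim (iss) written into the payload and checked on verify.
 * @param {string} sub    Subject claim (sub) written into the payload and checked on verify.
 * @param {string} id     JWT ID claim (jti) written into the payload.
 */
function gojwt(size, method, iss, sub, id) {
  var keysOut = document.getElementById("keys");
  var jwtOut = document.getElementById("JWT");

  // A fresh key pair on every call; PEM/PKCS#8 is what the sign and verify calls consume.
  var kp = KEYUTIL.generateKeypair("RSA", size);
  var priv = KEYUTIL.getPEM(kp.prvKeyObj, "PKCS8PRV");
  var pub = KEYUTIL.getPEM(kp.pubKeyObj, "PKCS8PUB");

  // textContent rather than innerHTML: iss/sub/id come from form fields, and the
  // key material and token are written verbatim, so nothing here is parsed as markup.
  keysOut.textContent = "Private key:\n" + priv + "Public key:\n" + pub;

  // Header: alg is the value the verifier whitelists below; typ is informational.
  var oHeader = { alg: method, typ: "JWT" };

  // Payload: registered claims with a one-day validity window starting now.
  var tNow = KJUR.jws.IntDate.get("now");
  var tEnd = KJUR.jws.IntDate.get("now + 1day");
  var oPayload = {
    iss: iss,
    sub: sub,
    nbf: tNow,
    iat: tNow,
    exp: tEnd,
    jti: id
  };

  var sHeader = JSON.stringify(oHeader);
  var sPayload = JSON.stringify(oPayload);
  jwtOut.textContent = "Header:\n" + sHeader + "\n\nPayload:\n" + sPayload;

  // Signing uses the private key only.
  var sJWT = KJUR.jws.JWS.sign(method, sHeader, sPayload, priv);
  jwtOut.textContent += "\n\nSignature:\n" + sJWT;

  // Verification uses the public key only. acceptField.alg is the whitelist:
  // a token whose header claims "none" or "HS256" fails regardless of what its
  // signature field holds, and iss/sub must match what we issued. Per the
  // jsrsasign docs verifyJWT also checks exp/nbf against the current time --
  // confirm the gracePeriod default before reusing this in a real verifier.
  var isValid = KJUR.jws.JWS.verifyJWT(sJWT, pub, {
    alg: [method],
    iss: [iss],
    sub: [sub]
  });
  jwtOut.textContent += "\n\nValid JWT: " + isValid;
}
</script>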
For ECDSA we generate EC keys. The curve must match the `alg`: ES256 is defined in RFC 7518 over P-256 (secp256r1), while secp256k1 — the curve used by Bitcoin and Ethereum — has its own identifier, ES256K (RFC 8812). A token whose header says ES256 but whose key lies on secp256k1 will be rejected by a conforming verifier, so pass the curve name and the method as a matching pair:
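<script type="text/javascript">
document.getElementById("m").value = "Hello";

/**
 * Demo: generate a fresh EC key pair on the named curve, sign a JWT with the
 * private key, then verify the token with the matching public key, rendering
 * each step into the "keys" and "JWT" elements of the page.
 *
 * @param {string} name   Curve name passed to KEYUTIL.generateKeypair("EC", name),
 *                        e.g. "secp256r1". It must agree with method: ES256 is
 *                        defined over P-256/secp256r1, and secp256k1 belongs to
 *                        ES256K (RFC 8812). Whether the loaded jsrsasign build
 *                        accepts ES256K is not visible here -- verify before relying on it.
 * @param {string} method JWS "alg" for an EC key, e.g. "ES256". Also used as the
 *                        verifier's whitelist.
 * @param {string} iss    Issuer claim (iss) written into the payload and checked on verify.
 * @param {string} sub    Subject claim (sub) written into the payload and checked on verify.
 * @param {string} id     JWT ID claim (jti) written into the payload.
 */
function gojwt2(name, method, iss, sub, id) {
  var keysOut = document.getElementById("keys");
  var jwtOut = document.getElementById("JWT");

  // A fresh key pair on every call; PEM/PKCS#8 is what the sign and verify calls consume.
  // Both keys are function-local so nothing leaks into the global scope.
  var kp = KEYUTIL.generateKeypair("EC", name);
  var priv = KEYUTIL.getPEM(kp.prvKeyObj, "PKCS8PRV");
  var pub = KEYUTIL.getPEM(kp.pubKeyObj, "PKCS8PUB");

  // Show both keys, labelled, as the RSA demo does. textContent rather than
  // innerHTML: iss/sub/id come from form fields and are written verbatim.
  keysOut.textContent = "Private key:\n" + priv + "Public key:\n" + pub;

  // Header: alg is the value the verifier whitelists below; typ is informational.
  var oHeader = { alg: method, typ: "JWT" };

  // Payload: registered claims with a one-day validity window starting now.
  var tNow = KJUR.jws.IntDate.get("now");
  var tEnd = KJUR.jws.IntDate.get("now + 1day");
  var oPayload = {
    iss: iss,
    sub: sub,
    nbf: tNow,
    iat: tNow,
    exp: tEnd,
    jti: id
  };

  var sHeader = JSON.stringify(oHeader);
  var sPayload = JSON.stringify(oPayload);
  jwtOut.textContent = "Header:\n" + sHeader + "\n\nPayload:\n" + sPayload;

  // Signing uses the private key only.
  var sJWT = KJUR.jws.JWS.sign(method, sHeader, sPayload, priv);
  jwtOut.textContent += "\n\nSignature:\n" + sJWT;

  // Verification uses the public key only. acceptField.alg is the whitelist:
  // a token whose header claims "none" or "HS256" fails regardless of what its
  // signature field holds, and iss/sub must match what we issued. Per the
  // jsrsasign docs verifyJWT also checks exp/nbf against the current time --
  // confirm the gracePeriod default before reusing this in a real verifier.
  var isValid = KJUR.jws.JWS.verifyJWT(sJWT, pub, {
    alg: [method],
    iss: [iss],
    sub: [sub]
  });
  jwtOut.textContent += "\n\nValid JWT: " + isValid;
}
</script>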