Created
July 17, 2019 17:23
-
-
Save avoidik/78f04fd5be5a05ed330efd798b4f85ab to your computer and use it in GitHub Desktop.
JWS in Vault
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # JOSE header and JWT payload | |
| HEADER='{"alg": "ES256","typ": "JWT"}' | |
| PAYLOAD='{"sub": "1234567890","name": "John Doe"}' | |
| # Create a key in Vault. | |
| vault write transit/keys/mykey exportable=true type=ecdsa-p256 | |
| # Prepare header and payload for signing | |
| HEADER_B64=$(echo $HEADER | openssl base64 -A) | |
| PAYLOAD_B64=$(echo $PAYLOAD | openssl base64 -A) | |
| MESSAGE=$(echo -n "$HEADER_B64.$PAYLOAD_B64" | openssl base64 -A) | |
| # Sign the message using JWS marshaling type, and remove the vault key | |
| prefix | |
| JWS=$(vault write -format=json transit/sign/mykey input=$MESSAGE | |
| marshaling_algorithm=jws | jq -r .data.signature | cut -d ":" -f3) | |
| # Combine to build the JWT | |
| JWT="$HEADER_B64.$PAYLOAD_B64.$JWS" | |
| printf "\nJWT:\n" | |
| echo $JWT | |
| # Export the the key and print out the public key portion | |
| vault read -format=json transit/export/signing-key/mykey/1 | jq -r | |
| '.data.keys."1"' > /tmp/privkey | |
| printf "\nPublic Key:\n" | |
| openssl ec -in /tmp/privkey -pubout 2>/dev/null | |
| # You should be able to successfully decode the JWT on https://jwt.io | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment