ewjoachim/http-payload.txt

## http-payload.txt
POST /your/token/endpoint HTTP/1.1
Host: yourhost.com
User-Agent: curl/7.54.0
Accept: */*
Content-Type: application/json
GITHUB-PUBLIC-KEY-IDENTIFIER: 90a421169f0a406205f1563a953312f0be898d3c7b6c06b681aa86a874555f4a
GITHUB-PUBLIC-KEY-SIGNATURE: MEQCIAfgjgz6Ou/3DXMYZBervz1TKCHFsvwMcbuJhNZse622AiAG86/cku2XdcmFWNHl2WSJi2fkE8t+auvB24eURaOd2A==

[{"type":"github_oauth_token","token":"cb4985f91f740272c0234202299f43808034d7f5","url":" https://github.com/github/faketestrepo/blob/b0dd59c0b500650cacd4551ca5989a6194001b10/production.env"}]

## implementation.rb
require 'openssl'
require 'net/http'
require 'uri'
require 'json'
require 'base64'

payload = <<-EOL
[{"type":"github_oauth_token","token":"cb4985f91f740272c0234202299f43808034d7f5","url":" https://github.com/github/faketestrepo/blob/b0dd59c0b500650cacd4551ca5989a6194001b10/production.env"}]
EOL

# Get rid of the trailing newline from the heredoc payload
payload.chomp!

signature = "MEQCIAfgjgz6Ou/3DXMYZBervz1TKCHFsvwMcbuJhNZse622AiAG86/cku2XdcmFWNHl2WSJi2fkE8t+auvB24eURaOd2A=="

key_id = "90a421169f0a406205f1563a953312f0be898d3c7b6c06b681aa86a874555f4a"

url = URI.parse('https://api.github.com/meta/public_keys/token_scanning')

request = Net::HTTP::Get.new(url.path)
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = (url.scheme == "https")

response = http.request(request)

parsed_response = JSON.parse(response.body)

current_key_object = parsed_response["public_keys"].find { |key| key["key_identifier"] == key_id }

current_key = current_key_object["key"]

openssl_key = OpenSSL::PKey::EC.new(current_key)

puts openssl_key.verify(OpenSSL::Digest::SHA256.new, Base64.decode64(signature), payload)

## meta-payload.json
{
  "public_keys": [
    {
      "key_identifier": "90a421169f0a406205f1563a953312f0be898d3c7b6c06b681aa86a874555f4a",
      "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9MJJHnMfn2+H4xL4YaPDA4RpJqUq\nkCmRCBnYERxZanmcpzQSXs1X/AljlKkbJ8qpVIW4clayyef9gWhFbNHWAA==\n-----END PUBLIC KEY-----\n",
      "is_current": true
    }
  ]
}
	POST /your/token/endpoint HTTP/1.1
	Host: yourhost.com
	User-Agent: curl/7.54.0
	Accept: /
	Content-Type: application/json
	GITHUB-PUBLIC-KEY-IDENTIFIER: 90a421169f0a406205f1563a953312f0be898d3c7b6c06b681aa86a874555f4a
	GITHUB-PUBLIC-KEY-SIGNATURE: MEQCIAfgjgz6Ou/3DXMYZBervz1TKCHFsvwMcbuJhNZse622AiAG86/cku2XdcmFWNHl2WSJi2fkE8t+auvB24eURaOd2A==

	[{"type":"github_oauth_token","token":"cb4985f91f740272c0234202299f43808034d7f5","url":" https://github.com/github/faketestrepo/blob/b0dd59c0b500650cacd4551ca5989a6194001b10/production.env"}]
	require 'openssl'
	require 'net/http'
	require 'uri'
	require 'json'
	require 'base64'

	payload = <<-EOL
	[{"type":"github_oauth_token","token":"cb4985f91f740272c0234202299f43808034d7f5","url":" https://github.com/github/faketestrepo/blob/b0dd59c0b500650cacd4551ca5989a6194001b10/production.env"}]
	EOL

	# Get rid of the trailing newline from the heredoc payload
	payload.chomp!

	signature = "MEQCIAfgjgz6Ou/3DXMYZBervz1TKCHFsvwMcbuJhNZse622AiAG86/cku2XdcmFWNHl2WSJi2fkE8t+auvB24eURaOd2A=="

	key_id = "90a421169f0a406205f1563a953312f0be898d3c7b6c06b681aa86a874555f4a"

	url = URI.parse('https://api.github.com/meta/public_keys/token_scanning')

	request = Net::HTTP::Get.new(url.path)
	http = Net::HTTP.new(url.host, url.port)
	http.use_ssl = (url.scheme == "https")

	response = http.request(request)

	parsed_response = JSON.parse(response.body)

	current_key_object = parsed_response["public_keys"].find { \|key\| key["key_identifier"] == key_id }

	current_key = current_key_object["key"]

	openssl_key = OpenSSL::PKey::EC.new(current_key)

	puts openssl_key.verify(OpenSSL::Digest::SHA256.new, Base64.decode64(signature), payload)
	{
	"public_keys": [
	{
	"key_identifier": "90a421169f0a406205f1563a953312f0be898d3c7b6c06b681aa86a874555f4a",
	"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9MJJHnMfn2+H4xL4YaPDA4RpJqUq\nkCmRCBnYERxZanmcpzQSXs1X/AljlKkbJ8qpVIW4clayyef9gWhFbNHWAA==\n-----END PUBLIC KEY-----\n",
	"is_current": true
	}
	]
	}