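#!/bin/bash
# Create and sign a JWT (JWS compact serialization) with ES256 given the
# path to a DER-encoded ECDSA P-256 private key and a JSON payload.
#
#   $0 path/to/keypair.der '{"JSON": "payload"}'
#
# Example keypair creation:
#   openssl ecparam -name prime256v1 -genkey -noout -outform DER > example-keypair.der
#
# A few tips for generating the payload:
# - Pipe raw strings through `jq --raw-input .` to encode them as
#   JSON strings. https://stedolan.github.io/jq/
# - GNU date is great for generating the iat, nbf, and exp time
#   fields: `date --date="15 minutes" +"%s"`
#
# Signature format: `openssl dgst -sign` with an EC key emits an ASN.1/DER
# ECDSA-Sig-Value (SEQUENCE { r INTEGER, s INTEGER }), but JWS ES256
# (RFC 7518, section 3.4) requires the raw concatenation R || S with each
# value left-padded to 32 bytes (64 bytes total). der_sig_to_raw below
# performs that conversion; feeding the DER blob straight into base64url
# yields a token that every compliant verifier rejects.
set -eu -o pipefail

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit 2.
#######################################
usage() {
  printf 'Usage: %s path/to/keypair.der JSON_PAYLOAD\n' "${0##*/}" >&2
  exit 2
}

#######################################
# URL-safe, unpadded Base64 (RFC 4648 section 5) of stdin, on stdout.
# Implemented on top of the standard encoder: delete padding, undo line
# wrapping, and swap out chars 62 and 63. Not all versions of `base64`
# have the `--wrap=0` that GNU coreutils has.
#######################################
base64_urlsafe() {
  base64 | tr -d '\r\n=' | tr '+/' '-_'
}

#######################################
# Convert a DER-encoded ECDSA signature on stdin into the raw R || S
# form required by JWS ES256 (exactly 64 bytes) on stdout.
# Arguments: none (reads stdin)
# Returns:   0 on success; dies if the structure is not two INTEGERs of
#            at most 32 bytes each (i.e. the key is not P-256)
#######################################
der_sig_to_raw() {
  local -a ints=()
  local r s hex esc i

  # asn1parse prints each INTEGER's magnitude as hex after the last ':'.
  # DER uses minimal encoding (no leading zero bytes, sign byte stripped
  # by the parser), so each value may be shorter than 64 hex chars and
  # must be left-padded with zeros before concatenation.
  mapfile -t ints < <(openssl asn1parse -inform DER | awk -F: '/INTEGER/ { print $NF }')
  (( ${#ints[@]} == 2 )) || die "unexpected ECDSA signature structure from openssl"
  (( ${#ints[0]} <= 64 && ${#ints[1]} <= 64 )) \
    || die "signature integers exceed 32 bytes; ES256 requires a P-256 key"

  # '%64s' pads with spaces portably ('%064s' is undefined for %s);
  # the hex digits never contain spaces, so the substitution is exact.
  printf -v r '%64s' "${ints[0]}"
  printf -v s '%64s' "${ints[1]}"
  hex="${r// /0}${s// /0}"
  [[ "$hex" =~ ^[0-9A-Fa-f]{128}$ ]] || die "malformed signature integers from openssl"

  # Emit the 64 bytes via \xHH escapes in the printf format. This is safe
  # only because $hex was just verified to consist of hex digits, so it
  # cannot carry '%' directives or other escapes.
  esc=""
  for (( i = 0; i < ${#hex}; i += 2 )); do
    esc+="\\x${hex:i:2}"
  done
  # shellcheck disable=SC2059 -- format built from validated hex digits only
  printf "$esc"
}

#######################################
# Build and print the signed token.
# Arguments: $1 - path to DER-encoded EC private key
#            $2 - JSON payload (used verbatim as the JWT claims)
# Outputs:   the compact JWS (header.payload.signature), no trailing newline
#######################################
main() {
  (( $# == 2 )) || usage
  local keypair_path="$1"
  local payload="$2"
  local header_enc payload_enc message sig

  [[ -r "$keypair_path" ]] || die "cannot read key file: $keypair_path"

  # printf rather than `echo -n`: a payload starting with '-' or holding
  # backslashes must reach the encoder byte-for-byte.
  header_enc="$(printf '%s' '{"typ":"JWT","alg":"ES256"}' | base64_urlsafe)"
  payload_enc="$(printf '%s' "$payload" | base64_urlsafe)"
  message="$header_enc.$payload_enc"

  # If you're on a Mac, you might have a really old version of openssl
  # that doesn't support ECDSA signing this way. Any failure in the
  # pipeline (including die inside der_sig_to_raw) aborts via pipefail.
  sig="$(printf '%s' "$message" \
    | openssl dgst -sha256 -sign "$keypair_path" -keyform DER \
    | der_sig_to_raw \
    | base64_urlsafe)"

  printf '%s' "$message.$sig"
}

main "$@"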
I posted my take on the procedure here.
I think you can fix this by making the following switch:
I've just added a couple extra processing steps: