Question

165

How to sign a JWT with a private key (pem) in CryptoJS?

rated 0 times [ 171] [ 6] / answers: 1 / hits: 17201 / 6 Years ago, fri, december 28, 2018, 12:00:00

I am trying to create a signed JWT in postman with the following code

function base64url(source) {

    // Encode in classical base64

    encodedSource = CryptoJS.enc.Base64.stringify(source);



    // Remove padding equal characters

    encodedSource = encodedSource.replace(/=+$/, '');



    // Replace characters according to base64url specifications

    encodedSource = encodedSource.replace(/+/g, '-');

    encodedSource = encodedSource.replace(///g, '_');



    return encodedSource;

}



function addIAT(request) {

    var iat = Math.floor(Date.now() / 1000) + 257;

    data.iat = iat;

    return data;

}





var header = {

    typ: JWT,

    alg: HS256

};



var data = {

    fname: name,

    lname: name,

    email: [email protected],

    password: abc123$

};



data = addIAT(data);



var secret = 'myjwtsecret';



// encode header

var stringifiedHeader = CryptoJS.enc.Utf8.parse(JSON.stringify(header));

var encodedHeader = base64url(stringifiedHeader);



// encode data

var stringifiedData = CryptoJS.enc.Utf8.parse(JSON.stringify(data));

var encodedData = base64url(stringifiedData);



// build token

var token = encodedHeader + . + encodedData;



// sign token

var signature = CryptoJS.HmacSHA256(token, secret);

signature = base64url(signature);

var signedToken = token + . + signature;



postman.setEnvironmentVariable(payload, signedToken);

Code taken from https://gist.github.com/corbanb/db03150abbe899285d6a86cc480f674d .

I've been trying to input the PEM as the secret but does not work. Also can't find any HmacSHA256 overload that takes a PEM.

How can that be done?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

pranavrorys

Add To Favorites

Follow

Total Points: 466

Total Questions: 87

Total Answers: 115

Location: Barbados

Member since Sun, Nov 27, 2022

2 Years ago

pranavrorys questions

1 'unsafe-eval' is not an allowed source of script

Fri, May 27, 22, 00:00, 2 Years ago

1 How do I run Hardhat with the --constructor-args parameter?

Thu, Oct 28, 21, 00:00, 3 Years ago

1 Task :react-native-webview:compileDebugJavaWithJavac FAILED

Sat, May 30, 20, 00:00, 4 Years ago

1 In React-Table, how to check/uncheck all checkboxes in a row or column

Tue, Mar 3, 20, 00:00, 4 Years ago

1 How to get value of jquery nice select

Fri, Dec 20, 19, 00:00, 5 Years ago

View All

answered 6 Years ago davism · Accepted Answer

The mention of postman changed this. I have a solution for you, but it's not exactly a clean way by any mean.

You'll need to create a request that you will need to execute whenever you open postman. Go as follows:

The purpose of this request is to side-load jsrsasign-js and storing it in a global Postman variable.

Once this is done, you can then use this content elsewhere. For every request you need a RSA256 JWT signature, the following pre-request script will update a variable (here, token) with the token:

var navigator = {};

var window = {};

eval(pm.globals.get("jsrsasign-js"));



function addIAT(request) {

    var iat = Math.floor(Date.now() / 1000) + 257;

    data.iat = iat;

    return data;

}



var header = {"alg" : "RS256","typ" : "JWT"};

var data = {

    "fname": "name",

    "lname": "name",

    "email": "[email protected]",

    "password": "abc123$"

};



data = addIAT(data);



var privateKey = "-----BEGIN RSA PRIVATE KEY----- 

MIIBOQIBAAJAcrqH0L91/j8sglOeroGyuKr1ABvTkZj0ATLBcvsA91/C7fipAsOn

RqRPZr4Ja+MCx0Qvdc6JKXa5tSb51bNwxwIDAQABAkBPzI5LE+DuRuKeg6sLlgrJ

h5+Bw9kUnF6btsH3R78UUANOk0gGlu9yUkYKUkT0SC9c6HDEKpSqILAUsXdx6SOB

AiEA1FbR++FJ56CEw1BiP7l1drM9Mr1UVvUp8W71IsoZb1MCIQCKUafDLg+vPj1s

HiEdrPZ3pvzvteXLSuniH15AKHEuPQIhAIsgB519UysMpXBDbtxJ64jGj8Z6/pOr

NrwV80/EEz45AiBlgTLZ2w2LjuNIWnv26R0eBZ+M0jHGlD06wcZK0uLsCQIgT1kC

uNcDTERjwEbFKJpXC8zTLSPcaEOlbiriIKMnpNw=

-----END RSA PRIVATE KEY-----";



var sHeader = JSON.stringify(header);

var sPayload = JSON.stringify(data);



var sJWT = KJUR.jws.JWS.sign(header.alg, sHeader, sPayload, privateKey);



pm.variables.set('token', sJWT);

In order:

I define mock window and navigator objects as jsrsasign-js needs them.

I then eval() the content of what we fetched earlier in order to rehydrate everything

The rest of your code is simple usage of jsrsasign-js. Your token info is there, and I've defined a private key there. You can change this or use an environment variable; it's just there for demo purposes. I then simply use the rehydrated library to sign it, and set the variable to the value of the signed JWT.

A PEM, as you refer to it, is a container format specifying a combination of public and/or private key. You're using it to sign using HMAC-SHA256, which operates on a shared secret. This obviously isn't going to work (unless you take the poor man's approach and use your public key as the shared secret).

Fortunately enough, there are other signature methods defined in the RFCs. For instance, there is a way to sign using RSA, and a very convenient way of defining a public key as a JSON web key (JWK). We're going to be leveraging both.

I've generated a key pair for testing, they're named out and out.pub. Generation tool is genrsa (and as such, they're an RSA keypair).

In order to sign, we're going to have to change a few things:

We're changing algorithms from HS256 to RS256, as explained above

We're going to need a new library to do the signing itself, as crypto-js does not support asymmetric key crypto. We'll fall back to the native crypto module, though there are pure-JS alternatives

The code:

var CryptoJS = require("crypto-js");

var keyFileContent = require("fs").readFileSync("./out");

var pubkey = require("fs").readFileSync("./out.pub");

var base64url = require("base64url");

var nJwt = require("njwt");

function addIAT(request) {

    var iat = Math.floor(Date.now() / 1000) + 257;

    data.iat = iat;

    return data;

}





var header = {

    "typ": "JWT",

    "alg": "RS256"

};



var data = {

    "fname": "name",

    "lname": "name",

    "email": "[email protected]",

    "password": "abc123$"

};



data = addIAT(data);



// encode header

var stringifiedHeader = JSON.stringify(header);

var encodedHeader = base64url(stringifiedHeader);



// encode data

var stringifiedData = JSON.stringify(data);

var encodedData = base64url(stringifiedData);



// build token

var token = encodedHeader + "." + encodedData;



// sign token

var signatureAlg = require("crypto").createSign("sha256");

signatureAlg.update(token);

var signature = signatureAlg.sign(keyFileContent);

signature = base64url(signature);

var signedToken = token + "." + signature;



console.log(signedToken);



// Verify

var verifier = new nJwt.Verifier();

verifier.setSigningAlgorithm('RS256');

verifier.setSigningKey(pubkey);

verifier.verify(signedToken, function() {

  console.log(arguments);

});

And that's it! It's quite literally that simple, although I would not recommend rewriting the sign() function from crypto from scratch. Leave it to a library that has had thorough inspection by the community, and crypto is pretty serious business.