Score:2

How to hash a JWT signature using public & private keys (have both keys in JSON format & X.509 PEM format), using the ES256 algo for JWT


I want to hash my signature of JWT using public & private key, since we are using the ES-256 algorithm in JWT. But the problem is that I have both the keys in JSON & .PEM format, so how can I do it in one openssl command? Below is the shell script code which I am using to hash the signature:

```bash
SIGNATURE=$(echo -n "$DATA" | openssl dgst -binary -sha256 -hmac "$SECRET"| openssl base64 -e -A | sed 's/=//g' | sed 's/\+/-/g' | sed 's/\//_/g')
```

The problem over here is that the variable "$SECRET" needs to have both the private & public key. So could anyone help me with this? Thanks in advance!

NOTE: The variable $DATA is the concatenation of header & payload encrypted in base64, required for JWT authentication.

DannyNiu
Using an asymmetric-key cryptography "key-pair" with a symmetric-key HMAC is definitely a sign that you got something wrong.
Amit Mishra
@DannyNiu : Thanks for your comment! Could you please provide any asymmetric way of signing the JWT token instead of using HMAC?
DannyNiu
The signing operation involves the signing private key. In JOSE, the [key usage](https://www.iana.org/assignments/jose/jose.xhtml#web-key-use) should be `sig`, and [key type](https://www.iana.org/assignments/jose/jose.xhtml#web-key-types) should be EC, RSA, or OKP depending on your algorithm.
Amit Mishra
@DannyNiu : Thanks for your comment! We already have a private key with key usage "sig" and key type "EC", generated from the portal "https://mkjwk.org/". But the problem which we are having is signing the hashed message with this key. We are using the below code: `openssl dgst -sha256 -sign private_key.pem -out signature.sig data_tst.txt` The file data_tst.txt contains the concatenated header(base64URL)+"."+payload(base64URL). But this signature is not getting verified in the "https://jwt.io/" portal. I am not sure if there is any other method in openssl to sign using an ECDSA key on the P-256 curve.
DannyNiu
Format also matters. OpenSSL probably outputs a DER-encoded ASN.1 SEQUENCE structure, whereas JOSE uses simple concatenation.
Amit Mishra
@DannyNiu : Thanks for your comment! Do you happen to know how to change the format of the signature file generated by openssl into the JOSE format?
DannyNiu
I've never used JOSE in practice so I'm not sure. The general idea is that you parse the OpenSSL output using some ASN.1 parser, then truncate the 2 INTEGER elements to 32 bytes (for P-256, or 48 bytes for P-384), then concatenate them. I've heard of asn1c, and [this command-line tool](https://github.com/phish108/node-jose-tools), but never used them. You'll have to work on this part yourself, or consult StackOverflow.
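
The conversion discussed in the comments above, as an added Python example (not code from the thread or from any project it mentions): it parses OpenSSL's DER `SEQUENCE { INTEGER r, INTEGER s }` and emits the fixed-width `r || s` that JOSE uses, base64url-encoded without padding. The function names and the stdin pipeline are assumptions; `size=32` is for P-256 (use 48 for P-384).

```python
import base64
import sys


def _read_len(der, i):
    """Return (length, next index) for the DER length field at der[i]."""
    if i >= len(der):
        raise ValueError("truncated DER")
    first = der[i]
    if first < 0x80:                       # short form
        return first, i + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or i + 1 + n > len(der):
        raise ValueError("bad DER length")
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n


def _read_int(der, i):
    """Parse one DER INTEGER at der[i]; return (value, next index)."""
    if i >= len(der) or der[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, i = _read_len(der, i + 1)
    if length == 0 or i + length > len(der) or der[i] & 0x80:
        raise ValueError("truncated or negative INTEGER")
    return int.from_bytes(der[i:i + length], "big"), i + length


def der_to_jose(der, size=32):
    """Convert a DER ECDSA signature to fixed-width r||s (JOSE form)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, i = _read_len(der, 1)
    if i + length != len(der):
        raise ValueError("trailing or missing bytes")
    r, i = _read_int(der, i)
    s, i = _read_int(der, i)
    if i != len(der):
        raise ValueError("extra data in SEQUENCE")
    # to_bytes drops DER's 0x00 sign byte and left-pads short values;
    # it raises OverflowError if a value does not fit the curve size.
    return r.to_bytes(size, "big") + s.to_bytes(size, "big")


def b64url(raw):
    """Base64url without '=' padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    # openssl dgst -sha256 -sign private_key.pem data_tst.txt | python3 this_file.py
    print(b64url(der_to_jose(sys.stdin.buffer.read())))
```

The printed value is the third JWT segment; the signed file must hold exactly `header.payload` with no trailing newline.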