#1 Re: mORMot 2 » JWT ES256 Code Example » 2024-05-22 01:48:58

I just tested with my provided key and the one I created. They both validated correctly on JWT.io.

Thank you so much! You are a life saver. And I do love mORMot. I will use other APIs as well.

#2 Re: mORMot 2 » JWT ES256 Code Example » 2024-05-20 07:46:53

I have tested and although everything appears to work internally, the JWT.IO website sees the signature as invalid.

The signature created by a common JS library and validated by both the JWT API and JWT.IO is 9 characters shorter than the one generated by mORMot:
5mzvfO7OHFFWhhv2fzlqqARznylbhBaGrXC54T0z_GjJCBMo_6-TBkWL6dXndYZm6-ek6e-BNJVksB8LqTRgoA (86 characters)
MEUCIQDpe-pimZzIgZKT9QYYO5hbKUyv5w6DalS3p4dh5dP6sAIgb88dDuuIH6mVRkW3Q3RAP_QbmWNlLpVAfA_vHzJyrUs (95 characters)

I am now going to attempt using OpenSSL again. And also create a new key myself to test with Postman vs the JWT.IO website.

I am told the private key should be generated as follows:
openssl ecparam -name prime256v1 -genkey -noout -out <filename>.pem
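The two signature strings quoted above differ by encoding, which is worth checking before suspecting the key: base64url "MEUC..." decodes to a 71-byte DER SEQUENCE of two INTEGERs (95 characters), whereas JWS ES256 (RFC 7518 section 3.4) carries the fixed-size 32-byte r and s concatenated (64 bytes, 86 characters). The converter below is an added example, not code from the poster or from mORMot; it uses only the 95-character signature from the post as its input.

```python
import base64

# The longer (95-char, DER-encoded) signature copied from the post above.
DER_SIG_B64URL = ("MEUCIQDpe-pimZzIgZKT9QYYO5hbKUyv5w6DalS3p4dh5dP6sAIg"
                  "b88dDuuIH6mVRkW3Q3RAP_QbmWNlLpVAfA_vHzJyrUs")


def b64url_decode(s: str) -> bytes:
    # JWS base64url carries no '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def der_to_raw(der: bytes, n_bytes: int = 32) -> bytes:
    """Convert DER SEQUENCE { INTEGER r, INTEGER s } into the fixed-size
    r || s form that RFC 7518 requires for ES256 (32 + 32 bytes)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a single-byte-length DER SEQUENCE")
    pos = 2
    parts = []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected a DER INTEGER for r/s")
        length = der[pos + 1]
        value = int.from_bytes(der[pos + 2:pos + 2 + length], "big")
        # to_bytes() drops DER's sign-padding 0x00 byte (present here,
        # because r's top bit is set) and left-pads short values.
        parts.append(value.to_bytes(n_bytes, "big"))
        pos += 2 + length
    if pos != len(der):
        raise ValueError("trailing bytes after r and s")
    return b"".join(parts)


def jws_signature_from_der(sig_b64url: str) -> str:
    """DER signature (base64url) -> JWS-style raw r||s signature (base64url)."""
    return b64url_encode(der_to_raw(b64url_decode(sig_b64url)))
```

The output of `jws_signature_from_der(DER_SIG_B64URL)` is 86 characters long, the same length as the JS library's signature; only a signature in this raw form verifies at JWT.io.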

#3 Re: mORMot 2 » JWT ES256 Code Example » 2024-05-16 22:56:47

Emailed you.

And they were provided to me by the internal group responsible for the JWT API used to authenticate with all APIs at the large organization. I have asked them how it was generated.

#4 Re: mORMot 2 » JWT ES256 Code Example » 2024-05-16 07:25:37

Thank you sooo much for committing a fix! I will need to buy you a coffee.

I did not get a notification that you edited your post. I tested with trunk just now and it can read my public key now. It is however failing when loading the private key with jwtCrytp.LoadPrivateKey(privateKey). The private key I'm using is only for a test environment. I can email it to you if you can also quickly check/fix why it is not loading. The headers contain EC, i.e. '-----BEGIN EC PRIVATE KEY-----'.

While waiting for your response, I got OpenSSL v3 working and tried using TJwtEs256Osl. I was able to create the JWT and even internally verify() it. But despite converting to string using Utf8ToString(), when copy/pasting the string to the JWT.io website with the public key, the signature failed validation there. Whereas the token created using a js library in Postman did pass this external test. I would vastly prefer using the native encryption of mormot (even if slower) if we can get it working instead.

#5 Re: mORMot 2 » JWT ES256 Code Example » 2024-05-14 04:50:12

Thanks for your help. I now need to figure out why my public key is not valid for the Create(). It works fine when creating a new key (key:=''):

        publicKey := StringFromFile('public.key');   // -----BEGIN PUBLIC KEY-----
        privateKey := StringFromFile('private.key'); // -----BEGIN EC PRIVATE KEY-----

        // verifier checks only the 'aud' claim; tokens expire after 60 minutes
        jwtCrytp := TJwtCrypt.Create(caaES256, publicKey, [jrcAudience],
          [OAuthConfiguration.ClientAssertionPayloadAudience], 60);
        try
          jwtCrytp.LoadPrivateKey(privateKey); // needed to sign, not to verify
          fSignedTokenAsString := jwtCrytp.Compute([],
            OAuthConfiguration.ClientAssertionPayloadIssuer,
            OAuthConfiguration.ClientAssertionPayloadSubject,
            OAuthConfiguration.ClientAssertionPayloadAudience);
          result := fSignedTokenAsString;
        finally
          jwtCrytp.Free;
        end;

I have stepped through the code but it has not helped to give a hint.
My public.key file looks like this and I expect is correct as my private key works in Postman and is a P-256 ES256 key. I assume P-256 means the same as secp256r1 or prime256v1:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoIQ8m1iBHYoxrdLT1A6MH9naG+hk
/ccw/Ij0p9Mk7JmNdzCUeEjzlU5/E683I9PZaz2/5RFj1HfKPTgDkxQFkA==
-----END PUBLIC KEY-----

Is it because I have the wrong format? Or need to include my private key in the file?
The full public key info is:

Public key in PEM format is:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoIQ8m1iBHYoxrdLT1A6MH9naG+hk
/ccw/Ij0p9Mk7JmNdzCUeEjzlU5/E683I9PZaz2/5RFj1HfKPTgDkxQFkA==
-----END PUBLIC KEY-----

Public key in JWK format is:
{"crv":"P-256","x":"oIQ8m1iBHYoxrdLT1A6MH9naG-hk_ccw_Ij0p9Mk7Jk","y":"jXcwlHhI85VOfxOvNyPT2Ws9v-URY9R3yj04A5MUBZA","kty":"EC","kid":"jIaUOEPIVw3jh6TWN0MxccCnN2IcbFib1d2F3qbjZHo"}

Public key in GitHub format is:
{\"keys\": [{\"crv\": \"P-256\", \"x\": \"oIQ8m1iBHYoxrdLT1A6MH9naG-hk_ccw_Ij0p9Mk7Jk\", \"y\": \"jXcwlHhI85VOfxOvNyPT2Ws9v-URY9R3yj04A5MUBZA\", \"kty\": \"EC\", \"kid\": \"jIaUOEPIVw3jh6TWN0MxccCnN2IcbFib1d2F3qbjZHo\"}]}
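One way to check the format question above is to parse the pasted PEM and see whether it yields the JWK values the post also shows. The parser below is an added example, not code from the poster or from mORMot: it reads the P-256 SubjectPublicKeyInfo DER inside the PEM (whose curve OID 1.2.840.10045.3.1.7 is prime256v1, the same curve as secp256r1 and JOSE's P-256) and emits the JWK x and y coordinates.

```python
import base64

# Public key PEM pasted in the post above (P-256 SubjectPublicKeyInfo).
PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoIQ8m1iBHYoxrdLT1A6MH9naG+hk
/ccw/Ij0p9Mk7JmNdzCUeEjzlU5/E683I9PZaz2/5RFj1HfKPTgDkxQFkA==
-----END PUBLIC KEY-----"""

# DER prefix shared by every P-256 SubjectPublicKeyInfo:
#   SEQUENCE { SEQUENCE { OID ecPublicKey, OID prime256v1 }, BIT STRING ... }
# prime256v1 (OID 1.2.840.10045.3.1.7), secp256r1 and P-256 name one curve.
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200")


def b64url_encode(b: bytes) -> str:
    # JWK coordinates are base64url without '=' padding.
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def pem_to_der(pem: str) -> bytes:
    body = "".join(line.strip() for line in pem.splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def spki_to_jwk(pem: str) -> dict:
    """Turn a P-256 public key PEM into its JWK (kty, crv, x, y)."""
    der = pem_to_der(pem)
    if not der.startswith(P256_SPKI_PREFIX):
        raise ValueError("not a P-256 (prime256v1) SubjectPublicKeyInfo")
    point = der[len(P256_SPKI_PREFIX):]
    # Uncompressed EC point: 0x04 || X (32 bytes) || Y (32 bytes)
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected an uncompressed 65-byte EC point")
    return {"kty": "EC", "crv": "P-256",
            "x": b64url_encode(point[1:33]),
            "y": b64url_encode(point[33:65])}
```

A PEM that fails the prefix check is either not P-256 or not a public key (an EC PRIVATE KEY block has a different structure), which is the first thing to rule out when a loader rejects a key file.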

#6 mORMot 2 » JWT ES256 Code Example » 2024-05-13 06:35:11

Dweomer
Replies: 12

I am new to mORMot and JWT. I am currently only importing the mORMot library as I need to sign a JWT as ES256 in Delphi. I have been provided a simple private key (e.g. a text file starting with '-----BEGIN EC PRIVATE KEY-----') and am able to use it from Postman using a js library sign() command.

I have not yet found a simple example using ES256, especially around loading a certificate object for use by the TJwtEs256.Create() function. Every example is using HS256. Any help is greatly appreciated. I would hope this is quite simple. My current code is below.

        fCertificate := TEccCertificate.Create;

        // load the certificate holding the signing key from the configured file
        if fCertificate.FromFile(OAuthConfiguration.ClientAssertionSignatureKeyFile) then
        begin
          fSignedToken := TJwtEs256.Create(fCertificate,
            [jrcIssuer, jrcSubject, jrcAudience, jrcExpirationTime],
            [OAuthConfiguration.ClientAssertionPayloadIssuer,
             OAuthConfiguration.ClientAssertionPayloadSubject,
             OAuthConfiguration.ClientAssertionPayloadAudience, expiryTimeStr]);
          // compute the signed token with no extra payload fields
          fSignedTokenAsString := fSignedToken.Compute([],
            OAuthConfiguration.ClientAssertionPayloadIssuer);

          result := fSignedTokenAsString;
        end;
