
Jwt RS256

Open pabloto opened this issue 2 years ago • 4 comments

After a week of struggling with the API of the cryptography services, I successfully obtained an RSA certificate with Qc3GenPKAKeyPair, and I can sign it with Qc3CalculateSignature.

Are you interested? Then I will share it.

pabloto avatar May 19 '23 18:05 pabloto

Yes sharing is good !

richardschoen avatar May 19 '23 18:05 richardschoen

Hi. In my JWT implementation I save the key for a specific client into a table, so when I receive the client request I get the specific key; if I haven't created the specific key for this client yet, I create it and store it in my table. This is needed because when I have to recreate or validate this specific JWT, I chain the key and re-sign or validate it.

For the moment I have forked the repository and created a folder under jwt named jwt_rsa; feel free to take everything you want. I hope you can understand my code; start from the program testjwt.

If no one can understand my code, I can try to integrate it into your service program when I have time.

My fork is here: https://github.com/pabloto/ILEastic

Bye

pabloto avatar May 29 '23 09:05 pabloto

@pabloto -- Have some questions regarding your code.

I am pretty new to the IBM i crypto world / APIs, so it is a bit difficult to follow these APIs. I have referred to most of your code and built my own JWT token validation program to validate the JWT token received from our client. They use Identity Server to generate the token.

Question: We have got the public key from the client, which is in UTF-8 format, and for testing purposes I have hard-coded this public key in the program with -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----. I think I am doing something wrong here, because the key expected for the field KeyD0200.KeyString is in a different format.

When I look at your code, you are generating the public key using the IBM i API and then putting it in a DB file. In what format are you storing the public key in your file? If the RSA public key is provided by an external client, how should it be stored?

Sorry for contacting you here in the comments section, as I did not find a better way.

Your help would be highly appreciated.

mahesh-angadi avatar Jan 04 '24 16:01 mahesh-angadi

Hi @mahesh-angadi,

I create my own JWT, which I use in a web application: a user connects to our IBM i Apache server with his credentials, which calls a CGI; then, if he successfully connects to our app, before returning OK to the client I generate the JWT on our IBM i, so the JWT is created on the server side.

On every login I call the procedure UJwtPkaKey, which uses the IBM i API:

```rpgle
Qc3GenPKAKeyPair(KEYTYPERSA :KEYSIZE2048 :PUBLICKEYEXP65537 :BERSTRING :KEYFORMCLEAR :'' :'' :SOFTWARECSP :' ' :DsKey.Private :%len(DsKey.Private) :DsKey.PrivateKeyLength :DsKey.Public :%len(DsKey.Public) :DsKey.PublicKeyLength :ApiError);
```

In the data structure DsKey.Private you will find the private and public certificate in binary format (you can simply save it into a .der stream file and you have the binary key). If you look at the procedure UJwtWriteCertStmf, I also translate it to PEM format in the stream file, which starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----.

I don't understand why you are using a certificate created on the client side...

But if you have the public certificate in PEM, you have to check it with the API:

Qc3VerifySignature https://www.ibm.com/docs/en/i/7.5?topic=ssw_ibm_i_75/apis/qc3vfysg.html

It also supports the PEM certificate; I didn't try it (those APIs are very complicated and you will not find a lot of examples).

If you want to share part of your code, I could try to help you.

Bye

pabloto avatar Jan 04 '24 17:01 pabloto
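As an added worked example (mine, not code from ILEastic or from pabloto's fork), here is the format conversion mahesh-angadi asks about and the RS256 flow pabloto describes, in standard-library Python. A `-----BEGIN PUBLIC KEY-----` PEM block is base64 text whose decoded body is the DER (BER) SubjectPublicKeyInfo, the same binary form pabloto describes writing to a .der stream file; `pem_to_der` and `spki_to_rsa` recover the modulus and exponent from it, and `spki_der`/`pem_encode` go the other way. A toy 1024-bit key generator stands in for Qc3GenPKAKeyPair, and PKCS#1 v1.5 is hand-rolled so the signature bytes can be inspected; on IBM i, signing and verification would go through Qc3CalculateSignature and Qc3VerifySignature instead, and whether those accept PEM directly is not something this thread confirms. All key material and the tampered token are generated inline, so nothing here is real client data.

```python
# Added example, not ILEastic or pabloto code: RSA public key PEM <-> DER, RS256 JWT sign/verify.
import base64, hashlib, json, secrets
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo prefix

# -- minimal DER (definite lengths only, enough for SubjectPublicKeyInfo) --
def der(tag, body):
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag, 0x80 | len(lb) if lb else n]) + lb + body
def der_int(v):  # INTEGER; the extra byte adds a leading 0x00 when the high bit is set
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length
def spki_der(n, e):
    """SubjectPublicKeyInfo DER: the bytes inside '-----BEGIN PUBLIC KEY-----'."""
    alg = der(0x30, RSA_OID + b"\x05\x00")
    return der(0x30, alg + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e))))
def spki_to_rsa(der_bytes):
    """Inverse of spki_der: (n, e) from SubjectPublicKeyInfo DER."""
    tag, spki, _ = der_read(der_bytes)
    tag2, alg, pos = der_read(spki)
    if (tag, tag2) != (0x30, 0x30) or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bitstr, _ = der_read(spki, pos)
    _, rsa_pub, _ = der_read(bitstr, 1)  # offset 1 skips the BIT STRING unused-bits byte
    _, n_b, pos = der_read(rsa_pub)
    _, e_b, _ = der_read(rsa_pub, pos)
    return int.from_bytes(n_b, "big"), int.from_bytes(e_b, "big")
def pem_encode(der_bytes, label):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
def pem_to_der(pem):  # PEM is base64 DER between header/footer lines: the .der file content
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

# -- toy RSA keygen, illustration only (stands in for Qc3GenPKAKeyPair) --
def is_probable_prime(n, rounds=32):  # Miller-Rabin for odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True
def toy_rsa_keypair(bits=1024, e=65537):
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1  # force bit length and oddness
            if is_probable_prime(c): return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

# -- RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over "header.payload" --
def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def pkcs1_v15_encode(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def jwt_sign_rs256(claims, priv):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    signing_input = b64url(b'{"alg":"RS256","typ":"JWT"}') + "." + b64url(json.dumps(claims).encode())
    em = int.from_bytes(pkcs1_v15_encode(signing_input.encode(), k), "big")
    return signing_input + "." + b64url(pow(em, d, n).to_bytes(k, "big"))
def jwt_verify_rs256(token, pub_pem):
    """Return the claims if token verifies under the PEM public key, else None."""
    n, e = spki_to_rsa(pem_to_der(pub_pem))
    k = (n.bit_length() + 7) // 8
    try:
        h, p, s = token.split(".")
        header, sig = json.loads(b64url_dec(h)), b64url_dec(s)
    except ValueError: return None
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        return None  # pin the algorithm: a header claiming 'none' or HS256 is rejected outright
    s_int = int.from_bytes(sig, "big")
    if len(sig) != k or s_int >= n: return None  # RFC 8017: signature representative out of range
    em = pow(s_int, e, n).to_bytes(k, "big")
    ok = secrets.compare_digest(em, pkcs1_v15_encode((h + "." + p).encode(), k))
    return json.loads(b64url_dec(p)) if ok else None
def demo():
    pub, priv = toy_rsa_keypair()
    pem = pem_encode(spki_der(*pub), "PUBLIC KEY")  # the same wrapper a client would hand over
    token = jwt_sign_rs256({"sub": "user1", "iss": "ibmi"}, priv)
    h, _, s = token.split(".")
    forged = h + "." + b64url(b'{"sub":"admin","iss":"ibmi"}') + "." + s  # constructed tamper case
    return pem, token, jwt_verify_rs256(token, pem), jwt_verify_rs256(forged, pem)
```

`demo()` returns the PEM, a valid token, the claims recovered from it, and `None` for the tampered copy. The verifier pins `alg` to RS256 before it looks at the signature, checks the signature length and range, and compares the full PKCS#1 v1.5 encoding with a constant-time compare instead of parsing the padding leniently; a payload swapped for `{"sub":"admin"}` under the original signature fails, and so does a header rewritten to `alg: none`. Storing the client's key as the raw DER from `pem_to_der` and re-wrapping it with `pem_encode` when a PEM is wanted keeps one canonical form in the table.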

Verifying and creating RS256, RS384 and RS512 signatures has been implemented in the refactored version of the JWT plugin. If there are any issues, please reopen this issue.

m1h43l avatar Jun 20 '24 14:06 m1h43l