AIOSEC-3 Fix "60 second" JWT never expiring

Move the claims (iss, sub, iat, exp) from the JWT header section to the payload section, where verifiers read them
rocketeerbkw authored and Schnitzel committed Feb 7, 2020
1 parent cbe2073 commit 20a821bbaafa7d704f22cab37bbb277e5ae9264c
Showing with 17 additions and 22 deletions.
  1. +17 −22 services/ssh/create_60_sec_jwt.sh
@@ -1,25 +1,6 @@
#!/usr/bin/env bash
set -o pipefail

header_template='{
"typ": "JWT",
"alg": "HS256",
"iss": "ssh Bash JWT Generator",
"sub": "ssh"
}'

build_header() {
jq -c \
--arg iat_str "$(date +%s)" \
--arg alg "${1:-HS256}" \
"
(\$iat_str | tonumber) as \$iat
| .alg = \$alg
| .iat = \$iat
| .exp = (\$iat + ${4:-60})
" <<<"$header_template" | tr -d '\n'
}

b64enc() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; }
json() { jq -c . | LC_CTYPE=C tr -d '\n'; }
hs_sign() { openssl dgst -binary -sha"${1}" -hmac "$2"; }
@@ -28,8 +9,20 @@ rs_sign() { openssl dgst -binary -sha"${1}" -sign <(printf '%s\n' "$2"); }
sign() {
local algo payload header sig secret=$3
algo=${1:-RS256}; algo=${algo^^}
header=$(build_header "$algo") || return
payload=${2:-$test_payload}

header='{
"typ": "JWT",
"alg": "'$algo'"
}'

payload=$(jq -c \
--arg iat_str "$(date +%s)" \
"
(\$iat_str | tonumber) as \$iat
| .iat = \$iat
| .exp = (\$iat + ${4:-60})
" <<< ${2} | tr -d '\n')

signed_content="$(json <<<"$header" | b64enc).$(json <<<"$payload" | b64enc)"
case $algo in
HS*) sig=$(printf %s "$signed_content" | hs_sign "${algo#HS}" "$secret" | b64enc) ;;
@@ -42,8 +35,10 @@ sign() {
set -euo pipefail

PAYLOAD='{
"iss": "ssh Bash JWT Generator",
"sub": "ssh",
"role": "admin",
"aud": "'$JWTAUDIENCE'"
}'

sign hs256 "${PAYLOAD}" "${JWTSECRET}" 60
sign hs256 "${PAYLOAD}" "${JWTSECRET}" 60
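Review bot: In the new `payload=$(jq …)` command inside `sign()`, the TTL `${4:-60}` is spliced into the jq filter text rather than passed as data, so a non-numeric fourth argument is parsed as jq program code at runtime instead of being rejected, and the `--arg iat_str` plus `tonumber` round-trip can be dropped the same way. I would pass both as typed arguments, `--argjson iat "$(date +%s)" --argjson ttl "${4:-60}"` with the filter `'.iat = $iat | .exp = ($iat + $ttl)'`, which also makes jq fail with a clear error on a bad TTL. The here-string `<<< ${2}` should be quoted as `<<<"$2"` to match the `<<<"$header"` form two lines below (here-strings do not word-split, so this is consistency rather than a bug). The same splice-into-JSON shape appears in the caller's `PAYLOAD` with `'$JWTAUDIENCE'` (unchanged context in the last hunk): a value containing a double quote yields invalid JSON that jq will reject, so `--arg aud "$JWTAUDIENCE"` would be safer, though that variable is presumably operator-controlled. `sign()`'s body continues past the end of this hunk (the `case` on the signing algorithm).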
