HS256 JWT creation and validation in BASH with openssl
read more about JWT and use the free online tool at https://jwt.io
Note for those of you who are new to this stuff: jwt HS256 is not encryption, it is identity/message validation with symmetric HMAC signing, the data in a jwt is easily decoded if an adversary gets the jwt, it is just base64 encoded, just base64 decode the first two sections to read the header and payload. The HMAC secret is a shared secret between the server and client or the two parties. You might derive that secret from ECC or otherwise share it with public key encryption method. And then the jwt itself should be sent in an encrypted way like with TLS or SSH etc, and might be further wrapped in another layer of encryption if it is written to disk if you need to be careful about storage of plaintext jwt payloads.
This is another code snippet for manual stuff, demo, proto, shell, generating and validating JSON web tokens
You might take this as a starting place or validation control as you build out JWT in your backend prototype
$> cat payload.json
{
"key": "value"
}
$> ./generate things
setting load to {
"key": "value"
}
for jwt.io (base64) validation:
dGhpbmdz
generated jwt:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAia2V5IjogInZhbHVlIiB9.Xty9gu_6vpzYOFaTdmigFgOtDGDQL9izBqx4npgYr_s
$> ./validate eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyAia2V5IjogInZhbHVlIiB9.Xty9gu_6vpzYOFaTdmigFgOtDGDQL9izBqx4npgYr_s things
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 as header
eyAia2V5IjogInZhbHVlIiB9 as payload
Xty9gu_6vpzYOFaTdmigFgOtDGDQL9izBqx4npgYr_s as signature
we computed Xty9gu_6vpzYOFaTdmigFgOtDGDQL9izBqx4npgYr_s
compare against signature:
passed
generate-jwt_2-shares shamir-shares-generate validate-jwt-2_shares
shamir-shares-generate creates an encrypted file containing 2000 shares, with a threshold of two shares required to unlock the secret. The arg passed to shamir-shares-generate is the password to the encrypted file containing the shares, not the vslue of the secret. The secret is randomly generated and not stored at all, only via the shares.
generate-jwt_2-shares creates a jwt, taking two of the shares in as arg 1 and arg 2.
validate-jwt-2_shares validates a jwt against any two shares of the same secret, taking three arguments. Arg 1 being the jwt to validate, arg 2 and 3 being any shares of the shamir's secret sharing secret.