
OK, so I have a back-end Java service that is generating JWTs using the jose4j library. This is already in production and we have several other Java services that are verifying these tokens and it all works just fine. I'm now trying to create a NodeJS service and it also needs to verify the JWTs that are being generated by the original Java service. Here is the Java code using jose4j to generate a token.

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.keys.HmacKey;
import org.jose4j.lang.JoseException;

    // The HMAC key is not the raw secret: it is the SHA-256 digest of the
    // secret's UTF-8 bytes (32 bytes). Any verifier has to reproduce this step.
    public static HmacKey getKey() throws UnsupportedEncodingException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(Vars.SECRET_KEY.getBytes("UTF-8"));
        byte[] key = md.digest();
        return new HmacKey(key);
    }

    // issuer, timeToLiveInMinutes, subject and jwt are fields of the enclosing class
    public String buildJwt() throws JoseException, UnsupportedEncodingException, NoSuchAlgorithmException {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuer == null ? Vars.NETD_ISSUER : issuer);
        claims.setExpirationTimeMinutesInTheFuture(timeToLiveInMinutes);
        claims.setGeneratedJwtId();
        claims.setIssuedAtToNow();
        claims.setNotBeforeMinutesInThePast(2);
        claims.setSubject(subject);

        JsonWebSignature jws = new JsonWebSignature();
        // Add the Claims payload to the JWS
        jws.setPayload(claims.toJson());
        // Sign with the derived (hashed) key, HS256
        jws.setKey(getKey());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256);
        jwt = jws.getCompactSerialization();
        return jwt;
    }

Here is the NodeJS code where I'm attempting to validate the JWT.

let decoded = await jwt.verify(token, Buffer.from(config.signature));

The config.signature and the Vars.SECRET_KEY are the same values. But this results in an 'invalid signature' error.

{ JsonWebTokenError: invalid signature
    at C:\Users\jmiles\code\nodeJS\NetDGateway\node_modules\jsonwebtoken\verify.js:122:19
    at getSecret (C:\Users\jmiles\code\nodeJS\NetDGateway\node_modules\jsonwebtoken\verify.js:76:14)
    at Object.module.exports [as verify] (C:\Users\jmiles\code\nodeJS\NetDGateway\node_modules\jsonwebtoken\verify.js:80:10)
    at Object.validateOriForVendor (C:\Users\jmiles\code\nodeJS\NetDGateway\src\utils.js:37:33)
    at getCaseDetail (C:\Users\jmiles\code\nodeJS\NetDGateway\src\operations.js:94:29)
    at Layer.handle [as handle_request] (C:\Users\jmiles\code\nodeJS\NetDGateway\node_modules\express\lib\router\layer.js:95:5)
    at next (C:\Users\jmiles\code\nodeJS\NetDGateway\node_modules\express\lib\router\route.js:137:13)
    at Route.dispatch (C:\Users\jmiles\code\nodeJS\NetDGateway\node_modules\express\lib\router\route.js:112:3)
    at Layer.handle [as handle_request] (C:\Users\jmiles\code\nodeJS\NetDGateway\node_modules\express\lib\router\layer.js:95:5)
    at C:\Users\jmiles\code\nodeJS\NetDGateway\node_modules\express\lib\router\index.js:281:22
    at param (C:\Users\jmiles\code\nodeJS\NetDGateway\node_modules\express\lib\router\index.js:354:14)
    at paramCallback (C:\Users\jmiles\code\nodeJS\NetDGateway\node_modules\express\lib\router\index.js:401:21)
    at oriHelper (C:\Users\jmiles\code\nodeJS\NetDGateway\src\operations.js:234:5)
  name: 'JsonWebTokenError', message: 'invalid signature' }
Jacob Miles

1 Answer


I was able to get the jsonwebtoken to validate it if I change the getKey method to the following.

public static HmacKey getKey() throws UnsupportedEncodingException {
        return new HmacKey(Vars.SECRET_KEY.getBytes("UTF-8"));
    }

and then change the validation call for jsonwebtoken to the following.

let decoded = await jwt.verify(token, config.signature, config.jwtOptions);

So the verify function takes a string instead of a Buffer.from().

This is not ideal as now I need to do a pull request for a service that is already in production. And doing this change will require that all existing JWTs will become invalid.

Jacob Miles