I'm trying to send web push notifications using PHP. I have read about how to implement the web push protocol, for instance here. However, I think I don't really get the step where the author of this guide explains how to form the Authorization header. Using this library and given my VAPID keys created by an online generator, I tried the following:

```php
use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\Signer\Ecdsa\Sha256;

$signer = new Sha256();
$privateKey = new Key('<the generated private VAPID key>');
$time = time();

$token = (new Builder())->permittedFor('https://example.com')
                        ->expiresAt($time + 3600)
                        ->withHeader('alg', 'ES256')
                        ->withClaim('sub', 'mailto:someone@example.com')
                        ->getToken($signer, $privateKey);
```

What I'd like to get is something similar to `<JWT Info>.<JWT Data>.<Signature>` out of `$token`. However, I get an error:

```
Fatal error: Uncaught InvalidArgumentException: It was not possible to parse your key, reason: error:0909006C:PEM ...
```

Does somebody know what I'm doing wrong here? Thanks a lot in advance!

alex-schuster
  • I don't know what a VAPID key is, but your `$signer` works with ECDSA keys. Given what I got using your provided VAPID generator, I'm pretty sure this is not an ECDSA key. – rugolinifr Aug 27 '20 at 19:55
  • In the [specification](https://tools.ietf.org/html/rfc8292#section-2), it says in section 2 that these keys _MUST be usable with the Elliptic Curve Digital Signature Algorithm (ECDSA) over the P-256 curve_. – alex-schuster Aug 27 '20 at 22:22

1 Answer

Internally, the Lcobucci/jwt API uses both the `openssl_pkey_get_private()` and `openssl_pkey_get_public()` functions.

According to the documentation, they expect PEM-encoded keys, and this is not what you supplied. Those kinds of keys start with a -------BEGIN prefix.

rugolinifr
  • That's exactly right. The online generator gives us the "final version" of the key, which can be used with the most popular Node.js modules. We can create both a .pem file and VAPID keys in plain text files using the openssl commands I discovered [here](https://github.com/web-push-libs/web-push-php#authentication-vapid). – alex-schuster Aug 28 '20 at 18:59
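
The mismatch described in the answer can also be bridged in PHP itself. The following is an added example, not code from the question, the answer or the library: it wraps raw VAPID keys in a SEC1 PEM envelope that `openssl_pkey_get_private()` accepts. It assumes the generator emits base64url text for a 32-byte P-256 private scalar and a 65-byte uncompressed public point; `vapid_to_pem()` and the two base64url helpers are hypothetical names, and PHP 7.4+ with the OpenSSL extension is assumed.

```php
<?php
// Added example. Input assumption: base64url text holding a 32-byte P-256
// private scalar and a 65-byte uncompressed public point (0x04 || X || Y).

function b64url_decode(string $s): string {
    $s = strtr($s, '-_', '+/');
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4);   // restore stripped padding
    $raw = base64_decode($s, true);
    if ($raw === false) {
        throw new InvalidArgumentException('not valid base64url');
    }
    return $raw;
}

function b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Hypothetical helper: build a SEC1 "EC PRIVATE KEY" PEM from the raw key pair.
function vapid_to_pem(string $privB64, string $pubB64): string {
    $d = b64url_decode($privB64);
    $q = b64url_decode($pubB64);
    if (strlen($d) !== 32 || strlen($q) !== 65 || $q[0] !== "\x04") {
        throw new InvalidArgumentException('unexpected VAPID key length or format');
    }
    // SEQUENCE { INTEGER 1, OCTET STRING d, [0] OID prime256v1, [1] BIT STRING Q }
    $der = "\x30\x77\x02\x01\x01\x04\x20" . $d
         . "\xa0\x0a\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07"
         . "\xa1\x44\x03\x42\x00" . $q;
    return "-----BEGIN EC PRIVATE KEY-----\n"
         . chunk_split(base64_encode($der), 64, "\n")
         . "-----END EC PRIVATE KEY-----\n";
}

// Constructed sample input: a throwaway key, flattened the way a generator would.
$ec = openssl_pkey_get_details(openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1',
]))['ec'];
$pad  = fn(string $b): string => str_pad($b, 32, "\0", STR_PAD_LEFT); // keep leading zero bytes
$priv = b64url_encode($pad($ec['d']));
$pub  = b64url_encode("\x04" . $pad($ec['x']) . $pad($ec['y']));

$pem = vapid_to_pem($priv, $pub);
$key = openssl_pkey_get_private($pem);   // the parser the answer says the library relies on
if ($key === false) {
    throw new RuntimeException('OpenSSL rejected the PEM: ' . openssl_error_string());
}
// Compare the private scalar before and after the round trip.
var_dump($pad(openssl_pkey_get_details($key)['ec']['d']) === $pad($ec['d']));
```

The `$pem` string is the form of key material that `new Key(...)` in the question should receive instead of the raw generator output. Treat it like any other private key: keep it out of version control and out of the web root.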