
I have to encrypt the payload using the ES256 algorithm. I also have to use kid in the JWK as described in the code below. I am using the jose libraries for creating the signature. Below is the code:

var jose = require("node-jose");

async function a1() {
  try {
    // Keystore entry: only kty/kid/use/alg, no curve or key material (crv, x, y, d)
    const keystore = [
      {
        kty: 'EC',
        kid: '6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1',
        use: 'sig',
        alg: 'ES256'
      }
    ];
    const ks = await jose.JWK.asKeyStore(keystore);
    const rawKey = ks.get(keystore[0].kid);
    const key = await jose.JWK.asKey(rawKey);

    const payload = JSON.stringify({ "sub": "1234567890", "name": "Eric D.", "role": "admin", "iat": 1516239022 });

    // Sign the payload as a compact JWS with ES256 using the key looked up by kid
    const token = await jose.JWS.createSign({ alg: "ES256", format: 'compact' }, key).update(payload, "utf8").final();

  } catch (err) {
    console.log(err);
  }
}
a1();

But I am getting an error:

unsupported algorithm.

Please let me know why this issue is occurring.

  • You're trying to use the key id as the private key? Your code isn't making much sense. Nowhere are you importing a key. From the docs: // where input is either a: // * String serialization of a JSON JWK/(base64-encoded) PEM/(binary-encoded) DER // * Buffer of a JSON JWK/(base64-encoded) PEM/(binary-encoded) DER – Andrew Gillis Jul 09 '21 at 15:48
  • *encrypt the payload using ES256 algorithm* - your code will not encrypt the payload. The payload is just base64url encoded and easily decodable. ES256 is a signature algorithm and you're just creating a signed token here. – jps Jul 09 '21 at 15:57


The alg parameter ({alg: 'ES256'}) is correct, but the provided JWK is not complete; it's missing some parameters.

You have to provide the curve (crv), the x and y coordinates (x, y) and the ECC private key (d).

  const keystore = [
    {
      kty: 'EC',
      kid: '6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1',
      use: 'sig',
      alg: 'ES256',
      crv: "P-256",
      x  : "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
      y  : "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI",
      d  : "0g5vAEKzugrXaRbgKG0Tj2qJ5lMP4Bezds1_sTybkfk"
    }
  ]

The values for x, y, and d in the above example are taken from this article, but usually you have to generate your own key, which is also described in the linked article or by using an online key generator.

The result will be a signed token:

eyJhbGciOiJFUzI1NiIsImtpZCI6IjZkODU4MTAyNDAyZGJiZWIwZjliYjcxMWUzZDEzYTEyMjk2ODQ3OTJkYjQ5NDBkYjBkMGU3MWMwOGNhNjAyZTEifQ.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkVyaWMgRC4iLCJyb2xlIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjJ9.gmVcj7rcENUDesVOSKRzvcMbxT_3zf2Sz771pdy3E1t4P-aKFxV1Vkcry2gvoQ1k11xvE0RSs3jYa13qsjFAzg

Note: the token is a signed token, the payload is not encrypted. If you need/require payload encryption, consider creating an encrypted token (JWE).

  • Hi, what are x and y and the d in the code? From which file do I need to extract these values? – priyanka mane Jul 12 '21 at 10:51
  • In your code you try to load a key from a keystore that you filled with your own key, but the key is incomplete. The x and y coordinates and the private key d are the parameters that define the key. See [here](https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.1). The values I used are just copied from an example, but usually you have to generate a key, e.g. with a key generator like [this](https://mkjwk.org/) or as described in the article to which I linked in my answer. – jps Jul 12 '21 at 13:05
  • Hi, this worked, but if you decode this token 'eyJhbGciOiJFUzI1NiIsImtpZCI6IjZkODU4MTAyNDAyZGJiZWIwZjliYjcxMWUzZDEzYTEyMjk2ODQ3OTJkYjQ5NDBkYjBkMGU3MWMwOGNhNjAyZTEifQ.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkVyaWMgRC4iLCJyb2xlIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjJ9.f45ii0ysM1Z9XayRuc8UsFpIzRgqdXr17IBtSgKi-Grap_uc1uvj7rzkUOwse4-PZhJJhCpeBzKAktmeKzrYiw' on the https://jwt.io/ site, you can see that the x, y, d parameters are not added in the header. The error is "can't find key with 'kid' = 6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1 in issuer set". What is the issuer set? – priyanka mane Jul 12 '21 at 14:17
  • The key parameters are usually not part of the token header, esp. not the private key. Where did you see that error "can't find key with 'kid' = 6d...e1 in issuer set"? jwt.io can't verify the signature because you neither provided the public key in the field in the right column, nor does it know where to get a key with the keyId from. But all this is already beyond the scope of the original question. If the original question is solved, kindly click on the checkmark left of the answer to accept it and then ask a new question. – jps Jul 12 '21 at 15:14