So I'm using KMS to sign JWT token. However I have been unable to verify the signature using the SDK. The snippet (in node) is as follows.
let token_components = {
header: base64url(JSON.stringify(headers)),
payload: base64url(JSON.stringify(payload)),
};
let message = Buffer.from(token_components.header + "." + token_components.payload)
let res1 = await kms.sign({
KeyId: 'arn:xxx',
Message: message,
SigningAlgorithm: 'RSASSA_PKCS1_V1_5_SHA_256',
MessageType: 'RAW'
}).promise()
token_components.signature = res1.Signature.toString("base64")
.replace(/\+/g, '-')
.replace(/\//g, '_')
.replace(/=/g, '')
let res2 = await kms.verify({
KeyId: 'arn:xxx',
Message: message,
Signature: token_components.signature,
SigningAlgorithm: 'RSASSA_PKCS1_V1_5_SHA_256',
MessageType: 'RAW'
}).promise()
With third party library the signature produced from sign can be verified using public key. But using KMS SDK the kms.verify method always fails with invalid signature exception. Referring from the documentation I think it should work as message and signature need to be either in Buffer (node's byte array) or String encoded in Base64. I'm not sure what went wrong and any help is greatly appreciated.
Edited by: inmyth on Mar 5, 2021 7:27 AM
Edited by: inmyth on Mar 5, 2021 7:28 AM
AWS OFFICIALAktualisiert vor 3 Jahren
This comment helped a lot. In NodeJs you would need to get the signature first as byte array: const signatureArray = Uint8Array.from(Buffer.from(token_components.signature, 'base64'))
and then pass it to verify method as Signature: Buffer.from(signatureArray ),