Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

KMS Signature as part of JWT Sign flow

0

Hi, has anyone came across a NodeJs implementation on token signing with KMS and jsonwebtoken?

I managed to use the method outlined here: https://repost.aws/questions/QUMj3eDD6sRXWWaZizjTVktw/cannot-verify-kms-signed-message

but now I wanted to try the below (leveraging jsonwebtoken library) but keep getting "error:1E08010C:DECODER routines::unsupported".

I believe the error is due to base64url.encode(Buffer.from(res.Signature)) not being in proper format as RS256, though I d think otherwise. Is there a way to pass KMS signing signture as secretOrPrivateKey of the jsonwebtoken sign method?

import * as jwt from 'jsonwebtoken'
import { KMSClient, SignCommand } from '@aws-sdk/client-kms';
import base64url from 'base64url';

 //handler omitted..

async function sign(headers, payload, keyId) {

    payload.iat = Math.floor(Date.now() / 1000);

    const tomorrow = new Date()
    tomorrow.setDate(tomorrow.getDate() + 1)
    payload.exp = Math.floor(tomorrow.getTime() / 1000);

    let token_components = {
        header: base64url(JSON.stringify(headers)),
        payload: base64url(JSON.stringify(payload)),
    };

    let message = Buffer.from(token_components.header + "." + token_components.payload)

    const input = {
      KeyId: keyId,
      Message: message,
      SigningAlgorithm: "RSASSA_PKCS1_V1_5_SHA_256",
      MessageType: 'RAW'
    };
    const command = new SignCommand(input);
    const res = await kmsClient.send(command);

    return = await jwt.sign({
        payload
    }, **base64url.encode(Buffer.from(res.Signature))**, {
        algorithm: 'RS256'
    })
  
}
Themen
ServerlosKalkulation
Tags
AWS Lambda
Sprache
English
profile picture
EXPERTE
Antonio_Lagrotteria
gefragt vor 7 Monaten829 Aufrufe
2 Antworten
0

Hi Antonio,

Are those solutions to your question ?

Best,

Didier

profile pictureAWS
EXPERTE
Didier_Durand
beantwortet vor 7 Monaten
profile picture
EXPERTE
Giovanni Lauria
überprüft vor einem Monat
  • Antonio_Lagrotteria EXPERTE
    vor 7 Monaten

    I saw both of them, but first one does not seem to be working correctly and second articleis a different language implementation. Tried to "translate" it into Javascript but didnt work.

0

Ciao Antonio,

try this instead:

const AWS = require('aws-sdk');
const jwt = require('jsonwebtoken');

const kms = new AWS.KMS({ region: 'your-region' });

async function signTokenWithKMS(payload) {
    // Sign the payload using KMS
    const params = {
        KeyId: 'your-kms-key-id',
        Message: JSON.stringify(payload),
        MessageType: 'RAW',
        SigningAlgorithm: 'RSASSA_PKCS1_V1_5_SHA_256' // or any other suitable algorithm
    };

    const { Signature } = await kms.sign(params).promise();

    // Convert the KMS signature into a format compatible with jsonwebtoken
    const base64EncodedSignature = Signature.toString('base64');

    return base64EncodedSignature;
}

async function generateJWTToken(payload) {
    try {
        const signature = await signTokenWithKMS(payload);

        // Use the converted signature with jsonwebtoken
        const token = jwt.sign(payload, signature, { algorithm: 'RS256' });
        return token;
    } catch (error) {
        console.error('Error generating JWT token:', error);
        throw error;
    }
}

// Example usage
const payload = { user: 'user123', role: 'admin' };
generateJWTToken(payload)
    .then(token => console.log('Generated JWT token:', token))
    .catch(error => console.error('Error generating JWT token:', error));

Differences are:

  • The "new" implementation uses the aws-sdk package instead of @aws-sdk/client-kms. This simplifies the dependency management as it relies on the standard AWS SDK for JavaScript/Node.js.
  • In the "new" implementation, the signing operation is performed directly through the kms.sign() method from aws-sdk. This eliminates the need to create a SignCommand object explicitly.
  • In the "new" implementation, the signature returned by the KMS service is converted to a base64 encoded string, which is then passed as the private key parameter to the jsonwebtoken.sign() function. This is different from the "old" implementation, where the signature is directly encoded using base64url.encode(Buffer.from(res.Signature)).
  • Error handling might differ between the two implementations, but it's not explicitly shown in the provided code snippets. These differences highlight a shift in how the KMS signing operation is integrated into the JWT token generation process, moving towards a more streamlined approach by leveraging the capabilities of the aws-sdk and jsonwebtoken libraries directly.
profile picture
EXPERTE
Giovanni Lauria
beantwortet vor einem Monat

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt