Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

KMS Signature as part of JWT Sign flow

0

Hi, has anyone came across a NodeJs implementation on token signing with KMS and jsonwebtoken?

I managed to use the method outlined here: https://repost.aws/questions/QUMj3eDD6sRXWWaZizjTVktw/cannot-verify-kms-signed-message

but now I wanted to try the below (leveraging jsonwebtoken library) but keep getting "error:1E08010C:DECODER routines::unsupported".

I believe the error is due to base64url.encode(Buffer.from(res.Signature)) not being in proper format as RS256, though I d think otherwise. Is there a way to pass KMS signing signture as secretOrPrivateKey of the jsonwebtoken sign method?

import * as jwt from 'jsonwebtoken'
import { KMSClient, SignCommand } from '@aws-sdk/client-kms';
import base64url from 'base64url';

 //handler omitted..

async function sign(headers, payload, keyId) {

    payload.iat = Math.floor(Date.now() / 1000);

    const tomorrow = new Date()
    tomorrow.setDate(tomorrow.getDate() + 1)
    payload.exp = Math.floor(tomorrow.getTime() / 1000);

    let token_components = {
        header: base64url(JSON.stringify(headers)),
        payload: base64url(JSON.stringify(payload)),
    };

    let message = Buffer.from(token_components.header + "." + token_components.payload)

    const input = {
      KeyId: keyId,
      Message: message,
      SigningAlgorithm: "RSASSA_PKCS1_V1_5_SHA_256",
      MessageType: 'RAW'
    };
    const command = new SignCommand(input);
    const res = await kmsClient.send(command);

    return = await jwt.sign({
        payload
    }, **base64url.encode(Buffer.from(res.Signature))**, {
        algorithm: 'RS256'
    })
  
}
Temas
Sin servidorCálculo
Etiquetas
AWS Lambda
Idioma
English
profile picture
EXPERTO
Antonio_Lagrotteria
preguntada hace 7 meses823 visualizaciones
2 Respuestas
0

Hi Antonio,

Are those solutions to your question ?

Best,

Didier

profile pictureAWS
EXPERTO
Didier_Durand
respondido hace 7 meses
profile picture
EXPERTO
Giovanni Lauria
revisado hace un mes
  • Antonio_Lagrotteria EXPERTO
    hace 7 meses

    I saw both of them, but first one does not seem to be working correctly and second articleis a different language implementation. Tried to "translate" it into Javascript but didnt work.

0

Ciao Antonio,

try this instead:

const AWS = require('aws-sdk');
const jwt = require('jsonwebtoken');

const kms = new AWS.KMS({ region: 'your-region' });

async function signTokenWithKMS(payload) {
    // Sign the payload using KMS
    const params = {
        KeyId: 'your-kms-key-id',
        Message: JSON.stringify(payload),
        MessageType: 'RAW',
        SigningAlgorithm: 'RSASSA_PKCS1_V1_5_SHA_256' // or any other suitable algorithm
    };

    const { Signature } = await kms.sign(params).promise();

    // Convert the KMS signature into a format compatible with jsonwebtoken
    const base64EncodedSignature = Signature.toString('base64');

    return base64EncodedSignature;
}

async function generateJWTToken(payload) {
    try {
        const signature = await signTokenWithKMS(payload);

        // Use the converted signature with jsonwebtoken
        const token = jwt.sign(payload, signature, { algorithm: 'RS256' });
        return token;
    } catch (error) {
        console.error('Error generating JWT token:', error);
        throw error;
    }
}

// Example usage
const payload = { user: 'user123', role: 'admin' };
generateJWTToken(payload)
    .then(token => console.log('Generated JWT token:', token))
    .catch(error => console.error('Error generating JWT token:', error));

Differences are:

  • The "new" implementation uses the aws-sdk package instead of @aws-sdk/client-kms. This simplifies the dependency management as it relies on the standard AWS SDK for JavaScript/Node.js.
  • In the "new" implementation, the signing operation is performed directly through the kms.sign() method from aws-sdk. This eliminates the need to create a SignCommand object explicitly.
  • In the "new" implementation, the signature returned by the KMS service is converted to a base64 encoded string, which is then passed as the private key parameter to the jsonwebtoken.sign() function. This is different from the "old" implementation, where the signature is directly encoded using base64url.encode(Buffer.from(res.Signature)).
  • Error handling might differ between the two implementations, but it's not explicitly shown in the provided code snippets. These differences highlight a shift in how the KMS signing operation is integrated into the JWT token generation process, moving towards a more streamlined approach by leveraging the capabilities of the aws-sdk and jsonwebtoken libraries directly.
profile picture
EXPERTO
Giovanni Lauria
respondido hace un mes

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante