jwt validate

    mgreenish
    wrote on last edited by
    #1

    I've been working on jwt validate for some time without success. I tried back in September without luck. I've tried again today, pretty much all day, and without luck.

    I generate a JWT in PHP and validate it on jwt.io, but when I try to recreate it in Qt, I really don't get the same result. My JWT is as follows:

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJtaWtlLmdyZWVuaXNoQGFkZGhhcHRpY3MuY29tIiwiZGF0YSI6eyJjaWQiOiI3MDY4NTQ1NDY1Njc2ODY4NDU2OTY4NjU2NjQ1NTM1MjUyNTM0NTU3NTA0OTY2NDU3MDU3NTY3MDU1NjY3MDU1NTU1MDUzNTAiLCJsaWNfaWQiOiJzOXhhbGIiLCJtb2R1bGVzIjoxfSwiZXhwIjoiMjAxOS0wMi0wOVQxMToxODoyNy0wNTowMCIsImlhdCI6IjIwMTgtMDItMDlUMTE6MTg6MjctMDU6MDAiLCJpc3MiOiJBZGQgSGFwdGljcyJ9.bNWCqNRCGMA8ppQLlurNyLHXLnAjx1vz2-zOvSMDiDA
    

    In Qt, I have the following code:

        QStringList jwt_elements = jwt.split( "." );    // split by parts
        QString b64Header = jwt_elements.at(0);    // save header
        QString b64Payload = jwt_elements.at(1);   // save payload
        QString b64Signature = jwt_elements.at(2);   // save signature
    
        QString b64message = b64Header + "." + b64Payload;  // reassemble header & payload for verification
    
        QString signature = QString( QMessageAuthenticationCode::hash( b64message.toUtf8(), QString(JWT_SECRET).toUtf8(), QCryptographicHash::Sha256 ) );    // generate signature with my secret
        signature.replace( "=", "");
        signature.replace( "+\\", "-_" );
    
        return ! b64Signature.compare( signature );
    

    Unfortunately, the function always returns false. When I debug, the signature I generated looks nothing like the signature that is part of the JWT; it has lots of non-ASCII characters in it.

    Is this not the right way to verify a jwt?

    1 Reply Last reply
    1
      VRonin
      wrote on last edited by
      #2

      Is JWT_SECRET base64?

      P.S.
      Why do you use QStrings instead of QByteArrays? You are just adding useless overhead.

      "Death is nothing, but to live defeated and inglorious is to die daily"
      ~Napoleon Bonaparte

      On a crusade to banish setIndexWidget() from the holy land of Qt

      M 1 Reply Last reply
      1
        mgreenish
        wrote on last edited by
        #3

        @VRonin JWT_SECRET is not base64; I've simplified everything as much as possible.
        I started with QByteArrays, then switched from QByteArray to QString in case my error was somehow related to that, but it seems not.

        1 Reply Last reply
        0
          mgreenish
          wrote on last edited by mgreenish
          #4

          Thanks to an online SHA256 encoding & encrypting tool that spits output in various formats, it seems I need to further base64 encode the signature. The code becomes:

              QString signature = QString( QMessageAuthenticationCode::hash( b64message.toUtf8(), QString(JWT_SECRET).toUtf8(), QCryptographicHash::Sha256 ) );
              signature.replace( "=", "");
              signature.replace( "+\\", "-_" );
              signature = QString( signature.toUtf8().toBase64() );

              return ! b64Signature.compare( signature );
          

          The online tool spits out a result that matches the original signature but my code doesn't. It's close, much closer, but not quite there:

          "bNWC77+977+9Qhjvv70877+977+9C++/ve+/ve+/vcix77+9LnAj77+9W++/ve+/ve+/vc69IwPvv70w"
          

          instead of the correct

          bNWCqNRCGMA8ppQLlurNyLHXLnAjx1vz2-zOvSMDiDA
          
          1 Reply Last reply
          0
            mgreenish
            wrote on last edited by
            #5

            So the final correct solution is

                QStringList jwt_elements = jwt.split( "." );
                if ( jwt_elements.size() != 3 ) return false;   // a JWT has exactly three segments
                QByteArray b64Signature = jwt_elements.at(2).toUtf8();
                QByteArray b64message = jwt_elements.at(0).toUtf8() + "." + jwt_elements.at(1).toUtf8();
                // HMAC-SHA256 over "header.payload", encoded as unpadded base64url ('-' and '_' instead of '+' and '/')
                QByteArray signature = QMessageAuthenticationCode::hash( b64message, QString(JWT_SECRET).toUtf8(), QCryptographicHash::Sha256 ).toBase64( QByteArray::Base64UrlEncoding | QByteArray::OmitTrailingEquals );

                return b64Signature == signature;   // true only when the signatures match
            

            So my basic problem was that I wasn't base64 encoding the result of the hash.

            1 Reply Last reply
            1
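
Added example, not part of the thread and written in Python rather than Qt so it runs without a Qt installation: it verifies an HS256 token with unpadded base64url, a pinned algorithm and a constant-time comparison, and replays the text-string detour from post #4 on the signature bytes quoted in the thread. The function names, DEMO_SECRET and DEMO_TOKEN are constructed for illustration; the thread's real secret is not on the page.

```python
import base64, hashlib, hmac, json

def b64url(raw: bytes) -> bytes:
    """Unpadded base64url, the encoding JWT uses for every segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def b64url_decode(seg: bytes) -> bytes:
    return base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4))

def sign_hs256(signing_input: bytes, secret: bytes) -> bytes:
    # Encode the raw 32 MAC bytes directly; they never pass through a text type.
    return b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())

def verify_hs256(token: str, secret: bytes) -> bool:
    try:
        head, payload, sig = token.encode("ascii").split(b".")
        header = json.loads(b64url_decode(head))
    except ValueError:  # wrong segment count, non-ASCII, bad base64 or bad JSON
        return False
    # Pin the algorithm instead of trusting whatever the token header claims.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    # Constant-time comparison does not leak how many leading characters matched.
    return hmac.compare_digest(sign_hs256(head + b"." + payload, secret), sig)

def through_text_string(raw: bytes) -> str:
    """Post #4's detour: MAC bytes -> UTF-8 text -> bytes -> standard base64."""
    text = raw.decode("utf-8", errors="replace")  # invalid bytes become U+FFFD
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

# Values quoted in the thread.
THREAD_SIGNATURE = b"bNWCqNRCGMA8ppQLlurNyLHXLnAjx1vz2-zOvSMDiDA"
THREAD_POST4_OUTPUT = "bNWC77+977+9Qhjvv70877+977+9C++/ve+/ve+/vcix77+9LnAj77+9W++/ve+/ve+/vc69IwPvv70w"

# Constructed sample (not from the thread): the secret and claims are made up.
DEMO_SECRET = b"constructed-demo-secret"
_head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
_body = b64url(json.dumps({"iss": "demo", "modules": 1}).encode())
DEMO_TOKEN = (_head + b"." + _body + b"." +
              sign_hs256(_head + b"." + _body, DEMO_SECRET)).decode("ascii")

if __name__ == "__main__":
    print(verify_hs256(DEMO_TOKEN, DEMO_SECRET))
    print(through_text_string(b64url_decode(THREAD_SIGNATURE)) == THREAD_POST4_OUTPUT)
```

Feeding the decoded thread signature through `through_text_string` reproduces the string shown in post #4: byte runs that happen to be valid UTF-8 survive, and every invalid byte turns into EF BF BD, which is `77+9` in base64.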