This page shows how to use CryptoSys PKI to create and validate a JSON Web Signature (JWS) using RSASSA-PKCS1-v1_5 SHA-256 ({"alg":"RS256"}). It includes sample code in C# and VBA.
JSON Web Signature (JWS) is described in RFC 7515, JSON Web Signature (JWS), which explains the process clearly and gives a good, detailed example in Appendix A.2.
Here is sample code in both C# and VBA that uses test data from Appendix A.2 of RFC 7515.
In C#:

string jwsSignature = Sig.SignData(b, jwsPriKey, "", SigAlgorithm.Rsa_Sha256, Sig.SigOptions.Default, Sig.Encoding.Base64url);

where b is a byte array representing the JWS Signing Input and jwsPriKey is a string containing the RSA private key represented as a JSON Web Key (JWK).

int n = Sig.VerifyData(jwsSignature, b, jwsPubKey, SigAlgorithm.Rsa_Sha256);

where a return value of zero means the signature is valid.
In VBA (the first call with an empty output buffer returns the number of characters required; the second call fills the buffer):

Dim strJwsSignature As String
Dim nChars As Long
nChars = SIG_SignData("", 0, abData(0), nDataLen, strJwsPriKey, "", strAlgName, PKI_ENCODE_BASE64URL)
strJwsSignature = String(nChars, " ")
nChars = SIG_SignData(strJwsSignature, Len(strJwsSignature), abData(0), nDataLen, strJwsPriKey, "", strAlgName, PKI_ENCODE_BASE64URL)

where abData is a byte array of length nDataLen representing the JWS Signing Input, strJwsPriKey is a string containing the RSA private key represented as a JSON Web Key (JWK), and strAlgName = "sha256WithRSAEncryption".

Dim nRet As Long
nRet = SIG_VerifyData(strJwsSignature, abData(0), nDataLen, strJwsPubKey, strAlgName, 0)

where a return value of zero means the signature is valid.
The input to be signed (the JWS Signing Input) is the concatenation of the JWS Protected Header and the JWS Payload, each encoded in base64url and separated by a period ('.') character. The header is a JSON object that must at a minimum contain the signing algorithm, e.g. {"alg":"RS256"}. The JWS Payload does not need to be a JSON object.

BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload)

where || denotes concatenation.

The JWS Signature is computed over the JWS Signing Input using, in this case, the RSA private key with the RSASSA-PKCS1-v1_5 SHA-256 algorithm. The JWS Signature is then itself encoded in base64url: BASE64URL(JWS Signature).

The complete JWS representation is called the JWS Compact Serialization and is the concatenation of the three values Header.Payload.Signature with period ('.') characters between the parts, all parts encoded in base64url:

BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Signature)
Example (whitespace is only for display)
eyJhbGciOiJSUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt cGxlLmNvbS9pc19yb290Ijp0cnVlfQ . cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7 AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4 BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K 0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqv hJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrB p0igcN_IoypGlUPQGe77Rw
eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw
In this example the header decodes to {"alg":"RS256"}, meaning the RSASSA-PKCS1-v1_5 SHA-256 algorithm, and the JWS Signature is computed over Header.Payload (the JWS Signing Input).

Base64url encoding is defined in [RFC7515] to use the URL- and filename-safe character set in section 5 of [RFC4648] with all trailing "=" characters omitted. The base64url character set is identical to base64 except that "+" (plus sign, U+002B) is replaced by "-" (hyphen-minus, U+002D), and "/" (slash, U+002F) by "_" (underscore, U+005F).
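As an added example (not CryptoSys PKI code and not from the original page), here is the same construction in Go using only the standard library: it builds the JWS Signing Input described above, signs it with RSASSA-PKCS1-v1_5 SHA-256, and verifies a Compact Serialization, checking the protected header's alg value before any RSA operation. The RSA key is assumed to be supplied by the caller (e.g. from rsa.GenerateKey); the RFC 7515 Appendix A.2 key is not on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// BASE64URL() as defined in RFC 7515: URL-safe alphabet, trailing "=" omitted.
var b64url = base64.RawURLEncoding

// SignRS256 signs BASE64URL(UTF8(header)) || '.' || BASE64URL(payload) with
// RSASSA-PKCS1-v1_5 SHA-256 and returns the JWS Compact Serialization.
func SignRS256(header, payload []byte, key *rsa.PrivateKey) (string, error) {
	input := b64url.EncodeToString(header) + "." + b64url.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url.EncodeToString(sig), nil
}

// VerifyRS256 returns the payload only if the JWS has three parts, the protected
// header names RS256 (any other alg is rejected first) and the signature verifies.
func VerifyRS256(jws string, pub *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("jws: expected 3 parts, got %d", len(parts))
	}
	hdrJSON, err1 := b64url.DecodeString(parts[0])
	sig, err2 := b64url.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("jws: malformed base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("jws: header alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // re-derive Signing Input
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	return b64url.DecodeString(parts[1])
}
```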
This page first published 21 January 2020. Last updated 21 January 2020.