I am using the jose library listed on the http://jwt.io site. I am trying to create a JWT token with this library, but the generated token is reported as having an invalid signature when pasted into the http://jwt.io site, and when I try curl against App Store Connect I get a 401 Unauthorized response! I don't know what is causing the issue.

import org.jose4j.jwk.EcJwkGenerator;
import org.jose4j.jwk.EllipticCurveJsonWebKey;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.keys.EllipticCurves;
import org.jose4j.lang.JoseException;

public class CreateToken {
    public static void main(String[] args) throws JoseException {
        // Create the Claims, which will be the content of the JWT
        JwtClaims claims = new JwtClaims();
        claims.setIssuer("69a6de78-7188-47e3-e053-5b8c7c11a4d1");  // who creates the token and signs it
        claims.setAudience("appstoreconnect-v1"); // to whom the token is intended to be sent
        claims.setExpirationTimeMinutesInTheFuture(20); // time when the token will expire (20 minutes from now)
        claims.setIssuedAtToNow();
        claims.setGeneratedJwtId(); // a unique identifier for the token
        // Generate an EC key pair, which will be used for signing and verification of the JWT, wrapped in a JWK
        EllipticCurveJsonWebKey senderJwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
        // Give the JWK a Key ID (kid), which is just the polite thing to do
        senderJwk.setKeyId("-----BEGIN PRIVATE KEY-----\n" +
                "*******************" +
                "-----END PRIVATE KEY-----");
        // So we first create a JsonWebSignature object.
        JsonWebSignature jws = new JsonWebSignature();
        // The payload of the JWS is JSON content of the JWT Claims
        jws.setPayload(claims.toJson());
        // The JWT is signed using the sender's private key
        jws.setKey(senderJwk.getPrivateKey());
        // Set the Key ID (kid) header because it's just the polite thing to do.
        // We only have one signing key in this example but using a Key ID helps
        // facilitate a smooth key rollover process
        jws.setKeyIdHeaderValue(senderJwk.getKeyId());
        // Set the signature algorithm on the JWT/JWS that will integrity protect the claims
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
        jws.setHeader("typ", "jwt");
        // Sign the JWS and produce the compact serialization, which will be the inner JWT/JWS
        // representation, which is a string consisting of three dot ('.') separated
        // base64url-encoded parts in the form Header.Payload.Signature
        String outJwt = jws.getCompactSerialization();
        // Now you can do something with the JWT. Like send it to some other party
        // over the clouds and through the interwebs.
        System.out.println("JWT: " + outJwt);
    }
}

curl -v -H 'Authorization: Bearer [signed token]' "https://api.appstoreconnect.apple.com/v1/apps"

RAVIBHARATHI PK

1 Answer

I'm not familiar with the library, but it looks like you are signing the token with a new, randomly generated key each time you run the code:

EllipticCurveJsonWebKey senderJwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);

It looks like you are also setting the key ID to be a base-64 encoded private key (perhaps the one you intended to use?). The key ID isn't the key; it's just something that can be used to look the key up in a key store, for example (according to Apple, the key ID for their API should be "Your private key ID from App Store Connect").

So I'd guess the reason you're getting an "invalid signature" error is because you are signing the token with a new key each time, and not the one you are using to verify it.

Shaun the Sheep
  • I think what you say is correct, but how can I use my private key to sign the token? I couldn't pass my private key as a private key type to the set-key function used in the code; it couldn't declare my private key as a private key type. – RAVIBHARATHI PK Apr 04 '19 at 05:17
  • That's really a different question. You want to know how to load an encoded key in Java. Try searching the site for suitable answers. For example I found [this one](https://stackoverflow.com/questions/22963581/reading-elliptic-curve-private-key-from-file-with-bouncycastle). – Shaun the Sheep Apr 04 '19 at 17:04
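The fix the answer describes, as an added example that is not part of the question, the answer, or the jose4j library: load the PKCS#8 PEM private key (the format of the AuthKey_*.p8 file downloaded from App Store Connect), put the App Store Connect key ID in the `kid` header rather than the PEM text, sign with ES256, and verify the result locally with the matching public key, which is what jwt.io and Apple do. It is written in Go with only the standard library so it runs without third-party dependencies; the `keyID` value and the generated .p8 fixture are constructed stand-ins, and the Issuer ID is the one from the question. The equivalent in the questioner's Java setup is `KeyFactory.getInstance("EC").generatePrivate(new PKCS8EncodedKeySpec(derBytes))` on the base64-decoded PEM body, passed to `jws.setKey(...)`, with `jws.setKeyIdHeaderValue(keyId)`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical identifiers standing in for the values App Store Connect shows you.
const (
	keyID    = "ABC123DEFG"                           // "Your private key ID from App Store Connect"
	issuerID = "69a6de78-7188-47e3-e053-5b8c7c11a4d1" // Issuer ID from the question
)

var b64 = base64.RawURLEncoding

// newP8Fixture generates a P-256 key and serialises it as PKCS#8 PEM: a constructed
// stand-in for the AuthKey_*.p8 file, so the example runs offline.
func newP8Fixture() (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})), nil
}

// loadP8PrivateKey parses the PEM/PKCS#8 text and checks it is a P-256 key, the only curve ES256 allows.
func loadP8PrivateKey(pemText string) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, errors.New("no PKCS#8 PRIVATE KEY block in input")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ec, ok := key.(*ecdsa.PrivateKey)
	if !ok || ec.Curve != elliptic.P256() {
		return nil, errors.New("expected a P-256 EC private key for ES256")
	}
	return ec, nil
}

// signES256 builds header.payload and appends the JWS signature. Per RFC 7518 section 3.4 the
// signature is r and s each left-padded to 32 bytes and concatenated, not the ASN.1 DER form.
func signES256(priv *ecdsa.PrivateKey, kid, iss string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": iss,
		"iat": now.Unix(),
		"exp": now.Add(20 * time.Minute).Unix(), // App Store Connect tokens live at most 20 minutes
		"aud": "appstoreconnect-v1",
	})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyES256 checks a compact JWS against the given public key and returns the decoded claims.
// With a key that does not match the signer it fails, which is the question's "invalid signature".
func verifyES256(token string, pub *ecdsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not three dot-separated parts")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("signature is not a 64-byte R||S value")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("invalid signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	p8, err := newP8Fixture() // in practice: os.ReadFile("AuthKey_ABC123DEFG.p8")
	if err != nil {
		panic(err)
	}
	priv, err := loadP8PrivateKey(p8)
	if err != nil {
		panic(err)
	}
	token, err := signES256(priv, keyID, issuerID, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("JWT:", token)
	claims, err := verifyES256(token, &priv.PublicKey)
	fmt.Println("verified claims:", claims, "err:", err)
}
```

Two things to check when a token still fails: jwt.io only reports a valid signature after the matching public key is pasted into its verification box, so an "invalid signature" there without it says nothing about the token; and a signature that verifies locally but is rejected by the API usually means `kid` or `iss` does not match the key ID and Issuer ID shown in App Store Connect.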