Sign and verify JWS (json web signature) with Ed25519 KeyPair

Question

I want to sign a JWS (json web signature) with a private key generated through Ed25519 on a clients device. Then send this signature to my backend and verify it with the public key. To get familiar with the procedure I want to try to sign and verify a JWS in node js.
Both my private and public key are already generated and are available in base58. This is my current attempt at signing a JWT with an Ed25519 privateKey:

const { SignJWT } = require("jose/jwt/sign");
const bs50 = require("bs58");

async function main() {
  const publicBase58 = "A77GCUCZ7FAuXVMKtwwXyFhMa158XsaoGKHYNnJ1q3pv";
  const privateKeyBase58 = "BE1VM7rTRJReLsTLLG4JMNX5ozcp7qpmMuRht9zB1UjU";

  const publicKeyBuffer = bs50.decode(publicBase58);
  const privateKeyBuffer = bs50.decode(privateKeyBase58);

  const publicKey = new Uint8Array(publicKeyBuffer);
  const privateKey = new Uint8Array(privateKeyBuffer);

  const jwt = await new SignJWT({
    subject: "uuid",
  })
    .setProtectedHeader({ alg: "EdDSA" })
    .setExpirationTime("2h")
    .sign(privateKey);

  console.log(jwt);
}

Error: TypeError: Key must be one of type KeyObject or CryptoKey. Received an instance of Uint8Array

When trying to use the sign() function I get the error above because my privateKey is of type Uint8Array, the only accepted types are KeyObject or CryptoKey but I don't know how I can convert my Uint8Arrays into KeyObjects or CryptoKeys.

I got some code snippets from this answer

Answer 1

You need your keys in a format that Node.js recognizes. KeyObject create*Key APIs recognize and the key is supported in - for Ed25519 keys that is, assuming Node.js >= 16.0.0:

• PEM/DER in SPKI for public keys
• PEM/DER in PKCS8 for private keys
• JWK for both public and private keys

Here's a snippet that uses DER.

import { SignJWT, jwtVerify } from "jose"
import bs58 from "bs58"
import { createPrivateKey, createPublicKey } from "crypto"

(async function main() {
  const publicBase58 = "A77GCUCZ7FAuXVMKtwwXyFhMa158XsaoGKHYNnJ1q3pv";
  const privateKeyBase58 = "BE1VM7rTRJReLsTLLG4JMNX5ozcp7qpmMuRht9zB1UjU";

  let publicKey = bs58.decode(publicBase58);
  let privateKey = bs58.decode(privateKeyBase58);

  publicKey = createPublicKey({
    key: Buffer.concat([Buffer.from("302a300506032b6570032100", "hex"), publicKey]),
    format: "der",
    type: "spki",
  });

  privateKey = createPrivateKey({
    key: Buffer.concat([
      Buffer.from("302e020100300506032b657004220420", "hex"),
      privateKey,
    ]),
    format: "der",
    type: "pkcs8",
  })

  const jwt = await new SignJWT({
    subject: "uuid",
  })
    .setProtectedHeader({ alg: "EdDSA" })
    .setExpirationTime("2h")
    .sign(privateKey);

  console.log(await jwtVerify(jwt, publicKey))
})()

Here's one that uses JWK.

import { SignJWT, jwtVerify } from "jose"
import bs58 from "bs58"
import { createPrivateKey, createPublicKey } from "crypto"

(async function main() {
  const publicBase58 = "A77GCUCZ7FAuXVMKtwwXyFhMa158XsaoGKHYNnJ1q3pv";
  const privateKeyBase58 = "BE1VM7rTRJReLsTLLG4JMNX5ozcp7qpmMuRht9zB1UjU";

  let publicKey = bs58.decode(publicBase58);
  let privateKey = bs58.decode(privateKeyBase58);

  publicKey = createPublicKey({
    key: {
      kty: "OKP",
      crv: "Ed25519",
      x: publicKey.toString("base64url")
    },
    format: "jwk"
  });

  privateKey = createPrivateKey({
    key: {
      kty: "OKP",
      crv: "Ed25519",
      x: publicKey.toString("base64url"),
      d: privateKey.toString("base64url"),
    },
    format: "jwk"
  })

  const jwt = await new SignJWT({
    subject: "uuid",
  })
    .setProtectedHeader({ alg: "EdDSA" })
    .setExpirationTime("2h")
    .sign(privateKey);

  console.log(await jwtVerify(jwt, publicKey))
})()