JSON Web Tokens from Oscript

HF_PSPC · 2021-11-03T17:39:30+00:00

There was an error rendering this rich post.

Hi,

Bit of an edge case, but is anyone using Oscript to generate JSON Web Tokens (JWT's)? I ask because there is a particular service I want to write a token for from oscript that requires SHA-256 as the encryption. I noticed that if I call Security.Encrypt() passing Security.SHA256 as the encryption method, the drop-in dies. I further noticed that in $Kernel.Cipher.Encrypt() that the SHA256 is not a valid encryption algorithm. Any particular reason? If it's just not going to work, I will probably have to use Java Objects to do it.

-Hugh

Find more posts tagged with

Comments

Nizar Ghazal

Isn't SHA256 a one-way hash, so you don't provide a key? The built-in is probably erroring out with a LibOTSecBuiltin error if you try to provide a key with SHA256, I'd guess.

Your hashing would be something like:

String yourNewValue = Security.Hash( yourOldValue, Security.SHA256 )

But if you wanted to encrypt something:

String yourNewValue = Security.Encrypt( yourOldValue, 'SuperSecretKey', Security.AES_128_ECB )

I guess our docs aren't super clear as to which are hash types versus encryption types... :-)

Curtis G Hanson

Any word on this? I'm looking at the OScript Security class and I don't see anything for signing a message. Like @HF_PSPC above, I need to sign a message with a private key (using the RSA SHA256 digital signature algorithm). I don't see an option to pass a key alongside a SHA256 encryption algorithm.

HF_PSPC

I've found a number of libraries on Git hub that do this in Java. It's a simple enough manner to simply put the libraries in your module ojlib directory and call the appropriate functions from a JavaObject (or at least it should be). I already use JavaObjects extensively to call the Apache HTTP Client library (and given how finicky the RestClient object is, I will continue to do so).

-Hugh

Curtis G Hanson

Thanks for the advice. I'll take a look at going that route as well. JavaObjects has been my go to as well ever since diving into OScript. I appreciate the help.

HFCDev

BTW, I got this working in Oscript calling the library from this project https://github.com/jwtk/jjwt

It seems to work, when I test the generated tokens and signature against this diagnostic/debuggins JWT site: https://jwt.io/

For those doing a lot of Java in Oscript, what are you doing to pull over Maven or Gradle dependencies? The above project on Git Hub gives the Maven and Gradle dependencies in the readme.md. I was able to get compiled Jar files by creating a Maven project then locating where the Jars are, and moving them to my module ojlib directory. It feels a little clumsy of an approach though.

-Hugh