JWTの生成/検証/改ざん検出をコマンドラインでやってみる(共通鍵暗号方式編)
準備
JWT の header と payload を JSON 形式で用意します。
JWT Header: jwt-header-plaintext.json
{
"alg": "HS256",
"typ": "JWT"
}
JWT Payload: jwt-payload-plaintext.json
{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"iat": 1516239022
}
JWT 生成
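# --- JWT generation (HS256) ---
# Each segment is base64url (RFC 7515 Appendix C): plain base64 with '+/' mapped to
# '-_' and the '=' padding removed.
# `jq -cj .` compacts the JSON AND omits jq's trailing newline, so no newline byte is
# encoded into the segment. `openssl base64 -A` never wraps lines; GNU `base64` wraps
# at 76 columns, which would leave a raw newline inside the (longer) payload segment.
jq -cj . jwt-header-plaintext.json | openssl base64 -A | tr '+/' '-_' | tr -d '=' | tee jwt-header.txt
jq -cj . jwt-payload-plaintext.json | openssl base64 -A | tr '+/' '-_' | tr -d '=' | tee jwt-payload.txt
# The signing input is "<header>.<payload>" with no trailing newline (printf, not echo).
printf '%s.%s' "$(cat jwt-header.txt)" "$(cat jwt-payload.txt)" | tee jwt-header-payload.txt
# Demo secret from the page. Outside a demo, read the key from a file or the environment;
# note that a key given via -hmac is visible in the process list while openssl runs.
secret='a-string-secret-at-least-256-bits-long'
# Signature = base64url(HMAC-SHA256(secret, signing input)); -binary keeps the raw digest.
openssl dgst -binary -sha256 -hmac "$secret" < jwt-header-payload.txt | openssl base64 -A | tr '+/' '-_' | tr -d '=' | tee jwt-signature.txt
# Assemble the compact serialization: header.payload.signature
printf '%s.%s.%s' "$(cat jwt-header.txt)" "$(cat jwt-payload.txt)" "$(cat jwt-signature.txt)" | tee jwt.txt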
JWT 検証
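# --- JWT verification (HS256) ---
# A verifier holds only the token and the shared secret: the signed part is the first two
# dot-separated fields, and the signature to check is the third. `tr -d '\n'` drops the
# newline that cut appends, so the recomputed input is byte-identical to what was signed.
cut -d. -f1,2 jwt.txt | tr -d '\n' | tee jwt-header-payload-when-verified.txt
secret='a-string-secret-at-least-256-bits-long'   # must be the key the issuer used
openssl dgst -binary -sha256 -hmac "$secret" < jwt-header-payload-when-verified.txt | openssl base64 -A | tr '+/' '-_' | tr -d '=' | tee jwt-signature-when-verified.txt
# Compare the signature carried in the token with the recomputed one -- not with the
# issuer's jwt-signature.txt, which a real verifier never has. (String comparison is not
# constant-time; fine for a command-line demo, not for a service.)
if [[ "$(cut -d. -f3 jwt.txt)" == "$(cat jwt-signature-when-verified.txt)" ]]; then
  echo "VERIFIED"
else
  echo "INVALID"
fi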
JWT 改ざん検出
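# --- Tamper detection ---
# Change a claim, re-encode the payload and splice it into the token while keeping the
# original signature. The HMAC was computed over the original payload, so the recomputed
# signature no longer matches the one the token carries.
# Same encoding as generation: `-j` drops jq's trailing newline, `-A` prevents line wrapping.
jq -cj '.sub = "attacker"' jwt-payload-plaintext.json | openssl base64 -A | tr '+/' '-_' | tr -d '=' | tee jwt-payload-tampered.txt
printf '%s.%s.%s' "$(cat jwt-header.txt)" "$(cat jwt-payload-tampered.txt)" "$(cat jwt-signature.txt)" | tee jwt-tampered.txt
# Verify exactly as a verifier would: signed part AND signature both come from the token.
cut -d. -f1,2 jwt-tampered.txt | tr -d '\n' | tee jwt-header-payload-tampered-when-verified.txt
secret='a-string-secret-at-least-256-bits-long'   # the issuer's key
openssl dgst -binary -sha256 -hmac "$secret" < jwt-header-payload-tampered-when-verified.txt | openssl base64 -A | tr '+/' '-_' | tr -d '=' | tee jwt-signature-tampered-when-verified.txt
if [[ "$(cut -d. -f3 jwt-tampered.txt)" == "$(cat jwt-signature-tampered-when-verified.txt)" ]]; then
  echo "VERIFIED"
else
  echo "INVALID"   # expected here: the carried signature covers the original payload only
fi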