CODE
Script source code is here.
DESCRIPTION
This script verifies a JWT (JSON Web Token) or JWS (JSON Web Signature) given as a file or a string, using the KJUR.jws.JWS.verifyJWT() method. It has the following features:
- HS256/384/512,RS256/384/512,PS256/384/512,ES256/384 signature algorithm support
- UTF-8 string, hexadecimal, Base64 and Base64URL passcode support for HS* signatures
- JWS and JWT validation
- The JWT/JWS to verify can be given as a file name or as a string argument.
- Verbose mode that shows the header, the payload and the checks performed.
USAGE
Basic JWS validation
To verify a JWS (JSON Web Signature) or the signature of a JWT (JSON Web Token), you need to supply either a public key or an HMAC password. For RS*, PS* and ES* signatures, specify the public key file with the '-k' option as follows:
% jwtverify -k rsa1.pem aaa.jws
This JWT/JWS is valid.
For an invalid signature (here, verifying with a key that does not match the signer), the following message is shown:
% jwtverify -k rsa2.pem aaa.jws
This JWT/JWS is *NOT* valid.
To verify an HS* (HMAC) JWS signature, there are four ways to specify the HMAC password, using the password type option '-t' together with the password option '-p':
- -t utf8 -p aaa (specify the password 'aaa' as a UTF-8 string)
- -t hex -p 616161 (specify the password as the hexadecimal string '616161', i.e. 'aaa')
- -t b64 -p YWFh (specify the password as the Base64 encoded string 'YWFh', i.e. 'aaa')
- -t b64u -p YWFh (specify the password as the Base64URL encoded string 'YWFh', i.e. 'aaa')
For example, to verify an HS256 JWS signature with the password given as the hexadecimal string '616161', the command is:
% jwtverify -t hex -p 616161 aaa.jws
Password type "-t utf8" and password "-p passwd" are the defaults. When the password of the JWS is the string "passwd", both options can be omitted:
% jwtverify aaa.jws (when password is string "passwd")
This JWT/JWS is valid.
When the HMAC password is the string "test", only the "-t utf8" option needs to be omitted:
% jwtverify -p test aaa.jws
JWT validation
For JWT validation, the script performs extra checks on the payload claims, controlled by the following options:
- --verify_at: the time relation between the validation time and the 'nbf', 'exp' and 'iat' claims
- --accept_iss: list of acceptable 'iss' values
- --accept_sub: list of acceptable 'sub' values
Note that no option exists for the 'aud' or 'jti' claims: they are displayed in verbose mode but not checked, so an application that depends on them must verify them itself.
The '-v' (verbose) option shows the JSON header, the JSON payload and which checks were performed:
% jwtverify -v \
--accept_iss https://jwt-idp.example.com \
--accept_sub mailto:mike@example.com,mailto:joe@example.com \
--verify_at 20050101000000Z -p passwd aaa.jwt
*** HEADER ***
{
"alg": "HS256",
"typ": "JWT"
}
*** PAYLOAD ***
{
"iss": "https://jwt-idp.example.com",
"sub": "mailto:mike@example.com",
"nbf": 946684800,
"exp": 1262304000,
"iat": 946684800,
"jti": "id123456",
"typ": "https://example.com/register",
"aud": "http://foo1.com"
}
*** JWT/JWS VALIDATION RESULT ***
- on: JWS signature validation
- on: check acceptable signature algorithm
- on: verify at "20050101000000Z"
- on: check iss in "https://jwt-idp.example.com"
- on: check sub in "mailto:mike@example.com,mailto:joe@example.com"
This JWT/JWS is valid.
COMMAND LINE HELP
Script supports '-h' or '--help' option for help:
% jwtverify -h
Usage: jwtverify [options] <JWT/JWS file or string to verify>
verify JWT/JWS file or string
Options:
-h, --help output usage information
-V, --version output the version number
-t, --passtype <utf8|hex|b64|b64u> Hmac(HS*) pass type
-p, --pass <pass> Hmac(HS*) password in specified type
-k, --pubkey <file> public key file (ex. PKCS#8 PEM or JWK)
-v, --verbose show header and payload
--accept_iss <iss1,...> check iss is in the iss list (ex. a@a.com,b@b.com)
--accept_sub <sub1,...> check sub is in the sub list (ex. a@a.com,b@b.com)
--verify_at <YYYYMMDDHHmmSSZ> verify at specified UTC time(ex. 20151123235959Z)