#!/usr/bin/env node
/*
* jwtverify - verify JWT/JWS file or string
*
* Copyright (c) 2015-2016 Kenji Urushima ([email protected])
*
* This software is licensed under the terms of the MIT License.
* https://kjur.github.io/jsrsasign/license
*
* The above copyright and license notice shall be
* included in all copies or substantial portions of the Software.
*
* Please use '-h' option for this script usage.
* ---------------------------------------------------------
* DESCRIPTION
* This script verifies a JWT(JSON Web Token) file.
*
* USAGE
* % jwtverify a1.jwt -k pub.pem
* This JWT/JWS is valid.
* % jwtverify a1.jwt -k pub.pem -v # verbose mode
* *** HEADER ***
* {
* "alg": "ES256",
* "cty": "JWT"
* }
* *** PAYLOAD ***
* {
* "age": 21
* }
* *** JWT/JWS VALIDATION RESULT ***
* - on: JWS signature validation
* - on: check acceptable signature algorithm
* - on: verify at current time
* This JWT/JWS is valid.
*
* % jwtverify a2.jwt -p secret -t utf8 # for HS256 at jwt.io
* % jwtverify a3.jwt -v --verifyat 20050101000000Z -p secret
* % jwtverify a4.jwt -v --accept_iss http://aaa.com/ -p secret
* % jwtverify a5.jwt -v --accept_sub mailto:[email protected] -p secret
*/
var program = require('commander');
var rs = require('jsrsasign');
var rsu = require('jsrsasign-util');
var path = require('path');
var JWS = rs.jws.JWS;
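program
  .version('1.0.2 (2016-Nov-05)')
  .usage('[options] <JWT/JWS file or string to verify>')
  .description('verify JWT/jWS file or string')
  .option('-t, --passtype <utf8|hex|b64|b64u>', 'Hmac(HS*) pass type', 'utf8')
  .option('-p, --pass <pass>', 'Hmac(HS*) password in specfied type', 'passwd')
  .option('-k, --pubkey <file>', 'public key file (ex. PKCS#8 PEM or JWK)')
  .option('-v, --verbose', 'show header and payload')
  .option('--accept_iss <iss1,...>', 'check iss is in the iss list (ex. [email protected],[email protected])')
  .option('--accept_sub <sub1,...>', 'check sub is in the sub list (ex. [email protected],[email protected])')
  .option('--verify_at <YYYYMMDDHHmmSSZ>', 'verify at specified UTC time(ex. 20151123235959Z)')
  .parse(process.argv);

if (program.args.length !== 1)
  throw new Error("wrong number of arguments");

/*
 * read the JWT
 * The single argument is first tried as a file name; if it cannot be
 * read it is taken verbatim as the compact JWS string (best effort,
 * so any read error deliberately falls through to the string case).
 */
var jwt;
try {
  var inFile = program.args[0];
  jwt = rsu.readFile(inFile);
} catch (ex) {
  jwt = program.args[0]; // as string
}

var pass;
var pubKeyObj;
var acceptField = {};

if (! JWS.inArray(program.passtype, ['utf8', 'hex', 'b64', 'b64u']))
  throw new Error("unsupported HS* password type: " + program.passtype);

/*
 * HMAC password object, keyed by encoding name, in the form verifyJWT
 * takes as its key argument. Both options carry commander defaults
 * ('utf8' / 'passwd'), so this object is always built; a public key
 * given with -k takes precedence over it in the verify step below.
 */
if (program.passtype !== undefined && program.pass !== undefined) {
  pass = {};
  pass[program.passtype] = program.pass;
}

if (program.pubkey !== undefined) {
  var pubKeyPEM = rsu.readFile(program.pubkey);
  pubKeyObj = rs.KEYUTIL.getKey(pubKeyPEM);
}

/*
 * set acceptField
 * The acceptable 'alg' list follows the kind of key supplied: HS* for a
 * shared secret, and only asymmetric algorithms once a public key is
 * given. The asymmetric list replaces (does not extend) the HS* list, so
 * a token advertising an HS* alg is not accepted against a public key.
 */
if (pass !== undefined)
  acceptField.alg = ['HS256', 'HS384', 'HS512'];
if (pubKeyObj !== undefined)
  acceptField.alg = ['RS256', 'RS384', 'RS512',
                     'PS256', 'PS384', 'PS512',
                     'ES256', 'ES384', 'ES512'];
// --verify_at: Zulu time string is converted to the IntDate form
// verifyJWT expects; when absent the library verifies at the current time
if (program.verify_at !== undefined)
  acceptField.verifyAt = rs.KJUR.jws.IntDate.getZulu(program.verify_at);
if (program.accept_iss !== undefined)
  acceptField.iss = program.accept_iss.split(",");
if (program.accept_sub !== undefined)
  acceptField.sub = program.accept_sub.split(",");

/*
 * show header and payload
 * Printed before verification, so in verbose mode the decoded parts are
 * shown even for a token that is then rejected.
 */
if (program.verbose) {
  var parts = jwt.split(".");
  var pHeader = rs.KJUR.jws.JWS.readSafeJSONString(rs.b64utoutf8(parts[0]));
  var pClaim = rs.KJUR.jws.JWS.readSafeJSONString(rs.b64utoutf8(parts[1]));
  console.log("*** HEADER ***");
  console.log(JSON.stringify(pHeader, null, " "));
  console.log("*** PAYLOAD ***");
  console.log(JSON.stringify(pClaim, null, " "));
}

/*
 * show result
 */
if (program.verbose)
  console.log("*** JWT/JWS VALIDATION RESULT ***");

// a public key, when given, wins over the (always present) HMAC password
var verifyKey = pubKeyObj !== undefined ? pubKeyObj : pass;
var isValid = rs.jws.JWS.verifyJWT(jwt, verifyKey, acceptField);

if (program.verbose) {
  console.log(' - on: JWS signature validation');
  if (acceptField.alg !== undefined)
    console.log(' - on: check acceptable signature algorithm');
  if (program.verify_at === undefined) {
    console.log(' - on: verify at current time');
  } else {
    console.log(' - on: verify at %j', program.verify_at);
  }
  if (acceptField.iss !== undefined)
    console.log(' - on: check iss in %j', program.accept_iss);
  if (acceptField.sub !== undefined)
    console.log(' - on: check sub in %j', program.accept_sub);
}

if (isValid) {
  console.log('This JWT/JWS is valid.');
} else {
  console.log('This JWT/JWS is *NOT* valid.');
  // exit non-zero so a caller that tests the exit status (shell &&,
  // CI step) cannot mistake a rejected token for a verified one
  process.exitCode = 1;
}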