I am struggling to make a working signature with a certificate which will later be used in a JWT in an RPG program.
We use this version of openssl: "OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)"
First I create a cert.pem and a key.pem which is also the private key with this openssl command:
openssl req -newkey rsa-pss -new -nodes -x509 -days 3650 -pkeyopt rsa_keygen_bits:4096 -sigopt rsa_pss_saltlen:32 -keyout key.pem -out cert.pem
This is how the certificate has to be created. Then I enter the information on screen (Country, State, Name, Email, etc.).
Now I create the signature with these commands:
cd /test && printf "%s" "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJDdXN0b21lSUQiLCJzdWIiOiJDdXN0b21lcklEIiwiYXVkIjoiaHR0cHM6Ly90ZXN0LmNvbSIsImlhdCI6MTczOTI2NjIyOSwiZXhwIjoxNzM5MjY2NTI5LCJuYmYiOjE3MzkyNTYxNjksImp0aSI6IjEyMzQ1NiJ9" \
| openssl dgst -sha256 -binary -sign "key.pem" -out "signature.bin" && openssl enc -base64 -A -in "signature.bin" \
| tr -d '\n=' | tr '+/' '-_' > "signature.bin"
In the printf command there are the JWT header and the JWT payload. Those are example data and are correct according to jwt.io. On the website I also pasted in the private key and the public key, and it says Valid Signature.
But if I use the "cat signature.bin" command and copy the string to jwt.io, I get the "Invalid Signature" error and the message "Seems your JWT signature was not encoded correctly". Same with the token.dev debugger: "Signature verification failed".
What am I missing?
I used this tutorial:
Someone on r/IBMi was able to figure out what was wrong. In short, the RSA-PSS used when generating the cert.pem was the issue. The documentation for the API explicitly shows this command and explicitly says multiple times to use RSA256.
Therefore I selected the RS256 option on jwt.io, and of course that has the wrong format. That was it. Here is the Reddit thread where we figured out what was wrong: r/IBMi
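An added, self-contained reproduction of the cause described in the answer (example code, not the poster's commands and not from the API documentation): it generates a plain RSA key and a PSS-restricted key of the kind `openssl req -newkey rsa-pss` produces, signs the same header.payload with each using `openssl dgst -sign` exactly as in the question, and then verifies with PKCS#1 v1.5 padding forced, which is what an RS256 check on jwt.io amounts to. It assumes an OpenSSL 3 CLI on PATH and a writable temp directory; the directory layout, function names and sample claims are constructed for the example.

```shell
#!/bin/sh
# Added example (not the poster's commands): RS256 means RSA PKCS#1 v1.5 over
# SHA-256. A key generated as rsa-pss can only produce PSS signatures, so the
# resulting JWT never verifies as RS256 even though openssl itself is happy.
set -eu

# base64url without padding (RFC 7515 section 2): stdin -> stdout
b64url() {
  openssl enc -base64 -A | tr '+/' '-_' | tr -d '='
}

# Reverse of b64url: restore '+' '/' and the '=' padding, then decode.
b64url_decode() {
  tr '_-' '/+' \
    | awk '{ n = length($0) % 4; if (n == 2) $0 = $0 "=="; else if (n == 3) $0 = $0 "="; print }' \
    | tr -d '\n' \
    | openssl enc -base64 -d -A
}

# gen_key DIR ALG   (ALG is RSA or RSA-PSS); writes DIR/key.pem and DIR/pub.pem
gen_key() {
  openssl genpkey -algorithm "$2" -pkeyopt rsa_keygen_bits:2048 -out "$1/key.pem" 2>/dev/null
  openssl pkey -in "$1/key.pem" -pubout -out "$1/pub.pem"
}

# key_type DIR -> prints RSA-PSS for a PSS-type key, RSA otherwise.
# openssl's text dump names PSS-type keys explicitly; plain RSA keys never
# contain the string PSS. This is the check to run on the poster's key.pem.
key_type() {
  if openssl pkey -in "$1/key.pem" -noout -text | grep -q 'PSS'; then
    echo RSA-PSS
  else
    echo RSA
  fi
}

# sign_detached DIR SIGNING_INPUT -> prints base64url(signature)
# The binary signature goes to its own file and the text form is captured from
# the pipeline, so no redirect truncates a file that openssl is still reading.
sign_detached() {
  printf '%s' "$2" | openssl dgst -sha256 -sign "$1/key.pem" -out "$1/sig.bin"
  b64url < "$1/sig.bin"
}

# verify_rs256 DIR SIGNING_INPUT B64URL_SIG -> exit 0 only if B64URL_SIG is a
# valid PKCS#1 v1.5 (RS256) signature over SIGNING_INPUT under DIR/pub.pem.
# Forcing the padding mode is what distinguishes RS256 from PS256 here.
verify_rs256() {
  printf '%s' "$3" | b64url_decode > "$1/sig.check"
  printf '%s' "$2" | openssl dgst -sha256 -verify "$1/pub.pem" \
    -sigopt rsa_padding_mode:pkcs1 -signature "$1/sig.check" >/dev/null 2>&1
}

# make_jwt DIR -> prints a complete RS256 JWT for constructed sample claims
make_jwt() {
  header=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  payload=$(printf '%s' '{"iss":"CustomerID","sub":"CustomerID","aud":"https://test.com","exp":4102444800}' | b64url)
  sig=$(sign_detached "$1" "$header.$payload")
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; return 0; }
  for alg in RSA RSA-PSS; do
    d=$(mktemp -d)
    gen_key "$d" "$alg"
    jwt=$(make_jwt "$d")
    input=${jwt%.*}   # header.payload
    sig=${jwt##*.}    # base64url signature
    if verify_rs256 "$d" "$input" "$sig"; then
      result="verifies as RS256"
    else
      result="does NOT verify as RS256 (PSS signature)"
    fi
    echo "$(key_type "$d") key: $result"
    rm -rf "$d"
  done
}

main "$@"
```

Run it and the RSA key reports "verifies as RS256" while the RSA-PSS key does not; `key_type` applied to the poster's key.pem is the quickest way to confirm which case a given key is in. Two smaller points from the question's pipeline also show up here: the signature is computed over the raw bytes of header.payload with no trailing newline (hence `printf '%s'`), and the base64url text is written somewhere other than the binary file it is encoding, because redirecting the last `tr` into "signature.bin" while `openssl enc -in "signature.bin"` reads it truncates the input first on many shells.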