smallstep_full_white

step crypto jws

Name

step crypto jws -- sign and verify data using JSON Web Signature (JWS)

Usage

step crypto jws <subcommand> [arguments] [global-flags] [subcommand-flags]

Description

JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures.

Examples

Create a signed JWS of a message using an Ed25519 private JWK (with line breaks for display purposes only):

$ echo -n message | step crypto jws sign --key ed25519.priv.json
eyJhbGciOiJFZERTQSIsImtpZCI6IjlxaVFZUFU3SHJTOXBYdXpYYzc1WGctMXc5c0JGM2lXVld2cDhieE5oc28ifQ
.
bWVzc2FnZQ
.
ZlJvznC3iE4zhwmnCL74UtHXEUs6pb62vf38GFBLbFMKnIFiOGpAFcNv3es-WvPHYfyIIClAjwCfe505gxz5BQ

Verify and display the message using the public key:

$ echo $TOKEN | step crypto jws verify --key ed25519.pub.json
message

Verify and display a JSON representation of the token, the message is base64 encoded in the payload:

$ echo $TOKEN | step crypto jws verify --key ed25519.pub.json --json
{
  "header": {
    "alg": "EdDSA",
    "kid": "9qiQYPU7HrS9pXuzXc75Xg-1w9sBF3iWVWvp8bxNhso"
  },
  "payload": "bWVzc2FnZQ",
  "signature": "ZlJvznC3iE4zhwmnCL74UtHXEUs6pb62vf38GFBLbFMKnIFiOGpAFcNv3es-WvPHYfyIIClAjwCfe505gxz5BQ"
}

Inspect the content of the JWS without verifying it:

$ echo $TOKEN | step crypto jws inspect --insecure
message

$ echo $TOKEN | step crypto jws inspect --insecure --json
{
  "header": {
    "alg": "EdDSA",
    "kid": "9qiQYPU7HrS9pXuzXc75Xg-1w9sBF3iWVWvp8bxNhso"
  },
  "payload": "bWVzc2FnZQ",
  "signature": "ZlJvznC3iE4zhwmnCL74UtHXEUs6pb62vf38GFBLbFMKnIFiOGpAFcNv3es-WvPHYfyIIClAjwCfe505gxz5BQ"
}

Using a JSON message using an P-256 curve and adding the content type json:

$ echo -n {"dns":"https://dns.example.com"} | step crypto jws sign --key p256.priv.json --cty json
eyJhbGciOiJFUzI1NiIsImN0eSI6Impzb24iLCJraWQiOiJWOTNBLVloN0JodzFXMkUwaWdGY2l2aUp6WDRQWFBzd29WZ3JpZWhtOUNvIn0
.
eyJkbnMiOiJodHRwczovL2Rucy5leGFtcGxlLmNvbSJ9
.
ZI8q75r3PCXeu-Tubw7bHiDGxloPpAHV2hNfEp9N4WM2r3Wsk5uFhAkBTVIqryPtxmAgfRHGnE3hj-3Dp9nZmA

$ echo $TOKEN | step crypto jws verify --key p256.pub.json
{"dns":"https://dns.example.com"}

$ echo $TOKEN | step crypto jws verify --key p256.pub.json --json
{
  "header": {
    "alg": "ES256",
    "cty": "json",
    "kid": "V93A-Yh7Bhw1W2E0igFciviJzX4PXPswoVgriehm9Co"
  },
  "payload": "eyJkbnMiOiJodHRwczovL2Rucy5leGFtcGxlLmNvbSJ9",
  "signature": "ZI8q75r3PCXeu-Tubw7bHiDGxloPpAHV2hNfEp9N4WM2r3Wsk5uFhAkBTVIqryPtxmAgfRHGnE3hj-3Dp9nZmA"
}

Commands

NameUsage
signcreate a signed JWS data structure
inspectreturn the decoded JWS without verification
verifyverify a signed JWS data structure and return the payload