step crypto jws sign

Name

step crypto jws sign -- create a signed JWS data structure

Usage

step crypto jws sign [- | <filename>]
[--alg=<algorithm>] [--jku=<jwk-url>] [--jwk] [--typ=<type>]
[--cty=<content-type>] [--key=<file>] [--jwks=<jwks>] [--kid=<kid>]
[--password-file=<file>] [--x5c-cert=<file>] [--x5c-key=<file>]
[--x5t-cert=<file>] [--x5t-key=<file>]

Description

step crypto jws sign generates a signed JSON Web Signature (JWS) by computing a digital signature or message authentication code for an arbitrary payload. By default, the payload to sign is read from STDIN and the JWS will be written to STDOUT.

For examples, see step help crypto jws.

Options

--alg=algorithm, --algorithm=algorithm The signature or MAC algorithm to use. Algorithms are case-sensitive strings defined in RFC7518. The selected algorithm must be compatible with the key type. This flag is optional. If not specified, the "alg" member of the JWK is used. If the JWK has no "alg" member then a default is selected depending on the JWK key type. If the JWK has an "alg" member and the "alg" flag is passed the two options must match unless the '--subtle' flag is also passed.

algorithm is a case-sensitive string and must be one of:

  • HS256: HMAC using SHA-256 (default for "oct" key type)

  • HS384: HMAC using SHA-384

  • HS512: HMAC using SHA-512

  • RS256: RSASSA-PKCS1-v1_5 using SHA-256 (default for "RSA" key type)

  • RS384: RSASSA-PKCS1-v1_5 using SHA-384

  • RS512: RSASSA-PKCS1-v1_5 using SHA-512

  • ES256: ECDSA using P-256 and SHA-256 (default for "EC" key type)

  • ES384: ECDSA using P-384 and SHA-384

  • ES512: ECDSA using P-521 and SHA-512

  • PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256

  • PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384

  • PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512

  • EdDSA: EdDSA signature algorithm

--jku=jwk-url The "jku" (JWK Set URL) Header Parameter is a URI that refers to a resource for a set of JSON-encoded public keys, one of which corresponds to the key used to digitally sign the JWS. The keys MUST be encoded as a JWK Set (JWK). The protocol used to acquire the resource MUST provide integrity protection; an HTTP GET request to retrieve the JWK Set MUST use Transport Layer Security (TLS); and the identity of the server MUST be validated. Use of jwk-url is optional.

--jwk=jwk The "jwk" (JSON Web Key) Header Parameter is the public key that corresponds to the key used to digitally sign the JWS. This key is represented as a JSON Web Key (JWK). Use of jwk is optional.

--typ=type, --type=type The "typ" (type) Header Parameter is used by JWS applications to declare the media type of this complete JWS. This is intended for use by the application when more than one kind of object could be present in an application data structure that can contain a JWS; the application can use this value to disambiguate among the different kinds of objects that might be present. It will typically not be used by applications when the kind of object is already known. This parameter is ignored by JWS implementations; any processing of this parameter is performed by the JWS application. Use of type is optional.

The "typ" value "JOSE" can be used by applications to indicate that this object is a JWS or JWE using the JWS Compact Serialization or the JWE Compact Serialization. The "typ" value "JOSE+JSON" can be used by applications to indicate that this object is a JWS or JWE using the JWS JSON Serialization or the JWE JSON Serialization. Other type values can also be used by applications.

--cty=content-type The "cty" (content type) Header Parameter is used by JWS applications to declare the media type of the secured content (the payload). This is intended for use by the application when more than one kind of object could be present in the JWS Payload; the application can use this value to disambiguate among the different kinds of objects that might be present. It will typically not be used by applications when the kind of object is already known. This parameter is ignored by JWS implementations; any processing of this parameter is performed by the JWS application. Use of content-type is optional.

--key=file, --x5c-key=file, --x5t-key=file The file containing the key with which to sign the JWS. JWSs can be signed using a private JWK (or a JWK encrypted as a JWE payload) or a PEM encoded private key (or a private key encrypted using the modes described on RFC 1423 or with PBES2+PBKDF2 described in RFC 2898).

--jwks=jwks The JWK Set containing the key to use to sign the JWS. The jwks argument should be the name of a file. The file contents should be a JWK Set or a JWE with a JWK Set payload. The --jwks flag requires the use of the --kid flag to specify which key to use.

--kid=kid The ID of the key used to sign the JWS. The kid argument is a case-sensitive string. When used with '--jwk' the kid value must match the "kid" member of the JWK. When used with --jwks (a JWK Set) the kid value must match the "kid" member of one of the JWKs in the JWK Set.

--password-file=file The path to the file containing the password to encrypt or decrypt the private key.

--x5c-cert=chain Certificate (chain) in PEM format to store in the 'x5c' header of a JWT.

--x5t-cert=file Certificate file in PEM format to use for the 'x5t' header of a JWS or JWT