2021 Feb 11 1:25 PM
Hello ABAP Crypto Enthusiasts,
I'm looking for an ABAP functionality that would be able to verify this JWT (JSON Web Token, of course not valid anymore 🙂):
eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vMDdmYzE5YWJ0cmlhbC5hdXRoZW50aWNhdGlvbi5ldTEwLmhhbmEub25kZW1hbmQuY29tL3Rva2VuX2tleXMiLCJraWQiOiJkZWZhdWx0LWp3dC1rZXktMTY5NzAzNzA5MiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI2M2FiZjU1YzNiYTg0OWI1ODIzMjFiMDBlNGM1ZDg5ZCIsImV4dF9hdHRyIjp7ImVuaGFuY2VyIjoiWFNVQUEiLCJzdWJhY2NvdW50aWQiOiIzNjZhZTIzOC00M2YxLTQ2YTctOGEyZC00Nzg0MWIzODJmNDEiLCJ6ZG4iOiIwN2ZjMTlhYnRyaWFsIn0sInhzLnN5c3RlbS5hdHRyaWJ1dGVzIjp7InhzLnJvbGVjb2xsZWN0aW9ucyI6WyJLeW1hQWRtaW4iLCJTdWJhY2NvdW50IEFkbWluaXN0cmF0b3IiLCJMYXVuY2hwYWRfQWRtaW4iLCJTQVAgV2ViIEFuYWx5dGljcyBhZG1pbiIsImJvb2tzaG9wLXVzZXIiLCJ-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.at86qRBUeBUDj81WmD37-YQnoNX2ujuPfEmMe9PKVrdlblArU2r_j-MGGAEwRvITmr-73siL4VAb9s-i1kP5x309F7HkmwH0RqiVGGtnLeKf8HLWGW0ceJF8cVvgqKxXMRhI23WN6jS4EQ2wFhCO1nALgGpuDLsJ4TQV-XZhNZXksxQpR_pAIVkxWkjdOXeup7cq7O19WqVex7xGHJN_9vzb8HB2SdvQxbCl3YspljnJ5Z1Z10XC6AsQDYiP-l60-VzmR_8GA3O7sO_13PruFVXkDaa5YSO_XfLiXxTZH3PtBjnLgW0mOclhJTYMmgQtwH7ATfn5S36IFWWLh9o0_g
the Public Key for this token is:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtBT8yKkqmpEdeM3HHKhd
z5kKSjpSHAbuByU66L7u9RcLzx56ESQPhUye+6BVWK/WrKFyPhgI8vbE5Nu9j4JM
e4V1vdufc/3QSoEXBruHUO2ZhC0s7GvNKQQbgbUpYFhGcUZLtusWZSeOkNV5N18n
eil3rdvPn8JLDMP77FN1KqIjpNopJB4+gpC0NJ2KJc4cM0N6WeX1U/9Cy+IaZjvt
5RO7+YJLeABYnp/4e8LcKULgMG9FtAGoCruX2u+S0e2eiAgEoDAGxi0pkVQp4eg0
12lzJetTfQAVQw5zn+vTwC8c0tG6gmu2S8OsHxeMlrZOJrLBTc8MPi0yGtDvNjLb
mQIDAQAB
-----END PUBLIC KEY-----
When you decode the token you find that it uses the algorithm RS256. This algorithm uses:
SIG-ALGORITHMS: RSASSA with Padding Mode: PKCS1-v1_5 and SHA-256 as the hash function. To check the signature I would basically need a way to use i.e. SAPCRYPTOLIB or an ABAP implementation of this method:
lars.hvam pointed me to his abapPGP project, which re-uses the AES project. But it seems they do not implement this method.
Maybe wolfgang.janzen or frank.buchholz can provide some input.
Best regards
Gregor
2021 Feb 11 4:09 PM
It's been about three years since I did actual crypto with ABAP. The AES project looks similar, but honestly, I don't remember whether I actually tried/used it or something different. I did AES, but I have no access to the docs anymore, nor the code.
As a side note: don't rely on the "alg" field in the JWT header (check out 'Meet the "none" Algorithm').
Would be cool if the ABAP stack could provide JWT based authentication layer (similarly to SAML and x509)
And would be cool if ABAP would provide a straight away way to use cryptography methods.
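Gregor's post describes the check precisely (RSASSA-PKCS1-v1_5 with SHA-256 over the `header.payload` bytes), and Robert's reply adds the caveat that the header's `alg` must not be trusted. The block below is an added example, not code from either poster: it is a reference implementation in plain Python (no third-party library) of what an ABAP solution built on SAPCRYPTOLIB or SSFW_KRN_VERIFY has to reproduce, so its output can serve as a known-good oracle when testing the ABAP side. It parses the PEM public key posted in the thread with a minimal DER reader, pins the expected algorithm instead of reading it from the token, and checks the recovered encoding against RFC 8017's EMSA-PKCS1-v1_5 in constant time. Because the token in the thread is truncated, the positive case uses a constructed demo key built from two well-known Mersenne primes; that key is an assumption of this example only and is worthless for real use.

```python
import base64
import hashlib
import hmac
import json

# RSA public key posted in the thread (PEM SubjectPublicKeyInfo).
PAGE_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtBT8yKkqmpEdeM3HHKhd
z5kKSjpSHAbuByU66L7u9RcLzx56ESQPhUye+6BVWK/WrKFyPhgI8vbE5Nu9j4JM
e4V1vdufc/3QSoEXBruHUO2ZhC0s7GvNKQQbgbUpYFhGcUZLtusWZSeOkNV5N18n
eil3rdvPn8JLDMP77FN1KqIjpNopJB4+gpC0NJ2KJc4cM0N6WeX1U/9Cy+IaZjvt
5RO7+YJLeABYnp/4e8LcKULgMG9FtAGoCruX2u+S0e2eiAgEoDAGxi0pkVQp4eg0
12lzJetTfQAVQw5zn+vTwC8c0tG6gmu2S8OsHxeMlrZOJrLBTc8MPi0yGtDvNjLb
mQIDAQAB
-----END PUBLIC KEY-----"""
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 sect. 9.2

# Constructed demo signing key (assumption of this example): two public Mersenne primes, so no
# key generation is needed. Anyone can rebuild it, so it only exists to exercise verify_rs256.
_P, _Q, _E = (1 << 521) - 1, (1 << 607) - 1, 65537
DEMO_KEY = {"n": _P * _Q, "e": _E, "d": pow(_E, -1, (_P - 1) * (_Q - 1))}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key_pem(pem: str):
    """Return (n, e) from a PEM SubjectPublicKeyInfo that carries an rsaEncryption key."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    tag, spki, _ = _der_read(base64.b64decode(body), 0)   # SubjectPublicKeyInfo SEQUENCE
    _, alg_id, pos = _der_read(spki, 0)                    # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _der_read(alg_id, 0)
    if tag != 0x30 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bit_string, _ = _der_read(spki, pos)              # BIT STRING; first byte = unused bits
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsa_pub, _ = _der_read(bit_string[1:], 0)           # RSAPublicKey SEQUENCE { n, e }
    _, n_bytes, pos = _der_read(rsa_pub, 0)
    _, e_bytes, _ = _der_read(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _emsa_pkcs1_v1_5(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus: 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_rs256(token: str, n: int, e: int) -> bool:
    """Verify a compact JWT with RSASSA-PKCS1-v1_5/SHA-256 under (n, e); alg is pinned to RS256."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(b64url_decode(h64)), b64url_decode(s64)
    except ValueError:  # wrong segment count, bad base64url, bad JSON/UTF-8
        return False
    if not isinstance(header, dict) or header.get("alg") != "RS256":  # rejects "none", HS256, ...
        return False
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")                   # RSAVP1: recover the encoded message
    expected = _emsa_pkcs1_v1_5(f"{h64}.{p64}".encode("ascii"), k)
    return hmac.compare_digest(em, expected)                # constant-time comparison


def sign_rs256(claims: dict, key: dict) -> str:
    """Issue a token with the demo key so that verify_rs256 has a genuine positive case."""
    h64 = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v1_5(f"{h64}.{p64}".encode("ascii"), k), "big")
    return f"{h64}.{p64}." + b64url_encode(pow(m, key["d"], key["n"]).to_bytes(k, "big"))


if __name__ == "__main__":
    n, e = parse_rsa_public_key_pem(PAGE_PUBLIC_KEY_PEM)
    print(f"thread key: e={e}, modulus={n.bit_length()} bits")
    token = sign_rs256({"sub": "demo-user"}, DEMO_KEY)
    print("genuine token verifies:", verify_rs256(token, DEMO_KEY["n"], DEMO_KEY["e"]))
    h64, p64, _ = token.split(".")
    forged = b64url_encode(b'{"alg":"none"}') + "." + p64 + "."
    print("alg=none token verifies:", verify_rs256(forged, DEMO_KEY["n"], DEMO_KEY["e"]))
```

Two points carry over to any ABAP port: the verifier must compare the full recovered encoding (including the `00 01 FF..FF 00` padding and the DigestInfo prefix) rather than just the trailing hash bytes, and the expected algorithm and key must be chosen by the verifier from its own configuration, with the token's `alg` and `kid` used at most to select among keys it already trusts.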
2022 Feb 22 10:43 AM
Dear Mr. Robert Stefanov,
I have the same scenario and still cannot verify correctly.
Could you show me an example of how to use FM SSFW_KRN_VERIFY?
I've been trying to use it but still have no luck; it would be really helpful if you could show me an example.
Here is my post:
https://answers.sap.com/questions/13590628/how-to-use-fm-ssfw-krn-verify-to-verify-rsa-sha256.html
Thanks & regards,
Joeky Hartanto