RE: base64 URL decode - for jwt -- MIDRANGE-L

For what it’s worth, character fields defined as CCSID(*HEX) don’t do any conversions.

Dcl-s Variable Char(32760) Ccsid(*HEX);

Example with HmacSHA512:
Dcl-s toSign varchar(4096) Ccsid(*utf8);
Dcl-s oneTimeSecret varchar(128) Ccsid(*utf8);
Dcl-s Key Char(64) Ccsid(*hex);
Dcl-s encoded_key char(4096);

…
Load string toSign
Load string oneTimeSecret
…

Key = HmacSHA512( toSign : oneTimeSecret );

len = base64_encode( %Addr( Key ) : %Size( Key ) : %Addr( encoded_key ) : %Size( encoded_key ) );

accessKey = shared +':' + %Subst( encoded_key : 1 : len );
….
Headers += 'Authorization: AccessKey ' + AccessKey + LE;

// --------------------------------------------------
// Procedure name: HmacSHA512
// Purpose: generate HMAC hash from input
// To account for CCSID conversions, this procedure assumes
// all input is already in the desired CCSID.
// Returns: HMAC Hash
// Parameter: message raw character stream
// Parameter: passphrase raw character stream
// --------------------------------------------------
Dcl-Proc HmacSHA512;
Dcl-Pi *N Char(64) Ccsid(*Hex);
message Varchar(32767) Const Ccsid(*Hex);
passphrase Varchar(128) Const Ccsid(*Hex);
End-pi;
Dcl-ds Qc3_Format_ALGD0500_T Qualified Template;
Hash_Alg Int(10);
End-ds;

Dcl-ds Qc3_Format_KEYD0200_T Qualified Template;
Key_Type Int(10);
Key_String_Len Int(10);
Key_Format Char(1);
Reserved1 Char(3);
Key_String Char(128) Ccsid(*hex);
End-ds;

// Qc3CalculateHMAC Caculate the HMAC.
// It is important to note that "datatohash" is CCSID(*HEX) so the system
// doesn't "Help" us by converting the data into CCSID 37 prior to the call.
// The Key String is also defined as CCSID(*HEX) so that it isn't converted either.
// This allows us to pass strings that have already been set to our desired ccsid.
Dcl-Pr GetHMAC ExtProc('Qc3CalculateHMAC');
datatohash Char(32767) const options(*varsize) ccsid(*hex);
pinDataLen Int(10) const;
pinFormat Char(8) const;
palgDesc Char(32767) OPTIONS(*VARSIZE) Const;
palgDescFmt Char(8) const;
pkeyDesc Char(32767) const options(*varsize);
pkeyDescFmt Char(8) const;
pcryptoProv Char(1) const;
pcryptoDev Char(10) const;
pHMAC Char(64) options(*varsize);
pErrorCode Char(32767) options(*varsize);
End-Pr;
// FROM:: /COPY QSYSINC/H,QC3CCI
Dcl-c Qc3_MD5 1 ;
Dcl-c Qc3_SHA1 2 ;
Dcl-c Qc3_SHA256 3 ;
Dcl-c Qc3_SHA384 4 ;
Dcl-c Qc3_SHA512 5 ;
Dcl-c Qc3_MD2 6 ;
Dcl-c Qc3_SHA224 7 ;
Dcl-c Qc3_SHA3_224 8 ;
Dcl-c Qc3_SHA3_256 9 ;
Dcl-c Qc3_SHA3_384 11 ;
Dcl-c Qc3_SHA3_512 12 ;
// Length of HMAX defined by algorithm.
// MD5 16 bytes
// SHA-1 20 bytes
// SHA-256 32 bytes
// SHA-384 48 bytes
// SHA-512 64 bytes
Dcl-ds alg likeds(Qc3_Format_ALGD0500_T);
Dcl-DS KeyFormat Likeds(Qc3_Format_KEYD0200_T);
// Dcl-s lkeydata_p pointer inz(%Addr(Keyformat.Key_String));
// Dcl-s lkeydata Char(1000) Ccsid(*UTF8) based(lkeydata_p);
Dcl-ds Errords Likeds(Apierrords);
Dcl-s Outhash char(64) Ccsid(*Hex);

//var key = cryptojs.HmacSHA512(toSign, oneTimeSecret);

OutHash = *Allx'00';
KeyFormat = *Allx'00';
KeyFormat.Key_Type = Qc3_SHA512;
KeyFormat.Key_String_Len = %Len(passphrase);
// The Minimum key length is defined based on the type of HASH.
// For Qc3_SHA512 the minimum is 64
If KeyFormat.Key_String_Len < 64;
KeyFormat.Key_String_Len = 64;
Endif;
KeyFormat.Key_Format= '0';
// This allows the key to be padded with NULs
KeyFormat.Key_String = *Allx'00';
%Subst( KeyFormat.Key_String : 1 : %Len(passphrase) ) = passphrase;

Errords = *AllX'00';
Errords.Bytespass = %Size(Errords);

alg.Hash_Alg = Qc3_SHA512;
Callp GetHMAC(
message
: %Len(message)
: 'DATA0100'
: alg
: 'ALGD0500'
: KeyFormat
: 'KEYD0200'
: '0'
: ''
: Outhash
: Errords );

Return OutHash;

End-proc;

--
Chris Hiebert
Lead Software Developer
Disclaimer: Any views or opinions presented are solely those of the author and do not necessarily represent those of the company.

From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Daniel Gross
Sent: Wednesday, March 5, 2025 12:49 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Re: base64 URL decode - for jwt

In the end I even had a overlapping DS where a "binary" character field was overlapped with an UTF-8 character field, because I didn't find a way to "move" the value without mixing it up - but I think that was only the SHA-256 API.