Re: Attempting to use Crypto APIs to verify JWT signature

Thanks for the reply Jon... The proto and data structures definitions as well as a snippet of the API call is included below.

At this point, I'm just trying to prove that it will or will not work, so the strings are hard-coded in the call right now. Once I get the code working, the program will be receiving the data in web service calls. The strings below are partially copied to show what I'm trying to do.

dcl-pr VerifySig extpgm('QC3VFYSG');
Sig char(1024) const;
SigLen int(10) const;
InpData char(1024) const;
InpDataLen int(10) const;
InpDataFormat char(8) const;
AlgorithmDesc char(100) const;
AlgDescFormatName char(8) const;
KeyDesc Char(2048) const;
KeyDescFormatName char(8) const;
CryptoProvider Char(1) const;
CryptoDevice char(10) const;
ErrorCode char(10);
END-PR;

dcl-ds ALGD0400;
PKCipher int(10) inz(50);
PKABlock char(1) inz('1');
Reserved char(3) inz(x'000000');
SignHash int(10) inz(3);
END-DS;

dcl-ds KEYD0200;
KeyType int(10) inz(50);
KeyStrLen int(10) inz(2768);
KeyFormat char(1) inz('1');
Reserved1 char(3) inz(x'000000');
KeyString char(1036);
END-DS;

Verifysig(
'5257686a617a4974636b45774f574e4b656d786d56564a6f524531774c56646a57473166644639'
+ '6b624331314d45317361544e6c654752324d556834574468704e7a64344e565a6d526c424e4e6e'
: 911
: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZ'
+ 'nF1RSIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.eyJub25jZSI6IjYzNjA3M'
: 601
: 'DATA0100'
: ALGD0400
: 'ALGD0400'
: KEYD0200
: 'KEYD0200'
: '0'
: CryptoDev
: ErrStr);

*inlr = *on;


-----Original Message-----
From: RPG400-L <rpg400-l-bounces@xxxxxxxxxxxx> On Behalf Of Jon Paris
Sent: Friday, August 3, 2018 11:41 AM
To: Rpg400 Rpg400-L <rpg400-l@xxxxxxxxxxxx>
Subject: [EXTERNAL] Re: Attempting to use Crypto APIs to verify JWT signature

It would help us see what might be wrong if you show us your proto and data definitions Doug.


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Aug 3, 2018, at 11:29 AM, Bak, Doug (LMF) <Doug.Bak@xxxxxxxxxxxxxx> wrote:

I'd like to be able to natively verify a JWT signature using the Crypto APIs, and after reading the API doc for Qc3VerifySignature, I'm not sure how to implement it. According to the doc, parm 1 is the signature, parm 3, I believe is the Base64URL encoded header and payload of the JWT. I'm at the point of receiving CPF9DDB - The key string or Diffie-Hellman parameter string is not valid.

Could someone familiar verify my understanding of the API doc please? Since the tokens are constructed in ASCII, I'm half thinking it's an encoding issue, but before I make too many assumptions, I wanted get other opinions.

Parms:
Signature - Base64Url decoded bytes of the JWT Signature. (Should be
Ascii?) Length of Signature - Length of the Signature string Input
Data - Base64URL encoded string of the JWT header and Payload
(Ascii?/Ebcdic?) Length of Input data - string length of Input data
Input Data Format - 'DATA0100'
Algorithm Description - DataStructure (ALGD0400)
PK Cipher Alg - 50 (RSA)
PKA Block Fmt - '1' (PKCS #1 Block type 1)
Reserved - x'000000'
Signing Hash - 3 (SHA-256)
Algorithm desc Format - 'ALGD0400'
Key desc - Data Structure (KEYD0200)
Key Type - 50 (RSA public)
Key String Len - Length of KeyString
Key Format - '1' (BER string) - Ascii?/Ebcdic?
Reserved - x'000000'
KeyString - BER
encoded x.509 certificate (I think this is the x5c value from the OpenID Connect JWKS info) Key desc Format - 'KEYD0200'
Crypto Provider '0'
Crypto Device Name - *null
Error Code

Thanks,
Doug
--
This is the RPG programming on the IBM i (AS/400 and iSeries)
(RPG400-L) mailing list To post a message email: RPG400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.midrange.co
m_mailman_listinfo_rpg400-2Dl&d=DwICAg&c=TRM22a2q2ENZDxdZ_Nz-0OCGEspXT
WPuaB6Jil0RfKE&r=o-YzpsmRCPgZlWO4EB4wsOj50O0KPLUTK9BP-UzK-UQ&m=WKzmEnO
Q8Iy3E088u3-CBsyXGLnSlYN5xDvpts05i-4&s=OdgJgGIyX2u5Q06gRDZI-N7CRNEfiMe
LqswOFyXgiyk&e= or email: RPG400-L-request@xxxxxxxxxxxx Before
posting, please take a moment to review the archives at
https://urldefense.proofpoint.com/v2/url?u=https-3A__archive.midrange.com_rpg400-2Dl&d=DwICAg&c=TRM22a2q2ENZDxdZ_Nz-0OCGEspXTWPuaB6Jil0RfKE&r=o-YzpsmRCPgZlWO4EB4wsOj50O0KPLUTK9BP-UzK-UQ&m=WKzmEnOQ8Iy3E088u3-CBsyXGLnSlYN5xDvpts05i-4&s=GHsi9cxBOcskrXsqKpQe-ISop2chO5jqDog6tN91nhk&e= .

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link:
https://urldefense.proofpoint.com/v2/url?u=http-3A__amzn.to_2dEadiD&d=
DwICAg&c=TRM22a2q2ENZDxdZ_Nz-0OCGEspXTWPuaB6Jil0RfKE&r=o-YzpsmRCPgZlWO
4EB4wsOj50O0KPLUTK9BP-UzK-UQ&m=WKzmEnOQ8Iy3E088u3-CBsyXGLnSlYN5xDvpts0
5i-4&s=kcaXqGMBlNNsRgOJ5toMyiOnjziIdowkO-yPor74eBo&e=

--
This is the RPG programming on the IBM i (AS/400 and iSeries) (RPG400-L) mailing list To post a message email: RPG400-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.midrange.com_mailman_listinfo_rpg400-2Dl&d=DwICAg&c=TRM22a2q2ENZDxdZ_Nz-0OCGEspXTWPuaB6Jil0RfKE&r=o-YzpsmRCPgZlWO4EB4wsOj50O0KPLUTK9BP-UzK-UQ&m=WKzmEnOQ8Iy3E088u3-CBsyXGLnSlYN5xDvpts05i-4&s=OdgJgGIyX2u5Q06gRDZI-N7CRNEfiMeLqswOFyXgiyk&e=
or email: RPG400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at https://urldefense.proofpoint.com/v2/url?u=https-3A__archive.midrange.com_rpg400-2Dl&d=DwICAg&c=TRM22a2q2ENZDxdZ_Nz-0OCGEspXTWPuaB6Jil0RfKE&r=o-YzpsmRCPgZlWO4EB4wsOj50O0KPLUTK9BP-UzK-UQ&m=WKzmEnOQ8Iy3E088u3-CBsyXGLnSlYN5xDvpts05i-4&s=GHsi9cxBOcskrXsqKpQe-ISop2chO5jqDog6tN91nhk&e= .

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: https://urldefense.proofpoint.com/v2/url?u=http-3A__amzn.to_2dEadiD&d=DwICAg&c=TRM22a2q2ENZDxdZ_Nz-0OCGEspXTWPuaB6Jil0RfKE&r=o-YzpsmRCPgZlWO4EB4wsOj50O0KPLUTK9BP-UzK-UQ&m=WKzmEnOQ8Iy3E088u3-CBsyXGLnSlYN5xDvpts05i-4&s=kcaXqGMBlNNsRgOJ5toMyiOnjziIdowkO-yPor74eBo&e=