Attempting to use Crypto APIs to verify JWT signature

I was able to make some headway with this, but I'm now at the point of calling Qc3VerifySignature and its returning CPF9DDA - "Unexpected return code &1." According to the doc, PEM certificates are ASCII encoded, which is the case... I'm retrieving the certificate data (PEM String) from the server that created the signature. I've tried using with the Header ('-----BEGIN CERTIFICATE-----') and Trailer ('-----END CERTIFICATE-----'), with and without carriage return/Linefeeds, made sure the data is using ASCII (verified in debug).

1) How can I retrieve the value of &1?
2) I'm assuming that parm 2 of the Create Key Context API should be set to 256... the doc states the Length of Key String should be "If key format is 6 (PEM certificate) then the key length will be the length specified in the certificate." The certificate shows 2048 bits, so I've tried 2048, 256 (bytes) and even the length of the entire certificate string, all with the same CPF9DDA as a result of calling the Verify Signature API.

Also, just to clarify, I'm using the ASCII values of the decoded signature as well as the string used to create the signature.

My data structure appears to be correct:

dcl-ds KEYD0600;
PemLength int(10);
PemReserved char(4) inz(x'00000000');
KeyString Char(2048);
END-DS;

At runtime, I'm setting PemLength to the length of the data read and populating KeyString with the data read prior to calling the API.

Any and all suggestions would be appreciated!

-----Original Message-----
From: RPG400-L <rpg400-l-bounces@xxxxxxxxxxxx> On Behalf Of Jon Paris
Sent: Friday, August 3, 2018 11:41 AM
To: Rpg400 Rpg400-L <rpg400-l@xxxxxxxxxxxx>
Subject: [EXTERNAL] Re: Attempting to use Crypto APIs to verify JWT signature

It would help us see what might be wrong if you show us your proto and data definitions Doug.


Jon Paris

www.partner400.com
www.SystemiDeveloper.com

On Aug 3, 2018, at 11:29 AM, Bak, Doug (LMF) <Doug.Bak@xxxxxxxxxxxxxx> wrote:

I'd like to be able to natively verify a JWT signature using the Crypto APIs, and after reading the API doc for Qc3VerifySignature, I'm not sure how to implement it. According to the doc, parm 1 is the signature, parm 3, I believe is the Base64URL encoded header and payload of the JWT. I'm at the point of receiving CPF9DDB - The key string or Diffie-Hellman parameter string is not valid.

Could someone familiar verify my understanding of the API doc please? Since the tokens are constructed in ASCII, I'm half thinking it's an encoding issue, but before I make too many assumptions, I wanted get other opinions.

Parms:
Signature - Base64Url decoded bytes of the JWT Signature. (Should be
Ascii?) Length of Signature - Length of the Signature string Input
Data - Base64URL encoded string of the JWT header and Payload
(Ascii?/Ebcdic?) Length of Input data - string length of Input data
Input Data Format - 'DATA0100'
Algorithm Description - DataStructure (ALGD0400)
PK Cipher Alg - 50 (RSA)
PKA Block Fmt - '1' (PKCS #1 Block type 1)
Reserved - x'000000'
Signing Hash - 3 (SHA-256)
Algorithm desc Format - 'ALGD0400'
Key desc - Data Structure (KEYD0200)
Key Type - 50 (RSA public)
Key String Len - Length of KeyString
Key Format - '1' (BER string) - Ascii?/Ebcdic?
Reserved - x'000000'
KeyString - BER
encoded x.509 certificate (I think this is the x5c value from the OpenID Connect JWKS info) Key desc Format - 'KEYD0200'
Crypto Provider '0'
Crypto Device Name - *null
Error Code

Thanks,
Doug
--
This is the RPG programming on the IBM i (AS/400 and iSeries)
(RPG400-L) mailing list To post a message email: RPG400-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.midrange.co
m_mailman_listinfo_rpg400-2Dl&d=DwICAg&c=TRM22a2q2ENZDxdZ_Nz-0OCGEspXT
WPuaB6Jil0RfKE&r=o-YzpsmRCPgZlWO4EB4wsOj50O0KPLUTK9BP-UzK-UQ&m=WKzmEnO
Q8Iy3E088u3-CBsyXGLnSlYN5xDvpts05i-4&s=OdgJgGIyX2u5Q06gRDZI-N7CRNEfiMe
LqswOFyXgiyk&e= or email: RPG400-L-request@xxxxxxxxxxxx Before
posting, please take a moment to review the archives at
https://urldefense.proofpoint.com/v2/url?u=https-3A__archive.midrange.com_rpg400-2Dl&d=DwICAg&c=TRM22a2q2ENZDxdZ_Nz-0OCGEspXTWPuaB6Jil0RfKE&r=o-YzpsmRCPgZlWO4EB4wsOj50O0KPLUTK9BP-UzK-UQ&m=WKzmEnOQ8Iy3E088u3-CBsyXGLnSlYN5xDvpts05i-4&s=GHsi9cxBOcskrXsqKpQe-ISop2chO5jqDog6tN91nhk&e= .

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link:
https://urldefense.proofpoint.com/v2/url?u=http-3A__amzn.to_2dEadiD&d=
DwICAg&c=TRM22a2q2ENZDxdZ_Nz-0OCGEspXTWPuaB6Jil0RfKE&r=o-YzpsmRCPgZlWO
4EB4wsOj50O0KPLUTK9BP-UzK-UQ&m=WKzmEnOQ8Iy3E088u3-CBsyXGLnSlYN5xDvpts0
5i-4&s=kcaXqGMBlNNsRgOJ5toMyiOnjziIdowkO-yPor74eBo&e=

--
This is the RPG programming on the IBM i (AS/400 and iSeries) (RPG400-L) mailing list To post a message email: RPG400-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.midrange.com_mailman_listinfo_rpg400-2Dl&d=DwICAg&c=TRM22a2q2ENZDxdZ_Nz-0OCGEspXTWPuaB6Jil0RfKE&r=o-YzpsmRCPgZlWO4EB4wsOj50O0KPLUTK9BP-UzK-UQ&m=WKzmEnOQ8Iy3E088u3-CBsyXGLnSlYN5xDvpts05i-4&s=OdgJgGIyX2u5Q06gRDZI-N7CRNEfiMeLqswOFyXgiyk&e=
or email: RPG400-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at https://urldefense.proofpoint.com/v2/url?u=https-3A__archive.midrange.com_rpg400-2Dl&d=DwICAg&c=TRM22a2q2ENZDxdZ_Nz-0OCGEspXTWPuaB6Jil0RfKE&r=o-YzpsmRCPgZlWO4EB4wsOj50O0KPLUTK9BP-UzK-UQ&m=WKzmEnOQ8Iy3E088u3-CBsyXGLnSlYN5xDvpts05i-4&s=GHsi9cxBOcskrXsqKpQe-ISop2chO5jqDog6tN91nhk&e= .

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: https://urldefense.proofpoint.com/v2/url?u=http-3A__amzn.to_2dEadiD&d=DwICAg&c=TRM22a2q2ENZDxdZ_Nz-0OCGEspXTWPuaB6Jil0RfKE&r=o-YzpsmRCPgZlWO4EB4wsOj50O0KPLUTK9BP-UzK-UQ&m=WKzmEnOQ8Iy3E088u3-CBsyXGLnSlYN5xDvpts05i-4&s=kcaXqGMBlNNsRgOJ5toMyiOnjziIdowkO-yPor74eBo&e=