| -rw-r--r-- | Makefile | 4 | ||||
| -rw-r--r-- | README | 3 | ||||
| -rwxr-xr-x | bin/jwt-decode.sh | 73 |
3 files changed, 80 insertions, 0 deletions
@@ -7,6 +7,7 @@ install: install -d $(DESTDIR)/usr/bin install bin/chmod-x.sh $(DESTDIR)/usr/bin/ install bin/git-update-all.sh $(DESTDIR)/usr/bin/ + install bin/jwt-decode.sh $(DESTDIR)/usr/bin/ install bin/tmux-session.sh $(DESTDIR)/usr/bin/ install bin/wg-activate.sh $(DESTDIR)/usr/bin/ @@ -19,3 +20,6 @@ uninstall: rm -f $(DESTDIR)/etc/bash_completion.d/tmux-session rm -f $(DESTDIR)/usr/bin/wg-activate.sh rm -f $(DESTDIR)/usr/bin/tmux-session.sh + rm -f $(DESTDIR)/usr/bin/jwt-decode.sh + rm -f $(DESTDIR)/usr/bin/git-update-all.sh + rm -f $(DESTDIR)/usr/bin/chmod-x.sh @@ -11,6 +11,9 @@ may not an executable. *git-update-all.sh*:: Script fetch the latest commits from all git repositories under a directory. +*jwt-decode.sh*:: +Script to decode JWT with optional secret to check for signature. + *tmux-session.sh*:: Script to open new tmux session with start directory based on configuration in `~/.tmux.session`. diff --git a/bin/jwt-decode.sh b/bin/jwt-decode.sh new file mode 100755 index 0000000..5e47adf --- /dev/null +++ b/bin/jwt-decode.sh 
@@ -0,0 +1,73 @@
+#!/bin/sh
+## SPDX-FileCopyrightText: 2022 M. Shulhan <ms@kilabit.info>
+## SPDX-License-Identifier: GPL-3.0-or-later
+
+## depends=(jq openssl)
+
+## Script to decode JWT.
+##
+## Usage:
+##
+## $ jwt_decode.sh $token [$secret]
+##
+## The $secret argument is optional, if its given it will check the signature
+## is matched or not.
+
+base64_decode() {
+ len=$((${#1} % 4))
+ case $len in
+ 2)
+ str="$1"'==' ;;
+ 3)
+ str="$1"'=' ;;
+ *)
+ str="$1" ;;
+ esac
+ echo -n $str | openssl enc -d -a -A
+}
+
+jwt=$1
+secret=$2
+
+if [[ -z $jwt ]]; then
+ echo "Missing token"
+ exit 1
+fi
+
+header_b64=$(echo -n $jwt | cut -d '.' -f 1)
+header=$(base64_decode "$header_b64")
+
+payload_b64=$(echo -n $jwt | cut -d '.' -f 2)
+payload=$(base64_decode "$payload_b64")
+
+sign=$(echo -n $jwt | cut -d '.' -f 3)
+
+expired_at=$(echo $PAY | jq '.exp')
+if [[ -n "$expired_at" ]]; then
+ expired_at=$(date -d @${expired_at} --rfc-3339=seconds)
+fi
+
+issued_at=$(echo $PAY | jq '.iat')
+if [[ -n "$issued_at" ]]; then
+ issued_at=$(date -d @${issued_at} --rfc-3339=seconds)
+fi
+
+echo "Header: $header"
+echo "Payload: $payload"
+echo "Issued at: $issued_at"
+echo "Expired at: $expired_at"
+
+## Check the signature using secret.
+if [[ -n "$secret" ]]; then
+ got_sign=$(echo -n "$header_b64"."$payload_b64" \
+ | openssl dgst -sha256 -hmac secret -binary | base64)
+ got_sign=${got_sign%=}
+
+ if [[ "$sign" == "$got_sign" ]]; then
+ echo "Signature: PASS"
+ else
+ echo "Signature: FAIL"
+ fi
+else
+ echo "Signature: SKIP"
+fi
|
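Review bot: The signature check passes the literal string `secret` to `openssl dgst -hmac` instead of `"$secret"`, so the PASS/FAIL line never reflects the key the user supplied, and a token signed with the key "secret" can report PASS whatever is given as `$2`. The computed digest is also standard base64 while the JWT signature segment is base64url, so even with the right key a signature containing `+` or `/` compares unequal; `base64_decode` has the mirror-image gap for `-` and `_` in the header and payload. The `exp`/`iat` lookups read `$PAY`, which is never set in this file, where `$payload` looks intended. The check assumes HS256 without reading `alg` from the header, and the secret is visible in the process list both as `$2` and as the `-hmac` argument, which is worth a line in the usage comment. The shebang is `/bin/sh` while the script relies on `[[ … ]]` and `echo -n`, neither of which POSIX sh guarantees.

```shell
base64_decode() {
	# … unchanged: padding of "$1" into $str …
	# JWT segments are base64url: map the URL-safe alphabet back before decoding.
	printf '%s' "$str" | tr '_-' '/+' | openssl enc -d -a -A
}
# … unchanged: argument handling and token splitting …
expired_at=$(printf '%s' "$payload" | jq '.exp')
# … unchanged: date formatting, output; iat reads "$payload" the same way …
	# Key comes from the caller; output is converted to unpadded base64url
	# so it can be compared with the token's third segment.
	got_sign=$(printf '%s' "$header_b64.$payload_b64" \
		| openssl dgst -sha256 -hmac "$secret" -binary \
		| base64 | tr '/+' '_-' | tr -d '=')
	# … unchanged: comparison with $sign …
```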
