From c5214428f873ea124eb848a14907ac7a6dd210aa Mon Sep 17 00:00:00 2001
From: Shulhan
Date: Sun, 18 Sep 2022 03:16:20 +0700
Subject: all: add script jwt-decode.sh
The script decode JWT with optional secret to check for signature.
---
Makefile | 4 +++
README | 3 +++
bin/jwt-decode.sh | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 80 insertions(+)
create mode 100755 bin/jwt-decode.sh
diff --git a/Makefile b/Makefile
index cc38f44..0577255 100644
--- a/Makefile
+++ b/Makefile
@@ -7,6 +7,7 @@ install:
 install -d $(DESTDIR)/usr/bin
 install bin/chmod-x.sh $(DESTDIR)/usr/bin/
 install bin/git-update-all.sh $(DESTDIR)/usr/bin/
+ install bin/jwt-decode.sh $(DESTDIR)/usr/bin/
 install bin/tmux-session.sh $(DESTDIR)/usr/bin/
 install bin/wg-activate.sh $(DESTDIR)/usr/bin/
@@ -19,3 +20,6 @@ uninstall:
 rm -f $(DESTDIR)/etc/bash_completion.d/tmux-session
 rm -f $(DESTDIR)/usr/bin/wg-activate.sh
 rm -f $(DESTDIR)/usr/bin/tmux-session.sh
+ rm -f $(DESTDIR)/usr/bin/jwt-decode.sh
+ rm -f $(DESTDIR)/usr/bin/git-update-all.sh
+ rm -f $(DESTDIR)/usr/bin/chmod-x.sh
diff --git a/README b/README
index 4fd3a5f..2a9b6c6 100644
--- a/README
+++ b/README
@@ -11,6 +11,9 @@ may not an executable.
 *git-update-all.sh*::
 Script fetch the latest commits from all git repositories under a directory.
+*jwt-decode.sh*::
+Script to decode JWT with optional secret to check for signature.
+
 *tmux-session.sh*::
 Script to open new tmux session with start directory based on configuration in `~/.tmux.session`.
diff --git a/bin/jwt-decode.sh b/bin/jwt-decode.sh
new file mode 100755
index 0000000..5e47adf
--- /dev/null
+++ b/bin/jwt-decode.sh
@@ -0,0 +1,73 @@
+#!/bin/sh
+## SPDX-FileCopyrightText: 2022 M. Shulhan
+## SPDX-License-Identifier: GPL-3.0-or-later
+
+## depends=(jq openssl)
+
+## Script to decode JWT.
+##
+## Usage:
+##
+## $ jwt_decode.sh $token [$secret]
+##
+## The $secret argument is optional, if its given it will check the signature
+## is matched or not.
+
+base64_decode() {
+ len=$((${#1} % 4))
+ case $len in
+ 2)
+ str="$1"'==' ;;
+ 3)
+ str="$1"'=' ;;
+ *)
+ str="$1" ;;
+ esac
+ echo -n $str | openssl enc -d -a -A
+}
+
+jwt=$1
+secret=$2
+
+if [[ -z $jwt ]]; then
+ echo "Missing token"
+ exit 1
+fi
+
+header_b64=$(echo -n $jwt | cut -d '.' -f 1)
+header=$(base64_decode "$header_b64")
+
+payload_b64=$(echo -n $jwt | cut -d '.' -f 2)
+payload=$(base64_decode "$payload_b64")
+
+sign=$(echo -n $jwt | cut -d '.' -f 3)
+
+expired_at=$(echo $PAY | jq '.exp')
+if [[ -n "$expired_at" ]]; then
+ expired_at=$(date -d @${expired_at} --rfc-3339=seconds)
+fi
+
+issued_at=$(echo $PAY | jq '.iat')
+if [[ -n "$issued_at" ]]; then
+ issued_at=$(date -d @${issued_at} --rfc-3339=seconds)
+fi
+
+echo "Header: $header"
+echo "Payload: $payload"
+echo "Issued at: $issued_at"
+echo "Expired at: $expired_at"
+
+## Check the signature using secret.
+if [[ -n "$secret" ]]; then
+ got_sign=$(echo -n "$header_b64"."$payload_b64" \
+ | openssl dgst -sha256 -hmac secret -binary | base64)
+ got_sign=${got_sign%=}
+
+ if [[ "$sign" == "$got_sign" ]]; then
+ echo "Signature: PASS"
+ else
+ echo "Signature: FAIL"
+ fi
+else
+ echo "Signature: SKIP"
+fi
--
cgit v1.3
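Review bot: The HMAC on the `openssl dgst -sha256 -hmac secret -binary` line is keyed with the literal string `secret` instead of the user-supplied `$secret`, so a genuine token is always reported as FAIL and any token signed with the fixed key "secret" is reported as PASS; it must be `-hmac "$secret"`. The comparison also mixes alphabets: the token's signature is base64url, but `base64` emits `+`, `/` and up to two `=` (only one is stripped by `${got_sign%=}`), and `base64_decode` never maps `-`/`_` back to `+`/`/`, so both decoding and verification fail whenever those characters occur. The `echo $PAY | jq` lines read a variable that is never set (the decoded payload is in `$payload`), so "Issued at"/"Expired at" are always empty, and a missing claim would make jq print `null` and break `date -d @null`. Finally, `[[ ]]` and `echo -n` are bashisms under `#!/bin/sh` — switch to `#!/usr/bin/env bash` and quote `$jwt`/`$str` — and since only HS256 is ever checked regardless of the header's `alg`, the result line should say so (`echo "Signature: PASS (HS256)"`); a key passed via `-hmac` is also visible in the process listing while openssl runs, which is worth a comment in the usage header.
```shell
base64_decode() {
  # … unchanged: padding computation …
  printf '%s' "$str" | tr '_-' '/+' | openssl enc -d -a -A
}
# … unchanged: argument handling and header/payload split …
expired_at=$(printf '%s' "$payload" | jq -r '.exp // empty')
# … unchanged: date formatting …
issued_at=$(printf '%s' "$payload" | jq -r '.iat // empty')
# … unchanged: output lines …
if [[ -n "$secret" ]]; then
  got_sign=$(printf '%s' "$header_b64.$payload_b64" \
    | openssl dgst -sha256 -hmac "$secret" -binary \
    | base64 | tr '+/' '-_' | tr -d '=')
  # … unchanged: PASS/FAIL comparison …
```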