(PureBasic) Create JWS Using Private Key on a Smart Card

See more JSON Web Signatures (JWS) Examples

Creates and validates a JSON Web Signature (JWS) using the private key associated with a certificate on a smart card.

Chilkat PureBasic Module Download Chilkat PureBasic Module

IncludeFile "CkJws.pb"
IncludeFile "CkCert.pb"
IncludeFile "CkPrivateKey.pb"
IncludeFile "CkJsonObject.pb"
IncludeFile "CkPublicKey.pb"

Procedure ChilkatExample()

    ; This requires the Chilkat API to have been previously unlocked.
    ; See Global Unlock Sample for sample code.

    ; Load the certificate from a smart card.
    cert.i = CkCert::ckCreate()
    If cert.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    success.i = CkCert::ckLoadFromSmartcard(cert,"")
    If success = 0
        Debug CkCert::ckLastErrorText(cert)
        CkCert::ckDispose(cert)
        ProcedureReturn
    EndIf

    ; Note: Chilkat provides many different ways to load a certificate from a smartcard or USB token,
    ; such as selecting a certificate if the card contains multiple certificates with private keys,
    ; or working with lower-level PKCS11 or ScMinidriver API's (both of which Chilkat provides).

    ; If the associated private key was present on the smartcard, then you can simply
    ; get it from the Chilkat cert object:
    privKey.i = CkCert::ckExportPrivateKey(cert)
    If CkCert::ckLastMethodSuccess(cert) = 0
        Debug CkCert::ckLastErrorText(cert)
        CkCert::ckDispose(cert)
        ProcedureReturn
    EndIf

    ; You can check the key type to make sure it's RSA.
    ; This will output "rsa" if the key is RSA.
    Debug "Key type = " + CkPrivateKey::ckKeyType(privKey)

    ; Create the JWS Protected Header
    jwsProtHdr.i = CkJsonObject::ckCreate()
    If jwsProtHdr.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    CkJsonObject::ckAppendString(jwsProtHdr,"alg","RS256")

    jws.i = CkJws::ckCreate()
    If jws.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    ; Set the protected header:
    signatureIndex.i = 0
    CkJws::ckSetProtectedHeader(jws,signatureIndex,jwsProtHdr)

    ; Set the RSA key:
    CkJws::ckSetPrivateKey(jws,signatureIndex,privKey)

    ; Set the payload.
    bIncludeBom.i = 0
    payloadStr.s = "In our village, folks say God crumbles up the old moon into stars."
    CkJws::ckSetPayload(jws,payloadStr,"utf-8",bIncludeBom)

    ; Create the JWS
    ; By default, the compact serialization is used.
    jwsCompact.s = CkJws::ckCreateJws(jws)
    If CkJws::ckLastMethodSuccess(jws) <> 1
        Debug CkJws::ckLastErrorText(jws)
        CkPrivateKey::ckDispose(privKey)

        CkCert::ckDispose(cert)
        CkJsonObject::ckDispose(jwsProtHdr)
        CkJws::ckDispose(jws)
        ProcedureReturn
    EndIf

    Debug "JWS: " + jwsCompact

    ; sample output:
    ; JWS: eyJhbGciOiJQUzI1NiJ9.SW4gb3VyIHZpbGxhZ2UsIGZvbGtzIHNheSBHb2QgY3J1bWJsZXMgdXAgdGhlIG9sZCBtb29uIGludG8gc3RhcnMu.TRWhwRo5dMv9-8OzrInfJTwmUGYgjLfHk8lqF072ND-FmLWEBnUTOpY8oJXp8FdWw2SalbdOeNlrtlJjwk4XK8Ql2iJ_2qMCtxsvLPhKBOqFoAF4aBvTOEDVJDxf0DaBSiydEEtfTVV2iwBcjWabu5J2XieR5y7QZQtuHsn7T3qKBvCcCejN3Y2oqAT3qMHvu1fTms1r_91wBn_K7Wjd9UkZ1n02qQcUHJznR_OF2BgN7_KWIDAF9ZS9keoju2NPpPelO4yxa2XUPnehY3G7dHKoCxUEQR4d2Xc5voqDASTVCDqQS4PVOZdvT3Ein6-SanAlCwbWBbkvT8g6-5PImQ

    ; Now load the JWS, validate, and recover the original text.
    jws2.i = CkJws::ckCreate()
    If jws2.i = 0
        Debug "Failed to create object."
        ProcedureReturn
    EndIf

    ; Load the JWS.
    success = CkJws::ckLoadJws(jws2,jwsCompact)

    rsaPubKey.i = CkPrivateKey::ckGetPublicKey(privKey)
    CkPrivateKey::ckDispose(privKey)

    ; Set the RSA public key used for validation.
    signatureIndex = 0
    CkJws::ckSetPublicKey(jws2,signatureIndex,rsaPubKey)
    CkPublicKey::ckDispose(rsaPubKey)

    ; Validate the 1st (and only) signature at index 0..
    v.i = CkJws::ckValidate(jws2,signatureIndex)
    If v < 0
        ; Perhaps Chilkat was not unlocked or the trial expired..
        Debug "Method call failed for some other reason."
        Debug CkJws::ckLastErrorText(jws2)
        CkCert::ckDispose(cert)
        CkJsonObject::ckDispose(jwsProtHdr)
        CkJws::ckDispose(jws)
        CkJws::ckDispose(jws2)
        ProcedureReturn
    EndIf

    If v = 0
        Debug "Invalid signature.  The RSA key was incorrect, the JWS was invalid, or both."
        CkCert::ckDispose(cert)
        CkJsonObject::ckDispose(jwsProtHdr)
        CkJws::ckDispose(jws)
        CkJws::ckDispose(jws2)
        ProcedureReturn
    EndIf

    ; If we get here, the signature was validated..
    Debug "Signature validated."

    ; Recover the original content:
    Debug CkJws::ckGetPayload(jws2,"utf-8")

    ; Examine the protected header:
    joseHeader.i = CkJws::ckGetProtectedHeader(jws2,signatureIndex)
    If CkJws::ckLastMethodSuccess(jws2) <> 1
        Debug "No protected header found at the given index."
        CkCert::ckDispose(cert)
        CkJsonObject::ckDispose(jwsProtHdr)
        CkJws::ckDispose(jws)
        CkJws::ckDispose(jws2)
        ProcedureReturn
    EndIf

    CkJsonObject::setCkEmitCompact(joseHeader, 0)

    Debug "Protected (JOSE) header:"
    Debug CkJsonObject::ckEmit(joseHeader)
    CkJsonObject::ckDispose(joseHeader)

    ; Output:

    ; 	Signature validated.
    ; 	In our village, folks say God crumbles up the old moon into stars.
    ; 	Protected (JOSE) header:
    ; 	{ 
    ; 	  "alg": "RS256"
    ; 	}


    CkCert::ckDispose(cert)
    CkJsonObject::ckDispose(jwsProtHdr)
    CkJws::ckDispose(jws)
    CkJws::ckDispose(jws2)


    ProcedureReturn
EndProcedure