Xentara v2.0.3
User Manual
Signature Verification
See also
RFC 7518 — JSON Web Algorithms (JWA)

Xentara only accepts signed JWTs. To be able to verify the signature of the token, the public signing key of the issuer must be copied to the host on which Xentara is running.

Xentara supports the following signature algorithms:

Name     Description
PS256    RSASSA-PSS using SHA-256 and MGF1 with SHA-256
PS384    RSASSA-PSS using SHA-384 and MGF1 with SHA-384
PS512    RSASSA-PSS using SHA-512 and MGF1 with SHA-512
ES256    ECDSA using P-256 and SHA-256
ES256K   ECDSA using secp256k1 and SHA-256
ES384    ECDSA using P-384 and SHA-384
ES512    ECDSA using P-521 and SHA-512
EdDSA    EdDSA, using either Curve25519 or Curve448
RS256    RSASSA-PKCS1-v1_5 using SHA-256
RS384    RSASSA-PKCS1-v1_5 using SHA-384
RS512    RSASSA-PKCS1-v1_5 using SHA-512
HS256    HMAC using SHA-256
HS384    HMAC using SHA-384
HS512    HMAC using SHA-512

Public Key Files

The public key files for the issuers must be PEM files containing the public key. PEM files are text files.

A PEM encoded public key file looks like this:

-----BEGIN PUBLIC KEY-----
VGhpcyBpcyBub3QgYSByZWFsIHB1YmxpYyBrZXkuIEl0IGlzIEFJIGdlbmVyYXRlZCBub25zZW5z
ZS4gQXMgeW91IGNhbiBzZWUsIGl0IGlzIGEgc2VxdWVuY2Ugb2YgcmFuZG9tIGxldHRlcnMgYW5k
IG51bWJlcnMgdGhhdCBhcmUgdmVyeSBzaW1pbGFyIHRvIHRoZSBhY3R1YWwgcHVibGljIGtleS4g
SXQgaXMgcmVhbGx5IG9ubHkgZ29vZCBpZiB5b3UgZG9u4oCZdCB3YW50IGFueW9uZSB0byBzZWUg
dGhlIGFjdHVhbCBwdWJsaWMga2V5Lg==
-----END PUBLIC KEY-----

Public Key File Location

The location of the public key file for each OAuth 2.0 issuer must be configured in the Xentara OAuth 2.0 configuration file. The path can be absolute or relative. If it is absolute, the specified path is used as-is. If it is relative, Xentara searches for the key file at the locations described below.

Relative Paths under Linux

If the public key path is a simple file name or a relative path under Linux, Xentara looks for the public key file in the following locations, in order:

  • ${HOME}/.config/xentara/oauth2/keys/<public key path>
  • /etc/xdg/xentara/oauth2/keys/<public key path>

You can specify additional search directories on the command line using the option --config-dir=<path>, where <path> is the path to a directory to search. You can specify this option more than once to add multiple directories to the search path. The additional directories are searched in the order they appear on the command line, before the default directories listed above.

Note
The equal signs can be omitted from options to facilitate file name completion when using the bash shell. This means that you can write --config-dir <path> instead of --config-dir=<path>.

You can override the searched directories as described in the XDG Base Directory Specification.
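
The following script is an added example, not part of Xentara. It reproduces the Linux search order described above to show which file a relative key path resolves to, and reports lower-priority copies that are shadowed by it. It assumes that each --config-dir directory is searched directly for the key path and that XDG_CONFIG_HOME and XDG_CONFIG_DIRS replace the two default locations; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Xentara code: lists the Linux key search directories in
# order and reports which file a public key path resolves to.

# key_search_dirs [extra_dir...]: one directory per line, highest priority first.
# Assumptions: each --config-dir directory is searched directly for the key
# path, and XDG_CONFIG_HOME / XDG_CONFIG_DIRS replace the two defaults.
key_search_dirs() (
    for d in "$@"; do printf '%s\n' "$d"; done
    printf '%s\n' "${XDG_CONFIG_HOME:-$HOME/.config}/xentara/oauth2/keys"
    IFS=:; set -f    # split on ':' without globbing (local to this subshell)
    for d in ${XDG_CONFIG_DIRS:-/etc/xdg}; do
        if [ -n "$d" ]; then printf '%s\n' "$d/xentara/oauth2/keys"; fi
    done
)

# is_pem_public_key <file>: true if the first line is the PEM public key header.
is_pem_public_key() {
    first_line=
    IFS= read -r first_line < "$1" || true
    [ "$first_line" = "-----BEGIN PUBLIC KEY-----" ]
}

# resolve_key <key path> [extra_dir...]: prints the first match, which is the
# file that would be used; later matches are reported on stderr as shadowed.
resolve_key() (
    key=$1; shift
    case $key in /*) [ -f "$key" ] && printf '%s\n' "$key"; exit ;; esac
    dirs=$(key_search_dirs "$@")
    found=
    IFS='
'; set -f            # iterate over the directory list line by line
    for dir in $dirs; do
        file=$dir/$key
        [ -f "$file" ] || continue
        if [ -n "$found" ]; then
            echo "shadowed by $found: $file" >&2
            continue
        fi
        found=$file
        is_pem_public_key "$file" || echo "warning: $file lacks the PEM public key header" >&2
    done
    [ -n "$found" ] && printf '%s\n' "$found"
)

# Usage: sh resolve-key.sh <key path> [extra_dir...]
if [ "$#" -gt 0 ]; then resolve_key "$@"; fi
```

A "shadowed" line means that a copy in a higher-priority directory, such as the per-user directory or a --config-dir directory, is the one that takes effect, so that is the file whose contents and permissions need checking.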

Relative Paths under Windows

If the public key path is a simple file name or a relative path under Windows, Xentara looks for the public key file in the following locations, in order:

  • %LOCALAPPDATA%\Xentara\OAuth2\Keys\<public key path>
  • %ProgramData%\Xentara\OAuth2\Keys\<public key path>

You can specify additional search directories on the command line using the option -ConfigDir <path>, where <path> is the path to a directory to search. You can specify this option more than once to add multiple directories to the search path. The additional directories are searched in the order they appear on the command line, before the default directories listed above.