Fork me on GitHub
Ben Hammond15:09:44

I'm trying to understand how to manually verify a JWT from its jwks public key properties I have a ~/.well-known/jwks.json that looki like

and I am trying to plug those key properties into
      (.generatePublic (KeyFactory/getInstance "RSA")
                        (biginteger (.decode (java.util.Base64/getUrlDecoder) n))
                        (biginteger (.decode (Base64/getUrlDecoder) e)))) nil))
but the modulus is coming out negative (and it is supposed to be a Base64urlUInt putting an .abs on does not seem to help tells me the signature is good, so what am I missing? how do I decode a a jwks modulus into a positive BigInteger?

Ben Hammond15:09:51

oh theres an arity-2 BigInteger constructor

public BigInteger(int signum, byte[] magnitude, int off, int len) {

Ben Hammond15:09:52

that was indeed my problem...

Ben Hammond15:09:10

my next question is > is it possible to cajole the Cognito User Pool App signing key into signing my customized JWT?

Ben Hammond15:09:47

I had a small hope that I could plug the > Cognito App Client Secret into an RSAPrivateKeySpec as the private Exponent but it does not does appear to work...

Ben Hammond12:10:53

I have concluded that it is not