Signing and verifying JWTs with ECDSA
You can process JWTs using Elliptic Curve Digital Signature Algorithm (ECDSA). This uses asymmetric keys with a private key for signing and a public key for verifying. The public key allows anyone to verify a JWT but only the provider can create them. ECDSA is recommended over RSA since it uses smaller keys, requires less processing power and produces smaller signatures.
Step 1: Create your elliptic curve keys
Elliptic curve keys can be generated through Apple, OpenSSL or using BlueECC.
For simplicity you can use the following pre-generated keys.
Add the following EC PEM strings (Or strings you have generated) to your App
extension:
static let privateKey = """
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIJX+87WJ7Gh19sohyZnhxZeXYNOcuGv4Q+8MLge4UkaZoAoGCCqGSM49
AwEHoUQDQgAEikc5m6C2xtDWeeAeT18WElO37zvFOz8p4kAlhvgIHN23XIClNESg
KVmLgSSq2asqiwdrU5YHbcHFkgdABM1SPA==
-----END EC PRIVATE KEY-----
"""
static let publicKey = """
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEikc5m6C2xtDWeeAeT18WElO37zvF
Oz8p4kAlhvgIHN23XIClNESgKVmLgSSq2asqiwdrU5YHbcHFkgdABM1SPA==
-----END PUBLIC KEY-----
"""
Step 2: Create your JWTSigner
The JWTSigner
is used to sign a JWT
instance and produce a signed JWT string.
Inside the App
extension, create an ECDSA JWTSigner
by providing the private key:
@available(OSX 10.13, *)
static let jwtSigner = JWTSigner.es256(privateKey: Data(privateKey.utf8))
ECDSA algorithms such as
es256
use BlueECC, which is only available on macOS 10.13 or newer. When using them you will need to us@available
to handle cases where the operating system version is not high enough.
Step 3: Create your JWTVerifier
The JWTVerifier
is used to verify a signed JWT string. This ensures the signature was generated using the corresponding private key and the JWT has not been changed.
Inside the App
extension, we create an ECDSA JWTVerifier
by providing the public key:
@available(OSX 10.13, *)
static let jwtVerifier = JWTVerifier.es256(publicKey: Data(publicKey.utf8))
Now you can return to the JSON Web Token Authentication guide.