Javascript Object Signing and Encryption (JOSE) library
Description
Supports JSON Web Signature (JWS), JSON Web Key (JWK) and JSON Web Token (JWT). For JWT examples and documentation, see the class comment of the separate SstSecurityJWTApp.
Unsupported / unimplemented features
Supported JSON Web Algorithms
Signing algorithms for JWS
- HS256: HMAC using SHA-256
- HS384: HMAC using SHA-384
- HS512: HMAC using SHA-512
- RS256: RSASSA-PKCS1-v1_5 using SHA-256
- RS384: RSASSA-PKCS1-v1_5 using SHA-384
- RS512: RSASSA-PKCS1-v1_5 using SHA-512
- none: no digital signature or MAC is performed (an unsecured JWS)
Example Usage
Decode and verify a JWS
| encoded jws payload jwk keyStore |
"Create a JsonWebSignature from an encoded string (a compact JWS serialization)"
encoded :='eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw'.
jws := encoded asJws.
"Extract the payload"
payload := jws unverifiedPayload.
Transcript
cr;
show: ('Content of jws: %1' bindWith: payload content asString);
show: ('Protected parameters: %1' bindWith: payload protectedHeader asJsonString).
"Create a JsonWebKey for verifying the signature"
jwk := SstJwk fromJson: '{
"kty":"RSA",
"n":"ofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd_wWJcyQoTbji9k0l8W26mPddxHmfHQp-Vaw-4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL-yRT-SFd2lZS-pCgNMsD1W_YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb_7OMg0LOL-bSf63kpaSHSXndS5z5rexMdbBYUsLA9e-KXBdQOS-UTo7WTBEMa2R2CapHg665xsmtdVMTBQY4uDZlxvb3qCo5ZwKh9kG4LT6_I5IhlJH7aGhyxXFvUK-DWNmoudF8NAco9_h9iaGNj8q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQ",
"e":"AQAB",
"d":"Eq5xpGnNCivDflJsRQBXHx1hdR1k6Ulwe2JZD50LpXyWPEAeP88vLNO97IjlA7_GQ5sLKMgvfTeXZx9SE-7YwVol2NXOoAJe46sui395IW_GO-pWJ1O0BkTGoVEn2bKVRUCgu-GjBVaYLU6f3l9kJfFNS3E0QbVdxzubSu3Mkqzjkn439X0M_V51gfpRLI9JYanrC4D4qAdGcopV_0ZHHzQlBjudU2QvXt4ehNYTCBr6XCLQUShb1juUO1ZdiYoFaFQT5Tw8bGUl_x_jTj3ccPDVZFD9pIuhLhBOneufuBiB4cS98l2SR_RQyGWSeWjnczT0QU91p1DhOVRuOopznQ",
"p":"4BzEEOtIpmVdVEZNCqS7baC4crd0pqnRH_5IB3jw3bcxGn6QLvnEtfdUdiYrqBdss1l58BQ3KhooKeQTa9AB0Hw_Py5PJdTJNPY8cQn7ouZ2KKDcmnPGBY5t7yLc1QlQ5xHdwW1VhvKn-nXqhJTBgIPgtldC-KDV5z-y2XDwGUc",
"q":"uQPEfgmVtjL0Uyyx88GZFF1fOunH3-7cepKmtH4pxhtCoHqpWmT8YAmZxaewHgHAjLYsp1ZSe7zFYHj7C6ul7TjeLQeZD_YwD66t62wDmpe_HlB-TnBA-njbglfIsRLtXlnDzQkv5dTltRJ11BKBBypeeF6689rjcJIDEz9RWdc",
"dp":"BwKfV3Akq5_MFZDFZCnW-wzl-CCo83WoZvnLQwCTeDv8uzluRSnm71I3QCLdhrqE2e9YkxvuxdBfpT_PI7Yz-FOKnu1R6HsJeDCjn12Sk3vmAktV2zb34MCdy7cpdTh_YVr7tss2u6vneTwrA86rZtu5Mbr1C1XsmvkxHQAdYo0",
"dq":"h_96-mK1R_7glhsum81dZxjTnYynPbZpHziZjeeHcXYsXaaMwkOlODsWa7I9xXDoRwbKgB719rrmI2oKr6N3Do9U0ajaHF-NKJnwgjMd2w9cjz3_-kyNlxAr2v4IKhGNpmM5iIgOS1VZnOZ68m6_pbLBSp3nssTdlqvd0tIiTHU",
"qi":"IYd7DHOhrWvxkwPQsRM2tOgrjbcrfvtQJipd-DlcxyVuuM9sQLdgjVk2oy26F0EmpScGLq2MowX7fhd_QJQ3ydy5cY7YIBi87w93IKLEdfnbJtoOPLUW0ITrJReOgo1cq9SbsxYawBgfp_gh6A5603k2-ZQwVK0JKSHuLFkuQ3U"}'.
keyStore := SstJwkStore new addKey: jwk; yourself.
"Verify the signature"
(jws verifyWith: keyStore)
	then: [:verified | Transcript cr; show: ('Signature verified: %1' bindWith: verified asString)].
Create a JWS
| builder jwk jws |
builder := SstJwsBuilder new.
"Set the content"
builder contentString: 'It is me'.
"Set some protected header"
builder protectedHeaderParameter: 'createdAt' value: DateAndTime now sstHTTPDateString.
"Add a key to sign with; you can add multiple keys for different recipients"
jwk := SstJwk fromJson: '{
"kty": "oct",
"k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"}'.
builder addRecipientWith: jwk algorithm: 'HS256'.
"Build the JWS"
jws := builder build.
"Output the compact serialization"
Transcript show: ('jws compact serialization: %1' bindWith: jws asCompactString).
"Output the JSON serialization"
Transcript show: ('jws json serialization: %1' bindWith: (jws asJsonString: true)).
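The decode example above reads `unverifiedPayload` before `verifyWith:` has run, and the algorithm list includes `none`. The following Python sketch is an added example, not part of this library and not a description of its internals. It shows the checks a compact-JWS verifier makes for the HS* algorithms before a payload may be trusted: a verifier-side algorithm allow-list, a key type that matches the algorithm, and a constant-time MAC comparison. The function names are hypothetical, and the key is the `oct` key from the "Create a JWS" example.

```python
import base64, hashlib, hmac, json

# HS* entries from the algorithm list above; "none" is never accepted here.
HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def sign_compact(payload, jwk, alg):
    header = b64u_enc(json.dumps({"alg": alg}, separators=(",", ":")).encode())
    signing_input = f"{header}.{b64u_enc(payload)}"
    mac = hmac.new(b64u_dec(jwk["k"]), signing_input.encode("ascii"), HS_ALGS[alg]).digest()
    return f"{signing_input}.{b64u_enc(mac)}"

def verify_compact(token, jwk, allowed=("HS256",)):
    """Return the payload only after the MAC checks out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64u_dec(parts[0]))
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in allowed or alg not in HS_ALGS:  # allow-list comes from the verifier, not the token
        raise ValueError(f"algorithm not allowed: {alg!r}")
    if jwk.get("kty") != "oct":  # key type must match the algorithm family
        raise ValueError("HS* requires a symmetric (oct) key")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(b64u_dec(jwk["k"]), signing_input, HS_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64u_dec(parts[2])):  # constant-time comparison
        raise ValueError("signature mismatch")
    return b64u_dec(parts[1])

# Symmetric key copied from the "Create a JWS" example above.
JWK = {"kty": "oct", "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"}

def outcome(token, jwk=JWK):
    try:
        return verify_compact(token, jwk).decode()
    except ValueError as exc:
        return f"rejected: {exc}"

# Constructed sample inputs: a valid token, an unsecured one, and one with an altered payload.
good = sign_compact(b"It is me", JWK, "HS256")
head, body, sig = good.split(".")
unsecured = b64u_enc(b'{"alg":"none"}') + "." + body + "."
tampered = f"{head}.{b64u_enc(b'It is you')}.{sig}"
if __name__ == "__main__":
    for t in (good, unsecured, tampered):
        print(outcome(t))
```
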
Class Methods
_PRAGMA_NlsCatJose
%%PRAGMA DECLARE
(name: NlsCatJose isPool: true pragma: 'NLS jose')
(pool: NlsCatJose declarations: (
(name: MxJose1 comment: 'JWE not supported yet')
(name: MxJose2 comment: 'Not a valid compact string serialization of a JWE or JWS.')
(name: MxJose3 comment: 'Not a valid json serialization of a JWE or JWS.')
(name: MxJose4 comment: 'JWS uses no supported algorithm.')
(name: MxJose5 comment: 'No applicable keys found in store')
(name: MxJose6 comment: 'Payload decryption/verification failed')
(name: MxJose7 comment: 'Unable to decrypt/verify the payload: %1.')
(name: MxJose8 comment: 'Jws with alg=
localize
Localize the receiver application to the default messages locale. This method MUST reset any strings that are being cached by the application or its classes. This must be done after the relocalizeTo: line.
stringClass
Answers the default string class for the JOSE infrastructure.
Instance Methods
None
Last modified date: 01/15/2026