JWT client secret when getting an access token: exact P-256 curve type

Hi,

As per the documentation (https://developer.apple.com/documentation/sign_in_with_apple/generate_and_validate_tokens), "after creating the JWT, sign it using the Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 curve and the SHA-256 hash algorithm".

OpenSSL seems to list 2 types for this kind of curve: secp256k1 and prime256v1. What is the one matching Apple specs?

Thank you

OpenSSL seems to list 2 types for this kind of curve: secp256k1 and prime256v1. What is the one matching Apple specs?

I am assuming that it is prime256v1 as this refers to the public key embedded in your private key. However, do not take my word for it; you can verify this by checking the ASN.1 of your private key, or .p8 file. One way to do this would be to use the asn1parse command with OpenSSL:

openssl asn1parse -in mykey.p8
    0:d=0  hl=3 l= 135 cons: SEQUENCE          
    3:d=1  hl=2 l=   1 prim: INTEGER           :00
    6:d=1  hl=2 l=  19 cons: SEQUENCE          
    8:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
   17:d=2  hl=2 l=   8 prim: OBJECT            :prime256v1
   27:d=1  hl=2 l= 109 prim: OCTET STRING      [HEX DUMP]:3.....2

And the other way would be to use the dumpasn1 tool to extract the ASN.1 from a binary representation of your key. This would print out a structure similar to the following:

 0 135: SEQUENCE {
 3   1:   INTEGER 0
 6  19:   SEQUENCE {
 8   7:     OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
17   8:     OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
      :     }
27 109:   OCTET STRING, encapsulates {
29 107:     SEQUENCE {
31   1:       INTEGER 1
34  32:       OCTET STRING

...

Now, the OCTET STRING sequences are redacted here for obvious reasons, but this should get you started.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
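As an added example (not part of this thread and not Apple's code), the following script does in code what the answer above describes: it walks the PKCS#8 ASN.1 of the key to confirm the namedCurve OID is prime256v1 (1.2.840.10045.3.1.7), refuses anything else such as secp256k1, then builds and verifies the ES256 client secret. It uses the `cryptography` package; the key is generated in-process instead of being read from a real .p8, the secp256k1 DER header is constructed for the rejection demo, and the Team ID, Key ID and Services ID are placeholders.

```python
"""Check a Sign in with Apple key is on prime256v1 and build the ES256 client secret.

Added example, not from the thread and not Apple's code. Needs the
`cryptography` package. The key is generated here instead of being loaded from
a real .p8 file; the TEAMID/KEYID/client_id values below are made-up placeholders.
"""
import base64
import json
import time

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature, encode_dss_signature,
)

# OIDs in the dotted form dumpasn1 prints them.
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
OID_PRIME256V1 = "1.2.840.10045.3.1.7"   # secp256r1 / NIST P-256: the curve Apple wants
OID_SECP256K1 = "1.3.132.0.10"           # the other "256" curve OpenSSL lists: wrong here
APPLE_MAX_TTL = 15777000                 # Apple caps exp at 6 months after iat

# Constructed PKCS#8 header for a secp256k1 key (private-key body elided); used
# only to show the curve check rejecting the wrong curve.
BAD_CURVE_DER = bytes.fromhex("3017020100301006072a8648ce3d020106052b8104000a0400")


def _tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(raw):
    """Decode OID contents (base-128 arcs) to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def curve_oid_from_pkcs8(der):
    """Walk PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier { alg OID, curve OID }, ... }.

    This is the same structure the asn1parse / dumpasn1 listings in the answer show."""
    tag, pki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input? strip the armour first)")
    _, _version, pos = _tlv(pki, 0)                 # INTEGER 0
    _, alg_id, _ = _tlv(pki, pos)                   # AlgorithmIdentifier
    tag, alg, pos = _tlv(alg_id, 0)
    if tag != 0x06 or _oid(alg) != OID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key")
    tag, curve, _ = _tlv(alg_id, pos)               # namedCurve parameter
    if tag != 0x06:
        raise ValueError("curve is not given as a namedCurve OID")
    return _oid(curve)


def require_prime256v1(der):
    oid = curve_oid_from_pkcs8(der)
    if oid != OID_PRIME256V1:
        raise ValueError(f"key curve OID is {oid}; Apple requires prime256v1 ({OID_PRIME256V1})")
    return oid


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_p256_key():
    """Stand-in for loading the .p8 Apple issues (a prime256v1 private key)."""
    return ec.generate_private_key(ec.SECP256R1())


def make_client_secret(private_key, team_id, key_id, client_id, now=None, ttl=APPLE_MAX_TTL):
    """Return the compact JWS Apple expects as client_secret (ES256 over a P-256 key)."""
    der = private_key.private_bytes(serialization.Encoding.DER,
                                    serialization.PrivateFormat.PKCS8,
                                    serialization.NoEncryption())
    require_prime256v1(der)
    now = int(time.time()) if now is None else now
    header = {"alg": "ES256", "kid": key_id}
    claims = {"iss": team_id, "iat": now, "exp": now + ttl,
              "aud": "https://appleid.apple.com", "sub": client_id}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    # ECDSA with SHA-256, as the doc says. cryptography returns DER SEQUENCE { r, s };
    # JWS ES256 requires the raw 64-byte r||s instead, so unpack and re-pack it.
    der_sig = private_key.sign(signing_input.encode("ascii"), ec.ECDSA(hashes.SHA256()))
    r, s = decode_dss_signature(der_sig)
    return signing_input + "." + b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))


def verify_client_secret(token, public_key):
    """Verify the JWS the way the receiving side would and return its claims."""
    h, p, sig = token.split(".")
    raw = b64url_decode(sig)
    if len(raw) != 64:
        raise ValueError("ES256 signature must be exactly 64 bytes (r||s)")
    r, s = int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")
    public_key.verify(encode_dss_signature(r, s), f"{h}.{p}".encode("ascii"),
                      ec.ECDSA(hashes.SHA256()))
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    key = new_p256_key()
    token = make_client_secret(key, "TEAMID0000", "KEYID00000", "com.example.signin")
    print(verify_client_secret(token, key.public_key()))
    try:
        require_prime256v1(BAD_CURVE_DER)
    except ValueError as err:
        print("rejected:", err)
```

The two points worth keeping in mind from the script: the curve check reads the AlgorithmIdentifier exactly where asn1parse shows `prime256v1`, so it works on the DER of any .p8 once the PEM armour is stripped; and ES256 is not "ECDSA with the P-256 curve" alone, the JWS signature must be the raw 64-byte r||s rather than the DER SEQUENCE that OpenSSL and `cryptography` emit, which is the other mistake that makes Apple reject an otherwise correctly keyed client secret.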

Thanks a lot Matt
