JSON Web Signatures, using Node.JS and JOSE(s)

David Janes
Dec 31, 2020

The last time I had my head up, about four years ago, JSON Web Tokens (JWT) defined by RFC 7519 were all the rage. What I didn’t know was that there’s an earlier RFC 7515 for JSON Web Signatures (JWS). JWS lets you sign data (confusingly perhaps, bytes not JSON) and get the signed result as fairly clean JSON data.

These two standards — plus a number of related ones — are collectively known as JOSE: JSON Object Signing and Encryption.

There are two NPM packages that implement JOSE for Node.JS: jose and node-jose. The first has no external dependencies and is popular; the latter is provided by Cisco, and has some very useful functions like decoding PEM files.

For my own development, because of these useful helper functions I’m likely to be going with the latter, but both are straightforward to use.

Here’s an example of how to sign a document using jose.

And here’s an example of signing with node-jose (I didn’t use the alg bit here but it’s straightforward to add):

Finally, if you are using node-jose and you need to convert a PEM file into usable data, here’s how to do that (the original code nucleus from here; if you need to make some sample PEM files, I’ve got you covered):
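
The JWS idea described at the top (sign bytes, get JSON back) can be seen without either package. This added example is not the author's code and does not use the jose or node-jose APIs: it builds and verifies a flattened JWS JSON serialization (RFC 7515) with Node's built-in crypto module. The function names, the ES256 choice, the throwaway key pair and the payload are assumptions made for the illustration.

```javascript
// Added example: flattened JWS JSON serialization (RFC 7515, section 7.2.2)
// built with Node's crypto module only. Key and payload are constructed.
const crypto = require('crypto');

// base64url without padding, as JWS requires.
const b64u = (buf) => Buffer.from(buf).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

// Sign arbitrary bytes; the payload is not required to be JSON.
function signJws(payloadBytes, privateKey) {
  const protectedHeader = b64u(JSON.stringify({ alg: 'ES256' }));
  const payload = b64u(payloadBytes);
  // The signing input is ASCII(protected || '.' || payload).
  const signingInput = Buffer.from(`${protectedHeader}.${payload}`, 'ascii');
  // JWS ES256 uses the raw r||s signature form, not DER.
  const signature = crypto.sign('sha256', signingInput,
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return { payload, protected: protectedHeader, signature: b64u(signature) };
}

// Verify and return the payload bytes, or throw. The accepted algorithm is
// pinned by the verifier rather than taken on trust from the header.
function verifyJws(jws, publicKey) {
  // Node's 'base64' decoder also accepts the URL-safe alphabet.
  const header = JSON.parse(Buffer.from(jws.protected, 'base64').toString('utf8'));
  if (header.alg !== 'ES256') throw new Error(`unexpected alg: ${header.alg}`);
  const signingInput = Buffer.from(`${jws.protected}.${jws.payload}`, 'ascii');
  const ok = crypto.verify('sha256', signingInput,
    { key: publicKey, dsaEncoding: 'ieee-p1363' },
    Buffer.from(jws.signature, 'base64'));
  if (!ok) throw new Error('signature verification failed');
  return Buffer.from(jws.payload, 'base64');
}

// Constructed demo: throwaway P-256 key pair and sample payload.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jws = signJws(Buffer.from('hello, world', 'utf8'), privateKey);
  const recovered = verifyJws(jws, publicKey).toString('utf8');
  // A changed payload must invalidate the signature.
  const tampered = { ...jws, payload: b64u('hello, w0rld') };
  let tamperRejected = false;
  try { verifyJws(tampered, publicKey); } catch (e) { tamperRejected = true; }
  return { jws, recovered, tamperRejected };
}

console.log(demo());
```

The three fields of the returned object (`payload`, `protected`, `signature`) are the members RFC 7515 defines for the flattened form; the packages above add key handling on top of this.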
