NJP

Generate and validate JWT authorization token for Apple account (p8 file, ES256 algorithm)

Import · Mar 23, 2020 · article

Hi Guys. As you may know, RS256 (RSA with SHA-256) is the only algorithm available for signing a JWT with the platform's JWT key support.

Apple uses the ES256 algorithm with a .p8 file (a private key, which the code below reads as PKCS#8) that is available to download from their site.

If you'd like to use Apple's API services from SN and you need to sign a JWT for them, you may find this article interesting.

A script in SN that calls the Mid server script include and sends Apple's parameters from SN to the mid server:

var jsProbe = new JavascriptProbe('YOUR MID SERVER NAME');
jsProbe.setName("ANY NAME FOR THE ECC RECORD");
jsProbe.addParameter("certificate", "YOUR CERTIFICATE P8 STRING"); // content of the .p8 file; the BEGIN/END lines are stripped by the script include
jsProbe.addParameter("kid", 'KEY ID');
jsProbe.addParameter("teamId", 'TEAM ID');
// Name of the MID server script include and the executed method
jsProbe.setJavascript("var remoteFileImport = new appleConnect(); remoteFileImport.getSignedToken()");
jsProbe.create();

This script will generate an output record in the ECC table for the mid server with the name you have chosen.

Mid server script include:

Name: appleConnect

var appleConnect = Class.create();
appleConnect.prototype = {
    initialize : function() {
        // Parameters sent from the instance via JavascriptProbe.addParameter()
        this.certificate = probe.getParameter("certificate");
        this.kid = probe.getParameter("kid");
        this.teamId = probe.getParameter("teamId");
    },

    getSignedToken : function () {
        // Strip the PEM armour and all whitespace. probe.getParameter() returns a java.lang.String,
        // so replaceAll() here is the Java regex method, not a JavaScript one
        var privateKeyPEM = this.certificate.replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "").replaceAll("\\s", "");
        // The .p8 file is a PKCS#8-encoded EC private key
        var keyBytes = Packages.java.util.Base64.getDecoder().decode(privateKeyPEM);
        var keyFactory = Packages.java.security.KeyFactory.getInstance("EC");
        var PKCS8EncodedKeySpec = Packages.java.security.spec.PKCS8EncodedKeySpec;
        var key = keyFactory.generatePrivate(new PKCS8EncodedKeySpec(keyBytes));
        var timestamp = new Packages.java.util.Date();
        // The expiration time for the token: 2000*60 ms = 2 minutes here. You can change it to the time you'd like, but be aware of Apple's limit
        var exp = new Packages.java.util.Date(timestamp.getTime() + 2000*60);
        // JWS header: ES256 algorithm plus the key ID of the .p8 key
        var header = new Packages.com.nimbusds.jose.JWSHeader
            .Builder(Packages.com.nimbusds.jose.JWSAlgorithm.ES256)
            .keyID(this.kid)
            .build();

        // Claims: the issuer is the team ID, the audience is the App Store Connect API
        var claimsSet = new Packages.com.nimbusds.jwt.JWTClaimsSet.Builder()
            .issuer(this.teamId)
            .issueTime(timestamp)
            .expirationTime(exp)
            .audience("appstoreconnect-v1")
            .build();

        var signedJWT = new Packages.com.nimbusds.jwt.SignedJWT(header, claimsSet);
        var signer = new Packages.com.nimbusds.jose.crypto.ECDSASigner(key);
        signedJWT.sign(signer);
        var token = signedJWT.serialize(); // header.payload.signature, base64url-encoded

        return token;
    },

    type: 'appleConnect'
};

The script will return the generated token to the input ECC record.

Important note:

You need to add 3 JAR files to the MID server to use the libraries inside the script include:

  1. JSON-smart-2.3.jar
  2. accessors-smart-1.2.jar
  3. nimbus-jose-jwt-8.10.jar

It might take a little bit of time for SN to upload the files and update the MID server with them, so be patient if you get errors when you call the methods that use them.

If you like this article, please hit the like button.

Have fun!


Original source: https://www.servicenow.com/community/developer-articles/generate-and-validate-jwt-authorization-token-for-apple-account/ta-p/2296696