How are the standard algorithms for JWT aligned with the OpenSSL dgst?

Question

I currently use OpenSSL dgst -sha256 [...] for a JWT header which has alg: RS256. There are eleven JWT algorithms one can pick from on the official JSON Web Token website:

• HS256
• HS384
• HS512
• RS256
• etc.

The options for OpenSSL dgst however are only: -sha256, -sha384, -sha512.

As the JWT algorithms have various prefixes (HS, RS, ES, PS), I am wondering whether the available OpenSSL algorithms are applied in disregard of the prefix, as long the bit length is correct. For example, RS256 = -sha256 is as valid as HS256 = -sha256.

Answer 1

The JWT is encoded in a JSON Web Signature (JWS) as defined in RFC 7515 "JSON Web Signature (JWS)". Those "eleven JWT algorithms" that you mentioned, refer to the signature algorithm used for the JWS. Their values are defined in 3.1 "alg" (Algorithm) Header Parameter Values for JWS of RFC 7518 "JSON Web Algorithms (JWA)":

   +--------------+-------------------------------+--------------------+
   | "alg" Param  | Digital Signature or MAC      | Implementation     |
   | Value        | Algorithm                     | Requirements       |
   +--------------+-------------------------------+--------------------+
   | HS256        | HMAC using SHA-256            | Required           |
   | HS384        | HMAC using SHA-384            | Optional           |
   | HS512        | HMAC using SHA-512            | Optional           |
   | RS256        | RSASSA-PKCS1-v1_5 using       | Recommended        |
   |              | SHA-256                       |                    |
   | RS384        | RSASSA-PKCS1-v1_5 using       | Optional           |
   |              | SHA-384                       |                    |
   | RS512        | RSASSA-PKCS1-v1_5 using       | Optional           |
   |              | SHA-512                       |                    |
   | ES256        | ECDSA using P-256 and SHA-256 | Recommended+       |
   | ES384        | ECDSA using P-384 and SHA-384 | Optional           |
   | ES512        | ECDSA using P-521 and SHA-512 | Optional           |
   | PS256        | RSASSA-PSS using SHA-256 and  | Optional           |
   |              | MGF1 with SHA-256             |                    |
   | PS384        | RSASSA-PSS using SHA-384 and  | Optional           |
   |              | MGF1 with SHA-384             |                    |
   | PS512        | RSASSA-PSS using SHA-512 and  | Optional           |
   |              | MGF1 with SHA-512             |                    |
   | none         | No digital signature or MAC   | Optional           |
   |              | performed                     |                    |
   +--------------+-------------------------------+--------------------+

So these algorithms include more than just digest algorithms; they are combined with (asymmetric) signing algorithms. In most cases, OpenSSL is able to figure out which algorithm to use for the latter, because that information is stored in the private key that you feed it via the -sign option as part of the command. If you check out the openssl dgst manual, it mentions:

When signing a file, dgst will automatically determine the algorithm (RSA, ECC, etc) to use for signing based on the private key's ASN.1 info.

Looking at the different JWA algorithms, I see some caveats:

• There is no particular file format to capture HMAC keys so for the HS types of algorithms you need to use the HMAC-related parameters to openssl dgst, as documented in the manual. The question Explanation of -hmac flag in open SSL may be helpful.
• Quickly scanning the manual, I do not see any option to change the padding when running openssl dgst. If that is true then you may not be able to use it for the PS types of algorithms because those use RSA signatures with PSS padding (as opposed to the "default" PKCS padding).