I’m using RSA keys to generate JWT tokens. Up until now, we had no problems at all, and it all worked like a charm. Using PS512 as the algorithm. The client (in Perl, using Crypt::JWT) generates a token with it’s private key, adds that to the http Authorization header, and the server takes the JWT token, uses the corresponding public key to validate it.
Now, we want to to use the SSH Agent to generate the signature (because we can’t extract the private key from the SSH Agent). The SSH Agent uses a SHA1 digest of the message and then signs with RSA, which is not supported by JWT, as it would seem.
The question is, then: how can I use the SSH Agent to provide for either a key to give to the JWT library, either a way to use the JWT library to verify a signature generated by the SSH Agent. If at all possible. I’ve tried with RS256 as the algorithm and many others, but obviously it cannot work, since the signature is performed with sha1 as a digest.