Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

Create JWS Using Private Key on a Smart Card

See more JSON Web Signatures (JWS) Examples

Creates and validates a JSON Web Signature (JWS) using the private key associated with a certificate on a smart card.

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.PublicKey,
  Chilkat.Jws,
  Chilkat.Cert,
  Chilkat.JsonObject;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  success: Boolean;
  cert: TCert;
  jwsProtHdr: TJsonObject;
  jws: TJws;
  signatureIndex: Integer;
  bIncludeBom: Boolean;
  payloadStr: string;
  jwsCompact: string;
  jws2: TJws;
  pubKey: TPublicKey;
  v: Integer;
  joseHeader: TJsonObject;

begin
  success := False;

  //  This requires the Chilkat API to have been previously unlocked.
  //  See Global Unlock Sample for sample code.

  //  Load the certificate from a smart card.
  cert := TCert.Create;

  //  Set the smarcard PIN prior to loading
  cert.SmartCardPin := '123456';

  //  Detect the connected smartcard or USB security token and load the default certificate.
  success := cert.LoadFromSmartcard('');
  if (success = False) then
    begin
      WriteLn(cert.LastErrorText);
      Exit;
    end;

  //  Note: Chilkat provides many different ways to load a certificate from a smartcard or USB token,
  //  such as selecting a certificate if the card contains multiple certificates with private keys,
  //  or working with lower-level PKCS11 or ScMinidriver API's (both of which Chilkat provides).

  //  Create the JWS Protected Header
  jwsProtHdr := TJsonObject.Create;

  if (cert.IsEcdsa() = True) then
    begin
      jwsProtHdr.AppendString('alg','ES256');
    end
  else
    begin
      jwsProtHdr.AppendString('alg','RS256');
    end;

  jws := TJws.Create;

  //  Set the protected header:
  signatureIndex := 0;
  jws.SetProtectedHeader(signatureIndex,jwsProtHdr);

  //  Provide the private key via the certificate.
  //  This requires Chilkat v11.5.0 or greater.
  jws.SetSigningCert(signatureIndex,cert);

  //  Set the payload.
  bIncludeBom := False;
  payloadStr := 'In our village, folks say God crumbles up the old moon into stars.';
  jws.SetPayload(payloadStr,'utf-8',bIncludeBom);

  //  Create the JWS
  //  By default, the compact serialization is used.
  jwsCompact := jws.CreateJws();
  if (jws.LastMethodSuccess = False) then
    begin
      WriteLn(jws.LastErrorText);
      Exit;
    end;

  WriteLn('JWS: ' + jwsCompact);

  //  sample output:
  //  JWS: eyJhbGciOiJQUzI1NiJ9.SW4gb3VyIHZpbGxhZ2UsIGZvbGtzIHNheSBHb2QgY3J1bWJsZXMgdXAgdGhlIG9sZCBtb29uIGludG8gc3RhcnMu.TRWhwRo5dMv9-8OzrInfJTwmUGYgjLfHk8lqF072ND-FmLWEBnUTOpY8oJXp8FdWw2SalbdOeNlrtlJjwk4XK8Ql2iJ_2qMCtxsvLPhKBOqFoAF4aBvTOEDVJDxf0DaBSiydEEtfTVV2iwBcjWabu5J2XieR5y7QZQtuHsn7T3qKBvCcCejN3Y2oqAT3qMHvu1fTms1r_91wBn_K7Wjd9UkZ1n02qQcUHJznR_OF2BgN7_KWIDAF9ZS9keoju2NPpPelO4yxa2XUPnehY3G7dHKoCxUEQR4d2Xc5voqDASTVCDqQS4PVOZdvT3Ein6-SanAlCwbWBbkvT8g6-5PImQ

  //  Now load the JWS, validate, and recover the original text.
  jws2 := TJws.Create;

  //  Load the JWS.
  success := jws2.LoadJws(jwsCompact);

  pubKey := TPublicKey.Create;
  cert.GetPublicKey(pubKey);

  //  Set the public key used for validation.
  signatureIndex := 0;
  jws2.SetPublicKey(signatureIndex,pubKey);

  //  Validate the 1st (and only) signature at index 0..
  v := jws2.Validate(signatureIndex);
  if (v < 0) then
    begin
      //  Perhaps Chilkat was not unlocked or the trial expired..
      WriteLn('Method call failed for some other reason.');
      WriteLn(jws2.LastErrorText);
      Exit;
    end;
  if (v = 0) then
    begin
      WriteLn('Invalid signature.  The key was incorrect, the JWS was invalid, or both.');
      Exit;
    end;

  //  If we get here, the signature was validated..
  WriteLn('Signature validated.');

  //  Recover the original content:
  WriteLn(jws2.GetPayload('utf-8'));

  //  Examine the protected header:

  joseHeader := TJsonObject.Create;
  success := jws2.GetProtectedH(signatureIndex,joseHeader);
  if (success = False) then
    begin
      WriteLn(jws2.LastErrorText);
      Exit;
    end;

  joseHeader.EmitCompact := False;

  WriteLn('Protected (JOSE) header:');
  WriteLn(joseHeader.Emit());

  //  Output:

  //  	Signature validated.
  //  	In our village, folks say God crumbles up the old moon into stars.
  //  	Protected (JOSE) header:
  //  	{ 
  //  	  "alg": "RS256"
  //  	}


  cert.Free;
  jwsProtHdr.Free;
  jws.Free;
  jws2.Free;
  pubKey.Free;
  joseHeader.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.