diff --git a/scripts/generate-keys.ps1 b/scripts/generate-keys.ps1
new file mode 100644
index 0000000..36438bb
--- /dev/null
+++ b/scripts/generate-keys.ps1
@@ -0,0 +1,30 @@
+# generate-keys.ps1
+# Generates RSA 2048 key pair for JWT RS256 signing
+# Requires: PowerShell 7+ (pwsh)
+# Usage: pwsh -File scripts/generate-keys.ps1
+# Keys are written to src/api/SIGCM2.Api/keys/ (gitignored)
+
+$keysDir = Join-Path $PSScriptRoot "..\src\api\SIGCM2.Api\keys"
+$keysDir = [System.IO.Path]::GetFullPath($keysDir)
+
+if (-not (Test-Path $keysDir)) {
+ New-Item -ItemType Directory -Path $keysDir | Out-Null
+}
+
+$privatePath = Join-Path $keysDir "private.pem"
+$publicPath = Join-Path $keysDir "public.pem"
+
+$rsa = [System.Security.Cryptography.RSA]::Create(2048)
+$priv = $rsa.ExportRSAPrivateKeyPem()
+$pub = $rsa.ExportRSAPublicKeyPem()
+$rsa.Dispose()
+
+Set-Content -Path $privatePath -Value $priv -Encoding UTF8 -NoNewline
+Set-Content -Path $publicPath -Value $pub -Encoding UTF8 -NoNewline
+
+Write-Host "RSA 2048 key pair generated:"
+Write-Host " Private: $privatePath"
+Write-Host " Public: $publicPath"
+Write-Host ""
+Write-Host "IMPORTANT: These files are gitignored. Regenerate on each dev machine."
+Write-Host "For production: set env vars JWT__PrivateKey and JWT__PublicKey (PEM content)."
diff --git a/src/api/SIGCM2.Api/keys/README.md b/src/api/SIGCM2.Api/keys/README.md
new file mode 100644
index 0000000..22b26d6
--- /dev/null
+++ b/src/api/SIGCM2.Api/keys/README.md
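Review bot: The private key at `$privatePath` is written by the Set-Content line with whatever default permissions the process gives it, so under pwsh on Linux/macOS it is typically world-readable and on Windows it inherits the project directory's ACL; tighten the mode immediately after the write (chmod 600 when `-not $IsWindows`, an icacls grant limited to the current user on Windows). The script also silently overwrites an existing pair, which makes every token signed with the old key fail verification, so the write should be guarded by a Test-Path on `$privatePath` plus a `-Force` switch. The header comment says PowerShell 7+, but I believe `ExportRSAPrivateKeyPem` only exists from .NET 7 (pwsh 7.3 or later); confirm and enforce it with `#Requires -Version 7.3` instead of a comment. `$rsa.Dispose()` would be safer inside a try/finally so a failed export does not leave the key material undisposed.

```powershell
#Requires -Version 7.3
param([switch]$Force)
# … unchanged: header comments and $keysDir / path setup …
if ((Test-Path $privatePath) -and -not $Force) {
    throw "Key pair already exists in $keysDir; re-run with -Force to replace it (tokens signed with the old key will stop verifying)."
}
# … unchanged: key generation and the two Set-Content lines …
if (-not $IsWindows) {
    # Private key must not be readable by other local users
    chmod 600 $privatePath
}
# … unchanged: Write-Host summary …
```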
@@ -0,0 +1,28 @@
+# JWT RSA Keys
+
+This directory holds the RSA 2048 key pair used for JWT RS256 signing.
+
+## Files (gitignored)
+
+- `private.pem` — RSA private key (NEVER commit this)
+- `public.pem` — RSA public key (NEVER commit this)
+- `.gitkeep` — keeps this directory tracked in git
+
+## Regenerate keys
+
+Run from the repo root (requires PowerShell 7 / pwsh):
+
+```powershell
+pwsh -File scripts/generate-keys.ps1
+```
+
+## Production
+
+In production, set these environment variables instead of files:
+
+```
+JWT__PrivateKey=
+JWT__PublicKey=
+```
+
+The API's `RsaKeyLoader` checks environment variables first, falls back to files.