
Cannot Verify JWT Using x5c (x509) Public Certificate

UPDATED: I'm trying to verify a JWT access token programmatically using the x5c / x509 public key value below. I can get this working by plugging the token and x5c values into external web sites, but not programmatically using JavaScript / jsrsasign. Any suggestions would be greatly appreciated.

Here is the OIDC provider's public JSON Web Key Set.

    {
        "keys": [
            {
                "kty": "RSA",
                "kid": "server",
                "use": "sig",
                "alg": "RS256",
                "n": "gLZO9w1OT_SWO-KbqiU0k3HevHggiY70XbDqgE1YaqhD-MwFUWNudExzF3oB28NYWYg5v6CJY0F-pUNtgukDM6ARDlh0n4xIvBRlnUnCTCx7pYOjpfXbTv49tlXmh4-ddh8EeQBLrF92u5UYs0tnZd8843mvYWohUNH1X1hM08-hpk7xCiy4XdwbeSlH757D2d5E0J0dGtZ744-dB2ZRCw2Vms_mk4Yyny4ifx2j2gIhikbb7WGmsTR2sWrtuhgZ_EBNUvrD0O54xbhQNTTFQ1pi9UZxo_gYc5Gp5fLcSOK6SDBKXbDS5hhy1vFyoa0xdgFv-xpem7YzmkKqzfjC9w",
                "e": "AQAB",
                "x5c": [
                    "MIIDMDCCAhigAwIBAgIEFIopYzANBgkqhkiG9w0BAQsFADBaMQkwBwYDVQQGEwAxCTAHBgNVBAgTADEJMAcGA1UEBxMAMQkwBwYDVQQKEwAxCTAHBgNVBAsTADEhMB8GA1UEAxMYZmNpc2Rldi5pY2UuaWJtY2xvdWQuY29tMB4XDTE4MTAwMTE4MTYyOFoXDTI4MDkyODE4MTYyOFowWjEJMAcGA1UEBhMAMQkwBwYDVQQIEwAxCTAHBgNVBAcTADEJMAcGA1UEChMAMQkwBwYDVQQLEwAxITAfBgNVBAMTGGZjaXNkZXYuaWNlLmlibWNsb3VkLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIC2TvcNTk/0ljvim6olNJNx3rx4IImO9F2w6oBNWGqoQ/jMBVFjbnRMcxd6AdvDWFmIOb+giWNBfqVDbYLpAzOgEQ5YdJ+MSLwUZZ1Jwkwse6WDo6X1207+PbZV5oePnXYfBHkAS6xfdruVGLNLZ2XfPON5r2FqIVDR9V9YTNPPoaZO8QosuF3cG3kpR++ew9neRNCdHRrWe+OPnQdmUQsNlZrP5pOGMp8uIn8do9oCIYpG2+1hprE0drFq7boYGfxATVL6w9DueMW4UDU0xUNaYvVGcaP4GHORqeXy3EjiukgwSl2w0uYYctbxcqGtMXYBb/saXpu2M5pCqs34wvcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAdtN9znA9a6luPAQurcQn8kJBlllslRWsNPMhPWpMtYaMLx6JhmDICGbaYZBGUboedwnUaEk6tE2b+EVlUE/tnaKVJms2cmCCFExQQrTHmRfFI/Vi/esVqAnz1E2dB61LMnQ2AeebXAZ/C7hRt1uXVboXr5Zokppr4FRS9QsjSK4dhcXxhfglTKJOPZ4dkSexhe6hybpL8XdGhoyf2SyNXCy5iYX0zQ5BmJaLimOcJyasZ/A7/YgsVbQyAe6Ubno6/sIUuOZ+J+snZsBSLViqcftGVPUkIWamv/yNQcEJrDWa4C+sr+9Yb7uFjuj4gDY0jvGkGmu53g0K8Vks+IfAdQ=="
                ],
                "x5t#S256": "nTAGJuFFrm-vNBdkLVNmuePwTmlXr0T87IppgJPRT9k"
            }
        ]
    }

Here is the code I'm using to verify the access token with the x5c. I'm under the impression I should be using the x5c value, but if there is another way, that is fine with me. I just need to verify the token with the above values under keys.

    // break line every 64 characters (PEM line length)
    x5cValue = x5cValue.replace(/(.{64})/g, "$1\n");

    // base64 decode: atob() returns the raw DER bytes as a binary string
    var x5cValueAtob = atob(x5cValue);

    // Add BEGIN / END certificate markers around the decoded value
    x5cValue = "-----BEGIN CERTIFICATE-----\n" + x5cValueAtob + "\n-----END CERTIFICATE-----";

    // verify the compact JWS against the key material, allowing only RS256
    var decoded = KJUR.jws.JWS.verify(accessTokenJson, rawContent, ["RS256"]);

Should I be adding the BEGIN / END PUBLIC KEY strings to the x5c value before / after base64 decode? Yes, thanks to Adam.

Do I need to process the x5c value before verify?

Returned response - decoded: false

Thank you in advance.

This answer may not help you answer all your questions, but I have to write it to improve the solution's security.

I'm under the impression I should be using the x5c value,
Do I need to process the x5c value before verify?

From the security point of view - do not use the x5c certificate to validate the signature directly. In that case anybody could just provide their own certificate and spoof any identity.

The purpose of the x5t / x5t#S256 header is to identify the signer - check that you trust the certificate provided by x5c or x5t#S256 (or its issuer) under the specified iss, and only then should you validate the signature. The x5t headers enable your service to validate tokens from multiple IdPs (identity providers / token issuers) or enable renewing the signer's certificate without losing the trust of the service providers.

If you trust only a single identity provider using a single certificate, you may just directly use the provider's certificate without doing anything with the provided header.

For the solution - it seems Adam is right in the comments; I as well suggest you use the KEYUTIL to load/parse the certificate.

I spent a day scratching my head and finally got it working like this:

    import java.io.ByteArrayInputStream;
    import java.io.IOException;
    import java.security.PublicKey;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import java.util.Base64;

    // Accepts either the bare base64 DER from a JWKS x5c entry or a PEM-wrapped certificate.
    public static PublicKey getPublicKey(String x5c) throws CertificateException, IOException {
        // Strip PEM armour and line breaks if present; a raw x5c value has neither.
        String stripped = x5c.replaceAll("-----BEGIN (.*)-----", "");
        stripped = stripped.replaceAll("-----END (.*)-----", "");
        stripped = stripped.replaceAll("\\r?\\n", "").trim();   // trim() returns a new String, so assign it
        byte[] certBytes = Base64.getDecoder().decode(stripped);
        // Parse the DER certificate and pull out the embedded public key.
        CertificateFactory fact = CertificateFactory.getInstance("X.509");
        X509Certificate cer = (X509Certificate) fact.generateCertificate(new ByteArrayInputStream(certBytes));
        return cer.getPublicKey();
    }
