问题描述
我想验证一些来自 Microsoft 的 JWT 的签名.我正在使用 Spring-Boot、JJWT 库和以下端点:https://login.microsoftonline.com/common/discovery/v2.0/keys
I'm wanting to verify the signature of some JWTs from Microsoft. I'm using Spring-Boot, the JJWT library and following endpoint: https://login.microsoftonline.com/common/discovery/v2.0/keys
端点返回一个 JSON 公钥数组.这是数组中的一个示例.
The endpoint returns an array of JSON public keys. Here is one example from the array.
{
"kty": "RSA",
"use": "sig",
"kid": "9FXDpbfMFT2SvQuXh846YTwEIBw",
"x5t": "9FXDpbfMFT2SvQuXh846YTwEIBw",
"n": "kvt1VmR4nwkNM8jMU0wmj2gSS8NznbOt2pZI6Z7HQT_esF7W19GZR7Y72Xo1i5zXRDM9o3GeTIjBrnr3yy41Q_EaUQ7C-b-Hmg94Vy7EBZyBhi_mznz0dYWs2MIXwR86Nni9TmgTXvjgTPF2YGJoZt4TwcMFefW8rijCVyNrCBA0XspDouNJavvG0BEMXYigoThFjLRXS5U3h4BDfNZFZZS3dyliNOXfgRn2k7oITz8h_ueiPvmDRFh38AeQgx1cELhKWc3P5ugtttraSwgH7nP2NUguO9nCrHuL6TZ-KWpmRWZqwH-jYKFQVt3CDpzwNM6XJL-oHbl1x-gI3YYX5w",
"e": "AQAB",
"x5c": [
"MIIDBTCCAe2gAwIBAgIQZSAeaqWig4BHC1ksmNNcgjANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTE3MDUwNjAwMDAwMFoXDTE5MDUwNzAwMDAwMFowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJL7dVZkeJ8JDTPIzFNMJo9oEkvDc52zrdqWSOmex0E/3rBe1tfRmUe2O9l6NYuc10QzPaNxnkyIwa5698suNUPxGlEOwvm/h5oPeFcuxAWcgYYv5s589HWFrNjCF8EfOjZ4vU5oE1744EzxdmBiaGbeE8HDBXn1vK4owlcjawgQNF7KQ6LjSWr7xtARDF2IoKE4RYy0V0uVN4eAQ3zWRWWUt3cpYjTl34EZ9pO6CE8/If7noj75g0RYd/AHkIMdXBC4SlnNz+boLbba2ksIB+5z9jVILjvZwqx7i+k2filqZkVmasB/o2ChUFbdwg6c8DTOlyS/qB25dcfoCN2GF+cCAwEAAaMhMB8wHQYDVR0OBBYEFGKpXQNrF5IoxS6bL4F92+gxOJlIMA0GCSqGSIb3DQEBCwUAA4IBAQA3HgW5SoHlvvQVxqqi+mtscDZLhNfe13iG/nx8Er5il82b79RVydNs+f9sYxc4T4ctnrZu7x5e7jInJedNdAlrPorBdw+SfvKJsmiNndXugMew1FlcQTQVIFDCbziaJav8rKyMxPfeKkc1aixbajWZkKg6OPmmJn2ceTocbn8PMQy20xNvcWUwgF5FZZIuPqu6feOLJcUIYw+0JFZ265xka30QXpmytcIxajIzpD4PRdCIBuVSqgXacAs4t4+w+OhnosD72yvXck8M4GwX1j+vcuyw0yhDGNMmqsHWP7H3jnJiGDrKhhdVyplzDhTfv2Whbv/dIDn+meLE3yyC5yGL"
],
"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"
}
在 JJWT 中,我实现了 SigningKeyResolver 接口,我需要返回一个 RSAPublicKey 实例来进行验证.我遇到的问题是从 JSON 正确创建该密钥.
In JJWT I've implemented the SigningKeyResolver interface and I am required to return an instance of RSAPublicKey to do the verification. The issue I'm having is creating that Key correctly from the JSON.
我是否从模数和指数开始?
Do I start with the Modulus and Exponent?
BigInteger modulus = new BigInteger(1, Base64.decodeBase64(jsonKey.getN()));
BigInteger exponent = new BigInteger(1, Base64.decodeBase64(jsonKey.getE()));
publicKey = KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, exponent));
我是否从 x5c 开始,生成一个 X509Certificate 对象并从那里提取 PublicKey?
Do I start with the x5c, generate an X509Certificate object and pull the PublicKey from there?
CertificateFactory factory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) factory
.generateCertificate(new ByteArrayInputStream(
DatatypeConverter.parseBase64Binary(jsonKey.getX5c())));
publicKey = (RSAPublicKey)cert.getPublicKey();
这两种方法都被证明是徒劳的.
Both approaches have proved fruitless.
如果我从模数和指数生成 RSAPublicKey,我应该能够打印 Base64Binary 编码的密钥以匹配 x5c 属性吗?也许这不是我应该验证的方式.
If I generated the RSAPublicKey from the modulus and exponent should I be able to print the Base64Binary encoded key to match the x5c property? Maybe that's not how I should be validating.
我可能误解了如何使用它.
与往常一样,我们也欢迎任何文档.
As always, any documentation is appreciated as well.
推荐答案
x5c
包含认证链.链的第一个证书必须与 JWK 中其他值表示的密钥值匹配,在本例中为 n
和 e
,因此从 x5c[0]
和 n
和 e
构建的必须完全相同
x5c
contains the certification chain. The first certificate of the chain must match with the key value represented by the other values in the JWK, in this case n
and e
, therefore the public key extracted from x5c[0]
and the one built with n
and e
must be exactly the same
JWK 值在 base64url 中编码,而不是在 base64 中.改变
JWK values are encoded in base64url, not in base64. Change
BigInteger modulus = new BigInteger(1, Base64.decodeBase64(jsonKey.getN()));
BigInteger exponent = new BigInteger(1, Base64.decodeBase64(jsonKey.getE()));
与
BigInteger modulus = new BigInteger(1, Base64.getUrlDecoder().decode(jsonKey.getN()));
BigInteger exponent = new BigInteger(1, Base64.getUrlDecoder().decode(jsonKey.getE()));
这篇关于使用公钥端点验证 JWT 签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!