受保护 Header JWS
Protected Header JWS
我正在努力理解 this blog post about JOSE。在关于 JWS 的部分,它说了以下内容:
Including the public key in the protected header would not only give
the server the ability the validate the signature, we will also be
sure that it is the correct one since the protected header is
integrity protected!
这就是示例 object 的样子:
{
"payload": "eyAKICAgICAgICAiZnJvbSI6ewogICAgICAgICAgICAibmFtZSI6ICJUaW0gWXNld3luIiwKICAgICAgICAgICAgImFjY291bnQiOiAiQ2hlY2tpbmcgYWNjb3VudCIKICAgICAgICB9LAogICAgICAgICJ0byI6ewogICAgICAgICAgICAibmFtZSI6ICJUaW0gWXNld3luIiwKICAgICAgICAgICAgImFjY291bnQiOiAiU2F2aW5ncyBhY2NvdW50IgogICAgICAgIH0sCiAgICAgICAgImFtb3VudCI6IDI1MAogICAgICAgICJjdXJyZW5jeSI6ICJFVVIiCiAgICB9",
"protected": "eyAKICAgICAgICAiYWxnIjogIlJTMjU2IgogICAgfQ==",
"header": {
"signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU01Q"
}
}
受保护的 header 是 base64url 编码:
{
"alg": "ES256"
}
我能找到的关于将 public 键放入其中的唯一参考是使用键 ID 字段 kid,如下所示:
{"alg":"RSA1_5","kid":"2011-04-29"}
post 指的是这个吗?或者它指的是其他东西(比如将整个 public 密钥放入受保护的 header 中,如:
{"alg":"RSA1_5","key":"somepublickeyhere"}
你走在正确的道路上。这篇文章大概指的是"jwk"header参数在RFC-7515中定义如下:
The "jwk" (JSON Web Key) Header Parameter is the public key that
corresponds to the key used to digitally sign the JWS. This key is
represented as a JSON Web Key.
JSON Web Key (JWK) 是 RFC-7517 中定义的 JOSE 的另一部分。它定义了如何以 JSON 格式表示加密密钥,以便它们可以传输,例如在 JWS header 中。 JWK 格式的 RSA 密钥可能如下所示:
{
"kty":"RSA",
"n": "0vx7 (...) DKgw",
"e":"AQAB",
"alg":"RS256",
"kid":"2011-04-29"
}
并且(受保护的)JWS header 携带密钥,如文章中所述,因此可能如下所示:
{
"alg": "RS256",
"jwk": {
"kty":"RSA",
"n": "0vx7 (...) DKgw",
"e":"AQAB",
"alg":"RS256",
"kid":"2011-04-29"
}
}
我正在努力理解 this blog post about JOSE。在关于 JWS 的部分,它说了以下内容:
Including the public key in the protected header would not only give the server the ability the validate the signature, we will also be sure that it is the correct one since the protected header is integrity protected!
这就是示例 object 的样子:
{
"payload": "eyAKICAgICAgICAiZnJvbSI6ewogICAgICAgICAgICAibmFtZSI6ICJUaW0gWXNld3luIiwKICAgICAgICAgICAgImFjY291bnQiOiAiQ2hlY2tpbmcgYWNjb3VudCIKICAgICAgICB9LAogICAgICAgICJ0byI6ewogICAgICAgICAgICAibmFtZSI6ICJUaW0gWXNld3luIiwKICAgICAgICAgICAgImFjY291bnQiOiAiU2F2aW5ncyBhY2NvdW50IgogICAgICAgIH0sCiAgICAgICAgImFtb3VudCI6IDI1MAogICAgICAgICJjdXJyZW5jeSI6ICJFVVIiCiAgICB9",
"protected": "eyAKICAgICAgICAiYWxnIjogIlJTMjU2IgogICAgfQ==",
"header": {
"signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU01Q"
}
}
受保护的 header 是 base64url 编码:
{
"alg": "ES256"
}
我能找到的关于将 public 键放入其中的唯一参考是使用键 ID 字段 kid,如下所示:
{"alg":"RSA1_5","kid":"2011-04-29"}
post 指的是这个吗?或者它指的是其他东西(比如将整个 public 密钥放入受保护的 header 中,如:
{"alg":"RSA1_5","key":"somepublickeyhere"}
你走在正确的道路上。这篇文章大概指的是"jwk"header参数在RFC-7515中定义如下:
The "jwk" (JSON Web Key) Header Parameter is the public key that corresponds to the key used to digitally sign the JWS. This key is represented as a JSON Web Key.
JSON Web Key (JWK) 是 RFC-7517 中定义的 JOSE 的另一部分。它定义了如何以 JSON 格式表示加密密钥,以便它们可以传输,例如在 JWS header 中。 JWK 格式的 RSA 密钥可能如下所示:
{
"kty":"RSA",
"n": "0vx7 (...) DKgw",
"e":"AQAB",
"alg":"RS256",
"kid":"2011-04-29"
}
并且(受保护的)JWS header 携带密钥,如文章中所述,因此可能如下所示:
{
"alg": "RS256",
"jwk": {
"kty":"RSA",
"n": "0vx7 (...) DKgw",
"e":"AQAB",
"alg":"RS256",
"kid":"2011-04-29"
}
}