如何验证在其 headers 中具有 "crit" 值的 JWSObject?

How can I validate a JWSObject that has a "crit" value in its headers?

我正在尝试按照 JOSE 标准使用我在 java 中的 private/public 密钥编写一些代码来签署和验证有效负载。为此,我需要使用 PS256 加密算法。

我正在使用 connect2id 的库 Nimbus JOSE + JWT. I'm able to get to the point where I can sign a payload with a private key I load from the file system, and I can also validate it. However as part of my requirements, my header needs to have a "crit" value (explained as part of RFC-7515)。

我的问题如下:一旦我在 header 中有一个“crit”值,我的令牌验证就会失败(即使“crit”数组中的值存在于我的 jws header,按标准要求)。如果我去掉“crit”,那么签名就被正确验证了。

// create RSA key used for signing. 
RSAKey rsaJWK = new RSAKey.Builder(pub)
  .privateKey(priv)
  .keyUse(KeyUse.SIGNATURE)
  .algorithm(JWSAlgorithm.PS256)
  .keyID("KeyID")
  .build();

// Create RSA-signer with the private key
JWSSigner signer = new RSASSASigner(rsaJWK);

// setting critical values to be used in jws header
Set crit = new HashSet();
crit.add("myHeader");

// setting additional parameters for the jws header
Map myParams = new HashMap();
myParams.put("myHeader", false);

// build the jws header with all the values needed
JWSHeader jwsHeader = new JWSHeader.Builder(JWSAlgorithm.PS256)
  .type(JOSEObjectType.JOSE)
  .contentType("application/json")
  .keyID("KeyID")
  .criticalParams(crit)
  .customParams(myParams)
  .build();


// build the jws object with the header we created above and a static payload for now
JWSObject jwsObject = new JWSObject(jwsHeader, new Payload("{\"message\":\"In RSA we trust!!!\"}"));

// sign the payload
jwsObject.sign(signer);

// print out the token
String s = jwsObject.serialize();
System.out.println("Your token:" + s);



// To parse the JWS and verify it, e.g. on client-side
JWSObject jwsValObj = JWSObject.parse(s);

JWSVerifier verifier = new RSASSAVerifier(pub);

// verify the signature of the parsed token
boolean sigval = jwsValObj.verify(verifier);
System.out.println("Signature Validation passed: " + String.valueOf(sigval)); 

我希望签名得到正确验证,因为“crit”中的值存在于给定的令牌中。 一旦我删除带有 .criticalParams(crit) 的行,验证就会顺利通过。

有人可以帮我解决这个问题吗?我是误会了什么还是漏掉了一些明显的细节?

以下RFC 7515关键headers必须被应用程序理解,因此您需要指示图书馆将它们推迟到应用程序进行处理

查看RSASSAVerifier源码,尝试修改

JWSVerifier verifier = new RSASSAVerifier(pub);

JWSVerifier verifier = new RSASSAVerifier(pub, crit);