如何使用 JWK 验证采用 ES256 算法的 JWT?
How to Validate JWT using JWK for ES256 alg?
我有如下 JWT:
// Compact JWS (header.payload.signature). The header declares alg ES256 and the same kid as the JWK shown below.
var signedJwt = "eyJhbGciOiJFUzI1NiIsImtpZCI6IjZjNTUxNmUxLTkyZGMtNDc5ZS1hOGZmLTVhNTE5OTJlMDAwMSIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1OTY3MzA4ODMsInJlcXVlc3RfYm9keV9zaGEyNTYiOiI4NDMyODhkMWMxYmM0NzhlMTBhOTM2NWQ1YjIzY2U5ZWZlY2E2ZjdkYjA3NDQ3Y2JmNjU4YTg3ZjEzZjI1ZjJmIn0.3yQY6gtNq0lQlx6eNLO_3coGqf2VkX2CBRWam9Lz0dcVvr8h4LkYfuZMwQf1fzZ_XXHEV_o17LciyBC-O72UUw"
并且拿到了如下公钥(JWK 格式):
{
"alg": "ES256",
"created_at": 1560466143,
"crv": "P-256",
"expired_at": null,
"kid": "6c5516e1-92dc-479e-a8ff-5a51992e0001",
"kty": "EC",
"use": "sig",
"x": "35lvC8uz2QrWpQJ3TUH8t9o9DURMp7ydU518RKDl20k",
"y": "I8BuXB2bvxelzJAd7OKhd-ZwjCst05Fx47Mb_0ugros"
}
我正在尝试使用 C# 中的 Jose 库进行解码
// Passing JwsAlgorithm.ES256 pins the expected algorithm. The declaration of publicKey is not shown;
// presumably it is the JWK JSON itself rather than a CngKey/ECDsa object, which is what the error below reports.
var claims = Jose.JWT.Decode(signedJwt, publicKey, JwsAlgorithm.ES256);
每次我得到一个错误:
EcdsaUsingSha algorithm expects key to be of either CngKey or ECDsa types.
我猜是我使用密钥的方式不正确,但我找不到任何方法把 JSON 格式的密钥转换成 PEM 或其他可用的格式。
您可以根据 JWK 创建一个 EccKey 类型的密钥,例如:
using Jose;
using Microsoft.AspNetCore.WebUtilities;
using Security.Cryptography;
using System;
using System.Text.Json;
namespace josejwttest
{
/// <summary>
/// Plain data holder for the EC public key published as a JWK.
/// Property names are kept lowercase so they line up with the JSON member names
/// when the document is read with <c>JsonSerializer.Deserialize</c>.
/// </summary>
public class JWK
{
    /// <summary>Signature algorithm the key is meant for ("ES256" in the sample).</summary>
    public string alg { get; set; }

    /// <summary>Creation time as published by the issuer; absent or null maps to null.</summary>
    public int? created_at { get; set; }

    /// <summary>Curve name ("P-256" in the sample).</summary>
    public string crv { get; set; }

    /// <summary>Expiry as published by the issuer; null in the sample.</summary>
    public int? expired_at { get; set; }

    /// <summary>Key identifier; the sample token's header carries the same value.</summary>
    public string kid { get; set; }

    /// <summary>Key type ("EC" in the sample).</summary>
    public string kty { get; set; }

    /// <summary>Intended use ("sig" in the sample).</summary>
    public string use { get; set; }

    /// <summary>Base64Url-encoded X coordinate of the public point.</summary>
    public string x { get; set; }

    /// <summary>Base64Url-encoded Y coordinate of the public point.</summary>
    public string y { get; set; }
}
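class Program
{
    /// <summary>
    /// Demo: verifies the ES256 signature of a sample JWT with the EC public key
    /// published as a JWK, then prints the verified payload.
    /// </summary>
    /// <param name="args">Unused.</param>
    static void Main(string[] args)
    {
        var signedJwt = "eyJhbGciOiJFUzI1NiIsImtpZCI6IjZjNTUxNmUxLTkyZGMtNDc5ZS1hOGZmLTVhNTE5OTJlMDAwMSIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1OTY3MzA4ODMsInJlcXVlc3RfYm9keV9zaGEyNTYiOiI4NDMyODhkMWMxYmM0NzhlMTBhOTM2NWQ1YjIzY2U5ZWZlY2E2ZjdkYjA3NDQ3Y2JmNjU4YTg3ZjEzZjI1ZjJmIn0.3yQY6gtNq0lQlx6eNLO_3coGqf2VkX2CBRWam9Lz0dcVvr8h4LkYfuZMwQf1fzZ_XXHEV_o17LciyBC-O72UUw";
        // "crv" is "P-256" as in the published JWK; the listing carried a stray space ("P -256").
        var jwkJson = "{\"alg\": \"ES256\",\"created_at\": 1560466143, \"crv\": \"P-256\", \"expired_at\": null, \"kid\": \"6c5516e1-92dc-479e-a8ff-5a51992e0001\", \"kty\": \"EC\", \"use\": \"sig\", \"x\": \"35lvC8uz2QrWpQJ3TUH8t9o9DURMp7ydU518RKDl20k\", \"y\": \"I8BuXB2bvxelzJAd7OKhd-ZwjCst05Fx47Mb_0ugros\"}";

        var jwk = JsonSerializer.Deserialize<JWK>(jwkJson);
        if (jwk == null)
        {
            throw new InvalidOperationException("JWK document is empty.");
        }

        // Refuse to build a key from coordinates unless the JWK really describes a
        // P-256 signing key; x/y alone say nothing about curve or purpose.
        if (jwk.kty != "EC" || jwk.crv != "P-256")
        {
            throw new NotSupportedException("Only EC keys on curve P-256 can verify ES256 signatures.");
        }
        if ((jwk.alg != null && jwk.alg != "ES256") || (jwk.use != null && jwk.use != "sig"))
        {
            throw new NotSupportedException("The JWK is not designated for ES256 signature verification.");
        }
        // NOTE(review): expired_at is null in the sample. A non-null value should be checked against
        // the current time before the key is trusted; its unit is not shown here, confirm with the issuer.

        // The header is unverified at this point, so kid is used only to confirm that the
        // key at hand is the one the token names. The key itself must come from a trusted source.
        var header = Jose.JWT.Headers(signedJwt);
        header.TryGetValue("kid", out var tokenKid);
        if (!string.Equals(tokenKid?.ToString(), jwk.kid, StringComparison.Ordinal))
        {
            throw new InvalidOperationException("The token's kid does not match the supplied JWK.");
        }

        // JWK coordinates are Base64Url (no padding, '-' and '_'), not standard Base64.
        byte[] x = WebEncoders.Base64UrlDecode(jwk.x);
        byte[] y = WebEncoders.Base64UrlDecode(jwk.y);
        if (x.Length != 32 || y.Length != 32)
        {
            throw new FormatException("P-256 coordinates must be exactly 32 bytes each.");
        }

        // EccKey.New wraps the point in a CNG key, one of the two key types the ES256 verifier
        // accepts (the library's error message names CngKey and ECDsa).
        using (var publicECCKey = EccKey.New(x, y))
        {
            // Naming JwsAlgorithm.ES256 explicitly pins the algorithm instead of trusting the
            // token header. Decode throws when the signature does not verify.
            var claims = Jose.JWT.Decode(signedJwt, publicECCKey, JwsAlgorithm.ES256);

            // A valid signature only proves who issued the payload. The caller still has to
            // check iat for freshness (this token has no exp) and compare request_body_sha256
            // with the SHA-256 of the request body actually received.
            Console.WriteLine(claims);
        }
    }
}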
}
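JWK 中的 x 和 y 是以 Base64Url 编码的,所以需要用 Base64Url 解码器将它们转换为 byte[]。我使用了 WebEncoders.Base64UrlDecode,但您当然可以使用任何其他实现。注意 Base64Url 与标准 Base64 不同(使用 - 和 _,并且省略填充),不能直接用 Convert.FromBase64String 解码。另外,Decode 成功只说明签名有效;负载中的 iat 和 request_body_sha256 等声明仍需由调用方自行校验。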
我有如下 JWT:
// Compact JWS (header.payload.signature). The header declares alg ES256 and the same kid as the JWK shown below.
var signedJwt = "eyJhbGciOiJFUzI1NiIsImtpZCI6IjZjNTUxNmUxLTkyZGMtNDc5ZS1hOGZmLTVhNTE5OTJlMDAwMSIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1OTY3MzA4ODMsInJlcXVlc3RfYm9keV9zaGEyNTYiOiI4NDMyODhkMWMxYmM0NzhlMTBhOTM2NWQ1YjIzY2U5ZWZlY2E2ZjdkYjA3NDQ3Y2JmNjU4YTg3ZjEzZjI1ZjJmIn0.3yQY6gtNq0lQlx6eNLO_3coGqf2VkX2CBRWam9Lz0dcVvr8h4LkYfuZMwQf1fzZ_XXHEV_o17LciyBC-O72UUw"
并且拿到了如下公钥(JWK 格式):
{
"alg": "ES256",
"created_at": 1560466143,
"crv": "P-256",
"expired_at": null,
"kid": "6c5516e1-92dc-479e-a8ff-5a51992e0001",
"kty": "EC",
"use": "sig",
"x": "35lvC8uz2QrWpQJ3TUH8t9o9DURMp7ydU518RKDl20k",
"y": "I8BuXB2bvxelzJAd7OKhd-ZwjCst05Fx47Mb_0ugros"
}
我正在尝试使用 C# 中的 Jose 库进行解码
// Passing JwsAlgorithm.ES256 pins the expected algorithm. The declaration of publicKey is not shown;
// presumably it is the JWK JSON itself rather than a CngKey/ECDsa object, which is what the error below reports.
var claims = Jose.JWT.Decode(signedJwt, publicKey, JwsAlgorithm.ES256);
每次我得到一个错误:
EcdsaUsingSha algorithm expects key to be of either CngKey or ECDsa types.
我猜是我使用密钥的方式不正确,但我找不到任何方法把 JSON 格式的密钥转换成 PEM 或其他可用的格式。
您可以根据 JWK 创建一个 EccKey 类型的密钥,例如:
using Jose;
using Microsoft.AspNetCore.WebUtilities;
using Security.Cryptography;
using System;
using System.Text.Json;
namespace josejwttest
{
/// <summary>
/// Plain data holder for the EC public key published as a JWK.
/// Property names are kept lowercase so they line up with the JSON member names
/// when the document is read with <c>JsonSerializer.Deserialize</c>.
/// </summary>
public class JWK
{
    /// <summary>Signature algorithm the key is meant for ("ES256" in the sample).</summary>
    public string alg { get; set; }

    /// <summary>Creation time as published by the issuer; absent or null maps to null.</summary>
    public int? created_at { get; set; }

    /// <summary>Curve name ("P-256" in the sample).</summary>
    public string crv { get; set; }

    /// <summary>Expiry as published by the issuer; null in the sample.</summary>
    public int? expired_at { get; set; }

    /// <summary>Key identifier; the sample token's header carries the same value.</summary>
    public string kid { get; set; }

    /// <summary>Key type ("EC" in the sample).</summary>
    public string kty { get; set; }

    /// <summary>Intended use ("sig" in the sample).</summary>
    public string use { get; set; }

    /// <summary>Base64Url-encoded X coordinate of the public point.</summary>
    public string x { get; set; }

    /// <summary>Base64Url-encoded Y coordinate of the public point.</summary>
    public string y { get; set; }
}
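class Program
{
    /// <summary>
    /// Demo: verifies the ES256 signature of a sample JWT with the EC public key
    /// published as a JWK, then prints the verified payload.
    /// </summary>
    /// <param name="args">Unused.</param>
    static void Main(string[] args)
    {
        var signedJwt = "eyJhbGciOiJFUzI1NiIsImtpZCI6IjZjNTUxNmUxLTkyZGMtNDc5ZS1hOGZmLTVhNTE5OTJlMDAwMSIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1OTY3MzA4ODMsInJlcXVlc3RfYm9keV9zaGEyNTYiOiI4NDMyODhkMWMxYmM0NzhlMTBhOTM2NWQ1YjIzY2U5ZWZlY2E2ZjdkYjA3NDQ3Y2JmNjU4YTg3ZjEzZjI1ZjJmIn0.3yQY6gtNq0lQlx6eNLO_3coGqf2VkX2CBRWam9Lz0dcVvr8h4LkYfuZMwQf1fzZ_XXHEV_o17LciyBC-O72UUw";
        // "crv" is "P-256" as in the published JWK; the listing carried a stray space ("P -256").
        var jwkJson = "{\"alg\": \"ES256\",\"created_at\": 1560466143, \"crv\": \"P-256\", \"expired_at\": null, \"kid\": \"6c5516e1-92dc-479e-a8ff-5a51992e0001\", \"kty\": \"EC\", \"use\": \"sig\", \"x\": \"35lvC8uz2QrWpQJ3TUH8t9o9DURMp7ydU518RKDl20k\", \"y\": \"I8BuXB2bvxelzJAd7OKhd-ZwjCst05Fx47Mb_0ugros\"}";

        var jwk = JsonSerializer.Deserialize<JWK>(jwkJson);
        if (jwk == null)
        {
            throw new InvalidOperationException("JWK document is empty.");
        }

        // Refuse to build a key from coordinates unless the JWK really describes a
        // P-256 signing key; x/y alone say nothing about curve or purpose.
        if (jwk.kty != "EC" || jwk.crv != "P-256")
        {
            throw new NotSupportedException("Only EC keys on curve P-256 can verify ES256 signatures.");
        }
        if ((jwk.alg != null && jwk.alg != "ES256") || (jwk.use != null && jwk.use != "sig"))
        {
            throw new NotSupportedException("The JWK is not designated for ES256 signature verification.");
        }
        // NOTE(review): expired_at is null in the sample. A non-null value should be checked against
        // the current time before the key is trusted; its unit is not shown here, confirm with the issuer.

        // The header is unverified at this point, so kid is used only to confirm that the
        // key at hand is the one the token names. The key itself must come from a trusted source.
        var header = Jose.JWT.Headers(signedJwt);
        header.TryGetValue("kid", out var tokenKid);
        if (!string.Equals(tokenKid?.ToString(), jwk.kid, StringComparison.Ordinal))
        {
            throw new InvalidOperationException("The token's kid does not match the supplied JWK.");
        }

        // JWK coordinates are Base64Url (no padding, '-' and '_'), not standard Base64.
        byte[] x = WebEncoders.Base64UrlDecode(jwk.x);
        byte[] y = WebEncoders.Base64UrlDecode(jwk.y);
        if (x.Length != 32 || y.Length != 32)
        {
            throw new FormatException("P-256 coordinates must be exactly 32 bytes each.");
        }

        // EccKey.New wraps the point in a CNG key, one of the two key types the ES256 verifier
        // accepts (the library's error message names CngKey and ECDsa).
        using (var publicECCKey = EccKey.New(x, y))
        {
            // Naming JwsAlgorithm.ES256 explicitly pins the algorithm instead of trusting the
            // token header. Decode throws when the signature does not verify.
            var claims = Jose.JWT.Decode(signedJwt, publicECCKey, JwsAlgorithm.ES256);

            // A valid signature only proves who issued the payload. The caller still has to
            // check iat for freshness (this token has no exp) and compare request_body_sha256
            // with the SHA-256 of the request body actually received.
            Console.WriteLine(claims);
        }
    }
}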
}
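JWK 中的 x 和 y 是以 Base64Url 编码的,所以需要用 Base64Url 解码器将它们转换为 byte[]。我使用了 WebEncoders.Base64UrlDecode,但您当然可以使用任何其他实现。注意 Base64Url 与标准 Base64 不同(使用 - 和 _,并且省略填充),不能直接用 Convert.FromBase64String 解码。另外,Decode 成功只说明签名有效;负载中的 iat 和 request_body_sha256 等声明仍需由调用方自行校验。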