智能健康卡令牌验证失败
Validation of Smart Health Card token fails
我正在编写下面的代码来获取 jwt 令牌,我想用它来验证
SMART Health Cards Validation SDK
var jose = require("node-jose");
const {JWS} = require("node-jose");
async function a1(){
try {
const keystore={
keys: [
{
kty: 'EC',
d: 'gLkNmSBFWR67hEu62eVfVWhFbLGl309jOszsocqbexE',
use: 'sig',
crv: 'P-256',
kid: '6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1',
x: '5R2yrryD1ztBYnyKyQF5r5kzPUjnVnmR5pMe7H9ykNU',
y: 'VaqqjG0N2rSuijP9P9QiOjX4XEhIl8k8fzA6FZTSMhY',
alg: 'ES256'
}
]
}
const ks = await jose.JWK.asKeyStore(keystore);
const rawKey = ks.get(keystore.keys[0].kid)
const key = await jose.JWK.asKey(rawKey);
const payload =JSON.stringify({ "iss" : "https://spec.smarthealth.cards/examples/issuer", "sub": "1234567890", "name": "John Doe", "iat": 1516239022});
const token =await jose.JWS.createSign( {format: 'compact'},key).update(payload, "utf8").final();
console.log(token);
}catch (err) {
console.log(err);
}
}
a1();
我正在获取令牌:
eyJhbGciOiJFUzI1NiIsImtpZCI6IjZkODU4MTAyNDAyZGJiZWIwZjliYjcxMWUzZDEzYTEyMjk2ODQ3OTJkYjQ5NDBkYjBkMGU3MWMwOGNhNjAyZTEifQ.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkVyaWMgRC4iLCJyb2xlIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjJ9.dbjb9YHFCWaFYGQYyGDDL1iFvqk1Ed9k3-PAhVx4NtvFml1q0VcpW854IXW_J47f6Vf1otm2WeftVQHjY3K4vg
当我使用这个命令时:
node . --path C:\Users\User\Documents\Saguaro\health-cards-validation-SDK-main\jws.text --type jws
在 sdk 文件中,出现以下错误:
Error
│ · JWS header missing 'zip' property.
│ · Error inflating JWS payload. Did you use raw DEFLATE compression?
│ incorrect header check
│ · JWS verification failed: can't find key with 'kid' = 6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1 in issuer set
请告诉我什么是发行人集以及如何将孩子值放入发行人集中。
另外,放气压缩是什么意思以及如何解决这个问题。
请注意:以上为伪代码
你基本上有两个主要错误:
第一个(我将这两条消息算作一个错误的一部分)
· JWS header missing 'zip' property.
· Error inflating JWS payload. Did you use raw DEFLATE compression?
表示您的令牌格式不正确。
智能健康卡require a compressed payload, using the DEFLATE (see RFC1951) algorithm, and a "zip" header with the value "DEF" to show that the payload is compressed, something I have only seen defined in the JWE RFC,但不适用于 JWS。大多数 JWT 库可能不为签名令牌提供压缩负载,node-jose 也只支持 JWE,因此必须手动完成。
为此,您可以使用 zlib 压缩有效负载并手动添加一个 "zip":"DEF" 到 header:
const zlib = require("zlib");
...
const payload = "{...}" // very long payload, see example in https://mikkel.ca/blog/digging-into-quebecs-proof-of-vaccination/
const payloadBuf = zlib.deflateRawSync(payload)
const token =await jose.JWS.createSign({alg: 'ES256', fields: { zip: 'DEF' }, format: 'compact'}, key).update(payloadBuf, "utf8").final();
第二个错误是:
JWS verification failed: can't find key with 'kid' = 6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1 in issuer set
这意味着为了验证您的令牌,需要由给定的 keyId (kid) 标识的 public 密钥,并且该密钥应在您的“发行者集”中提供。
根据 linked documentation 验证器工具有一个参数
-k, --jwkset <key> path to trusted issuer key set
进一步描述为:a JSON Web Key (JWK) Set, encoding the issuer public signing key
所以基本上你必须将你的密钥库作为 JWKS (JSON Web Key Set) 存储在一个文件中(例如 issuerPublicKeys.json)
如下所示,并在参数中提供该文件的路径。在验证您的令牌期间,验证器将从令牌 header 中读取 kid 并尝试在提供的密钥集中找到相应的密钥。
{
"keys":
[
{
"kty": "EC",
"kid": "6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1",
"use": "sig",
"alg": "ES256",
"crv": "P-256",
"x" : "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
"y" : "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI"
}
]
}
注意:不包括 d 值(私钥),您只应显示 public 密钥。
我下载了package, added some more required data to the payload (example found here),测试了一下,首先出现了上面提到的错误,提供参数--jwkset issuerPublicKeys.json:
后错误消失了
node . --path jws.txt --type jws --jwkset issuerPublicKeys.json
也就是说,可以使用 public 密钥验证 jwt!
密钥集本身也可以被验证:
node . --type jwkset --path issuerPublicKeys.json
使用当前值,结果将是:
Validate Key-Set
│
└─ Error
·
key[6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1]: >'kid' does not match thumbprint in issuer key. expected: a7qE0Y0DyqeOFFREIQSLKfu5WlbckdxVXKFasfcI-Dg, actual:
6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1
Validation completed
提到的指纹与孩子相同。因此,当您将 kid 替换为值“a7qE0Y0DyqeOFFREIQSLKfu5WlbckdxVXKFasfcI-Dg”时,错误消失:
Validate Key-Set
Validation completed
我正在编写下面的代码来获取 jwt 令牌,我想用它来验证 SMART Health Cards Validation SDK
var jose = require("node-jose");
const {JWS} = require("node-jose");
async function a1(){
try {
const keystore={
keys: [
{
kty: 'EC',
d: 'gLkNmSBFWR67hEu62eVfVWhFbLGl309jOszsocqbexE',
use: 'sig',
crv: 'P-256',
kid: '6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1',
x: '5R2yrryD1ztBYnyKyQF5r5kzPUjnVnmR5pMe7H9ykNU',
y: 'VaqqjG0N2rSuijP9P9QiOjX4XEhIl8k8fzA6FZTSMhY',
alg: 'ES256'
}
]
}
const ks = await jose.JWK.asKeyStore(keystore);
const rawKey = ks.get(keystore.keys[0].kid)
const key = await jose.JWK.asKey(rawKey);
const payload =JSON.stringify({ "iss" : "https://spec.smarthealth.cards/examples/issuer", "sub": "1234567890", "name": "John Doe", "iat": 1516239022});
const token =await jose.JWS.createSign( {format: 'compact'},key).update(payload, "utf8").final();
console.log(token);
}catch (err) {
console.log(err);
}
}
a1();
我正在获取令牌:
eyJhbGciOiJFUzI1NiIsImtpZCI6IjZkODU4MTAyNDAyZGJiZWIwZjliYjcxMWUzZDEzYTEyMjk2ODQ3OTJkYjQ5NDBkYjBkMGU3MWMwOGNhNjAyZTEifQ.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkVyaWMgRC4iLCJyb2xlIjoiYWRtaW4iLCJpYXQiOjE1MTYyMzkwMjJ9.dbjb9YHFCWaFYGQYyGDDL1iFvqk1Ed9k3-PAhVx4NtvFml1q0VcpW854IXW_J47f6Vf1otm2WeftVQHjY3K4vg
当我使用这个命令时:
node . --path C:\Users\User\Documents\Saguaro\health-cards-validation-SDK-main\jws.text --type jws
在 sdk 文件中,出现以下错误:
Error
│ · JWS header missing 'zip' property.
│ · Error inflating JWS payload. Did you use raw DEFLATE compression?
│ incorrect header check
│ · JWS verification failed: can't find key with 'kid' = 6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1 in issuer set
请告诉我什么是发行人集以及如何将孩子值放入发行人集中。 另外,放气压缩是什么意思以及如何解决这个问题。 请注意:以上为伪代码
你基本上有两个主要错误:
第一个(我将这两条消息算作一个错误的一部分)
· JWS header missing 'zip' property.
· Error inflating JWS payload. Did you use raw DEFLATE compression?
表示您的令牌格式不正确。
智能健康卡require a compressed payload, using the DEFLATE (see RFC1951) algorithm, and a "zip" header with the value "DEF" to show that the payload is compressed, something I have only seen defined in the JWE RFC,但不适用于 JWS。大多数 JWT 库可能不为签名令牌提供压缩负载,node-jose 也只支持 JWE,因此必须手动完成。
为此,您可以使用 zlib 压缩有效负载并手动添加一个 "zip":"DEF" 到 header:
const zlib = require("zlib");
...
const payload = "{...}" // very long payload, see example in https://mikkel.ca/blog/digging-into-quebecs-proof-of-vaccination/
const payloadBuf = zlib.deflateRawSync(payload)
const token =await jose.JWS.createSign({alg: 'ES256', fields: { zip: 'DEF' }, format: 'compact'}, key).update(payloadBuf, "utf8").final();
第二个错误是:
JWS verification failed: can't find key with 'kid' = 6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1 in issuer set
这意味着为了验证您的令牌,需要由给定的 keyId (kid) 标识的 public 密钥,并且该密钥应在您的“发行者集”中提供。
根据 linked documentation 验证器工具有一个参数
-k, --jwkset <key> path to trusted issuer key set
进一步描述为:a JSON Web Key (JWK) Set, encoding the issuer public signing key
所以基本上你必须将你的密钥库作为 JWKS (JSON Web Key Set) 存储在一个文件中(例如 issuerPublicKeys.json)
如下所示,并在参数中提供该文件的路径。在验证您的令牌期间,验证器将从令牌 header 中读取 kid 并尝试在提供的密钥集中找到相应的密钥。
{
"keys":
[
{
"kty": "EC",
"kid": "6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1",
"use": "sig",
"alg": "ES256",
"crv": "P-256",
"x" : "SVqB4JcUD6lsfvqMr-OKUNUphdNn64Eay60978ZlL74",
"y" : "lf0u0pMj4lGAzZix5u4Cm5CMQIgMNpkwy163wtKYVKI"
}
]
}
注意:不包括 d 值(私钥),您只应显示 public 密钥。
我下载了package, added some more required data to the payload (example found here),测试了一下,首先出现了上面提到的错误,提供参数--jwkset issuerPublicKeys.json:
node . --path jws.txt --type jws --jwkset issuerPublicKeys.json
也就是说,可以使用 public 密钥验证 jwt!
密钥集本身也可以被验证:
node . --type jwkset --path issuerPublicKeys.json
使用当前值,结果将是:
Validate Key-Set
│
└─ Error
·
key[6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1]: >'kid' does not match thumbprint in issuer key. expected: a7qE0Y0DyqeOFFREIQSLKfu5WlbckdxVXKFasfcI-Dg, actual:
6d858102402dbbeb0f9bb711e3d13a1229684792db4940db0d0e71c08ca602e1
Validation completed
提到的指纹与孩子相同。因此,当您将 kid 替换为值“a7qE0Y0DyqeOFFREIQSLKfu5WlbckdxVXKFasfcI-Dg”时,错误消失:
Validate Key-Set
Validation completed