如何使用在线工具手动验证JWT签名 [英] How to manually validate a JWT signature using online tools
问题描述
据我了解,这是验证JWT
签名的简单过程.但是,当我使用一些在线工具为我完成此操作时,它就不匹配了.如何在不使用JWT库的情况下手动验证JWT
签名?我需要一种快速的方法(使用可用的在线工具)来演示此操作.
From what I can understand, it's a straight forward process to validate a JWT
signature. But when I use some online tools to do this for me, it doesn't match. How can I manually validate a JWT
signature without using a JWT library? I'm needing a quick method (using available online tools) to demo how this is done.
我在 https://jwt.io/#debugger-io 上创建了JWT
带有以下信息:
I created my JWT
on https://jwt.io/#debugger-io with the below info:
- 算法:
HS256
- 秘密:
hONPMX3tHWIp9jwLDtoCUwFAtH0RwSK6
- 标题:
- Algorithm:
HS256
- Secret:
hONPMX3tHWIp9jwLDtoCUwFAtH0RwSK6
- Header:
{
"alg": "HS256",
"typ": "JWT"
}
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
- 秘密值更改为上方
- 已检查"秘密base64编码(无论是否已检查,仍会获得不同的值)
- Secret value changed to above
- "Checked" secret base64 encoded (whether this is checked or not, still get a different value)
JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.wDQ2mU5n89f2HsHm1dluHGNebbXeNr748yJ9kUNDNCA
手动JWT
签名验证尝试:
Manual JWT
signature verification attempt:
使用 base64UrlEncode计算器( http://www.simplycalc. com/base64url-encode.php 或 https://www.base64encode.org/)
如果我: (不是网站上的实际价值,请修改以显示该工具最终为我构建的内容)
base64UrlEncode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9") + "." + base64UrlEncode("eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ")
我得到:
ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5.ZXlKemRXSWlPaUl4TWpNME5UWTNPRGt3SWl3aWJtRnRaU0k2SWtwdmFHNGdSRzlsSWl3aWFXRjBJam94TlRFMk1qTTVNREl5ZlE=
注意:如果我应该对已经编码的值进行编码,或者按原样使用已经编码的值,我会感到困惑.
NOTE: there's some confusion on my part if I should be encoding the already encoded values, or use the already encoded values as-is.
(即使用base64UrlEncode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9") + "." + base64UrlEncode("eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ")
和"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ"
).
无论我应该做什么,最终结果仍然与签名不匹配.我倾向于我不要重新编码编码后的值,不管这是真的还是假的.
Regardless on which I should do, the end result still doesn't match the signature. I'm leaning towards that I should NOT re-encode the encoded value, whether that's true or not.
然后使用 HMAC Generator计算器( https://codebeautify.org/hmac-生成器或 https://www.freeformatter.com/hmac-generator .html#ad-output )
(不是网站的实际价值,经过修改以显示这些工具最终将为我构建的东西)
HMACSHA256(
"ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5.ZXlKemRXSWlPaUl4TWpNME5UWTNPRGt3SWl3aWJtRnRaU0k2SWtwdmFHNGdSRzlsSWl3aWFXRjBJam94TlRFMk1qTTVNREl5ZlE=",
"hONPMX3tHWIp9jwLDtoCUwFAtH0RwSK6"
)
哪个会吸引我:
a2de322575675ba19ec272e83634755d4c3c2cd74e9e23c8e4c45e1683536e01
与JWT
的签名部分不匹配:
wDQ2mU5n89f2HsHm1dluHGNebbXeNr748yJ9kUNDNCAM
!= a2de322575675ba19ec272e83634755d4c3c2cd74e9e23c8e4c45e1683536e01
目的:
我需要确认这一点的原因是为了证明无需解码JWT
即可验证JWT
未被篡改的能力.
The reason I'm needing to confirm this is to prove the ability to validate that the JWT
hasn't been tampered with, without decoding the JWT
.
我的客户的Web界面不需要解码JWT
,因此不需要他们安装 jwt软件包.他们只需要做一个简单的验证就可以确认JWT
未被篡改(但是不太可能被篡改),然后再存储JWT
供以后的API调用.
My clients web interface doesn't need to decode the JWT
, so there's no need for them to install a jwt package for doing that. They just need to do a simple validation to confirm the JWT
hasn't been tampered with (however unlikely that may be) before they store the JWT
for future API calls.
推荐答案
这都是格式和编码的问题.
It's all a matter of formats and encoding.
在 https://jwt.io 上,您会根据您的输入值和密码获得此令牌:
On https://jwt.io you get this token based on your input values and secret:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.3pIaKksiX9Zv8Jg-hWbrD24VhL36hBIFaNpA4fVx29M
我们要证明签名:
3pIaKksiX9Zv8Jg-hWbrD24VhL36hBIFaNpA4fVx29M
是正确的.
签名是经过Base64url编码的HMAC-SHA256哈希. (如 RFC7515 中所述)
The signature is a HMAC-SHA256 hash that is Base64url encoded. (as described in RFC7515)
使用在线HMAC生成器来计算哈希值时为
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
秘密
hONPMX3tHWIp9jwLDtoCUwFAtH0RwSK6
您得到
de921a2a4b225fd66ff0983e8566eb0f6e1584bdfa84120568da40e1f571dbd3
结果为
,它是HMAC-SHA256值,但不是Base64url编码的.该哈希是大量的十六进制字符串表示形式.
as result, which is a HMAC-SHA256 value, but not Base64url encoded. This hash is a hexadecimal string representation of a large number.
要将其与 https://jwt.io 中的值进行比较,您需要将其值转换为十六进制字符串表示形式返回一个数字,然后Base64url对其进行编码.
To compare it with the value from https://jwt.io you need to convert the value from it's hexadecimal string representation back to a number and Base64url encode it.
以下脚本正在执行此操作,并且还使用crypto-js计算其自身的哈希值.这也可以让您在没有JWT库的情况下进行验证.
The following script is doing that and also uses crypto-js to calculate it's own hash. This can also be a way for you to verify without JWT libraries.
var CryptoJS = require("crypto-js");
// the input values
var base64Header = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";
var base64Payload = "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ";
var secret = "hONPMX3tHWIp9jwLDtoCUwFAtH0RwSK6";
// two hashes from different online tools
var signatureJWTIO = "3pIaKksiX9Zv8Jg-hWbrD24VhL36hBIFaNpA4fVx29M";
var onlineCaluclatedHS256 = "de921a2a4b225fd66ff0983e8566eb0f6e1584bdfa84120568da40e1f571dbd3";
// hash calculation with Crypto-JS.
// The two replace expressions convert Base64 to Base64url format by replacing '+' with '-'
// and stripping the '=' padding
var base64Signature = CryptoJS.HmacSHA256(base64Header + "." + base64Payload , secret).toString(CryptoJS.enc.Base64).replace(/\+/g,'-').replace(/\=+$/m,'');
// converting the online calculated value to Base64 representation
var base64hash = new Buffer(onlineCaluclatedHS256, 'hex').toString('base64').replace(/\+/g,'-').replace(/\=+$/m,'');
// the results:
console.log("Signature from JWT.IO : " + signatureJWTIO);
console.log("NodeJS calculated hash : " + base64Signature);
console.log("online calulated hash (converted) : " + base64hash);
结果是:
Signature from JWT.IO : 3pIaKksiX9Zv8Jg-hWbrD24VhL36hBIFaNpA4fVx29M
NodeJS calculated hash : 3pIaKksiX9Zv8Jg-hWbrD24VhL36hBIFaNpA4fVx29M
online calulated hash (converted) : 3pIaKksiX9Zv8Jg-hWbrD24VhL36hBIFaNpA4fVx29M
完全相同!
结论:
由不同的在线工具计算出的值都是正确的,但由于格式和编码不同,因此无法直接进行比较. 上面显示的一个小脚本可能是一个更好的解决方案.
The values calculated by the different online tools are all correct but not directly comparable due to different formats and encodings. A little script as shown above might be a better solution.
这篇关于如何使用在线工具手动验证JWT签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!