validating a JWT generated by WSO2 APIM 1.9.0: what's the public key?


Problem description

I'm trying to do something that seemed simple but ends up being difficult because I lack the expertise.

I have an APIM deployed with no customisation security-wise (don't worry, it's not production!). So it's only got carbon.jks.

I authenticate users in an application with SAML2 against an IDS, then use the APIM with an app secret for a user token generated from the SAML2 token. I get from the APIM an OAuth token which I use to call APIs in the APIM. (note that I managed to resolve this thanks to another post here some time ago :-) )

The backend that implements the APIs receives a JWT as a result, with header, user information and app information, and a signature. For my first tests I wrote my own "hello world" backend, that logs the JWT.

I use http://jwt.io which manages to read my JWT without any problem. But it tells me the signature is invalid. To make the signature valid I would need a valid public key.

I don't know where to find that key.

I have run the command line described in RSA Public Key of WSO2carbon and generated a .cert file. I have examined the .cert file in portecle (http://portecle.sourceforge.net/) but found nothing of interest, however opening it in Windows gave me a field "public key", which looks like "30 81 89 02 81 81 00 94 a[...]", quite long and obviously hex.

I tried this, and also its base64-encoded representation, in http://jwt.io but no success.

Because I was wondering where my public key is, I have also read: How to validate a JWT from WSO2 API Manager (and the referenced link https://asankad.org/2013/12/05/obtaining-certificate-used-to-sign-a-jwt/ ) However the code provided is a bit on its own, with not even a mention of language. I assume it's node.js, but no info about libs or anything.

Here are some more precise questions:

  • WSO2 APIM offers only SHA256withRSA (which is a flavor of SHA2 IIUC). The wso2carbon.jks cert that I found was sha1. So I'm supposing that could not have worked anyway. How can APIM generate SHA256 with SHA1 certificates?
  • WSO2 APIM offers only SHA256withRSA. http://jwt.io gives the choice between RS256 and HS256, one uses a key, the other a secret (public/private). I'm guessing I need to use RS256? (but again the only keys I have seem to come from SHA1 certs)
  • has anyone succeeded in what I'm doing? Install WSO2 APIM, generate a JWT and validate the JWT against http://jwt.io, including signature?
  • If I use a lib such as https://github.com/tymondesigns/jwt-auth to validate the JWT, will it work? I was told that this lib doesn't support SHA256.
  • in the APIM I'm in a tenancy, called sandbox. If I go to the super-tenancy carbon I see wso2carbon.jks. If I go to my own tenancy's carbon I see sandbox.jks, but it's empty, and on the deployment machine there's no corresponding file. How does that work out, does the tenancy JKS exist only when used, or is it stored in the DB and not filesystem?
  • how much can I show of my tokens, JWT etc on a public forum? :-) (if it helps to help me, I'm willing to share!)

Thanks for any tips! (maybe all I need is the default public key, seeing as I'm using the default keystore!)

Solution

Answering myself in case anyone has the same issue.

Two things helped me out:

  • first, to validate in jwt.io, I needed to change the cert encoding by running the following command: openssl x509 -inform der -in somekey.cer -out somekey.pem
  • then I was using the super-tenant keystore instead of the tenancy keystore. I had looked into this but not found any tenancy keystore on the APIM VM. I had to:

    1. log in as tenant admin in APIM carbon portal
    2. navigate to configure / keystores
    3. there was a keystore for the tenancy (called sandbox1.jks), click on public key
    4. save the downloaded sandbox1.cert and convert it to pem using the above command

The resulting pem worked fine with jwt.io using RS256

Hope this helps others!
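The whole procedure from the answer, as an added example that is not part of the original post or of WSO2's own code. It stands in for the tenant keystore (sandbox1.jks) and the super-tenant keystore (wso2carbon.jks) with two throwaway RSA key pairs and self-signed certificates generated on the spot, exports the certificate in DER as the Carbon console's "public key" download does, runs the answer's openssl x509 -inform der conversion, pulls the public key out as PEM, and then verifies an RS256 JWT with openssl dgst, which checks the same thing jwt.io checks. The JWT claims are constructed for illustration, not copied from a real APIM 1.9.0 token. Two points from the question are settled along the way: the certificate's own signature algorithm (sha1WithRSA on the wso2carbon.jks cert) plays no part, because RS256 means the token is signed with the keystore's RSA private key over a SHA-256 digest and verification needs only the RSA public key carried in the certificate; and the hex string seen in Windows (30 81 89 02 81 81 00 ...) is the DER encoding of a PKCS#1 RSAPublicKey with a 1024-bit modulus, which jwt.io does not accept as-is, hence the PEM conversion.

```sh
#!/bin/sh
# Added example, not part of the original post. All key material is generated
# here with openssl; nothing is taken from a real APIM deployment.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# base64url (RFC 7515): standard base64 with '+/' -> '-_' and no '=' padding.
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# Reverse of b64url: restore the padding openssl's decoder needs, then decode.
b64url_decode() {
  data=$(tr '_-' '/+')
  case $(( ${#data} % 4 )) in
    2) data="${data}==" ;;
    3) data="${data}=" ;;
  esac
  printf '%s' "$data" | openssl base64 -d -A
}

# Throwaway stand-in for a Carbon keystore: RSA key pair plus a self-signed
# certificate, exported in DER like the console's "public key" download.
make_keystore() {                         # $1 = keystore name (e.g. sandbox1)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key.pem" -out "$WORK/$1.crt.pem" >/dev/null 2>&1
  openssl x509 -in "$WORK/$1.crt.pem" -outform der -out "$WORK/$1.cert"
}

# The answer's DER-to-PEM conversion, followed by extraction of the
# SubjectPublicKeyInfo PEM that jwt.io and openssl dgst -verify expect.
pubkey_from_der_cert() {                  # $1 = DER cert, $2 = output PEM path
  openssl x509 -inform der -in "$1" -out "$WORK/converted.pem"
  openssl x509 -in "$WORK/converted.pem" -pubkey -noout > "$2"
}

# RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "base64url(header).base64url(payload)".
sign_rs256() {                            # $1 = header JSON, $2 = payload JSON, $3 = private key PEM
  input="$(printf '%s' "$1" | b64url).$(printf '%s' "$2" | b64url)"
  signature=$(printf '%s' "$input" | openssl dgst -sha256 -sign "$3" | b64url)
  printf '%s.%s' "$input" "$signature"
}

# Exit status 0 only if the third segment is a valid RS256 signature over the
# first two, under the given public key; this is the check jwt.io performs.
verify_rs256() {                          # $1 = JWT, $2 = public key PEM
  printf '%s' "${1##*.}" | b64url_decode > "$WORK/sig.bin"
  printf '%s' "${1%.*}" | openssl dgst -sha256 -verify "$2" \
    -signature "$WORK/sig.bin" >/dev/null 2>&1
}

jwt_payload() {                           # $1 = JWT -> decoded claims JSON
  middle=${1#*.}
  printf '%s' "${middle%.*}" | b64url_decode
}

make_keystore sandbox1                    # tenant keystore: the one that signs the JWT
make_keystore wso2carbon                  # super-tenant keystore: the wrong key from the question
pubkey_from_der_cert "$WORK/sandbox1.cert"   "$WORK/sandbox1.pub.pem"
pubkey_from_der_cert "$WORK/wso2carbon.cert" "$WORK/wso2carbon.pub.pem"
TENANT_PUB=$WORK/sandbox1.pub.pem
SUPER_PUB=$WORK/wso2carbon.pub.pem

# Constructed sample claims (not a real APIM token).
HEADER='{"typ":"JWT","alg":"RS256"}'
PAYLOAD='{"iss":"wso2.org/products/am","exp":1700000000,"http://wso2.org/claims/enduser":"alice@sandbox"}'
JWT=$(sign_rs256 "$HEADER" "$PAYLOAD" "$WORK/sandbox1.key.pem")

# Same header and signature, different claims: the signature no longer matches.
FORGED_PAYLOAD='{"iss":"wso2.org/products/am","exp":1700000000,"http://wso2.org/claims/enduser":"admin@sandbox"}'
TAMPERED="$(printf '%s' "$HEADER" | b64url).$(printf '%s' "$FORGED_PAYLOAD" | b64url).${JWT##*.}"

verify_rs256 "$JWT" "$TENANT_PUB" && echo "tenant key (sandbox1):      Verified OK"
verify_rs256 "$JWT" "$SUPER_PUB" || echo "super-tenant key (carbon):  invalid signature"
verify_rs256 "$TAMPERED" "$TENANT_PUB" || echo "tampered payload:           invalid signature"
echo "claims: $(jwt_payload "$JWT")"
```

The first verification passes and the other two fail, which is exactly the behaviour the answer describes: the same token that jwt.io rejected under the wso2carbon.jks public key validates once the tenant's own certificate is converted to PEM. Pasting the contents of sandbox1.pub.pem into the jwt.io "public key" box with RS256 selected gives the same result as the openssl dgst -verify call. In a real backend, check exp and the issuer as well; a valid signature only proves the token came from that keystore.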
