JWT public key vs private key signature validation -- what is the difference?


Question

I am using this library, node-jwks-rsa, to fetch JWT keys from my auth0 jwks.json file in order to verify that the id_token my application retrieves after authentication is actually coming from my auth provider.

Under the hood it uses this method to build a public key PEM:

export function certToPEM(cert) {
  cert = cert.match(/.{1,64}/g).join('\n');
  cert = `-----BEGIN CERTIFICATE-----\n${cert}\n-----END CERTIFICATE-----\n`;
  return cert;
}

(Using the x5c as argument from the .jwks file.)

which I then use in combination with jsonwebtoken to verify that the JWT (id_token) is valid.

How is this method of verification different from generating a private key (RSA) from the modulus and exponent of the jwks.json file and using it for verification instead? (As an example, see this library.)

Additionally, here is a function, as a demonstration, that generates a PEM from a mod and exponent (taken from http://stackoverflow.com/questions/18835132/xml-to-pem-in-node-js):

// Left-pad with a zero byte when the top bit is set, so the DER INTEGER
// is not read as a negative number.
function prepadSigned(hexStr) {
  const msb = hexStr[0];
  return (msb < '0' || msb > '7') ? '00' + hexStr : hexStr;
}

// Hex string for a number, padded to whole bytes.
function toHex(number) {
  const nstr = number.toString(16);
  return nstr.length % 2 ? `0${nstr}` : nstr;
}

// DER length encoding: short form below 128, long form otherwise.
function encodeLengthHex(n) {
  if (n <= 127) return toHex(n);
  const nHex = toHex(n);
  const lengthOfLengthByte = 128 + nHex.length / 2;
  return toHex(lengthOfLengthByte) + nHex;
}

export function rsaPublicKeyToPEM(modulusB64, exponentB64) {
  // Node's base64 decoder also accepts the base64url alphabet used by JWK n/e.
  const modulus = Buffer.from(modulusB64, 'base64');
  const exponent = Buffer.from(exponentB64, 'base64');
  const modulusHex = prepadSigned(modulus.toString('hex'));
  const exponentHex = prepadSigned(exponent.toString('hex'));
  const modlen = modulusHex.length / 2;
  const explen = exponentHex.length / 2;

  const encodedModlen = encodeLengthHex(modlen);
  const encodedExplen = encodeLengthHex(explen);
  // SEQUENCE { INTEGER modulus, INTEGER exponent } = PKCS#1 RSAPublicKey
  const encodedPubkey = '30' +
    encodeLengthHex(modlen + explen + encodedModlen.length / 2 + encodedExplen.length / 2 + 2) +
    '02' + encodedModlen + modulusHex +
    '02' + encodedExplen + exponentHex;

  const der = Buffer.from(encodedPubkey, 'hex').toString('base64');

  let pem = '-----BEGIN RSA PUBLIC KEY-----\n';
  pem += der.match(/.{1,64}/g).join('\n');
  pem += '\n-----END RSA PUBLIC KEY-----\n';

  return pem;
}

The aforementioned jsonwebtoken library can verify a JWT using either -- but why? If both of these verification methods can validate a JWT signature, why do they both exist? What are the tradeoffs between them? Is one more secure than the other? Which should I use to verify most fully?

Recommended answer

Using an RSA asymmetric key pair, the JWT is signed with the private key and verified with the public key. You cannot verify a digital signature with the private key.

Modulus and exponent are the components of the public key, and you can use them to build the public key in PEM format, which is a base64 representation of the public key (modulus and exponent) encoded in DER binary format. You can use PEM, DER, or modulus and exponent because they contain the same information.

But nobody can build the private key from the modulus and exponent. He would need the private RSA elements, which must be kept secret so that no one can sign for you.
