How to validate signature of JWT from jwks without x5c


Question

I have a JWT security token which I need to verify via jwks endpoint. Data in jwks looks like:

{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "alg": "RS256",
      "n": "......",
      "kid": "2132132-b1e6-47e7-a30f-1831942f74bd"
    },
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "alg": "RS256",
      "n": "......",
      "kid": "tsp-app-a"
    },
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "alg": "RS256",
      "n": ".....",
      "kid": "tsp-app-b"
    }
  ]
}

I have tried one third party api but it looks like it is dependent on x5c key which isn't present in my case.

My code is:

public static bool Validate(JwtSecurityToken jsonToken)
{
    bool result = false;
    try
    {
        var headers = Jose.JWT.Headers<JWTHeader>(jsonToken.RawData);
        var payload = Jose.JWT.Payload<JWTPayload>(jsonToken.RawData);

        string jwk = "";
        using (HttpClient cli = new HttpClient())
        {
            jwk = cli.GetStringAsync(MyclientUrlforWellknownjson).Result;
        }

        var jwkinfo = JsonSerializer.Deserialize<JWKS>(jwk);
        //Find right key. Match kid and alg, (To be changed later. It is possible that there are multiple x5c elements in key)
        var jwkkey = (from item in jwkinfo.keys where item.kid == headers.kid && item.alg == headers.alg select item).SingleOrDefault();

        //If key was found then load its public key
        System.Security.Cryptography.X509Certificates.X509Certificate2 cert = null;
        if (jwkkey != null)
        {
            //Get public key from well known information
            byte[] key = System.Text.Encoding.ASCII.GetBytes(jwkkey.x5c[0]); //??todo
            //Create cert
            cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(key);
        }

        var o = Jose.JWT.Decode(jsonToken.RawData, cert.PublicKey.Key);
    }
    catch (Exception ex)
    {

    }
    return result;
}

How can I validate a JWT via jwks without x5c?

Answer

Using x5c is just one way, but you can also retrieve the public key with the parameters e (public exponent) and n (modulus), which is also documented on the jose-jwt github page:

// needs: using System.Security.Cryptography; using Jose; (Base64Url comes from jose-jwt)
//If kid was found then load public key
RSACryptoServiceProvider key = null;
if (jwkkey != null)
{
    key = new RSACryptoServiceProvider();
    key.ImportParameters(new RSAParameters
    {
        Modulus = Base64Url.Decode(jwkkey.n),
        Exponent = Base64Url.Decode(jwkkey.e)
    });
}
if (key == null)
{
    // no JWK matched the token's kid/alg, so the signature cannot be checked
    return false;
}

// get the public key as Base64Url encoded string, e.g. to use it on jwt.io
var pubkey = Base64Url.Encode(key.ExportRSAPublicKey());

// Decode verifies the signature with the public key and throws if it does not match
var o = Jose.JWT.Decode(jsonToken.RawData, key);

You can also export the public key as a Base64Url-encoded string again, as shown in the code above, and later use that key to manually verify your token on https://jwt.io
