JWT Computing the Signature SHA256withRSA


Problem description

I'm trying to

Sign the UTF-8 representation of the input using SHA256withRSA (also known as RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function) with the private key obtained from the API console. The output will be a byte array.

So let's take the Header and Claim set and put them into an array

{"alg":"RS256","typ":"JWT"}.
{
  "iss":"761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
  "scope":"https://www.googleapis.com/auth/prediction",
  "aud":"https://accounts.google.com/o/oauth2/token",
  "exp":1328554385,
  "iat":1328550785
}

just like Service Account: Computing the Signature

JSON Web Signature (JWS) is the specification that guides the mechanics of generating the signature for the JWT. The input for the signature is the byte array of the following content:

{Base64url encoded header}.{Base64url encoded claim set}

So I build an array just to test that

  $seg0 = array(
    "alg" => "RS256",
    "typ" => "JWT"
  );
  $seg1 = array(
    "iss" => "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
    "scope" => "https://www.googleapis.com/auth/prediction",
    "aud" => "https://accounts.google.com/o/oauth2/token",
    "exp" => 1328554385,
    "iat" => 1328550785
  );

  $segs = array(
    json_encode($seg0),
    stripslashes(json_encode($seg1))
  );
  $segments = array(
    rtrim(strtr(base64_encode($segs[0]), '+/', '-_'), '='),
    rtrim(strtr(base64_encode($segs[1]), '+/', '-_'), '='),
  );

Here it is. The first 2 arrays encode successfully.

Output
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9
eyJpc3MiOiI3NjEzMjY3OTgwNjktcjVtbGpsbG4xcmQ0bHJiaGc3NWVmZ2lncDM2bTc4ajVAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsImV4cCI6MTMyODU1NDM4NSwiaWF0IjoxMzI4NTUwNzg1fQ

I go forward and encode the signature

The signature must then be Base64url encoded. The signature is then concatenated with a ‘.’ character to the end of the Base64url representation of the input string. The result is the JWT. It should be the following:
{Base64url encoded header}.{Base64url encoded claim set}.{Base64url encoded signature}

  $signature = makeSignedJwt($segments);
  //$signature = makeSignedJwt($segs);
  echo $signature .'<br /><br />';
  $segments[] = rtrim(strtr(base64_encode($signature), '+/', '-_'), '=');
  echo '<pre>'; print_r($segments); echo '</pre>';  

function makeSignedJwt($segments)
{
    $data = implode('.', $segments);
    if (!openssl_sign($data, $signature, privateKey, "sha256"))
    {
        exit("Unable to sign data");
    }
    return $signature;
}

Output
    Array
(
    [0] => eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9
    [1] => eyJpc3MiOiI3NjEzMjY3OTgwNjktcjVtbGpsbG4xcmQ0bHJiaGc3NWVmZ2lncDM2bTc4ajVAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsImV4cCI6MTMyODU1NDM4NSwiaWF0IjoxMzI4NTUwNzg1fQ
    [2] => xFS6iZdJku5RKJ5_XdH3W5A8e9V3wsaFeQhAXoJtuxzW-xvqZq1CdEJJAo60VvK1UFONElVf_pthezEyz-eyWsoRGVZFibUQBaKXLI8eR28eFlaCAKH7bKh820uR7IwuRx4xr8MPmnC8so9u9TEY153gkU6Mz9e--pQPlcLlGY
)

Must be missing something..

Solution

I'm not sure what your question is, but the following worked for me:

//helper function
function base64url_encode($data) { 
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '='); 
}

//Google's Documentation of Creating a JWT: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#authorizingrequests

//{Base64url encoded JSON header}
$jwtHeader = base64url_encode(json_encode(array(
    "alg" => "RS256",
    "typ" => "JWT"
)));
//{Base64url encoded JSON claim set}
$now = time();
$jwtClaim = base64url_encode(json_encode(array(
    "iss" => "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
    "scope" => "https://www.googleapis.com/auth/prediction",
    "aud" => "https://www.googleapis.com/oauth2/v4/token",
    "exp" => $now + 3600,
    "iat" => $now
)));
//The base string for the signature: {Base64url encoded JSON header}.{Base64url encoded JSON claim set}
openssl_sign(
    $jwtHeader.".".$jwtClaim,
    $jwtSig,
    $your_private_key_from_google_api_console,
    "sha256WithRSAEncryption"
);
$jwtSig = base64url_encode($jwtSig);

//{Base64url encoded JSON header}.{Base64url encoded JSON claim set}.{Base64url encoded signature}
$jwtAssertion = $jwtHeader.".".$jwtClaim.".".$jwtSig;
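
A sign-then-verify round trip for the RS256 JWT built above, as an added example that is not part of the original question or answer. It shows how to confirm locally that a computed signature is valid before sending the assertion anywhere. The key pair is a throwaway generated in the script, the claims are constructed, and the helper names `sign_rs256` and `verify_rs256` are hypothetical.

```php
<?php
function base64url_encode($data) {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode($data) {
    // Restore the padding that base64url strips, then decode strictly.
    $pad = (4 - strlen($data) % 4) % 4;
    return base64_decode(strtr($data, '-_', '+/') . str_repeat('=', $pad), true);
}

function sign_rs256(array $claims, $privateKey) {
    // Signing input: {Base64url header}.{Base64url claim set}
    $input = base64url_encode(json_encode(array('alg' => 'RS256', 'typ' => 'JWT')))
           . '.' . base64url_encode(json_encode($claims));
    if (!openssl_sign($input, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('openssl_sign failed: ' . openssl_error_string());
    }
    return $input . '.' . base64url_encode($sig);
}

function verify_rs256($jwt, $publicKey) {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    list($h, $c, $s) = $parts;
    $header = json_decode((string) base64url_decode($h), true);
    // Pin the algorithm: the token must not choose how it is verified.
    if (!is_array($header) || !isset($header['alg']) || $header['alg'] !== 'RS256') return null;
    $sig = base64url_decode($s);
    if ($sig === false) return null;
    // The signed bytes are the first two segments exactly as transmitted.
    if (openssl_verify($h . '.' . $c, $sig, $publicKey, OPENSSL_ALGO_SHA256) !== 1) return null;
    $claims = json_decode((string) base64url_decode($c), true);
    return is_array($claims) ? $claims : null;
}

// Constructed throwaway key pair and claims (not a real service-account key).
$key = openssl_pkey_new(array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
$details = openssl_pkey_get_details($key);
$now = time();
$jwt = sign_rs256(array('iss' => 'demo@example.invalid', 'iat' => $now, 'exp' => $now + 3600), $key);

// Check 1: the untouched token verifies and yields its claims.
var_dump(verify_rs256($jwt, $details['key']));

// Check 2: swap the claim set but keep the old signature; verification must reject it.
list($h, $c, $s) = explode('.', $jwt);
$tampered = $h . '.' . base64url_encode(json_encode(array('iss' => 'other@example.invalid'))) . '.' . $s;
var_dump(verify_rs256($tampered, $details['key']));
```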
