validating a JWT generated by WSO2 APIM 1.9.0: what's the public key?

Question

I'm trying to do something that seemed simple but ends up being difficult because I lack the expertise.

I have an APIM deployed with no customisation security-wise (don't worry, it's not production!). So it's only got carbon.jks.

I authenticate users in an application with SAML2 against an IDS, then use the APIM with an app secret for a user token generated from the SAML2 token. I get from the APIM an OAuth token which I use to call APIs in the APIM. (note that I managed to resolve this thanks to another post here some time ago :-) )

The backend that implements the APIs receives a JWT as a result, with header, user information and app information, and a signature. For my first tests I wrote my own "hello world" backend, which logs the JWT.

I use http://jwt.io which manages to read my JWT without any problem. But it tells me the signature is invalid. To make the signature valid I would need a valid public key.

I have no idea where to find that key.

I have run the command line described in RSA Public Key of WSO2carbon and generated a .cert file. I have examined the .cert file in portecle (http://portecle.sourceforge.net/) but found nothing of interest, however opening it in Windows gave me a field "public key", which looks like "30 81 89 02 81 81 00 94 a[...]", quite long and obviously hex.

I tried this, and also its base64-encoded representation, in http://jwt.io but no success.

Because I was wondering where my public key is, I have also read: How to validate a JWT from WSO2 API Manager (and the referenced link https://asankad.org/2013/12/05/obtaining-certificate-used-to-sign-a-jwt/ ). However, the code provided is a bit on its own, with not even a mention of the language. I assume it's node.js, but there is no info about libs or anything.

Here are some more precise questions:

  • WSO2 APIM offers only SHA256withRSA (which is a flavor of SHA2 IIUC). The wso2carbon.jks cert that I found was sha1. So I'm supposing that could not have worked anyway. How can APIM generate SHA256 with SHA1 certificates?
  • WSO2 APIM offers only SHA256withRSA. http://jwt.io gives the choice between RS256 and HS256; one uses a key, the other a secret (public/private). I'm guessing I need to use RS256? (but again the only keys I have seem to come from SHA1 certs)
  • Has anyone succeeded in what I'm doing? Install WSO2 APIM, generate a JWT and validate the JWT against http://jwt.io, including the signature?
  • If I use a lib such as https://github.com/tymondesigns/jwt-auth to validate the JWT, will it work? I was told that this lib doesn't support SHA256.
  • In the APIM I'm in a tenancy, called sandbox. If I go to the super-tenancy carbon I see wso2carbon.jks. If I go to my own tenancy's carbon I see sandbox.jks, but it's empty, and on the deployment machine there's no corresponding file. How does that work out: does the tenancy JKS exist only when used, or is it stored in the DB and not the filesystem?
  • How much can I show of my tokens, JWT etc. on a public forum? :-) (if it helps to help me, I'm willing to share!)

Thanks for any tips! (maybe all I need is the default public key, seeing as I'm using the default keystore!)

Answer

Answering myself in case anyone has the same issue.

Two things helped me:

  • First, to validate in jwt.io, I needed to change the cert encoding by running the following command: openssl x509 -inform der -in somekey.cer -out somekey.pem
  • Then, I was using the super-tenant keystore instead of the tenancy keystore. I had looked into this but not found any tenancy keystore on the APIM VM. I had to:
  1. Log in as tenant admin in the APIM carbon portal
  2. Navigate to configure / keystores
  3. There was a keystore for the tenancy (called sandbox1.jks); click on public key
  4. Save the downloaded sandbox1.cert and convert it to pem using the above command

The resulting pem worked fine with jwt.io using RS256.

Hope this helps others!
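
The same check as the answer's openssl + jwt.io recipe, done in code as an added example (not from the original answer and not WSO2 code): parse the DER certificate downloaded from the tenant keystore, take the RSA public key it carries and verify the JWT's RS256 signature with it. SelfSignedDER, the "sandbox1" subject name and the token passed in are constructed stand-ins for the real sandbox1.cert and the token APIM issues.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// VerifyRS256WithDERCert is the answer's recipe in code: parse the DER certificate (what
// "openssl x509 -inform der" reads), take the RSA public key it carries and check the RS256
// signature, i.e. PKCS#1 v1.5 over SHA-256 of "header.payload". The certificate's own
// signature algorithm (SHA1 vs SHA256) plays no part in this; only the key inside matters.
func VerifyRS256WithDERCert(token string, derCert []byte) error {
	cert, err := x509.ParseCertificate(derCert)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	parts := strings.Split(token, ".")
	if !ok || len(parts) != 3 {
		return errors.New("not an RSA certificate or malformed JWT")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return err
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}

// SelfSignedDER is a constructed stand-in for the downloaded tenant certificate
// (sandbox1.cert); it is not how APIM builds its keystore entries.
func SelfSignedDER(key *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sandbox1"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
```

A tampered payload, a token signed by a different key, or a certificate from the wrong keystore (the super-tenant one instead of the tenant's) all fail the same way: the PKCS#1 v1.5 check returns an error.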
