Why does jwt.io still show the signature as valid after some characters are deleted from the certificate?
Today, I have verified a JWT access token with jwt.io.
The access token is using algorithm RS256 and is digitally signed.
To verify the signature, I have put the certificate including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- in BOX1:
RSASHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
BOX1,
BOX2
)
After doing this, the status goes from red "Invalid Signature" to blue "Signature Verified" as expected.
I then accidentally deleted a character of the certificate, which left the status in blue "Signature Verified".
This made me curious, so I did some simple experiments:
- After deleting some characters, it changes to red "Invalid Signature".
- After deleting some more characters, it changes again to blue "Signature Verified".
This works on the last 7 lines of the certificate (the certificate is 18 lines x 64 characters). In the first 11 lines, deleting a character leads to a permanent "Invalid Signature".
Is this behaviour jwt.io specific?
Or, is it expected that deleting specific characters out of a certificate leads to a still valid signature?
No, this is not jwt.io specific. First of all, the data in certificates is itself structured using ASN.1, then encoded as binary using DER. You can see the certificate structure if you paste your Base64 into an ASN.1 decoder such as the one found here, or by e.g. using openssl asn1parse. Most of the data found in a certificate is part of the tbsCertificate structure, where TBS stands for "to be signed". Any change to that part of the certificate should result in failure, as this is the part of the certificate that has been signed. This of course assumes that the signature of the certificate is indeed verified. That's generally the case unless the certificate is trusted explicitly.

If you change the signature itself then the signature verification will likely fail as well, of course. But note that the signature itself is also encoded, and changes in the metadata of the signature may not introduce a failure. This signature is present at the end of the certificate.

You may need to post the changed certificate. Otherwise we cannot tell whether there is an error during verification or the changes were only superficial.
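The layout the answer describes, as an added example that is not part of the original question or answer and is not jwt.io's code. It uses only Go's standard library: it generates a throwaway self-signed RSA certificate, splits the DER into tbsCertificate, signatureAlgorithm and signatureValue with their byte offsets and the 64-column PEM lines those bytes land on (48 DER bytes per PEM line), signs a constructed JWT signing input with the certificate's key, and then inverts one DER byte inside the RSA modulus (early PEM lines) and one inside signatureValue (last PEM line). Corrupt models BOX1 the way the question's formula suggests: parse the PEM, take the public key, verify the token, and never look at the certificate's own signature; it reports separately what a check of that signature over tbsCertificate sees. The function names Layout, SelfSignedRSA, SignRS256, VerifyRS256 and Corrupt, the sample header and payload, the choice of bytes to flip and the "key extraction only" model of jwt.io are this example's own assumptions; jwt.io's parser is not reproduced, and deleting Base64 characters (which shifts every bit that follows) is not simulated, so the example shows the structural point rather than jwt.io's exact red/blue sequence.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/asn1"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Region is a top-level Certificate field (RFC 5280, 4.1) as a DER byte range.
type Region struct {
	Name       string
	Start, End int // End is exclusive
}

// Layout splits a DER certificate into tbsCertificate, signatureAlgorithm and
// signatureValue. Only tbsCertificate is covered by the certificate's signature.
func Layout(der []byte) ([3]Region, error) {
	var c struct{ TBS, Alg, Sig asn1.RawValue }
	var out [3]Region
	if rest, err := asn1.Unmarshal(der, &c); err != nil || len(rest) != 0 {
		return out, fmt.Errorf("not a single DER SEQUENCE")
	}
	tbs, alg, sig := len(c.TBS.FullBytes), len(c.Alg.FullBytes), len(c.Sig.FullBytes)
	hdr := len(der) - tbs - alg - sig // bytes taken by the outer SEQUENCE tag and length
	out[0] = Region{"tbsCertificate", hdr, hdr + tbs}
	out[1] = Region{"signatureAlgorithm", hdr + tbs, hdr + tbs + alg}
	out[2] = Region{"signatureValue", hdr + tbs + alg, len(der)}
	return out, nil
}

// SelfSignedRSA makes a throwaway certificate so the example runs offline (assumption).
func SelfSignedRSA() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	return priv, der, err
}

// SignRS256 and VerifyRS256 are RSASSA-PKCS1-v1_5 with SHA-256, i.e. JWT's RS256.
func SignRS256(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

func VerifyRS256(pub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// Corrupt inverts DER byte off and returns two verdicts. jwtOK models the jwt.io path
// (PEM in BOX1, certificate parsed, key taken, token verified; the certificate's own
// signature is never looked at). certOK is that signature over tbsCertificate, checked
// with the certificate's own key because it is self-signed.
func Corrupt(der []byte, off int, msg, sig []byte) (jwtOK, certOK bool) {
	damaged := append([]byte(nil), der...)
	damaged[off] ^= 0xff
	block, _ := pem.Decode(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: damaged}))
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, false // unparsable: jwt.io can only show "Invalid Signature"
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && VerifyRS256(pub, msg, sig), ok && VerifyRS256(pub, cert.RawTBSCertificate, cert.Signature)
}

func main() {
	priv, der, err := SelfSignedRSA()
	if err != nil {
		panic(err)
	}
	regions, _ := Layout(der)
	for _, r := range regions { // 64-column PEM body line n holds DER bytes 48(n-1)..48n-1
		fmt.Printf("%-18s DER bytes %3d..%3d  PEM lines %2d..%2d\n",
			r.Name, r.Start, r.End-1, r.Start/48+1, (r.End-1)/48+1)
	}
	enc := base64.RawURLEncoding // constructed signing input, built as jwt.io's formula shows
	msg := []byte(enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." +
		enc.EncodeToString([]byte(`{"sub":"demo"}`)))
	sig, _ := SignRS256(priv, msg)
	// One byte inside the RSA modulus (early PEM lines) and the very last signature byte.
	for _, off := range []int{bytes.Index(der, priv.N.Bytes()) + 100, len(der) - 1} {
		jwtOK, certOK := Corrupt(der, off, msg, sig)
		fmt.Printf("byte %3d (PEM line %2d): JWT verifies=%v  certificate signature valid=%v\n",
			off, off/48+1, jwtOK, certOK)
	}
}
```

The run prints the three regions with their PEM line ranges, then the two verdicts: the flip inside signatureValue leaves the extracted key, and with it the JWT check, intact while the certificate's own signature no longer verifies; the flip inside the modulus makes the JWT check fail because a different key comes out of the certificate. A parser that enforces the declared DER lengths, as Go's does, rejects a certificate outright once a deletion leaves the outer SEQUENCE length wrong, which is one reason the exact pattern seen in jwt.io need not reproduce in other tools.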