Context: I want to implement payments with Payconiq. Once a payment is completed, Payconiq calls my API with the payment information (status, etc.).
I am using Symfony and web-token/jwt-bundle to verify the JWS.
1/ I use base64_decode to get the header from the token (the token format is like header.payload.signature, with the payload empty).
2/ I get the JWK as JSON from a URL; it seems the JWK used is always this one:
{
"kty": "EC",
"use": "sig",
"x5t#S256": "******************",
"crv": "P-256",
"kid": "kid.2021",
"alg": "ES256",
"x5c": [],
"x": *******,
"y": *******
}
3/ I want to verify the signature with this JWK. I have:
$serializerManager = new JWSSerializerManager([new CompactSerializer()]);
$jws = $serializerManager->unserialize($token);
$isVerified = $jwsVerifier->verifyWithKey($jws, $jwk, 0, $payload);
(the signature is: public function verifyWithKey(JWS $jws, JWK $jwk, int $signature, ?string $detachedPayload = null): bool)
My payload: the request body sent by Payconiq (the payment information).
$isVerified is always false.
I don't know whether the problem comes from my payload or from the way I use the library (the documentation shows an example using a JWK like
{
"kty": "oct",
"k": "dzI6nbW4OcNF-AtfxGAmuyz7IpHRudBI0WgGjZWgaRJt6prBn3DARXgUR8NVwKhfL43QBIU2Un3AvCGCHRgY4TbEqhOi8-i98xxmCggNjde4oaW6wkJ2NgM3Ss9SOX9zS3lcVzdCMdum-RwVJ301kbin4UtGztuzJBeg5oVN00MGxjC2xWwyI0tgXVs-zJs5WlafCuGfX1HrVkIf5bvpE0MQCSjdJpSeVao6-RSTYDajZf7T88a2eVjeW31mMAg-jzAWfUrii61T_bYPJFOXW8kkRWoa1InLRdG6bKB9wQs9-VdXZP60Q4Yuj_WZ-lO7qV9AEFrUkkjpaDgZT86w2g"
}
which has a "k" key, and there the result is ok (isVerified = true)).
But for the JWK without "k" and "x5c", isVerified is still false.
Can anyone help me?
Posted on 2021-10-22 20:00:02
It looks like the verification fails because you forgot to set the proper signature algorithm (ES256) in your $jwsVerifier object.
Find a working example below. Please replace the JWK and TOKEN values with your own data.
<?php
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Signature\Algorithm\ES256;
use Jose\Component\Signature\Serializer\CompactSerializer;
use Jose\Component\Signature\JWSVerifier;

$jwk = JWK::createFromJson('{"kty":"EC","crv":"P-256","x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU","y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}');
$token = 'eyJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q';
$serializerManager = new CompactSerializer();
$jws = $serializerManager->unserialize($token);
// The verifier only knows the algorithms registered here; ES256 must be among them.
$algorithmManager = new AlgorithmManager([new ES256()]);
$jwsVerifier = new JWSVerifier($algorithmManager);
$isVerified = $jwsVerifier->verifyWithKey($jws, $jwk, 0);
if ($isVerified) {
var_dump('Signature is valid');
} else {
var_dump('Signature is NOT valid!');
}
If the payload is detached from the token, you can pass it as the fourth argument of the verifyWithKey method. Note that it should not be base64 encoded.
<?php
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Signature\Algorithm\ES256;
use Jose\Component\Signature\Serializer\CompactSerializer;
use Jose\Component\Signature\JWSVerifier;
$jwk = JWK::createFromJson('{"kty":"EC","crv":"P-256","x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU","y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}');
$token = 'eyJhbGciOiJFUzI1NiJ9..DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q';
$payload = base64_decode('eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ');
$serializerManager = new CompactSerializer();
$jws = $serializerManager->unserialize($token);
$algorithmManager = new AlgorithmManager([new ES256()]);
$jwsVerifier = new JWSVerifier($algorithmManager);
$isVerified = $jwsVerifier->verifyWithKey($jws, $jwk, 0, $payload);
if ($isVerified) {
var_dump('Signature is valid');
} else {
var_dump('Signature is NOT valid!');
}
https://stackoverflow.com/questions/69675552
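The answer above shows the two things that were missing: registering ES256 in the AlgorithmManager and passing the detached payload raw. The following is an added example, not code from the question, the answer or the web-token project, that puts both into a webhook-style verification function and adds the checks a receiver would want: the protected header is required to say ES256 before any cryptography runs, and the key is chosen from a JWK set by the advertised "kid" (the question's key carries "kid": "kid.2021"). The vendor autoload path, the "demo-key" kid and the tampered body are assumptions made for the demo; the key, token and payload bytes are the RFC 7515 Appendix A.3 test vector already used in the answer.

```php
<?php
// Added example (not from the original question or answer): verify a detached
// compact JWS (header..signature) over the raw request body with
// web-token/jwt-framework, pinning the algorithm to ES256 and selecting the
// key by "kid" when the header carries one.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoload location

use Jose\Component\Checker\AlgorithmChecker;
use Jose\Component\Checker\HeaderCheckerManager;
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWKSet;
use Jose\Component\Signature\Algorithm\ES256;
use Jose\Component\Signature\JWSTokenSupport;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\CompactSerializer;

/**
 * Returns true only when the protected header says ES256, a matching
 * verification key exists in $keySet, and the signature covers $rawBody.
 * $rawBody must be the request body exactly as received, not base64 encoded.
 */
function verifyDetachedJws(string $token, string $rawBody, JWKSet $keySet): bool
{
    $es256 = new ES256();

    // Only ES256 is registered: a token with any other "alg" cannot be verified
    // with these keys even if its header claims a different algorithm.
    $verifier = new JWSVerifier(new AlgorithmManager([$es256]));

    $jws = (new CompactSerializer())->unserialize($token);

    // Reject the token before any cryptography if "alg" is not ES256.
    // check() throws Jose\Component\Checker\InvalidHeaderException on failure.
    $headerChecker = new HeaderCheckerManager(
        [new AlgorithmChecker(['ES256'])],
        [new JWSTokenSupport()]
    );
    $headerChecker->check($jws, 0);

    // Pick a signature key usable with ES256; restrict to the advertised "kid"
    // when the header has one, so a key set with several keys stays unambiguous.
    $signature = $jws->getSignature(0);
    $restrictions = $signature->hasProtectedHeaderParameter('kid')
        ? ['kid' => $signature->getProtectedHeaderParameter('kid')]
        : [];
    $jwk = $keySet->selectKey('sig', $es256, $restrictions);
    if ($jwk === null) {
        return false; // no usable key: treat as unverified, never fall back
    }

    // The detached payload is passed raw; the library base64url-encodes it
    // itself when it rebuilds the signing input "header.payload".
    return $verifier->verifyWithKey($jws, $jwk, 0, $rawBody);
}

// Constructed demo input: the ES256 public key and detached token from the
// answer above (RFC 7515 Appendix A.3), with an assumed "kid" added.
$keySet = JWKSet::createFromKeyData(['keys' => [[
    'kty' => 'EC',
    'crv' => 'P-256',
    'kid' => 'demo-key',
    'x'   => 'f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU',
    'y'   => 'x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0',
]]]);
$token = 'eyJhbGciOiJFUzI1NiJ9..DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q';

// Exact payload bytes of the test vector (note the CRLF and leading spaces):
// in a real webhook this is file_get_contents('php://input'), untouched.
$rawBody = "{\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n \"http://example.com/is_root\":true}";

var_dump(verifyDetachedJws($token, $rawBody, $keySet));          // bool(true)

// Any change to the body invalidates the signature, which is the whole point
// of verifying the webhook before acting on the payment status it carries.
$tamperedBody = str_replace('"joe"', '"eve"', $rawBody);
var_dump(verifyDetachedJws($token, $tamperedBody, $keySet));     // bool(false)
```

The body has to be read before any framework middleware decodes or re-serialises it: in Symfony that is `$request->getContent()`, not the array produced by `$request->toArray()`, because re-encoding the JSON can change whitespace or key order and the signature then no longer matches.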