Golang package jwt-go with RSA key. How to put the public key and how to get it from the token?

Question

I'm trying to generate a token with an RSA key using the jwt-go package in golang.

Here [1] is a blog explaining how to do it, but that code will always validate all tokens because it is using the public key stored on the server and is not obtaining it from the token. How do you put the complete public key in the token? I was trying this:

import (
	"crypto/rand"
	"crypto/rsa"
	"errors"

	jwt "github.com/dgrijalva/jwt-go" // pre-v3 API: token.Claims is a map[string]interface{}
)

var secretKey, _ = rsa.GenerateKey(rand.Reader, 1024)
token := jwt.New(jwt.SigningMethodRS256)
token.Claims["username"] = "victorsamuelmd"
token.Claims["N"] = secretKey.PublicKey.N
token.Claims["E"] = secretKey.PublicKey.E

tokenString, err := token.SignedString(secretKey)

nt, err := jwt.Parse(tokenString, func(t *jwt.Token) (interface{}, error) {
	// here I need to recover the public key from the token
	// but N is a big.Int and the token stores N as int64
	return nil, errors.New("public key recovery from the claims not implemented yet")
})

Sorry about my English. Thanks.
[1]: https://sendgrid.com/blog/tokens-tokens-intro-json-web-tokens-jwt-go/

Answer 1

Score: 3

I think storing the public key in the claims is not a good idea because technically we can verify the JWT with that key, but it means it is not a signed JWT anymore. If anyone can generate a JWT with their own private key and store the public key in the JWT, we cannot be sure who the signer is.

Anyway, you can convert the public key into PEM format, which is just a string, and store it in the claims. On the client side, you can also simply parse it back into a public key. The sample code is below:

privateKey, _ := rsa.GenerateKey(rand.Reader, 1024)
bytes, _ := x509.MarshalPKIXPublicKey(&privateKey.PublicKey) // PKIX (SubjectPublicKeyInfo) DER
pemBytes := pem.EncodeToMemory(&pem.Block{ // named pemBytes so the pem package is not shadowed
	Type:  "PUBLIC KEY", // PKIX DER belongs under "PUBLIC KEY"; "RSA PUBLIC KEY" denotes PKCS#1
	Bytes: bytes,
})
claims["publickey"] = string(pemBytes)

and

pemStr, ok := claims["publickey"].(string) // checked assertion: a malformed claim returns an error instead of panicking
if !ok {
	return nil, errors.New("publickey claim missing or not a string")
}
return jwt.ParseRSAPublicKeyFromPEM([]byte(pemStr))

jwt is dgrijalva's jwt-go.
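The following is an added example written for this page; it is not code from the question, the answer, or the jwt-go library. It uses only the Go standard library to build and check RS256 tokens so that both points above can be run end to end: the PEM round trip the answer recommends (which also sidesteps the question's big.Int N problem, since a JSON number comes back as a float64), and the answer's objection that a token verified with the key it carries proves nothing about who signed it. The function names (PublicKeyPEM, ParsePublicKeyPEM, SignRS256, VerifyRS256, UnverifiedClaims, SelfVerifies) and the keys generated in main are my own constructions for the demo. VerifyRS256 additionally pins the algorithm to RS256 instead of reading it from the header; with jwt-go that check belongs in the key function from the question (by inspecting t.Method).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// PublicKeyPEM is the claim-safe string form from the answer: PKIX DER in a "PUBLIC KEY" block.
func PublicKeyPEM(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a valid *rsa.PublicKey
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
}

// ParsePublicKeyPEM is the inverse of PublicKeyPEM.
func ParsePublicKeyPEM(s string) (*rsa.PublicKey, error) {
	var key interface{}
	if block, _ := pem.Decode([]byte(s)); block != nil {
		key, _ = x509.ParsePKIXPublicKey(block.Bytes)
	}
	if pub, ok := key.(*rsa.PublicKey); ok {
		return pub, nil
	}
	return nil, errors.New("not a PEM-wrapped PKIX RSA public key")
}

// SignRS256 builds a compact JWT (header.payload.signature) with RS256.
func SignRS256(claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims) // plain JSON values, cannot fail
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// UnverifiedClaims decodes the payload with no checks; use it only to choose which trusted key to look up.
func UnverifiedClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(pb, &claims)
}

// VerifyRS256 checks the signature under a key the caller chose; alg is pinned so the token cannot change it.
func VerifyRS256(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	claims, err := UnverifiedClaims(token) // structural parse only; nothing is trusted yet
	if err != nil {
		return nil, err
	}
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header unreadable or alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify under the given key")
	}
	return claims, nil
}

// SelfVerifies does literally what the question asks: verify the token with the key in its own "publickey" claim.
func SelfVerifies(token string) bool {
	claims, _ := UnverifiedClaims(token) // on any decode error claims is nil and the lookup below yields ""
	pemStr, _ := claims["publickey"].(string)
	pub, err := ParsePublicKeyPEM(pemStr)
	if err == nil {
		_, err = VerifyRS256(token, pub)
	}
	return err == nil
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the key the service trusts
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)  // any other key, constructed for the demo
	tok, _ := SignRS256(map[string]interface{}{"sub": "demo", "publickey": PublicKeyPEM(&otherKey.PublicKey)}, otherKey)
	_, err := VerifyRS256(tok, &serverKey.PublicKey)
	fmt.Println(SelfVerifies(tok), err == nil) // true false: the self-check passes, the pinned key rejects it
}
```

SelfVerifies returns true for every well-formed token regardless of who signed it, which is the answer's point in executable form: the only check that says anything about the signer is VerifyRS256 against a key the server already trusts. The embedded PEM is still useful as a hint for choosing among several trusted keys (compare it, or a key id, against the server's own key set), never as the key itself.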

huangapple
  • Posted on 20 March 2015 10:57:41
  • When reposting, please keep the link to this article: https://go.coder-hub.com/29158646.html