(Golang)JWT签名验证问题

huangapple go评论93阅读模式
英文:

(Golang) JWT Signature Verification Issue

问题

我正在尝试理解Golang中的JWT令牌。我正在使用github.com/dgrijalva/jwt-go

让我感到意外的是,我可以输入多个有效的签名。

例如,访问http://jwt.io

  • 输入MySuperSecretKey作为密钥

这个令牌是有效的:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU

以及这个令牌:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV

实际上,如果我将最后一个字母更改为V、W或X,我会得到一个"Signature Verified"的消息。

有人可以告诉我这里发生了什么吗?

英文:

I'm trying to get my head around JWT tokens in Golang. I'm using github.com/dgrijalva/jwt-go.

What caught me off guard is the fact that I can enter multiple valid signatures.

For example, head over to http://jwt.io

  • enter MySuperSecretKey for the secret

This token is valid:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU

as well as this one:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV

In fact, if I change the last letter to V, W or X, I get a "Signature Verfied" message.

Can anyone tell me what's going on here?

答案1

得分: 5

这是签名的Base64编码,可以将最后一个字母更改为特定目标而不影响相关位。

尝试将这两个签名都放入一个Base64转换为十六进制的解码器中,你将得到相同的结果。实际上,在https://conv.darkbyte.ru/上,这两个签名都重新评估为Base64编码的SxshVL42DUH9e7jXUblbBbTwKxhe4jo70DrvbQMlaQ==。

英文:

It's the Base64 encoding of the signature which can have the last letter changed to certain targets without affecting the relevant bits.

Try popping both signatures into a base64->hex decoder and you'll get the same results. In fact at https://conv.darkbyte.ru/ both signatures get re-evaluated to base64 SxshVL42DUH9e7jXUblbBbTwKxhe4jo70DrvbQMlaQ==

huangapple
  • 本文由 发表于 2016年3月12日 05:16:47
  • 转载请务必保留本文链接:https://go.coder-hub.com/35950072.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定