RSA
A JWT still verifies after only minor changes to the public key. Why?
I am trying to verify the following JWT on JWT.io using the public key below:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJFVS5FT1JJLk5MODEyNDU4ODM3IiwiYXVkIjoiRVUuRU9SSS5OTDIxOTA0ODExMyIsImNsaWVudF9pZCI6IkVVLkVPUkkuTkwyMTkwNDgxMTMiLCJleHAiOjE1NjUyNTg1MzEsIm5iZiI6MTU2NTI1NDkzMSwiaWF0IjoxNTY1MjU0OTMxLCJzY29wZSI6WyJpU0hBUkUiXX0.uD3Y0QKQMM6fy3th7ceuFbqHLwsWWfJxK-HvA0cCZL2ZMiRko6tiuyrg7uci5aDIs4qpFsKMzBj_RJLGz3phLp9ViBMfHDav2nPpwkJjXZpUVJ3IFl9HjSlMRo2Ggiizl99GSWk-kIr0nTF8VbWeOY62-y14bJIWxl31JSUezyBc7jKqnDt7dZboO1QaO4oEpbj2YuBKkjJno02vnJX6c4pnfyWdOqe7RWrP_upnV3GdLgWaG2pCBvIPYejqlzQjcwBWZ6TBRanG9sNye-9jn1-4KFMQ_Q_3VV-3Xi97U8RwsyXUEuSq_41J5mT25V1JRSB822lDRqnjysL9HskJMA
Key
-----BEGIN CERTIFICATE----- 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 -----END CERTIFICATE-----
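It verifies! Good! However, I am testing whether it still verifies after some small modifications. For example, if I remove the last three characters ('Gfg') from the certificate, it still verifies! Or, if I make small changes to some characters in the certificate (i.e., changing an "R" to an "S" or a "3" to a "4"), it also verifies.
Why is this? Does it have something to do with the RS256 algorithm or with JWT? I thought the certificate value had to be very exact in order to verify the private key!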
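A certificate is more than just a public key. Changing the public key would of course prevent verification, but most of what you did does not change it. Your certificate above also contains the following information:
Common Name: INNOPAY
Organization: INNOPAY BV
Organizational Unit: Fun Department
Locality: Amsterdam
Country: NL
Valid from: July 24, 2019
Valid to: July 23, 2021
Serial number: 3838059474068972016 (0x354386c1bab421f0)
The changes may invalidate the certificate and any signature on it. But token verification should remain unchanged.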
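
The answer's point, as an added Go example that is not part of the original thread: it goes beyond the question's text edits by flipping single bits in the decoded DER of a constructed self-signed certificate (the key, certificate, signing input and the names `check`, `flip` and `Demo` are all made up here, not taken from the post). A flip in the certificate's trailing signature leaves the RS256 check passing and only breaks the certificate's own signature, while a flip inside the RSA modulus breaks token verification.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Result struct{ TokenOK, CertSigOK bool } // which checks pass for one certificate copy

// check verifies the token signature (RS256 primitive) with the key embedded in der, and separately the certificate's own signature.
func check(der, digest, tokenSig []byte) Result {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Result{}
	}
	pub, _ := cert.PublicKey.(*rsa.PublicKey)
	return Result{
		TokenOK:   pub != nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, tokenSig) == nil,
		CertSigOK: cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil,
	}
}

func flip(der []byte, i int) []byte { // copy of der with one bit changed at offset i
	out := append([]byte(nil), der...)
	out[i] ^= 0x01
	return out
}

// Demo returns results for: untouched, last signature byte flipped, modulus byte flipped.
func Demo() (orig, sigFlip, keyFlip Result) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	h := sha256.Sum256([]byte("constructed-header.constructed-payload")) // stands in for the JWT signing input
	tokenSig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	cert, _ := x509.ParseCertificate(der)
	keyByte := bytes.Index(der, cert.RawSubjectPublicKeyInfo) + len(cert.RawSubjectPublicKeyInfo)/2 // inside the RSA modulus
	return check(der, h[:], tokenSig), check(flip(der, len(der)-1), h[:], tokenSig), check(flip(der, keyByte), h[:], tokenSig)
}

func main() { fmt.Println(Demo()) }
```

A verifier that only extracts the public key, as in the middle case, never notices the damaged certificate; checking the certificate's signature and chain is a separate step that the relying party has to perform itself.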