use*_*724 · 21 · Tags: java, jwt, google-http-client, java-security
For the last hour I have been facing an OAuth2 JWT token validation exception (so nobody can access my application):
java.security.SignatureException: Signature length not correct: got 256 but was expecting 128. I am using google-http-client 1.20.0 and Java 1.7.0. Same configuration as before; any ideas?
Stacktrace
java.security.SignatureException: Signature length not correct: got 256 but was expecting 128
at sun.security.rsa.RSASignature.engineVerify(Unknown Source) ~[na:1.7.0_45]
at java.security.Signature$Delegate.engineVerify(Unknown Source) ~[na:1.7.0_45]
at java.security.Signature.verify(Unknown Source) ~[na:1.7.0_45]
at com.google.api.client.util.SecurityUtils.verify(SecurityUtils.java:164) ~[google-http-client-1.20.0.jar:1.20.0]
Same problem; I added the source of GoogleIdTokenVerifier to my project and changed the method:
    public boolean verify(GoogleIdToken googleIdToken) throws GeneralSecurityException, IOException {
        // check the payload (issuer, audience, expiry) first
        if (!super.verify(googleIdToken)) {
            return false;
        }
        // verify signature: try every published key, but treat an exception for one key
        // (for example a key-size mismatch) as "not this key" instead of letting it
        // abort the loop before the matching key has been tried
        for (PublicKey publicKey : publicKeys.getPublicKeys()) {
            try {
                if (googleIdToken.verifySignature(publicKey)) {
                    return true;
                }
            } catch (Exception e) {
                System.err.println("Verify Token:" + e);
            }
        }
        return false;
    }
Just handle the exception; the second certificate works fine.
Edit: if you want it cleaner, you can subclass it as Erik-z suggested:
Edit 2: I couldn't get it working with the code below, so I'll stick with the ugly hack above.
    package com.my.project.package;

    import java.io.IOException;
    import java.security.GeneralSecurityException;
    import java.security.PublicKey;

    import com.google.api.client.auth.openidconnect.IdTokenVerifier;
    import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
    import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
    import com.google.api.client.http.HttpTransport;
    import com.google.api.client.json.JsonFactory;

    // Remember to remove this class later by making it deprecated
    @Deprecated
    public class GoogleIdTokenVerifier2 extends GoogleIdTokenVerifier {

        // Add constructors as needed
        public GoogleIdTokenVerifier2(HttpTransport transport, JsonFactory jsonFactory) {
            super(transport, jsonFactory);
        }

        @Override
        public boolean verify(GoogleIdToken googleIdToken) throws GeneralSecurityException, IOException {
            // check the payload: the cast selects the verify(IdToken) overload inherited from
            // IdTokenVerifier (issuer/audience/expiry checks) rather than the
            // GoogleIdTokenVerifier overload that would re-run the failing signature loop
            if (!((IdTokenVerifier) this).verify(googleIdToken)) {
                return false;
            }
            // verify signature: an exception for one key must not stop the remaining
            // published keys from being tried
            for (PublicKey publicKey : getPublicKeysManager().getPublicKeys()) {
                try {
                    if (googleIdToken.verifySignature(publicKey)) {
                        return true;
                    }
                } catch (Exception e) {
                    System.err.println("Verify Token:" + e);
                }
            }
            return false;
        }
    }
I don't think this is the final solution, but a temporary workaround that definitely works is to change the verifier's audience to the tokenId.
    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
            .setAudience(Arrays.asList(clientId)).build();
to
    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
            .setAudience(Arrays.asList(tokenResponse.getIdToken())).build();
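The exception in the question is the JDK refusing to compare a 256-byte signature (made with a 2048-bit RSA key) against a 1024-bit key, which expects 128 bytes; it raises instead of returning false, so a verifier that tries every published key in order dies on the first mismatched key and never reaches the one that signed the token. The first answer's per-key catch and the RFC 7515 `kid` header both address that; the third answer's audience change does not touch the signature check at all. The following added example, written for this page and not code from google-http-client or from either answerer, reproduces the failure and both fixes with a toy RS256 verifier. RSA key generation (Miller-Rabin) and PKCS#1 v1.5 encoding are implemented inline so it runs offline; the key sizes (512 and 1024 bits), the `kid` values, the claims and the audience string `my-client-id` are constructed for the demo and are not production parameters.

```python
import base64
import hashlib
import json
import secrets

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2 note 1

class SignatureLengthError(Exception): "Stands in for java.security.SignatureException"

def _is_probable_prime(n, rounds=24):  # Miller-Rabin with random bases; toy keygen only
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False  # candidates are hundreds of bits long, so a small factor means composite
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def generate_rsa(bits, e=65537):  # returns (n, e, d) with a modulus of exactly `bits` bits
    def prime(b):
        while True:
            cand = secrets.randbits(b) | (1 << (b - 1)) | 1  # exact bit length, odd
            if _is_probable_prime(cand): return cand
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:  # e is prime, so phi % e != 0 means coprime
            return n, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(message, k):  # EMSA-PKCS1-v1_5 with SHA-256, k-byte output
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(key, message):
    n, _e, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, message, signature):
    """PKCS#1 v1.5 verify; like the JDK's RSASignature, a wrong-length signature raises."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        raise SignatureLengthError(f"Signature length not correct: got {len(signature)} but was expecting {k}")
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _emsa_pkcs1_v15(message, k))

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jws(kid, claims, key):
    signing_input = (_b64url(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    return signing_input + "." + _b64url(rsa_sign(key, signing_input.encode()))

def verify_naive(token, keys):
    """Failing pattern: try keys in order and let a per-key exception escape the loop."""
    header, payload, sig = token.split(".")
    for _kid, pub in keys:
        if rsa_verify(pub, (header + "." + payload).encode(), _unb64url(sig)):
            return json.loads(_unb64url(payload))
    return None

def verify_robust(token, keys, expected_aud):
    """Select by `kid` (else try all), skip keys whose size cannot match, then check `aud`."""
    header, payload, sig = token.split(".")
    hdr = json.loads(_unb64url(header))
    if hdr.get("alg") != "RS256": return None  # never let the token choose the algorithm
    candidates = [pub for kid, pub in keys if kid == hdr.get("kid")] or [pub for _, pub in keys]
    for pub in candidates:
        try:
            if not rsa_verify(pub, (header + "." + payload).encode(), _unb64url(sig)):
                continue
        except SignatureLengthError:
            continue  # this key's size does not match the signature: try the next one
        claims = json.loads(_unb64url(payload))
        return claims if claims.get("aud") == expected_aud else None
    return None

def demo():
    """Key rotation: the set lists an old 512-bit key ahead of the 1024-bit key that signed."""
    old, new = generate_rsa(512), generate_rsa(1024)
    keys = [("old-kid", old[:2]), ("new-kid", new[:2])]
    token = make_jws("new-kid", {"sub": "123", "aud": "my-client-id"}, new)
    try:
        naive = verify_naive(token, keys)
    except SignatureLengthError as exc:
        naive = str(exc)
    # expected audience must stay the client id; pinning it to the token string rejects every token
    return naive, verify_robust(token, keys, "my-client-id"), verify_robust(token, keys, token)
```

`demo()` returns the JDK-style error message from the naive loop ("got 128 but was expecting 64", the question's numbers halved), the accepted claims from the robust verifier, and `None` when the expected audience is set to the token string itself, which is why the audience must remain the client id: the `aud` claim in a Google ID token is the client id, and an audience check that can never match verifies nothing.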
Views: 4218