Hen*_*ips 1 java token azure-active-directory
I get an access token from an Azure Portal free subscription, with the header:
{
"typ": "JWT",
"alg": "RS256",
"x5t": "7_Zuf1tvkwLxYaHS3q6lUjUYIGw",
"kid": "7_Zuf1tvkwLxYaHS3q6lUjUYIGw"
}
So I take x5c from there and put it into
-----BEGIN CERTIFICATE----- MIIDBTCCAe ...... cNpO9oReBUsX -----END CERTIFICATE-----
ze7xq1zGljQihJgcNpO9oReBUsX
In https://jwt.io/ the signature is verified.
But when I try to verify the signature with jjwt and jose4j on JDK 1.8, following the steps in this reference, I get the exception below
PublicKey publicKey = keyFactory.generatePublic(keySpec);
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:204)
at java.base/java.security.KeyFactory.generatePublic(KeyFactory.java:352)
at com.ipscape.api.v1_0.external.other.JwtExample.decodeJwt(JwtExample.java:41)
at com.ipscape.api.v1_0.external.other.JwtExample.main(JwtExample.java:72)
Caused by: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
at java.base/sun.security.x509.X509Key.decode(X509Key.java:396)
at java.base/sun.security.x509.X509Key.decode(X509Key.java:401)
at java.base/sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:86)
at java.base/sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:297)
at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:200)
Code using jose4j:
String publicKeyPEM =
"..."; // the base64 x5c value, elided in the original post
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(Base64.getDecoder().decode(publicKeyPEM.getBytes()));
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
PublicKey publicKey = keyFactory.generatePublic(keySpec);
JwtConsumer jwtConsumer = new JwtConsumerBuilder()
.setRequireExpirationTime()
.setVerificationKey(publicKey)
.build();
x5c is an (X.509) certificate, not a public key. Actually it is a chain consisting of a series of certificates if needed, although in this example it is a single self-signed certificate. The PEM header and trailer lines for a certificate should say "BEGIN CERTIFICATE" and "END CERTIFICATE" in all caps, and the base64 should have line breaks added, unlike the JWT format (base64 but not PEM).
To read a certificate use java.security.cert.CertificateFactory. (This can also handle a chain, either as a series of certificates, which it calls PkiPath, or as a standard (trivial) PKCS7 message (often called p7b or p7c).) Either give it the correct PEM format or give it the correct binary/DER format; the latter is easier, because it is just the base64 decode of the JWT x5c format (as you already do now, before putting it into the wrong keyspec, except that java.util.Base64.Decoder does not need the base64 as bytes; it can take a String). If you only need the pubkey, you can get it from the certificate. Do something like:
String certb64 = "...";
byte[] certder = Base64.getDecoder().decode(certb64);
InputStream certstream = new ByteArrayInputStream (certder);
Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(certstream);
PublicKey key = cert.getPublicKey();
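As an added, self-contained illustration of the answer above (this is not code from the question, the answer, jose4j or jjwt), the following class does the x5c-to-PublicKey step with CertificateFactory and then verifies an RS256 compact JWS with plain java.security.Signature. Because no real Azure certificate is embedded, main() exercises the verifier with a locally generated RSA key pair and a token it issues itself (both constructed for the demo); the certFromX5c and x5tOf helpers are the part you would apply to a real token's x5c/x5t header values.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

public class X5cJwtVerify {

    // x5c[0] is plain base64 of the DER-encoded certificate (no PEM armor,
    // no line breaks), so decoding it and handing the bytes to
    // CertificateFactory is all that is needed; X509EncodedKeySpec is the
    // wrong container because the bytes are a Certificate, not a
    // SubjectPublicKeyInfo.
    static X509Certificate certFromX5c(String x5c) throws Exception {
        byte[] der = Base64.getDecoder().decode(x5c);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    // x5t is base64url(SHA-1(DER certificate)). Comparing it with the
    // token header confirms the certificate really is the key the token names.
    static String x5tOf(X509Certificate cert) throws Exception {
        byte[] sha1 = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sha1);
    }

    // Verify a compact JWS (header.payload.signature) signed with RS256.
    static boolean verifyRs256(String jwt, PublicKey key) throws Exception {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) return false;
        String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm to the one the key was issued for; the token must
        // not be allowed to select "none" or an HMAC variant. Real code would
        // parse the JSON rather than use this substring check.
        if (!header.replace(" ", "").contains("\"alg\":\"RS256\"")) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getUrlDecoder().decode(parts[2]));
    }

    // Issue a token with a local key so the demo runs offline (constructed
    // test data, not an Azure-issued token).
    static String signRs256(String payloadJson, PrivateKey key) throws Exception {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String signingInput =
                b64.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
                + "." + b64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + b64.encodeToString(sig.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        String jwt = signRs256("{\"sub\":\"demo\",\"iss\":\"local-test\"}", kp.getPrivate());
        System.out.println("valid token verifies:    " + verifyRs256(jwt, kp.getPublic()));

        // Change one character of the payload: the signature no longer covers it.
        String[] p = jwt.split("\\.");
        String tampered = p[0] + "."
                + p[1].substring(0, p[1].length() - 1) + (p[1].endsWith("A") ? "B" : "A")
                + "." + p[2];
        System.out.println("tampered token verifies: " + verifyRs256(tampered, kp.getPublic()));

        // For a real token: X509Certificate cert = certFromX5c(x5cFromJwks);
        // check x5tOf(cert).equals(headerX5t), then
        // verifyRs256(token, cert.getPublicKey()).
    }
}
```

The two printed lines should read true and false. Note that verifying the signature is only part of validating an Azure AD token: exp, iss and aud still have to be checked, which is what the JwtConsumerBuilder in the question is set up to do once it is given the correct key.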