In PHP, I am trying to verify an AWS authentication token (the JWT returned by getOpenIdTokenForDeveloperIdentity) using AWS's RSA public key (which I generated from the modulus/exponent published at https://cognito-identity.amazonaws.com/.well-known/jwks_uri). The key begins with the proper header/footer, -----BEGIN RSA PUBLIC KEY----- etc. I have looked at some PHP libraries, such as Emarref\Jwt\Jwt, but I get the error: error:0906D06C:PEM routines:PEM_read_bio:no start line. It all comes down to the basic PHP function openssl_verify.
I have looked at the php.net manual for openssl-verify, but I am still unclear on the parameter details. The required algorithm is RS512.
I was able to verify the JWT token with node.js without any problems (same key and token). For that I used the library: https://github.com/auth0/node-jsonwebtoken
Not sure why this does not work in PHP. Can I do it without using the RSA public key?
function verifyKey($public_key, $authToken) {
    $jwt = new Emarref\Jwt\Jwt();
    // RS512: RSASSA-PKCS1-v1_5 with SHA-512, the algorithm the token is signed with
    $algorithm = new Emarref\Jwt\Algorithm\Rs512();
    $factory = new Emarref\Jwt\Encryption\Factory();
    $encryption = $factory->create($algorithm);
    // $public_key is the PEM string built from the JWKS modulus/exponent
    $encryption->setPublicKey($public_key);
    $context = new Emarref\Jwt\Verification\Context($encryption);
    // $authToken is the compact JWT string returned by getOpenIdTokenForDeveloperIdentity
    $token = $jwt->deserialize($authToken);
    try {
        $jwt->verify($token, $context);
    } catch (Emarref\Jwt\Exception\VerificationException $e) {
        debug($e->getMessage());
    }
}
Answer 0 (score: 0)
You can try another PHP library: https://github.com/Spomky-Labs/jose
<?php
// File test.php
require_once __DIR__.'/vendor/autoload.php';

use Jose\Checker\ExpirationChecker;
use Jose\Checker\IssuedAtChecker;
use Jose\Checker\NotBeforeChecker;
use Jose\Factory\KeyFactory;
use Jose\Factory\LoaderFactory;
use Jose\Factory\VerifierFactory;
use Jose\Object\JWKSet;
use Jose\Object\JWSInterface;

// We create a JWT loader.
$loader = LoaderFactory::createLoader();

// We load the input ($input is the compact serialized JWT string to verify).
$jws = $loader->load($input);
if (!$jws instanceof JWSInterface) {
    die('Not a JWS');
}
// Please note that at this moment the signature and the claims are not verified.

// To verify a JWS, we need a JWKSet that contains public keys (from the RSA key in your case).
// We create our key object (JWK) using an RSA public key.
$jwk = KeyFactory::createFromPEM('-----BEGIN RSA PUBLIC KEY-----...');

// Then we set this key in a keyset (JWKSet object).
// Be careful, the JWKSet object is immutable. When you add a key, you get a new JWKSet object.
$jwkset = new JWKSet();
$jwkset = $jwkset->addKey($jwk);

// We create our verifier object with a list of authorized signature algorithms (only 'RS512' in this example).
// We add some checkers. These checkers will verify claims or headers.
$verifier = VerifierFactory::createVerifier(
    ['RS512'],
    [
        new IssuedAtChecker(),
        new NotBeforeChecker(),
        new ExpirationChecker(),
    ]
);

$is_valid = $verifier->verify($jws, $jwkset);
// The variable $is_valid contains a boolean that indicates whether the signature is valid or not.
// If a claim is not verified (e.g. the JWT expired), an exception is thrown.
// Now you can use the $jws object to retrieve all claims or header key/value pairs.
Answer 1 (score: 0)
I was able to get this library working. However, I had to build the key with KeyFactory::createFromValues instead of KeyFactory::createFromPEM. Thanks!
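The question asks how openssl_verify should be called for RS512, and the accepted approach in the last answer builds the key from the JWK values (n, e) rather than from a PEM. The following is an added example, not code from the question or either answer, that does both with PHP's built-in ext-openssl and no library: it converts the JWK modulus/exponent into a SubjectPublicKeyInfo PEM (the "BEGIN PUBLIC KEY" form that openssl reads) and verifies the token. It assumes $jwt is the compact token string and $jwk is the decoded JWKS entry whose kid matches the token header; both names are this example's own.

```php
<?php
// Added example: verify an RS512 JWT with openssl_verify, key built from JWK n/e.
function base64url_decode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4));
}

// Minimal DER helpers: a tagged element with a correctly encoded length prefix.
function der(string $tag, string $body): string {
    $len = strlen($body);
    if ($len < 0x80) {
        return $tag . chr($len) . $body;
    }
    $lenBytes = ltrim(pack('N', $len), "\0");            // long form: 0x8N + N length bytes
    return $tag . chr(0x80 | strlen($lenBytes)) . $lenBytes . $body;
}
function der_uint(string $bytes): string {
    $bytes = ltrim($bytes, "\0");
    if ($bytes === '' || (ord($bytes[0]) & 0x80)) {
        $bytes = "\0" . $bytes;                          // keep the INTEGER positive
    }
    return der("\x02", $bytes);
}

// JWK {"kty":"RSA","n":...,"e":...} -> SubjectPublicKeyInfo PEM ("BEGIN PUBLIC KEY").
function jwk_rsa_to_pem(array $jwk): string {
    $rsaKey = der("\x30", der_uint(base64url_decode($jwk['n'])) . der_uint(base64url_decode($jwk['e'])));
    $algId  = der("\x30", "\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" . "\x05\x00"); // rsaEncryption, NULL
    $spki   = der("\x30", $algId . der("\x03", "\0" . $rsaKey));                        // BIT STRING, 0 unused bits
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($spki), 64, "\n") . "-----END PUBLIC KEY-----\n";
}

// Returns true only if the token is RS512, the signature verifies, and "exp" has not passed.
function verify_rs512_jwt(string $jwt, array $jwk): bool {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), true);
    // Pin the algorithm server-side; never let the token header pick a weaker one (HS*, "none").
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS512') {
        return false;
    }
    $key = openssl_pkey_get_public(jwk_rsa_to_pem($jwk));
    if ($key === false) {
        return false;
    }
    // openssl_verify(data, raw signature, key, digest): RS512 is RSASSA-PKCS1-v1_5 with SHA-512
    // over the ASCII "header.payload" string; the signature is the base64url-decoded third part.
    if (openssl_verify("$h.$p", base64url_decode($s), $key, OPENSSL_ALGO_SHA512) !== 1) {
        return false;
    }
    $claims = json_decode(base64url_decode($p), true);
    return is_array($claims) && ($claims['exp'] ?? 0) > time();   // reject expired tokens
}
```

The "no start line" error in the question comes from handing openssl_verify a key in a format its PEM reader does not accept; building the SubjectPublicKeyInfo form directly from n and e, as above, sidesteps that entirely.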