How to decode a STIR/SHAKEN JWT into a JSON object



I'm trying to decode a STIR/SHAKEN HS256 JSON Web Token.

I tried using the Jose.NET library:

```csharp
string token = "eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jci5zYW5zYXkuY29tL1RlY2hub2xvZ3lfSW5ub3ZhdGlvbl9MYWJfNTk5SiJ9.eyJhdHRlc3QiOiJCIiwiZGVzdCI6eyJ0biI6WyIxNDc5MjM5OTcwMyJdfSwiaWF0IjoxNjU5NTIxNDU5LCJvcmlnIjp7InRuIjoiMTQ2OTUwMTYwNzAifSwib3JpZ2lkIjoiOTIzNDIxOTgtMTMxNC0xMWVkLWExM2QtYmRjMWMxZDI4ODg4In0.8RF_eaVKeGGyjet4lujwPz0J_XBdtwkSKrnrOq7-pA6ODtJPD1parLgimEpDUyzSravtTaxuACxBz4yrKtMZgw";

// No key given (C# null, not VB 'Nothing'); Jose compares the requested
// algorithm against the token header and throws on a mismatch.
string x = Jose.JWT.Decode(token, null, JweAlgorithm.PBES2_HS256_A128KW);
```

It gives an error:

Jose.InvalidAlgorithmException: "传递给Decode方法的算法类型与标头中的算法类型不匹配。"

Trying the token above on the https://jwt.io/ debugger works and returns the following:

HEADER: ALGORITHM & TOKEN TYPE

```json
{
  "alg": "ES256",
  "ppt": "shaken",
  "typ": "passport",
  "x5u": "https://cr.sansay.com/Technology_Innovation_Lab_599J"
}
```

PAYLOAD: DATA

```json
{
  "attest": "B",
  "dest": {
    "tn": [
      "14792399703"
    ]
  },
  "iat": 1659521459,
  "orig": {
    "tn": "14695016070"
  },
  "origid": "92342198-1314-11ed-a13d-bdc1c1d28888"
}
```

The token is actually signed with the ES256 algorithm, not HS256. The public key certificate is provided at the URL given in the x5u header claim, which points to an X.509 certificate. To keep the demo below simple, I saved the certificate as a file named x509.pem.

Here is a simple demo (based on the example in the Jose JWT GitHub repo):

```csharp
using Jose;
using System;
using System.Security.Cryptography.X509Certificates;

namespace JoseJWTES256X509Test
{
    class Program
    {
        static void Main(string[] args)
        {
            string token = "eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jci5zYW5zYXkuY29tL1RlY2hub2xvZ3lfSW5ub3ZhdGlvbl9MYWJfNTk5SiJ9.eyJhdHRlc3QiOiJCIiwiZGVzdCI6eyJ0biI6WyIxNDc5MjM5OTcwMyJdfSwiaWF0IjoxNjU5NTIxNDU5LCJvcmlnIjp7InRuIjoiMTQ2OTUwMTYwNzAifSwib3JpZ2lkIjoiOTIzNDIxOTgtMTMxNC0xMWVkLWExM2QtYmRjMWMxZDI4ODg4In0.8RF_eaVKeGGyjet4lujwPz0J_XBdtwkSKrnrOq7-pA6ODtJPD1parLgimEpDUyzSravtTaxuACxBz4yrKtMZgw";

            // Load the certificate fetched from the x5u URL and take its EC public key.
            var publicKey = new X509Certificate2("x509.pem").GetECDsaPublicKey();

            // Verifies the ES256 signature with that key, then returns the decoded payload.
            string payload = Jose.JWT.Decode(token, publicKey, JwsAlgorithm.ES256);
            Console.WriteLine(payload);
        }
    }
}
```

This verifies the token and prints the payload. If verification fails, the Decode function throws an exception.

As a side note: the Decode function actually verifies the signature before decoding, which is why it needs the key. For the decoding itself no key is needed, because the payload is just Base64Url encoded. That is why https://jwt.io can also decode the token without knowing the key.
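Added example (not part of the question or the answer above, and not Jose.NET code): a stdlib-only Python parser that does the decoding step the answer describes, restoring the Base64Url padding that JWT segments omit, and that refuses a token whose header does not say ES256/passport/shaken, which is the same mismatch the Jose exception reports. It does not verify the signature; it returns the raw R||S bytes and the signing input for a verifier that holds the x5u certificate.

```python
import base64
import json

# Constructed sample: the PASSporT token quoted in the question above.
SAMPLE_TOKEN = "eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jci5zYW5zYXkuY29tL1RlY2hub2xvZ3lfSW5ub3ZhdGlvbl9MYWJfNTk5SiJ9.eyJhdHRlc3QiOiJCIiwiZGVzdCI6eyJ0biI6WyIxNDc5MjM5OTcwMyJdfSwiaWF0IjoxNjU5NTIxNDU5LCJvcmlnIjp7InRuIjoiMTQ2OTUwMTYwNzAifSwib3JpZ2lkIjoiOTIzNDIxOTgtMTMxNC0xMWVkLWExM2QtYmRjMWMxZDI4ODg4In0.8RF_eaVKeGGyjet4lujwPz0J_XBdtwkSKrnrOq7-pA6ODtJPD1parLgimEpDUyzSravtTaxuACxBz4yrKtMZgw"

def b64url_decode(segment: str) -> bytes:
    """JWT segments omit '=' padding; restore it so base64 accepts them."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_passport(token: str) -> dict:
    """Split a STIR/SHAKEN PASSporT into header, payload and raw signature.

    This only decodes and sanity-checks the structure; it does NOT verify
    the signature, which needs the certificate referenced by the x5u header.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization needs exactly 3 segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    # RFC 8225 mandates ES256; rejecting anything else stops a token that
    # was re-signed with HS256 or "none" from being treated as a PASSporT.
    if header.get("alg") != "ES256":
        raise ValueError(f"alg {header.get('alg')!r} is not ES256")
    if header.get("typ") != "passport" or header.get("ppt") != "shaken":
        raise ValueError("typ/ppt do not identify a SHAKEN PASSporT")
    # JWS requires the x5u fetch to be integrity protected, so insist on https.
    if not str(header.get("x5u", "")).startswith("https://"):
        raise ValueError("x5u must be an https URL to the signer's certificate")
    # An ES256 (P-256) JWS signature is raw R||S, two 32-byte integers.
    if len(signature) != 64:
        raise ValueError(f"ES256 signature must be 64 bytes, got {len(signature)}")
    for claim in ("attest", "dest", "iat", "orig", "origid"):
        if claim not in payload:
            raise ValueError(f"mandatory claim {claim!r} is missing")
    return {
        "header": header,
        "payload": payload,
        "signature": signature,
        # The bytes an ES256 verifier must check the signature over.
        "signing_input": (parts[0] + "." + parts[1]).encode("ascii"),
    }

if __name__ == "__main__":
    print(json.dumps(decode_passport(SAMPLE_TOKEN)["payload"], indent=2))
```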
