java异步验证签名失败,验证Azure AD令牌签名失败JAVA

最新推荐文章于 2021-03-10 16:40:16 发布
最新推荐文章于 2021-03-10 16:40:16 发布
阅读量588 收藏
点赞数
文章标签: java异步验证签名失败

I am struggling to validate an Azure AD token signature.

When I look up the correct key description in the "jwks_uri" field under

I check the belonging key data .

I try to use the "n" - modulus and "e" fields to generate the public key for the signature validation I end up with an error:

BASE64Decoder decoder = new BASE64Decoder();

byte[] modulusBytes = decoder.decodeBuffer(n);

byte[] exponentBytes = decoder.decodeBuffer(e);

BigInteger modulusInt = new BigInteger(1, modulusBytes);

BigInteger exponentInt = new BigInteger(1, exponentBytes);

try {

KeyFactory keyFactory = KeyFactory.getInstance("RSA");

RSAPublicKeySpec publicSpec = new RSAPublicKeySpec(modulusInt, exponentInt);

RSAPublicKey pubKey = (RSAPublicKey)keyFactory.generatePublic(publicSpec);

Jwt c = Jwts.parser().setSigningKey(pubKey).parsePlaintextJwt(token);

} catch (Exception ex) {

ex.printStackTrace();

}

Console:

io.jsonwebtoken.SignatureException: Unable to verify RSA signature using configured PublicKey. Signature length not correct: got 256 but was expecting 246

at io.jsonwebtoken.impl.crypto.RsaSignatureValidator.isValid(RsaSignatureValidator.java:50)

at io.jsonwebtoken.impl.crypto.DefaultJwtSignatureValidator.isValid(DefaultJwtSignatureValidator.java:47)

at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:351)

at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481)

at io.jsonwebtoken.impl.DefaultJwtParser.parsePlaintextJwt(DefaultJwtParser.java:503)

at com.ge.hc.pfh.poc.ams.filter.JwtFilter.doFilter(JwtFilter.java:120)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at com.ge.hc.pfh.poc.ams.filter.ApiOriginFIlter.doFilter(ApiOriginFIlter.java:28)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at com.ge.hc.pfh.poc.ams.filter.MDCFilter.doFilter(MDCFilter.java:34)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:89)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)

at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784)

at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)

at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802)

at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410)

at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Thread.java:745)

I tried another approach to use the "x5c" filed which is a base 64 encoded cert chain:

byte[] certChain = Base64.getDecoder().decode(x5c);

X509Certificate cert = X509CertUtils.parse(certChain);

PublicKey pubKeyNew = cert.getPublicKey();

Claims claims3 = Jwts.parser()

.setSigningKey(pubKeyNew)

.parseClaimsJws(token).getBody();

I end up with an other error:

io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.

at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:354)

at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481)

at io.jsonwebtoken.impl.DefaultJwtParser.parsePlaintextJwt(DefaultJwtParser.java:503)

at com.ge.hc.pfh.poc.ams.filter.JwtFilter.doFilter(JwtFilter.java:106)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at com.ge.hc.pfh.poc.ams.filter.ApiOriginFIlter.doFilter(ApiOriginFIlter.java:28)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at com.ge.hc.pfh.poc.ams.filter.MDCFilter.doFilter(MDCFilter.java:34)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:89)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)

at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784)

at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)

at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802)

at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410)

at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Thread.java:745)

Would anyone know what I am doing wrong?

Thanks.

解决方案

First example

Modulus and Exponent (n and e) in https://login.microsoftonline.com/common/discovery/keys are encoded in base64url and not in base64, so the code to decode them should be

byte[] modulusBytes = Base64.getUrlDecoder().decode(n);

BigInteger modulusInt = new BigInteger(1, modulusBytes);

Do not use old com.sun.misc.BASE64Decoder

If the JWT is signed you should not use JWTParser.plaintextJwt(). According to documentation

plaintextJwt: a compact serialized unsigned plaintext JWT string

Use instead parseClaimsJws or parsePlaintextJws. The second method only if the payload is a string non-JSON

Second example

The second example is basically right. I assume X509CertUtils.parse(certChain) is similar to

InputStream in = new ByteArrayInputStream(certChain);

CertificateFactory certFactory = CertificateFactory.getInstance("X.509");

X509Certificate cert = (X509Certificate)certFactory.generateCertificate(in);

Modulus and exponent of the certificate are the same that the decoded, so public key is equivalent

There are two similar certificates in the link, check both. You should be able to validate the signature. If not, then the token is not signed with those keys

红豆小漫
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
microsoft.graph 中国服邮箱发送失败问题,如何解决??
**My Coding Family**
07-29 825
🏆本文收录于《CSDN问答解惑-专业版》专栏,主要记录项目实战过程中的Bug之前因后果及提供真实
Java ras签名报长度错误,RSA SignatureException:签名长度不正确
weixin_39616416的博客
02-27 1102
I am having issues signing an rsa signature. I have a signature that has been encrypted with a private key. I have an issue when trying to validate it with the public key however. I get the following ...
java.security.SignatureException: Signature length not correct】的解决办法
热门推荐
老张的便利贴
03-31 1万+
错误信息 对接某家公司的接口,涉及String转ASCII,验签时候报错。 java.security.SignatureException: Signature length not correct: got 344 but was expecting 256 错误原因 签名长度不正确:实际值为344,但期望值为256 在生成签名的时候,用的是 Base64.encodeBase64Strin...
Java ras签名报长度错误_Rsa2验签报错【java.security.SignatureException: Signature length not correct】的解决办法...
weixin_31362539的博客
02-27 1051
在进行RSA2进行验签的时候,报了以下错误:java.security.SignatureException: Signature length not correct: got 344 but was expecting 256at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189)at java.security....
支付宝异步回调 报Signature length not correct: got,0 but was expecting 256
alsdiuhfeircn的博客
01-18 6559
网上查到的绝大数是 got 128 255 啥的,got 0 原因显然就不是因为支付宝公钥填错了导致验签失败 。 这个问题是你在支付请求时的参数 在异步回调验签时被改动了。很恐怖吧,数据被人改动了。。其实出现问题的绝大多数情况是,在从支付宝官方的查询异步通知的数据获取信息拿到本地测试时,动了subject 或者 body内容的代码(比如乱码)此时就会报get 0 错误。官方给出的有total_a...
RSA2验签遭遇异常,请检查公钥格式是否正确。Signature length not correct: got 257 but was expecting 256
qq_44660343的博客
03-10 8617
首先说明一下我所遇见的情况 阿里支付宝支付回调的时候我使用request.getParameterMap() 获取不到参数,目前还不知道是啥原因,有知道的可以在评论区留言。 所以我使用的是request.getInputStream() 取参数然后将其转换为amp 注意转换的时候, hashMap.put(strings[0],URLDecoder.decode(strings[1],"UTF-8")); 需要对数值进行 url_decode 我一开始是对全部参数进行了解码,在使用了 = 进行切割 发现
Microsoft.Azure.ActiveDirectory.GraphClient.dll
01-18
使用这个库,开发者可以更方便地在.NET应用程序中集成Azure AD的身份验证和授权功能,实现高效且安全的数据操作。 三、主要功能 1. **身份验证**:库支持OAuth2.0协议,能够处理令牌获取和刷新,确保安全的身份验证...
PyPI 官网下载 | azure-kusto-data-0.0.1.tar.gz
02-11
此外,"azure-kusto-data"库与其他Azure服务如Azure AD集成良好,可以利用Azure AD令牌进行身份验证,这符合现代云服务的安全标准。开发者可以通过设置认证参数,如`aad_token`或`client_id`、`client_secret`、`...
azure-mvc:Azure MVC源代码-mvc source code
03-24
5. **安全性**:检查身份验证和授权机制,如OAuth、JWT令牌Azure AD集成。 6. **性能优化**:注意任何缓存策略、异步操作或优化数据库查询的地方。 7. **持续集成/持续部署(CI/CD)**:如果有,查看项目的CI/CD配置...
jwt:使用jwks端点的JWT验证程序
05-15
智威汤逊 另一个jwt验证程序...。我只是找不到与jwks_uris一起使用的验证程序。
开源项目-Azure-Samples-azure-sdk-for-go-samples.zip
10-09
1. **身份验证**:了解如何使用Azure AD进行身份验证,获取访问令牌,这是与Azure服务交互的基础。 2. **资源管理**:通过示例,学习如何创建、更新、查询和删除Azure资源,如虚拟机、存储账户和网络资源。 3. **...
IDEA SignatureException: Signature length not correct: got 256 but was expecting 512
weixin_48175298的博客
05-27 3818
使用JB Acount激活IDEA报错解决方案 问题描述:安装IDEA,使用JB Account激活报错:java.security.cert.CertificateException: java.security.SignatureException: Signature length not correct: got 256 but was expecting 512 解决方案: 1. 在IDEA界面依次点击:File -> Settings -> Appearance &
RSA验签:java.security.SignatureException: Signature length not correct: got 269 but was expecting 256
u010980938的专栏
11-28 4721
对接第三方业务,对方使用私钥生成签名值,本地在验签的时候,发生异常 java.security.SignatureException: Signature length not correct: got 269 but was expecting 256 at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:211) at java.security.Signature$Delegate.engineVerify(Signat
java异步验证签名失败_支付宝异步回调验证签名的那些走过的坑
weixin_29045001的博客
02-27 736
今天做支付宝接口回调这块,不得不说,弄的我焦头烂额,翻了很多陈年旧帖,试了无数种解决坑的方案,在我成功解决的一瞬间,觉得非常有必要记录一下这些坑。签名验证错误的检查顺序(这里是基于使用官方给的demo,自己封装的请绕道):1:检查一下你使用的验证签名的方法是否正确?bool signVerified = AlipaySignature.RSACheckV1(dic, alipay_public_k...
Java解密net解密对接_RSA .NET加密Java解密
weixin_31111107的博客
02-28 356
我正在尝试使用RSA算法在.NET中加密字符串,并在Java中解密结果。目前,我已经可以做相反的事情(用Java加密,用.NET解密)。这里有我的代码可以实际工作(JAVA加密):byte[] modulusBytes = Base64.decode("2rRVVVFJRbH/wAPDtnwZwu+nxU+AZ6uXxh/sW+AMCBogg7vndZsnRiHoLttYYPqOyOhfgaBOQ...
c rsa java_Android C、C++与javaRSA互通
weixin_39772566的博客
02-15 208
public class RSAUtils {//加密算法RSApublic static final String KEY_ALGORITHM = "RSA";//获取公钥的keyprivate static final String PUBLIC_KEY = "RSAPublicKey";//获取私钥的keyprivate static final String PRIVATE_KEY = "...
Rsa2验签报错【java.security.SignatureException: Signature length not correct】的解决办法
weixin_34008805的博客
04-28 5568
在进行RSA2进行验签的时候,报了以下错误: java.security.SignatureException: Signature length not correct: got 344 but was expecting 256 at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189) at java...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值