为什么openssl生成的签名与pyjwt生成的签名看起来不同
我试图验证使用PyJWT创建的JWT签名,但失败了。如果签名是使用openssl命令创建的,那么它就可以工作 我有两个脚本 使用PyJWT和PyOpenSSL创建JWT的Python脚本。如果成功,它会在stdout上抛出JWT Bash脚本,它执行两个实验为什么openssl生成的签名与pyjwt生成的签名看起来不同,openssl,jwt,Openssl,Jwt,我试图验证使用PyJWT创建的JWT签名,但失败了。如果签名是使用openssl命令创建的,那么它就可以工作 我有两个脚本 使用PyJWT和PyOpenSSL创建JWT的Python脚本。如果成功,它会在stdout上抛出JWT Bash脚本,它执行两个实验 运行Python脚本并捕获JWT。解码报头、有效负载部分。构造要签名的消息。使用openssl命令创建签名(使用dgst),使用公钥验证 从JWT中,解码heder、有效载荷和签名部分。使用openssl命令验证JWT使用公钥创建的签名
- 运行Python脚本并捕获JWT。解码报头、有效负载部分。构造要签名的消息。使用openssl命令创建签名(使用dgst),使用公钥验证
- 从JWT中,解码heder、有效载荷和签名部分。使用openssl命令验证JWT使用公钥创建的签名
- 我使用urlsafe b64编码
- 我使用openssldgst命令创建输入消息的散列,该消息经过签名
- 移动数据时使用echo-n
#!/bin/bash
function create_true_digest {
data_file=$1
digest_file=$2
echo "Creating SHA256 digest for $data_file"
ls -l $data_file
cat $data_file
echo
openssl dgst -sha256 $data_file | cut -d" " -f2 | xxd -r -p > $digest_file
echo "digest stored in $digest_file"
cat ${digest_file} | base64 -w 0 | sed 's/+/-/g' | sed 's/\//_/g' > ${digest_file}.base64
echo "Base64 encoded digest stored in ${digest_file}.base64"
ls -l ${digest_file}
cat ${digest_file}.base64
echo
echo "............................................................"
}
function create_digest {
create_true_digest $1 $2
}
function sign_data {
data_file=$1
pvtkey_file=$2
signature_file=$3
echo "Signing $data_file with $pvtkey_file"
ls -l $data_file
openssl dgst -sha256 -sign $pvtkey_file -out $signature_file $data_file
#openssl dgst -sha256 -sign $pvtkey_file -binary -out $signature_file $data_file
echo "Signature stored in $signature_file"
cat $signature_file | base64 -w 0 | sed 's/+/-/g' | sed 's/\//_/g' > ${signature_file}.base64
echo "Base64 encoded signature stored in ${signature_file}.base64"
ls -l ${signature_file} ${signature_file}.base64
echo "............................................................"
}
function verify_signature {
signature_file=$1
pubkey_file=$2
data_file=$3
echo "Verifying signature $signature_file with $pubkey_file against $data_file"
openssl dgst -sha256 -verify $pubkey_file -signature $signature_file $data_file
echo "............................................................"
}
function experiment_1 {
echo "Experiment 1: This experiment accepts a message to verify"
echo " It uses openssl commands to generate a signature and verifies it"
echo
message_to_verify=$1
#message_to_verify="{\"alg\":\"RS256\",\"typ\":\"JWT\"}.{}"
pvtkey_file=$2
pubkey_file=$3
data_file="sign_data.txt"
rm -f $data_file
echo -n $message_to_verify > $data_file
echo "Data stored in $data_file"
digest_file="data_digest.bin"
rm -f $digest_file
rm -f ${digest_file}.base64
create_digest $data_file $digest_file
signature_file="signature_r.bin"
rm -f $signature_file
rm -f ${signature_file}.base64
sign_data $data_file $pvtkey_file $signature_file
verify_signature $signature_file $pubkey_file $data_file
echo "............................................................"
}
function experiment_2 {
echo "Experiment 2: This experiment accepts a message to verify and signature to verify against"
echo " It uses openssl commands to verify the signature against the message"
message_to_verify=$1
signature=$2 # keep it encoded
pubkey_file=$3
data_file="sign_data.txt"
rm -f $data_file
echo -n $message_to_verify > $data_file
echo "Data stored in $data_file"
cat $data_file
echo
signature_file="signature_r.bin"
rm -f $signature_file
rm -f ${signature_file}.base64
echo -n $signature | sed 's/-/+/g' | sed 's/_/\//g' | base64 -di >$signature_file
echo "Signature stored in $signature_file"
cat $signature_file | base64 -w 0 | sed 's/+/-/g' | sed 's/\//_/g' > ${signature_file}.base64
echo "Base64 encoded signature stored in ${signature_file}.base64"
ls -l ${signature_file} ${signature_file}.base64
verify_signature $signature_file $pubkey_file $data_file
echo "............................................................"
}
if [ $# -lt 2 ]
then
echo "Usage: $0 <private key file> <public key file>"
exit
fi
pvtkey_file=$1
pubkey_file=$2
# Get Base64URL encoded JWT
# Need python 2.7, PyJWT, PyOpenSSL
JWT=`/usr/local/software/python/python2/bin/python jwttest.py $pvtkey_file $pubkey_file`
# Split parts
echo "Ignore base64 warnings..."
header=`echo -n $JWT | cut -d"." -f1 | sed 's/-/+/g' | sed 's/_/\//g' | base64 -di`
payload=`echo -n $JWT | cut -d"." -f2 | sed 's/-/+/g' | sed 's/_/\//g' | base64 -di`
signature=`echo -n $JWT | cut -d"." -f3` # decoding will be done by routines
message_to_verify="${header}.${payload}"
experiment_1 $message_to_verify $pvtkey_file $pubkey_file
experiment_2 $message_to_verify $signature $pubkey_file
#/bin/bash
函数create\u true\u digest{
数据文件=$1
摘要文件=$2
echo“为$data\u文件创建SHA256摘要”
ls-l$data\u文件
cat$data\u文件
回声
openssl dgst-sha256$data_文件| cut-d”“-f2 | xxd-r-p>$digest_文件
echo“摘要存储在$digest\u文件中”
cat${digest\u file}base64-w 0 | sed's/+/-/g'| sed's/\/\ug'>${digest\u file}.base64
echo“存储在${digest_file}.Base64中的Base64编码摘要”
ls-l${digest_file}
cat${digest_file}.base64
回声
回音“………………”
}
函数create_digest{
创建\u真实\u摘要$1$2
}
函数符号数据{
数据文件=$1
pvtkey_文件=$2
签名文件=$3
echo“使用$pvtkey\u文件对$data\u文件进行签名”
ls-l$data\u文件
openssl dgst-sha256-签名$pvtkey_文件-输出$signature_文件$data_文件
#openssl dgst-sha256-签名$pvtkey_文件-二进制-输出$signature_文件$data_文件
echo“存储在$Signature\u文件中的签名”
cat$signature\u file | base64-w 0 | sed's/+/-/g'| sed's/\/\ug'>${signature\u file}.base64
echo“Base64编码信号”
#!/bin/bash
function create_true_digest {
data_file=$1
digest_file=$2
echo "Creating SHA256 digest for $data_file"
ls -l $data_file
cat $data_file
echo
openssl dgst -sha256 $data_file | cut -d" " -f2 | xxd -r -p > $digest_file
echo "digest stored in $digest_file"
cat ${digest_file} | base64 -w 0 | sed 's/+/-/g' | sed 's/\//_/g' > ${digest_file}.base64
echo "Base64 encoded digest stored in ${digest_file}.base64"
ls -l ${digest_file}
cat ${digest_file}.base64
echo
echo "............................................................"
}
function create_digest {
create_true_digest $1 $2
}
function sign_data {
data_file=$1
pvtkey_file=$2
signature_file=$3
echo "Signing $data_file with $pvtkey_file"
ls -l $data_file
openssl dgst -sha256 -sign $pvtkey_file -out $signature_file $data_file
#openssl dgst -sha256 -sign $pvtkey_file -binary -out $signature_file $data_file
echo "Signature stored in $signature_file"
cat $signature_file | base64 -w 0 | sed 's/+/-/g' | sed 's/\//_/g' > ${signature_file}.base64
echo "Base64 encoded signature stored in ${signature_file}.base64"
ls -l ${signature_file} ${signature_file}.base64
echo "............................................................"
}
function verify_signature {
signature_file=$1
pubkey_file=$2
data_file=$3
echo "Verifying signature $signature_file with $pubkey_file against $data_file"
openssl dgst -sha256 -verify $pubkey_file -signature $signature_file $data_file
echo "............................................................"
}
function experiment_1 {
echo "Experiment 1: This experiment accepts a message to verify"
echo " It uses openssl commands to generate a signature and verifies it"
echo
message_to_verify=$1
#message_to_verify="{\"alg\":\"RS256\",\"typ\":\"JWT\"}.{}"
pvtkey_file=$2
pubkey_file=$3
data_file="sign_data.txt"
rm -f $data_file
echo -n $message_to_verify > $data_file
echo "Data stored in $data_file"
digest_file="data_digest.bin"
rm -f $digest_file
rm -f ${digest_file}.base64
create_digest $data_file $digest_file
signature_file="signature_r.bin"
rm -f $signature_file
rm -f ${signature_file}.base64
sign_data $data_file $pvtkey_file $signature_file
verify_signature $signature_file $pubkey_file $data_file
echo "............................................................"
}
function experiment_2 {
echo "Experiment 2: This experiment accepts a message to verify and signature to verify against"
echo " It uses openssl commands to verify the signature against the message"
message_to_verify=$1
signature=$2 # keep it encoded
pubkey_file=$3
data_file="sign_data.txt"
rm -f $data_file
echo -n $message_to_verify > $data_file
echo "Data stored in $data_file"
cat $data_file
echo
signature_file="signature_r.bin"
rm -f $signature_file
rm -f ${signature_file}.base64
echo -n $signature | sed 's/-/+/g' | sed 's/_/\//g' | base64 -di >$signature_file
echo "Signature stored in $signature_file"
cat $signature_file | base64 -w 0 | sed 's/+/-/g' | sed 's/\//_/g' > ${signature_file}.base64
echo "Base64 encoded signature stored in ${signature_file}.base64"
ls -l ${signature_file} ${signature_file}.base64
verify_signature $signature_file $pubkey_file $data_file
echo "............................................................"
}
if [ $# -lt 2 ]
then
echo "Usage: $0 <private key file> <public key file>"
exit
fi
pvtkey_file=$1
pubkey_file=$2
# Get Base64URL encoded JWT
# Need python 2.7, PyJWT, PyOpenSSL
JWT=`/usr/local/software/python/python2/bin/python jwttest.py $pvtkey_file $pubkey_file`
# Split parts
echo "Ignore base64 warnings..."
header=`echo -n $JWT | cut -d"." -f1 | sed 's/-/+/g' | sed 's/_/\//g' | base64 -di`
payload=`echo -n $JWT | cut -d"." -f2 | sed 's/-/+/g' | sed 's/_/\//g' | base64 -di`
signature=`echo -n $JWT | cut -d"." -f3` # decoding will be done by routines
message_to_verify="${header}.${payload}"
experiment_1 $message_to_verify $pvtkey_file $pubkey_file
experiment_2 $message_to_verify $signature $pubkey_file