我试图理解this blog post about JOSE 。在关于JWS的部分,它说了以下内容:
Including the public key in the protected header would not only give the server the ability the validate the signature, we will also be sure that it is the correct one since the protected header is integrity protected!
这就是示例对象的样子:
{
"payload": "eyAKICAgICAgICAiZnJvbSI6ewogICAgICAgICAgICAibmFtZSI6ICJUaW0gWXNld3luIiwKICAgICAgICAgICAgImFjY291bnQiOiAiQ2hlY2tpbmcgYWNjb3VudCIKICAgICAgICB9LAogICAgICAgICJ0byI6ewogICAgICAgICAgICAibmFtZSI6ICJUaW0gWXNld3luIiwKICAgICAgICAgICAgImFjY291bnQiOiAiU2F2aW5ncyBhY2NvdW50IgogICAgICAgIH0sCiAgICAgICAgImFtb3VudCI6IDI1MAogICAgICAgICJjdXJyZW5jeSI6ICJFVVIiCiAgICB9",
"protected": "eyAKICAgICAgICAiYWxnIjogIlJTMjU2IgogICAgfQ==",
"header": {
"signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU01Q"
}
}
protected header 是以下内容的 base64url 编码:
{
"alg": "ES256"
}
我能找到的将公钥放入其中的唯一引用是使用 key id 字段kid,如下所示:
{"alg":"RSA1_5","kid":"2011-04-29"}
这就是帖子所指的内容吗?或者它指的是其他东西(比如将整个公钥放入 protected header 中,如下所示:
{"alg":"RSA1_5","key":"somepublickeyhere"}
最佳答案
你走在正确的道路上。这篇文章可能指的是 RFC-7515 中定义的 "jwk" header 参数。如下:
The "jwk" (JSON Web Key) Header Parameter is the public key that corresponds to the key used to digitally sign the JWS. This key is represented as a JSON Web Key.
JSON Web Key (JWK) 是 RFC-7517 中定义的 JOSE 的另一部分。它定义了如何以 JSON 格式表示加密 key ,以便可以传输它们,例如在 JWS header 中。 JWK 格式的 RSA key 可能如下所示:
{
"kty":"RSA",
"n": "0vx7 (...) DKgw",
"e":"AQAB",
"alg":"RS256",
"kid":"2011-04-29"
}
如文章中所述,带有 key 的( protected )JWS header 可能如下所示:
{
"alg": "RS256",
"jwk": {
"kty":"RSA",
"n": "0vx7 (...) DKgw",
"e":"AQAB",
"alg":"RS256",
"kid":"2011-04-29"
}
}
关于json - protected header JWS,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/52747701/