dth2331 2016-03-11 21:16
Views: 323
Accepted

(Golang) JWT signature verification problem

I'm trying to get my head around JWT tokens in Golang. I'm using github.com/dgrijalva/jwt-go.

What caught me off guard is the fact that I can enter multiple valid signatures.

For example, head over to http://jwt.io - enter MySuperSecretKey for the secret

This token is valid:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU

as well as this one:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV

In fact, if I change the last letter to V, W or X, I get a "Signature Verified" message.

Can anyone tell me what's going on here?


1 answer

  • dongyanjing5975 2016-03-14 10:35

    It's the Base64 encoding of the signature which can have the last letter changed to certain targets without affecting the relevant bits.

    Try popping both signatures into a base64->hex decoder and you'll get the same results. In fact at https://conv.darkbyte.ru/ both signatures get re-evaluated to base64 SxshVL42DUH9e7jXUblbBbTwKxhe4jo70DrvbQMlaQ==

    This answer was selected as the best answer by the asker.
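An added example, not code from the question, the answer, or jwt-go: it decodes the four signature spellings from the question with Go's lenient and strict base64url decoders and runs each token through an HS256 check, showing why a lenient decoder cannot tell U, V, W and X apart while a strict decoder rejects the three non-canonical spellings. The HMAC helper is my own and assumes the raw string MySuperSecretKey as the key, as entered on jwt.io.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// header.payload and signature prefix from the question; appending U, V, W or X
// gives the four tokens that jwt.io reported as verified.
const headerPayload = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9"
const sigPrefix = "SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMla"

// Lenient base64url: 43 characters carry 258 bits, and the 2 bits left over
// after 32 bytes are discarded, so U/V/W/X (010100..010111) all decode alike.
func decodeLax(seg string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(seg)
}

// Strict base64url requires those leftover bits to be zero (RFC 4648, 3.5),
// so only the canonical spelling ending in U decodes.
func decodeStrict(seg string) ([]byte, error) {
	return base64.RawURLEncoding.Strict().DecodeString(seg)
}

// verifyHS256 recomputes HMAC-SHA256 over header.payload and compares it with
// the signature segment as decoded by the chosen decoder (assumed key: raw string).
func verifyHS256(token, key string, decode func(string) ([]byte, error)) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := decode(parts[2])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, []byte(key))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	return hmac.Equal(mac.Sum(nil), sig)
}

func main() {
	for _, c := range "UVWX" {
		tok := headerPayload + "." + sigPrefix + string(c)
		fmt.Printf("%c: lax=%v strict=%v\n", c,
			verifyHS256(tok, "MySuperSecretKey", decodeLax),
			verifyHS256(tok, "MySuperSecretKey", decodeStrict))
	}
}
```

Encoding.Strict() needs Go 1.8 or later; a verifier that pads the segment and calls a non-strict decoder accepts all four spellings.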
