dth2331 2016-03-11 21:16
浏览 323
已采纳

(Golang)JWT签名验证问题

I'm trying to get my head around JWT tokens in Golang. I'm using github.com/dgrijalva/jwt-go.

What caught me off guard is the fact that I can enter multiple valid signatures.

For example, head over to http://jwt.io - enter MySuperSecretKey for the secret

This token is valid:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU

as well as this one:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV

In fact, if I change the last letter to V, W or X, I get a "Signature Verfied" message.

Can anyone tell me what's going on here?

  • 写回答

1条回答 默认 最新

  • dongyanjing5975 2016-03-14 10:35
    关注

    It's the Base64 encoding of the signature which can have the last letter changed to certain targets without affecting the relevant bits.

    Try popping both signatures into a base64->hex decoder and you'll get the same results. In fact at https://conv.darkbyte.ru/ both signatures get re-evaluated to base64 SxshVL42DUH9e7jXUblbBbTwKxhe4jo70DrvbQMlaQ==

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

    报告相同问题?

    悬赏问题

    • ¥15 vue+element 生成table
    • ¥15 实验 4 FIFO 算法和 LRU 算法-C 程序实现
    • ¥30 电脑画面同步投屏,通过同wifi的方式投屏方法,接收投屏端不需要安装第三方软件,
    • ¥15 有偿拼接大疆精灵4RGB影像
    • ¥15 MATLAB特殊符号
    • ¥15 Arduino实现音频混响
    • ¥15 cuda.jit加速报错
    • ¥15 Octave 安装工具箱出错 Only Win32 target is supported!
    • ¥15 docker save的不能在另一台设备运行
    • ¥15 Unity Animation Rigging使用问题