drux41001 2015-06-20 09:32
浏览 927
已采纳

与公钥和私钥以及JWT相关的混乱

I'm trying out JWT (JSON Web Tokens) in a Go web service. Here's what I've done so far:

package jwt

import(
    "fmt"
    "net/http"
    "github.com/gorilla/mux"
    "github.com/dgrijalva/jwt-go"
    "io/ioutil"
)

var privateKey []byte
var publicKey []byte 

func JSONWebTokensHandler(w http.ResponseWriter, r * http.Request){

    // Create the token
    encodeToken := jwt.New(jwt.SigningMethodHS256)
    // Set some claims
    encodeToken.Claims["Latitude"] = "25.000"
    encodeToken.Claims["Longitude"] = "27.000"
    // Sign and get the complete encoded token as a string
    tokenString, err := encodeToken.SignedString(privateKey)

    decodeToken, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {

        if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
            return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
        }

        return publicKey,nil
    })

    if decodeToken.Valid {

        fmt.Fprintf(w,"Lat:  %s, Lng: %s",decodeToken.Claims["Latitude"],decodeToken.Claims["Longitude"])

    }  else {

        fmt.Fprintf(w,"Couldn't handle this token: %s", err)

    }

}

func init(){

    privateKey,_ = ioutil.ReadFile("demo.rsa")
    publicKey,_ = ioutil.ReadFile("demo.rsa.pub")

    r := mux.NewRouter()
    r.HandleFunc("/jwt",JSONWebTokensHandler).Methods("GET")
    http.Handle("/", r)

}

Now if my understanding is correct, A token that is encoded using a private key can be decoded using the public key. That is what I've presumed in the code above however when I run the code I get the error:

Couldn't handle this token: signature is invalid

If I use the same key for encoding and decoding, then the code works.

What I'd like to know is, is there something wrong with my understanding or in the code?

  • 写回答

3条回答 默认 最新

  • drjyvoi734793 2015-06-20 09:41
    关注

    The JWT isn't signed using an asymmetric cipher like RSA. It uses a HMAC, which uses a single, secret key. Indeed, the point here is not to prove to someone else that you signed the token. It's to prove to yourself that you signed it, and thus forbid anyone who doesn't have your secret key to modify the token.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?