2016-01-12 96 views
1

In PHP I am trying to verify an AWS auth token (the JWT returned by getOpenIdTokenForDeveloperIdentity) using AWS's RSA public key, which I generated from the modulus/exponent at https://cognito-identity.amazonaws.com/.well-known/jwks_uri. The key starts with the appropriate header/footer -----BEGIN RSA PUBLIC KEY----- etc. I have looked at several PHP libraries, such as Emarref\Jwt\Jwt, but I get the error: error:0906D06C:PEM routines:PEM_read_bio:no start line. It all comes down to the basic PHP function openssl_verify: verifying a JWT signature with an RSA public key in PHP.

I have looked at php.net/manual for openssl-verify, but the details of the parameters are still unclear to me. The required algorithm is RS512.

I was able to verify the JWT token with node.js without any problem (same key and token). For that I used this library: https://github.com/auth0/node-jsonwebtoken

Not sure why this doesn't work in PHP. Can't I use an RSA public key?

// $authToken is the compact-serialized JWT string to check
function verifyKey($public_key, $authToken) {
    $jwt = new Emarref\Jwt\Jwt();

    // RS512: RSA PKCS#1 v1.5 signature over SHA-512
    $algorithm = new Emarref\Jwt\Algorithm\Rs512();
    $factory = new Emarref\Jwt\Encryption\Factory();
    $encryption = $factory->create($algorithm);
    $encryption->setPublicKey($public_key);
    $context = new Emarref\Jwt\Verification\Context($encryption);
    $token = $jwt->deserialize($authToken);

    try {
        $jwt->verify($token, $context);
    } catch (Emarref\Jwt\Exception\VerificationException $e) {
        debug($e->getMessage());
    }
}

Answer

0

Have you tried another PHP library: https://github.com/Spomky-Labs/jose

// File test.php
require_once __DIR__.'/vendor/autoload.php';

use Jose\Checker\ExpirationChecker;
use Jose\Checker\IssuedAtChecker;
use Jose\Checker\NotBeforeChecker;
use Jose\Factory\KeyFactory;
use Jose\Factory\LoaderFactory;
use Jose\Factory\VerifierFactory;
use Jose\Object\JWKSet;
use Jose\Object\JWSInterface;

// We create a JWT loader.
$loader = LoaderFactory::createLoader();

// We load the input ($input is the compact serialized JWT string)
$jws = $loader->load($input);

if (!$jws instanceof JWSInterface) {
    die('Not a JWS');
}

// Please note that at this moment the signature and the claims are not verified

// To verify a JWS, we need a JWKSet that contains public keys (from RSA key in your case).
// We create our key object (JWK) using a RSA public key
$jwk = KeyFactory::createFromPEM('-----BEGIN RSA PUBLIC KEY-----...');

// Then we set this key in a keyset (JWKSet object)
// Be careful, the JWKSet object is immutable. When you add a key, you get a new JWKSet object.
$jwkset = new JWKSet();
$jwkset = $jwkset->addKey($jwk);

// We create our verifier object with a list of authorized signature algorithms (only 'RS512' in this example)
// We add some checkers. These checkers will verify claims or headers.
$verifier = VerifierFactory::createVerifier(
    ['RS512'],
    [
        new IssuedAtChecker(),
        new NotBeforeChecker(),
        new ExpirationChecker(),
    ]
);

$is_valid = $verifier->verify($jws, $jwkset);

// The variable $is_valid contains a boolean that indicates the signature is valid or not.
// If a claim is not verified (e.g. the JWT expired), an exception is thrown.

// Now you can use the $jws object to retrieve all claims or header key/value pairs
0

I was able to get this library working. However, I had to use KeyFactory::createFromValues instead of KeyFactory::createFromPEM to build the key. Thanks!
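The question asks how to do this with plain openssl_verify, and the closing comment notes that building the key from the JWK's n/e values is what worked. The following is an added example, not code from the question or from the jose library, that does exactly that: it wraps the JWK modulus and exponent into an SPKI PEM (the form openssl_pkey_get_public accepts) and verifies an RS512 token with the algorithm pinned rather than read from the header. The key pair and token are constructed locally so it runs offline.

```php
<?php
// Added example, not code from the question or the jose library: verify an
// RS512 JWT with openssl_verify(), building the key from a JWK's n/e values.
// openssl_pkey_get_public() wants an SPKI "BEGIN PUBLIC KEY" PEM; a PKCS#1
// "BEGIN RSA PUBLIC KEY" wrapper is what produces the "no start line" error.
function b64url_decode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4));
}
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
function der_len(int $n): string {                  // DER length, short/long form
    if ($n < 0x80) return chr($n);
    $b = ltrim(pack('N', $n), "\0");
    return chr(0x80 | strlen($b)) . $b;
}
function der_int(string $bin): string {             // DER INTEGER, kept positive
    if (ord($bin[0]) & 0x80) $bin = "\0" . $bin;
    return "\x02" . der_len(strlen($bin)) . $bin;
}
// Wrap JWK n/e as SubjectPublicKeyInfo: SEQ { rsaEncryption OID, NULL } + BIT STRING.
function rsa_spki_pem(string $n, string $e): string {
    $body = der_int(b64url_decode($n)) . der_int(b64url_decode($e));
    $rsa  = "\x30" . der_len(strlen($body)) . $body;
    $alg  = "\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00";
    $bits = "\x03" . der_len(strlen($rsa) + 1) . "\0" . $rsa;
    $der  = "\x30" . der_len(strlen($alg . $bits)) . $alg . $bits;
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($der), 64, "\n")
         . "-----END PUBLIC KEY-----\n";
}
// Returns the claims, or null on any failure. The algorithm is pinned to RS512
// rather than read from the token, so a header cannot downgrade it.
function verify_rs512(string $jwt, string $pem): ?array {
    if (count($parts = explode('.', $jwt)) !== 3) return null;
    [$h, $p, $s] = $parts;
    $hdr = json_decode(b64url_decode($h), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'RS512') return null;
    if (($key = openssl_pkey_get_public($pem)) === false) return null;
    $ok = openssl_verify("$h.$p", b64url_decode($s), $key, OPENSSL_ALGO_SHA512);
    return $ok === 1 ? json_decode(b64url_decode($p), true) : null;
}
// Constructed self-test: sign with a throwaway key, export n/e as a JWKS would.
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$rsa  = openssl_pkey_get_details($priv)['rsa'];
$pem  = rsa_spki_pem(b64url_encode($rsa['n']), b64url_encode($rsa['e']));
$head = b64url_encode(json_encode(['alg' => 'RS512', 'typ' => 'JWT']));
$body = b64url_encode(json_encode(['sub' => 'constructed-id', 'exp' => time() + 300]));
openssl_sign("$head.$body", $sig, $priv, OPENSSL_ALGO_SHA512);
var_dump(verify_rs512("$head.$body." . b64url_encode($sig), $pem) !== null); // bool(true)
var_dump(verify_rs512("$head.{$body}x." . b64url_encode($sig), $pem));        // NULL
```

With a real Cognito token, replace the throwaway key with the n and e values of the JWKS entry whose kid matches the token header, and still check the exp, iss and aud claims after the signature passes.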