Updated: 2023-02-15 08:19:17
First example

Modulus and Exponent (n and e) in https://login.microsoftonline.com/common/discovery/keys are encoded in base64url and not in base64, so the code to decode them should be
import java.math.BigInteger;
import java.util.Base64;

// n is the base64url string taken from the discovery document
byte[] modulusBytes = Base64.getUrlDecoder().decode(n);
// signum 1: the decoded bytes are an unsigned (positive) big-endian number
BigInteger modulusInt = new BigInteger(1, modulusBytes);
Do not use the old com.sun.misc.BASE64Decoder.

If the JWT is signed you should not use JWTParser.plaintextJwt(). According to the documentation:

plaintextJwt: a compact serialized unsigned plaintext JWT string

Use parseClaimsJws or parsePlaintextJws instead. Use the second method only if the payload is a non-JSON string.
Second example

The second example is basically right. I assume X509CertUtils.parse(certChain) is similar to
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// certChain holds the decoded bytes of the certificate published with the key
InputStream in = new ByteArrayInputStream(certChain);
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certFactory.generateCertificate(in);
The modulus and exponent of the certificate are the same as the decoded ones, so the public key is equivalent.

There are two similar certificates in the link, check both. You should be able to validate the signature. If not, then the token is not signed with those keys.
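An added end-to-end example, not part of the answer above and not code from any JWT library, that ties the two points together: decoding a discovery-document n/e pair with the base64url decoder, rebuilding the RSA public key, and checking a signed RS256 token with plain JDK classes. It assumes only the JDK; the key pair and the token are constructed inside the program because no real key or token from the page is available to embed.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

public class JwksRs256Verify {
    static final Base64.Decoder URL_DEC = Base64.getUrlDecoder();    // base64url, as the JWKS uses
    static final Base64.Encoder URL_ENC = Base64.getUrlEncoder().withoutPadding();

    // Rebuild the RSA public key from the base64url "n" and "e" of one discovery-document key.
    static RSAPublicKey fromJwk(String n, String e) throws GeneralSecurityException {
        BigInteger modulus = new BigInteger(1, URL_DEC.decode(n));   // signum 1: bytes are unsigned
        BigInteger exponent = new BigInteger(1, URL_DEC.decode(e));
        return (RSAPublicKey) KeyFactory.getInstance("RSA")
                .generatePublic(new RSAPublicKeySpec(modulus, exponent));
    }

    // Check the RS256 signature of a compact JWS (header.payload.signature) against one key.
    static boolean verifyRs256(String jws, RSAPublicKey key) throws GeneralSecurityException {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) return false;                         // a signed token has three parts
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(key);
        verifier.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return verifier.verify(URL_DEC.decode(parts[2]));
    }

    static String b64url(String s) { return URL_ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a throwaway key pair stands in for the identity provider's signing key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        String n = URL_ENC.encodeToString(pub.getModulus().toByteArray());         // shaped like JWKS "n"
        String e = URL_ENC.encodeToString(pub.getPublicExponent().toByteArray());  // shaped like JWKS "e"
        // Mint a token the way the provider would: base64url header and payload, RS256 over both.
        String signingInput = b64url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." + b64url("{\"sub\":\"demo\"}");
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        String token = signingInput + "." + URL_ENC.encodeToString(signer.sign());
        RSAPublicKey fromDiscovery = fromJwk(n, e);
        System.out.println("untouched token verifies: " + verifyRs256(token, fromDiscovery));
        String tampered = b64url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." + b64url("{\"sub\":\"other\"}")
                + "." + token.substring(token.lastIndexOf('.') + 1);
        System.out.println("tampered payload verifies: " + verifyRs256(tampered, fromDiscovery));
    }
}
```

With several keys in the discovery document, run fromJwk and verifyRs256 for each entry (or pick the one whose kid matches the token header) and treat a token that verifies with none of them as not signed by those keys.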