C
C#15mo ago
Florian Voß

❔ ✅ JWT signatures not working

string jwtMessage = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0";
string publicKey = @"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh
kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ
0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg
cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc
mwIDAQAB
-----END PUBLIC KEY-----";
string privateKey = @"PLACEHOLDER, private key same pem format"; 
string jwtSignature;
using (var rsa = RSA.Create())
{
    rsa.ImportFromPem(privateKey);
    jwtSignature = Base64UrlEncoder.Encode(rsa.SignData(Encoding.UTF8.GetBytes(jwtMessage), HashAlgorithmName.SHA256, RSASignaturePadding.Pss));
}
using (var rsa = RSA.Create())
{    
    rsa.ImportFromPem(publicKey);
    var signatureBytes = Encoding.UTF8.GetBytes(Base64UrlEncoder.Decode(jwtSignature));
    var data = Encoding.UTF8.GetBytes(jwtMessage);

    // Verify the created signature using jwtMessage fails, output is false
    Console.WriteLine(rsa.VerifyData(data, signatureBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pss));
}
string jwtMessage = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0";
string publicKey = @"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh
kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ
0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg
cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc
mwIDAQAB
-----END PUBLIC KEY-----";
string privateKey = @"PLACEHOLDER, private key same pem format"; 
string jwtSignature;
using (var rsa = RSA.Create())
{
    rsa.ImportFromPem(privateKey);
    jwtSignature = Base64UrlEncoder.Encode(rsa.SignData(Encoding.UTF8.GetBytes(jwtMessage), HashAlgorithmName.SHA256, RSASignaturePadding.Pss));
}
using (var rsa = RSA.Create())
{    
    rsa.ImportFromPem(publicKey);
    var signatureBytes = Encoding.UTF8.GetBytes(Base64UrlEncoder.Decode(jwtSignature));
    var data = Encoding.UTF8.GetBytes(jwtMessage);

    // Verify the created signature using jwtMessage fails, output is false
    Console.WriteLine(rsa.VerifyData(data, signatureBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pss));
}
I took the public and private key as well as the jwtMessage from sample data on jwt.io. I created my own siganture for the token using the private key from their, and tried to verify the signature using the matching public key I took from there. What am I doing wrong?
4 Replies
Florian Voß
Florian VoßOP15mo ago
I also tried RSASignaturePadding.Pkcs1, output stays false
Florian Voß
Florian VoßOP15mo ago
No description
Florian Voß
Florian VoßOP15mo ago
jwtMessage is equal to base64UrlEncode(header) + "." + base64UrlEncode(payload) 
using (var rsa = RSA.Create())
{
    rsa.ImportFromPem(publicKey);
    Console.WriteLine(rsa.VerifyData(Encoding.UTF8.GetBytes(jwtMessage), Base64UrlEncoder.DecodeBytes(jwtSignature), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
}
using (var rsa = RSA.Create())
{
    rsa.ImportFromPem(publicKey);
    Console.WriteLine(rsa.VerifyData(Encoding.UTF8.GetBytes(jwtMessage), Base64UrlEncoder.DecodeBytes(jwtSignature), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
}
This code works, I had to take decoded signature but encoded message together with Pkcs1 padding
Accord
Accord15mo ago
Looks like nothing has happened here. I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server