C
C#9mo ago
Florian Voß

❔ ✅ JWT signatures not working

string jwtMessage = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0";
string publicKey = @"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh
kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ
0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg
cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc
mwIDAQAB
-----END PUBLIC KEY-----";
string privateKey = @"PLACEHOLDER, private key same pem format"; 
string jwtSignature;
using (var rsa = RSA.Create())
{
    rsa.ImportFromPem(privateKey);
    jwtSignature = Base64UrlEncoder.Encode(rsa.SignData(Encoding.UTF8.GetBytes(jwtMessage), HashAlgorithmName.SHA256, RSASignaturePadding.Pss));
}
using (var rsa = RSA.Create())
{    
    rsa.ImportFromPem(publicKey);
    var signatureBytes = Encoding.UTF8.GetBytes(Base64UrlEncoder.Decode(jwtSignature));
    var data = Encoding.UTF8.GetBytes(jwtMessage);

    // Verify the created signature using jwtMessage fails, output is false
    Console.WriteLine(rsa.VerifyData(data, signatureBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pss));
}
string jwtMessage = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0";
string publicKey = @"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
+qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh
kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ
0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg
cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc
mwIDAQAB
-----END PUBLIC KEY-----";
string privateKey = @"PLACEHOLDER, private key same pem format"; 
string jwtSignature;
using (var rsa = RSA.Create())
{
    rsa.ImportFromPem(privateKey);
    jwtSignature = Base64UrlEncoder.Encode(rsa.SignData(Encoding.UTF8.GetBytes(jwtMessage), HashAlgorithmName.SHA256, RSASignaturePadding.Pss));
}
using (var rsa = RSA.Create())
{    
    rsa.ImportFromPem(publicKey);
    var signatureBytes = Encoding.UTF8.GetBytes(Base64UrlEncoder.Decode(jwtSignature));
    var data = Encoding.UTF8.GetBytes(jwtMessage);

    // Verify the created signature using jwtMessage fails, output is false
    Console.WriteLine(rsa.VerifyData(data, signatureBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pss));
}
I took the public and private key as well as the jwtMessage from sample data on jwt.io. I created my own siganture for the token using the private key from their, and tried to verify the signature using the matching public key I took from there. What am I doing wrong?
4 Replies
Florian Voß
Florian Voß9mo ago
I also tried RSASignaturePadding.Pkcs1, output stays false
Florian Voß
Florian Voß9mo ago
No description
Florian Voß
Florian Voß9mo ago
jwtMessage is equal to base64UrlEncode(header) + "." + base64UrlEncode(payload) 
using (var rsa = RSA.Create())
{
    rsa.ImportFromPem(publicKey);
    Console.WriteLine(rsa.VerifyData(Encoding.UTF8.GetBytes(jwtMessage), Base64UrlEncoder.DecodeBytes(jwtSignature), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
}
using (var rsa = RSA.Create())
{
    rsa.ImportFromPem(publicKey);
    Console.WriteLine(rsa.VerifyData(Encoding.UTF8.GetBytes(jwtMessage), Base64UrlEncoder.DecodeBytes(jwtSignature), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
}
This code works, I had to take decoded signature but encoded message together with Pkcs1 padding
Accord
Accord9mo ago
Looks like nothing has happened here. I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server
More Posts
❔ I don´t understand this line of code at all (random char letter)Hi, I am finding it really hard to understand how its possible to randomize a letter like this: Ran❔ How do i get the api with geojson?Need to get api with json❔ I'm very new, still learning, I don't know understand what's wrong with thisThis is what I'm trying to do: "This is an example!" ==> "sihT si na !elpmaxe"❔ aspButton need to click twice to trigger the actionmy aspButton, whenever I press the button, it doest postback, but the statement code in event doesnt❔ Setting up cookie auth with .NET 7 Api. HttpContext does not have a definition for SignInAsyncInstantiating a new object failed?Hi, I have a very simple class called InvItem that takes three parameters: `itemNo`, `description`, ❔ Entry API for dictionaries?Rust has this nifty API called `Entry` which allows one to write code such as: ```rust map.entry(c) ❔ LLVM problem with creating number```cs public (Context, LLVMValueRef) VisitNumber(Context ctx, NumberAST expr) { LLVMTypeRef type❔ ComboBox | When in ComboBox1 "A" selected then show in combobox2 "B"Hello everyone, im from Germany so sorry for my bad english. I need "Short"-Help, I´ve got 4 comboBo❔ Where to store files in N-Tier API ProjectGuys I am working on a demo n-tier architecture project I need to implement file uploads and for now