How to check JSON token using RSA public key?

This is a new question, to keep it specific and accurate.

I have Azure JWT and now I need to verify the signature in my application.

Microsoft's public keys can be found here:

https://login.windows.net/common/discovery/keys

How to use these keys to verify the signature? I can say that these are the public keys that I need, since the X5T header in the JWT matches those included in this public key list.

I use the PHP JWT library, but all I enter as the public key seems to fail.

supplied key param cannot be coerced into a public key 

So, using the link above, what goes from there into the PHP openssl_verify function as the third parameter (the $key in the example below)?

 $success = openssl_verify($msg, $signature, $key, 'SHA256');

Everything that I entered causes an error anyway.

Thanks,

+5
1 answer

The problem is resolved.

It turns out that part of the X5C JSON array is a certificate, not a public key, so JSON decoding https://login.windows.net/common/discovery/keys and grabbing the X5C element and using openssl to get the public key works:

 $cert_object = openssl_x509_read($cert);          // parse the X.509 certificate
 $pkey_object = openssl_pkey_get_public($cert_object); // extract its public key (note the missing $ in the original)
 $pkey_array  = openssl_pkey_get_details($pkey_object);
 $publicKey   = $pkey_array['key'];                 // PEM-encoded public key for openssl_verify()

In this example, $cert is the value of X5C. However, this alone is not enough, since it is not encoded as X.509. So what I did was create a new file in Windows called certificate.cer, open it in Notepad and put the X5C value there. Then, by double-clicking it in Windows, going to the Details tab and clicking "Copy to File", the Certificate Export Wizard opens.

Export in X509 format and upload to the server.

 $cert = file_get_contents('Certificates/Public/public.cer'); 

Works! There is probably an easier way, but it works.

+8
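The easier way the answer guesses at exists: the x5c entry in the key list is the DER certificate in plain base64, so wrapping it in BEGIN/END CERTIFICATE lines (64 characters per line) gives openssl_x509_read() the PEM it expects, with no export wizard. The script below is an added example, not code from the question or the answer. It generates a throwaway RSA key and self-signed certificate so it runs offline, builds a key set shaped like the Azure discovery document (kty, kid, x5t, x5c; the issuer name and claims are constructed), signs an RS256 token, and verifies it by matching the token's x5t/kid header to the key set, exactly the check the question describes.

```php
<?php
// Added example (not from the original question or answer): verify an RS256 JWT
// against the "x5c" certificate of a JWKS entry, as published at
// https://login.windows.net/common/discovery/keys. The key, certificate and
// token below are constructed locally so the script runs offline.

// Convert the base64 DER string in x5c[0] to PEM so openssl_x509_read() accepts it.
function x5cToPem(string $x5c): string
{
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split($x5c, 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data): string
{
    $pad = str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($data, '-_', '+/') . $pad);
}

// Select the key whose x5t (or kid) matches the token header, pull the public
// key out of its certificate and verify "header.payload" against the signature.
function verifyJwtWithJwks(string $jwt, array $jwks): bool
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return false;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64UrlDecode($h), true);
    // Pin the algorithm: the token must not be allowed to pick "none" or an HMAC alg.
    if (!is_array($header) || ($header['alg'] ?? '') !== 'RS256') {
        return false;
    }
    foreach ($jwks['keys'] as $key) {
        $matches = (isset($header['x5t']) && $header['x5t'] === ($key['x5t'] ?? null))
                || (isset($header['kid']) && $header['kid'] === ($key['kid'] ?? null));
        if (!$matches || empty($key['x5c'][0])) {
            continue;
        }
        $cert = openssl_x509_read(x5cToPem($key['x5c'][0]));
        $pub  = $cert !== false ? openssl_pkey_get_public($cert) : false;
        if ($pub === false) {
            continue;
        }
        // openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error): compare strictly to 1.
        return openssl_verify("$h.$p", base64UrlDecode($s), $pub, OPENSSL_ALGO_SHA256) === 1;
    }
    return false;
}

// ---- constructed fixture: throwaway key pair, self-signed certificate, JWKS and token ----
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['commonName' => 'example-issuer.invalid'], $priv);
$cert = openssl_csr_sign($csr, null, $priv, 365);
openssl_x509_export($cert, $pem);

// x5c is the DER certificate in plain base64; x5t is the base64url SHA-1
// thumbprint of that DER, which is the value the JWT header carries.
$der  = base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', $pem));
$x5c  = base64_encode($der);
$x5t  = base64UrlEncode(sha1($der, true));
$jwks = ['keys' => [['kty' => 'RSA', 'use' => 'sig', 'kid' => $x5t, 'x5t' => $x5t, 'x5c' => [$x5c]]]];

$header  = base64UrlEncode(json_encode(['typ' => 'JWT', 'alg' => 'RS256', 'x5t' => $x5t, 'kid' => $x5t]));
$payload = base64UrlEncode(json_encode(['iss' => 'example-issuer.invalid', 'sub' => 'user1', 'exp' => time() + 300]));
openssl_sign("$header.$payload", $sig, $priv, OPENSSL_ALGO_SHA256);
$jwt = "$header.$payload." . base64UrlEncode($sig);

// Genuine token: the signature must check out against the matching x5c certificate.
var_dump(verifyJwtWithJwks($jwt, $jwks));

// Tampered token: same signature, but the payload now claims a different subject.
$forgedPayload = base64UrlEncode(json_encode(['iss' => 'example-issuer.invalid', 'sub' => 'admin', 'exp' => time() + 300]));
var_dump(verifyJwtWithJwks("$header.$forgedPayload." . base64UrlEncode($sig), $jwks));
```

A valid signature only proves the token came from the key holder; the application still has to check iss, aud and exp itself, and should cache the downloaded key list and refetch it when a token arrives with an unknown kid, since the published keys rotate.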
