2

I'm trying to get my head around JWT tokens in Golang. I'm using github.com/dgrijalva/jwt-go.

What caught me off guard is the fact that I can enter multiple valid signatures.

For example, head over to http://jwt.io - enter MySuperSecretKey for the secret

This token is valid:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU

as well as this one:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV

In fact, if I change the last letter to V, W or X, I get a "Signature Verified" message.

Can anyone tell me what's going on here?

Grokify
zeroc8
  • I think that is a security-related question, hence you can find a better answer in the [Security stackexchange section](http://security.stackexchange.com/) – user2340612 Mar 14 '16 at 08:01

1 Answer

5

It's the Base64 encoding of the signature which can have the last letter changed to certain targets without affecting the relevant bits.

Try popping both signatures into a base64->hex decoder and you'll get the same results. In fact at https://conv.darkbyte.ru/ both signatures get re-evaluated to base64 SxshVL42DUH9e7jXUblbBbTwKxhe4jo70DrvbQMlaQ==

davidkomer
  • Thanks, that was it, very useful website btw.! – zeroc8 Mar 14 '16 at 11:26
  • Be careful where you paste your secrets. All conversion is done on the server side (https://conv.darkbyte.ru/). Check network log in Developer Tools... – David Jun 29 '22 at 11:54
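Added example, written for this page and not taken from the question, the answer or jwt-go, that reproduces the behaviour in Go with only the standard library. A 32-byte HMAC-SHA256 becomes 43 base64url characters (258 bits), so the final character carries only 4 data bits; a lenient decoder ignores its two unused low bits, which is why U, V, W and X all decode to the same byte and all four tokens verify. The key and the header/payload segments are the ones from the question; the function names (`signHS256`, `verifyHS256`, `nonCanonicalVariants`) are mine. The program prints the signature it computes so you can compare it with the one in the question. Note that the MAC bytes are identical in every case: this is encoding slack, not a forgery, but it does matter wherever the raw token string is treated as an identity (cache keys, revocation lists, log deduplication). Comparing decoded bytes, or decoding with `Strict()`, which rejects non-zero trailing bits per RFC 4648 section 3.5, removes the ambiguity.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// base64url alphabet (RFC 4648 section 5), used to derive the
// non-canonical spellings of a signature's final character.
const b64url = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

// signHS256 computes HMAC-SHA256 over "header.payload" and returns the
// unpadded base64url encoding, which is what the third JWT segment holds.
func signHS256(signingInput string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyHS256 recomputes the MAC and compares it with the decoded third
// segment in constant time. With strict=true the decoder rejects input whose
// unused trailing bits are non-zero, so only the canonical encoding of the
// MAC is accepted; with strict=false it behaves like the lenient decoders
// that made all four tokens in the question verify.
func verifyHS256(token string, key []byte, strict bool) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token: expected 3 segments")
	}
	enc := base64.RawURLEncoding
	if strict {
		enc = enc.Strict()
	}
	got, err := enc.DecodeString(parts[2])
	if err != nil {
		return fmt.Errorf("signature segment: %w", err)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(got, mac.Sum(nil)) {
		return errors.New("signature mismatch")
	}
	return nil
}

// nonCanonicalVariants returns the three spellings of sig that differ only in
// the two unused low bits of the final character. sig is assumed to be the
// canonical 43-character encoding of a 32-byte MAC, so those bits are 0 and
// setting them yields three other strings that a lenient decoder maps to the
// same bytes.
func nonCanonicalVariants(sig string) []string {
	if sig == "" {
		return nil
	}
	idx := strings.IndexByte(b64url, sig[len(sig)-1])
	if idx < 0 {
		return nil
	}
	var out []string
	for bits := 1; bits <= 3; bits++ {
		out = append(out, sig[:len(sig)-1]+string(b64url[idx|bits]))
	}
	return out
}

func main() {
	// Secret and header/payload segments are the ones given in the question.
	key := []byte("MySuperSecretKey")
	signingInput := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
		"eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9"

	canonical := signHS256(signingInput, key)
	fmt.Println("canonical signature:", canonical)
	for _, sig := range append([]string{canonical}, nonCanonicalVariants(canonical)...) {
		token := signingInput + "." + sig
		fmt.Printf("last char %q: lenient verify ok=%v, strict verify ok=%v\n",
			sig[len(sig)-1:],
			verifyHS256(token, key, false) == nil,
			verifyHS256(token, key, true) == nil)
	}
}
```

Run it with `go run`: the canonical spelling verifies under both decoders, the three variants verify only under the lenient one, and any change to the header or payload fails either way because the MAC itself no longer matches.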