
I need to work on a validation token for an API in my project. The API part is done and it works, but the token verification doesn't.

I followed the approach suggested on this website: https://www.baeldung.com/java-jwt-token-decode.

Here is the code I'm using:

        // strip the "Bearer " prefix from my token; Authorization = the token
        String withoutBearer = Authorization.substring(7);

        // split the token into header, payload and signature
        String[] chunks = withoutBearer.split("\\.");

        // decode each part of the split token
        Base64.Decoder decoder = Base64.getUrlDecoder();
        String header = new String(decoder.decode(chunks[0]));
        String payload = new String(decoder.decode(chunks[1]));

        // using the RS256 algorithm
        SignatureAlgorithm sa = SignatureAlgorithm.RS256;

        // secretKey = the public key I use to verify the signature
        SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getBytes(), sa.getJcaName());

        String tokenWithoutSignature = chunks[0] + "." + chunks[1];
        String signature = chunks[2];

        if (validator.isValid(tokenWithoutSignature, signature)) {
            // my API code, not relevant here
        }

Using this code, I got an error asking me to use an RSAPublic (or Secret) key instead of SecretKeySpec.

But when I try to use RSAPublicKey with the correct key, I get several types of errors, like:

  • java.security.spec.InvalidKeySpecException: Only RSAPublicKeySpec and X509EncodedKeySpec supported for RSA public keys
  • java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key format

Do you have any solution for me, please?

Or, my second solution is:

        /* solution 2 */
        // "my key" is not the key I used; I got the real one from the Azure link and, when I tried it on jwt.io, it validated
        String signatureKey = "my key";
        X509EncodedKeySpec spec = new X509EncodedKeySpec(signatureKey.getBytes());
        KeyFactory kf = KeyFactory.getInstance("RSA");
        RSAPublicKey pubkey = (RSAPublicKey) kf.generatePublic(spec);

        DefaultJwtSignatureValidator validator = new DefaultJwtSignatureValidator(sa, pubkey);

Taylor
  • It depends on what signing algorithm was used (the `alg` value in the header) and what key you have (which of course should match with the alg). Please update the question with that information. And generally there is no need to do all the stuff (splitting and decoding the token, etc.) manually. Use a proper [JWT lib](https://jwt.io/libraries) instead. – jps Apr 26 '22 at 09:35
  • I'm sorry if I wasn't clear enough. On jwt.io I can see that my alg value is: "alg": "RS256", that's why I used RS256 for my Signature Algorithm. Thank you, I will look into that part. – Taylor Apr 26 '22 at 09:47
  • Sorry, missed the `//using RS256 Algorithm` part in the middle of your code. Still the question is if you have a proper RSA public key. According to the error it's either not an RSA key at all or at least not in the right format. – jps Apr 26 '22 at 10:02
  • I tried this: String signatureKey = "my key" X509EncodedKeySpec spec = new X509EncodedKeySpec(signatureKey.getBytes()); KeyFactory kf = KeyFactory.getInstance("RSA"); RSAPublicKey pubkey = (RSAPublicKey) kf.generatePublic(spec); DefaultJwtSignatureValidator validator = new DefaultJwtSignatureValidator(sa, secretKeySpec2); and I got: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: invalid key format. I don't know where I went wrong. What kind of format does the key expect? – Taylor Apr 26 '22 at 10:51
  • Please edit your question to add the code. Code in comments is hard to read. Still not sure about the key, "my key" is certainly a placeholder for the real key that you don't show here. [This](https://stackoverflow.com/questions/24223275/when-to-use-x509encodedkeyspec-vs-rsapublickeyspec) might help you to see how to load your key. – jps Apr 26 '22 at 11:22
  • I'm sorry, I've edited it now. It should be easier to read. Also, I'm going to look at the link you shared. Thank you. – Taylor Apr 26 '22 at 12:03
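As an added example (not the asker's code, not the Baeldung snippet, and not a library's API), this is how the RS256 verification in the question can be done with the JDK alone. It assumes the public key is available as an X.509 SubjectPublicKeyInfo PEM ("BEGIN PUBLIC KEY"), which is the format X509EncodedKeySpec expects once the Base64 body is decoded; the key pair and token are constructed in main so the program runs offline.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class Rs256Verify {
    // X509EncodedKeySpec wants DER (SubjectPublicKeyInfo) bytes: strip the PEM armour and
    // Base64-decode the body. pem.getBytes() hands it ASCII text, not DER, hence "invalid key format".
    static RSAPublicKey loadPublicKey(String pem) throws GeneralSecurityException {
        String b64 = pem.replace("-----BEGIN PUBLIC KEY-----", "")
                        .replace("-----END PUBLIC KEY-----", "")
                        .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }
    // RS256 is SHA256withRSA over the ASCII bytes of "header.payload" exactly as received (no re-encoding).
    static boolean verifyRs256(String jwt, RSAPublicKey pub) throws GeneralSecurityException {
        String[] chunks = jwt.split("\\.");
        if (chunks.length != 3) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(pub);
        sig.update((chunks[0] + "." + chunks[1]).getBytes(StandardCharsets.US_ASCII));
        return sig.verify(Base64.getUrlDecoder().decode(chunks[2]));
    }
    public static void main(String[] args) throws Exception {
        // Constructed fixture: a throwaway key pair and a token signed with it (not a real Azure token).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Base64.Encoder url = Base64.getUrlEncoder().withoutPadding();
        String signingInput = url.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
                + "." + url.encodeToString("{\"sub\":\"test-user\"}".getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        String jwt = signingInput + "." + url.encodeToString(signer.sign());
        String pem = "-----BEGIN PUBLIC KEY-----\n"   // the key as it typically arrives from a PEM source
                + Base64.getMimeEncoder().encodeToString(kp.getPublic().getEncoded()) + "\n-----END PUBLIC KEY-----\n";
        RSAPublicKey pub = loadPublicKey(pem);
        System.out.println("genuine token verifies:  " + verifyRs256(jwt, pub));      // true
        String[] c = jwt.split("\\.");   // same header and signature, but a payload the issuer never signed
        String tampered = c[0] + "." + url.encodeToString("{\"sub\":\"other\"}".getBytes(StandardCharsets.UTF_8)) + "." + c[2];
        System.out.println("tampered token verifies: " + verifyRs256(tampered, pub));  // false
        try {   // the question's mistake: raw PEM text instead of DER
            KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(pem.getBytes(StandardCharsets.US_ASCII)));
        } catch (InvalidKeySpecException e) { System.out.println("raw PEM bytes rejected: " + e.getMessage()); }
    }
}
```

A SecretKeySpec is an HMAC key, so it can only back HS256, never RS256, which is why the first snippet was refused. Checking the signature is only part of validating a token; the exp, iss and aud claims still have to be checked, which is one reason to use a maintained JWT library as suggested in the comments.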

0 Answers