我使用以下命令生成了jwt密钥(RSA密钥:私有和公共)
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout -out public.key
[之后,我创建了一个名为private2.key
的文件,我给它提供了相同的private.key
内容(唯一的区别是我删除了除第一个和最后一个之外的所有换行符]
而且,我创建了一个名为public2.key
的文件,我给它提供了相同的public.key
内容(唯一的区别是我删除了除第一个和最后一个之外的所有换行符]
private.key:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAy6fZ1JmG4BX02R2Odj/zso7hJwq7qsTZs6SVcNdiHeDxCRT5
UQvTO/qxSIips89iyDTahPjFaquTvmF+oTTOXqA80SYtE8JK2r2/QJ9te5je/7jB
8yxrRsp5heZ4uQv9yThygvOTItuHDN+w4Le2QReegunRDnbfTrsogwUmVAyam4qF
iBDx3zEoTp98H4lRYB4Mpekt0Z2fh8q4g1vBaJLSc+Vc8MXLXsuQTNZ0x61fV7p9
3ewJAHlSxNYRdEFuhNMjU7hp2DR6zQqqyEWslFyq0JW6pd7hHjuCSoBcW5e4lrEg
ZgLspbWbl0rlIOQFizy+IJumXKDmM90WHp2v9wIDAQABAoIBAQDDiSmw4qeJSAuK
2sIJ72VAr8amAbwmPlL4FLIXYfUm0u8a1TR8CGqMUCsfhXfK2PfzWivlOCX0QUDd
riYzCcyLNjauaYUmT4onc7/JgElSPnj99prhrGhj08vSMHMA2O6W4Mexy8Qd18FX
Lv9ZA4rN/KuI7o524NOPeEtxYORoFOslq02PBBuPxTToRs2f++px1HOkLQBt+Mkn
Lqh/gK+0w4CD3JDc/yM2jH4z8jZw8E33vmMGdj59mjhsVlgvOine0mvZnJRU9BWS
sgdtHwnbBIuQBkiXaMWgY83rrP/hSCCcCcKUNyUgxtlWwMcSZrM/gkt2tts7EkRD
e8evVvMhAoGBAO0leVSvjQ8NVqNQajV+o6Z58j2WVTOFG4qZWhuQA4O0oNT4Gcf4
w+DYLQKntmwQ9ShWciw/f0nJCTknCSo0TVmIl5yhJVtudWlIosMw6YerpK7VW+6x
J53ZkHn+6EGgBEYuJjHXFw+vY3VnOmsqO3yCON2oUtw2RA1/tLkiJqZzAoGBANvY
wa5e8dHpdqVKQX1YZFkA1O8y20lDNgGZNz/8qiY21kmMiVAXsTK9wWiF7Uys/jp0
btwWY3u/MHpzP/zz0OTcOJ5b9u+NVcSYzF6FrUGGpOrb9Oh124x2UCKL9exsz8xJ
av4PGfof8uhPGxRSav+DqbmrY+jqVuz1Dn3YnqttAoGAJPPF6DBCpqnJakFJi3Rk
Q7iUyov2UsTW+c3TgJ/8LDWlKgpO2h4lR4/n05YWkthBmzt9Ju/uAa1VxpYSk4T6
2Iy0My/ZBlo76V/sHMYuXXmde7C7VoI8ThhsrtXNkwxAHj9qrDF74nHN6algLPqz
sj8IZWGpJ689A21217I+m4kCgYA21VdpgHDcJFjdXSn8c4GD2XtCtfKP0V21BFwN
b52YrnDAI3dULLSbrUyCH3VSfItkVQoZhtQFV2hmAjzhgIaHro3IobNziFLuGBZR
NRJDl6umkHoDSPIblJ7kHviVoYYqs90lxOp7wmA5pRFh/jSFyncYwjDHNTu9Glok
9VSN+QKBgDdjjMY41JU21fv2FWvKCwHXJwRSFVT8HNlMC0H9k6x2SZAmhNBtfIlU
xY5I5Cnsmkvw2zNxhS2conLAElKqoVSUprv6BvjW+p80dXisctfMTpv/2YM/o0Fs
Iu1ySS+kMK9OAb2kqz9uL38srfN5zdp3FNLrMaE4uRBei8y51D1/
-----END RSA PRIVATE KEY-----
private2.key:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAy6fZ1JmG4BX02R2Odj/zso7hJwq7qsTZs6SVcNdiHeDxCRT5UQvTO/qxSIips89iyDTahPjFaquTvmF+oTTOXqA80SYtE8JK2r2/QJ9te5je/7jB8yxrRsp5heZ4uQv9yThygvOTItuHDN+w4Le2QReegunRDnbfTrsogwUmVAyam4qFiBDx3zEoTp98H4lRYB4Mpekt0Z2fh8q4g1vBaJLSc+Vc8MXLXsuQTNZ0x61fV7p93ewJAHlSxNYRdEFuhNMjU7hp2DR6zQqqyEWslFyq0JW6pd7hHjuCSoBcW5e4lrEgZgLspbWbl0rlIOQFizy+IJumXKDmM90WHp2v9wIDAQABAoIBAQDDiSmw4qeJSAuK2sIJ72VAr8amAbwmPlL4FLIXYfUm0u8a1TR8CGqMUCsfhXfK2PfzWivlOCX0QUDdriYzCcyLNjauaYUmT4onc7/JgElSPnj99prhrGhj08vSMHMA2O6W4Mexy8Qd18FXLv9ZA4rN/KuI7o524NOPeEtxYORoFOslq02PBBuPxTToRs2f++px1HOkLQBt+MknLqh/gK+0w4CD3JDc/yM2jH4z8jZw8E33vmMGdj59mjhsVlgvOine0mvZnJRU9BWSsgdtHwnbBIuQBkiXaMWgY83rrP/hSCCcCcKUNyUgxtlWwMcSZrM/gkt2tts7EkRDe8evVvMhAoGBAO0leVSvjQ8NVqNQajV+o6Z58j2WVTOFG4qZWhuQA4O0oNT4Gcf4w+DYLQKntmwQ9ShWciw/f0nJCTknCSo0TVmIl5yhJVtudWlIosMw6YerpK7VW+6xJ53ZkHn+6EGgBEYuJjHXFw+vY3VnOmsqO3yCON2oUtw2RA1/tLkiJqZzAoGBANvYwa5e8dHpdqVKQX1YZFkA1O8y20lDNgGZNz/8qiY21kmMiVAXsTK9wWiF7Uys/jp0btwWY3u/MHpzP/zz0OTcOJ5b9u+NVcSYzF6FrUGGpOrb9Oh124x2UCKL9exsz8xJav4PGfof8uhPGxRSav+DqbmrY+jqVuz1Dn3YnqttAoGAJPPF6DBCpqnJakFJi3RkQ7iUyov2UsTW+c3TgJ/8LDWlKgpO2h4lR4/n05YWkthBmzt9Ju/uAa1VxpYSk4T62Iy0My/ZBlo76V/sHMYuXXmde7C7VoI8ThhsrtXNkwxAHj9qrDF74nHN6algLPqzsj8IZWGpJ689A21217I+m4kCgYA21VdpgHDcJFjdXSn8c4GD2XtCtfKP0V21BFwNb52YrnDAI3dULLSbrUyCH3VSfItkVQoZhtQFV2hmAjzhgIaHro3IobNziFLuGBZRNRJDl6umkHoDSPIblJ7kHviVoYYqs90lxOp7wmA5pRFh/jSFyncYwjDHNTu9Glok9VSN+QKBgDdjjMY41JU21fv2FWvKCwHXJwRSFVT8HNlMC0H9k6x2SZAmhNBtfIlUxY5I5Cnsmkvw2zNxhS2conLAElKqoVSUprv6BvjW+p80dXisctfMTpv/2YM/o0FsIu1ySS+kMK9OAb2kqz9uL38srfN5zdp3FNLrMaE4uRBei8y51D1/
-----END RSA PRIVATE KEY-----
public.key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy6fZ1JmG4BX02R2Odj/z
so7hJwq7qsTZs6SVcNdiHeDxCRT5UQvTO/qxSIips89iyDTahPjFaquTvmF+oTTO
XqA80SYtE8JK2r2/QJ9te5je/7jB8yxrRsp5heZ4uQv9yThygvOTItuHDN+w4Le2
QReegunRDnbfTrsogwUmVAyam4qFiBDx3zEoTp98H4lRYB4Mpekt0Z2fh8q4g1vB
aJLSc+Vc8MXLXsuQTNZ0x61fV7p93ewJAHlSxNYRdEFuhNMjU7hp2DR6zQqqyEWs
lFyq0JW6pd7hHjuCSoBcW5e4lrEgZgLspbWbl0rlIOQFizy+IJumXKDmM90WHp2v
9wIDAQAB
-----END PUBLIC KEY-----
public2.key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy6fZ1JmG4BX02R2Odj/zso7hJwq7qsTZs6SVcNdiHeDxCRT5UQvTO/qxSIips89iyDTahPjFaquTvmF+oTTOXqA80SYtE8JK2r2/QJ9te5je/7jB8yxrRsp5heZ4uQv9yThygvOTItuHDN+w4Le2QReegunRDnbfTrsogwUmVAyam4qFiBDx3zEoTp98H4lRYB4Mpekt0Z2fh8q4g1vBaJLSc+Vc8MXLXsuQTNZ0x61fV7p93ewJAHlSxNYRdEFuhNMjU7hp2DR6zQqqyEWslFyq0JW6pd7hHjuCSoBcW5e4lrEgZgLspbWbl0rlIOQFizy+IJumXKDmM90WHp2v9wIDAQAB
-----END PUBLIC KEY-----
[当我使用private.key
或private2.key
生成jwt并使用public.key
或public2.key
进行验证时,我获得了成功的结果
const fs = require('fs');
const jwt = require('jsonwebtoken');
const privateKey = fs.readFileSync('./private.key');
const publicKey = fs.readFileSync('./public.key');
const privateKey2 = fs.readFileSync('./private2.key');
const publicKey2 = fs.readFileSync('./public2.key');
const token = jwt.sign({foo: 'bar'}, privateKey, {algorithm: 'RS256'});
console.log(jwt.verify(token, publicKey)); // RESULT IS: { foo: 'bar', iat: 1580192807 }
console.log(jwt.verify(token, publicKey2)); // RESULT IS: { foo: 'bar', iat: 1580192807 }
const token2 = jwt.sign({foo: 'bar'}, privateKey2, {algorithm: 'RS256'});
console.log(jwt.verify(token2, publicKey)); // RESULT IS: { foo: 'bar', iat: 1580192807 }
console.log(jwt.verify(token2, publicKey2)); // RESULT IS: { foo: 'bar', iat: 1580192807 }
我的问题是:从科学上讲是“从jwt密钥中删除除第一行和最后一个行以外的所有换行符(RSA密钥:私有和公共)”不会影响jwt,这样安全吗(请提供引用来证明您的答案)
所以我可以做到(舒适的感觉)
。env
JWT_PRIVATE_KEY=MIIEowIBAAKCAQEAy6fZ1JmG4BX02R2Odj/zso7hJwq7qsTZs6SVcNdiHeDxCRT5UQvTO/qxSIips89iyDTahPjFaquTvmF+oTTOXqA80SYtE8JK2r2/QJ9te5je/7jB8yxrRsp5heZ4uQv9yThygvOTItuHDN+w4Le2QReegunRDnbfTrsogwUmVAyam4qFiBDx3zEoTp98H4lRYB4Mpekt0Z2fh8q4g1vBaJLSc+Vc8MXLXsuQTNZ0x61fV7p93ewJAHlSxNYRdEFuhNMjU7hp2DR6zQqqyEWslFyq0JW6pd7hHjuCSoBcW5e4lrEgZgLspbWbl0rlIOQFizy+IJumXKDmM90WHp2v9wIDAQABAoIBAQDDiSmw4qeJSAuK2sIJ72VAr8amAbwmPlL4FLIXYfUm0u8a1TR8CGqMUCsfhXfK2PfzWivlOCX0QUDdriYzCcyLNjauaYUmT4onc7/JgElSPnj99prhrGhj08vSMHMA2O6W4Mexy8Qd18FXLv9ZA4rN/KuI7o524NOPeEtxYORoFOslq02PBBuPxTToRs2f++px1HOkLQBt+MknLqh/gK+0w4CD3JDc/yM2jH4z8jZw8E33vmMGdj59mjhsVlgvOine0mvZnJRU9BWSsgdtHwnbBIuQBkiXaMWgY83rrP/hSCCcCcKUNyUgxtlWwMcSZrM/gkt2tts7EkRDe8evVvMhAoGBAO0leVSvjQ8NVqNQajV+o6Z58j2WVTOFG4qZWhuQA4O0oNT4Gcf4w+DYLQKntmwQ9ShWciw/f0nJCTknCSo0TVmIl5yhJVtudWlIosMw6YerpK7VW+6xJ53ZkHn+6EGgBEYuJjHXFw+vY3VnOmsqO3yCON2oUtw2RA1/tLkiJqZzAoGBANvYwa5e8dHpdqVKQX1YZFkA1O8y20lDNgGZNz/8qiY21kmMiVAXsTK9wWiF7Uys/jp0btwWY3u/MHpzP/zz0OTcOJ5b9u+NVcSYzF6FrUGGpOrb9Oh124x2UCKL9exsz8xJav4PGfof8uhPGxRSav+DqbmrY+jqVuz1Dn3YnqttAoGAJPPF6DBCpqnJakFJi3RkQ7iUyov2UsTW+c3TgJ/8LDWlKgpO2h4lR4/n05YWkthBmzt9Ju/uAa1VxpYSk4T62Iy0My/ZBlo76V/sHMYuXXmde7C7VoI8ThhsrtXNkwxAHj9qrDF74nHN6algLPqzsj8IZWGpJ689A21217I+m4kCgYA21VdpgHDcJFjdXSn8c4GD2XtCtfKP0V21BFwNb52YrnDAI3dULLSbrUyCH3VSfItkVQoZhtQFV2hmAjzhgIaHro3IobNziFLuGBZRNRJDl6umkHoDSPIblJ7kHviVoYYqs90lxOp7wmA5pRFh/jSFyncYwjDHNTu9Glok9VSN+QKBgDdjjMY41JU21fv2FWvKCwHXJwRSFVT8HNlMC0H9k6x2SZAmhNBtfIlUxY5I5Cnsmkvw2zNxhS2conLAElKqoVSUprv6BvjW+p80dXisctfMTpv/2YM/o0FsIu1ySS+kMK9OAb2kqz9uL38srfN5zdp3FNLrMaE4uRBei8y51D1/
JWT_PUBLIC_KEY=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy6fZ1JmG4BX02R2Odj/zso7hJwq7qsTZs6SVcNdiHeDxCRT5UQvTO/qxSIips89iyDTahPjFaquTvmF+oTTOXqA80SYtE8JK2r2/QJ9te5je/7jB8yxrRsp5heZ4uQv9yThygvOTItuHDN+w4Le2QReegunRDnbfTrsogwUmVAyam4qFiBDx3zEoTp98H4lRYB4Mpekt0Z2fh8q4g1vBaJLSc+Vc8MXLXsuQTNZ0x61fV7p93ewJAHlSxNYRdEFuhNMjU7hp2DR6zQqqyEWslFyq0JW6pd7hHjuCSoBcW5e4lrEgZgLspbWbl0rlIOQFizy+IJumXKDmM90WHp2v9wIDAQAB
index.js
require('dotenv').config();
const jwt = require('jsonwebtoken');
const privateKey = `-----BEGIN RSA PRIVATE KEY-----\n${process.env.JWT_PRIVATE_KEY}\n-----END RSA PRIVATE KEY-----`;
const publicKey = `-----BEGIN PUBLIC KEY-----\n${process.env.JWT_PUBLIC_KEY}\n-----END PUBLIC KEY-----`;
const token = jwt.sign({foo: 'bar'}, privateKey, {algorithm: 'RS256'});
console.log(jwt.verify(token, publicKey)); // RESULT IS: { foo: 'bar', iat: 1580192822 }
理论上,答案是否-您不能总是删除换行符。这仅仅是因为RFC 1421定义了必须包含换行符的情况:
由字符对
<CR><LF>
分隔的文本行的长度不能超过1000个字符。
以上声明在Section 4.3 of RFC 1421中,定义了PEM格式的文档。
但是,实际上答案通常是[[是]]:在解析PEM格式的对象时,许多常见的实现都相当宽松,并且允许文本长度过长。具体来说,OpenSSL和Golang PEM实现允许此操作(或至少长度超过1000个字符)。尝试在删除了换行符的证书上运行此命令-成功:
openssl x509 -text -noout -in certificate.crt
不用担心这个问题,而是将证书存储在应用程序外部。它们应该是配置值,并存储在应用程序的外部。更好的是,将此问题委托给专门用于解决此问题的技术-Azure具有Key Vault,AWS具有Certificate Manager和KMS。您应该做什么?