【发布时间】:2021-12-07 18:45:45
【问题描述】:
我正在尝试创建 JWT,然后使用 AWS KMS 节点 API 对其进行验证。 下面是我的代码,代表了我对 AWS 文档的理解。 但是调用 KMS verify 会抛出 KMSInvalidSignatureException
// Constructed placeholder values: replace with real settings before running.
Object.assign(process.env, {
  AWS_REGION: '...',
  AWS_ACCOUNT_ID: '...',
  AWS_PROFILE: '...',
  KEY_ID: '...id of RSA 2048 bytes key stored in AWS KMS...',
});

const aws = require('aws-sdk');
const base64url = require('base64url');

// The client picks up region/profile from process.env when constructed, so it
// is created only after the assignments above.
const kms = new aws.KMS();
/**
 * Builds an RS256 JWT whose signature is produced by AWS KMS.
 *
 * Header and payload are base64url-encoded JSON. The signing input is
 * `<header>.<payload>`; the raw signature bytes returned by KMS become the
 * third segment, base64url-encoded without padding.
 *
 * @returns {Promise<string>} the compact-serialised token
 */
async function createToken() {
  const encodeSegment = (obj) => base64url.encode(JSON.stringify(obj));
  // Raw signature bytes -> the unpadded base64url alphabet JWT requires.
  const toBase64Url = (buf) =>
    buf
      .toString('base64')
      .replace(/\+/g, '-')
      .replace(/\//g, '_')
      .replace(/=/g, '');

  const nowSeconds = Math.floor(Date.now() / 1000);
  const expiry = new Date();
  expiry.setDate(expiry.getDate() + 1);

  const header = encodeSegment({ alg: 'RS256', typ: 'JWT' });
  const payload = encodeSegment({
    iat: nowSeconds,
    exp: Math.floor(expiry.getTime() / 1000),
    code: '123',
  });
  const signingInput = Buffer.from(`${header}.${payload}`);

  // MessageType RAW: KMS hashes the input itself; the SigningAlgorithm fixes
  // SHA-256 with PKCS#1 v1.5, which is exactly what RS256 denotes.
  const { Signature } = await kms.sign({
    KeyId: process.env.KEY_ID,
    Message: signingInput,
    MessageType: 'RAW',
    SigningAlgorithm: 'RSASSA_PKCS1_V1_5_SHA_256',
  }).promise();

  return `${header}.${payload}.${toBase64Url(Signature)}`;
}
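/**
 * Verifies a JWT's signature with AWS KMS.
 *
 * The third token segment is base64url *text*, but `kms.verify` expects the
 * raw signature bytes that `kms.sign` returned. Passing the string directly
 * makes KMS compare the signature against the UTF-8 bytes of that text, which
 * is why the call fails with KMSInvalidSignatureException; the segment must be
 * decoded back to a Buffer first.
 *
 * KMS checks only the signature: the algorithm is pinned in this call (the
 * token's `alg` header is never consulted, so alg-confusion is not possible),
 * and claims such as `exp` are not validated here — callers still need to
 * check them.
 *
 * @param {string} token compact-serialised JWT (`header.payload.signature`)
 * @returns {Promise<object>} the KMS verify response
 * @throws {Error} if the token is not a three-segment string
 */
async function verifyToken(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) {
    throw new Error('Malformed JWT: expected header.payload.signature');
  }
  const [header, payload, signature] = parts;
  const message = Buffer.from(`${header}.${payload}`);
  return kms.verify({
    KeyId: process.env.KEY_ID,
    Message: message,
    MessageType: 'RAW',
    // base64url text -> raw signature bytes, the form sign() produced.
    Signature: base64url.toBuffer(signature),
    SigningAlgorithm: 'RSASSA_PKCS1_V1_5_SHA_256',
  }).promise();
}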
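/** Signs a token, verifies it, and prints the KMS verify response. */
async function main() {
  const token = await createToken();
  const verification = await verifyToken(token);
  console.log(verification);
}

// The original call left the promise floating, so a failing sign/verify
// surfaced only as an unhandled rejection; report it and fail the process.
main().catch((err) => {
  console.error(err);
  process.exitCode = 1;
});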
我做错了什么?
【问题讨论】:
标签: node.js jwt amazon-kms