Validating RS256 signature with PHP

915 Views Asked by php-ryan At 04 January 2022 at 22:59

I am having trouble verifying an RS256 signature in PHP from a JWT.

I have

$to_verify = substr(Cookie::get('CF_Authorization'), 0, strrpos(Cookie::get('CF_Authorization'), "."));

$signature = base64_decode(explode('.', Cookie::get('CF_Authorization'))[2]);

return openssl_verify($to_verify, $signature, $cert, 'RSA-SHA256'));

Part of my problem is I don't know what is the most correct algorithm to use the header says "alg": "RS256". So is that:

OPENSSL_ALGO_SHA256
"SHA256"
"sha256"
"RSA-SHA256"
"sha256WithRSAEncryption"
Something else?

I've tried all of those from the php docs that sounds like they could be right, but not matter what I try it always returns 0 (not verified) but according to jwt.io the jwt, signature, and public key I am testing with is valid.

I'm not sure what I am doing wrong.

Original Q&A

There are 1 best solutions below

php-ryan On 05 January 2022 at 01:10

I was able to find some close-ish implementations after much more searching and figured it out.

First, the algorithm needed to be set to "SHA256".

Second, Instead of base64_decode I needed to so a slightly modified decoding, which I found a function for in an open source implementation

private function safeUrlDecode($input)
{
    $remainder = strlen($input) % 4;
    if ($remainder) {
        $pad = 4 - $remainder;
        $input .= str_repeat('=', $pad);
    }

    return base64_decode(strtr($input, '-_', '+/'));
}

These two together, and now it works.

Validating RS256 signature with PHP

There are 1 best solutions below

Related Questions in PHP

Related Questions in OPENSSL

Related Questions in RSA-SHA256

Trending Questions

Popular # Hahtags

Popular Questions