如何使用带有RSA私钥的RS256在C＃中创建加密的JWT

我知道这篇文章很老了，但我花了很长时间才想到这一点，所以我想我会分享。

要测试我使用OpenSSL创建了RSA密钥：

 openssl genrsa -out privateKey.pem 512 openssl rsa -in privateKey.pem -pubout -out publicKey.pem 

您将需要以下2个nuget包：

1. https://github.com/dvsekhvalnov/jose-jwt
2. http://www.bouncycastle.org/csharp/

测试代码

 public static void Test() { string publicKey = File.ReadAllText(@"W:\Dev\Temp\rsa_keys\publicKey.pem"); string privateKey = File.ReadAllText(@"W:\Dev\Temp\rsa_keys\privateKey.pem"); var claims = new List(); claims.Add(new Claim("claim1", "value1")); claims.Add(new Claim("claim2", "value2")); claims.Add(new Claim("claim3", "value3")); var token = CreateToken(claims, privateKey); var payload = DecodeToken(token, publicKey); } 

创建令牌

  public static string CreateToken(List claims, string privateRsaKey) { RSAParameters rsaParams; using (var tr = new StringReader(privateRsaKey)) { var pemReader = new PemReader(tr); var keyPair = pemReader.ReadObject() as AsymmetricCipherKeyPair; if (keyPair == null) { throw new Exception("Could not read RSA private key"); } var privateRsaParams = keyPair.Private as RsaPrivateCrtKeyParameters; rsaParams = DotNetUtilities.ToRSAParameters(privateRsaParams); } using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider()) { rsa.ImportParameters(rsaParams); Dictionary payload = claims.ToDictionary(k => k.Type, v => (object)v.Value); return Jose.JWT.Encode(payload, rsa, Jose.JwsAlgorithm.RS256); } } 

解码令牌

  public static string DecodeToken(string token, string publicRsaKey) { RSAParameters rsaParams; using (var tr = new StringReader(publicRsaKey)) { var pemReader = new PemReader(tr); var publicKeyParams = pemReader.ReadObject() as RsaKeyParameters; if (publicKeyParams == null) { throw new Exception("Could not read RSA public key"); } rsaParams = DotNetUtilities.ToRSAParameters(publicKeyParams); } using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider()) { rsa.ImportParameters(rsaParams); // This will throw if the signature is invalid return Jose.JWT.Decode(token, rsa, Jose.JwsAlgorithm.RS256); } } 

我发现https://jwt.io/是一个很好的资源来测试你的令牌

如果要使用证书，可以使用此方法通过指纹检索它

 private X509Certificate2 GetByThumbprint(string Thumbprint) { var localStore = new X509Store(StoreName.My, StoreLocation.LocalMachine); localStore.Open(OpenFlags.ReadOnly); return localStore.Certificates//.Find(X509FindType.FindByKeyUsage, X509KeyUsageFlags.DigitalSignature, false) .Find(X509FindType.FindByThumbprint, Thumbprint, false) .OfType().First(); } 

然后：

 private JwtSecurityToken GenerateJWT() { var securityKey = new Microsoft.IdentityModel.Tokens.X509SecurityKey(GetByThumbprint("YOUR-CERT-THUMBPRINT-HERE")); var credentials = new Microsoft.IdentityModel.Tokens.SigningCredentials(securityKey, "RS256"); var JWTHeader = new JwtHeader(credentials); var payload = new JwtPayload { { "iss", "Issuer-here"}, { "exp", (Int32)(DateTime.UtcNow.AddHours(1).Subtract(new DateTime(1970, 1, 1))).TotalSeconds}, { "iat", (Int32)(DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1))).TotalSeconds} }; var token = new JwtSecurityToken(JWTHeader, payload); return token; } 

GetRSAPrivateKey仅在.NET 4.6中可用。 请参阅下面的URL。

https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.rsacertificateextensions.getrsaprivatekey(v=vs.110).aspx

如果使用公共证书和.NET 4.6，则可以使用以下方法进行解码：

 string token = "eyJhbGciOiJSUzI1NiIsInR...."; string certificate = "MIICnzCCAYcCBgFd2yEPx...."; var publicKey = new X509Certificate2(Convert.FromBase64String(certificate )).GetRSAPublicKey(); string decoded = JWT.Decode(token, publicKey, JwsAlgorithm.RS256); 

1. RS256是一种签名算法，而不是加密算法
2. 使用公钥进行加密

3. 以下是创建加密JWT的代码：

    var cert = new X509Certificate2(".\\key.cer"); var rsa = (RSACryptoServiceProvider) cert.PublicKey.Key; var payload = new Dictionary() { {"sub", "mr.x@contoso.com"}, {"exp", 1300819380} }; var encryptedToken = JWT.Encode( payload, rsa, JweAlgorithm.RSA_OAEP, JweEncryption.A256CBC_HS512, null);