
Why does encryption with different keys produce the same ciphertext? #415

Closed
cnsyear opened this issue Nov 25, 2018 · 1 comment

Comments

@cnsyear

cnsyear commented Nov 25, 2018

I have two keys, secret and secret2, and the generated ciphertext is the same.
Here is my test, please advise!

import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

import java.util.Date;
import java.util.HashMap;
import java.util.Map;

/**
 * @Description: Test
 * @Author: 趙小傑~~
 * @Date: 2018/11/25 11:18
 */
public class TestJJWTIssues {
    // Here are two different keys
    public static String secret = "abcde";
    public static String secret2 = "abcdef";

    public static void main(String[] args) {
        // Expiration one week from now (604800 seconds)
        Date date = new Date(System.currentTimeMillis() + 604800 * 1000);

        Map<String, Object> claimsMap = new HashMap<String, Object>();
        claimsMap.put("username", "helloworld");

        String token = Jwts.builder()
                .setClaims(claimsMap)
                .setExpiration(date)
                .signWith(SignatureAlgorithm.HS512, secret) // The algorithm is your choice; it does not have to be HS512
                .compact();

        String token2 = Jwts.builder()
                .setClaims(claimsMap)
                .setExpiration(date)
                .signWith(SignatureAlgorithm.HS512, secret2) // The algorithm is your choice; it does not have to be HS512
                .compact();

        System.out.println(token);
        System.out.println(token2);

        if (token.contentEquals(token2)) {
            System.out.println("validate ok!");
        } else {
            System.out.println("validate fail!");
        }
    }
}

The output is

eyJhbGciOiJIUzUxMiJ9.eyJleHAiOjE1NDM3MjA4ODIsInVzZXJuYW1lIjoiaGVsbG93b3JsZCJ9.GadJ06kj14I-tPXXaO1JhSSb_Kr9vNfJ5xebeiua83ujVA-p6Un686eGpdJeWa2mbsByBzTbej9ZYScBn02WgA
eyJhbGciOiJIUzUxMiJ9.eyJleHAiOjE1NDM3MjA4ODIsInVzZXJuYW1lIjoiaGVsbG93b3JsZCJ9.GadJ06kj14I-tPXXaO1JhSSb_Kr9vNfJ5xebeiua83ujVA-p6Un686eGpdJeWa2mbsByBzTbej9ZYScBn02WgA
validate ok!

@lhazlewood
Contributor

Closing as a duplicate of #211 #269 #324 #362 #405

.signWith(SignatureAlgorithm, base64EncodedKey) requires the second argument to be Base64, not a plaintext password. You appear to be using the API incorrectly.

Additionally abcde and abcdef are not valid signing keys - you must be using an old version of JJWT. The latest stable version of JJWT (0.10.5 at the time of this comment) goes through more lengths to ensure you correctly use Base64 and/or proper key lengths. You can't just change appended characters of Base64 and always expect different results.

Please see #211 for an explanation why.
