I have a RS256 JWT, I'd like to find out its public key. Because I know the header, payload and I have the encrypted signature, is there a way to obtain the public key that made the signature from these elements?
Signatures are not encrypted, and are generated with the private key not the public key. They are verified with the public key, and for a JWS (including a signed JWT) that key is usually either included in or identified by the header; see RFC 7515 section 6 – dave_thompson_085 Mar 27 '22 at 03:16
1 Answer
RS256 is defined as "RSASSA-PKCS1-v1_5 using SHA-256", i.e. an RSA PKCS#1 v1.5 signature. You can therefore find a method of obtaining the modulus here. Note that you'd first have to perform the deterministic PKCS#1 v1.5 encoding on the payload itself to get to the $m$ within the question / answers.
If the public exponent is large & random then you're probably out of luck, but that's not common at all. Instead, the public exponent is usually small, often the value 0x010001 / 65537 - the fifth prime of Fermat, also known as F4. JWT only hints to use F4; it doesn't seem to explicitly require a specific or small exponent to be used.

Maarten Bodewes
Note that I'm presuming that the signature is not actually encrypted. Saying that signature generation is encryption with a private key (for RSA) is a common mistake which I'm trying to fight (and losing, because of all the terribly bad learning material out there). – Maarten Bodewes Mar 27 '22 at 16:09
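The method the answer links to relies on the fact that every RS256 signature satisfies s^e ≡ m (mod n), where m is the EMSA-PKCS1-v1_5 encoding of SHA-256 over the JWS signing input (base64url(header) "." base64url(payload), RFC 7515 section 5.1). So n divides s_i^e - m_i for each token signed under the same key, and the gcd of two or more of those values is n times a small cofactor. The following worked example is added here and is not code from the answer or its author: it builds a demo-only RSA key with a seeded RNG (not a real key), signs three tokens with constructed claims, then recovers n from the tokens alone and verifies them with the recovered key. It uses e = 3 so that the pure-Python s**e stays at a few thousand bits; the same recover_modulus call works for F4 = 65537 (the exponent the answer says to try first), but then each s**e is about 65537 × 2048 bits, so in practice you want gmpy2-class big-integer arithmetic. The function and variable names (emsa_pkcs1_v15_sha256, recover_modulus, toy_rsa_keypair, demo) are this example's own.

```python
import base64
import hashlib
import json
import math
import random

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_encode(data: bytes) -> str:
    """JWS base64url: urlsafe alphabet with the '=' padding stripped (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def emsa_pkcs1_v15_sha256(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus (RFC 8017 section 9.2),
    returned as the integer m that RS256 actually signs: 00 01 FF..FF 00 || DigestInfo || hash."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for EMSA-PKCS1-v1_5 with SHA-256")
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin with trial division first; adequate for a demo key only."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_rsa_keypair(bits: int, e: int, rng: random.Random):
    """Demo-only RSA key generation from a seeded RNG (NOT for real keys). e must be prime,
    so (p - 1) % e != 0 is enough to make e invertible modulo phi(n)."""
    def gen_prime():
        while True:
            p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if (p - 1) % e != 0 and _is_probable_prime(p, rng):
                return p
    p, q = gen_prime(), gen_prime()
    return p * q, pow(e, -1, (p - 1) * (q - 1))  # (n, d)


def rs_sign_jwt(header: dict, payload: dict, n: int, d: int) -> str:
    """RS256 compact serialization: signing input is base64url(header) '.' base64url(payload)."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    k = (n.bit_length() + 7) // 8
    m = emsa_pkcs1_v15_sha256(signing_input.encode("ascii"), k)
    s = pow(m, d, n)                       # private-key operation: signing, not encryption
    return signing_input + "." + b64url_encode(s.to_bytes(k, "big"))


def rs_verify_jwt(token: str, n: int, e: int) -> bool:
    """Public-key verification: s^e mod n must equal the re-computed encoding m."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    sig = b64url_decode(sig_b64)
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    return pow(s, e, n) == emsa_pkcs1_v15_sha256((header_b64 + "." + payload_b64).encode("ascii"), k)


def recover_modulus(tokens, e: int) -> int:
    """Recover n from RS256 tokens signed under one key, given the (guessed) public exponent e.
    Each signature satisfies s^e = m (mod n), so n | s_i^e - m_i; the gcd over two or more
    tokens is n times a usually tiny cofactor, which is stripped at the end."""
    g = 0
    for token in tokens:
        header_b64, payload_b64, sig_b64 = token.split(".")
        sig = b64url_decode(sig_b64)
        k = len(sig)                       # the signature length reveals the modulus size
        m = emsa_pkcs1_v15_sha256((header_b64 + "." + payload_b64).encode("ascii"), k)
        s = int.from_bytes(sig, "big")
        g = math.gcd(g, pow(s, e) - m)     # pow WITHOUT a modulus: e * log2(n) bits, the costly step
    for f in range(2, 1 << 16):            # strip small cofactors; n itself has no small factors
        while g % f == 0 and g > f:
            g //= f
    return g


def demo() -> bool:
    """Sign three tokens, recover n from the tokens alone, verify them with the recovered key."""
    E = 3                                  # small e keeps s**e around 3 * 1024 bits; F4 needs gmpy2-class arithmetic
    rng = random.Random(2022)              # fixed seed: reproducible constructed demo key
    n, d = toy_rsa_keypair(1024, E, rng)
    header = {"alg": "RS256", "typ": "JWT"}
    claims = [{"sub": "demo-user-%d" % i, "iat": 1648000000 + i} for i in range(3)]  # constructed claims
    tokens = [rs_sign_jwt(header, c, n, d) for c in claims]
    recovered = recover_modulus(tokens, E)
    return recovered == n and all(rs_verify_jwt(t, recovered, E) for t in tokens)


if __name__ == "__main__":
    print("modulus recovered and tokens verify:", demo())
```

Two points worth keeping in mind when reading this: the exponent is never recovered, only guessed, which is exactly why a large random exponent defeats the approach, and the recovered value is the public key, i.e. something the verifier was meant to have all along; nothing about the private key is learned.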