JWT HS256 decryption and sha256 signature verification

A JWT (JSON Web Token) has three components separated by dots: a header, a payload, and a signature. The signature is an encrypted hash of the first two components using the key.

When a token is created, the server generates a header and payload, writes them to JSON format, and encodes them to a modified BASE64. This gives two strings that are concatenated through a dot. Then a signature is generated from the common string using the algorithm specified in the header. The signature is added via a dot, creating a complete token.

When receiving a request with a token, the server breaks the token into components, decrypts the header and determines the signature algorithm. The server then calculates the verification signature from the first two components of the token and compares it with the one specified in the token. If they match, the token is considered valid.

When using a symmetric algorithm, both servers know the same key - the server that generates the token and the server that verifies it. Asymmetric encryption allows tokens to be created on one server using a private key and verified on another server using the corresponding public key.

Token example:

$token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE 2MjM5MDIyfQ.qeDJnxS97205riRwowv_szvCv-h2IiPqAAnhFA214CI';

The secret key was encrypted with:

$key = 'private_key';< /p>

Let's look at the processing and verification of signatures:

<?php
$token = 'Given above';
$key = 'Given above';

// Separate our token for 3 variables
$jwtArr = array_combine(['header', 'payload', 'signature'], explode('.', $token));

// base64_decode($jwtArr['header']) - header
// {"alg":"HS256","typ":"JWT"}
//
// base64_decode($jwtArr['payload']) - body
// {"alg":"HS256","typ":"JWT"}
//
// $jwtArr['signature'] - signature based on the secret key, $key
// qeDJnxS97205riRwowv_szvCv-h2IiPqAAnhFA214CI

$calculatedHash = hash_hmac(
        'sha256',
        $jwtArr['header'] . '.' . $jwtArr['payload'],
        $key,
        true);

// sha256 amount, encoded in base64 and we bring to the full version
$calcSign = convertBase64UrlToBase64(base64_encode($calculatedHash));

// We bring to the full version the signature that was in the code
$unswerS = convertBase64UrlToBase64($jwtArr['signature']);

if ($calcSign === $unswerS) {
    die("The signature matches, the integrity is not broken");
} else {
    die("The signature did NOT match, the integrity is BROKEN");
}

// Converts the trimmed base64 to normal
function convertBase64UrlToBase64($input) {
    $remainder = \strlen($input) % 4;
    if ($remainder) {
        $padlen = 4 - $remainder;
        $input .= \str_repeat('=', $padlen);
    }
    return \strtr($input, '-_', '+/');
}

By calculating the SHA-256 hash of the combined first two parts of the token using the appropriate key, you can verify that this hash matches the first part of the token, thereby confirming that the first two parts have not changed.

Service for online jwt coding for tests.

Library with ready-made solutions firebase /php-jwt

Source