A way to get the public key of a RS256 JWT from its headers and payload?

hmngwn

7/26/23, 2:33 PM

I have a RS256 JWT, I'd like to find out its public key. Because I know the header, payload and I have the encrypted signature, is there a way to obtain the public key that made the signature from these elements?

0 + 0

jwt

dave_thompson_085

7/27/23, 3:16 AM

Signatures are not encrypted, and are generated with the private key not the public key. They are _verified_ with the public key, and for a JWS (including a signed JWT) that key is usually either included in or identified by the header; see [rfc7515 section 6](https://datatracker.ietf.org/doc/html/rfc7515#section-6)

Score:1

Crypto

Maarten Bodewes

7/27/23, 4:02 PM

RS256 is defined as "RSASSA-PKCS1-v1_5 using SHA-256", i.e. an RSA PKCS#1 v1.5 signature. You can therefore find a method of obtaining the modulus here. Note that you'd first have to perform the deterministic PKCS#1 v1.5 encoding on the payload itself to get to the $m$ within the question / answers.

If the public exponent is large & random then you're probably out of luck, but that's not common at all. Instead, the public exponent is usually small, often the value 0x010001 / 65537 - the fifth prime of Fermat, also known as F4. JWT only hints to use F4; it doesn't seem to explicitly require a specific or small exponent to be used.

0 + 0

Maarten Bodewes

7/27/23, 4:09 PM

Note that I'm presuming that the signature is not actually encrypted. Saying that signature generation is encryption with a private key (for RSA) is a [**common mistake**](https://crypto.stackexchange.com/q/15997/1172) which I'm trying to fight (and loosing, because of all the terribly bad learning material out there).

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: A way to get the public key of a RS256 JWT from its headers and payload?

TH: วิธีรับรหัสสาธารณะของ RS256 JWT จากส่วนหัวและเพย์โหลด

RO: O modalitate de a obține cheia publică a unui RS256 JWT din anteturile și sarcina utilă?

RU: Способ получить открытый ключ RS256 JWT из его заголовков и полезной нагрузки?

VI: Cách lấy khóa công khai của RS256 JWT từ tiêu đề và tải trọng của nó?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.