Today's topic is as follows.
Why did JWT suddenly come up?
- Yes, it was to obtain an access token that can be used for 30 days or more, as one of the ways of using the Line SDK.
- That was an answer for a special situation, though.
- It is an API authentication mechanism that confirms who I am (Authentication) without using Persistent Storage, signs with a CRT registered on the system, and has a flexible payload format that includes an Expiry.
So, what is a JWT?
A JWT is a bearer token: a string that carries some content.
- Besides the bear (the animal), "to give birth" and "to endure", bear also means to carry or to hold, so here it is used in the sense of carrying something, of holding something.
- The thing being carried is sometimes described as luggage; in English it is called the payload.
- Because it carries a JSON string, it is called a JSON Web Token.
- In other words, "bearer token" means that if you decode the token, the information needed for authentication is in it.
- What is distinctive is that it uses asymmetric encryption. Yes: a public key and a private key. That's it.
- When you sign, you get the original string and a hash (the signature), right? These two are bundled together and base64-encoded into a string.
I attach the Wikipedia image about digital signatures.
Reviewing certificates
For those who only use certificates occasionally, let's review from the very basics.
First, with openssl (on Linux) a certificate is created and stored in the store in the following order.
The openssl and Windows commands each create a certificate in the following way.
First, openssl:
- creates a key,
- puts in the Subject and creates a CSR,
- creates the certificate, the crt, and stores it in the store.
Windows, on the other hand:
- creates the crt and stores it in the store in one shot, and
- when the key is needed, pulls it back out of the crt and uses it.
There are several ways to store asymmetric keys:
- First, a certificate can hold both the private key and the public key.
- There are also cases where it holds only one of the two.
- Among the PKCS formats, the cryptographic formats, there is one that holds both the private key and the public key.
- That is format number 12 (PKCS #12). Its extension is usually .pfx.
- With the ssh-keygen or openssl command you can also create each of them as a separate file.
- When setting up Linux you often use ssh-keygen to skip the login, right?
- As extensions, .pub is usually used for the public key and .key for the private key.
What certificates do I have?
The command to find out is dir cert:\CurrentUser\My.
PS C:\Users\usr0100023\blog> dir cert:\CurrentUser\My
PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
AA3F29ACAB1A7F03B1A4F7A5599CAB88046190EF CN=5b80296b-f36a-47b1-bc60-1682acc7fb79
A942CDF8EBB3253F114A232D14F0164E13F7F28D CN=usr0100023, OU=User, OU=GMO Internet, DC=GMO, DC=LOCAL
There are two. What are they?
The first one:
PS C:\Users\usr0100023\blog> (dir cert:\CurrentUser\My)[0] | fl *
PSPath : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\AA3F29ACAB1A7F03B1A4F7A5599CAB88046190EF
PSParentPath : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
PSChildName : AA3F29ACAB1A7F03B1A4F7A5599CAB88046190EF
PSDrive : Cert
PSProvider : Microsoft.PowerShell.Security\Certificate
PSIsContainer : False
EnhancedKeyUsageList : {クライアント認証 (1.3.6.1.5.5.7.3.2)}
DnsNameList : {5b80296b-f36a-47b1-bc60-1682acc7fb79}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId :
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 2030/11/18 21:39:51
NotBefore : 2020/11/18 21:09:51
HasPrivateKey : True
PrivateKey :
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 3, 242...}
SerialNumber : 71383B952949ED8A46E1F5E62B4C14F8
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : AA3F29ACAB1A7F03B1A4F7A5599CAB88046190EF
Version : 3
Handle : 1664150703360
Issuer : DC=net + DC=windows + CN=MS-Organization-Access + OU=82dbaca4-3e81-46ca-9c73-0950c1eaca97
Subject : CN=5b80296b-f36a-47b1-bc60-1682acc7fb79
It was made last November and is a 2-year one… Is it for connecting to SharePoint?? It has no PrivateKey.
The second one?
PS C:\Users\usr0100023\blog> (dir cert:\CurrentUser\My)[1] | fl *
PSPath : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\A942CDF8EBB3253F114A232D14F0164E13F7F28D
PSParentPath : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
PSChildName : A942CDF8EBB3253F114A232D14F0164E13F7F28D
PSDrive : Cert
PSProvider : Microsoft.PowerShell.Security\Certificate
PSIsContainer : False
EnhancedKeyUsageList : {クライアント認証 (1.3.6.1.5.5.7.3.2), 電子メールの保護 (1.3.6.1.5.5.7.3.4), 暗号化ファイル システム (1.3.6.1.4.1.311.10.3.4)}
DnsNameList : {usr0100023}
SendAsTrustedIssuer : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId : {2CB84403-A3E8-4CEE-989D-EB2DA05F8586}
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 2022/11/10 13:31:33
NotBefore : 2020/11/10 13:21:33
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 7, 197...}
SerialNumber : 13000022798A2F44AE4D65CAC9000000002279
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : A942CDF8EBB3253F114A232D14F0164E13F7F28D
Version : 3
Handle : 1664152461536
Issuer : CN=GMOEPCA01-CA, DC=GMO, DC=LOCAL
Subject : CN=usr0100023, OU=User, OU=GMO Internet, DC=GMO, DC=LOCAL
This one has a PrivateKey. It looks like I can make a JWT with this.
Install the JWT module.
Shall we try?
If you try to sign with a Crt that has no PrivateKey, you get an error, because signing means making the hash with the PrivateKey.
- $cert = (dir cert:\CurrentUser\My)[0]
- New-Jwt -Cert $cert -PayloadJson '{"token1":"value1","token2":"value2"}'
PS C:\Users\usr0100023\blog> $cert = (dir cert:\CurrentUser\My)[0]
PS C:\Users\usr0100023\blog> New-Jwt -Cert $cert -PayloadJson '{"token1":"value1","token2":"value2"}' -verbose
詳細: Payload to sign: {"token1":"value1","token2":"value2"}
詳細: Algorithm: RS256
詳細: Signing certificate: CN=5b80296b-f36a-47b1-bc60-1682acc7fb79
There's no private key in the supplied certificate - cannot sign
発生場所 C:\Program Files\WindowsPowerShell\Modules\jwt\1.9.0\JWT.psm1:277 文字:17
+ ... throw "There's no private key in the supplied certificate ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (There's no priv...e - cannot sign:String) [], RuntimeException
+ FullyQualifiedErrorId : There's no private key in the supplied certificate - cannot sign
Then what if we make it with a Crt that has a PrivateKey?
- $cert = (dir cert:\CurrentUser\My)[1]
- New-Jwt -Cert $cert -PayloadJson '{"token1":"value1","token2":"value2"}' -verbose
PS C:\Users\usr0100023\blog> $cert = (dir cert:\CurrentUser\My)[1]
PS C:\Users\usr0100023\blog> New-Jwt -Cert $cert -PayloadJson '{"token1":"value1","token2":"value2"}' -verbose
詳細: Payload to sign: {"token1":"value1","token2":"value2"}
詳細: Algorithm: RS256
詳細: Signing certificate: CN=usr0100023, OU=User, OU=GMO Internet, DC=GMO, DC=LOCAL
Signing with SHA256 and Pkcs1 padding failed using private key System.Security.Cryptography.RSACryptoServiceProvider
発生場所 C:\Program Files\WindowsPowerShell\Modules\jwt\1.9.0\JWT.psm1:282 文字:25
+ ... catch { throw "Signing with SHA256 and Pkcs1 padding failed using ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Signing with SH...ServiceProvider:String) [], RuntimeException
+ FullyQualifiedErrorId : Signing with SHA256 and Pkcs1 padding failed using private key System.Security.Cryptography.RSACryptoServiceProvider
PS C:\Users\usr0100023\blog>
It failed. Why doesn't it work? Is it because the certificate is not meant for signing?
Shall we create a new certificate for signing and try again?
Yes, it succeeded.
- There is one well-known format that holds both the Private Key and the Public Key, right? PKCS #12 (.pfx file extension).
- I'd like to cover how to do this with openssl next time as well.
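Here, as an added example rather than code from the post or from the JWT module, is the signing step the post just walked through in one runnable PowerShell block, followed by the check the bearer-token section describes: the token is split into its base64 parts and its signature is verified with the certificate's public key. It assumes the JWT module (New-Jwt) is installed and uses a made-up subject name and payload.

```powershell
# Added example (not from the post or the JWT module): a certificate allowed to sign,
# a token signed with the post's New-Jwt, then the token split and verified.
# Assumptions: the JWT module is installed; subject and payload are made-up values.
# -KeySpec Signature / -KeyUsage DigitalSignature mark the key as a signing key.
# -Provider selects a CSP that supports SHA-256 (CSPs from before SHA-2, such as
# "Microsoft Enhanced Cryptographic Provider v1.0", cannot sign with SHA256).
$cert = New-SelfSignedCertificate -Subject 'CN=jwt-signing-example' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyUsage DigitalSignature `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -NotAfter (Get-Date).AddYears(1)

# Checks before signing: a private key must be present (the post's first certificate
# had none) and the Key Usage extension, if present, must allow digital signature.
if (-not $cert.HasPrivateKey) { throw 'certificate has no private key' }
$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$dsFlag = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
if ($ku -and (([int]$ku.KeyUsages -band $dsFlag) -eq 0)) { throw 'key usage forbids signing' }

# Payload with an expiry (exp = seconds since the Unix epoch), as the post recommends.
$exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
$jwt = New-Jwt -Cert $cert -PayloadJson ('{"sub":"usr-example","exp":' + $exp + '}')

# A JWT is header.payload.signature, each part base64url encoded without padding.
function ConvertFrom-Base64Url([string]$s) {
    $s = $s.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return ,[Convert]::FromBase64String($s)
}
$parts  = $jwt.Split('.')
$header = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0]))
$claims = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
$signed = [Text.Encoding]::ASCII.GetBytes($parts[0] + '.' + $parts[1])
$sig    = ConvertFrom-Base64Url $parts[2]

# RS256 is RSA PKCS#1 v1.5 over SHA-256 (the "SHA256 and Pkcs1 padding" in the module's
# error text); verifying needs only the certificate's public key.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$validSig = $rsa.VerifyData($signed, $sig,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$notExpired = $claims.exp -gt [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

"header       : $header"
"claims       : $($claims | ConvertTo-Json -Compress)"
"signature ok : $validSig, not expired : $notExpired"
```

A receiver that only has the public key (or the .pub file from the extensions section) can run the same split-and-verify half; the private key is needed only for New-Jwt.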