I'm trying to get my head around JWT tokens in Golang. I'm using github.com/dgrijalva/jwt-go.
What caught me off guard is the fact that I can enter multiple valid signatures.
For example, head over to http://jwt.io - enter MySuperSecretKey for the secret
This token is valid:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU
as well as this one:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9.SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV
In fact, if I change the last letter to V, W or X, I get a "Signature Verified" message.
Can anyone tell me what's going on here?
It's the Base64 encoding of the signature which can have the last letter changed to certain targets without affecting the relevant bits.
Try popping both signatures into a base64->hex decoder and you'll get the same results. In fact, at https://conv.darkbyte.ru/ both signatures get re-evaluated to base64 SxshVL42DUH9e7jXUblbBbTwKxhe4jo70DrvbQMlaQ==
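A worked Go example, added here and not part of either post, that shows why jwt-go (and jwt.io) accept all four spellings: the third segment is decoded as unpadded base64url, the two leftover bits of the 43rd character are ignored by the default decoder, and the HMAC-SHA256 comparison runs on the decoded bytes rather than on the signature text. A strict decoder plus a round-trip re-encoding identifies the single canonical spelling. The token and secret are the ones from the question; nothing else is assumed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Signing input (header.payload) and secret taken from the question above.
const (
	signingInput = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0NTc3MzAyODMsInVzZXIiOiJ1c2VyMSJ9"
	secret       = "MySuperSecretKey"
)

// The four spellings of the signature that jwt.io accepted.
var variants = []string{
	"SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaU",
	"SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaV",
	"SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaW",
	"SxshVL42DUH9e7jXUblbB_bTwKxhe4jo70DrvbQMlaX",
}

// decode treats the third segment as unpadded base64url: 43 chars carry 258 bits for a
// 32-byte HMAC, and Go's default decoder ignores the 2 leftover bits of the last char,
// so U (010100), V (010101), W (010110) and X (010111) all decode to the same bytes.
func decode(sig string) ([]byte, error) {
	return base64.RawURLEncoding.DecodeString(sig)
}

// isCanonical: leftover bits are zero (Strict, RFC 4648 s3.5) and the text round-trips.
func isCanonical(sig string) bool {
	b, err := base64.RawURLEncoding.Strict().DecodeString(sig)
	return err == nil && base64.RawURLEncoding.EncodeToString(b) == sig
}

// hmacMatches verifies like a JWT library: HMAC over signingInput, constant-time compare on bytes.
func hmacMatches(sig string) bool {
	got, err := decode(sig)
	if err != nil { return false }
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return hmac.Equal(mac.Sum(nil), got)
}

func main() {
	for _, v := range variants {
		b, _ := decode(v)
		fmt.Printf("...%s bytes=%x canonical=%v hmacOK=%v\n", v[len(v)-1:], b, isCanonical(v), hmacMatches(v))
	}
}
```

All four strings denote the same 32 HMAC bytes, so accepting them is not a verification weakness: none can be produced without the key. The strict check only matters if the token text itself must be canonical (for example when it is used as a cache or revocation key).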