RSA or HMAC
This covers the two parts of the challenge. The challenge is related to CVE-2017-11424, the key confusion vulnerability in PyJWT. This is somewhat hinted at by the challenge’s description of a “patch” to enable the exploit. Looking at the commit, we see that one of the newly added invalid_strings is '-----BEGIN RSA PUBLIC KEY-----'. This implies that we can leverage the public key for some forging. Combined with this line from the source code:...
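
Added example (not the source line referred to above, and not code from the challenge or from PyJWT): a minimal HS256 verifier showing the two defenses that key confusion calls for, an invalid_strings-style check that refuses PEM-looking HMAC secrets and an algorithm list pinned by the caller. Only the first marker comes from the write-up; the other markers, the function names and the sample values are assumptions.

```python
import base64, hashlib, hmac, json

# First marker is the one quoted in the write-up; the others are assumed additions.
INVALID_STRINGS = (
    b"-----BEGIN RSA PUBLIC KEY-----",
    b"-----BEGIN PUBLIC KEY-----",
    b"-----BEGIN CERTIFICATE-----",
    b"ssh-rsa",
)
# Constructed placeholder, not a real key.
CONSTRUCTED_PEM = b"-----BEGIN RSA PUBLIC KEY-----\nCONSTRUCTED\n-----END RSA PUBLIC KEY-----\n"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def prepare_hmac_key(key: bytes) -> bytes:
    """Refuse anything that looks like an asymmetric public key or certificate."""
    if any(marker in key for marker in INVALID_STRINGS):
        raise ValueError("public key or certificate must not be used as an HMAC secret")
    return key

def _mac(signing_input: str, secret: bytes) -> bytes:
    key = prepare_hmac_key(secret)
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(payload: dict, secret: bytes) -> str:
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    return f"{head}.{body}.{b64url(_mac(f'{head}.{body}', secret))}"

def verify_hs256(token: str, secret: bytes, algorithms=("HS256",)) -> dict:
    """The caller pins the algorithms; the token header never selects the key type."""
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg != "HS256" or alg not in algorithms:
        raise ValueError(f"algorithm {alg!r} not allowed")
    # Constant-time comparison of the recomputed and presented MACs.
    if not hmac.compare_digest(_mac(f"{head}.{body}", secret), b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))
```

A service that only issues RS256 tokens would pass algorithms=("RS256",) to its verifier, so an HS256 header is rejected before any key material is touched.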