1. Brian Campbell Avatar Brian Campbell
  2. Untitled project
  3. jose4j
  4. Issues

Signature verification fails using crv: "P-256", kty: "EC"

Issue #128 resolved
Stefan Norberg created an issue

Hi,

I'm trying to verify a JSON JWS document here: https://fedscim-poc.skolfederation.se/md/skolfederation-fedscim-0_1.json

using the key here: https://fedscim-poc.skolfederation.se/jwks

The signature verifies using the python verifier here: https://github.com/kirei/scim-fed-auth/blob/master/tools/verify.py

I'm using the following code to verify the JWS - what am I doing wrong?

Thanks!

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.VerificationJwkSelector;
import org.jose4j.jws.JsonWebSignature;
import org.junit.Assert;
import org.junit.Test;

import java.net.URL;
import java.util.Scanner;

public class JWSUtilTest {

    private static ObjectMapper mapper = new ObjectMapper();

    @Test
    public void parse() throws Exception {
        String keys = new Scanner(new URL("https://fedscim-poc.skolfederation.se/jwks").openStream(), "UTF-8").useDelimiter("\\A").next();
        String meta = new Scanner(new URL("https://fedscim-poc.skolfederation.se/md/skolfederation-fedscim-0_1.json").openStream(), "UTF-8").useDelimiter("\\A").next();
        JsonWebSignature jws = parseJSONSerialization(meta);
        jws.setKnownCriticalHeaders("exp");
        JsonWebKeySet jsonWebKeySet = new JsonWebKeySet(keys);
        VerificationJwkSelector jwkSelector = new VerificationJwkSelector();
        JsonWebKey jwk = jwkSelector.select(jws, jsonWebKeySet.getJsonWebKeys());
        jws.setKey(jwk.getKey());
        Assert.assertTrue("Verification failed", jws.verifySignature());
    }


    /**
     * Utility to convert JSON serialization to compact, as nimbus-jose-jwt doesnt seem to support it.
     *
     * @param json
     * @return
     */
    static JsonWebSignature parseJSONSerialization(String json) {
        try {
            JsonNode root = mapper.readTree(json);
            JsonNode payload = root.get("payload");
            JsonNode signatures = root.get("signatures");
            JsonNode signature = signatures.get(0);
            String protectedString = signature.get("protected").asText();
            String signaturePart = signature.get("signature").asText();
            JsonWebSignature jsonWebSignature = new JsonWebSignature();
            jsonWebSignature.setCompactSerialization(protectedString + "." + payload + "." + signaturePart);
            return jsonWebSignature;
        } catch (Exception e) {
            throw new RuntimeException("Could not parse jws json");
        }
    }

}

Comments (6)

  2. Brian Campbell repo owner

    You need the .asText() bit on the payload part as well. The payload part has quotes around it when building the compact serialization, which results in the JWS being header."payload".signature and signature verification failing.

  3. Stefan Norberg reporter

    Doh! Many thanks.

    Is there support for, or any plans to, handle parsing of JWS JSON Serialization?

  7. Log in to comment
Assignee
Type
bug
Priority
major
Status
resolved
Votes
0
Watchers
1
Jira: the preferred issue tracker for Bitbucket. Join the team!