JWS payload is re-encoded when verifying the signature

For verification the payload is currently being decoded and then re-encoded to produce the signing input. Verification should instead be on the singing input from the original encoded payload of compact serialization to more accurately get at what the sender signed.

In practice this should rarely, if ever, be a problem. But there are cases of base64url looking content can have more than one value decode to the same thing. These two values for example:

IVRoaXMgaXMgbm8gbG9uZ2VyIGEgdmFjYXRpb24u and IVRoaXMgaXMgbm8gbG9uZ2VyIGEgdmFjYXRpb24uX

But encoding again will yield only the former. If the original JWS contained the latter, the signature wouldn't verify.

To address this, we should hold onto the original encoded payload and use it in signature verification.

Comments (3)