JwtObject ECDSAVerifier verifying the wrong signature format
Hi,
I am creating a JWT token outside of Java and I am able to verify the payload against the signature using standard Java security. However, if I parse the JWT into a SignedJWT and try to verify it, it fails. Looking at it closer, the problem is in ECDSAVerifier.java. At line 182 it converts the signature to DER using
derSignature = ECDSA.transcodeSignatureToDER(jwsSignature);
If I use the jwsSignature from line 177 instead, the verification a few lines below succeeds. Any idea why?
I am using the latest nimbus-jose-jwt SDK, 8.9, in Java. Here is the token and the public key (all test data, safe to share):
eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjAwMDEiLCJpc3MiOiJCYXNoIEpXVCBHZW5lcmF0b3IiLCJpYXQiOjE1ODM1NDIyNTEsImV4cCI6MTU4NDU0MjI1MH0.eyJkSWQiOiIwMTZlOTBhMy01ZGI5LWQxYTUtZjZhNS0xYmVlMGJkOWUyMmQiLCJhdWQiOiJkZXZpY2UifQ.MEQCIEZB2kA97gDTh0kE1-d6TrDJI9JSCXUhe3lX96VLo-7-AiANQW644_T-HsJzc1oniLodH2kV6fV2eh0py98SYHxDjA
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAErO9ybka4GEe3wu1rOoW3Cd/ddIVu
yCMaHVps36J65d9YExrfcxHmhSk/Awk6ZkNRFvGeFwI45nheIP03Qirt2A==
-----END PUBLIC KEY-----
Comments (2)
- changed status to invalid
Thanks for figuring this out :)
Never mind, I figured it out. The signature I created with openssl is already DER (ASN.1) encoded, but nimbus-JOSE-JWT expects it in the concatenated format for ES256 signatures. So this issue can be closed.
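The mismatch described in this thread, as an added example that is not part of the issue or of the nimbus-jose-jwt code base: a JWS ES256 signature is the fixed-width R||S concatenation (RFC 7518 section 3.4, 32+32 bytes), while openssl emits a DER SEQUENCE of two INTEGERs. The helpers below transcode between the two forms and rewrite the third segment of the token quoted above; the function names are this example's own.

```python
import base64

# Token posted in the issue above; its third segment is a DER-encoded
# ECDSA signature, which is why the JWS-level verification fails.
TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjAwMDEiLCJpc3MiOiJCYXNo"
         "IEpXVCBHZW5lcmF0b3IiLCJpYXQiOjE1ODM1NDIyNTEsImV4cCI6MTU4NDU0MjI1MH0."
         "eyJkSWQiOiIwMTZlOTBhMy01ZGI5LWQxYTUtZjZhNS0xYmVlMGJkOWUyMmQiLCJhdWQi"
         "OiJkZXZpY2UifQ.MEQCIEZB2kA97gDTh0kE1-d6TrDJI9JSCXUhe3lX96VLo-7-AiAN"
         "QW644_T-HsJzc1oniLodH2kV6fV2eh0py98SYHxDjA")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def der_to_jws(der: bytes, part_len: int = 32) -> bytes:
    """DER SEQUENCE{INTEGER r, INTEGER s} -> R||S, each left-padded to part_len."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    pos, seq_len = 2, der[1]
    if seq_len == 0x81:                 # long-form length (ES512 signatures need it)
        pos, seq_len = 3, der[2]
    if seq_len + pos != len(der):
        raise ValueError("DER length mismatch or trailing bytes")
    parts = []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n = der[pos + 1]
        val = der[pos + 2:pos + 2 + n].lstrip(b"\x00")  # drop DER sign padding
        pos += 2 + n
        if len(val) > part_len:
            raise ValueError("integer too large for curve")
        parts.append(val.rjust(part_len, b"\x00"))      # fixed width, as JWS requires
    return b"".join(parts)

def jws_to_der(sig: bytes) -> bytes:
    """R||S -> DER, re-adding the 0x00 sign byte when the high bit is set."""
    if len(sig) % 2:
        raise ValueError("R||S must have even length")
    def der_int(b: bytes) -> bytes:
        b = b.lstrip(b"\x00") or b"\x00"
        if b[0] & 0x80:
            b = b"\x00" + b
        return b"\x02" + bytes([len(b)]) + b
    half = len(sig) // 2
    body = der_int(sig[:half]) + der_int(sig[half:])
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return b"\x30" + length + body

def fix_token(token: str) -> str:
    """Replace a DER signature segment with the R||S segment JWS libraries expect."""
    header, payload, sig = token.split(".")
    return ".".join([header, payload, b64url_encode(der_to_jws(b64url_decode(sig)))])
```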