- changed status to resolved
JWSObject.parse with empty signature must throw ParseException instead of signaling an invalid signature
No description provided.
Comments (4)
- reporter: Release: version 9.25.4 (2022-09-27)
- reporter: All previous versions handled
JWSObject jwsObject = JWSObject.parse("eyJhbGciOiJIUzI1NiJ9.eyJ0YXJhX3N0YXRlIjoidW9sNVVkSF9RTHVLTnZULUZsVS1Za21iX3R6TmhGMDJucjVjbG0tcTFzYyIsImxvZ2luX2NoYWxsZW5nZSI6IjllZWIzZmMzMzVlMjQ2ODc5Mzc3MDk4YmZkYzkxZDJmIiwidGFyYV9ub25jZSI6IkNMSmthOXpZQmg5Y1Nsa0ZUR1hJdE5vem5FaGV1ZUlncS16bTNCaUR6MHMifQ.");
successfully and jwsObject.verify(verifier) returned false. But starting from this version,
JWSObject jwsObject = JWSObject.parse("eyJhbGciOiJIUzI1NiJ9.eyJ0YXJhX3N0YXRlIjoidW9sNVVkSF9RTHVLTnZULUZsVS1Za21iX3R6TmhGMDJucjVjbG0tcTFzYyIsImxvZ2luX2NoYWxsZW5nZSI6IjllZWIzZmMzMzVlMjQ2ODc5Mzc3MDk4YmZkYzkxZDJmIiwidGFyYV9ub25jZSI6IkNMSmthOXpZQmg5Y1Nsa0ZUR1hJdE5vem5FaGV1ZUlncS16bTNCaUR6MHMifQ.");
throws ParseException. This looks like a change in the library's API. Maybe changing the library's API shouldn't be incorporated into a minor or patch version; maybe it should be planned for a major version?
- reporter: According to the spec the JWS compact format expects a signature after the second dot, thus this is a format error and not a signature validation error.
https://www.rfc-editor.org/rfc/rfc7515#section-7.1
Detecting such errors up front is a good thing.
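An added example, not code from this issue or from the nimbus-jose-jwt project, showing how a caller keeps the two outcomes apart once parsing rejects an empty signature segment: the ParseException from JWSObject.parse is a format error, while a false from verify() is a signature error. The JwsCheck class, the Outcome enum and both secrets are assumptions made for the example; the unsigned token is the one quoted in the issue.

```java
import java.nio.charset.StandardCharsets;
import java.text.ParseException;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;

public class JwsCheck {
    enum Outcome { MALFORMED, SIGNATURE_INVALID, VERIFIED }
    // Hypothetical secrets for this example; HS256 needs at least 32 bytes for MACSigner/MACVerifier.
    static final byte[] SECRET = "example-shared-secret-of-at-least-32-bytes!".getBytes(StandardCharsets.US_ASCII);
    static final byte[] OTHER  = "another-secret-that-is-also-32-bytes-long!!".getBytes(StandardCharsets.US_ASCII);

    static Outcome check(String compactJws, JWSVerifier verifier) {
        JWSObject jws;
        try {
            // 9.25.4+: a missing third segment violates RFC 7515 s7.1 and fails here as ParseException.
            jws = JWSObject.parse(compactJws);
        } catch (ParseException e) {
            return Outcome.MALFORMED;
        }
        try {
            // Only a syntactically complete JWS reaches the MAC comparison.
            return jws.verify(verifier) ? Outcome.VERIFIED : Outcome.SIGNATURE_INVALID;
        } catch (JOSEException e) {
            // e.g. alg/key mismatch: fail closed, never treat it as verified
            return Outcome.SIGNATURE_INVALID;
        }
    }

    public static void main(String[] args) throws JOSEException {
        JWSVerifier verifier = new MACVerifier(SECRET);
        // The token from the issue: header and payload present, signature segment empty.
        String unsigned = "eyJhbGciOiJIUzI1NiJ9.eyJ0YXJhX3N0YXRlIjoidW9sNVVkSF9RTHVLTnZULUZsVS1Za21iX3R6TmhGMDJucjVjbG0tcTFzYyIsImxvZ2luX2NoYWxsZW5nZSI6IjllZWIzZmMzMzVlMjQ2ODc5Mzc3MDk4YmZkYzkxZDJmIiwidGFyYV9ub25jZSI6IkNMSmthOXpZQmg5Y1Nsa0ZUR1hJdE5vem5FaGV1ZUlncS16bTNCaUR6MHMifQ.";
        System.out.println("empty signature -> " + check(unsigned, verifier));            // MALFORMED
        // Same algorithm, signed with the wrong key: parses fine, but verify() returns false.
        JWSObject wrongKey = new JWSObject(new JWSHeader(JWSAlgorithm.HS256), new Payload("{\"sub\":\"demo\"}"));
        wrongKey.sign(new MACSigner(OTHER));
        System.out.println("wrong key       -> " + check(wrongKey.serialize(), verifier)); // SIGNATURE_INVALID
        // Signed with the right key: the only path that yields VERIFIED.
        JWSObject good = new JWSObject(new JWSHeader(JWSAlgorithm.HS256), new Payload("{\"sub\":\"demo\"}"));
        good.sign(new MACSigner(SECRET));
        System.out.println("correct key     -> " + check(good.serialize(), verifier));     // VERIFIED
    }
}
```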
Fixed: 6662912d