connect2id / Nimbus-JOSE-JWT / issues / #493 - JWSObject.parse with empty signature must throw ParseException instead of signal an invalid signature — Bitbucket

Issue #493 resolved

Vladimir Dzhuvinov created an issue 2022-09-27

No description provided.

Comments (4)

Vladimir Dzhuvinov reporter
- changed status to resolved
Fixed: 6662912d
- 2022-09-27T16:35:47+00:00
Vladimir Dzhuvinov reporter
Release: version 9.25.4 (2022-09-27)
- 2022-09-27T17:11:35+00:00
Alar Kvell
All previous versions handled JWSObject jwsObject = JWSObject.parse("eyJhbGciOiJIUzI1NiJ9.eyJ0YXJhX3N0YXRlIjoidW9sNVVkSF9RTHVLTnZULUZsVS1Za21iX3R6TmhGMDJucjVjbG0tcTFzYyIsImxvZ2luX2NoYWxsZW5nZSI6IjllZWIzZmMzMzVlMjQ2ODc5Mzc3MDk4YmZkYzkxZDJmIiwidGFyYV9ub25jZSI6IkNMSmthOXpZQmg5Y1Nsa0ZUR1hJdE5vem5FaGV1ZUlncS16bTNCaUR6MHMifQ."); successfully and jwsObject.verify(verifier) returned false.

But starting from this version, JWSObject jwsObject = JWSObject.parse("eyJhbGciOiJIUzI1NiJ9.eyJ0YXJhX3N0YXRlIjoidW9sNVVkSF9RTHVLTnZULUZsVS1Za21iX3R6TmhGMDJucjVjbG0tcTFzYyIsImxvZ2luX2NoYWxsZW5nZSI6IjllZWIzZmMzMzVlMjQ2ODc5Mzc3MDk4YmZkYzkxZDJmIiwidGFyYV9ub25jZSI6IkNMSmthOXpZQmg5Y1Nsa0ZUR1hJdE5vem5FaGV1ZUlncS16bTNCaUR6MHMifQ."); throws ParseException.

This looks like a change in library’s API. Maybe changing libray’s API shouldn’t be incorporated to a minor or patch version, maybe it should be planned to a major version?
- 2022-09-29T19:49:38+00:00
Vladimir Dzhuvinov reporter
According to the spec the JWS compact format expects a signature after the second dot, thus this is a format error and not a signature validation error.

https://www.rfc-editor.org/rfc/rfc7515#section-7.1

Detecting such errors up front is a good thing.
- 2022-09-30T07:45:09+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: resolved

Component: –

Milestone: –

Votes: 0

Watchers: 2

Jira Software: the preferred issue tracker for Bitbucket. Join the team!