Verification not working as expected: it accepts a modified signature

Issue #558 invalid
Adrian Swarcewicz created an issue

I created a JWT string using SignedJWT.serialize(), then appended one letter (the letter "a") at the end.
I tried to verify the created string using this code:

// eckey: the ECKey holding the public key below; s: the JWT string with the "a" appended
JWSVerifier verifier = new ECDSAVerifier(eckey);
Assertions.assertTrue(SignedJWT.parse(s).verify(verifier));

and it passed.

The JWT I created, with the “a” letter appended:

eyJhbGciOiJFUzM4NCJ9.eyJpc3MiOiJodHRwczovL2MyaWQuY29tIiwiZXhwIjoxNzIzMzgxMjcxLCJzdWIiOiJhbGljZSJ9.pWOUF4Gkgqy9Il7KYfIWpS99m1K17-LdMDukwD6LqKol3RUZYc3XF0HzJ6F97iXFcK76FHgESDlpm3-44AlA1zfUDclx6aHKXfJPA-0yB5fPGocJf7kURMh6tCdTkdbia

My Public Key:

-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEL9cb9Rp7HHu/oIw+r8KJGrJFEgxiFXUC
QK75XwGkisiLYlTfB0KWa0T9t3FdmASOWqa3FTfXxd49tPYBUEWCqtrKKkdwqA2g
HfWLG/m8J+kKP6rTbTK0MY5cEYFeGw/u
-----END PUBLIC KEY-----

https://jwt.io/ correctly reports that the signature is invalid

nimbus-jose-jwt 9.40

Comments (3)

  1. Yavor Vasilev

    Hi Adrian,

    When adding a char at the end of a JWS signature, the BASE64 must be decoded to check whether the underlying bytes output by the codec have indeed changed. When seeing non-alphabet chars or incomplete trailing bits in a BASE64 string, codecs have 2 strategies: ignore them, or treat the entire BASE64 as invalid.

    Tickets like this have been posted before, so we added this new section to the FAQ:

    https://connect2id.com/products/nimbus-jose-jwt/faq#base64url-signature-rep
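
The two decoder strategies the comment describes, worked through on the signature segment of the JWT posted above. This is an added example, not code from the issue, from nimbus-jose-jwt or from its FAQ. The signature string is copied from the reporter's JWT; the lenient decoder is written by hand because CPython's own base64 module already rejects a string whose length is 1 more than a multiple of 4 (that stdlib behaviour is shown alongside for comparison). The example also goes one step beyond the report: appending two characters instead of one does change the decoded bytes.

```python
import base64
import binascii

# Constructed input: the third (signature) segment of the JWT posted in the
# issue, including the extra trailing "a" the reporter appended.
TAMPERED_SIG = "pWOUF4Gkgqy9Il7KYfIWpS99m1K17-LdMDukwD6LqKol3RUZYc3XF0HzJ6F97iXFcK76FHgESDlpm3-44AlA1zfUDclx6aHKXfJPA-0yB5fPGocJf7kURMh6tCdTkdbia"
ORIGINAL_SIG = TAMPERED_SIG[:-1]   # what SignedJWT.serialize() emitted (128 chars)

# RFC 4648 base64url alphabet; JWS uses it without '=' padding.
_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
_SEXTET = {c: i for i, c in enumerate(_ALPHABET)}


def lenient_b64url_decode(s: str) -> bytes:
    """Strategy 1 from the comment: skip non-alphabet characters, accumulate
    6-bit groups, and silently drop trailing bits that do not form a byte."""
    bits = 0
    nbits = 0
    out = bytearray()
    for ch in s:
        if ch not in _SEXTET:      # '=' or any stray character: ignored
            continue
        bits = (bits << 6) | _SEXTET[ch]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    # Any leftover nbits (< 8) are discarded here: that is the lenient behaviour
    # that makes the tampered string decode to exactly the original 96 bytes.
    return bytes(out)


def strict_b64url_decode(s: str) -> bytes:
    """Strategy 2: accept only the canonical, unpadded base64url encoding of
    some byte string; anything else makes the whole segment invalid."""
    if len(s) % 4 == 1:
        raise ValueError("dangling base64url character (6 bits cannot be a byte)")
    if any(ch not in _SEXTET for ch in s):
        raise ValueError("non-alphabet character in base64url segment")
    padded = s + "=" * (-len(s) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except binascii.Error as exc:
        raise ValueError(str(exc)) from exc
    # Re-encode and compare: also rejects non-zero unused bits in the last char.
    if base64.urlsafe_b64encode(raw).rstrip(b"=").decode() != s:
        raise ValueError("non-canonical base64url segment")
    return raw


def lenient_matches() -> bool:
    """True when a lenient codec yields identical signature bytes for both
    strings, which is exactly why verify() still returned true."""
    return lenient_b64url_decode(TAMPERED_SIG) == lenient_b64url_decode(ORIGINAL_SIG)


def strict_rejects(sig: str) -> bool:
    try:
        strict_b64url_decode(sig)
    except ValueError:
        return True
    return False


def stdlib_rejects(sig: str) -> bool:
    """CPython's base64 module refuses a dangling data character outright."""
    try:
        base64.urlsafe_b64decode(sig)
    except binascii.Error:
        return True
    return False


if __name__ == "__main__":
    raw = lenient_b64url_decode(ORIGINAL_SIG)
    print("ES384 signature length:", len(raw))            # 96 = R || S, 48 bytes each
    print("lenient decode, bytes unchanged:", lenient_matches())
    print("strict decode rejects tampered:", strict_rejects(TAMPERED_SIG))
    print("strict decode accepts original:", not strict_rejects(ORIGINAL_SIG))
    print("stdlib rejects tampered:", stdlib_rejects(TAMPERED_SIG))
    print("two extra chars -> bytes:", len(lenient_b64url_decode(ORIGINAL_SIG + "aa")))
```

The 128-character original decodes to 96 bytes (an ES384 JWS signature is R || S, 48 bytes each, per RFC 7518), and the appended 129th character contributes only 6 bits, so a codec that drops incomplete trailing bits hands the ECDSA verifier exactly the same signature it would have seen without the tampering. A strict decoder rejects the segment before any ECDSA check runs; re-encoding and comparing additionally catches the related case of non-zero unused bits in the last character. Appending two characters instead adds a 97th byte, which changes the signature and fails verification under either strategy.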
