Signature verification for Elliptic Curve

Hello,

Receiving a JWT, I am trying to implement signature validation for ES256, ES384 and ES512. I did it successfully for the RSA types, based on the public certificate sent as content in the JWT. I am trying to do the same for the ES algorithms, but it doesn't work. Do I need other input parameters, such as the (x, y) pair, to do this validation? I don't think so, but …

I use io.jsonwebtoken Java library.

I don't know how the debugger does it, and I need to have the same behavior.

Does anybody have tips or sample Java code?

Thanks for your help
François

Hi all,

In fact, I produced tokens signed with ES256, ES384 or ES512 containing the public certificate in the x5c key, but I cannot understand how the site validates (or not) such a token …

I tried several methods with no success.

Can somebody help me?
Thanks for your support
François

The current validation Java code is (using java.security.Signature):


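import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.Signature;
import java.util.Arrays;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.DERSequence;

// JCA algorithm name for the token's alg value
Signature signature = Signature.getInstance(algo.getJcaName());
// contains the public X.509 certificate
signature.initVerify(certificate);
// contains the header.claims part of the token; it is base64url text, so the charset is made explicit
signature.update(jwtAssertion.getBytes(StandardCharsets.US_ASCII));
// verification against the signature part of the token, converted to DER format
verifiedToken = signature.verify(toDerSignature(signPart));
// >>> returns true in all cases … :frowning:

// Converts a JWS ECDSA signature (R || S, two halves of equal length) into a DER SEQUENCE of two INTEGERs
private static byte[] toDerSignature(byte[] jwsSig) throws IOException {

    byte[] rBytes = Arrays.copyOfRange(jwsSig, 0, jwsSig.length / 2);
    byte[] sBytes = Arrays.copyOfRange(jwsSig, jwsSig.length / 2, jwsSig.length);

    // signum 1: R and S are unsigned values
    BigInteger r = new BigInteger(1, rBytes);
    BigInteger s = new BigInteger(1, sBytes);

    DERSequence sequence = new DERSequence(new ASN1Encodable[]{
        new ASN1Integer(r),
        new ASN1Integer(s)
    });
    return sequence.getEncoded();
}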
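
An added example, not part of the original posts and not code from the io.jsonwebtoken library: ES256 verification with only the JDK (Java 9 or later), where the `SHA256withECDSAinP1363Format` algorithm accepts the JWS R || S signature directly, so no DER conversion is needed. The class and method names, the key pair and the claims are constructed for the demo; in real use the public key is assumed to come from an x5c certificate whose chain has already been validated against a trusted root.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

public class Es256VerifyDemo { // hypothetical class name
    // JWS carries ECDSA signatures as fixed-length R || S (RFC 7518), not DER.
    static boolean verifyEs256(String compactJws, PublicKey key) throws GeneralSecurityException {
        String[] parts = compactJws.split("\\.", -1);
        if (parts.length != 3) return false;
        byte[] sig;
        try {
            sig = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return false; // signature part is not valid base64url
        }
        if (sig.length != 64) return false; // ES256: 32-byte R + 32-byte S
        Signature verifier = Signature.getInstance("SHA256withECDSAinP1363Format");
        verifier.initVerify(key);
        // The signed input is the ASCII text "header.payload" exactly as received.
        verifier.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return verifier.verify(sig);
    }

    static String b64(String json) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed P-256 key pair and claims, for the demo only.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();
        String header = b64("{\"alg\":\"ES256\"}");
        Signature signer = Signature.getInstance("SHA256withECDSAinP1363Format");
        signer.initSign(kp.getPrivate());
        signer.update((header + "." + b64("{\"sub\":\"alice\"}")).getBytes(StandardCharsets.US_ASCII));
        String sigPart = Base64.getUrlEncoder().withoutPadding().encodeToString(signer.sign());
        String genuine = header + "." + b64("{\"sub\":\"alice\"}") + "." + sigPart;
        // Same signature over different claims: a correct verifier must reject it.
        String altered = header + "." + b64("{\"sub\":\"bob\"}") + "." + sigPart;
        System.out.println("genuine token verifies: " + verifyEs256(genuine, kp.getPublic()));
        System.out.println("altered token verifies: " + verifyEs256(altered, kp.getPublic()));
    }
}
```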