Hello,
When receiving a JWT, I am trying to implement signature validation for ES256, ES384 and ES512. I did it successfully for the RSA types, based on the public certificate sent as content in the JWT. I am trying to do the same for the ES algorithms, but it doesn't work. Must I have other input parameters, such as the (x, y) pair, to do this validation? I don't think so, but …
I use io.jsonwebtoken Java library.
I don't know how the debugger does it, and I need to have the same behavior.
Does anybody have tips or sample Java code?
Thanks for your help
François
Hi all,
In fact, I produced tokens signed with ES256, ES384 or ES512 containing the public certificate in the x5c key, but I cannot understand how the site validates (or not) such tokens …
I tried several methods with no success.
Can somebody help me?
Thanks for your support
François
The current validation Java code is (using java.security.Signature):

    // imports needed by this fragment (the ASN.1 classes are Bouncy Castle's)
    import java.io.IOException;
    import java.math.BigInteger;
    import java.security.Signature;
    import java.util.Arrays;
    import org.bouncycastle.asn1.ASN1Encodable;
    import org.bouncycastle.asn1.ASN1Integer;
    import org.bouncycastle.asn1.DERSequence;
    …
    // pass the algorithm name
    Signature signature = Signature.getInstance(algo.getJcaName());
    // contains the public X.509 certificate
    signature.initVerify(certificate);
    // contains the header.claims parts from the token
    signature.update(jwtAssertion.getBytes());
    // verification with the signed part from the token, converted to DER format
    verifiedToken = signature.verify(toDerSignature(signPart));
    // >>> returns true in all cases …
    …
    // Converts the raw R||S signature carried in a JWS into a DER SEQUENCE of two INTEGERs.
    private static byte[] toDerSignature(byte[] jwsSig) throws IOException {
        byte[] rBytes = Arrays.copyOfRange(jwsSig, 0, jwsSig.length / 2);
        byte[] sBytes = Arrays.copyOfRange(jwsSig, jwsSig.length / 2, jwsSig.length);
        BigInteger r = new BigInteger(1, rBytes);
        BigInteger s = new BigInteger(1, sBytes);
        DERSequence sequence = new DERSequence(new ASN1Encodable[]{
            new ASN1Integer(r),
            new ASN1Integer(s)
        });
        return sequence.getEncoded();
    }
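An added example, not part of the original post and not code from the jjwt project: ES256/ES384/ES512 verification with only the JDK, using the `...inP1363Format` signature algorithms (Java 9 and later), which accept the raw R||S form a JWS carries, so no DER conversion is needed. The class name, method names and the key pair and token built in `main` are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

public class EsJwsVerifyExample {
    // JWS alg -> JCA algorithm that takes the raw R||S signature used by JWS.
    static String jcaName(String alg) {
        switch (alg) {
            case "ES256": return "SHA256withECDSAinP1363Format";
            case "ES384": return "SHA384withECDSAinP1363Format";
            case "ES512": return "SHA512withECDSAinP1363Format";
            default: throw new IllegalArgumentException("unsupported alg: " + alg);
        }
    }
    // Fixed R||S length in bytes: P-256 -> 64, P-384 -> 96, P-521 -> 132.
    static int sigLength(String alg) {
        return alg.equals("ES256") ? 64 : alg.equals("ES384") ? 96 : 132;
    }
    // expectedAlg is chosen by the verifier, not read from the token header.
    static boolean verify(String jws, String expectedAlg, PublicKey key) throws GeneralSecurityException {
        String[] parts = jws.split("\\.", -1);
        if (parts.length != 3) return false;
        byte[] sig;
        try { sig = Base64.getUrlDecoder().decode(parts[2]); }
        catch (IllegalArgumentException e) { return false; }
        if (sig.length != sigLength(expectedAlg)) return false;
        Signature v = Signature.getInstance(jcaName(expectedAlg));
        v.initVerify(key);
        // The signing input is the ASCII bytes of "header.payload" exactly as received.
        v.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return v.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();                       // constructed test key
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String head = b64.encodeToString("{\"alg\":\"ES256\"}".getBytes(StandardCharsets.UTF_8));
        String body = b64.encodeToString("{\"sub\":\"constructed\"}".getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance(jcaName("ES256"));
        s.initSign(kp.getPrivate());
        s.update((head + "." + body).getBytes(StandardCharsets.US_ASCII));
        String sigPart = b64.encodeToString(s.sign());
        String other = b64.encodeToString("{\"sub\":\"other\"}".getBytes(StandardCharsets.UTF_8));
        System.out.println("valid token:    " + verify(head + "." + body + "." + sigPart, "ES256", kp.getPublic()));
        System.out.println("altered claims: " + verify(head + "." + other + "." + sigPart, "ES256", kp.getPublic()));
    }
}
```

A signature that verifies against a certificate taken from the token's own `x5c` header only shows that the token matches that certificate; the certificate chain still has to be validated against a trust anchor the verifier controls before the result means anything.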