- Recognition and marking
- JWS/JWE editors
- (Semi-)Automated attacks
  - Bleichenbacher MMA
  - Key Confusion (aka Algorithm Substitution)
  - Signature Exclusion
- Base64url en-/decoder
- Easy extensibility of new attacks
To compile the JOSEPH extension from source, it is necessary to have Apache Maven installed and to run the following command:
$ mvn clean package
To skip the (unit) tests, use the following command:
$ mvn clean package -DskipTests
JOSEPH has been tested with Java 1.7 and 1.8.
If the Oracle JDK is installed, the Bouncy Castle JCE provider dependency must not be loaded from within a newly compiled fat JAR, as doing so breaks the required signature integrity check.
When performing the Bleichenbacher attack without Bouncy Castle being correctly loaded, the following error will occur:
[BleichenbacherPkcs1Info]: Error during key encryption: Cannot find any provider supporting RSA/NONE/NoPadding
If this issue arises, please perform the following step(s):
Copy the Bouncy Castle JAR-file
lib folder into the
In some cases, it is necessary to additionally amend the
/[PATH_TO_JVM]/jre/lib/security/java.security file and add the following line (preferably directly below the other provider definitions):
9 in this case specifies the priority and should be adjusted to fit into existing definitions.
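To confirm that the steps above took effect, the following check can be compiled and run with the same JVM that runs the extension. It is an added example, not part of JOSEPH; the class name ProviderCheck and the helper findProvider are hypothetical, and "BC" is the name under which Bouncy Castle registers its provider.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

// Added diagnostic (hypothetical class name), not JOSEPH code.
public class ProviderCheck {
    // Transformation string taken from the error message shown above.
    static final String TRANSFORMATION = "RSA/NONE/NoPadding";

    /** Returns the name of the provider that serves the transformation, or null if none does. */
    static String findProvider(String transformation) {
        try {
            // Providers that are missing or fail the JCE signature check are skipped
            // here, which is what produces "Cannot find any provider supporting ...".
            return Cipher.getInstance(transformation).getProvider().getName();
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Print the registered providers in priority order (position 1 is tried first),
        // which shows where an entry added to java.security actually landed.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("%2d  %s%n", i + 1, providers[i].getName());
        }

        // Registered does not yet mean usable for ciphers, so check both.
        System.out.println("BC registered: " + (Security.getProvider("BC") != null));

        String name = findProvider(TRANSFORMATION);
        System.out.println(TRANSFORMATION + " -> " + (name == null ? "no provider found" : name));

        // A non-zero exit status makes the check usable from a setup script.
        System.exit(name == null ? 1 : 0);
    }
}
```

If the last line reports no provider, the Bleichenbacher module will fail with the error quoted above, and the JAR location and provider entry should be rechecked.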
target/JOSEPH-1.0.1.jar and load the
target/lib folder to your Java Environment under