Fixes #94 #106

Closed
wants to merge 4 commits into from

Contributor

tillz commented Sep 30, 2016

(hopefully finally)

Contributor

odino commented Oct 2, 2016

hey @tillz let us know when the PR is finalized (I see a `Call to undefined method Namshi\JOSE\Signer\OpenSSL\RS256::getSignatureLength()` error on Travis) so that we can review! Thanks for taking a look at this, man!

Contributor

Spomky commented Oct 2, 2016

Without any verification based on test vectors you cannot assert the PR is compliant with the RFC.
You will find all the material in the RFC7520 or the RFC6979.

Contributor Author

tillz commented Oct 2, 2016

@odino It's working now, I've also enhanced the tests a bit. I just was a bit too focused on the EC classes, so I've totally missed there are still the other algorithms which inherit from the PublicKey class.

@Spomky It's impossible to verify against test vectors, as the signature includes a random nonce. Just testing the successful verification of known signatures would be possible, but would bring a false feeling of conformity, which is - in fact - not tested nor proved.

Anyways, I just wanted to contribute this feature I needed for a customer back to the community, but can't afford the time to implement everything sbd expects from some random open-source library. Please open an issue to inform the other authors about this if you think it's necessary.

Contributor

Spomky commented Oct 3, 2016

> @Spomky It's impossible to verify against test vectors, as the signature includes a random nonce. Just testing the successful verification of known signatures would be possible, but would bring a false feeling of conformity, which is - in fact - not tested nor proved.

You are absolutely right, however if you verify test cases from the RFCs and you implement your own signature/verification then you can assert the signature is correctly performed.

Another way could be to use a third party library/application to verify the JWS issued by this library are correctly loaded. The counterpart is that you must be confident that the third party tool you choose is doing the job the right way.

tillz mentioned this pull request Oct 6, 2016
Contributor

odino commented Nov 23, 2016

closing for inactivity -- feel free to reopen if you can take another crack at it! :)

odino closed this Nov 23, 2016