Signature fix #85
The signatures generated by JWS are invalid because it base64 encodes the signature as a string instead of a binary value; converting to binary first produces the correct signature value. Verified with the example from the JWS RFC and the debugger at http://jwt.io. Results may be validated with:
echo -n "base64_header.base64_payload" | openssl dgst -sha256 -hmac "your_secret" -binary | base64 | tr -- '+=/' '- _'
…se64 encode." This reverts commit eb5a6889e058930003b1f787dc3b39ce59023d4f.
hey @stuartm thanks for this! Could you take a look at the tests on travis? cheers!
Yes, I saw those, I'll update the pull request with a fix when I get a chance.
I needed this fix and it works fine for me! I do not understand why the tests fail with "malformed input". It would be really great to have this in the master branch, so I can stop hacking the vendor files on every composer update...
I know why the tests are failing, I'll try to find time in the next couple of days to update the pull request.
thanks man :) On Thu, Mar 17, 2016 at 6:23 PM, Stuart Morgan notifications@github.com
Nadalin Alessandro
@stuartm any update?
Sorry, work has been really crazy. I'll make time tonight to sort this out.
no worries man, know that feeling :) On Thu, Mar 31, 2016 at 1:05 PM, Stuart Morgan notifications@github.com
Nadalin Alessandro
hey @stuartm any luck with this? :)
closed for inactivity -- feel free to pick this up again!
Well, I will eventually find time to sort the patch out; however, I don't think the ticket should be closed since the bug is still present.
This fixes signature creation: the presently generated signature doesn't comply with the RFC and is rejected by other applications/libraries. The reason is that the signature is base64 encoded as a string instead of a hexadecimal representation of octets.
Converting the signature to binary before base64 encoding results in the expected signature, as verified against the example in RFC 7515 and the http://jwt.io debugger.
Results may be validated with:
echo -n "base64_encoded_header.base64_encoded_payload" | openssl dgst -sha256 -hmac "your_secret" -binary | base64 | tr -- '+=/' '- _'
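The defect and the fix side by side, as an added example that is not the library's own code (the library is PHP, where the "string" path corresponds to `hash_hmac()` returning its default hex text rather than raw octets; that mapping is an assumption). Python is used so the two code paths can be checked against the RFC 7515 Appendix A.1 HS256 vector the description refers to.

```python
import base64
import hashlib
import hmac

# RFC 7515 Appendix A.1 test vector (HS256): protected header, payload,
# shared key and expected signature, all base64url-encoded as in the RFC.
RFC_HEADER = "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9"
RFC_PAYLOAD = ("eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt"
               "cGxlLmNvbS9pc19yb290Ijp0cnVlfQ")
RFC_KEY = ("AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4h"
           "cgUuTwjAzZr1Z9CAow")
RFC_SIGNATURE = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_buggy(header_b64: str, payload_b64: str, key: bytes) -> str:
    """Reproduces the bug: the 64-character hex *text* of the HMAC (what a
    hex-string digest API returns by default) is what gets base64url'd."""
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    hex_text = hmac.new(key, signing_input, hashlib.sha256).hexdigest()
    return b64url_encode(hex_text.encode("ascii"))  # 86 chars, not 43


def hs256_fixed(header_b64: str, payload_b64: str, key: bytes) -> str:
    """The fix: base64url-encode the raw 32 HMAC octets."""
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    raw = hmac.new(key, signing_input, hashlib.sha256).digest()
    return b64url_encode(raw)


def verify_hs256(compact_jws: str, key: bytes) -> bool:
    """Verifier side: recompute over raw octets, compare in constant time."""
    header_b64, payload_b64, sig_b64 = compact_jws.split(".")
    return hmac.compare_digest(hs256_fixed(header_b64, payload_b64, key), sig_b64)


if __name__ == "__main__":
    key = b64url_decode(RFC_KEY)
    print("buggy:", hs256_buggy(RFC_HEADER, RFC_PAYLOAD, key))
    print("fixed:", hs256_fixed(RFC_HEADER, RFC_PAYLOAD, key))
    print("RFC:  ", RFC_SIGNATURE)
```

A quick interoperability check for the defect: an HS256 signature segment should be 43 base64url characters; the hex-string bug yields 86.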