Validated parsed JWS header instead of header string

YahooArchive / end-to-end

Use OpenPGP-based encryption in Yahoo mail.

http://yahoo.tumblr.com/post/113708033335/user-focused-security-end-to-end-encryption

Apache License 2.0

223 stars 40 forks source link

Validated parsed JWS header instead of header string #36

Closed diracdeltas closed 9 years ago

diracdeltas commented 9 years ago

The JOSE implementation that we're using for the keyserver recently changed the default JWS header. Checking the parsed header for expected parameters is less fragile than checking the header string against expected values.

Do not merge yet; haven't checked that tests still pass with this change.

yahoocla commented 9 years ago

CLA is valid!

diracdeltas commented 9 years ago

For reference, the merge that caused verification to break in the extension was https://github.com/square/go-jose/pull/20.

coruus commented 9 years ago

LGTM. Thanks for the detailed catch.

diracdeltas commented 9 years ago

Please note the request in my pull request:

Do not merge yet; haven't checked that tests still pass with this change.

they in fact don't pass, but it's a trivial change so i'll do it now.