Open mindtheme opened 2 years ago
Finally, it should be noted that which algorithms may be used in a given context is an application decision. Even if a JWT is successfully validated, unless the algorithms used in the JWT are acceptable in the application, the JWT should be rejected.
The many methods to distinguish a JWE from a JWS are listed below. As a matter of fact, every method would result in the same output for all legal input values; they may produce different results for illegal inputs.

• If the object is using the JWS Compact Serialisation or the JWE Compact Serialisation, the number of base64url-encoded segments that are separated by a period character is three and five respectively.
• If the object is using the JWS JSON Serialisation or the JWE JSON Serialisation, JWS will have a “payload” member and JWE will not, whereas JWE will have a “ciphertext” member and JWS will not.
• There is a stark difference between the JOSE header for a JWS and that for a JWE, which can be concluded by examining the “alg” (algorithm) header parameter value. If the value represents a digital signature or MAC algorithm, or the value “none”, then it is for a JWS; if it represents a key encryption, key wrapping, direct key agreement, key agreement with key wrapping, or direct encryption algorithm, then it is for a JWE. This is very straightforward if working with compact serialisations of the JWS or the JWE, whereas it may be a little difficult when using JSON serialisation of the JWS or the JWE.
• If an “enc” (encryption algorithm) member exists in the JOSE header, it is a JWE; otherwise, a JWS.
Also, uploading the JWT file for full reference, if required. JWT.pdf
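The rules above (segment count, “payload” vs “ciphertext” member, “alg” family, presence of “enc”) and the earlier point that an application must still allow-list the algorithms it accepts, worked through as an added example. This is not code from the issue or from any of the libraries it mentions; the `ALLOWED_JWS_ALGS` policy set, the sample tokens and the helper names are assumptions constructed for the demonstration. It cross-checks the shape-based rule against the header-based rule so that a token whose segment count and header disagree (an illegal input where the rules diverge) is rejected rather than silently classified.

```python
import base64
import json

# Hypothetical application policy: the only signature/MAC algorithms this
# application accepts. A JWS that validates under any other "alg" is rejected.
ALLOWED_JWS_ALGS = {"HS256", "RS256", "ES256"}

# "alg" values that denote JWE key management (RFC 7518 section 4.1 names).
JWE_ALG_VALUES = {
    "RSA1_5", "RSA-OAEP", "RSA-OAEP-256",
    "A128KW", "A192KW", "A256KW", "dir",
    "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW",
    "A128GCMKW", "A192GCMKW", "A256GCMKW",
    "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW",
}


def _b64url_decode(segment):
    # base64url segments carry no padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _kind_from_header(header):
    """Header-based rule: an "enc" member means JWE; otherwise decide by "alg"."""
    if "enc" in header:
        return "JWE"
    alg = header.get("alg")
    if alg is None:
        raise ValueError("JOSE header lacks the mandatory 'alg' parameter")
    return "JWE" if alg in JWE_ALG_VALUES else "JWS"


def classify_compact(token):
    """Return (kind, header) for a compact-serialised object, or raise on illegal input."""
    parts = token.split(".")
    if len(parts) == 3:
        by_shape = "JWS"
    elif len(parts) == 5:
        by_shape = "JWE"
    else:
        raise ValueError("expected 3 or 5 segments, got %d" % len(parts))
    header = json.loads(_b64url_decode(parts[0]))
    by_header = _kind_from_header(header)
    if by_header != by_shape:
        # Legal inputs agree under every rule; disagreement means a malformed object.
        raise ValueError("segment count says %s but header says %s" % (by_shape, by_header))
    return by_shape, header


def classify_json(obj):
    """Return (kind, protected header) for a JSON-serialised object, or raise."""
    has_payload = "payload" in obj
    has_ciphertext = "ciphertext" in obj
    if has_payload == has_ciphertext:
        raise ValueError("JSON serialisation must carry exactly one of 'payload' or 'ciphertext'")
    by_shape = "JWS" if has_payload else "JWE"
    # Only the integrity-protected header is inspected here; a JWS may also carry
    # per-signature unprotected headers, which this example does not walk.
    header = json.loads(_b64url_decode(obj["protected"])) if "protected" in obj else {}
    if header and _kind_from_header(header) != by_shape:
        raise ValueError("member set says %s but protected header disagrees" % by_shape)
    return by_shape, header


def is_acceptable_jws(header, allowed=ALLOWED_JWS_ALGS):
    """Application decision: reject any JWS whose alg is outside the allow-list.

    "none" is excluded explicitly even if someone adds it to the allow-list by mistake."""
    alg = header.get("alg")
    return alg != "none" and alg in allowed


def make_compact(header, *segments):
    """Build a compact object from a header dict and raw segment bytes (constructed sample data)."""
    return ".".join([_b64url_encode(json.dumps(header).encode())] + [_b64url_encode(s) for s in segments])


# Constructed samples: filler bytes stand in for real signatures, keys, IVs and tags.
SAMPLE_JWS = make_compact({"alg": "HS256", "typ": "JWT"}, b'{"sub":"alice"}', b"\x00" * 32)
SAMPLE_JWS_NONE = make_compact({"alg": "none"}, b'{"sub":"alice"}', b"")
SAMPLE_JWE = make_compact({"alg": "RSA-OAEP", "enc": "A256GCM"},
                          b"\x01" * 256, b"\x02" * 12, b"\x03" * 16, b"\x04" * 16)
# Five segments but a signing "alg" and no "enc": the rules disagree, so it is illegal.
SAMPLE_MISMATCH = make_compact({"alg": "HS256"}, b"a", b"b", b"c", b"d")

if __name__ == "__main__":
    for name, tok in [("JWS", SAMPLE_JWS), ("JWS none", SAMPLE_JWS_NONE), ("JWE", SAMPLE_JWE)]:
        kind, hdr = classify_compact(tok)
        print(name, "->", kind, "acceptable:", kind == "JWS" and is_acceptable_jws(hdr))
```

Note that classification alone is not validation: a token classified as JWS still has to have its signature verified, and only then does `is_acceptable_jws` decide whether the algorithm that verified it is one the application is willing to trust.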
If we want to use an existing library to implement this part of the analysis, there are some open-source-libraries we could try:
I was not able to test these implementations yet, so I cannot recommend one over the others, but if I had to choose one, I would probably start with the first one, since it has the most stars and is actively maintained.
Sources:
User Story
Acceptance Criteria