cisco / node-jose

Apache License 2.0

Unable to verify digital signature with public key and detached payload #427

Open shreyadalviatavendus opened 3 months ago

shreyadalviatavendus commented 3 months ago

Hi Team,

I have a response from the external API in the below format:

const inputData = {
   signature: 'eyJhbGciOiJSUzI1NiIsImtpZCI6InNhbXBsZS1rZXktaWQifQ..SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
   response: 'jdskhfgdjskfgkjsdhf'
};

The signature in inputData is without the payload (note the ".."), and I am trying to verify the signature.

My public key format is:

PublicKey: {
   "kty": "RSA",
   "e": "AQAB",
   "use": "sig",
   "kid": "erityuiuerot",
   "n": "kjfghdsjkbfdasbf"
}

The inputData is:

const inputData = {
   signature: 'eyJhbGciOiJSUzI1NiIsImtpZCI6InNhbXBsZS1rZXktaWQifQ..SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
   response: 'jdskhfgdjskfgkjsdhf'
};

I am using the below code to verify it in nodejs:

const jose = require("node-jose");

async function createKeystore() {
    const keystore = jose.JWK.createKeyStore();

    // Add the public key to the keystore (JWK in "json" form)
    const key = await keystore.add({
        kty: 'RSA',
        kid: "erityuiuerot",
        use: 'sig',
        alg: 'RS256',
        n: "kjfghdsjkbfdasbf",
        e: 'AQAB'
    }, 'json');

    return keystore;
}

async function verifyDetachedJWS(jws, payload) {
    try {
        const keystore = await createKeystore();
        console.log("keystore", keystore);
        // Use JWS.createVerify to verify the token; the verifier looks the key
        // up in the keystore by the "kid" carried in the JWS protected header
        const verifier = jose.JWS.createVerify(keystore);

        // Note: only the detached JWS is handed to verify(); the separately
        // delivered payload is not passed in here
        const result = await verifier.verify(jws);

        console.log('Verification successful:', result);
    } catch (error) {
        console.error('Verification failed:', error);
    }
}

// Example JWS token (without payload) and payload (replace with your actual values)
const jws = 'eyJhbGciOiJSUzI1NiIsImtpZCI6InNhbXBsZS1rZXktaWQifQ..SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
// The detached payload: the "response" field from inputData
const payload = 'jdskhfgdjskfgkjsdhf';

verifyDetachedJWS(jws, payload);

But I am getting the following error:

Verification failed: Error: no key found
    at processSig (/node_modules/node-jose/lib/jws/verify.js:132:22)

I am unable to figure out where the issue is. Can you please help me resolve this as soon as possible?

Do I need to use the private key for verification? If yes, then please suggest code for how to do it.

My private key is in the below format:

PrivateKey : { keys : [{ "p": "", "kty": "RSA", "q": "", "d": "", "e": "", "use": "sig", "kid": "", "qi": "", "dp": "", "dq": "", "n": "" }] };

Kindest Regards,
Shreya

klimashkin commented 3 months ago

The issue might affect all Node.js 20.12.0+ versions

https://nodejs.org/en/blog/vulnerability/february-2024-security-releases#nodejs-is-vulnerable-to-the-marvin-attack-timing-variant-of-the-bleichenbacher-attack-against-pkcs1-v15-padding-cve-2023-46809---medium