jwt
Is the RS256 implementation complete/correct?
It looks like validateEncodedJwtWithEncodedSecret calls encodedSignature, which ends up calling j.s.Signature.sign; this value is compared literally with the input signature value. This does not match the description of RS256 from the JWA spec:
Submit the JWS Signing Input, the JWS Signature, and the public key corresponding to the private key used by the signer to the RSASSA-PKCS1-V1_5-VERIFY algorithm using SHA-256 as the hash function.
I believe RSASSA-PKCS1-V1_5-VERIFY here corresponds to j.s.Signature.verify. The corresponding test that came with #14 should also be updated to use the public key part for verification.
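For reference, the spec's sign/verify split written out end to end. This is an added example in Go against the standard library, not code from this repository; the function names signRS256, verifyRS256 and demo are assumed for illustration, and the claim set and the altered payload are constructed inputs. It shows why re-signing and comparing cannot serve as verification: the verifier holds only the public key, so the only primitive available to it is PKCS#1 v1.5 VERIFY over the JWS Signing Input.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// b64 is the unpadded base64url encoding JWS uses for every segment.
var b64 = base64.RawURLEncoding

// signRS256 builds header.payload.signature for the given claims. The
// signature is RSASSA-PKCS1-v1_5 over SHA-256 of the JWS Signing Input
// (header "." payload), which is what RS256 means in RFC 7518 section 3.3.
// Only the holder of the private key can do this step.
func signRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) +
		"." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyRS256 checks a token with the public key only, as the spec describes:
// hash the Signing Input, then run PKCS#1 v1.5 VERIFY against the decoded
// signature. A verifier cannot re-sign and compare; it has no private key.
func verifyRS256(pub *rsa.PublicKey, token string) (bool, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false, errors.New("token must have exactly three segments")
	}
	// Refuse any alg other than RS256 so a token claiming "none" or an HMAC
	// alg cannot be pushed through the RSA path.
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return false, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return false, err
	}
	if hdr.Alg != "RS256" {
		return false, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	// A failed verification is the normal "bad token" outcome, not an error.
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return false, nil
	}
	return true, nil
}

// demo generates two key pairs, signs a constructed claim set with the first,
// and reports whether the genuine token verifies, whether a token whose
// payload was altered after signing is rejected, and whether the genuine
// token is rejected under an unrelated public key.
func demo() (genuine, tampered, wrongKey bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	token, err := signRS256(priv, map[string]interface{}{"sub": "alice", "admin": false})
	if err != nil {
		return
	}
	if genuine, err = verifyRS256(&priv.PublicKey, token); err != nil {
		return
	}
	parts := strings.Split(token, ".")
	// Constructed attack: keep the original header and signature, swap the payload.
	forged := parts[0] + "." + b64.EncodeToString([]byte(`{"sub":"alice","admin":true}`)) + "." + parts[2]
	if tampered, err = verifyRS256(&priv.PublicKey, forged); err != nil {
		return
	}
	wrongKey, err = verifyRS256(&other.PublicKey, token)
	return
}

func main() {
	genuine, tampered, wrongKey, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", genuine, tampered, wrongKey)
}
```

Two points worth keeping in mind when fixing the library: PKCS#1 v1.5 signatures are deterministic, so a sign-and-compare check does pass for whoever holds the private key, which is probably why the existing test did not catch the problem; a test that verifies with only the public key part exposes it immediately. And the alg check in verifyRS256 is there because a verifier that dispatches on the token's own header can be steered onto a different algorithm entirely, which is a separate class of bug from the one this issue describes.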