
Digital Signature with ECDSA not implemented according to RFC 7518

Open paceto256 opened this issue 9 years ago • 0 comments

ES256, ES384 are not implemented according to RFC 7518

RFC 7518: "Generate a digital signature of the JWS Signing Input using ECDSA P-256 SHA-256 with the desired private key. The output will be the pair (R, S), where R and S are 256-bit unsigned integers ..."

Here is the problematic sign method: https://github.com/psecio/jwt/blob/master/src/Psecio/Jwt/Jwt.php#L324

Test case:

  1. Create private & public key with ES384.
  2. Use the private key and this lib to sign the token, then use the signed token generated by this lib and try to validate it using the public key and this tool: http://kjur.github.io/jsjws/tool_jwt.html (working correctly per RFC 7518)

Here is a working implementation with ES256, ES384, etc. that you can check: https://github.com/lcobucci/jwt/blob/master/src/Signer/Ecdsa.php#L82

Regards, Plamen

paceto256, Jul 07 '16 11:07
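The RFC 7518 requirement quoted in the issue, as an added example that is not code from psecio/jwt, lcobucci/jwt or the issue author: it converts an ASN.1 DER ECDSA signature into the fixed-width R || S form that JWS verifiers expect. It assumes the signer returns DER, as PHP's `openssl_sign()` does for EC keys, and PHP 8; the names `JOSE_PART_LEN`, `readDerInt` and `derToJose` and the sample bytes are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Octets per integer in a JWS ECDSA signature (RFC 7518, section 3.4).
const JOSE_PART_LEN = ['ES256' => 32, 'ES384' => 48, 'ES512' => 66];

// Read one DER INTEGER at $pos; return it as unsigned big-endian bytes.
function readDerInt(string $der, int &$pos): string
{
    $len = ord($der[$pos + 1] ?? "\xff");   // R and S always fit the short form
    $val = substr($der, $pos + 2, $len);
    if (($der[$pos] ?? '') !== "\x02" || $len === 0 || $len > 0x7f || strlen($val) !== $len) {
        throw new InvalidArgumentException('malformed DER INTEGER');
    }
    $pos += 2 + $len;
    return ltrim($val, "\x00");             // drop the sign-padding zero octet
}

// DER SEQUENCE { INTEGER r, INTEGER s } -> fixed-width R || S.
function derToJose(string $der, string $alg): string
{
    $n = JOSE_PART_LEN[$alg] ?? 0;
    $long = ($der[1] ?? '') === "\x81";     // long-form length, needed for ES512
    $pos = $long ? 3 : 2;
    $seqLen = ord($der[$pos - 1] ?? "\x00");
    if ($n === 0 || ($der[0] ?? '') !== "\x30" || (!$long && $seqLen > 0x7f)
        || $pos + $seqLen !== strlen($der)) {
        throw new InvalidArgumentException('malformed DER signature');
    }
    $r = readDerInt($der, $pos);
    $s = readDerInt($der, $pos);
    if ($pos !== strlen($der) || strlen($r) > $n || strlen($s) > $n) {
        throw new InvalidArgumentException('integer too large for ' . $alg);
    }
    // Left-pad each integer so the signature is always exactly 2 * $n octets.
    return str_pad($r, $n, "\x00", STR_PAD_LEFT) . str_pad($s, $n, "\x00", STR_PAD_LEFT);
}

// Constructed ES256 sample: R has its top bit set (33-byte INTEGER), S is 31 bytes.
$der = "\x30\x44\x02\x21\x00\xff" . str_repeat("\x11", 31) . "\x02\x1f" . str_repeat("\x22", 31);
$jose = derToJose($der, 'ES256');
printf("DER %d bytes -> JWS %d bytes\n", strlen($der), strlen($jose));
echo rtrim(strtr(base64_encode($jose), '+/', '-_'), '='), "\n";   // third JWT segment
```

A DER signature varies in length from one signing to the next, so a token whose signature segment does not decode to exactly 64, 96 or 132 octets for ES256, ES384 or ES512 is a quick sign that the conversion was skipped.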