Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Payload gets mangled by JWS signing with multiple recipients + unencoded payload #89

Closed
1 task done
nhartner opened this issue Aug 4, 2020 · 2 comments
Closed
1 task done

Payload gets mangled by JWS signing with multiple recipients + unencoded payload #89

nhartner opened this issue Aug 4, 2020 · 2 comments
Labels
bug Something isn't working

Comments

@nhartner
Copy link

nhartner commented Aug 4, 2020

Describe the bug

Using unencoded option (RFC7797) with multiple signatures/recipients causes the payload to the signed JWS to get garbled.

To Reproduce

Following code will reproduce the issue:

jose = require('jose')

var key1 = jose.JWK.generateSync('EC')
var key2 = jose.JWK.generateSync('EC')

var payload = 'test'
var signer = new jose.JWS.Sign(payload)
signer.recipient(key1, { b64: false, crit: ['b64'] }, {})
signer.recipient(key2, { b64: false, crit: ['b64'] }, {})
signer.sign('general')

The result is:

{
  payload: '��-',
  signatures: [
    {
      protected: 'eyJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdLCJhbGciOiJFUzI1NiJ9',
      header: {},
      signature: 'O63LN2RxA2aa3QoCAR2PmfJDciDGrzlJYOWF-d1JDiczHHWG_VdMZvNfof6QWvK3H3q-0LsfuCacdZng6ELLPA'
    },
    {
      protected: 'eyJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdLCJhbGciOiJFUzI1NiJ9',
      header: {},
      signature: 'fKWZYFlY0HWRrF1mb3TacaLMK_awINlVWriZkwK6Re7HxtznJu6jOL99mE4oA11U8w1k3p8-L9iUBsGZiRuxrA'
    }
  ]
}

Note: the weird characters in the payload. Should just be test.

Expected behaviour

The result should look like this:

{
  payload: 'test',
  signatures: [
    {
      protected: 'eyJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdLCJhbGciOiJFUzI1NiJ9',
      header: {},
      signature: 'O63LN2RxA2aa3QoCAR2PmfJDciDGrzlJYOWF-d1JDiczHHWG_VdMZvNfof6QWvK3H3q-0LsfuCacdZng6ELLPA'
    },
    {
      protected: 'eyJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdLCJhbGciOiJFUzI1NiJ9',
      header: {},
      signature: 'fKWZYFlY0HWRrF1mb3TacaLMK_awINlVWriZkwK6Re7HxtznJu6jOL99mE4oA11U8w1k3p8-L9iUBsGZiRuxrA'
    }
  ]
}

Environment:

  • jose version: [e.g. v1.27.2]
  • node version: [e.g. v14.5.0]

Additional context
Add any other context about the problem here.

The above code works as expected if only one recipient is added before signing.

  • [X ] the bug is happening on latest jose too.
  • i have searched the issues tracker on github for similar issues and couldn't find anything related.
@nhartner nhartner added the triage label Aug 4, 2020
@panva panva added bug Something isn't working and removed triage labels Aug 4, 2020
@panva
Copy link
Owner

panva commented Aug 4, 2020

Thanks for bringing this up.

@panva panva closed this as completed in 9383d10 Aug 4, 2020
panva added a commit that referenced this issue Aug 4, 2020
@panva
fix: do not mutate unencoded payload when signing for multiple parties
1695423 
resolves #89
@panva
Copy link
Owner

panva commented Aug 4, 2020

Fixed in v1.27.3.

@github-actions github-actions bot locked and limited conversation to collaborators Nov 3, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@panva @nhartner