When signing and verifying with ECDSA, this library will take the resulting R and S values and asn1.Marshal them. While this is the correct behavior for general ECDSA signing (for instance, this is how openssl does it in the general case), for JWS it's actually invalid. See https://tools.ietf.org/html/rfc7515#page-45
The result is that signatures produced on JWTs via this library cannot be validated elsewhere, and signatures produced elsewhere cannot be validated here.
For an example of how other libraries do it, see https://github.com/square/go-jose/blob/16bf7df8a3277fab10a591bc75b9fa0d24e7dab6/asymmetric.go#L511
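To make the mismatch concrete, here is an added example (not code from this library, from go-jose, or from the issue's author) that converts between the ASN.1 DER form produced by asn1.Marshal and the fixed-width R || S concatenation that JWS expects. The names `ecdsaSig`, `DERToJWS` and `JWSToDER` are hypothetical, and the signing input in `main` is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
	"math/big"
)

type ecdsaSig struct{ R, S *big.Int } // ASN.1 SEQUENCE { r, s }, as asn1.Marshal emits it

// DERToJWS converts a DER-encoded signature to the JWS form: R and S as
// fixed-width big-endian octets, concatenated (2 x 32 bytes for P-256).
func DERToJWS(der []byte, curve elliptic.Curve) ([]byte, error) {
	var sig ecdsaSig
	rest, err := asn1.Unmarshal(der, &sig)
	if err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("malformed DER signature")
	}
	n := (curve.Params().BitSize + 7) / 8
	if sig.R.Sign() <= 0 || sig.S.Sign() <= 0 || sig.R.BitLen() > n*8 || sig.S.BitLen() > n*8 {
		return nil, fmt.Errorf("r or s out of range")
	}
	out := make([]byte, 2*n)
	sig.R.FillBytes(out[:n]) // left-pads with zeros; plain Bytes() would drop them
	sig.S.FillBytes(out[n:])
	return out, nil
}

// JWSToDER does the reverse, rejecting any input that is not exactly 2n octets.
func JWSToDER(raw []byte, curve elliptic.Curve) ([]byte, error) {
	n := (curve.Params().BitSize + 7) / 8
	if len(raw) != 2*n {
		return nil, fmt.Errorf("JWS ECDSA signature has wrong length")
	}
	return asn1.Marshal(ecdsaSig{new(big.Int).SetBytes(raw[:n]), new(big.Int).SetBytes(raw[n:])})
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	digest := sha256.Sum256([]byte("header.payload")) // constructed signing input
	r, s, _ := ecdsa.Sign(rand.Reader, key, digest[:])
	der, _ := asn1.Marshal(ecdsaSig{r, s})
	jws, _ := DERToJWS(der, elliptic.P256())
	fmt.Printf("DER: %d bytes (variable), JWS: %d bytes (fixed)\n", len(der), len(jws))
}
```

A verifier that expects the JWS form will reject the DER bytes on length alone, which is why the two encodings do not interoperate.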