From 448b97796357a84f3f835f7bae838da49198cce8 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Fri, 8 Mar 2019 19:15:24 -0700 Subject: [PATCH] v1.1.7: bugfix ecdsa signature padding --- keyfetch.js | 16 ++++++++++------ package.json | 2 +- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/keyfetch.js b/keyfetch.js index eb46551..386f9ed 100644 --- a/keyfetch.js +++ b/keyfetch.js @@ -260,7 +260,8 @@ keyfetch.verify = function (opts) { return require('crypto') .createVerify(alg) .update(jwt.split('.')[0] + '.' + payload) - .verify(jwk.pem, sig, 'base64'); + .verify(jwk.pem, sig, 'base64') + ; } function convertIfEcdsa(header, b64sig) { @@ -272,7 +273,10 @@ keyfetch.verify = function (opts) { var hlen = bufsig.byteLength / 2; // should be even var r = bufsig.slice(0, hlen); var s = bufsig.slice(hlen); - // pad ambiguously non-negative BigInts + // unpad positive ints less than 32 bytes wide + while (!r[0]) { r = r.slice(1); } + while (!s[0]) { s = s.slice(1); } + // pad (or re-pad) ambiguously non-negative BigInts to 33 bytes wide if (0x80 & r[0]) { r = Buffer.concat([Buffer.from([0]), r]); } if (0x80 & s[0]) { s = Buffer.concat([Buffer.from([0]), s]); } @@ -286,7 +290,7 @@ keyfetch.verify = function (opts) { var buf = Buffer.concat([ Buffer.from(head) , Buffer.from([0x02, r.byteLength]), r - , Buffer.from([0x02, r.byteLength]), s + , Buffer.from([0x02, s.byteLength]), s ]); return buf.toString('base64') @@ -304,7 +308,7 @@ keyfetch.verify = function (opts) { } function verifyOne(jwk) { - if (verify(jwk, payload)) { + if (true === verify(jwk, payload)) { return decoded; } throw new Error('token signature verification was unsuccessful'); @@ -315,10 +319,10 @@ keyfetch.verify = function (opts) { if (jwks.some(function (jwk) { if (kid) { if (kid !== jwk.kid && kid !== jwk.thumbprint) { return; } - if (verify(jwk, payload)) { return true; } + if (true === verify(jwk, payload)) { return true; } throw new Error('token signature verification was unsuccessful'); } else { - if (verify(jwk, payload)) { return true; } + if (true === verify(jwk, payload)) { return true; } } })) { return decoded; diff --git a/package.json b/package.json index 47e8f6a..aa4dd67 100644 --- a/package.json +++ b/package.json @@ -29,5 +29,5 @@ "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, - "version": "1.1.6" + "version": "1.1.7" }