Right, the reference to the incoming signed data (the protected payload) is indeed available, but the read process will fail to complete if the verification process fails.

I'll need to make it more obvious in the docs.

Thanks, Sergey

On 12/05/17 17:24, Ilari Liusvaara wrote:
On Fri, May 12, 2017 at 05:03:51PM +0100, Sergey Beryozkin wrote:
Thanks for the initial feedback. I'm not following at the moment how any of
these attacks can affect it. Perhaps I'll need to work on making it more
obvious how it is all implemented.

Well, from the description I gathered that (partial) output is passed
to application before the signature is verified. This is bad. But
perhaps the description is just a bit misleading, and all input is
buffered until signature is verified, and only then is the signed
content sent to the application.

JWS has an issue where signatures and MACs can be confused, leading to
signature forgery if the JWS implementation is not careful.

JWE, when used with ECDH-ES with NIST curves, has an issue that
compromises the private decryption key if the JWE implementation is not
careful.


-Ilari


_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
