Skip to content
This repository has been archived by the owner on Dec 20, 2024. It is now read-only.

Invalid signature for JSF and XML examples #335

Open
andreas-hilti opened this issue Nov 2, 2024 · 1 comment
Open

Invalid signature for JSF and XML examples #335

andreas-hilti opened this issue Nov 2, 2024 · 1 comment
Assignees
@stevespringett
Labels
bug Something isn't working

Comments

@andreas-hilti
Copy link

The examples on https://cyclonedx.org/use-cases/#authenticity were modified over the years (e.g. the specification version), but the signature was not modified. Thus, the signature became invalid.

I managed to verify this JSF signature:
https://github.com/CycloneDX/cyclonedx.org/blob/e44cfc0576a5202450aad357e904ba0e9ea753f9/theme/_includes/examples/authenticity.html
roughly:

var str = [...] //json document without value
var strCanonical = new JsonCanonicalizer(str).GetEncodedString();
var publicJswKey = new JsonWebKey { Kty = "RSA", N= "qOSWbDOGS31lv3[...]", E= "AQAB" };
var encSignature = "HGIX_ccdIcqmaOpk[...]";
var signingProvider = new CryptoProviderFactory().CreateForVerifying(publicJswKey, "RS512");
var result = signingProvider.Verify(Encoding.UTF8.GetBytes(strCanonical), Base64UrlEncoder.DecodeBytes(encSignature));

(based on the current document, result = false)

I haven't yet managed to verify the initial xml document.
@stevespringett stevespringett self-assigned this Nov 3, 2024
@stevespringett
Copy link
Member

Thank you for pointing this out and the code example. We're in the process of completely rewriting the existing website and I'll make sure this gets incorporated.

@stevespringett stevespringett added the bug Something isn't working label Nov 3, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@stevespringett stevespringett

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@stevespringett @andreas-hilti