fix: update envelope.Payload() logic

Payload() returns the raw payload context instead of base64 encoded data

signature/jws/envelope.go

@@ -46,13 +46,8 @@ func ParseEnvelope(envelopeBytes []byte) (signature.Envelope, error) {
 
 // Sign signs the envelope and return the encoded message
 func (e *envelope) Sign(req *signature.SignRequest) ([]byte, error) {
-	ks, err := req.Signer.KeySpec()
-	if err != nil {
-		return nil, &signature.MalformedSignRequestError{Msg: err.Error()}
-	}
-	alg := ks.SignatureAlgorithm()
-
-	signedAttrs, err := getSignedAttrs(req, alg)
+	// get all attributes ready to be signed
+	signedAttrs, err := getSignedAttrs(req)
 	if err != nil {
 		return nil, err
 	}
@@ -129,12 +124,29 @@ func (e *envelope) Payload() (*signature.Payload, error) {
 	if e.internalEnvelope == nil {
 		return nil, &signature.MalformedSignatureError{Msg: "missing jws signature envelope"}
 	}
+	// parse protected header to get payload context type
 	protected, err := parseProtectedHeaders(e.internalEnvelope.Protected)
 	if err != nil {
 		return nil, err
 	}
+
+	// convert JWS to JWT
+	tokenString := compactJWS(e.internalEnvelope)
+
+	// parse JWT to get payload context
+	parser := jwt.NewParser(
+		jwt.WithValidMethods([]string{"PS256", "PS384", "PS512", "ES256", "ES384", "ES512"}),
+		jwt.WithJSONNumber(),
+		jwt.WithoutClaimsValidation(),
+	)
+	var claims jwtPayload
+	_, _, err = parser.ParseUnverified(tokenString, &claims)
+	if err != nil {
+		return nil, err
+	}
+
 	return &signature.Payload{
-		Content:     []byte(e.internalEnvelope.Payload),
+		Content:     claims,
 		ContentType: protected.ContentType,
 	}, nil
 }
@@ -197,11 +209,7 @@ func sign(payload jwtPayload, headers map[string]interface{}, signer signature.S
 		privateKey = localSigner.PrivateKey()
 	} else {
 		// remote signer
-		var err error
-		signingMethod, err = newRemoteSigningMethod(signer)
-		if err != nil {
-			return "", err
-		}
+		signingMethod = newRemoteSigningMethod(signer)
 	}
 	// generate token
 	token := jwt.NewWithClaims(signingMethod, payload)

signature/jws/jws.go

@@ -176,24 +176,27 @@ func generateJWS(compact string, req *signature.SignRequest, certs []*x509.Certi
 	}, nil
 }
 
-func getSignedAttrs(req *signature.SignRequest, sigAlg signature.Algorithm) (map[string]interface{}, error) {
+// getSignerAttrs merge extended signed attributes and protected header to be signed attributes
+func getSignedAttrs(req *signature.SignRequest) (map[string]interface{}, error) {
 	extAttrs := make(map[string]interface{})
 	crit := []string{headerKeySigningScheme}
 
+	// write extended signed attributes to the extAttrs map
 	for _, elm := range req.ExtendedSignedAttributes {
 		extAttrs[elm.Key] = elm.Value
 		if elm.Critical {
 			crit = append(crit, elm.Key)
 		}
 	}
 
-	alg, err := convertAlgorithm(sigAlg)
+	// extract JWT algorithm name from signer
+	jwtAlgorithm, err := extractJwtAlgorithm(req.Signer)
 	if err != nil {
 		return nil, err
 	}
 
 	jwsProtectedHeader := jwsProtectedHeader{
-		Algorithm:     alg,
+		Algorithm:     jwtAlgorithm,
 		ContentType:   req.Payload.ContentType,
 		SigningScheme: req.SigningScheme,
 	}

signature/jws/jwt.go

@@ -14,8 +14,8 @@ type remoteSigningMethod struct {
 	signer signature.Signer
 }
 
-func newRemoteSigningMethod(signer signature.Signer) (jwt.SigningMethod, error) {
-	return &remoteSigningMethod{signer: signer}, nil
+func newRemoteSigningMethod(signer signature.Signer) jwt.SigningMethod {
+	return &remoteSigningMethod{signer: signer}
 }
 
 // Verify doesn't need to be implemented.