Unable to verify digital signature with public key and detached payload

[shreyadalviatavendus]

Hi Team,

I have a response from the external API in the below format:

const inputData = {
   signature: 'eyJhbGciOiJSUzI1NiIsImtpZCI6InNhbXBsZS1rZXktaWQifQ..SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
   response: 'jdskhfgdjskfgkjsdhf'
};

The signature is without the payload check ("..") in inputData signature, and I am trying to verify the signature.

My public key format is:

PublicKey: {
   "kty": "RSA",
   "e": "AQAB",
   "use": "sig",
   "kid": "erityuiuerot",
   "n": "kjfghdsjkbfdasbf"
}

The inputData is:

const inputData = {
   signature: 'eyJhbGciOiJSUzI1NiIsImtpZCI6InNhbXBsZS1rZXktaWQifQ..SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
   response: 'jdskhfgdjskfgkjsdhf'
};

I am using the below code to verify it in nodejs:

const jose = require("node-jose");

async function createKeystore() {
    const keystore = jose.JWK.createKeyStore();

    // Add the public key to the keystore
    const key = await keystore.add({
        kty: 'RSA',
        kid: "erityuiuerot",
        use: 'sig',
        alg: 'RS256',
        n: "kjfghdsjkbfdasbf",
        e: 'AQAB'
    }, 'json');

    return keystore;
}

async function verifyDetachedJWS(jws, payload) {
    try {
        const keystore = await createKeystore();
        console.log("keystore", keystore);
        // Use JWS.createVerify to verify the token
        const verifier = jose.JWS.createVerify(keystore);

       const result = await verifier.verify(jws);

        console.log('Verification successful:', result);
    } catch (error) {
        console.error('Verification failed:', error);
    }
}

// Example JWS token (without payload) and payload (replace with your actual values)
const jws = 'eyJhbGciOiJSUzI1NiIsImtpZCI6InNhbXBsZS1rZXktaWQifQ..SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';


verifyDetachedJWS(jws, payload);

But I am getting the following error:

Verification failed: Error: no key found
    at processSig (/node_modules/node-jose/lib/jws/verify.js:132:22)

I am unable to figure out where the issue is. Can you please help me resolve this as soon as possible?

Do I need to use private for verification, if yes then please suggest code how to do it.

my private key is in below format :

PrivateKey : {
keys : [{
"p": "",
"kty": "RSA",
"q": "",
"d": "",
"e": "",
"use": "sig",
"kid": "",
"qi": "",
"dp": "",
"dq": "",
"n": ""
}]
};

Kindest Regards,
Shreya

[klimashkin]

The issue might affect all Node.js 20.12.0+ versions

https://nodejs.org/en/blog/vulnerability/february-2024-security-releases#nodejs-is-vulnerable-to-the-marvin-attack-timing-variant-of-the-bleichenbacher-attack-against-pkcs1-v15-padding-cve-2023-46809---medium

[webdevhu]

We're experiencing the same error. However, it works in our production environment running Node.js 14. Our test environment throws the error you mentioned running Node.js 14. We upgraded to Node.js 16 and the error remains. The code bases between both environments are the same, so we're not sure exactly how this is error came about.

Here's the line of code we see the error occurs:

jose.JWE.createDecrypt(JOSE_DECRYPT_KEY).decrypt(authorizationToken).then(function(jwt) { 
   // code here doesn't run
}

[webdevhu]

We're experiencing the same error. However, it works in our production environment running Node.js 14. Our test environment throws the error you mentioned running Node.js 14. We upgraded to Node.js 16 and the error remains. The code bases between both environments are the same, so we're not sure exactly how this is error came about.

Here's the line of code we see the error occurs:

jose.JWE.createDecrypt(JOSE_DECRYPT_KEY).decrypt(authorizationToken).then(function(jwt) { 
   // code here doesn't run
}

After consulting this community forum post, we realized our public and private keys were wrong, thus the error. After fixing them, no error was thrown.