Thank you for your library!
I must have something wrong or am missing something and need advice.
We host for various companies that use different identity providers and I wish to verify the signature of the received tokens. What I have put together verifies the signature, but if I replace the payload from a different provider, it still verifies. Is a new signature created using the header and payload, therefore verification will always pass?
```pascal
procedure Tfrm_Main.btnAccessIDClick(Sender: TObject);
var
  LRes: TStringDynArray;
  LToken: TJWT;
  LSigner: TJWS;
  LKeyPair: TKeyPair;
  sToken, sHeader, sPayload, sSignature, sAlg: String;
begin
  // Split the received compact token into header.payload.signature
  sToken := RESTResponse.JSONValue.FindValue('access_token').Format();
  LRes := SplitString(sToken, '.');
  if (Length(LRes) = 3) then
  begin
    sHeader := TBase64.Decode(LRes[0]);
    sPayload := TBase64.Decode(LRes[1]);
    sSignature := LRes[2];   // the signature as received
  end;
  try
    LToken := TJWT.Create(TJWTClaims);
    LToken.Header.JSON.Free;
    LToken.Header.JSON := TJSONObject(TJSONObject.ParseJSONValue(sHeader));
    ...
    // Serializes header + payload signed with LKeyPair.PrivateKey into FCompact
    if (FAlg.AsString = 'RS256') then
      FCompact := TJOSE.SerializeCompact(LKeyPair.PrivateKey.Key, FAlg, LToken);
    ...
      if (TJWS.CheckCompactToken(FCompact)) then
      begin
        // FCompact (not sToken) is what gets verified here
        LSigner.CompactToken := FCompact;
        if (LSigner.VerifySignature and LToken.Verified and (LToken.Claims.Expiration > Now)) then
        begin
          memo_Verify.Lines.Add('Token signature is verified');
        end
        else
        begin
          if not LSigner.VerifySignature then
            memo_Verify.Lines.Add('Token signature is not verified (LSigner)');
          if not LToken.Verified then
            memo_Verify.Lines.Add('Token is not verified (LToken)');
          if (LToken.Claims.Expiration < Now) then
            memo_Verify.Lines.Add('Token expired (LToken.Claims)');
        end;
      end;
    finally
      LSigner.Free;
      LKeyPair.Free;
    end;
  finally
    LToken.Free;
  end;
end;
```
`LSigner.VerifySignature` and `LToken.Verified` always pass.
I have been using an RSA pub/priv PEM I created. Do I need the clients' PEMs? Is there a setting to prevent regeneration of the signature and use the sig as is?
I also have a .NET version which uses the `kid` value in the header, pairing it with values in the `jwks_uri`, to verify the signature; is that option available with this library?
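The behaviour described above, as an added example that is not part of this post or of the library: a stdlib-only Python model using HS256 (an HMAC key stands in for the RS256 key pair; the principle is the same) that contrasts re-signing header.payload with a local key against verifying the signature exactly as received with the issuer's key selected by the header's `kid`. `ISSUER_KEYS`, `OUR_KEY`, the `kid` value and the sample claims are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, kid: str, key: bytes) -> str:
    # Issuer side: MAC over base64url(header).base64url(payload) with the issuer's key.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def check_mac(token: str, key: bytes) -> bool:
    # Recompute the MAC over the received header.payload; compare with the received signature.
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def verify_by_resigning(token: str, my_key: bytes) -> bool:
    # The pattern in the question: discard the received signature, re-sign header.payload
    # with OUR key and verify that fresh signature. It only proves we can sign, so any payload passes.
    header, payload, _discarded = token.split(".")
    mac = hmac.new(my_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return check_mac(f"{header}.{payload}.{b64url(mac)}", my_key)

def verify_as_received(token: str, keys_by_kid: dict, now: float) -> bool:
    # Correct pattern: pin alg, pick the issuer key by kid (a JWKS lookup), verify as received, check exp.
    header, payload, _sig = token.split(".")
    hdr = json.loads(b64url_decode(header))
    if hdr.get("alg") != "HS256":
        return False
    key = keys_by_kid.get(hdr.get("kid"))
    if key is None or not check_mac(token, key):
        return False
    return json.loads(b64url_decode(payload)).get("exp", 0) > now

ISSUER_KEYS = {"issuer-key-1": b"constructed-issuer-secret"}  # constructed: stands in for the provider's JWKS
OUR_KEY = b"constructed-local-secret"                          # constructed: our own locally generated key

def build_samples(exp: int = 2_000_000_000) -> tuple:
    # A genuine issuer token and a copy with the payload swapped but the original signature kept.
    good = sign_hs256({"sub": "alice", "exp": exp}, "issuer-key-1", ISSUER_KEYS["issuer-key-1"])
    head, _payload, sig = good.split(".")
    swapped = f"{head}.{b64url(json.dumps({'sub': 'mallory', 'exp': exp}).encode())}.{sig}"
    return good, swapped
```

Run `verify_by_resigning` on the swapped token and it reports success, which is exactly the symptom in the question; `verify_as_received` rejects it, and also rejects a genuine token when only our own key (rather than the issuer's) is available.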