The verification fails because key_ops does not meet the criteria of the SimpleJwkFilter created from the static method filterForInboundSigned(JsonWebSignature jws) in SelectorSupport. The public key looks something like this:
{
  "kid": "xxx",
  "use": "sig",
  "key_ops": [
    "sign"
  ],
  "kty": "xxx",
  "e": "xxx",
  "n": "xxx"
}
According to the SimpleJwkFilter, "key_ops" either has to be null or contain the value "verify" to match the criteria.
Is there some way to customize this behaviour in jose4j? Maybe skip validation of "key_ops"?
If you're using HttpsJwksVerificationKeyResolver, you could have a simple little subclass of HttpsJwks which unsets the "key_ops" on each JWK before the filter sees them. That'd look something like this:

And then instantiate the resolver like

new HttpsJwksVerificationKeyResolver(new MyHttpsJwks("https://bad.example.com/jwks"));
If you're using JwksVerificationKeyResolver, you can just do the same kind of thing to the JsonWebKey list before instantiating the resolver with it. Similar preprocessing on the list will also work if you are using VerificationJwkSelector or the SimpleJwkFilter directly.

FWIW, according to RFC 7517 the "use" and "key_ops" parameters shouldn't be used together and if they are, they are supposed to convey the same meaning. I would argue that the JWK in question isn't honoring that because the "key_ops" of "sign" says the key can be used to compute a digital signature while a "use" of "sig" says that the key can be used for digital signature operations in general (sign or verify).
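The preprocessing described in the answer above, written out as an added example rather than the answerer's own snippet: the subclass name KeyOpsStrippingHttpsJwks, the helper stripKeyOps and the JWKS URL are assumptions, and the RSA key is generated locally so nothing is fetched when the code runs. It covers both the HttpsJwks subclass path and the in-memory list path for JwksVerificationKeyResolver.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.JoseException;

public class KeyOpsStrippingExample {

    // Assumed subclass: clears "key_ops" on every JWK returned by the endpoint,
    // so SimpleJwkFilter sees a null key_ops and no longer rejects "sign"-only keys.
    public static class KeyOpsStrippingHttpsJwks extends HttpsJwks {
        public KeyOpsStrippingHttpsJwks(String location) {
            super(location);
        }

        @Override
        public List<JsonWebKey> getJsonWebKeys() throws JoseException, IOException {
            List<JsonWebKey> jwks = super.getJsonWebKeys();
            stripKeyOps(jwks);
            return jwks;
        }
    }

    // Same preprocessing for a list already in memory (JwksVerificationKeyResolver path).
    // Only key_ops is touched; "use" is left alone, so a "use":"enc" key is still filtered out.
    public static void stripKeyOps(List<JsonWebKey> jwks) {
        for (JsonWebKey jwk : jwks) {
            jwk.setKeyOps(null);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key shaped like the one in the question (generated, not real material).
        RsaJsonWebKey jwk = RsaJwkGenerator.generateJwk(2048);
        jwk.setKeyId("xxx");
        jwk.setUse("sig");
        jwk.setKeyOps(Arrays.asList("sign"));

        List<JsonWebKey> keys = new ArrayList<>();
        keys.add(jwk);
        stripKeyOps(keys);
        System.out.println("key_ops after stripping: " + jwk.getKeyOps());

        VerificationKeyResolver fromList = new JwksVerificationKeyResolver(keys);
        VerificationKeyResolver fromHttps = new HttpsJwksVerificationKeyResolver(
                new KeyOpsStrippingHttpsJwks("https://jwks.example.invalid/jwks")); // placeholder URL
    }
}
```

Because the strip happens on your side, the decision to trust a "sign"-only key for verification is now yours rather than the issuer's; restricting the resolver to the expected kid or algorithm keeps that decision narrow.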