jose4j

Jose4j: Unable to find a suitable verification key for JWS w/ header


The verification fails because key_ops does not meet the criteria of the SimpleJwkFilter created from static method filterForInboundSigned(JsonWebSignature jws) in SelectorSupport. The public key looks something like this:

{
  "kid": "xxx",
  "use": "sig",
  "key_ops": [
    "sign"
  ],
  "kty": "xxx",
  "e": "xxx",
  "n": "xxx"
}

According to the SimpleJwkFilter "key_ops" either has to be null or contain the value "verify" to match the criteria.

Is there some way to customize this behaviour in jose4j? Maybe skip validation of "key_ops"?


Solution

  • If you're using HttpsJwksVerificationKeyResolver, you could have a simple little subclass of HttpsJwks which unsets the "key_ops" on each JWK before the filter sees them. That'd look something like this:

    import java.io.IOException;
    import java.util.List;

    import org.jose4j.jwk.HttpsJwks;
    import org.jose4j.jwk.JsonWebKey;
    import org.jose4j.lang.JoseException;

    class MyHttpsJwks extends HttpsJwks
    {
        public MyHttpsJwks(String location)
        {
            super(location);
        }

        // Called by HttpsJwksVerificationKeyResolver on every lookup; clearing
        // "key_ops" here means the SimpleJwkFilter only sees "use" (null matches).
        @Override
        public List<JsonWebKey> getJsonWebKeys() throws JoseException, IOException
        {
            List<JsonWebKey> jsonWebKeys = super.getJsonWebKeys();
            for (JsonWebKey jwk : jsonWebKeys)
            {
                jwk.setKeyOps(null);
            }
            return jsonWebKeys;
        }
    }


    And then instantiate the resolver like new HttpsJwksVerificationKeyResolver(new MyHttpsJwks("https://bad.example.com/jwks"));

    If you're using JwksVerificationKeyResolver, you can just do the same kind of thing to the JsonWebKey list before instantiating the resolver with it. Similar preprocessing on the list will also work, if you are using VerificationJwkSelector or the SimpleJwkFilter directly.

    FWIW, according to RFC7517 the "use" and "key_ops" parameters shouldn't be used together and if they are, they are supposed to convey the same meaning. I would argue that the JWK in question isn't honoring that because the "key_ops" of "sign" says the key can be used to compute a digital signature while a "use" of "sig" says that the key can be used for digital signature operations in general (sign or verify).
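As an added example (not from the question or the answer above, and not jose4j's own code), the JwksVerificationKeyResolver variant of the preprocessing the answer describes. The helper name allowVerifyOnSigningKeys, the issuer and audience strings and the generated key are all constructed for this example. Rather than nulling "key_ops" outright, it adds "verify" only to keys already advertised with "use":"sig" and "sign", so keys published for other operations stay outside the verification path; the program first shows the resolver failing on the JWKS as published, then succeeding on the preprocessed list.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.lang.JoseException;

public class KeyOpsPreprocessingExample
{
    // Hypothetical helper (not part of jose4j): for keys advertised with
    // "use":"sig" and a "key_ops" that has "sign" but not "verify", add "verify"
    // so the inbound SimpleJwkFilter accepts them. Keys advertised for other
    // purposes (e.g. "encrypt") are left untouched, unlike a blanket setKeyOps(null).
    static List<JsonWebKey> allowVerifyOnSigningKeys(List<JsonWebKey> keys)
    {
        for (JsonWebKey jwk : keys)
        {
            List<String> ops = jwk.getKeyOps();
            if ("sig".equals(jwk.getUse()) && ops != null
                    && ops.contains("sign") && !ops.contains("verify"))
            {
                List<String> widened = new ArrayList<>(ops);
                widened.add("verify");
                jwk.setKeyOps(widened);
            }
        }
        return keys;
    }

    // A consumer pinned to one algorithm and the expected issuer/audience,
    // resolving verification keys from the given (possibly preprocessed) list.
    static JwtConsumer consumerFor(List<JsonWebKey> keys)
    {
        return new JwtConsumerBuilder()
                .setExpectedIssuer("https://issuer.example")
                .setExpectedAudience("api.example")
                .setRequireExpirationTime()
                .setVerificationKeyResolver(new JwksVerificationKeyResolver(keys))
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                        AlgorithmConstraints.ConstraintType.PERMIT,
                        AlgorithmIdentifiers.RSA_USING_SHA256))
                .build();
    }

    public static void main(String[] args) throws JoseException, InvalidJwtException
    {
        // Constructed test key, labelled the way the question's JWK is:
        // "use":"sig" together with "key_ops":["sign"].
        RsaJsonWebKey signingKey = RsaJwkGenerator.generateJwk(2048);
        signingKey.setKeyId("example-kid");
        signingKey.setUse("sig");
        signingKey.setKeyOps(Arrays.asList("sign"));

        // The JWKS a server would publish: public parameters only.
        String publishedJwks = new JsonWebKeySet(signingKey).toJson();

        // Mint a token with the private key, as the issuer would.
        JwtClaims claims = new JwtClaims();
        claims.setIssuer("https://issuer.example");
        claims.setAudience("api.example");
        claims.setSubject("alice");
        claims.setExpirationTimeMinutesInTheFuture(5);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(signingKey.getPrivateKey());
        jws.setKeyIdHeaderValue(signingKey.getKeyId());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        String jwt = jws.getCompactSerialization();

        // 1. JWKS as published: key_ops lacks "verify", so no key matches and
        //    the consumer fails with the "Unable to find a suitable verification key" error.
        List<JsonWebKey> asPublished = new JsonWebKeySet(publishedJwks).getJsonWebKeys();
        try
        {
            consumerFor(asPublished).processToClaims(jwt);
            System.out.println("unexpected: verified without preprocessing");
        }
        catch (InvalidJwtException e)
        {
            System.out.println("as published: " + e.getMessage());
        }

        // 2. Same JWKS after preprocessing: "verify" is present, the key matches
        //    and the signature is checked.
        List<JsonWebKey> widened = allowVerifyOnSigningKeys(
                new JsonWebKeySet(publishedJwks).getJsonWebKeys());
        JwtClaims verified = consumerFor(widened).processToClaims(jwt);
        System.out.println("after preprocessing: subject=" + verified.getSubject());
    }
}
```

The preprocessing runs on the list once, before the resolver is built, so it does not touch jose4j's filter logic itself; if the JWKS is fetched periodically, apply the same helper to each refreshed list (or move it into an HttpsJwks subclass as the answer shows).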