When using the VerifyJWS policy with "DetachedContent", is the payload/content still base64 encoded when Apigee generates the hash that is used to verify the JWS signature?
Yes.
This is a good question. Let me provide some additional background. I have a hard time being brief sometimes. This might be one of those times. I may provide more information than you asked for, but I want to do that in case anyone else has a similar question about JWS.
JWS, JSON Web Signing, is described in IETF RFC 7515. It is part of the "JOSE" suite of standards; JOSE stands for JSON Object Signing and Encryption. Here's the list:
moniker | name | RFC |
---|---|---|
JWS | JSON Web Signing | 7515 |
JWE | JSON Web Encryption | 7516 |
JWK | JSON Web Key | 7517 |
JWA | JSON Web Algorithm | 7518 |
JWT | JSON Web Token | 7519 |
The JWS spec, specifically in Section 5.1, describes how to compute and verify a JWS. Processors must construct the hash on the result of:
We can call the result of those steps "the signature base". The hash is performed on that signature base.
Verifying the signature would follow the same pattern.
Appendix F in that specification describes how to serialize with detached content. Serialization is independent of encoding or computing the signature.
So to answer your specific question, yes, VerifyJWS will base64-encode the payload, prior to constructing the signature base, when verifying the signature on a JWS with detached content.