A valid signature is failing verification. What are common non-cryptographic reasons for this, and how can they be mitigated?
Node.js interview question for Advanced practice.
Answer
A valid signature can fail verification if the data being verified does not exactly match the data that was originally signed, byte for byte. This often happens due to subtle differences introduced during transmission or processing.

Common Reasons & Mitigations:

1. JSON Canonicalization: A server signs a JSON object. The client re-parses and re-serializes it before verifying. The new serialization might have different key ordering or whitespace, causing the hash to be different and the verification to fail. Mitigation: Always canonicalize JSON before signing and verifying using a library (like canonical-json) that sorts keys and removes insignificant whitespace to produce a consistent string.
2. Character Encoding: The data was signed as UTF-8 but verified using a different encoding. Mitigation: Ensure a single, standard character encoding (UTF-8) is used consistently throughout.
3. Line Endings: Text data may have its line endings changed during transit (e.g., LF to CRLF). Mitigation: Normalize line endings before signing and verifying.
Explanation
Even a single byte difference between the data at signing time and verification time will cause a valid signature to fail verification.
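The three failure modes above, reproduced with Node's built-in crypto module as an added example that is not part of the original answer. The helper names (canonicalize, signPayload, verifyCanonical, verifyRaw) are hypothetical, the Ed25519 key and sample payload are constructed for the demo, and folding CRLF to LF inside string values assumes carriage returns carry no meaning in your data.

```javascript
const crypto = require('node:crypto');

// Hypothetical helper: sorted keys, no whitespace, CRLF/CR folded to LF in strings.
// Simplified stand-in for a canonicalization library (assumes JSON-safe values only).
function canonicalize(value) {
  if (typeof value === 'string') return JSON.stringify(value.replace(/\r\n?/g, '\n'));
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    const members = Object.keys(value).sort()
      .map((key) => JSON.stringify(key) + ':' + canonicalize(value[key]));
    return '{' + members.join(',') + '}';
  }
  return JSON.stringify(value); // numbers, booleans, null
}

// Always encode explicitly; the signature covers bytes, not characters.
const toBytes = (obj) => Buffer.from(canonicalize(obj), 'utf8');

// Constructed demo key pair; a real verifier would hold only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const signPayload = (obj) => crypto.sign(null, toBytes(obj), privateKey);
const verifyCanonical = (obj, sig) => crypto.verify(null, toBytes(obj), publicKey, sig);
const verifyRaw = (text, encoding, sig) =>
  crypto.verify(null, Buffer.from(text, encoding), publicKey, sig);

function demo() {
  // Constructed sample: what the signer held in memory.
  const sent = { user: 'zo\u00eb', note: 'line1\nline2', amount: 10 };
  const sig = signPayload(sent);
  // Same data after transit: keys reordered, LF rewritten to CRLF.
  const received = { amount: 10, note: 'line1\r\nline2', user: 'zo\u00eb' };
  return {
    // Plain JSON.stringify keeps the new key order and the CRLF: bytes differ.
    reserialized: verifyRaw(JSON.stringify(received), 'utf8', sig),
    // Correct string, wrong byte encoding of the non-ASCII character.
    wrongEncoding: verifyRaw(canonicalize(sent), 'latin1', sig),
    // Canonical form on both sides: same bytes, signature verifies.
    canonical: verifyCanonical(received, sig),
    // Canonicalization does not hide a real change to the data.
    tampered: verifyCanonical({ ...received, amount: 1000 }, sig),
  };
}

console.log(demo());
```

When a verification fails in production, logging a hash or hex dump of the exact bytes passed to sign and to verify on each side is usually the fastest way to find which of these differences is responsible.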