From 7c70e7b9700886dfad8e7555b909da8e079c88da Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Fri, 12 Nov 2021 11:12:22 +0100
Subject: [PATCH] fix: Compact JWS verification handles a zero-length payload string

---
 src/jws/compact/verify.ts | 6 +-----
 test/jws/compact.verify.test.mjs | 18 +++++++++++++++++-
 test/jws/flattened.verify.test.mjs | 11 +++++++++++
 test/jws/general.test.mjs | 12 ++++++++++++
 4 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/src/jws/compact/verify.ts b/src/jws/compact/verify.ts
index 392386baaa..083d1bef85 100644
--- a/src/jws/compact/verify.ts
+++ b/src/jws/compact/verify.ts
@@ -72,11 +72,7 @@ export async function compactVerify(
 }

 const verified = await flattenedVerify(
- {
- payload: (payload || undefined),
- protected: protectedHeader || undefined,
- signature: (signature || undefined),
- },
+ { payload, protected: protectedHeader, signature },
 [1]>key,
 options,
 )
diff --git a/test/jws/compact.verify.test.mjs b/test/jws/compact.verify.test.mjs
index 3b347dcc3b..502f05b0d1 100644
--- a/test/jws/compact.verify.test.mjs
+++ b/test/jws/compact.verify.test.mjs
@@ -1,9 +1,25 @@
 import test from 'ava'
+import * as crypto from 'crypto'

 const root = !('WEBCRYPTO' in process.env) ? '#dist' : '#dist/webcrypto'
-const { compactVerify } = await import(root)
+const { compactVerify, CompactSign } = await import(root)
+
+test.before(async (t) => {
+ t.context.secret = crypto.randomFillSync(new Uint8Array(32))
+})

 test('JWS format validation', async (t) => {
+ {
+ await t.notThrowsAsync(async () => {
+ await compactVerify(
+ await new CompactSign(new Uint8Array())
+ .setProtectedHeader({ alg: 'HS256' })
+ .sign(t.context.secret),
+ t.context.secret,
+ )
+ })
+ }
+
 await t.throwsAsync(compactVerify(null, new Uint8Array(0)), {
 message: 'Compact JWS must be a string or Uint8Array',
 code: 'ERR_JWS_INVALID',
diff --git a/test/jws/flattened.verify.test.mjs b/test/jws/flattened.verify.test.mjs
index 06118cda58..789e6746b4 100644
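Review bot: The replacement argument `{ payload, protected: protectedHeader, signature }` forwards all three segments unchanged, so an empty protected-header or signature segment now reaches `flattenedVerify` as `''` instead of `undefined`, although only the payload needed this to accept a zero-length value. Whether such tokens are still rejected depends on checks inside `flattenedVerify` that this hunk does not show, and the tests added by the commit cover only the accepted empty-payload case. I would add a rejection test for a compact JWS whose signature segment is empty, plus a comment above the call such as `// segments are forwarded as-is, '' included; flattenedVerify must reject an empty protected header or signature`. The body of `compactVerify` starts and ends outside this hunk.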
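Review bot: The new zero-length-payload block in test/jws/compact.verify.test.mjs asserts only that verification does not throw, so it never checks what was actually verified. Capturing the result, e.g. `const { payload } = await compactVerify(jws, t.context.secret)` followed by `t.is(payload.byteLength, 0)`, would pin that an empty payload comes back as empty rather than merely being accepted. The same applies to the added blocks in test/jws/flattened.verify.test.mjs and test/jws/general.test.mjs. The enclosing `test('JWS format validation', ...)` callback continues past the end of the hunk.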
--- a/test/jws/flattened.verify.test.mjs
+++ b/test/jws/flattened.verify.test.mjs
@@ -34,6 +34,17 @@ test('JWS format validation', async (t) => {
 })
 }

+ {
+ await t.notThrowsAsync(async () => {
+ await flattenedVerify(
+ await new FlattenedSign(new Uint8Array())
+ .setProtectedHeader({ alg: 'HS256' })
+ .sign(t.context.secret),
+ t.context.secret,
+ )
+ })
+ }
+
 {
 const jws = { ...fullJws }
 delete jws.signature
diff --git a/test/jws/general.test.mjs b/test/jws/general.test.mjs
index 979cd196ea..f971a6daba 100644
--- a/test/jws/general.test.mjs
+++ b/test/jws/general.test.mjs
@@ -81,6 +81,18 @@ test('General JWS verify format validation', async (t) => {

 const generalJws = await sig.sign()

+ {
+ await t.notThrowsAsync(async () => {
+ await generalVerify(
+ await new GeneralSign(new Uint8Array())
+ .addSignature(t.context.secret)
+ .setProtectedHeader({ alg: 'HS256' })
+ .sign(),
+ t.context.secret,
+ )
+ })
+ }
+
 {
 await t.throwsAsync(generalVerify(null, t.context.secret), {
 message: 'General JWS must be an object',