Exploit for CVE-2022-21449
Description

## Demo Project: CVE-2022-21449 Vulnerability

This project demonstrates CVE-2022-21449, which affects Java's ECDSA signature verification. An unpatched verifier accepts a signature whose values are both zero (r=0 and s=0), so a malicious actor can bypass signature verification. The project uses real and fake JWT tokens with EC signatures to showcase the issue on Java 17 without the security patch.

## Features

- Real JWT token: a valid JWT token signed with an EC private key.
- Fake JWT token: a JWT token with a zeroed signature (r=0, s=0).
- Validation: demonstrates how the vulnerability allows the fake token to pass validation.

## Prerequisites

- Java 17 (without the security patch for CVE-2022-21449).
- Maven for building the project.

## Project Structure

- JwtGenerator: generates real and fake JWT tokens.
- JwtUtils: validates JWT tokens using a public EC key.
- SecurityConfig: configures Spring Security to demonstrate token-based authentication.
- ProtectedController: provides endpoints to test token-based access control.

## How to Use the JwtGenerator Console App

The JwtGenerator class is a standalone console application that generates and prints both valid and fake JWT tokens.

### Steps to Run

1. Build the project:

```bash
mvn clean install
```

2. Run the JwtGenerator class:

```bash
mvn exec:java -Dexec.mainClass="com.symphony_solutions.demo.util.JwtGenerator"
```

3. Output: the application prints a valid JWT token and a fake JWT token with a zeroed signature.

Example (truncated on this page):

```
===…
```
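As an added example, not code from the demo project: a defensive ES256 verifier that checks that r and s lie in [1, n-1] before handing the signature to the JDK, so the zeroed signature carried by the fake token is rejected even on a runtime without the patch. The class and method names are assumptions; the P-256 group order and the `SHA256withECDSAinP1363Format` algorithm name are standard values.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import java.util.Base64;

/** Hypothetical helper: ES256 verification with an explicit range check on r and s. */
public final class Es256RangeCheckedVerifier {

    /** Order n of the NIST P-256 (secp256r1) group, the curve ES256 uses. */
    static final BigInteger P256_ORDER = new BigInteger(
            "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16);

    /** True only if both components lie in [1, n-1]; the pair (0, 0) fails this check. */
    static boolean componentsInRange(BigInteger r, BigInteger s) {
        return r.signum() > 0 && s.signum() > 0
                && r.compareTo(P256_ORDER) < 0 && s.compareTo(P256_ORDER) < 0;
    }

    /** Decodes the JWS signature part; ES256 uses raw r||s, 32 bytes each (RFC 7518 §3.4). */
    static byte[] decodeRawSignature(String signaturePart) {
        byte[] sig = Base64.getUrlDecoder().decode(signaturePart);
        if (sig.length != 64) {
            throw new IllegalArgumentException("ES256 signature must be exactly 64 bytes");
        }
        return sig;
    }

    /** Verifies an ES256 JWT, rejecting out-of-range components before asking the JDK. */
    static boolean verify(String jwt, PublicKey ecPublicKey) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            return false;
        }
        byte[] sig = decodeRawSignature(parts[2]);
        BigInteger r = new BigInteger(1, Arrays.copyOf(sig, 32));
        BigInteger s = new BigInteger(1, Arrays.copyOfRange(sig, 32, 64));
        if (!componentsInRange(r, s)) {
            return false; // the zeroed signature of the demo's fake token stops here
        }
        // P1363 format is raw r||s, so no DER re-encoding is needed (SunEC, JDK 9+).
        Signature verifier = Signature.getInstance("SHA256withECDSAinP1363Format");
        verifier.initVerify(ecPublicKey);
        verifier.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return verifier.verify(sig);
    }
}
```

A patched JDK performs the same range check internally; keeping it in the application layer means the outcome no longer depends on the runtime's patch level.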
