This repository was archived by the owner on Dec 20, 2024. It is now read-only.

Description
The examples on https://cyclonedx.org/use-cases/#authenticity were modified over the years (e.g. the specification version), but the signature was not modified. Thus, the signature became invalid.
I managed to verify this JSF signature:
https://github.com/CycloneDX/cyclonedx.org/blob/e44cfc0576a5202450aad357e904ba0e9ea753f9/theme/_includes/examples/authenticity.html
roughly:
```csharp
using System.Text;
using Microsoft.IdentityModel.Tokens; // JsonWebKey, CryptoProviderFactory, Base64UrlEncoder
using Org.Webpki.JsonCanonicalizer;   // JsonCanonicalizer (RFC 8785); assumed: the webpki .NET canonicalizer package

var str = [...]; // the JSON document with the signature's "value" property removed, as JSF requires
var strCanonical = new JsonCanonicalizer(str).GetEncodedString(); // JCS canonical form that was signed
var publicJwk = new JsonWebKey { Kty = "RSA", N = "qOSWbDOGS31lv3[...]", E = "AQAB" }; // the key embedded in the signature object
var encSignature = "HGIX_ccdIcqmaOpk[...]"; // the Base64URL "value" property
var signingProvider = new CryptoProviderFactory().CreateForVerifying(publicJwk, "RS512");
var result = signingProvider.Verify(Encoding.UTF8.GetBytes(strCanonical), Base64UrlEncoder.DecodeBytes(encSignature));
```
(based on the current document, result = false)
I haven't yet managed to verify the initial XML document.
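The verification flow described in this issue, as an added example that is not part of the original report or of CycloneDX's own code: a JSF RS512 signer and verifier in Go (chosen because its standard library covers RSA, SHA-512 and Base64URL), run on a constructed BOM-like document. The sample document, the generated key and all function names are this example's own assumptions. `Demo` signs the document, verifies it, then bumps `specVersion` without re-signing, which is exactly what the issue reports, and the verifier returns false for the edited copy. The canonicalizer rides on Go's JSON encoder, which matches RFC 8785 output only for the input class stated in its comment; production code should use a real JCS implementation.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
)

// Constructed sample shaped like a minimal CycloneDX BOM; not a document from the page.
const sampleBOM = `{"bomFormat": "CycloneDX", "specVersion": "1.2", "version": 1,
  "components": [{"type": "library", "name": "acme-lib", "version": "1.0.0"}]}`

var b64 = base64.RawURLEncoding // unpadded Base64URL, as JSF and JWK use

// Decode parses JSON, keeping numbers as their source literals (json.Number).
func Decode(data []byte) (doc map[string]interface{}, err error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.UseNumber()
	err = dec.Decode(&doc)
	return
}

// Canonical renders doc as JCS (RFC 8785) does for this input class: no whitespace, sorted
// member names (Go's byte order equals the UTF-16 order for BMP names), integer literals
// unchanged, no HTML escaping. Assumption: inputs contain no \b, \f, U+2028/9 or non-integer
// numbers, where Go's encoder and RFC 8785 differ; production code needs a real JCS library.
func Canonical(doc map[string]interface{}) ([]byte, error) {
	var b bytes.Buffer
	enc := json.NewEncoder(&b)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(doc); err != nil {
		return nil, err
	}
	return bytes.TrimRight(b.Bytes(), "\n"), nil
}

// SignJSF attaches a JSF signature object (RS512, embedded RSA JWK) to doc in place.
func SignJSF(doc map[string]interface{}, priv *rsa.PrivateKey) error {
	jwk := map[string]interface{}{"kty": "RSA", "n": b64.EncodeToString(priv.N.Bytes()),
		"e": b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	sig := map[string]interface{}{"algorithm": "RS512", "publicKey": jwk}
	doc["signature"] = sig // signed while "value" is absent, as JSF prescribes
	c, err := Canonical(doc)
	if err != nil {
		return err
	}
	h := sha512.Sum512(c) // RS512 = RSASSA-PKCS1-v1_5 over SHA-512
	s, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, h[:])
	sig["value"] = b64.EncodeToString(s)
	return err
}

// VerifyJSF checks a JSF-signed document against the RSA JWK it embeds: (false, nil) for
// a signature that does not match, an error for a malformed signature object.
func VerifyJSF(data []byte) (bool, error) {
	doc, err := Decode(data)
	if err != nil {
		return false, err
	}
	str := func(m map[string]interface{}, k string) string { s, _ := m[k].(string); return s }
	sig, _ := doc["signature"].(map[string]interface{})
	jwk, _ := sig["publicKey"].(map[string]interface{})
	nb, errN := b64.DecodeString(str(jwk, "n"))
	eb, errE := b64.DecodeString(str(jwk, "e"))
	sb, errS := b64.DecodeString(str(sig, "value"))
	if str(sig, "algorithm") != "RS512" || str(jwk, "kty") != "RSA" || errN != nil || errE != nil || errS != nil {
		return false, errors.New("expected an RS512 JSF signature with an embedded RSA key")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	delete(sig, "value") // JSF excludes the value property from the signed data
	c, err := Canonical(doc)
	if err != nil {
		return false, err
	}
	h := sha512.Sum512(c)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA512, h[:], sb) == nil, nil
}

// Demo reproduces the issue: sign, verify, then bump specVersion without re-signing.
func Demo() (okOriginal, okEdited bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	doc, _ := Decode([]byte(sampleBOM)) // constant input, known to parse
	if err = SignJSF(doc, priv); err != nil {
		return
	}
	signed, _ := json.MarshalIndent(doc, "", "  ") // pretty-printed; the verifier re-canonicalizes
	if okOriginal, err = VerifyJSF(signed); err != nil {
		return
	}
	doc["specVersion"] = "1.3" // the kind of edit the page's examples received over the years
	edited, _ := json.Marshal(doc)
	okEdited, err = VerifyJSF(edited)
	return
}
```

`VerifyJSF` deliberately rebuilds the public key from the JWK inside the document, which is what JSF's embedded-key mode does; it proves only that the signature and the document agree, not who signed it. Trust in the key has to come from elsewhere (a pinned key or a certificate chain), which is the same caveat that applies to the page's examples.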