Closed rootmos closed 7 years ago
Hi @rootmos. Thanks for your effort, but I do not intend to accept this change to the library. The RFC 7518 (https://tools.ietf.org/html/rfc7518#section-3.2) is unambiguous:
A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this algorithm.
Hopefully you can convince the third party to come into conformance to the standard. Otherwise you may have to carry a patched version of hs-jose or use a different library that permits the use of invalid keys.
We had the misfortune of interacting with a third party signing their JWTs with too short keys. The added `signOct'` function does not perform the key length check, and using it (instead of `signOct`) during verification resolves this issue. In a perfect world this would not be needed. Do you agree with this pragmatic change? Or do you prefer adding a `verify'`?
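As an added illustration of the RFC 7518 section 3.2 rule the maintainer cites (example code written for this thread, not hs-jose's own implementation), here is a minimal HMAC JWS verifier that refuses keys shorter than the hash output; `sign_unchecked` models the non-conforming third party and its key is a constructed sample.

```python
import base64
import hashlib
import hmac
import json

# Minimum key size in bytes: the hash output length (RFC 7518 section 3.2).
MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_unchecked(header: dict, payload: dict, key: bytes) -> str:
    """Produce a compact JWS without any key-length check (models the third party)."""
    alg = header["alg"]
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode(), HASHES[alg]).digest()
    return signing_input + "." + b64url_encode(mac)


def verify(token: str, key: bytes) -> dict:
    """Return the payload, or raise ValueError. Short keys are rejected before any MAC work."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg not in MIN_KEY_BYTES:
        raise ValueError(f"unsupported alg: {alg!r}")
    if len(key) < MIN_KEY_BYTES[alg]:
        raise ValueError(f"{alg} key must be at least {MIN_KEY_BYTES[alg]} bytes (RFC 7518 3.2)")
    expected = hmac.new(key, f"{h}.{p}".encode(), HASHES[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(p))
```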