Relax verification of JWSs signed with too short keys

frasertweedale / hs-jose

Haskell JOSE and JWT library

http://hackage.haskell.org/package/jose

Apache License 2.0

122 stars 46 forks source link

Relax verification of JWSs signed with too short keys #57

Closed rootmos closed 7 years ago

rootmos commented 7 years ago

We had the misfortune of interacting with a third-party signing their JWT:s with too short keys. The added signOct' function does not perform the key length check and using it (instead of signOct) during verification resolves this issue.

In a perfect world this would not be needed. Do you agree with this pragmatic change? Or do you prefer adding a verify'?

frasertweedale commented 7 years ago

Hi @rootmos. Thanks for your effort, but I do not intend to accept this change to the library. The RFC 7518 (https://tools.ietf.org/html/rfc7518#section-3.2) is unambiguous:

A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this algorithm.

Hopefully you can convince the third party to come into conformance to the standard. Otherwise you may have to carry a patched version of hs-jose or use a different library that permits the use of invalid keys.