Closed ecthiender closed 6 years ago
See https://tools.ietf.org/html/rfc7518#section-3.2:
A key of the same size as the hash output (for instance, 256 bits for
"HS256") or larger MUST be used with this algorithm. (This
requirement is based on Section 5.3.4 (Security Effect of the HMAC
Key) of NIST SP 800-117 [NIST.800-107], which states that the
effective security strength is the minimum of the security strength
of the key and two times the size of the internal hash value.)
This issue is a duplicate of #46. Have a look at the key sanity check function in https://github.com/frasertweedale/hs-jose/commit/59ca5e656370e5b7812faadf5234aa9b0724e782, which I have not merged yet. Does this meet your needs?
Closing this ticket. Discussion can continue at #46.
When JWT verification is done via verifyClaims it results in JWSInvalidSignature when using a secret key less than 32 characters (256 bits) long.

Steps to reproduce:
Go to https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4ifQ.8OB07dpDCXm3FBT5I7v64oX2XoTqpLsj7OSdDWX8k6s
Use a secret less than 32 characters long (e.g. "mysecret").
Copy the resulting JWT and run:
Actual output:
Expected output: I don't know what the spec says; I did not read the spec. But it should be either of the following two:
Left (JWSError KeySizeTooSmall)
Version: 0.7.0.0
PS: ClaimsSet.