New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MAC keys insufficient requirement #92

Open

tanguilp opened this issue Jun 24, 2020 · 0 comments

Labels

bug enhancement

Milestone

tanguilp commented Jun 24, 2020

According to RFC7518 - section 3.2:

A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this algorithm

seems to not be respected when MACing. For instance:

iex> JOSE.JWK.generate_key({:oct, 3}) |> JOSE.JWS.sign("some text", %{"alg" => "HS256"})
{%{alg: :jose_jws_alg_hmac},
 %{
   "payload" => "c29tZSB0ZXh0",
   "protected" => "eyJhbGciOiJIUzI1NiJ9",
   "signature" => "a_NlCa7P1CqQsSRPEydkTsMvMntCjl6pMvEPW7vr98s"
 }}

should fail.

potatosalad added bug enhancement labels

potatosalad added this to the jose 1.12.0 milestone

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment