Hi, We are a research group dedicated to helping developers build secure applications. We have developed a cryptographic misuse detector that focuses on the secure implementation and use of JSON Web Tokens (JWT). While analyzing your impressive public repository, our detector identified several security concerns.
Specifically, we found that the HMAC and RSA key lengths used in your JSON Web Signature (JWS) implementation do not meet recommended security standards (RFC 7518, NIST SP800-117, RFC 2437). According to CWE-326 (Inadequate Encryption Strength), using keys that are too short can lead to serious vulnerabilities and potential attacks.
We kindly suggest reviewing and updating the key lengths to ensure that your cryptographic implementations adhere to best practices and maintain robust security.
Thank you for your attention.
I'm going to close this as the keysize is not something that is enforced by this library. Currently more recent versions of OpenSSL are enforcing some key sizes and those restrictions apply to the users of this gem also.
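Since the reply above leaves key-size enforcement to callers, here is a caller-side check as an added example; it is not code from the gem or from either participant in this thread. It uses the RFC 7518 minimums (HMAC key at least as long as the hash output, RSA modulus of 2048 bits or more); `MIN_KEY_BITS`, `WeakKeyError`, `jws_key_bits` and `check_jws_key!` are hypothetical names.

```ruby
require "openssl"

# Minimum key sizes in bits. RFC 7518 section 3.2: an HMAC key must be at
# least as long as the hash output. Section 3.3: RSA keys must be 2048+ bits.
MIN_KEY_BITS = {
  "HS256" => 256,  "HS384" => 384,  "HS512" => 512,
  "RS256" => 2048, "RS384" => 2048, "RS512" => 2048
}.freeze

# Hypothetical error class raised when a key is below the minimum.
class WeakKeyError < StandardError; end

# Returns the key size in bits for the given JWS algorithm.
# For HMAC this is the byte length times 8: it measures length, not entropy,
# so a long but guessable passphrase still passes this check.
def jws_key_bits(alg, key)
  case alg
  when /\AHS/
    raise ArgumentError, "HMAC key must be a String" unless key.is_a?(String)
    key.bytesize * 8
  when /\ARS/
    unless key.is_a?(OpenSSL::PKey::RSA)
      raise ArgumentError, "RSA key must be an OpenSSL::PKey::RSA"
    end
    key.n.num_bits # size of the modulus
  else
    raise ArgumentError, "unsupported alg: #{alg.inspect}"
  end
end

# Raises WeakKeyError when the key is too short for alg, otherwise returns
# the measured size. Algorithms outside the table (including "none") are
# rejected rather than passed through.
def check_jws_key!(alg, key)
  min = MIN_KEY_BITS.fetch(alg) do
    raise ArgumentError, "unsupported alg: #{alg.inspect}"
  end
  bits = jws_key_bits(alg, key)
  raise WeakKeyError, "#{alg} key is #{bits} bits, minimum is #{min}" if bits < min
  bits
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample keys: a short literal and 32 random bytes.
  { "secret" => "HS256", OpenSSL::Random.random_bytes(32) => "HS256" }.each do |key, alg|
    begin
      puts "#{alg}: ok, #{check_jws_key!(alg, key)} bits"
    rescue WeakKeyError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

Call `check_jws_key!` once where the signing or verification key is loaded, before handing it to the JWT library.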