Description
Hi,
We are a research group dedicated to helping developers build secure and standards-compliant cryptographic software. As part of an ongoing study on JWT security, we developed an automated detector for identifying cryptographic misuse and insecure API design patterns in JWT libraries.
While analyzing your impressive public repository, our system identified several security issues that may impact the robustness of your JSON Web Signature (JWS) implementation:
- Insecure Key Length Acceptance
Your implementation allows the use of weak cryptographic keys in JWS:
HMAC: The system permits HMAC keys shorter than the recommended 112 bits (e.g., keys of 16 or 32 bytes). This violates CWE-326: Inadequate Encryption Strength and opens the door to brute-force attacks.
We recommend enforcing stronger key length validation for HMAC in your signing API to prevent cryptographic downgrade risks.
- Incorrect Curve Handling in ECDSA (ES256)
We also discovered that your library permits public keys generated over the P-256 curve to be used for signature generation, even when the JWT header explicitly specifies "alg": "ES512". This is a standards violation and introduces a dangerous algorithm downgrade scenario.
According to RFC 7518, Section 3.4, ES512 must use the P-521 curve. Allowing weaker curves can be exploited to mount signature confusion or cryptographic downgrade attacks.
- Recommendation and Responsible Disclosure
We strongly encourage:
  - Strict enforcement of key length requirements for all supported algorithms.
  - Curve parameter validation to ensure alignment with the declared JWT algorithm.
  - Rejecting any JWTs where the key type or curve does not strictly match the alg header.
Thank you for your attention to these issues and for your work in supporting the open-source security ecosystem.
Best regards.
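The three recommendations in the report above, as an added example in Python that is not code from the repository under discussion or from the report's authors. It binds a key to the declared JWS `alg` before any signing or verification happens: HMAC keys must be at least the hash output size (RFC 7518 Section 3.2, so 256 bits for HS256), ES256/ES384/ES512 are pinned to P-256/P-384/P-521 (Section 3.4), and RSA moduli must be at least 2048 bits (Section 3.3), which goes one step beyond the HMAC and ECDSA cases the report names. The verifier takes the expected `alg` from the caller rather than from the token header, so a header that says `ES256` cannot steer an HMAC key into the wrong code path. It assumes keys are supplied as JWK dictionaries (RFC 7517); the sample JWKs, the `check_key_for_alg`, `sign_hs`, `verify_hs` and `rejects*` names, and the filler `x`/`y` bytes in the EC key (not real curve points; only `crv` is compared) are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Thresholds from RFC 7518: HMAC key >= hash output (3.2), RSA modulus >= 2048
# bits (3.3), each ES* algorithm bound to exactly one curve (3.4).
HMAC_MIN_KEY_BITS = {"HS256": 256, "HS384": 384, "HS512": 512}
ECDSA_CURVE = {"ES256": "P-256", "ES384": "P-384", "ES512": "P-521"}
RSA_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"}
RSA_MIN_MODULUS_BITS = 2048


class KeyAlgMismatch(Exception):
    """Raised when a key must not be used with the declared 'alg'."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def check_key_for_alg(jwk: dict, alg: str) -> None:
    """Refuse any JWK whose type, size or curve does not match alg."""
    kty = jwk.get("kty")
    if alg in HMAC_MIN_KEY_BITS:
        if kty != "oct":
            raise KeyAlgMismatch(f"{alg} requires kty=oct, got {kty!r}")
        key_bits = len(b64url_decode(jwk["k"])) * 8
        if key_bits < HMAC_MIN_KEY_BITS[alg]:
            raise KeyAlgMismatch(f"{alg} needs >= {HMAC_MIN_KEY_BITS[alg]}-bit key, got {key_bits}")
    elif alg in ECDSA_CURVE:
        if kty != "EC":
            raise KeyAlgMismatch(f"{alg} requires kty=EC, got {kty!r}")
        if jwk.get("crv") != ECDSA_CURVE[alg]:
            raise KeyAlgMismatch(f"{alg} requires crv={ECDSA_CURVE[alg]}, got {jwk.get('crv')!r}")
    elif alg in RSA_ALGS:
        if kty != "RSA":
            raise KeyAlgMismatch(f"{alg} requires kty=RSA, got {kty!r}")
        n_bits = int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()
        if n_bits < RSA_MIN_MODULUS_BITS:
            raise KeyAlgMismatch(f"{alg} needs >= {RSA_MIN_MODULUS_BITS}-bit modulus, got {n_bits}")
    else:
        # Allow-list only: this also rejects "none" and unknown algorithms.
        raise KeyAlgMismatch(f"unsupported alg {alg!r}")


def rejects(jwk: dict, alg: str) -> bool:
    """True if check_key_for_alg refuses this key/alg pair."""
    try:
        check_key_for_alg(jwk, alg)
    except KeyAlgMismatch:
        return True
    return False


def sign_hs(payload: dict, jwk: dict, alg: str) -> str:
    """Produce a compact HS* JWS; the key is validated before it is used."""
    check_key_for_alg(jwk, alg)
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(jwk["k"]), f"{head}.{body}".encode(),
                   getattr(hashlib, "sha" + alg[2:])).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"


def verify_hs(token: str, jwk: dict, expected_alg: str) -> dict:
    """Verify a compact HS* JWS. The caller, not the token header, fixes alg."""
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    if header.get("alg") != expected_alg:
        raise KeyAlgMismatch(f"header alg {header.get('alg')!r} != expected {expected_alg!r}")
    check_key_for_alg(jwk, expected_alg)
    if expected_alg not in HMAC_MIN_KEY_BITS:
        raise KeyAlgMismatch("this example only verifies HS* signatures")
    mac = hmac.new(b64url_decode(jwk["k"]), f"{head}.{body}".encode(),
                   getattr(hashlib, "sha" + expected_alg[2:])).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise KeyAlgMismatch("signature mismatch")
    return json.loads(b64url_decode(body))


def rejects_token(token: str, jwk: dict, expected_alg: str) -> bool:
    """True if verify_hs refuses the token (mismatch, malformed or bad MAC)."""
    try:
        verify_hs(token, jwk, expected_alg)
    except (KeyAlgMismatch, ValueError):
        return True
    return False


# Constructed sample keys for this example (not real secrets or curve points).
SHORT_HMAC_JWK = {"kty": "oct", "k": b64url_encode(bytes(range(16)))}  # 128-bit
OK_HMAC_JWK = {"kty": "oct", "k": b64url_encode(bytes(range(32)))}     # 256-bit
EC_P256_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url_encode(b"\x11" * 32), "y": b64url_encode(b"\x22" * 32)}
WEAK_RSA_JWK = {"kty": "RSA", "e": "AQAB",
                "n": b64url_encode(((1 << 1023) | 1).to_bytes(128, "big"))}  # 1024-bit

if __name__ == "__main__":
    print("ES512 with P-256 key rejected:", rejects(EC_P256_JWK, "ES512"))
    print("HS256 with 128-bit key rejected:", rejects(SHORT_HMAC_JWK, "HS256"))
    print("round trip:", verify_hs(sign_hs({"sub": "alice"}, OK_HMAC_JWK, "HS256"), OK_HMAC_JWK, "HS256"))
```

The same `check_key_for_alg` runs on both the signing and the verifying side, which is what makes the P-256-under-ES512 case in the report fail closed instead of silently producing or accepting a signature over the wrong curve. A library that already wraps an existing crypto backend would keep that backend for the actual ECDSA and RSA operations and add only this gate in front of it.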