Skip to content

Commit

Permalink
fix: allow shorter HMAC secrets
Browse files Browse the repository at this point in the history
With workarounds available its enforcement is just adding extra code
that annoys developers.
  • Loading branch information
panva committed Nov 1, 2021
1 parent 4f99309 commit 57126f1
Show file tree
Hide file tree
Showing 3 changed files with 0 additions and 34 deletions.
8 changes: 0 additions & 8 deletions src/runtime/browser/check_key_length.ts
Original file line number Diff line number Diff line change
@@ -1,12 +1,4 @@
export default (alg: string, key: CryptoKey) => {
if (alg.startsWith('HS')) {
const bitlen = parseInt(alg.substr(-3), 10)
const { length } = <HmacKeyAlgorithm>key.algorithm
if (typeof length !== 'number' || length < bitlen) {
throw new TypeError(`${alg} requires symmetric keys to be ${bitlen} bits or larger`)
}
}

if (alg.startsWith('RS') || alg.startsWith('PS')) {
const { modulusLength } = <RsaKeyAlgorithm>key.algorithm
if (typeof modulusLength !== 'number' || modulusLength < 2048) {
Expand Down
4 changes: 0 additions & 4 deletions src/runtime/node/sign.ts
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,6 @@ const sign: SignFunction = async (alg, key: unknown, data) => {
const keyObject = getSignKey(alg, key, 'sign')

if (alg.startsWith('HS')) {
const bitlen = parseInt(alg.substr(-3), 10)
if (!keyObject.symmetricKeySize || keyObject.symmetricKeySize << 3 < bitlen) {
throw new TypeError(`${alg} requires symmetric keys to be ${bitlen} bits or larger`)
}
const hmac = crypto.createHmac(hmacDigest(alg), keyObject)
hmac.update(data)
return hmac.digest()
Expand Down
22 changes: 0 additions & 22 deletions test/jws/restrictions.test.mjs
Original file line number Diff line number Diff line change
Expand Up @@ -63,28 +63,6 @@ Promise.all([
}
})

async function testHMAC(t, alg) {
const size = parseInt(alg.substr(-3), 10)
const message = `${alg} requires symmetric keys to be ${size} bits or larger`
const secret = crypto.randomFillSync(new Uint8Array((size >> 3) - 1))
await t.throwsAsync(
new FlattenedSign(t.context.payload).setProtectedHeader({ alg }).sign(secret),
{ instanceOf: TypeError, message },
)

const jws = await new FlattenedSign(t.context.payload)
.setProtectedHeader({ alg })
.sign(crypto.randomFillSync(new Uint8Array(size >> 3)))

await t.throwsAsync(flattenedVerify(jws, secret), { instanceOf: TypeError, message })
}
testHMAC.title = (title, alg) =>
`${alg} requires symmetric keys to be ${alg.substr(-3)} bits or larger`

test(testHMAC, 'HS256')
test(testHMAC, 'HS384')
test(testHMAC, 'HS512')

async function testRSAsig(t, alg) {
const message = `${alg} requires key modulusLength to be 2048 bits or larger`
const keyBad = t.context.rsa2040
Expand Down

0 comments on commit 57126f1

Please sign in to comment.