Darran Lofthouse commented on WFWIP-288:
----------------------------------------
Ok, this seems to be an ambiguity within the specification.
So section 4.1 of the MP JWT specification states that "alg" must be set to
"RS256".
Then section 9.2 of the MP JWT specification states that key sizes of 1024 and 2048 are
required to be supported, hence this bug report.
However, if I consult the RFC which defines the "RS256" algorithm, it clearly
states a minimum key size of 2048 bits:
https://tools.ietf.org/html/rfc7518#section-3.3
I suspect that section 9.2 of the specification may be from an older version and pre-date
the requirement to use RS256. Regardless, I do not believe it would be intentional for the
MP JWT spec to bypass the minimal key size, so I will raise an issue against the
specification.
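The conflict above is between what a verifier is allowed to accept for "RS256" (RFC 7518 section 3.3: RSA keys of 2048 bits or larger) and what MP JWT section 9.2 asks it to support. The following is an added example, not code from WildFly, SmallRye or the MP JWT specification: a minimal RS256 signer and verifier in Go (standard library only) where the verifier applies the RFC 7518 minimum before doing any signature math. The function names (SignRS256, VerifyRS256, Demo), the claim values and the error names are assumptions made for the example; minting a token with a 1024-bit key and watching it fail reproduces the rejection this ticket reports.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// MinRS256KeyBits is the minimum RSA modulus size that RFC 7518 section 3.3
// requires for RS256 (and RS384/RS512).
const MinRS256KeyBits = 2048

var (
	ErrKeyTooSmall  = errors.New("rs256: RSA key smaller than 2048 bits (RFC 7518 section 3.3)")
	ErrBadSignature = errors.New("rs256: signature verification failed")
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 mints a compact JWT (header.payload.signature) with alg=RS256.
// It deliberately does not check the key size, so it can produce the
// 1024-bit token from the bug report. (Hypothetical helper, not WildFly's.)
func SignRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pb, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(hb) + "." + b64(pb)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyRS256 validates an RS256 compact JWT against pub. The key-size
// check runs first: a key below the RFC 7518 minimum is refused before the
// signature is even looked at, which is what a strictly conforming verifier
// does and what the reporter observed as a 401. (Hypothetical verifier.)
func VerifyRS256(pub *rsa.PublicKey, token string) (map[string]interface{}, error) {
	if pub.N.BitLen() < MinRS256KeyBits {
		return nil, ErrKeyTooSmall
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("rs256: malformed compact JWT")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: never let the token choose something other than RS256.
	if err := json.Unmarshal(hb, &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("rs256: header alg is not RS256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, ErrBadSignature
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// Demo generates a key of the given size, mints a token with it and reports
// whether the verifier accepts it. A key-size rejection is reported as
// accepted=false with a nil error; any other failure is returned as an error.
func Demo(bits int) (accepted bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return false, err
	}
	// Constructed sample claims for the example.
	tok, err := SignRS256(priv, map[string]interface{}{"sub": "jdoe", "upn": "jdoe@example.com"})
	if err != nil {
		return false, err
	}
	_, err = VerifyRS256(&priv.PublicKey, tok)
	if errors.Is(err, ErrKeyTooSmall) {
		return false, nil
	}
	return err == nil, err
}

func main() {
	for _, bits := range []int{1024, 2048} {
		ok, err := Demo(bits)
		fmt.Printf("%d-bit key: accepted=%v err=%v\n", bits, ok, err)
	}
}
```

Running it shows the 1024-bit token refused and the 2048-bit one accepted with the same signing and verification code, so the rejection the reporter saw is a policy decision at the verifier, not a defect in the signature itself. Whichever way the specification conflict is resolved, the key-size check should stay ahead of the signature check so that an undersized key is never exercised.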
JWT signed by 1024 bit long key is rejected
-------------------------------------------
Key: WFWIP-288
URL:
https://issues.redhat.com/browse/WFWIP-288
Project: WildFly WIP
Issue Type: Bug
Components: MP JWT
Reporter: Jan Kasik
Assignee: Darran Lofthouse
Priority: Blocker
According to the MP-JWT 1.1 specification, 1024 and 2048 bit key sizes must be supported.
However, when a JWT signed by a 1024-bit key is presented to the server, it is
rejected and the client receives an "Unauthorized" (code 401) response.
See chapter 9.2. Supported Public Key Formats:
{quote}
Support for RSA Public Keys of 1024 or 2048 bits in length is required. Other key sizes
are allowed, but should be considered vendor-specific.
{quote}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)