connect2id / Nimbus-JOSE-JWT / issues / #219 - Enforce strict RSA key length checking in existing RSA crypto constructors, add new legacy constructor to permit keys shorter than 2018 bits — Bitbucket

Issue #219 resolved

Former user created an issue 2017-04-14

Chapter 3.3 and 3.5 of the JWA specification require RSA keys to have a length of at least 2048 bit.

This requirement is currently not enforced by the library. I attached a test case that illustrates the behaviour.

shortRSAKeyTestCase.java

Comments (4)

Vladimir Dzhuvinov
That's true, we've had developers who insisted on support 1024 bit RSA keys for various reasons.

I'm thinking of adding a second 'legacy' constructor to permit shorter keys, while making the original constructor strict (require 2048+ bits).
- 2017-04-19T08:41:43+00:00
Vladimir Dzhuvinov
- changed title to Enforce strict RSA key length checking in existing RSA crypto constructors, add new legacy constructor to permit keys shorter than 2018 bits
- marked as enhancement
Legacy apps still need to be able to work with RSA keys shorter than 2048 bits.
- 2017-04-19T09:04:49+00:00
Vladimir Dzhuvinov
- changed status to open
- 2018-10-08T08:32:58+00:00
Vladimir Dzhuvinov
- changed status to resolved
Addressed in b3c700b44955c982c653e18f67964f6278a1e60f

To be released in 6.1
- 2018-10-08T10:53:41+00:00
Log in to comment

Assignee: –

Type: enhancement

Priority: minor

Status: resolved

Component: Crypto package

Milestone: –

Votes: 0

Watchers: None

Jira: the preferred issue tracker for Bitbucket. Join the team!