From 5385e0d7d3671b4736c0246475a03c648b1da68a Mon Sep 17 00:00:00 2001
From: Aaron Davidson
Date: Sat, 19 Mar 2016 22:40:44 -0700
Subject: [PATCH] Avoid potentially critical vulnerability in ECDSA signature validation

Quite possible we're missing something here, so please forgive if so. After seeing [this article](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/) (see "RSA or HMAC?" section), we did a quick scan through the JJWT implementation to see if it was vulnerable. While it seems like the RSA check should work, no such check seemed to exist for ECDSA signatures. As a result, it may be possible for users of this library to use `setSigningKey(byte[] key)` while intending to use ECDSA, but have the client alter the algorithm and signature to use HMAC with the public key as the "secret key", allowing the client to inject arbitrary payloads. cc @thomaso-mirodin
---
 src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java b/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java
index a5d68aec..81e113ce 100644
--- a/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java
+++ b/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java
@@ -312,6 +312,9 @@ public class DefaultJwtParser implements JwtParser {
                 Assert.isTrue(!algorithm.isRsa(),
                         "Key bytes cannot be specified for RSA signatures. Please specify a PublicKey or PrivateKey instance.");
 
+                Assert.isTrue(!algorithm.isEllipticCurve(),
+                        "Key bytes cannot be specified for ECDSA signatures. Please specify a PublicKey instance.");
+
                 key = new SecretKeySpec(keyBytes, algorithm.getJcaName());
             }
         }
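Review bot: The new `isEllipticCurve()` assertion keys off `algorithm`, which is derived from the token's untrusted `alg` header, so it cannot by itself stop the substitution the description describes — a token whose header says HS256 passes both `!isRsa()` and `!isEllipticCurve()` and the caller's raw bytes still become a `SecretKeySpec` on the next line. What the check does buy is an earlier, clearer failure when a legitimately ES-signed token meets a parser configured with `setSigningKey(byte[])`, the same role the RSA assertion above already plays; whether substitution to HMAC is actually rejected depends on the MAC verification path treating a non-secret key as invalid, which is outside this hunk and should be confirmed by a test that presents an HS256-labelled token to a parser holding EC public-key bytes. A comment would keep the next reader from taking this as the defence: `// Guidance only: alg is read from the untrusted header, so this cannot block alg substitution; raw key bytes are only valid for HMAC algorithms.` The enclosing method starts and ends outside the hunk.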