Merge pull request #105 from aarondav/patch-2

Avoid potentially critical vulnerability in ECDSA signature validation
2025-03-09 06:46:50 +00:00 · 2016-07-04 11:56:48 -07:00 · 2016-07-04 11:56:48 -07:00 · e55ea34e95
commit e55ea34e95
parent 8e6e165c1d 707f7bc046
1 changed files with 2 additions and 2 deletions
--- a/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java
+++ b/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java
@ -319,8 +319,8 @@ public class DefaultJwtParser implements JwtParser {

                if (!Objects.isEmpty(keyBytes)) {

-                    Assert.isTrue(!algorithm.isRsa(),
-                                  "Key bytes cannot be specified for RSA signatures.  Please specify a PublicKey or PrivateKey instance.");
+                    Assert.isTrue(algorithm.isHmac(),
+                                  "Key bytes can only be specified for HMAC signatures. Please specify a PublicKey or PrivateKey instance.");

                    key = new SecretKeySpec(keyBytes, algorithm.getJcaName());
                }