
ruby-jwt::raw_to_asn1: Fails for signatures less than byte_size #155

@joykoduru

We use ruby-jwt in one of our applications, and we recently noticed that if the signature passed to this method is shorter than byte_size, it returns an invalid signature, which fails the verification and causes a 500 Internal Server Error.

See the below sample code to understand better:

```
2.2.3 :004 > str = 'abcdef'
 => "abcdef"
2.2.3 :005 > str[0..10]
 => "abcdef"
2.2.3 :006 > str[10..-1]
 => nil
```

To fix this, we could add a check for the passed-in signature’s length on #L165 and return “” (empty string) if the signature is shorter.

If you feel this could be the right way to fix this issue, let us know how we can contribute to ruby-jwt.

P.S: We are using the ES256 algorithm. It looks like our keys are 256 bits long.

Please let us know your thoughts.
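
An added example, not ruby-jwt's code and not part of the original post: a raw R || S to ASN.1 DER converter that checks the signature length before slicing and raises a dedicated error the caller can treat as a failed verification. All names are hypothetical, passing the curve size in bits is an assumption, and the DER is encoded by hand so the block runs without OpenSSL.

```ruby
# Added example. Every name here is hypothetical; none of it is ruby-jwt's API.
class RawSignatureError < StandardError; end

# DER length octets: short form below 128, long form (0x80 | count) above.
def der_length(n)
  return [n].pack('C') if n < 0x80
  octets = []
  while n > 0
    octets.unshift(n & 0xff)
    n >>= 8
  end
  ([0x80 | octets.size] + octets).pack('C*')
end

# Encode one unsigned big-endian value as a minimal, positive DER INTEGER.
def der_integer(bytes)
  v = bytes.b
  v = v.byteslice(1..-1) while v.bytesize > 1 && v.getbyte(0).zero?
  v = "\x00".b + v if v.getbyte(0) >= 0x80 # keep the sign bit clear
  "\x02".b + der_length(v.bytesize) + v
end

# Convert a raw R || S signature to DER, refusing anything that is not
# exactly two coordinates long (curve_bits: 256 for ES256, 521 for ES512).
def raw_to_der(signature, curve_bits)
  byte_size = (curve_bits + 7) / 8
  raw = signature.to_s.b
  unless raw.bytesize == 2 * byte_size
    raise RawSignatureError,
          "expected #{2 * byte_size} signature bytes, got #{raw.bytesize}"
  end
  body = der_integer(raw.byteslice(0, byte_size)) +
         der_integer(raw.byteslice(byte_size, byte_size))
  "\x30".b + der_length(body.bytesize) + body
end

# Caller side: a malformed signature is a failed verification, not a crash.
def well_formed_signature?(signature, curve_bits)
  raw_to_der(signature, curve_bits)
  true
rescue RawSignatureError
  false
end
```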
