Description
Hi,
We are a research group dedicated to helping developers build secure and standards-compliant cryptographic software. As part of an ongoing study on JWT security, we developed an automated detector for identifying cryptographic misuse and insecure API design patterns in JWT libraries.
While analyzing your impressive public repository, our system identified several security issues that may impact the robustness of your JSON Web Signature (JWS) implementation:
1. Insecure Key Length Acceptance
Your implementation allows the use of weak cryptographic keys in JWS:
Incorrect Curve Handling in ECDSA (ES256/ES384/ES512)
We discovered that your library permits public keys generated over the P-192 (secp192r1) curve to be used for signature verification, even when the JWT header explicitly specifies "alg": "ES256". This is a standards violation and introduces a dangerous algorithm downgrade scenario.
According to RFC 7518, Section 3.4, ES256 must use the secp256r1 (P-256) curve. Allowing weaker curves like P-192 undermines the intended 128-bit security level of ES256 and can be exploited to mount signature confusion or cryptographic downgrade attacks.
The example code we used to test is:

```php
<?php
// Test case from the report: sign with a P-192 (prime192v1) EC key while
// declaring ES256, which RFC 7518 §3.4 binds to P-256. A conforming library
// should reject this key; the library under test accepted it.
require_once __DIR__ . '/vendor/autoload.php'; // Composer autoloader (assumed)
// JWT is the library class under test; adjust the import to its namespace,
// e.g. `use Firebase\JWT\JWT;` if the library is firebase/php-jwt.

$privateKey_p192 = <<<EOD
-----BEGIN EC PRIVATE KEY-----
MF8CAQEEGPRkK7lK/9FuZ3BE8ZX+dlHavL22Q9CN2KAKBggqhkjOPQMBAaE0AzIA
BL4pM50YcLq/I9Y8T+C+fwoOtwRW8zdV6yQmG9fD8zWaAs28+UxHeK8VD7THatbp
wg==
-----END EC PRIVATE KEY-----
EOD;

$payload = [
    'iss' => 'example.org',
    'aud' => 'example.com',
    'iat' => 1356999524,
    'nbf' => 1357000000,
];

// A strict implementation would throw here because the key is not on P-256.
$jwt = JWT::encode($payload, $privateKey_p192, 'ES256');
echo "Encode:\n" . print_r($jwt, true) . "\n";
```
Recommendation and Responsible Disclosure
We strongly encourage:
- Curve parameter validation to ensure alignment with the declared JWT algorithm.
- Rejecting any JWTs where the key type or curve does not strictly match the alg header.
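As an added illustration of the two recommendations above (not code from this report or from the library under review), the following PHP binds the JWS `alg` header to the key's type and curve before any signature operation. It needs only PHP's openssl extension; the function names and the `JWT_CURVE_FOR_ALG` map are this example's own, and the curve names are the ones OpenSSL reports via `openssl_pkey_get_details`.

```php
<?php
// Added example, not code from the report or from the library under review:
// a pre-verification gate that ties the JWS "alg" to the key type and curve.
// Function names and JWT_CURVE_FOR_ALG are this example's own; it relies on
// PHP's openssl extension (openssl_pkey_get_details reports 'curve_name'
// for EC keys).

const JWT_CURVE_FOR_ALG = [
    'ES256' => 'prime256v1', // OpenSSL's name for P-256 / secp256r1 (RFC 7518 §3.4)
    'ES384' => 'secp384r1',  // P-384
    'ES512' => 'secp521r1',  // P-521
];

// Throws unless $pem is an EC key on exactly the curve that $alg requires.
function assertKeyMatchesAlg(string $pem, string $alg): void
{
    if (!isset(JWT_CURVE_FOR_ALG[$alg])) {
        throw new InvalidArgumentException("Unsupported ECDSA alg: $alg");
    }
    // Accept a private key (signing side) or a public key (verifying side).
    $key = openssl_pkey_get_private($pem) ?: openssl_pkey_get_public($pem);
    if ($key === false) {
        throw new InvalidArgumentException('Key could not be parsed');
    }
    $details = openssl_pkey_get_details($key);
    if ($details === false || $details['type'] !== OPENSSL_KEYTYPE_EC) {
        throw new InvalidArgumentException("$alg requires an EC key, got a different key type");
    }
    $curve = $details['ec']['curve_name'] ?? '(unknown)';
    $expected = JWT_CURVE_FOR_ALG[$alg];
    if ($curve !== $expected) {
        throw new InvalidArgumentException("Curve mismatch: $alg requires $expected, key uses $curve");
    }
}

// Reads "alg" from a compact JWS header without trusting anything else in it.
function jwsHeaderAlg(string $jws): string
{
    $parts = explode('.', $jws);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Malformed compact JWS');
    }
    $raw = base64_decode(strtr($parts[0], '-_', '+/'), true);
    $header = $raw === false ? null : json_decode($raw, true);
    if (!is_array($header) || !isset($header['alg']) || !is_string($header['alg'])) {
        throw new InvalidArgumentException('JWS header lacks a string "alg"');
    }
    return $header['alg'];
}

// Gate to run before handing $jws and $pem to the library's verify routine:
// the caller states the alg it expects, the token header must agree, and the
// key must be on that alg's curve. Header-only trust is never enough.
function checkJwsKeyBinding(string $jws, string $pem, string $expectedAlg): void
{
    $alg = jwsHeaderAlg($jws);
    if ($alg !== $expectedAlg) {
        throw new InvalidArgumentException("Header alg $alg does not match expected $expectedAlg");
    }
    assertKeyMatchesAlg($pem, $alg);
}

// The P-192 key from the report: OpenSSL names its curve prime192v1, so the
// ES256 check rejects it instead of letting signing or verification proceed.
$privateKey_p192 = <<<EOD
-----BEGIN EC PRIVATE KEY-----
MF8CAQEEGPRkK7lK/9FuZ3BE8ZX+dlHavL22Q9CN2KAKBggqhkjOPQMBAaE0AzIA
BL4pM50YcLq/I9Y8T+C+fwoOtwRW8zdV6yQmG9fD8zWaAs28+UxHeK8VD7THatbp
wg==
-----END EC PRIVATE KEY-----
EOD;

try {
    assertKeyMatchesAlg($privateKey_p192, 'ES256');
    echo "accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

The design point is that the curve check is keyed off the algorithm the verifier expects, not off whatever the token's header claims, and runs before the library touches the signature; a key on P-192, or an RSA or HMAC key, is rejected up front rather than being fed to an ECDSA routine that may silently accept it.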
All issues have been confirmed via automated and manual validation using test vectors. We are submitting this disclosure privately in accordance with responsible disclosure practices, and we are happy to collaborate or provide PoC scripts upon request.
Thank you for your attention to these issues and for your work in supporting the open-source security ecosystem.
Best regards