HMAC secret length requirement

[lagden]

I generated the jwt using jose@2.x.
Is possible verify that jwt using the jose@3.x?

Example:

2.x:

// Old way to sign:
import {Buffer} from 'node:buffer'
import {JWT, JWK} from 'jose'

const _options = {
  algorithm: 'HS512',
  header: {typ: 'JWT'},
  ignoreIat: false,
  ignoreNbf: false,
}
const _payload = {data: {name: 'Sabrina Takamoto'}}
const secret = 'de66bd178d5abc9e848787b678f9b613'
const _key = JWK.asKey(Buffer.from(secret))

const jwt = JWT.sign(_payload, _key, _options)
// eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjp7Im5hbWUiOiJTYWJyaW5hIFRha2Ftb3RvIn0sImlhdCI6MTYyODgyOTk2OH0.t7Ft9UxLeBJIKq1c8AbVq8tB1snHYNJ7v434ILmC7yJ6V3IepgXtlI7iKkVFatonINvKzaUpj6tRnwtFEzE0eg

// ---

// Old way to verify:
const payload = JWT.verify(jwt, _key, {})
// {"data": {"name": "Sabrina Takamoto"}, "iat": 1628829968}

3.x:

I tried

import {Buffer} from 'node:buffer'
import {createSecretKey} from 'node:crypto'
import {jwtVerify} from 'jose/jwt/verify'

// JWT generated using 2.x above
const jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkYXRhIjp7Im5hbWUiOiJTYWJyaW5hIFRha2Ftb3RvIn0sImlhdCI6MTYyODgyOTk2OH0.t7Ft9UxLeBJIKq1c8AbVq8tB1snHYNJ7v434ILmC7yJ6V3IepgXtlI7iKkVFatonINvKzaUpj6tRnwtFEzE0eg'

const secret = Buffer.from('de66bd178d5abc9e848787b678f9b613')
const _key = createSecretKey(secret)
const {payload, protectedHeader} = await jwtVerify(jwt, _key)

and

TypeError: HS512 requires symmetric keys to be 512 bits or larger

Is possible?!

[panva]

Yes it is possible if you pad the secret with 0x00 to the required length. Nevertheless I only suggest to do so for migration purposes as you generate a new secret that follows the requirements.

const secret = Buffer.alloc(64, 0x00)
secret.write('de66bd178d5abc9e848787b678f9b613')

[lagden]

Understood!!

Thank you so much!! 😉