Merge pull request #1451 from modelix/hmac-key-length

slisson · web-flow · commit 60e7dd491f1e · 2025-03-06T17:55:51.000+01:00
fix(authorization): HMAC512 key length requirement was 512 bytes instead of bits
diff --git a/authorization/src/main/kotlin/org/modelix/authorization/AuthorizationConfig.kt b/authorization/src/main/kotlin/org/modelix/authorization/AuthorizationConfig.kt
@@ -228,21 +228,21 @@ fun ByteArray.ensureMinSecretLength(algorithm: JWSAlgorithm): ByteArray {
     val secret = this
     when (algorithm) {
         JWSAlgorithm.HS512 -> {
-            if (secret.size < 512) {
+            if (secret.size * 8 < 512) {
                 val digest = MessageDigest.getInstance("SHA-512")
                 digest.update(secret)
                 return digest.digest()
             }
         }
         JWSAlgorithm.HS384 -> {
-            if (secret.size < 384) {
+            if (secret.size * 8 < 384) {
                 val digest = MessageDigest.getInstance("SHA-384")
                 digest.update(secret)
                 return digest.digest()
             }
         }
         JWSAlgorithm.HS256 -> {
-            if (secret.size < 256) {
+            if (secret.size * 8 < 256) {
                 val digest = MessageDigest.getInstance("SHA-256")
                 digest.update(secret)
                 return digest.digest()
