Skip to content

HmacSecretKey.importJsonWebKey ignores length #302

Description

@harrshita123

Description

HmacSecretKey.importJsonWebKey accepts a length parameter, but the public wrapper does not forward it to the backend. As a result, importing the same HMAC key material as raw bytes and as JWK can produce different key bytes and different signatures whenever length trims bits from the final byte.

This breaks the package's cross-format parity: HmacSecretKey.importRawKey(..., length: n) honors the requested HMAC key length, while HmacSecretKey.importJsonWebKey(..., length: n) silently uses the full JWK k value.

Expected behavior

JWK import should honor length the same way raw import does. In the example above, both imports should export [255, 128], and signatures produced by the two keys should match.

Actual behavior

The length argument is dropped in HmacSecretKey.importJsonWebKey, so the JWK-backed key keeps the untrimmed final byte and signs/verifies with different key material.

Notes

A fix should also validate JWK import length consistently with raw imports so the native backend does not silently accept invalid lengths.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions