nuts-foundation · stevenvegt · May 12, 2026 · May 12, 2026
@@ -23,7 +23,6 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/rsa"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -575,27 +574,23 @@ func TestService_parseAndValidateJwtBearerToken(t *testing.T) {
 	})
 
 	t.Run("wrong signing algorithm", func(t *testing.T) {
-		t.Setenv("GODEBUG", "rsa1024min=0") // minimum key-length has changed to 1024 -> https://pkg.go.dev/crypto/rsa#hdr-Minimum_key_size
-		privateKey, err := rsa.GenerateKey(rand.Reader, 512)
-		require.NoError(t, err)
-
 		keyID := "did:nuts:somedid#key-id"
+		secret := []byte("test-hmac-secret")
 
-		ctx.keyResolver.EXPECT().ResolveKeyByID(keyID, nil, resolver.NutsSigningKeyType).Return(privateKey.Public(), nil)
+		ctx.keyResolver.EXPECT().ResolveKeyByID(keyID, nil, resolver.NutsSigningKeyType).Return(secret, nil)
 
-		// alg: RS256
 		token := jwt.New()
 		hdrs := jws.NewHeaders()
 		hdrs.Set(jws.KeyIDKey, keyID)
-		signedToken, err := jwt.Sign(token, jwt.WithKey(jwa.RS256, privateKey, jws.WithProtectedHeaders(hdrs)))
+		signedToken, err := jwt.Sign(token, jwt.WithKey(jwa.HS256, secret, jws.WithProtectedHeaders(hdrs)))
 		require.NoError(t, err)
 
 		tokenCtx := &validationContext{
 			rawJwtBearerToken: string(signedToken),
 		}
 		err = ctx.oauthService.parseAndValidateJwtBearerToken(tokenCtx)
 		assert.Nil(t, tokenCtx.jwtBearerToken)
-		assert.Equal(t, "token signing algorithm is not supported: RS256", err.Error())
+		assert.Equal(t, "token signing algorithm is not supported: HS256", err.Error())
 	})
 
 	t.Run("valid token", func(t *testing.T) {

@@ -27,7 +27,7 @@ import (
 // ErrUnsupportedSigningKey is returned when an unsupported private key is used to sign. Currently only ecdsa and rsa keys are supported
 var ErrUnsupportedSigningKey = errors.New("signing key algorithm not supported")
 
-var SupportedAlgorithms = []jwa.SignatureAlgorithm{jwa.ES256, jwa.EdDSA, jwa.ES384, jwa.ES512, jwa.PS256, jwa.PS384, jwa.PS512}
+var SupportedAlgorithms = []jwa.SignatureAlgorithm{jwa.ES256, jwa.EdDSA, jwa.ES384, jwa.ES512, jwa.PS256, jwa.PS384, jwa.PS512, jwa.RS256}
 
 const DefaultRsaEncryptionAlgorithm = jwa.RSA_OAEP_256
 const DefaultEcEncryptionAlgorithm = jwa.ECDH_ES_A256KW

@@ -120,14 +120,14 @@ func TestSignJWT(t *testing.T) {
 
 func TestParseJWT(t *testing.T) {
 	t.Run("unsupported algorithm", func(t *testing.T) {
-		rsaKey := test.GenerateRSAKey()
+		secret := []byte("test-hmac-secret")
 		token := jwt.New()
-		signature, _ := jwt.Sign(token, jwt.WithKey(jwa.RS256, rsaKey))
+		signature, _ := jwt.Sign(token, jwt.WithKey(jwa.HS256, secret))
 		parsedToken, err := ParseJWT(string(signature), func(_ string) (crypto.PublicKey, error) {
-			return rsaKey.Public(), nil
+			return secret, nil
 		}, nil, nil)
 		assert.Nil(t, parsedToken)
-		assert.EqualError(t, err, "token signing algorithm is not supported: RS256")
+		assert.EqualError(t, err, "token signing algorithm is not supported: HS256")
 	})
 
 	t.Run("allow clock skew (default DefaultJWTClockSkew)", func(t *testing.T) {
@@ -595,7 +595,7 @@ func TestCrypto_convertHeaders(t *testing.T) {
 
 func Test_isAlgorithmSupported(t *testing.T) {
 	assert.True(t, jwx.IsAlgorithmSupported(jwa.PS256))
-	assert.False(t, jwx.IsAlgorithmSupported(jwa.RS256))
+	assert.True(t, jwx.IsAlgorithmSupported(jwa.RS256))
 	assert.False(t, jwx.IsAlgorithmSupported(""))
 }