We have been notified that certain JWS messages with ES256 signatures
come with 63 byte signatures instead of the desired 64, and that
jwx successfully verifies these. Upond digging, we have found that
PR #65 removed the previous check for the key sizes, way back in 2019.

Without this check it is possible for an unpadded R value to pass
verification. For example, R with 31 bytes worth of data without
padding followed by S with 32 bytes can pass the verification
because when generating math.BigInt produces a valid result.

For example:

  Regular Signagure -> | R (32 bytes)... | S (32 bytes)... |

  Invalid Signature -> | R (31 bytes)... | S (32 bytes)... |

The type of signature that will get past is a signature where,
both values of R and S are valid but R is not padded at byte 0.

Since the signature content must match the correct content either
way, it is highly unlikely that this can be used for anything other
than adding an extra byte at the end of such a signature (that is,
the end user who produced the signature must already have the
correct signature anwyays).

However, omitting the check _does_ allow otherwise invalid signature
to be verified correctly.