| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.jsonwebtoken:jjwt-impl | maven | <= 0.12.5 | |

The vulnerability description explicitly identifies setSigningKey in DefaultJwtParser and signWith in DefaultJwtBuilder as impacted functions. Code references show these methods handle cryptographic key configuration, and the original advisory claims they ignore certain characters. Though disputed, the functions match the described vulnerability mechanism. The DefaultJwtParserBuilder.java reference (line 242) shows related key handling logic, supporting the assessment.