Details
- Type: Bug
- Status: Closed
- Priority: Trivial
- Resolution: Fixed
- 17.12.09
- None
- Environment: OS - Ubuntu 16.04, DB - MySQL
Description
I have secured my Solr setup using solr.JWTAuthPlugin. I need to provide the algorithm name (HS512) and the secret key to verify the payload in Solr. The REST API for my Solr setup will be triggered from OFBiz, for which I am generating a JWT token and validating it.
Using the given key and the following methods:
secret key: KeS5mHZGWAD6-5V9qwCE (this is a 120-bit key)
public static String createJwt(Delegator delegator, Map<String, String> claims, String keySalt, int expireTime)
public static Map<String, Object> validateToken(String jwtToken, String key)
https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java
When I use the above generated token and key in Solr, I get the InvalidKeyException which says "The secret is only 120 bits, 512 bits is required by HS512."
I suppose we should get such an exception in OFBiz also, when generating a token using a shorter than recommended key size.
As mentioned in the java-jwt docs:
"Ensure the length of the secret is at least 512 bit long" under the HMAC512 header (https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html)
But I am using only a 120-bit key (KeS5mHZGWAD6-5V9qwCE) in the validateToken(String jwtToken, String key) method and it is not throwing any exception for key size.
We should follow the rule and give a 512-bit key by default and provide validation based on the same rule.
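The check the reporter asks for, as an added example that is not OFBiz's JWTManager code and does not use the java-jwt library: a minimal HS512 JWT signer/verifier in Python (standard library only) that refuses any secret shorter than 512 bits on both the signing and the verifying side, and a helper that generates a key of the required size by default. The claim name `userLoginId` and the fixed `now` values are constructed for the illustration. On the 20-character key quoted in the ticket, the block also shows where the two figures come from: read as raw ASCII bytes it is 160 bits, and base64url-decoded it is 15 bytes, i.e. the 120 bits Solr reports; both are far short of the 512 bits HS512 requires, so either reading is rejected.

```python
"""HS512 JWT sign/verify with an explicit key-length check (illustrative, not OFBiz code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# RFC 7518 section 3.2 and the java-jwt HMAC512 docs: the secret must be at least as
# long as the hash output, i.e. 512 bits (64 bytes) for HS512.
HS512_MIN_KEY_BITS = 512


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Base64url decode, restoring the padding the JWS encoding strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_bits(secret: bytes) -> int:
    return len(secret) * 8


def check_hs512_key(secret: bytes) -> None:
    """Reject secrets shorter than 512 bits before they are used to sign or verify."""
    bits = key_bits(secret)
    if bits < HS512_MIN_KEY_BITS:
        raise ValueError(f"The secret is only {bits} bits, {HS512_MIN_KEY_BITS} bits is required by HS512")


def generate_hs512_key() -> bytes:
    """A default key of the required strength: 64 bytes from the OS CSPRNG."""
    return secrets.token_bytes(HS512_MIN_KEY_BITS // 8)


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def create_jwt(claims: dict, secret: bytes, expire_seconds: int, now=None) -> str:
    """Sign `claims` with HS512; fails early on a weak key (the check OFBiz is missing)."""
    check_hs512_key(secret)
    now = int(time.time()) if now is None else now
    header = {"alg": "HS512", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + expire_seconds)
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_token(token: str, secret: bytes, now=None) -> dict:
    """Verify signature, algorithm and expiry; the key is checked here too, not only at signing."""
    check_hs512_key(secret)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS512":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):  # constant-time compare
        raise ValueError("invalid signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:  # a missing exp is treated as already expired
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    ticket_key = "KeS5mHZGWAD6-5V9qwCE"  # the key quoted in the ticket
    print("as ASCII bytes:", key_bits(ticket_key.encode("ascii")), "bits")
    print("base64url-decoded:", key_bits(b64url_decode(ticket_key)), "bits")
    try:
        create_jwt({"userLoginId": "admin"}, ticket_key.encode("ascii"), 3600)
    except ValueError as err:
        print("rejected:", err)
    key = generate_hs512_key()
    token = create_jwt({"userLoginId": "admin"}, key, 3600)
    print("claims:", validate_token(token, key))
```

Running the check in `validate_token` as well as `create_jwt` is the point of the ticket: a verifier that silently accepts a short key will happily validate tokens that a correctly configured peer (here, Solr) rejects, and the mismatch only surfaces in production.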