I had a quick look. Before you create a Jira issue, here are some
questions:
First, why did you pick the 120 bit secret key KeS5mHZGWAD6-5V9qwCE ?
Then, as I did no find any "Date expiresAt)" in any code ever in OFBiz:
https://ofbiz.markmail.org/search/?q=Date+expiresAt%29
my question is do you rather use
publicstaticStringcreateJwt(Delegatordelegator, Map<String, String>
claims, StringkeySalt, intexpireTime)
https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java#L299
?
That would be strange because you would be then forced to use the OOTB
"security.token.key" (property in security.properties) through one of the
JWTManager::getJWTKey
So you could pick what you want as security.token.key and set a 512 bit
secret key
I hope this will help to clarify
Jacques
PS: BTW totally unrelated, but I found this 2017 article interesting:
https://auth0.com/blog/brute-forcing-hs256-is-possible-the-importance-of-using-strong-keys-to-sign-jwts/
Le 06/12/2022 à 11:18, Jacques Le Roux a écrit :
Hi Ayan,
Thanks for your detailed answer, I now understand the issue and will
have a 1st look at it.
I have created a Jira account for you (ayanfarooqui). Could you please
create a Jira bug issue, you may follow
https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices
Copying the information below as description would be perfect.
TIA
Jacques
Le 29/11/2022 à 13:39, Ayan Farooqui a écrit :
Hello Jacques,
Thank You for moderating the message.
I have secured my Solr setup using solr.JWTAuthPlugin <
https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html>. I
need to provide the
algorithm name (HS512) and the secret key to verify the payload in
solr. The rest api for my Solr setup will be triggered from OFBiz for which
I am
generating a JWT token and validating it. Using the given key &
following methods - secret key - KeS5mHZGWAD6-5V9qwCE (This is 120 bit key)
public static String createJwt(Delegator delegator, Map<String, String>
claims, String keySalt, Date expiresAt)(ofbiz github code
<
https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java
)
public static Map<String, Object> validateToken(String jwtToken, String
key) (ofbiz github code
<
https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java>
)
When I use the above generated token and key in Solr I get the
InvalidKeyException which says The secret is only 120 bits, 512 bits is
required by
HS512.
I suppose we should get such exception in OFbiz also, when generating
a token using shorter than recommended key size.
As mentioned in jawa-jwt docs
"Ensure the length of the secret is at least 512 bit long" under
HMAC512 header (Reference
<
https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html
)
But I am using only 120 bit key (KeS5mHZGWAD6-5V9qwCE) in the
validateToken(String jwtToken, String key) method and it is not throwing
any
exception for key size.
On Tue, Nov 29, 2022 at 3:20 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:
Hi Ayan, Your message has been (somehow) moderated, else it would
not have reached this Mailing List. Please subscribe to the user ML for such
questions and then use your email client. See why here
http://ofbiz.apache.org/mailing-lists.html. You will get a better
support, people can
answer you on the ML. The wider the audience the better the answers
you might get. Also it's more work for moderators who have to accept your
messages as long as you have not subscribed. I'll personally no
longer accept them (other moderators still could). Thanks
This said, I moderated your message too late so it was no possible
to do it the conventional way. Anyway here we are. I see that you are
working
with Hotwax, and nobody from there moderated your email. So maybe
the issue is already "fixed" internally?
Else we need more information, like:
Why did you need a JWT token to use Solr? What makes you think that
"OFBiz is generating the token with a 120 bit key"? Etc.
HTH
Jacques
Le 21/11/2022 à 10:13, Ayan Farooqui a écrit :
Hello devs,
I was doing a POC on JWT authentication in Solr, to implement it I
generated a JWT token using OFBiz. When I used the same token and secret key
to authenticate a request on my local Solr instance, Solr gave an
error “A key of the same size as the hash output or larger MUST be used with
this algorithm”. Upon debugging the issue I found reference to
this rule.
“A key of the same size as the hash output (for instance, 256 bits
for
"HS256") or larger MUST be used with this algorithm. (This
requirement is based onSection 5.3.4 <
https://www.rfc-editor.org/rfc/rfc7518#section-5.3.4>(Security Effect of
the HMAC
Key) of NIST SP 800-117 [NIST.800-107 <
https://www.rfc-editor.org/rfc/rfc7518#ref-NIST.800-107>]”
OFBiz is generating the token with a 120 bit key when it should
throw an exception for key size while using the HS512 or HS256 algorithm.
Reference -https://www.rfc-editor.org/rfc/rfc7518#page-7 <
https://www.rfc-editor.org/rfc/rfc7518#page-7>
