Hello Jacques, I have created a JIRA issue for the same https://issues.apache.org/jira/browse/OFBIZ-12724
Please let me know if I need to make any changes

Thanks
Ayan

On Tue, Dec 13, 2022 at 6:21 PM Jacques Le Roux < jacques.le.r...@les7arts.com> wrote:

> Hi Ayan,
>
> I totally agree about your conclusion. We can go as we agreed and I can do that.
>
> Would you take care of creating a Jira? Else I can do it for you.
>
> Thanks
>
> Jacques
>
> Le 13/12/2022 à 08:14, Ayan Farooqui a écrit :
> > Hello Jacques,
> >
> > I have used an online tool (https://mkjwk.org/) to generate this specific secret key where I specified the size, algorithm and type.
> > Thank you for providing me with a solution but my specific problem and use case was solved already, I'm using the key of recommended size. It may have been unclear in the first mail but please allow me to correct myself, the mail was sent in the dev list with the intent of suggesting that we should follow the rule and give a 512 bit key by default and provide validation based on the same rule.
> >
> > "Ensure the length of the secret is at least 512 bit long" under HMAC512 header (Reference <https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html>)
> >
> > Thanks and Regards,
> > Ayan Farooqui
> >
> > On Thu, Dec 8, 2022 at 8:16 PM Jacques Le Roux < jacques.le.r...@les7arts.com> wrote:
> >
> >> Hi Ayan,
> >>
> >> A few other questions:
> >> Are you using a salt when generating the key?
> >> Then when and how do you measure the KeS5mHZGWAD6-5V9qwCE to say it's a 120 bit key?
> >> Without a salt it seems to be a 160 bit key to me, am I missing something?
> >>
> >> To answer your question, I guess we did not care about that by ignorance of the rule you mentioned.
> >>
> >> A possible solution is in createJwt() to check the size of the key is at minimum 512 bits and modify the rest of the code to handle the case of a reject.
> >>
> >> HTH
> >>
> >> Jacques
> >>
> >> Le 07/12/2022 à 14:50, Ayan Farooqui a écrit :
> >>> Hello Jacques,
> >>>
> >>> This is a randomly generated key (KeS5mHZGWAD6-5V9qwCE)
> >>> Yes, the method I'm using internally calls the method you mentioned
> >>>
> >>> public static String createJwt(Delegator delegator, Map<String, String> claims, String keySalt, int expireTime)
> >>>
> >>> and yes, I am getting the key from the properties file (security.token.key) only, where I can replace it with a stronger 512 bit key.
> >>> But I wanted to point out that OFBiz is not throwing any exception when I am using a key of less than recommended length. My concern being, why does OFBiz allow less secure keys such as 120 bits when 512 is recommended for that algorithm.
> >>>
> >>>
> >>> On Tue, Dec 6, 2022 at 9:45 PM Jacques Le Roux < jacques.le.r...@les7arts.com> wrote:
> >>>
> >>>> I had a quick look. Before you create a Jira issue, here are some questions:
> >>>>
> >>>> First, why did you pick the 120 bit secret key KeS5mHZGWAD6-5V9qwCE ?
> >>>>
> >>>> Then, as I did not find any "Date expiresAt)" in any code ever in OFBiz:
> >>>> https://ofbiz.markmail.org/search/?q=Date+expiresAt%29
> >>>> my question is, do you rather use
> >>>> public static String createJwt(Delegator delegator, Map<String, String> claims, String keySalt, int expireTime)
> >>>> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java#L299
> >>>> ?
> >>>>
> >>>> That would be strange because you would then be forced to use the OOTB "security.token.key" (property in security.properties) through one of the JWTManager::getJWTKey
> >>>> So you could pick what you want as security.token.key and set a 512 bit secret key
> >>>>
> >>>> I hope this will help to clarify
> >>>>
> >>>> Jacques
> >>>>
> >>>> PS: BTW totally unrelated, but I found this 2017 article interesting:
> >>>> https://auth0.com/blog/brute-forcing-hs256-is-possible-the-importance-of-using-strong-keys-to-sign-jwts/
> >>>>
> >>>> Le 06/12/2022 à 11:18, Jacques Le Roux a écrit :
> >>>>> Hi Ayan,
> >>>>>
> >>>>> Thanks for your detailed answer, I now understand the issue and will have a 1st look at it.
> >>>>> I have created a Jira account for you (ayanfarooqui). Could you please create a Jira bug issue, you may follow
> >>>>> https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices
> >>>>> Copying the information below as description would be perfect.
> >>>>>
> >>>>> TIA
> >>>>>
> >>>>> Jacques
> >>>>>
> >>>>>
> >>>>> Le 29/11/2022 à 13:39, Ayan Farooqui a écrit :
> >>>>>> Hello Jacques,
> >>>>>>
> >>>>>> Thank you for moderating the message.
> >>>>>> I have secured my Solr setup using solr.JWTAuthPlugin <https://solr.apache.org/guide/8_11/jwt-authentication-plugin.html>. I need to provide the algorithm name (HS512) and the secret key to verify the payload in Solr. The REST API for my Solr setup will be triggered from OFBiz, for which I am generating a JWT token and validating it.
> >>>>>> Using the given key & following methods - secret key - KeS5mHZGWAD6-5V9qwCE (This is a 120 bit key)
> >>>>>>
> >>>>>> public static String createJwt(Delegator delegator, Map<String, String> claims, String keySalt, Date expiresAt) (ofbiz github code <https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java>)
> >>>>>>
> >>>>>> public static Map<String, Object> validateToken(String jwtToken, String key) (ofbiz github code <https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java>)
> >>>>>>
> >>>>>> When I use the above generated token and key in Solr I get the InvalidKeyException which says "The secret is only 120 bits, 512 bits is required by HS512."
> >>>>>> I suppose we should get such an exception in OFBiz also, when generating a token using a shorter than recommended key size.
> >>>>>> As mentioned in the java-jwt docs:
> >>>>>>
> >>>>>> "Ensure the length of the secret is at least 512 bit long" under HMAC512 header (Reference <https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html>)
> >>>>>>
> >>>>>> But I am using only a 120 bit key (KeS5mHZGWAD6-5V9qwCE) in the validateToken(String jwtToken, String key) method and it is not throwing any exception for key size.
> >>>>>>
> >>>>>>
> >>>>>> On Tue, Nov 29, 2022 at 3:20 PM Jacques Le Roux < jacques.le.r...@les7arts.com> wrote:
> >>>>>>> Hi Ayan,
> >>>>>>>
> >>>>>>> Your message has been (somehow) moderated, else it would not have reached this Mailing List. Please subscribe to the user ML for such questions and then use your email client. See why here http://ofbiz.apache.org/mailing-lists.html. You will get better support, people can answer you on the ML. The wider the audience the better the answers you might get. Also it's more work for moderators who have to accept your messages as long as you have not subscribed. I'll personally no longer accept them (other moderators still could). Thanks
> >>>>>>>
> >>>>>>> This said, I moderated your message too late so it was not possible to do it the conventional way. Anyway here we are. I see that you are working with Hotwax, and nobody from there moderated your email. So maybe the issue is already "fixed" internally?
> >>>>>>> Else we need more information, like:
> >>>>>>>
> >>>>>>> Why did you need a JWT token to use Solr? What makes you think that "OFBiz is generating the token with a 120 bit key"? Etc.
> >>>>>>>
> >>>>>>> HTH
> >>>>>>>
> >>>>>>> Jacques
> >>>>>>>
> >>>>>>> Le 21/11/2022 à 10:13, Ayan Farooqui a écrit :
> >>>>>>>> Hello devs,
> >>>>>>>>
> >>>>>>>> I was doing a POC on JWT authentication in Solr; to implement it I generated a JWT token using OFBiz. When I used the same token and secret key to authenticate a request on my local Solr instance, Solr gave an error "A key of the same size as the hash output or larger MUST be used with this algorithm". Upon debugging the issue I found reference to this rule.
> >>>>>>>>
> >>>>>>>> "A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this algorithm. (This requirement is based on Section 5.3.4 <https://www.rfc-editor.org/rfc/rfc7518#section-5.3.4> (Security Effect of the HMAC Key) of NIST SP 800-117 [NIST.800-107 <https://www.rfc-editor.org/rfc/rfc7518#ref-NIST.800-107>]"
> >>>>>>>>
> >>>>>>>> OFBiz is generating the token with a 120 bit key when it should throw an exception for key size while using the HS512 or HS256 algorithm.
> >>>>>>>>
> >>>>>>>> Reference - https://www.rfc-editor.org/rfc/rfc7518#page-7 <https://www.rfc-editor.org/rfc/rfc7518#page-7>
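The key-length check Jacques proposes for createJwt(), together with the two ways of measuring the KeS5mHZGWAD6-5V9qwCE key that the thread goes back and forth on, as an added example that is not OFBiz's or java-jwt's code: it measures the secret both as raw UTF-8 bytes and as base64url-encoded key material, and rejects anything shorter than the algorithm's hash output, which is the RFC 7518 section 3.2 rule quoted in the thread. The class JwtHmacKeyCheck and its method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

// Hypothetical helper, not OFBiz code: enforces the RFC 7518 section 3.2 rule that an
// HMAC key must be at least as long as the hash output (HS256: 256, HS384: 384, HS512: 512 bits).
public final class JwtHmacKeyCheck {
    private static final Map<String, Integer> MIN_KEY_BITS = Map.of(
            "HS256", 256,
            "HS384", 384,
            "HS512", 512);
    private JwtHmacKeyCheck() { }

    // Key length if the property value is fed to the HMAC as raw UTF-8 bytes, which is how
    // a string secret is normally used: one byte of key material per ASCII character.
    static int bitsAsRawBytes(String secret) {
        return secret.getBytes(StandardCharsets.UTF_8).length * 8;
    }

    // Key length if the property value is itself a base64url-encoded key (how a JWK
    // generator reports it): four characters encode three bytes, so the count is smaller.
    static int bitsAsBase64Url(String secret) {
        return Base64.getUrlDecoder().decode(secret).length * 8;
    }

    // Reject a secret shorter than the algorithm's hash output before signing or validating.
    // The message mirrors the one Solr returned in the thread.
    static void requireMinimumKeyLength(String secret, String algorithm) {
        Integer required = MIN_KEY_BITS.get(algorithm);
        if (required == null) {
            throw new IllegalArgumentException("Unsupported HMAC algorithm: " + algorithm);
        }
        int actual = bitsAsRawBytes(secret);
        if (actual < required) {
            throw new IllegalArgumentException("The secret is only " + actual + " bits, "
                    + required + " bits is required by " + algorithm);
        }
    }

    public static void main(String[] args) {
        String secret = "KeS5mHZGWAD6-5V9qwCE"; // the key discussed in the thread
        System.out.println("as raw UTF-8 bytes:   " + bitsAsRawBytes(secret) + " bits");
        System.out.println("as base64url payload: " + bitsAsBase64Url(secret) + " bits");
        try {
            requireMinimumKeyLength(secret, "HS512");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two measurements explain the 120 versus 160 bit disagreement in the thread: the 20-character string is 160 bits as raw bytes and decodes to 15 bytes (120 bits) as base64url. Either way it is far below the 512 bits HS512 requires, so the check rejects it.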