b_c / jose4j / issues / #38 - debug logging of secrets in ConcatKeyDerivationFunction — Bitbucket

Issue #38 closed

Former user created an issue 2015-10-13

The ConcatKeyDerivationFunction code makes it possible for an unsuspecting user to log secrets. Would you consider removing these lines?

https://bitbucket.org/b_c/jose4j/src/e4ca546a19e775cdde16c98d8e23e793ac76a482/src/main/java/org/jose4j/jwe/kdf/ConcatKeyDerivationFunction.java?at=master&fileviewer=file-view-default

Comments (3)

Brian Campbell repo owner
Yeah, that's probably a good idea. I added a lot of logging to the KDF implementation in the earlier days of JWE to help troubleshoot the example in the appendix of JWA - http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20130826/003920.html - but it's probably outlived its usefulness and is more likely to do harm than good now.
- 2015-10-14T12:50:14+00:00
Brian Campbell repo owner
- changed status to resolved
done in 50417d5
- 2015-10-20T22:59:48+00:00
Brian Campbell repo owner
- changed status to closed
released with v 0.5.0
- 2016-03-04T23:14:13+00:00
Log in to comment

Assignee: Brian Campbell

Type: proposal

Priority: critical

Status: closed

Votes: 0

Watchers: 2

Jira: the preferred issue tracker for Bitbucket. Join the team!