1. connect2id Avatar connect2id
  2. Crypto
  3. Nimbus-JOSE-JWT
  4. Issues

Incorrect validation of secret length for MACVerifier

Issue #563 open
Petr Dvořák created an issue

I am aware of issue #454

However, the secret length validation is done very minimalisticly. If the intention is to validate the correct secret length for the provided algorithm, the check should reflect the algorithm selected, not just check for:

if (secret.length < 32) {
    throw new KeyLengthException("The secret length must be at least 256 bits");
} else {
    this.secret = secret;
    this.secretKey = null;
}

IMO, this check is redundant altogether. Auth0 can live without it, as authenticating the MAC token with, i.e., 16B is quite sufficient…

Comments (2)

  1. Vladimir Dzhuvinov
    • changed status to open

    It's true that the Mac can be initialised with shorter keys. Like you I have observed that some libs will not check the key length or accept shorter lengths. The JWA spec is clear about the security properties of the HSxxx family of algs.

    https://datatracker.ietf.org/doc/html/rfc7518#section-3.2

    A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this algorithm. (This requirement is based on Section 5.3.4 (Security Effect of the HMAC Key) of NIST SP 800-117 [NIST.800-107], which states that the effective security strength is the minimum of the security strength of the key and two times the size of the internal hash value.)

    If a lib issues a token with HS256 but the key happens to be shorter, this isn't technically HS256, it's something else.

  2. Petr Dvořák reporter

    The point is that you do a correct check for 256 bits but not for all other algorithms… For HS512, your check is incorrect…

  3. Log in to comment
Assignee
Type
proposal
Priority
minor
Status
open
Component
Crypto package
Milestone
Votes
0
Watchers
1
Jira: the preferred issue tracker for Bitbucket. Join the team!