connect2id / OAuth 2.0 SDK with OpenID Connect extensions / issues / #412 - Truncation issue in SecretKeyDerivation — Bitbucket

Issue #412 resolved

Philip Smart created an issue 2023-01-20

It seems to me that the SecretKeyDerivation#deriveSecretKey method is incorrectly truncating a 128 or 192-bit SHA-256 hash. That is, it is ‘right-truncating’ it, and not ‘left-truncating’ it.

The spec has been updated to make this clearer (which I admit confused me entirely the first time): https://openid.net/specs/openid-connect-core-1_0-25.html#Encryption

Comments (4)

Yavor Vasilev
- changed status to open
Ouch. Thanks for reporting this. We'll check what's going on. This AES key derivation code had been around for almost 10 years now and is based on the very first OIDC drafts.
- 2023-01-23T09:45:33+00:00
Yavor Vasilev
Found the spec change re secret key derivation:

https://bitbucket.org/openid/connect/commits/15668505dbe66b290c7e84ecc2e7bff70d942012

And the original ticket:

https://bitbucket.org/openid/connect/issues/1005/clarify-left-truncated-sha-2-hash-in
- 2023-01-23T10:02:49+00:00
Yavor Vasilev
- changed status to resolved
Fixed: c96b8d9f
- 2023-01-23T11:26:47+00:00
Philip Smart reporter
Thanks!
- 2023-01-23T11:28:28+00:00
Log in to comment

Assignee: –

Type: bug

Priority: minor

Status: resolved

Milestone: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!