Islandora / documentation

Contains islandora's documentation and main issue queue.
MIT License
104 stars 71 forks source link

Move away from RSASSA-PKCS1-v1_5 using SHA-256 (RS256) as JWT default #1232

Open kayakr opened 5 years ago

kayakr commented 5 years ago

http://future.islandora.ca/admin/config/system/jwt defaults to RSASSA-PKCS1-v1_5 using SHA-256 (RS256). Security review of an Islandora 8 instance pointed out that https://tools.ietf.org/html/rfc3447#page-28 says "RSASSA-PKCS1-v1_5 is included for compatibility with existing applications, and while still appropriate for new applications, a gradual transition to RSASSA-PSS is encouraged." Perhaps HMAC using SHA-512 (HS512) should be the default instead?

antbrown commented 5 years ago

I've forked the ansible-role-keymaster to generate hmac keys here:

It would be good to get some advice from the core contributors on whether this is the right place to be doing this kind of stuff and whether there are plans already in place on how to transition to JWT HMAC keys.