search

frasertweedale / hs-jose

Haskell JOSE and JWT library
http://hackage.haskell.org/package/jose
Apache License 2.0
122 stars 46 forks source link

Verifying JWT with shared secret results in invalid signature error when using secret length less than 256 bits #66

Closed ecthiender closed 6 years ago

ecthiender commented 6 years ago

When JWT verification is done via verifyClaims it results in JWSInvalidSignature, when using secret key length less than 32 characters (256 bits)

Steps to reproduce:

verify :: L.ByteString -> L.ByteString -> IO (Either JWTError ClaimsSet)
verify k s = runExceptT $ do
  let k' = fromOctets k      -- turn raw secret into symmetric JWK
       audCheck = const True  -- should be a proper audience check
  s' <- decodeCompact s    -- decode JWT
  verifyClaims (defaultJWTValidationSettings audCheck) k' s'

  1. Go to https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4ifQ.8OB07dpDCXm3FBT5I7v64oX2XoTqpLsj7OSdDWX8k6s

  2. Use a secret less than 32 characters long (e.g "mysecret").

  3. Copy the resulting JWT and run:

    verify "mysecret" "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4ifQ.foxp_NGV2a8Yaikh-qBpx3LAro_jDUvyaKAqbGEv2K4"

Actual output:

Left (JWSError JWSInvalidSignature)

Expected output: I don't know what the spec says, I did not read the spec. But it should be either of the following two:

  1. Spec doesn't mention anything about key size: Results in a claimset.
  2. Spec says should not validate if key size is less than 256 bits: Results in: Left (JWSError KeySizeTooSmall)

Version: 0.7.0.0

PS:

  1. If in the same jwt.io debugger if you increase the secret to be 32 characters, then the same verify function above results in a valid ClaimsSet.
  2. I did not generate a JWT using jose with key size less than 32 and try.
  3. I spent the better half of my evening trying to debug why it was an invalid signature, when infact the error was the key size was small.
frasertweedale commented 6 years ago

See https://tools.ietf.org/html/rfc7518#section-3.2:

A key of the same size as the hash output (for instance, 256 bits for
"HS256") or larger MUST be used with this algorithm.  (This
requirement is based on Section 5.3.4 (Security Effect of the HMAC
Key) of NIST SP 800-117 [NIST.800-107], which states that the
effective security strength is the minimum of the security strength
of the key and two times the size of the internal hash value.)

This issue is a duplicate of #46. Have a look at the key sanity check function in https://github.com/frasertweedale/hs-jose/commit/59ca5e656370e5b7812faadf5234aa9b0724e782, which I have not merged yet. Does this meet your needs?

Closing this ticket. Discussion can continue at #46.