How do I make sure the shared secret size for making a JWT with Java is big enough?


I'm trying to implement JWT signing using DinoChiesa's code: https://github.com/apigee/iloveapis2015-jwt-jwe-jws/tree/master/jwt_signed/callout

However, when I call the service I get the following error: com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalArgumentException: The shared secret size must be at least 256 bits

How can I fix this?

I've added the following JAR files:

  • apigee-edge-callout-jwt-signed-1.0.6.jar
  • guava-18.0.jar
  • json-smart-1.3.jar
  • nimbus-jose-jwt-3.10.jar

And my policy is like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout async="false" continueOnError="false" enabled="true" name="Java-Generate-JWT">
    <DisplayName>Java Generate JWT</DisplayName>
    <Properties>
        <Property name="algorithm">HS256</Property>
        <Property name="secret-key">secret</Property>
        <!-- standard claims -->
        <!--<Property name="subject">http://dinochiesa.net</Property>-->
        <!--<Property name="issuer">ApigeeEdge-{organization.name}-{environment.name}-{request.path}</Property>-->
        <!--<Property name="audience">{apiproxy.name}</Property>-->
        <Property name="expiresIn">86400</Property>
        <!-- in seconds -->
        <!-- custom claims -->
        <Property name="cc1">1</Property>
        <Property name="cc2">2</Property>
    </Properties>
    <ClassName>com.apigee.callout.jwtsigned.JwtCreatorCallout</ClassName>
    <ResourceURL>java://apigee-edge-callout-jwt-signed-1.0.6.jar</ResourceURL>
</JavaCallout>
ACCEPTED SOLUTION

You are using "secret" as your password. You need something at least 32 characters long.

So try "secret01234567890ABCDEFGHIJKLMNO"

or... ideally you will use something random for the secret key.

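The accepted answer gives a 32-character secret that passes, but the limit the Java callout runs into is counted in bits of key material (256 bits, the HMAC-SHA256 output length from RFC 7518 section 3.2), and Nimbus gets those bits from the UTF-8 bytes of the secret string. The following is an added example, not code from the callout repository or from Nimbus, that applies the same check with plain JDK classes and generates a secret that satisfies it. The class and method names are this example's own; the 43-character output is the length that a 32-byte random value takes in unpadded base64url, which is how the later reply's "at least 43" figure comes about.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added example (not the callout's or Nimbus's code): checks an HS256 shared
 * secret the way the error message in the question describes, i.e. at least
 * 256 bits of key material, and generates a secret that satisfies the check.
 */
public class Hs256SecretCheck {

    /** HS256 is HMAC-SHA256; RFC 7518 section 3.2 requires a key at least as long as the hash output. */
    static final int MIN_SECRET_BITS = 256;

    /** Size of the secret in bits, counted as Nimbus counts it: UTF-8 bytes times 8, not characters. */
    static int secretBits(String secret) {
        return secret.getBytes(StandardCharsets.UTF_8).length * 8;
    }

    /** Rejects a short secret with the same kind of exception the thread shows. */
    static byte[] requireHs256Secret(String secret) {
        byte[] key = secret.getBytes(StandardCharsets.UTF_8);
        if (key.length * 8 < MIN_SECRET_BITS) {
            throw new IllegalArgumentException("The shared secret size must be at least "
                    + MIN_SECRET_BITS + " bits, got " + (key.length * 8));
        }
        return key;
    }

    /**
     * Draws 32 random bytes (256 bits of entropy) from SecureRandom and returns
     * them as 43 unpadded base64url characters. Assumption: the secret is shared
     * as text and the signer uses that text as the key, as Apigee consumer secrets
     * are used; 43 ASCII bytes is then 344 bits, comfortably above the minimum.
     */
    static String generateSecret() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        String weak = "secret";                               // 6 bytes = 48 bits, rejected
        System.out.println("\"secret\" is " + secretBits(weak) + " bits");
        try {
            requireHs256Secret(weak);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        String padded = "secret01234567890ABCDEFGHIJKLMNO";   // 32 ASCII bytes = 256 bits, accepted
        System.out.println("padded secret is " + secretBits(padded) + " bits");
        requireHs256Secret(padded);

        String random = generateSecret();                     // 43 chars, accepted
        System.out.println("random secret (" + random.length() + " chars): " + random);
        requireHs256Secret(random);
    }
}
```

Note that the check counts bytes, so a 32-character secret containing multi-byte characters would pass while a 20-character one never will; the random secret is preferable to padding a guessable word because the length requirement is a floor on key size, not a substitute for entropy.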

REPLIES


The key my client generates is 20 characters.

Can I change the minimum in the code? And if so, where?

The JWT library that is doing the signing is Nimbus.

That is where the restriction is happening. It's not in any code I've written, not anywhere you could change it.

When you say "the key my client generates"... how is that happening? How is the secret being generated and shared?

Are you using the key + secret in the Apigee Developer app? If so you can get a 32-char secret out of that system.

We have a client which uses Apigee and a shared client key for an HS256 JWT, and it fails with the same exception. How do we inform Apigee / get a 32-char secret from Apigee?

You can file a request with Apigee support via the support portal. Ask them to set the org property

keymanagement.consumer.secret.length  

...to at least 43 (for entropy requirements).

Will try to request this and educate on the vulnerabilities, but a curious question along the way: the Apigee policy with Generate JWT does allow it, but via the Java code (GitHub) it fails. Do both use different JWT libraries, one more relaxed that generates, and the other failing (which is better at meeting the requirements, https://tools.ietf.org/html/rfc7518#section-3.2)? Or is it not mandating, but more of a recommendation?

The Apigee builtin policy extends the secret key with zeros, as per the specification on HMAC. So... it complies with the technical requirements, but... it does not _enforce_ good key standards.

The Java callout delegates to a third-party library which does enforce key length requirements.
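The zero extension mentioned in the reply above is RFC 2104 behaviour: a key shorter than the hash block size (64 bytes for SHA-256) is right-padded with 0x00 bytes before use, so "secret" and "secret" followed by 58 zero bytes are the same HMAC key. The following added example, not Apigee's or Nimbus's code, shows this with the JDK's HmacSHA256 over a constructed JWT signing input (base64url header, a dot, base64url payload, built inline from a header and claims of this example's choosing). It illustrates why a signer can be spec-conformant with a 6-byte key while the resulting tag still has only 6 bytes of chosen key material behind it.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not Apigee's or Nimbus's code): demonstrates that HMAC-SHA256
 * zero-pads a short key to the 64-byte SHA-256 block size, so a short secret and
 * its zero-extended form produce identical tags.
 */
public class HmacZeroPadding {

    static final int SHA256_BLOCK_BYTES = 64;

    static byte[] hmacSha256(byte[] key, byte[] message) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    /** Right-pads the key with zero bytes to the block size, which is what RFC 2104 does internally. */
    static byte[] zeroPadToBlock(byte[] key) {
        if (key.length >= SHA256_BLOCK_BYTES) {
            return key;
        }
        return Arrays.copyOf(key, SHA256_BLOCK_BYTES);   // copyOf fills the new positions with 0x00
    }

    /** True if both keys yield the same tag over the message. */
    static boolean sameTag(byte[] keyA, byte[] keyB, byte[] message) throws GeneralSecurityException {
        return Arrays.equals(hmacSha256(keyA, message), hmacSha256(keyB, message));
    }

    /** Constructed JWS signing input: base64url(header) "." base64url(payload), as an HS256 signer MACs it. */
    static byte[] signingInput(String headerJson, String payloadJson) {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        String input = b64.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8))
                + "." + b64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return input.getBytes(StandardCharsets.US_ASCII);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Sample claims of this example's own choosing, mirroring the cc1/cc2 custom claims in the policy.
        byte[] input = signingInput("{\"alg\":\"HS256\"}", "{\"cc1\":\"1\",\"cc2\":\"2\"}");
        byte[] shortKey = "secret".getBytes(StandardCharsets.UTF_8);   // 6 bytes
        byte[] paddedKey = zeroPadToBlock(shortKey);                    // 6 bytes + 58 zero bytes

        System.out.println("short key tag  : " + hex(hmacSha256(shortKey, input)));
        System.out.println("padded key tag : " + hex(hmacSha256(paddedKey, input)));
        System.out.println("identical      : " + sameTag(shortKey, paddedKey, input));    // true

        // Appending a single non-zero byte is a genuinely different key, so the tag changes.
        byte[] differentKey = Arrays.copyOf(shortKey, shortKey.length + 1);
        differentKey[shortKey.length] = 1;
        System.out.println("different key  : " + !sameTag(shortKey, differentKey, input)); // true
    }
}
```

The point for a verifier is that accepting "secret" is not a bug in the builtin policy; the zero padding is what the HMAC specification prescribes. The 256-bit floor that Nimbus enforces is the JWA (RFC 7518) key-size requirement layered on top of HMAC, and it exists because the padding adds length but no entropy.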