decode base64, pad to required length

Signed-off-by: Maciej Mierzwa <[email protected]>
MaciejMierzwa · Oct 23, 2023 · eb45337 · eb45337
1 parent 1d5fcb4
commit eb45337
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 17 deletions.
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java b/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java
@@ -61,6 +61,7 @@
 import org.opensearch.rest.RestRequest.Method;
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.security.DefaultObjectMapper;
+import org.opensearch.security.authtoken.jwt.JwtVendor;
 import org.opensearch.security.dlic.rest.api.AuthTokenProcessorAction;
 import org.opensearch.security.filter.SecurityResponse;
 
@@ -250,8 +251,10 @@ JWK createJwkFromSettings(Settings settings, Settings jwtSettings) throws Except
         String exchangeKey = settings.get("exchange_key");
 
         if (!Strings.isNullOrEmpty(exchangeKey)) {
+            byte[] decoded = Base64.getDecoder().decode(exchangeKey);
+            String paddedSecret = JwtVendor.padSecret(new String(decoded), JWSAlgorithm.HS512);
 
-            return new OctetSequenceKey.Builder(Base64.getDecoder().decode(exchangeKey)).algorithm(JWSAlgorithm.HS512)
+            return new OctetSequenceKey.Builder(paddedSecret.getBytes(StandardCharsets.UTF_8)).algorithm(JWSAlgorithm.HS512)
                 .keyUse(KeyUse.SIGNATURE)
                 .build();
         } else {
@@ -264,8 +267,9 @@ JWK createJwkFromSettings(Settings settings, Settings jwtSettings) throws Except
             }
 
             String k = jwkSettings.get("k");
-
-            return new OctetSequenceKey.Builder(Base64.getDecoder().decode(k)).algorithm(JWSAlgorithm.HS512)
+            byte[] decoded = Base64.getDecoder().decode(k);
+            String paddedSecret = JwtVendor.padSecret(new String(decoded), JWSAlgorithm.HS512);
+            return new OctetSequenceKey.Builder(paddedSecret.getBytes(StandardCharsets.UTF_8)).algorithm(JWSAlgorithm.HS512)
                 .keyUse(KeyUse.SIGNATURE)
                 .build();
         }

diff --git a/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java b/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java
@@ -11,6 +11,7 @@
 
 package org.opensearch.security.authtoken.jwt;
 
+import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
 import java.util.Base64;
 import java.util.Date;
@@ -19,6 +20,8 @@
 import java.util.function.LongSupplier;
 
 import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.util.ByteUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -37,6 +40,7 @@
 import org.opensearch.common.collect.Tuple;
 import org.opensearch.common.settings.Settings;
 
+import static com.nimbusds.jose.crypto.MACSigner.getMinRequiredSecretLength;
 import static org.opensearch.security.util.AuthTokenUtils.isKeyNull;
 
 public class JwtVendor {
@@ -75,8 +79,10 @@ public JwtVendor(final Settings settings, final Optional<LongSupplier> timeProvi
     static Tuple<JWK, JWSSigner> createJwkFromSettings(Settings settings) {
         final OctetSequenceKey key;
         if (!isKeyNull(settings, "signing_key")) {
-            String signingKey = settings.get("signing_key");
-            key = new OctetSequenceKey.Builder(Base64.getDecoder().decode(signingKey)).algorithm(JWSAlgorithm.HS512)
+            byte[] decoded = Base64.getDecoder().decode(settings.get("signing_key"));
+            String paddedSecret = padSecret(new String(decoded), JWSAlgorithm.HS512);
+
+            key = new OctetSequenceKey.Builder(paddedSecret.getBytes(StandardCharsets.UTF_8)).algorithm(JWSAlgorithm.HS512)
                 .keyUse(KeyUse.SIGNATURE)
                 .build();
         } else {
@@ -89,9 +95,12 @@ static Tuple<JWK, JWSSigner> createJwkFromSettings(Settings settings) {
             }
 
             String signingKey = jwkSettings.get("k");
-            key = new OctetSequenceKey.Builder(Base64.getDecoder().decode(signingKey)).algorithm(JWSAlgorithm.HS512)
-                .keyUse(KeyUse.SIGNATURE)
-                .build();
+            byte[] decoded = Base64.getDecoder().decode(signingKey);
+            String paddedSecret = padSecret(new String(decoded), JWSAlgorithm.HS512);
+
+            key = new OctetSequenceKey.Builder(paddedSecret.getBytes(StandardCharsets.UTF_8)).algorithm(JWSAlgorithm.HS512)
+                    .keyUse(KeyUse.SIGNATURE)
+                    .build();
         }
 
         try {
@@ -101,6 +110,18 @@ static Tuple<JWK, JWSSigner> createJwkFromSettings(Settings settings) {
         }
     }
 
+    public static String padSecret(String signingKey, JWSAlgorithm jwsAlgorithm) {
+        int requiredSecretLength;
+        try {
+            requiredSecretLength = getMinRequiredSecretLength(jwsAlgorithm);
+        } catch (JOSEException e) {
+            throw new RuntimeException(e);
+        }
+        int requiredByteLength = ByteUtils.byteLength(requiredSecretLength);
+        // padding the signing key with \0s to meet the minimum required length
+        return StringUtils.rightPad(signingKey, requiredByteLength, "\0");
+    }
+
     public String createJwt(
         String issuer,
         String subject,

diff --git a/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java b/src/test/java/org/opensearch/security/authtoken/jwt/JwtVendorTest.java
@@ -28,7 +28,6 @@
 import org.junit.Assert;
 import org.junit.Test;
 import org.mockito.ArgumentCaptor;
-import org.opensearch.OpenSearchException;
 import org.opensearch.common.collect.Tuple;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.security.support.ConfigConstants;
@@ -37,7 +36,6 @@
 import com.nimbusds.jose.jwk.JWK;
 
 import static org.hamcrest.MatcherAssert.assertThat;
-import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.nullValue;
@@ -70,13 +68,6 @@ public void testCreateJwkFromSettings() {
         Assert.assertTrue(jwk.v1().toOctetSequenceKey().getKeyValue().decodeToString().startsWith(signingKey));
     }
 
-    @Test
-    public void testCreateJwkFromSettingsWithWeakKey() {
-        Settings settings = Settings.builder().put("signing_key", "abcd1234").build();
-        Throwable exception = Assert.assertThrows(OpenSearchException.class, () -> JwtVendor.createJwkFromSettings(settings));
-        assertThat(exception.getMessage(), containsString("The secret length must be at least 256 bits"));
-    }
-
     @Test
     public void testCreateJwkFromSettingsWithoutSigningKey() {
         Settings settings = Settings.builder().put("jwt", "").build();