Add padding back but not for obo

Signed-off-by: Ryan Liang <[email protected]>
MaciejMierzwa · Oct 23, 2023 · 2848560 · 2848560
1 parent 1d5fcb4
commit 2848560
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 5 deletions.
diff --git a/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java b/src/main/java/com/amazon/dlic/auth/http/saml/AuthTokenProcessorHandler.java
@@ -18,7 +18,6 @@
 import java.security.AccessController;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
-import java.util.Base64;
 import java.util.Date;
 import java.util.List;
 import java.util.Optional;
@@ -61,6 +60,7 @@
 import org.opensearch.rest.RestRequest.Method;
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.security.DefaultObjectMapper;
+import org.opensearch.security.authtoken.jwt.JwtVendor;
 import org.opensearch.security.dlic.rest.api.AuthTokenProcessorAction;
 import org.opensearch.security.filter.SecurityResponse;
 
@@ -247,11 +247,11 @@ private JWSHeader createJwsHeaderFromSettings() {
     }
 
     JWK createJwkFromSettings(Settings settings, Settings jwtSettings) throws Exception {
-        String exchangeKey = settings.get("exchange_key");
+        String exchangeKey = JwtVendor.padSecret(settings.get("exchange_key"), JWSAlgorithm.HS512);
 
         if (!Strings.isNullOrEmpty(exchangeKey)) {
 
-            return new OctetSequenceKey.Builder(Base64.getDecoder().decode(exchangeKey)).algorithm(JWSAlgorithm.HS512)
+            return new OctetSequenceKey.Builder(exchangeKey.getBytes(StandardCharsets.UTF_8)).algorithm(JWSAlgorithm.HS512)
                 .keyUse(KeyUse.SIGNATURE)
                 .build();
         } else {
@@ -263,9 +263,9 @@ JWK createJwkFromSettings(Settings settings, Settings jwtSettings) throws Except
                 );
             }
 
-            String k = jwkSettings.get("k");
+            String k = JwtVendor.padSecret(jwkSettings.get("k"), JWSAlgorithm.HS512);
 
-            return new OctetSequenceKey.Builder(Base64.getDecoder().decode(k)).algorithm(JWSAlgorithm.HS512)
+            return new OctetSequenceKey.Builder(k.getBytes(StandardCharsets.UTF_8)).algorithm(JWSAlgorithm.HS512)
                 .keyUse(KeyUse.SIGNATURE)
                 .build();
         }

diff --git a/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java b/src/main/java/org/opensearch/security/authtoken/jwt/JwtVendor.java
@@ -19,6 +19,8 @@
 import java.util.function.LongSupplier;
 
 import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.util.ByteUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -37,6 +39,7 @@
 import org.opensearch.common.collect.Tuple;
 import org.opensearch.common.settings.Settings;
 
+import static com.nimbusds.jose.crypto.MACSigner.getMinRequiredSecretLength;
 import static org.opensearch.security.util.AuthTokenUtils.isKeyNull;
 
 public class JwtVendor {
@@ -101,6 +104,18 @@ static Tuple<JWK, JWSSigner> createJwkFromSettings(Settings settings) {
         }
     }
 
+    public static String padSecret(String signingKey, JWSAlgorithm jwsAlgorithm) {
+        int requiredSecretLength;
+        try {
+            requiredSecretLength = getMinRequiredSecretLength(jwsAlgorithm);
+        } catch (JOSEException e) {
+            throw new RuntimeException(e);
+        }
+        int requiredByteLength = ByteUtils.byteLength(requiredSecretLength);
+        // padding the signing key with 0s to meet the minimum required length
+        return StringUtils.rightPad(signingKey, requiredByteLength, "\0");
+    }
+
     public String createJwt(
         String issuer,
         String subject,