Generated JWT secret is too small for HMAC SHA256 (#582)

The key that is automatically generated weaken the security strength.
As noted in RFC7518 section 3.2 [0]:
```
A key of the same size as the hash output (for instance, 256 bits for
"HS256") or larger MUST be used with this algorithm.  (This
requirement is based on Section 5.3.4 (Security Effect of the HMAC
Key) of NIST SP 800-117 [NIST.800-107], which states that the
effective security strength is the minimum of the security strength
of the key and two times the size of the internal hash value.)
```

Some JWT libraries are rejecting by default keys that are too small in
a attempt to prevent misusages so generating a key that does not respect
the minimal length can be problematic for OO integrations.

[0] https://www.rfc-editor.org/rfc/rfc7518.html#section-3.2
This commit is contained in:
Thomas Gerbet 2023-02-07 07:02:40 +01:00 committed by GitHub
parent cac79dea01
commit 83825d26e9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -87,7 +87,7 @@ fi
[ -z $JWT_SECRET ] && JWT_MESSAGE='JWT is enabled by default. A random secret is generated automatically. Run the command "docker exec $(sudo docker ps -q) sudo documentserver-jwt-status.sh" to get information about JWT.' [ -z $JWT_SECRET ] && JWT_MESSAGE='JWT is enabled by default. A random secret is generated automatically. Run the command "docker exec $(sudo docker ps -q) sudo documentserver-jwt-status.sh" to get information about JWT.'
JWT_SECRET=${JWT_SECRET:-$(pwgen -s 20)} JWT_SECRET=${JWT_SECRET:-$(pwgen -s 32)}
JWT_HEADER=${JWT_HEADER:-Authorization} JWT_HEADER=${JWT_HEADER:-Authorization}
JWT_IN_BODY=${JWT_IN_BODY:-false} JWT_IN_BODY=${JWT_IN_BODY:-false}