Allow using GenericSecret for HmacSHA*

Extend the pre-existing check for SUN PKCS11 generic secret to allow all SecretKeys where getAlgorithm() returns "GenericSecret" to bypass the algorithm validation. This matches at least with AWS CloudHSM JCE provider, but likely others as well.
jwtk · Apr 16, 2024 · d4d3356 · d4d3356
1 parent c673b76
commit d4d3356
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 7 deletions.
diff --git a/impl/src/main/java/io/jsonwebtoken/impl/security/DefaultMacAlgorithm.java b/impl/src/main/java/io/jsonwebtoken/impl/security/DefaultMacAlgorithm.java
@@ -135,9 +135,9 @@ private void assertAlgorithmName(SecretKey key, boolean signing) {
             throw new InvalidKeyException(msg);
         }
 
-        // We can ignore PKCS11 key name assertions because HSM module key algorithm names don't always align with
-        // JCA standard algorithm names:
-        boolean pkcs11Key = KeysBridge.isSunPkcs11GenericSecret(key);
+        // We can ignore key name assertions for generic secrets, because HSM module key algorithm names
+        // don't always align with JCA standard algorithm names:
+        boolean pkcs11Key = KeysBridge.isGenericSecret(key);
 
         //assert key's jca name is valid if it's a JWA standard algorithm:
         if (!pkcs11Key && isJwaStandard() && !isJwaStandardJcaName(name)) {

diff --git a/impl/src/main/java/io/jsonwebtoken/impl/security/KeysBridge.java b/impl/src/main/java/io/jsonwebtoken/impl/security/KeysBridge.java
@@ -36,6 +36,7 @@ public final class KeysBridge {
 
     private static final String SUNPKCS11_GENERIC_SECRET_CLASSNAME = "sun.security.pkcs11.P11Key$P11SecretKey";
     private static final String SUNPKCS11_GENERIC_SECRET_ALGNAME = "Generic Secret"; // https://github.com/openjdk/jdk/blob/4f90abaf17716493bad740dcef76d49f16d69379/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java#L1292
+    private static final String GENERIC_SECRET_ALGNAME = "GenericSecret";
 
     // prevent instantiation
     private KeysBridge() {
@@ -95,10 +96,15 @@ public static byte[] findEncoded(Key key) {
         return encoded;
     }
 
-    public static boolean isSunPkcs11GenericSecret(Key key) {
-        return key instanceof SecretKey &&
-                key.getClass().getName().equals(SUNPKCS11_GENERIC_SECRET_CLASSNAME) &&
-                SUNPKCS11_GENERIC_SECRET_ALGNAME.equals(key.getAlgorithm());
+    public static boolean isGenericSecret(Key key) {
+        if (!(key instanceof SecretKey)) {
+            return false;
+        } else if (key.getClass().getName().equals(SUNPKCS11_GENERIC_SECRET_CLASSNAME) &&
+                SUNPKCS11_GENERIC_SECRET_ALGNAME.equals(key.getAlgorithm())) {
+            return true;
+        } else {
+            return GENERIC_SECRET_ALGNAME.equals(key.getAlgorithm());
+        }
     }
 
     /**